Utah Code § 13-60-104

Current through the 2024 Fourth Special Session
Section 13-60-104 - Consumer genetic information - Privacy notice - Consent - Access - Deletion - Destruction
(1) A direct-to-consumer genetic testing company shall:
(a) provide to a consumer:
(i) essential information about the company's collection, use, and disclosure of genetic data; and
(ii) a prominent, publicly available privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices;
(b) obtain a consumer's initial express consent for collection, use, or disclosure of the consumer's genetic data that:
(i) clearly describes the company's use of the genetic data that the company collects through the company's genetic testing product or service;
(ii) specifies who has access to test results; and
(iii) specifies how the company may share the genetic data;
(c) if the company engages in any of the following, obtain a consumer's:
(i) separate express consent for:
(A) the transfer or disclosure of the consumer's genetic data to any person other than the company's vendors and service providers;
(B) the use of genetic data beyond the primary purpose of the company's genetic testing product or service; or
(C) the company's retention of any biological sample provided by the consumer following the company's completion of the initial testing service requested by the consumer;
(ii) informed consent in accordance with the Federal Policy for the Protection of Human Subjects, 45 C.F.R. Part 46, for transfer or disclosure of the consumer's genetic data to a third party for:
(A) research purposes; or
(B) research conducted under the control of the company for the purpose of publication or generalizable knowledge; and
(iii) express consent for:
(A) marketing to a consumer based on the consumer's genetic data; or
(B) marketing by a third party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service;
(d) require valid legal process for the company's disclosure of a consumer's genetic data to law enforcement or any government entity without the consumer's express written consent;
(e) develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and
(f) provide a process for a consumer to:
(i) access the consumer's genetic data;
(ii) delete the consumer's account and genetic data; and
(iii) destroy the consumer's biological sample.
(2) Notwithstanding Subsection (1)(c)(iii), a direct-to-consumer genetic testing company with a first-party relationship to a consumer may, without obtaining the consumer's express consent, provide customized content or offers on the company's website or through the company's application or service.

Utah Code § 13-60-104

Added by Chapter 361, 2021 General Session ,§ 4, eff. 5/5/2021.

Technically renumbered to avoid duplication of section number also enacted in HB314, Chapter 185, and HB202, Chapter 138.