BILL ANALYSIS                                                                                                                                                                                                    Ó






                             SENATE JUDICIARY COMMITTEE
                             Senator Noreen Evans, Chair
                              2011-2012 Regular Session


          SB 1267 (Padilla)
          As Amended  March 27, 2012
          Hearing Date: April 24, 2012
          Fiscal: Yes
          Urgency: No
          SK
                    

                                        SUBJECT
                                           
                            Privacy: Genetic Information 

                                      DESCRIPTION  

          This bill would enact the Genetic Information Privacy Act, which 
          would permit genetic information to be obtained, analyzed, 
          retained, or disclosed as long as the individual to whom the 
          information pertains has provided a written authorization.  This 
          bill would specify the information that must be included in the 
          authorization and impose various civil penalties to be paid to 
          the individual to whom the information pertains for a violation 
          of the bill's provisions, as specified.  This bill contains 
          several exceptions to its provisions.

                                      BACKGROUND  

          Genetic testing is a sophisticated technique used to test for 
          genetic disorders.  More recently, direct-to-consumer genetic 
          testing has allowed individual consumers to provide genetic 
          samples in order to test for genetic disorders, identify their 
          ancestry, or take part in research studies.  But, this testing 
          has not come without controversy and concerns.  A 2010 report by 
          the General Accounting Office (GAO), entitled 
          "Direct-to-Consumer Genetic Tests: Misleading Test Results are 
          Further Complicated by Deceptive Marketing and Other 
          Questionable Practices," found test results that were 
          "misleading and of no practical use.  For example, GAO's donors 
          often received disease risk predictions that varied across the 
          four companies, indicating that identical DNA samples yield 
          contradictory results."  (General Accounting Office, Highlights, 
          Direct-to-Consumer Genetic Tests: Misleading Test Results are 
                                                                (more)



          SB 1267 (Padilla)
          Page 2 of ?



          Further Complicated by Deceptive Marketing and Other 
          Questionable Practices (July 22, 2010)  Ŭas of Apr. 19, 2012].)  Furthermore-and 
          the subject of this bill-the GAO found egregious examples of 
          deceptive marketing, including two companies who "told GAO's 
          fictitious consumer that she could secretly test her fiancé's 
          DNA to 'surprise' him with test results," despite the fact that 
          surreptitious genetic testing is restricted in many states. 
          In 2009, two reporters from New Scientist demonstrated that it 
          was possible to bypass and ignore consent requirements of 
          certain companies and submit someone else's DNA for testing.  
          Their article detailing the experience stated:

            The terms and conditions for the deCODEme service state that 
            someone submitting DNA must have the legal authority to do so, 
            and that the sample must be taken from the cheek.  We wanted 
            to test whether deCODEme is vulnerable to abuse from someone 
            prepared to ignore these terms, so Michael pipetted some of 
            Peter's DNA onto deCODEme's swabs and sent them off for 
            analysis under his own name.  As far as Decode was concerned, 
            it was a sample of Michael's DNA taken by swabbing his own 
            cheek.  . . .  ŬThe reporters submitted a sample to another 
            company.]  This company also has terms and conditions 
            specifying that customers must have the necessary consents and 
            approvals to submit samples.  Mimicking a hacker who would be 
            willing to ignore these terms, Michael submitted the amplified 
            DNA for scanning.  . . .  Both of these back-up plans worked.  


          In addition, a report by the Genetics and Public Policy Center 
          found "10 states that restrict surreptitious collection, 
          analysis, and/or disclosure for both health- and non-health 
          related purposes, 15 states that restrict surreptitious testing 
          for health-related purposes only, six states with restrictions 
          in the context of court-ordered parentage proceedings, and two 
          states with employment-related restrictions only." (Genetics and 
          Public Policy Center, State laws pertaining to surreptitious DNA 
          testing (Jan. 21, 2009) 
           Ŭas of Apr. 19, 2012].)

          Federal and state laws offer various protections for genetic 
          testing.  For example, in 2008, Congress enacted the federal 
          Genetic Information and Nondiscrimination Act (GINA), which 
          prohibits discrimination in group health plan coverage and 
          employment based on genetic information.  Last year, the 
                                                                      



          SB 1267 (Padilla)
          Page 3 of ?



          Legislature passed and the Governor signed SB 559 (Padilla, Ch. 
          261, Stats. 2011), which prohibited discrimination under the 
          Unruh Civil Rights Act and the Fair Employment and Housing Act 
          (FEHA) on the basis of genetic information.  In 2009, SB 482 
          (Padilla), sponsored by 23&Me, was introduced to relate to 
          direct-to-consumer genetic testing.  Under existing law, the 
          Department of Public Health has required companies that provide 
          for direct-to-consumer genetic testing to be licensed as 
          clinical laboratories.  SB 482, which would have specifically 
          provided that such companies are not clinical labs and therefore 
          not subject to requirements for those laboratories and instead 
          would have established a separate regulatory scheme, died in 
          this committee. 

          This bill would permit genetic information to be obtained, 
          analyzed, retained, or disclosed with the written authorization 
          of the individual to whom the information pertains.  

          (This analysis reflects author's amendments to be offered in 
          Committee.) 

                                CHANGES TO EXISTING LAW
           
           Existing law  , the California Constitution, provides that all 
          people have inalienable rights, including the right to pursue 
          and obtain privacy.  (Cal. Const., art. I, Sec. 1.)  
           
          Existing law  prohibits discrimination under the Unruh Civil 
          Rights Act and the Fair Employment and Housing Act (FEHA) on the 
          basis of genetic information.  (Civ. Code Sec. 51 and Gov. Code 
          Sec. 12920 et seq.)

           Existing federal law  prohibits, under the Genetic Information 
          and Nondiscrimination Act (GINA), discrimination in group health 
          plan coverage and employment based on genetic information.  
          (Pub. Law 110-233.)

           Existing law  provides for the following penalties concerning the 
          disclosure of genetic tests: 
           any person who negligently discloses results of a test for a 
            genetic characteristic to any third party, in a manner which 
            identifies or provides identifying characteristics of the 
            person to whom the test results apply, except as specified, 
            shall be assessed a civil penalty in an amount not to exceed 
            $1,000 plus court costs, as determined by the court, which 
            penalty and costs shall be paid to the subject of the test;
                                                                      



          SB 1267 (Padilla)
          Page 4 of ?



           any person who willfully discloses the results of a test for a 
            genetic characteristic to any third party, in a manner which 
            identifies or provides identifying characteristics of the 
            person to whom the test results apply, except as specified, 
            shall be assessed a civil penalty in an amount not less than 
            $1,000 and no more than $5,000 plus court costs, as determined 
            by the court, which penalty and costs shall be paid to the 
            subject of the test; 
           any person who commits any of the above two acts shall be 
            liable to the subject for all actual damages, including 
            damages for economic, bodily, or emotional harm which is 
            proximately caused by the act;
           any person who willfully or negligently discloses the results 
            of a test for a genetic characteristic to a third party, in a 
            manner which identifies or provides identifying 
            characteristics of the person to whom the test results apply, 
            except as specified, which results in economic, bodily, or 
            emotional harm to the subject of the test, is guilty of a 
            misdemeanor punishable by imprisonment in a county jail for a 
            period not to exceed one year, by a fine of not to exceed 
            $10,000, or by both that fine and imprisonment; and
           each disclosure made in violation of this section is a 
            separate and actionable offense.  (Ins. Code Sec. 10149.1.)

           This bill  would provide that genetic information is protected by 
          the constitutional right of privacy and would specify that 
          genetic information shall not be obtained, analyzed, retained, 
          or disclosed without the written authorization of the individual 
          to whom the information pertains pursuant to the bill.

           This bill  would require that the written authorization:
           be written in plain language in typeface no smaller than 
            14-point type; 
           be dated and signed by the individual to whom the information 
            pertains or a person authorized to act on behalf of the 
            individual; and 
           be a separate document, not attached to any other document, 
            and may not be more than one page.

           This bill  would require any person who obtains, analyzes, 
          retains, or discloses the genetic information of an individual 
          to use a statutory notice form to obtain the authorization of 
          the individual to whom the information pertains so that the 
          individual may make a decision and provide direction regarding 
          the use of his or her genetic information.  That form would 
          require the following information: 
                                                                      



          SB 1267 (Padilla)
          Page 5 of ?




           the types of persons who are authorized to obtain, analyze, 
            retain, or disclose genetic information about the individual;
           the nature of the genetic information that the individual is 
            authorizing to be obtained, analyzed, retained, or disclosed;
           the name of the person or persons authorized to obtain, 
            analyze, retain, or disclose the information and his or her 
            function;
           the purpose for which the information is collected;
           a statement that the authorization shall remain valid for as 
            long as it takes to carry out the purpose;
           whether the genetic information will remain identifiable or 
            will be made nonidentifiable; and 
           if the information is retained, the manner in which the 
            information shall be stored.

           This bill  would require that the form notify the individual that 
          he or she has the right to limit the purpose for which his or 
          her genetic information is used and, once the purpose is 
          fulfilled, the genetic information and sample must be destroyed. 
           The statutory form created by this bill would also permit the 
          individual to authorize the use of his or her genetic 
          information for research purposes or for commercial purposes and 
          permit him or her to limit the purpose.  The form would permit 
          the individual to limit access to his or her genetic information 
          to certain people specified by the individual. 

           This bill  would provide that any person who obtains, analyzes, 
          retains, or discloses the genetic information of an individual 
          may not obtain, analyze, retain, or disclose that genetic 
          information for any purpose other than the purpose authorized by 
          the individual to whom the information pertains.

           This bill  would provide that once the specific purpose 
          authorized by the individual to whom the genetic information 
          pertains has been fulfilled, the individual's genetic 
          information and DNA sample shall be destroyed.

           This bill  would specify that genetic information may be 
          obtained, analyzed, retained, or disclosed without the 
          authorization provided in the bill in the following instances 
          provided that the entity may obtain, analyze, retain, or 
          disclose the information only for the specified purposes 
          indicated, and any use for any other purpose is subject to the 
          authorization required by the bill:
           a law enforcement official in the execution of his or her 
                                                                      



          SB 1267 (Padilla)
          Page 6 of ?



            official duties consistent with existing law; 
           a hospital, laboratory, or physician carrying out 
            court-ordered tests for genetic information; 
           a licensed health care professional in medical emergencies; 
           a coroner or medical examiner in the execution of his or her 
            official duties consistent with existing law; and 
           any screening of newborn infants required by state or federal 
            law.

           This bill  would provide that disaggregated and anonymized data 
          that was collected before the enactment of this bill may be 
          obtained, analyzed, retained, or disclosed without the required 
          authorization.

           This bill  would specify that disaggregated and anonymized data 
          may be obtained, analyzed, retained, or disclosed if written 
          authorization required by the bill is obtained and the data is 
          used for a purpose authorized by the individual to whom the 
          information pertains.

           This bill  would provide that any person who negligently violates 
          the bill's authorization requirement shall be assessed a civil 
          penalty not to exceed $1,000 plus court costs, which shall be 
          paid to the individual to whom the genetic information pertains.

           This bill  would specify that any person who willfully violates 
          the bill's authorization requirement shall be assessed a civil 
          penalty in an amount not less than $1,000 and not more than 
          $5,000 plus court costs, which shall be paid to the individual 
          to whom the genetic information pertains.

           This bill  would provide that, in addition to the penalties 
          above, a person who commits an act described in the above two 
          penalty provisions shall be liable to the person to whom the 
          genetic information pertains for all actual damages, including 
          damages for economic, bodily, or emotional harm which is 
          proximately caused by the act. 

           This bill  would provide that any person who willfully or 
          negligently violates the bill's authorization requirement and 
          the violation results in economic, bodily, or emotional harm to 
          the individual to whom the genetic information pertains is 
          guilty of a misdemeanor punishable by a fine not to exceed 
          $10,000.

           This bill  would provide that each violation of the bill is a 
                                                                      



          SB 1267 (Padilla)
          Page 7 of ?



          separate and actionable offense. 

           This bill  contains definitions of the following terms: 
          "anonymized," "DNA sample," "genetic characteristic," "genetic 
          information," "genetic service," "genetic test," and "person," 
          as specified. 








































                                                                      



          SB 1267 (Padilla)
          Page 8 of ?



                                        COMMENT
           
          1.  Stated need for the bill  
          
          The author writes:
          
            While these advances in technology have led to the ease of 
            deciphering personal genetic information, they also give rise 
            to the potential for misuse of genetic information.  For 
            example, in 2009, two reporters from New Scientist magazine 
            successfully had their sample DNA tested and analyzed without 
            consent.  In 2010, the U.S. Government Accountability Office 
            released a study that illustrated examples of genetic testing 
            companies who were willing to test DNA without the consent of 
            the person to whom the genetic information belonged.  The 
            potential motives for wanting to obtain such information could 
            give rise to a genetic McCarthyism as was noted in a November 
            2008 article from the New England Journal of Medicine.  Given 
            that traces of our DNA and genetic information are left behind 
            on numerous types of discarded items, this threat is very 
            real.  
          
          2.  This bill would permit genetic information to be obtained, 
            analyzed, retained, or disclosed with written authorization of 
            the individual to whom the information pertains
             
          Under this bill, genetic information could be obtained, 
          analyzed, retained, or disclosed as long as the individual to 
          whom the information pertains has provided a written 
          authorization.  The author's amendments clarify the bill's 
          provisions and provide an individual with a clear opportunity to 
          authorize the use of his or her genetic information for 
          particular purposes, as described in more detail below.  

          Importantly, the amendments also create substantive protections 
          which are necessary given that sometimes consent can be 
          fraudulent.  This is evidenced by the experience of the two New 
          Scientist reporters, described in the Background and noted by 
          the author, who simply ignored consent requirements.  If consent 
          requirements can be ignored, substantive provisions become 
          increasingly important as detailed below.  

              a.   Statutory notice form

             From a policy standpoint, permitting genetic information to be 
            obtained, analyzed, retained, or disclosed provided that the 
                                                                      



          SB 1267 (Padilla)
          Page 9 of ?



            individual to whom the information pertains has given his or 
            her authorization raises the question of how best to ensure 
            that individual is making a fully informed decision.  Given 
            that DNA is unique to every individual, it is critically 
            important that people know where their information is going, 
            for what purposes it is being used, and what happens to their 
            information after that purpose is fulfilled.  The statutory 
            notice form in this bill is intended to achieve this goal. 
             
            This bill would require that any person who obtains, analyzes, 
            retains, or discloses the genetic information of an individual 
            must use a statutory notice form to obtain the authorization 
            of the individual to whom the information pertains so that the 
            individual may make a decision and provide direction regarding 
            the use of his or her genetic information.  That form would 
            contain specified information, including the types, names, and 
            functions of persons who are authorized to obtain, analyze, 
            retain, or disclose genetic information about the individual; 
            the nature of the genetic information that the individual is 
            authorizing to be obtained, analyzed, retained, or disclosed; 
            and the purpose for which the information is collected.

            The form would also contain important information to help the 
            individual make a decision and direct the use of his or her 
            genetic information, including a statement that the 
            authorization shall remain valid for as long as it takes to 
            carry out the purpose and a notification that the individual 
            has the right to limit the purpose for which his or her 
            genetic information is used and, once the purpose is 
            fulfilled, the genetic information and sample must be 
            destroyed.  The form also permits the individual to authorize 
            the use of his or her genetic information for research 
            purposes or for commercial purposes. 

              b.   Purpose limitation and destruction of information after 
               purpose fulfilled

             This bill would require that the written authorization specify 
            the purpose for which the information is collected.  This bill 
            would also prohibit any person who obtains, analyzes, retains, 
            or discloses the genetic information of an individual from 
            obtaining, analyzing, retaining, or disclosing the genetic 
            information for any purpose other than the purpose authorized 
            by the individual to whom the information pertains.  This 
            purpose limitation, which would limit the use of the 
            information to the purpose for which it was collected, is a 
                                                                      



          SB 1267 (Padilla)
          Page 10 of ?



            fundamental tenet of privacy law and appears in other statutes 
            where personal information-often name, address, or other 
            information that is arguably not as unique to an individual as 
            his or her DNA-is permitted to be shared or disclosed for a 
            particular purpose.  (See, e.g., Fam. Code Sec. 17528; Pub. 
            Util. Code Secs. 8380, 8381; Veh. Code Secs. 1808.23, 21455.5, 
            40248.)

            This bill also would require that an individual's genetic 
            information and DNA sample be destroyed once the specific 
            purpose authorized by the individual to whom the genetic 
            information pertains has been fulfilled.  

             c.   Use of genetic information for particular purposes: 
               commercial, research, or other purposes
           
            Under this bill, the statutory authorization that must be used 
            to obtain an individual's authorization to obtain, analyze, 
            retain, or disclose his or her genetic information permits the 
            individual to authorize the use of his or her genetic 
            information for research purposes or for commercial purposes.  
            The form would allow the individual to limit the purpose for 
            which his or her genetic information is authorized to be used. 
             The form also would permit the individual to limit access to 
            his or her genetic information to certain people specified by 
            the individual.

            In some cases, a consumer may want to give his or her genetic 
            information only for a limited purpose such as testing for 
            genetic disorders or risks or ancestry.  The statutory 
            authorization created by this bill allows the individual to do 
            so.  Also, some commercial genetic testing companies "include 
            contractual clauses that lets them use and sell their client's 
            genetic information to outside parties."  (Keim, Genetic 
            protections skimp on privacy, says gene tester (May 23, 2008) 
            Wired  Ŭas 
            of Apr. 15, 2012].)  Under this bill, that use would not be 
            permitted without the individual's authorization obtained 
            using the statutory authorization. 
             
             d.   Exemptions
           
            Under this bill, genetic information may be obtained, 
            analyzed, retained, or disclosed without the statutory 
            authorization described above only in the following instances 
            provided that the specified entity may obtain, analyze, 
                                                                      



          SB 1267 (Padilla)
          Page 11 of ?



            retain, or disclose the information only for the particular 
            purpose indicated, and any use for any other purpose is 
            subject to the authorization required by the bill: 

                 a law enforcement official in the execution of his or 
               her official duties consistent with existing law; 
                 a hospital, laboratory, or physician carrying out 
               court-ordered tests for genetic information; 
                                                                 a licensed health care professional, as defined in 
               Section 56.05, in medical emergencies; 
                 a coroner or medical examiner in the execution of his or 
               her official duties consistent with existing law; and 
                 any screening of newborn infants required by state or 
               federal law.

            In addition, the bill would provide that disaggregated and 
            anonymized data that was collected before the enactment of 
            this bill may be obtained, analyzed, retained, or disclosed 
            without the required authorization.  This bill also would 
            specify that disaggregated and anonymized data may be 
            obtained, analyzed, retained, or disclosed if written 
            authorization required by the bill is obtained and the data is 
            used for a purpose authorized by the individual to whom the 
            information pertains.  Both of these instances use the term 
            "disaggregated," which is not defined in the bill.  The 
            author's office indicates that it is currently in discussion 
            with privacy groups regarding this particular term which may 
            need to be revised as the bill moves through the legislative 
            process. 

            In addition, the California Hospital Association has raised 
            questions about this bill's application to certain kinds of 
            information sharing and has indicated a desire to work with 
            the author and Committee staff as the bill moves through the 
            process to address any concerns. 

              a.   Penalties 

             This bill would impose penalties for violation of the bill's 
            requirement that a written authorization first be obtained 
            before an individual's genetic information may be obtained, 
            analyzed, retained, or disclosed.  Those penalties range from 
            negligent violations, which would be subject to a civil 
            penalty not to exceed $1,000 plus court costs, to willful 
            violations, which are subject to a civil penalty in an amount 
            not less than $1,000 and not more than $5,000 plus court 
                                                                      



          SB 1267 (Padilla)
          Page 12 of ?



            costs.  In both cases, the penalties and costs would be paid 
            to the individual to whom the genetic information pertains.   
             This bill also would provide that, in addition to the 
            penalties above, a person who commits an act described in the 
            above two penalty provisions would be liable to the person to 
            whom the genetic information pertains for all actual damages, 
            including damages for economic, bodily, or emotional harm 
            which is proximately caused by the act.  And, any person who 
            willfully or negligently violates the bill's authorization 
            requirement and the violation results in economic, bodily, or 
            emotional harm to the individual to whom the genetic 
            information pertains is guilty of a misdemeanor punishable by 
            a fine not to exceed $10,000.  

            These penalties are based on existing Insurance Code Section 
            10149.1 and, in fact, mirror those provisions which relate to 
            the disclosure of test results for a genetic characteristic.  
            Under Section 10149.1, penalties are imposed when such a 
            disclosure is made to any third party in a manner which 
            identifies or provides identifying characteristics of the 
            person to whom the test results apply.


           Support  :  None Known

           Opposition :  None Known

                                        HISTORY
           
           Source  :  Author

           Related Pending Legislation  : None Known

           Prior Legislation  :

          SB 559 (Padilla, Ch. 261, Stats. 2011) See Background.

          SB 482 (Padilla, 2009) See Background.
           
                                   **************