BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Noreen Evans, Chair
2011-2012 Regular Session
SB 1267 (Padilla)
As Amended March 27, 2012
Hearing Date: April 24, 2012
Fiscal: Yes
Urgency: No
SK
SUBJECT
Privacy: Genetic Information
DESCRIPTION
This bill would enact the Genetic Information Privacy Act, which
would permit genetic information to be obtained, analyzed,
retained, or disclosed as long as the individual to whom the
information pertains has provided a written authorization. This
bill would specify the information that must be included in the
authorization and impose various civil penalties to be paid to
the individual to whom the information pertains for a violation
of the bill's provisions, as specified. This bill contains
several exceptions to its provisions.
BACKGROUND
Genetic testing is a sophisticated technique used to test for
genetic disorders. More recently, direct-to-consumer genetic
testing has allowed individual consumers to provide genetic
samples in order to test for genetic disorders, identify their
ancestry, or take part in research studies. But this testing
has not come without controversy and concerns. A 2010 report by
the General Accounting Office (GAO), entitled
"Direct-to-Consumer Genetic Tests: Misleading Test Results are
Further Complicated by Deceptive Marketing and Other
Questionable Practices," found test results that were
"misleading and of no practical use. For example, GAO's donors
often received disease risk predictions that varied across the
four companies, indicating that identical DNA samples yield
contradictory results." (General Accounting Office, Highlights,
Direct-to-Consumer Genetic Tests: Misleading Test Results are
Further Complicated by Deceptive Marketing and Other
Questionable Practices (July 22, 2010) [as of Apr. 19, 2012].) Furthermore, and
the subject of this bill, the GAO found egregious examples of
deceptive marketing, including two companies who "told GAO's
fictitious consumer that she could secretly test her fiancé's
DNA to 'surprise' him with test results," despite the fact that
surreptitious genetic testing is restricted in many states.
In 2009, two reporters from New Scientist demonstrated that it
was possible to bypass and ignore consent requirements of
certain companies and submit someone else's DNA for testing.
Their article detailing the experience stated:
The terms and conditions for the deCODEme service state that
someone submitting DNA must have the legal authority to do so,
and that the sample must be taken from the cheek. We wanted
to test whether deCODEme is vulnerable to abuse from someone
prepared to ignore these terms, so Michael pipetted some of
Peter's DNA onto deCODEme's swabs and sent them off for
analysis under his own name. As far as Decode was concerned,
it was a sample of Michael's DNA taken by swabbing his own
cheek. . . . [The reporters submitted a sample to another
company.] This company also has terms and conditions
specifying that customers must have the necessary consents and
approvals to submit samples. Mimicking a hacker who would be
willing to ignore these terms, Michael submitted the amplified
DNA for scanning. . . . Both of these back-up plans worked.
In addition, a report by the Genetics and Public Policy Center
found "10 states that restrict surreptitious collection,
analysis, and/or disclosure for both health- and non-health
related purposes, 15 states that restrict surreptitious testing
for health-related purposes only, six states with restrictions
in the context of court-ordered parentage proceedings, and two
states with employment-related restrictions only." (Genetics and
Public Policy Center, State laws pertaining to surreptitious DNA
testing (Jan. 21, 2009)
[as of Apr. 19, 2012].)
Federal and state laws offer various protections for genetic
testing. For example, in 2008, Congress enacted the federal
Genetic Information and Nondiscrimination Act (GINA), which
prohibits discrimination in group health plan coverage and
employment based on genetic information. Last year, the
Legislature passed and the Governor signed SB 559 (Padilla, Ch.
261, Stats. 2011), which prohibited discrimination under the
Unruh Civil Rights Act and the Fair Employment and Housing Act
(FEHA) on the basis of genetic information. In 2009, SB 482
(Padilla), sponsored by 23andMe, was introduced to relate to
direct-to-consumer genetic testing. Under existing law, the
Department of Public Health has required companies that provide
for direct-to-consumer genetic testing to be licensed as
clinical laboratories. SB 482, which would have specifically
provided that such companies are not clinical labs and therefore
not subject to requirements for those laboratories and instead
would have established a separate regulatory scheme, died in
this committee.
This bill would permit genetic information to be obtained,
analyzed, retained, or disclosed with the written authorization
of the individual to whom the information pertains.
(This analysis reflects author's amendments to be offered in
Committee.)
CHANGES TO EXISTING LAW
Existing law, the California Constitution, provides that all
people have inalienable rights, including the right to pursue
and obtain privacy. (Cal. Const., art. I, Sec. 1.)
Existing law prohibits discrimination under the Unruh Civil
Rights Act and the Fair Employment and Housing Act (FEHA) on the
basis of genetic information. (Civ. Code Sec. 51 and Gov. Code
Sec. 12920 et seq.)
Existing federal law prohibits, under the Genetic Information
and Nondiscrimination Act (GINA), discrimination in group health
plan coverage and employment based on genetic information.
(Pub. Law 110-233.)
Existing law provides for the following penalties concerning the
disclosure of genetic tests:
- any person who negligently discloses results of a test for a
  genetic characteristic to any third party, in a manner which
  identifies or provides identifying characteristics of the
  person to whom the test results apply, except as specified,
  shall be assessed a civil penalty in an amount not to exceed
  $1,000 plus court costs, as determined by the court, which
  penalty and costs shall be paid to the subject of the test;
- any person who willfully discloses the results of a test for a
  genetic characteristic to any third party, in a manner which
  identifies or provides identifying characteristics of the
  person to whom the test results apply, except as specified,
  shall be assessed a civil penalty in an amount not less than
  $1,000 and no more than $5,000 plus court costs, as determined
  by the court, which penalty and costs shall be paid to the
  subject of the test;
- any person who commits any of the above two acts shall be
  liable to the subject for all actual damages, including
  damages for economic, bodily, or emotional harm which is
  proximately caused by the act;
- any person who willfully or negligently discloses the results
  of a test for a genetic characteristic to a third party, in a
  manner which identifies or provides identifying
  characteristics of the person to whom the test results apply,
  except as specified, which results in economic, bodily, or
  emotional harm to the subject of the test, is guilty of a
  misdemeanor punishable by imprisonment in a county jail for a
  period not to exceed one year, by a fine of not to exceed
  $10,000, or by both that fine and imprisonment; and
- each disclosure made in violation of this section is a
  separate and actionable offense. (Ins. Code Sec. 10149.1.)
This bill would provide that genetic information is protected by
the constitutional right of privacy and would specify that
genetic information shall not be obtained, analyzed, retained,
or disclosed without the written authorization of the individual
to whom the information pertains pursuant to the bill.
This bill would require that the written authorization:
- be written in plain language in typeface no smaller than
  14-point type;
- be dated and signed by the individual to whom the information
  pertains or a person authorized to act on behalf of the
  individual; and
- be a separate document, not attached to any other document,
  and may not be more than one page.
This bill would require any person who obtains, analyzes,
retains, or discloses the genetic information of an individual
to use a statutory notice form to obtain the authorization of
the individual to whom the information pertains so that the
individual may make a decision and provide direction regarding
the use of his or her genetic information. That form would
require the following information:
- the types of persons who are authorized to obtain, analyze,
  retain, or disclose genetic information about the individual;
- the nature of the genetic information that the individual is
  authorizing to be obtained, analyzed, retained, or disclosed;
- the name of the person or persons authorized to obtain,
  analyze, retain, or disclose the information and his or her
  function;
- the purpose for which the information is collected;
- a statement that the authorization shall remain valid for as
  long as it takes to carry out the purpose;
- whether the genetic information will remain identifiable or
  will be made nonidentifiable; and
- if the information is retained, the manner in which the
  information shall be stored.
This bill would require that the form notify the individual that
he or she has the right to limit the purpose for which his or
her genetic information is used and, once the purpose is
fulfilled, the genetic information and sample must be destroyed.
The statutory form created by this bill would also permit the
individual to authorize the use of his or her genetic
information for research purposes or for commercial purposes and
permit him or her to limit the purpose. The form would permit
the individual to limit access to his or her genetic information
to certain people specified by the individual.
This bill would provide that any person who obtains, analyzes,
retains, or discloses the genetic information of an individual
may not obtain, analyze, retain, or disclose that genetic
information for any purpose other than the purpose authorized by
the individual to whom the information pertains.
This bill would provide that once the specific purpose
authorized by the individual to whom the genetic information
pertains has been fulfilled, the individual's genetic
information and DNA sample shall be destroyed.
This bill would specify that genetic information may be
obtained, analyzed, retained, or disclosed without the
authorization provided in the bill in the following instances
provided that the entity may obtain, analyze, retain, or
disclose the information only for the specified purposes
indicated, and any use for any other purpose is subject to the
authorization required by the bill:
- a law enforcement official in the execution of his or her
  official duties consistent with existing law;
- a hospital, laboratory, or physician carrying out
  court-ordered tests for genetic information;
- a licensed health care professional in medical emergencies;
- a coroner or medical examiner in the execution of his or her
  official duties consistent with existing law; and
- any screening of newborn infants required by state or federal
  law.
This bill would provide that disaggregated and anonymized data
that was collected before the enactment of this bill may be
obtained, analyzed, retained, or disclosed without the required
authorization.
This bill would specify that disaggregated and anonymized data
may be obtained, analyzed, retained, or disclosed if written
authorization required by the bill is obtained and the data is
used for a purpose authorized by the individual to whom the
information pertains.
This bill would provide that any person who negligently violates
the bill's authorization requirement shall be assessed a civil
penalty not to exceed $1,000 plus court costs, which shall be
paid to the individual to whom the genetic information pertains.
This bill would specify that any person who willfully violates
the bill's authorization requirement shall be assessed a civil
penalty in an amount not less than $1,000 and not more than
$5,000 plus court costs, which shall be paid to the individual
to whom the genetic information pertains.
This bill would provide that, in addition to the penalties
above, a person who commits an act described in the above two
penalty provisions shall be liable to the person to whom the
genetic information pertains for all actual damages, including
damages for economic, bodily, or emotional harm which is
proximately caused by the act.
This bill would provide that any person who willfully or
negligently violates the bill's authorization requirement and
the violation results in economic, bodily, or emotional harm to
the individual to whom the genetic information pertains is
guilty of a misdemeanor punishable by a fine not to exceed
$10,000.
This bill would provide that each violation of the bill is a
separate and actionable offense.
This bill contains definitions of the following terms:
"anonymized," "DNA sample," "genetic characteristic," "genetic
information," "genetic service," "genetic test," and "person,"
as specified.
COMMENT
1. Stated need for the bill
The author writes:
While these advances in technology have led to the ease of
deciphering personal genetic information, they also give rise
to the potential for misuse of genetic information. For
example, in 2009, two reporters from New Scientist magazine
successfully had their sample DNA tested and analyzed without
consent. In 2010, the U.S. Government Accountability Office
released a study that illustrated examples of genetic testing
companies who were willing to test DNA without the consent of
the person to whom the genetic information belonged. The
potential motives for wanting to obtain such information could
give rise to a genetic McCarthyism as was noted in a November
2008 article from the New England Journal of Medicine. Given
that traces of our DNA and genetic information are left behind
on numerous types of discarded items, this threat is very
real.
2. This bill would permit genetic information to be obtained,
analyzed, retained, or disclosed with written authorization of
the individual to whom the information pertains
Under this bill, genetic information could be obtained,
analyzed, retained, or disclosed as long as the individual to
whom the information pertains has provided a written
authorization. The author's amendments clarify the bill's
provisions and provide an individual with a clear opportunity to
authorize the use of his or her genetic information for
particular purposes, as described in more detail below.
Importantly, the amendments also create substantive protections
which are necessary given that sometimes consent can be
fraudulent. This is evidenced by the experience of the two New
Scientist reporters, described in the Background and noted by
the author, who simply ignored consent requirements. If consent
requirements can be ignored, substantive provisions become
increasingly important as detailed below.
a. Statutory notice form
From a policy standpoint, permitting genetic information to be
obtained, analyzed, retained, or disclosed provided that the
individual to whom the information pertains has given his or
her authorization raises the question of how best to ensure
that individual is making a fully informed decision. Given
that DNA is unique to every individual, it is critically
important that people know where their information is going,
for what purposes it is being used, and what happens to their
information after that purpose is fulfilled. The statutory
notice form in this bill is intended to achieve this goal.
This bill would require that any person who obtains, analyzes,
retains, or discloses the genetic information of an individual
must use a statutory notice form to obtain the authorization
of the individual to whom the information pertains so that the
individual may make a decision and provide direction regarding
the use of his or her genetic information. That form would
contain specified information, including the types, names, and
functions of persons who are authorized to obtain, analyze,
retain, or disclose genetic information about the individual;
the nature of the genetic information that the individual is
authorizing to be obtained, analyzed, retained, or disclosed;
and the purpose for which the information is collected.
The form would also contain important information to help the
individual make a decision and direct the use of his or her
genetic information, including a statement that the
authorization shall remain valid for as long as it takes to
carry out the purpose and a notification that the individual
has the right to limit the purpose for which his or her
genetic information is used and, once the purpose is
fulfilled, the genetic information and sample must be
destroyed. The form also permits the individual to authorize
the use of his or her genetic information for research
purposes or for commercial purposes.
b. Purpose limitation and destruction of information after
purpose fulfilled
This bill would require that the written authorization specify
the purpose for which the information is collected. This bill
would also prohibit any person who obtains, analyzes, retains,
or discloses the genetic information of an individual from
obtaining, analyzing, retaining, or disclosing the genetic
information for any purpose other than the purpose authorized
by the individual to whom the information pertains. This
purpose limitation, which would limit the use of the
information to the purpose for which it was collected, is a
fundamental tenet of privacy law and appears in other statutes
where personal information (often name, address, or other
information that is arguably not as unique to an individual as
his or her DNA) is permitted to be shared or disclosed for a
particular purpose. (See, e.g., Fam. Code Sec. 17528; Pub.
Util. Code Secs. 8380, 8381; Veh. Code Secs. 1808.23, 21455.5,
40248.)
This bill also would require that an individual's genetic
information and DNA sample be destroyed once the specific
purpose authorized by the individual to whom the genetic
information pertains has been fulfilled.
c. Use of genetic information for particular purposes:
commercial, research, or other purposes
Under this bill, the statutory authorization that must be used
to obtain an individual's authorization to obtain, analyze,
retain, or disclose his or her genetic information permits the
individual to authorize the use of his or her genetic
information for research purposes or for commercial purposes.
The form would allow the individual to limit the purpose for
which his or her genetic information is authorized to be used.
The form also would permit the individual to limit access to
his or her genetic information to certain people specified by
the individual.
In some cases, a consumer may want to give his or her genetic
information only for a limited purpose such as testing for
genetic disorders or risks or ancestry. The statutory
authorization created by this bill allows the individual to do
so. Also, some commercial genetic testing companies "include
contractual clauses that lets them use and sell their client's
genetic information to outside parties." (Keim, Genetic
protections skimp on privacy, says gene tester (May 23, 2008)
Wired [as of Apr. 15, 2012].) Under this bill, that use would not be
permitted without the individual's authorization obtained
using the statutory authorization.
d. Exemptions
Under this bill, genetic information may be obtained,
analyzed, retained, or disclosed without the statutory
authorization described above only in the following instances
provided that the specified entity may obtain, analyze,
retain, or disclose the information only for the particular
purpose indicated, and any use for any other purpose is
subject to the authorization required by the bill:
- a law enforcement official in the execution of his or
  her official duties consistent with existing law;
- a hospital, laboratory, or physician carrying out
  court-ordered tests for genetic information;
- a licensed health care professional, as defined in
  Section 56.05, in medical emergencies;
- a coroner or medical examiner in the execution of his or
  her official duties consistent with existing law; and
- any screening of newborn infants required by state or
  federal law.
In addition, the bill would provide that disaggregated and
anonymized data that was collected before the enactment of
this bill may be obtained, analyzed, retained, or disclosed
without the required authorization. This bill also would
specify that disaggregated and anonymized data may be
obtained, analyzed, retained, or disclosed if written
authorization required by the bill is obtained and the data is
used for a purpose authorized by the individual to whom the
information pertains. Both of these instances use the term
"disaggregated," which is not defined in the bill. The
author's office indicates that it is currently in discussion
with privacy groups regarding this particular term which may
need to be revised as the bill moves through the legislative
process.
In addition, the California Hospital Association has raised
questions about this bill's application to certain kinds of
information sharing and has indicated a desire to work with
the author and Committee staff as the bill moves through the
process to address any concerns.
e. Penalties
This bill would impose penalties for violation of the bill's
requirement that a written authorization first be obtained
before an individual's genetic information may be obtained,
analyzed, retained, or disclosed. Those penalties range from
negligent violations, which would be subject to a civil
penalty not to exceed $1,000 plus court costs, to willful
violations, which are subject to a civil penalty in an amount
not less than $1,000 and not more than $5,000 plus court
costs. In both cases, the penalties and costs would be paid
to the individual to whom the genetic information pertains.
This bill also would provide that, in addition to the
penalties above, a person who commits an act described in the
above two penalty provisions would be liable to the person to
whom the genetic information pertains for all actual damages,
including damages for economic, bodily, or emotional harm
which is proximately caused by the act. And, any person who
willfully or negligently violates the bill's authorization
requirement and the violation results in economic, bodily, or
emotional harm to the individual to whom the genetic
information pertains is guilty of a misdemeanor punishable by
a fine not to exceed $10,000.
These penalties are based on existing Insurance Code Section
10149.1 and, in fact, mirror those provisions which relate to
the disclosure of test results for a genetic characteristic.
Under Section 10149.1, penalties are imposed when such a
disclosure is made to any third party in a manner which
identifies or provides identifying characteristics of the
person to whom the test results apply.
Support: None Known
Opposition: None Known
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation:
SB 559 (Padilla, Ch. 261, Stats. 2011) See Background.
SB 482 (Padilla, 2009) See Background.
**************