Governor Pillen Signs Genetic Information Privacy Act
Consistent with the national trend focusing on data privacy, this Nebraska Unicameral session has considered several data privacy related bills. One in particular, LB 308 (the Genetic Information Privacy Act or “GIPA”), made its way to the Governor who signed the bill into law on February 13, 2024.
Nebraska’s GIPA applies solely to direct-to-consumer genetic testing companies that offer consumer genetic testing products or services directly to Nebraska residents, or collect, use, or analyze genetic data provided to the company by a Nebraska resident that resulted from a direct-to-consumer genetic testing product or service. Entities solely engaged in collecting, using, or analyzing genetic data or biological samples in the context of research, as defined under federal law, are explicitly excluded from GIPA.
GIPA broadly defines “genetic data” as any data that concerns a consumer’s genetic characteristics, including:
- Raw sequence data that results from sequencing of a consumer’s complete extracted DNA or a portion of the extracted DNA;
- Genotypic and phenotypic information that results from analyzing the raw sequence data; and
- Self-reported health information that a consumer submits to a company regarding the consumer’s health conditions and that is used for research and development and analyzed in connection with the consumer’s raw sequence data.
GIPA does not apply to de-identified data that cannot reasonably be used to infer information about, or otherwise be linked to an identifiable consumer when certain safeguards are in place. Importantly, GIPA also does not apply to protected health information collected by a covered entity or business associate governed by HIPAA.
Under GIPA, direct-to-consumer genetic testing companies must:
- Provide clear and complete information regarding the company’s policies and procedures for collection, use, or disclosure of genetic data;
- Obtain express consumer consent for collection, use, or disclosure of the consumer’s genetic data;
- Require a court order before disclosing genetic data to any government agency, without the consumer’s express written consent;
- Develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data from unauthorized access, use or disclosure; and
- Provide a process for Nebraska residents to:
- Access their data;
- Delete their account and data; and
- Request and obtain written documentation verifying the destruction of the consumer’s biological sample.
There is no private right of action for violations of GIPA, but the Attorney General may bring an action against violators of GIPA. Violators risk a civil penalty of $2,500 for each violation, in addition to any actual damages incurred by the affected consumer, and costs and reasonable attorney’s fees incurred by the Attorney General.