Bill Text: TX HB2545 | 2023-2024 | 88th Legislature | Comm Sub
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Relating to an individual's genetic data, including the use of that data by certain genetic testing companies for commercial purposes and the individual's property right in DNA; authorizing a civil penalty.
Spectrum: Slight Partisan Bill (Republican 5-2)
Status: (Passed) 2023-06-17 - Effective on 9/1/23 [HB2545 Detail]
Download: Texas-2023-HB2545-Comm_Sub.html
Bill Title: Relating to an individual's genetic data, including the use of that data by certain genetic testing companies for commercial purposes and the individual's property right in DNA; authorizing a civil penalty.
Spectrum: Slight Partisan Bill (Republican 5-2)
Status: (Passed) 2023-06-17 - Effective on 9/1/23 [HB2545 Detail]
Download: Texas-2023-HB2545-Comm_Sub.html
| 88R21251 JES-F | |||
| By: Capriglione, Harris of Williamson, | H.B. No. 2545 | ||
| Oliverson | |||
| Substitute the following for H.B. No. 2545: | |||
| By: González of Dallas | C.S.H.B. No. 2545 | ||
|
|
||
|
|
||
| relating to the use of an individual's genetic data by certain | ||
| genetic testing companies for commercial purposes; authorizing a | ||
| civil penalty. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Subtitle A, Title 11, Business & Commerce Code, | ||
| is amended by adding Chapter 503A to read as follows: | ||
| CHAPTER 503A. DIRECT-TO-INDIVIDUAL GENETIC TESTING COMPANIES | ||
| Sec. 503A.001. DEFINITIONS. In this chapter: | ||
| (1) "Biological sample" means a material part of the | ||
| human body, or a discharge or derivative part of the body, including | ||
| tissue, blood, urine, or saliva that is known to contain DNA. | ||
| (2) "Deidentified data" means data not reasonably | ||
| linked to and that cannot reasonably be used to infer information | ||
| about an identifiable individual. | ||
| (3) "Direct-to-individual genetic testing company" | ||
| means an entity that: | ||
| (A) offers genetic testing products or services | ||
| directly to individuals; or | ||
| (B) collects, uses, or analyzes genetic data that | ||
| results from a direct-to-individual genetic testing product or | ||
| service and that an individual provides to the entity. | ||
| (4) "DNA" means deoxyribonucleic acid. | ||
| (5) "Express consent" means an individual's | ||
| affirmative response to a clear and meaningful notice regarding the | ||
| collection, use, or disclosure of genetic data for a specific | ||
| purpose. | ||
| (6) "Genetic data" means any data, regardless of | ||
| format, concerning an individual's genetic characteristics. The | ||
| term: | ||
| (A) includes: | ||
| (i) raw sequence data derived from | ||
| sequencing all or a portion of an individual's extracted DNA; | ||
| (ii) genotypic and phenotypic information | ||
| obtained from analyzing an individual's raw sequence data; and | ||
| (iii) health information regarding the | ||
| health conditions that an individual self-reports to a company and | ||
| that the company: | ||
| (a) uses for scientific research or | ||
| product development; and | ||
| (b) analyzes in connection with the | ||
| individual's raw sequence data; and | ||
| (B) does not include deidentified data. | ||
| (7) "Genetic testing" means a laboratory test of an | ||
| individual's complete DNA, regions of DNA, chromosomes, genes, or | ||
| gene products to determine the presence of the individual's genetic | ||
| characteristics. | ||
| (8) "Person" means an individual, partnership, | ||
| corporation, association, business, or business trust or the legal | ||
| representative of an organization. | ||
| Sec. 503A.002. APPLICABILITY. (a) This chapter applies to | ||
| a direct-to-individual genetic testing company that: | ||
| (1) offers its products or services to individuals who | ||
| are residents of this state; or | ||
| (2) collects, uses, or analyzes genetic data that | ||
| results from the company's products or services and was provided to | ||
| the company by an individual who is a resident of this state. | ||
| (b) This chapter does not apply to: | ||
| (1) an entity only when they are engaged in | ||
| collecting, using, or analyzing genetic data or biological samples | ||
| in the context of research, as defined by 45 C.F.R. Section 164.501, | ||
| that is conducted in accordance with: | ||
| (A) the federal policy for the protection of | ||
| human subjects (45 C.F.R. Part 46); | ||
| (B) the good clinical practice guidelines issued | ||
| by the International Council for Harmonisation of Technical | ||
| Requirements for Pharmaceuticals for Human Use (ICH); or | ||
| (C) the United States Food and Drug | ||
| Administration policy for the protection of human subjects (21 | ||
| C.F.R. Parts 50 and 56); | ||
| (2) genetic data that is protected health information | ||
| collected by a covered entity or business associate, as defined by | ||
| 45 C.F.R. Part 160, subject to the privacy, security, and breach | ||
| notification rules under the Health Insurance Portability and | ||
| Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.); or | ||
| (3) an institution of higher education or a private or | ||
| independent institution of higher education, as those terms are | ||
| defined by Section 61.003, Education Code. | ||
| Sec. 503A.003. REQUIREMENTS FOR CERTAIN USES OF | ||
| DEIDENTIFIED DATA. (a) Except as otherwise provided by this | ||
| chapter or other law, a direct-to-individual genetic testing | ||
| company that possesses an individual's deidentified data shall: | ||
| (1) implement administrative and technical measures | ||
| to ensure the data is not associated with a particular individual; | ||
| and | ||
| (2) publicly commit to maintaining and using data in | ||
| deidentified form and refraining from making any attempt to | ||
| identify an individual using the individual's deidentified data. | ||
| (b) If a direct-to-individual genetic testing company | ||
| shares an individual's deidentified data with another person, the | ||
| company shall enter into a legally enforceable contractual | ||
| obligation prohibiting the person from attempting to identify an | ||
| individual using the individual's deidentified data. | ||
| Sec. 503A.004. REQUIREMENTS FOR CERTAIN USES OR DISCLOSURE | ||
| OF GENETIC DATA AND BIOLOGICAL SAMPLE. (a) A direct-to-individual | ||
| genetic testing company shall: | ||
| (1) develop, implement, and maintain a comprehensive | ||
| security program to protect an individual's genetic data against | ||
| unauthorized access, use, or disclosure; and | ||
| (2) make publicly available: | ||
| (A) a high-level privacy policy overview that | ||
| includes basic, essential information about the company's | ||
| collection, use, or disclosure of genetic data; and | ||
| (B) a prominent privacy notice that includes | ||
| information about the company's data collection, consent, use, | ||
| access, disclosure, transfer, security, retention, and deletion | ||
| practices. | ||
| (b) Before collecting, using, or disclosing an individual's | ||
| genetic data, a direct-to-individual genetic testing company shall | ||
| provide to the individual information about the company's | ||
| collection, use, and disclosure of genetic data the company | ||
| collects through a genetic testing product or service, including | ||
| information that: | ||
| (1) clearly describes the company's use of the genetic | ||
| data; | ||
| (2) specifies the persons who have access to test | ||
| results; and | ||
| (3) specifies the manner in which the company may | ||
| share the genetic data. | ||
| (c) A direct-to-individual genetic testing company shall | ||
| provide a process for an individual to: | ||
| (1) access the individual's genetic data; | ||
| (2) delete the individual's account and genetic data; | ||
| and | ||
| (3) destroy or require the destruction of the | ||
| individual's biological sample. | ||
| Sec. 503A.005. REQUIRED CONSENT. (a) A | ||
| direct-to-individual genetic testing company engaging in any of the | ||
| following activities must obtain: | ||
| (1) an individual's separate express consent for: | ||
| (A) the transfer or disclosure of the | ||
| individual's genetic data to any person other than the company's | ||
| vendors and service providers; | ||
| (B) the use of genetic data for a purpose other | ||
| than the primary purpose of the company's genetic testing product | ||
| or service; or | ||
| (C) the retention of any biological sample | ||
| provided by the individual following the company's completion of | ||
| the initial testing service requested by the individual; | ||
| (2) an individual's informed consent in accordance | ||
| with guidelines for the protection of human subjects issued under | ||
| 45 C.F.R. Part 46, for transfer or disclosure of the individual's | ||
| genetic data to a third party for: | ||
| (A) research purposes; or | ||
| (B) research conducted under the control of the | ||
| company for the purpose of publication or generalizable knowledge; | ||
| and | ||
| (3) an individual's express consent for: | ||
| (A) marketing by the company to the individual | ||
| based on the individual's genetic data; or | ||
| (B) marketing by a third party to the individual | ||
| based on the individual's ordering or purchasing of a genetic | ||
| testing product or service. | ||
| (b) For purposes of Subsection (a), "marketing" does not | ||
| include providing customized content or offers to an individual | ||
| with whom a direct-to-individual genetic testing company has a | ||
| first-party relationship on the company's Internet website or | ||
| through an application or service provided by the company to the | ||
| individual. | ||
| Sec. 503A.006. PROHIBITED DISCLOSURES. (a) A | ||
| direct-to-individual genetic testing company may not disclose an | ||
| individual's genetic data to a law enforcement entity or other | ||
| governmental body unless: | ||
| (1) the company first obtains the individual's express | ||
| written consent; or | ||
| (2) the entity or body obtains a warrant or complies | ||
| with another valid legal process required by the company. | ||
| (b) A direct-to-individual genetic testing company may not | ||
| disclose, without first obtaining an individual's written consent, | ||
| the individual's genetic data to: | ||
| (1) an entity that offers health insurance, life | ||
| insurance, or long-term care insurance; or | ||
| (2) an employer of the individual. | ||
| Sec. 503A.007. CIVIL PENALTY. (a) A direct-to-individual | ||
| genetic testing company that violates this chapter is liable to | ||
| this state for a civil penalty in an amount not to exceed $2,500 for | ||
| each violation. | ||
| (b) The attorney general may bring an action to recover a | ||
| civil penalty imposed under Subsection (a) and to restrain and | ||
| enjoin a violation of this chapter. The attorney general may | ||
| recover reasonable attorney's fees and court costs incurred in | ||
| bringing the action. | ||
| SECTION 2. The changes in law made by this Act apply only to | ||
| genetic information obtained by a direct-to-individual genetic | ||
| testing company on or after the effective date of this Act. | ||
| SECTION 3. This Act takes effect September 1, 2023. | ||
