California Expands Consumer Protections for Genetic Testing

We know you care about privacy, and we’ve been working hard to deliver on our promises of transparency and choice, even beyond your experience at 23andMe. 

This is why we’re excited to share that California recently enacted a new law to protect consumers’ genetic data privacy. We have worked hard with the Coalition for Genetic Data Protection to make this happen in California, as well as Utah and Arizona earlier this year, and we hope to see this legislation become a model for genetic privacy legislation nationally.

We fundamentally believe that it’s our responsibility to protect our customers’ data and ensure their privacy,” said Jacquie Cooke Haggarty, deputy general counsel, and privacy officer at 23andMe.  

We believe every consumer deserves the same level of genetic data privacy, and California’s new Genetic Information Privacy Act (“GIPA”), signed by Governor Newsom on October 6, 2021, builds on industry best practices and existing consumer privacy protections adopted by the state two years ago under the California Consumer Privacy Act (“CCPA”). GIPA requires genetic testing services to provide consumers with transparency and choice, which are 23andMe’s core privacy principles that have guided our privacy program from the beginning. 

That trust is built on a foundation of transparency and choice — our customers know that they are always in control of their data,” Jacquie said.

In 2018, 23andMe joined forces with the non-profit Future of Privacy Forum and worked alongside other personal genetic testing companies, including Ancestry.com and Helix, to develop the Privacy Best Practices for Consumer Genetic Testing Services. The best practices offer a framework for protecting consumer genetic data, as well as guidelines for the collection, protection, sharing, and use of genetic data generated from consumer genetic testing. 

Now all consumers in California, Utah, and Arizona will be afforded the same level of privacy protection regardless of whether the genetic testing company with which they tested adheres to the best practices or not. Importantly, genetic testing companies include those that provide genetic interpretation services, too.   

The California, Utah, and Arizona laws include many of the same protections that 23andMe has long offered its customers, including:

  • Requiring separate express consent for genetic data to be: 
    • used for scientific research purposes
    • shared with a third party
    • used for marketing purposes
  • If a customer opts in to research, offering a simple way to opt-out of research at any time
  • Giving customers a clear and easy way to close their accounts and delete their data, if they choose
  • Requiring destruction of a customer’s biological sample within 30 days of the customer’s request 
  • Prohibiting genetic testing companies from sharing genetic data with employers or providers of insurance for any reason
  • Requiring genetic testing companies to provide clear and complete information about their privacy practices and protocols

You can learn more about 23andMe’s privacy policies here.