Search genetic

Last month, Nebraska passed the Nebraska Data Privacy Act (NDPA), making it the latest state to enact comprehensive privacy legislation. Nebraska joins California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Maryland. The law will take effect on January 1, 2025.

The NDPA applies to entities that conduct business in Nebraska or produce products or services consumed by Nebraska residents and that process or sell personal data of Nebraska residents. Similar to other state consumer privacy laws, the NDPA exempts nonprofits, government entities, financial institutions, and protected health information under the Health Insurance Portability and Accountability Act.

Consumers are granted the following rights under the NDPA: rights of access, deletion, portability, and correction; the right to opt-out of targeted advertising; and the sale of personal data, and/or automated profiling. Similar to the California Consumer Privacy Act, the NDPA defines the “sale of personal data” as “the exchange of personal data for monetary or other valuable consideration.” The NDPA also requires businesses to obtain consent before processing consumer-sensitive data. Sensitive data includes personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify individuals, personal data collected from a known minor, and precise geolocation data.

Lastly, the NDPA will require businesses to conduct Data Protection Impact Assessments for all processing activities that involve targeted advertising, the sale of personal data, some types of profiling, the processing of sensitive data, or that otherwise present a heightened risk of harm to the consumer.

If the NDPA applies to your business, the business is subject to enforcement by the Nebraska Attorney General, but there is a 30-day right to cure violations of the NDPA that does not sunset.

The Federal Trade Commission (FTC) and the California Attorney General teamed up against California company CRI Genetics, LLC, filing a joint complaint against the company alleging that it engaged in deceptive practices when it “deceived consumers about the accuracy of its test reports compared with those of other DNA testing companies, falsely claimed to have patented an algorithm for its genetic matching process, and used fake reviews and testimonials on its websites.” In addition, the complaint alleged that CRI “used ‘dark patterns’ in its online billing process to trick consumers into paying for products they did not want and did not agree to buy.”

CRI agreed to pay a $700,000 civil penalty to settle the action, and agreed to change its marketing practices so it does not misrepresent that: its DNA testing product or service is more accurate or detailed than others; it can show the geographic location of ancestors “with a 90 percent or higher accuracy rate”; or it will show “exactly where consumers’ ancestors came from or exactly when or where they arrived, among others.

The proposed order also requires CRI to disclose the costs of products and services to consumers, obtain consent from consumers about how it may share DNA information, and delete the genetic and other information of consumers who received refunds and requested that their data be deleted.

The full FTC unanimously authorized the proposed order which will now be presented to a federal judge for approval.

We previously reported on the unfortunate data breach suffered by 23andMe last month and its implications. We never imagined how horrible it could be.

According to an October 6, 2023, posting by Wired earlier that week, hackers involved with the 23andMe breach posted “an initial data sample on the platform BreachForums…claiming that it contained 1 million data points exclusively about Ashkenazi Jews…and starting selling 23andMe profiles for between $1 and $10 per account.”

Several days later, it was reported that “another user on BreachForums claimed to have the 23andMe data of 100,000 Chinese users.”

The implications of posting account information, including potential genetic information of users for political or hateful reasons is real and happening in real time. According to news reports, the war in Gaza “is stoking antisemitism in the U.S.” and across the world. Preliminary data from the Anti-Defamation League shows a 388% jump of antisemitic incidents in the U.S. since Hamas’ attack on Israel on October 7, 2023.  

If you are a 23andMe user, it is important to find out for your safety and well being whether your genetic data was compromised and is posted by extremist threat actors. The Electronic Frontier Foundation published an article, “What to Do if You’re Concerned About the 23andMe Breach” providing more information about the background of the breach, the selling of information, and what you can do to protect yourself further, including deleting your data.

We have published blog posts before on sharing genetic information and the risk associated with the disclosure of such sensitive information.

Unfortunately, our concerns have been realized. On Monday, October 9, 2023, 23andMe confirmed that its investigation into a data security incident involving customer profile information shared through its DNA Relatives feature “was compiled from individual 23andMe.com accounts without the account users’ authorization” by threat actors.

Although its investigation continues, 23andMe is “requiring that all customers reset their passwords and are encouraging the use of multi-factor authentication (MFA).”

The company recommends that its customers take action to keep their account and password secure. It recommends:

  • Confirm you have a strong password, one that is not easy to guess and that is unique to your 23andMe account. If you are not sure whether you have a strong password for your account, reset it.
  •  Enable multi-factor authentication (MFA) on your 23andMe account.
  • Review its Privacy and Security Checkup page with additional information on how to keep your account secure.

We will follow this incident closely. In the meantime, if you or a family member has provided genetic information to 23andMe, you may wish to consider changing your password, telling your family members to do the same and follow the recommendations of 23andMe.

Nevada Governor Joe Lombardo recently signed into law a sweeping and restrictive consumer health data privacy law that requires covered entities (defined as any person who conducts business in the state or produces or provides products or services that are targeted to consumers in Nevada) to provide privacy rights to consumers who provide health data to companies not covered by other laws that apply to health care providers.

The broad law defines “consumer health data”, as “personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present or future health status of the consumer,” and includes a long list of data elements including health condition, status, disease or diagnosis, social psychological, behavioral or medical intervention, surgeries, use or acquisition of medication, bodily functions, vital signs or symptoms, reproductive or sexual health care, gender-affirming care, biometric data, genetic data, precise geolocation data, and any data that is derived or extrapolated from information that is not consumer health data through an algorithm, machine learning, or any other means, but excludes shopping habits and gaming information.

The law requires covered entities to make available to consumers a privacy policy on the internet regarding its privacy of consumer health data, prohibits an entity from collecting or sharing consumer health data without affirmative, voluntary consent of a consumer, requires the entity to establish a process to obtain access to (and an appeal process for responding to) consumer requests, limits the entity from processing the data, prohibits entities from selling consumer health data, prohibits geofencing and prohibits discrimination against individuals for exercising their rights under the law. The law provides for a civil penalty of not more than $5,000 per violation and includes criminal provisions. It becomes effective on March 31, 2024.

Effective Date: January 1, 2023 

Your Rights and Choices

The California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively the “CCPA”) provides California residents with specific rights regarding their personal information. In addition to our Privacy Policy, https://www.rc.com/california-privacy-rights, this webpage further describes your CCPA rights and explains how to exercise

Bloomberg reported this week that the first comprehensive federal privacy bill of the year was introduced by Representative Suzan DelBene (D-Washington). The bill is known as the Information Transparency and Personal Data Control Act. The key concept of the bill is to protect sensitive personal information, which includes data relating to financial, health, genetic, biometric, geolocation, sexual orientation, citizenship and immigration status, social security numbers, and religious beliefs. This means that companies would need to have opt-in consent from consumers before such sensitive information could be used or disclosed. The bill also provides protections for the information of children under 13 years of age. According to her press materials, Rep. DelBene states that the key elements of the bill are:

  • Plain English: Requires companies to provide their privacy policies in “plain English.”
  • Opt-in: Allows users to “opt-in” before companies can use their most sensitive private information in ways they might not expect.
  • Disclosure: Increases transparency by requiring companies to disclose if and with whom their personal information will be shared and the purpose of sharing the information.
  • Preemption: Creates a unified national standard and avoids a patchwork of different privacy standards by preempting conflicting state laws.
  • Enforcement: Gives the Federal Trade Commission (FTC) strong rulemaking authority to keep up with evolving digital trends and the ability to fine bad actors on the first offense. Empowers state attorneys general to also pursue violations if the FTC chooses not to act.
  • Audits: Establishes strong “privacy hygiene” by requiring companies to submit privacy audits every two (2) years from a neutral third party.

The bill requires that data controllers shall provide users with the ability to opt out at

any time for the collection, transmission, storage,  processing, selling, sharing, or other use of non-sensitive personal information, including sharing with third parties. The bill has no private right of action and would increase both the staffing and budget of the Federal Trade Commission. We will continue to monitor this legislation as well as other pending state legislative privacy bills.

The California Privacy Rights Act (CPRA) expands the definition of personal information as it currently exists in the California Consumer Privacy Act (CCPA). The CPRA adds “sensitive personal information” as a defined term, which means:

(l) personal information that reveals:

(A) a consumer’s social security, driver’s license, state identification card, or passport number;

(B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;

(C) a consumer’s precise geolocation;

(D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership;

(E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;

(F) a consumer’s genetic data; and

(2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer;

(B) personal information collected and analyzed concerning a consumer’s health; or

(C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

This is perhaps the broadest definition of personal information in the country as it now includes entirely new classes of personal information such as racial, ethnic origin, religious or philosophical beliefs or union membership, the content of a consumer’s mail, email and text messages, genetic data, biometric data, and data collected and analyzed concerning a consumer’s health or sex life or sexual orientation.

What does this mean for a business that is covered by the CPRA? In a previous post, we provided a detailed overview of  the CPRA, but suffice it to say that if the business had to comply with CCPA, it also will likely be covered by CPRA. Given this new definition of sensitive personal information, one of the first steps in thinking about CPRA compliance will be to think about data mapping to determine whether the business collects any of these new categories of sensitive personal information. The CPRA is still very much a consumer-focused law with the goal of expanding consumer knowledge about the types of personal information businesses collect about consumers and how that personal information is used, sold, or shared. It will be a critical first step for businesses to understand the data and personal information they collect about consumers and whether they collect any sensitive personal information under this new definition.

Proposition 24 is known as the California Privacy Rights Act of 2020 (CPRA). It is on the ballot in California on November 3, and if it passes it will amend and expand certain provisions of the California Consumer Privacy Act (CCPA). Some say it’s CCPA 2.0, however, there are some provisions that make the CPRA look more like the General Data Protection Regulation (GDPR) – the European data regulation that reshaped privacy rights in the European Union. Two provisions in particular are very GDPR-like; specifically, the creation of the California Privacy Protection Agency (CPPA), which will become the regulator charged with implementing and enforcing both the CCPA and CPRA, and the expanded definition of sensitive personal information. CPRA would become effective Jan. 1, 2023, with an enforcement date of July 1, 2023. Here are some key highlights of Proposition 24.

What’s new for California consumers in CPRA? CPRA creates a new category of data, similar to GDPR, for sensitive personal information. CPRA also adds several new rights for consumers:

  • to restrict the use of sensitive personal information;
  • to correct inaccurate personal information;
  • to prevent businesses from storing data longer than necessary;
  • to limit businesses from collecting more data than necessary;
  • to know what personal information is sold or shared and to whom, and to opt out of that sale or sharing of personal information;
  • CPRA expands the non-discrimination provision to prevent retaliation against an employee, applicant for employment, or independent contractor for exercising their privacy rights.

What do businesses need to know regarding CPRA? It creates a new data protection agency with regulatory authority for enforcement of both CCPA and CPRA. Some new key provisions for businesses are:

  • the CPRA creates a Chief Auditor, who will have the authority to audit businesses data practices;
  • the CPRA also requires high risk data processors to perform regular cybersecurity audits and regular risk assessments;
  • the CPRA adds provisions regarding profiling and automated decision making;
  • the CPRA adds restrictions on transfer of personal information;
  • the CPRA requires businesses that sell or share personal information to provide notice to consumers and a separate link to the “Do Not Sell or Share My Personal Information” webpage and a separate link to the “Limit the Use of My Sensitive Personal Information” webpage or a single link to both choices;
  • the CPRA triples the fines set forth in CCPA for collecting and selling children’s private information and requires opt-in consent to sell personal information of consumers under the age of 16;
  • the CPRA expands the consumer’s private right of action to include a breach of a consumer’s email address and password/security question and answer.

The CPRA also changes the definition of “business” to more clearly define the annual period of time to determine annual gross revenues, which specifies that a business must comply with CPRA if, “as of January 1 of the calendar year,” the business had annual gross revenues in excess of twenty-five million dollars “in the preceding calendar year,” or alone or in combination annually buys or sells or shares the personal information of 100,000 or more consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

In addition to these criteria, CPRA adds somewhat puzzling language that states that a business would also be defined in the CPRA as a person that does business in California, that is not covered by one of the criteria described above, who may voluntarily certify to the California Privacy Protection Agency that it is in compliance with and agrees to be bound by CPRA.

The CPRA adds the new term “contractor” in addition to service provider. A contractor is a person to whom the business makes available a consumer’s personal information for a business purpose pursuant to a written contract with the business. The CPRA contains specific provisions to be included in the contract terms, and the contract must include a certification that the contractor understands the restrictions and will comply with them. The CPRA adds several new definitions, including definitions for cross-context behavioral advertising, dark pattern, non-personalized advertising, and profiling, and makes some changes to the definition of personal information. The CPRA eliminates some of the CCPA language regarding the “categories” of personal information.

The CPRA also adds “sensitive personal information” as a defined term which means:

(l) personal information that reveals: (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; (F) a consumer’s genetic data; and (2) (A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

The CPRA retains the CCPA exemptions for medical information governed by the California Confidentiality of Medical Information Act or protected health information collected by a covered entity or business associate under HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act), personal information collected as part of a clinical trial or other biomedical research study, activity involving the collection of personal information bearing on a consumer’s credit worthiness, and personal information collected, processed, sold or disclosed subject to the Gramm-Leach-Bliley Act or the federal Driver’s Privacy Protection Act of 1994.

The CCPA’s limited exemptions for employment information and so-called business-to-business information are also continued in the CPRA, however these provisions shall expire on January 1, 2023.

The CPRA provides authority for the CPPA to create extensive regulations, including a requirement for regulation of businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to: (A) perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent; and (B) to submit to the CPPA on a regular basis a risk assessment with respect to the processing of personal information.

The private right of action under CPRA is expanded to include that consumers whose email address in combination with a password or security question and answer that would permit access to the account be able to institute a civil action and to recover damages or other injunctive relief. The CCPA 30-day cure period after notice of a breach is eliminated and administrative fines for violation of the CPRA increase to not more than $2,500 for each violation or $7,500 for each intentional violation or violations involving the personal information of consumers that the business has actual knowledge is under 16 years of age. The CPPA will have broad powers of investigation and enforcement for violations of the CPRA.

We will follow the progress of Proposition 24 on election day and provide an update here next week.

The California Privacy Rights Act (CPRA) recently qualified for the November 2020 ballot, and if California voters approve this initiative, the CPRA will expand the rights of California residents under the current (stringent) California Consumer Privacy Act (CCPA), beginning on January 1, 2023.

So what will change under the CPRA?

  1. Creation of the California Privacy Protection Agency (CPPA): If the CPPA is created, it would be the first of its kind in the United States. The CPPA would be governed by a five-member board that would have full administrative power, authority and jurisdiction to implement and enforce the CCPA (instead of the California Attorney General).
  2. Stricter Definitions: CPRA defines “sensitive personal information” more strictly than “personal information;” “sensitive personal information” includes government-issued identifiers (i.e., Social Security numbers, driver’s license numbers, passport numbers), account credentials, financial information, precise geolocation, race or ethnic origin, religious beliefs, contents of certain types of messages (i.e., mail, e-mail, text), genetic data, biometric information, and other types of information.

The CPRA also would create new obligations for companies and organizations processing sensitive personal information. It also would allow consumers to limit the use and disclosure of their sensitive personal information.

The CPRA would also expand consumer rights under the CCPA. Specifically, under the CPRA, consumers would have the right to:

  1. Correct personal information;
  2. Know the length of data retention;
  3. Opt-out of advertisers using precise geolocation; and,
  4. Restrict usage of sensitive personal information.

The CPRA also would extend the moratorium related to employee data until January 1, 2023; currently, under the CCPA, employee data are not covered until January 1, 2021. Note that California AB-1281, which was enrolled on September 1, 2020, extends the current exemption for employee data to January 1, 2022 in the event that the CPRA is not voted into law.

Lastly, in addition to the private right of action for data breaches under the CCPA, the CPRA would expand this private right of action to include the unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security safeguards.

While many companies are still grappling with the nuances of the CCPA, if the CPRA gets the green light from voters in November, it will bring yet another wave of compliance issues and implementation of new policies, procedures and processes for many businesses in and outside of the California. We will watch this ballot question closely as we near the November election.