Privacy Daily is a service of Warren Communications News.
'Growing Concern'

RI Senate Response to 23andMe Bankruptcy Lacks Teeth, Says EPIC

Rhode Island senators unanimously supported regulating consumer genetic testing services. The state's Senate voted 35-0 Thursday to pass a genetic information privacy bill (S-767). The House referred the bill to its Judiciary Committee on Friday. However, an Electronic Privacy Information Center (EPIC) attorney said Friday that the consent-based bill doesn't do enough to protect consumers.

The Rhode Island legislation is moving as many attorneys general and consumer advocates raise privacy concerns about the bankruptcy of 23andMe (see 2503240046). Some expect that significant public awareness of the biotechnology company’s bankruptcy will lead to more privacy regulation and enforcement (see 2504100033).

“Direct-to-consumer genetic testing services are largely unregulated and could expose personal and genetic information, and potentially create unintended security consequences and increased risk,” says the bill by Sen. Samuel Zurier and two other Democratic senators. “There is growing concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization. … The potential information hidden within genomic data is cause for significant concern.”

Under the bill, companies would have to obtain opt-in consent “for collection, use, and disclosure of the consumer’s genetic data, including, at a minimum, separate and express consent for” (1) using collected genetic data, (2) storage of a consumer’s biological sample after initial testing, (3) each “use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses,” (4) each transfer or disclosure of the data or sample to a third party, including the third party’s name, and (5) marketing based on the genetic data.

Also, the testing company must maintain reasonable security procedures to protect consumers’ genetic data and develop procedures so that consumers may easily access and delete their data and have their biological samples destroyed.

Additionally, S-767 would require genetic testing companies to give consumers “clear and complete information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data,” including a summary of their privacy practices in “plain language” and a “prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of this chapter.” It would also require companies to notify consumers that deidentified genetic information may be shared with or disclosed to researchers.

The bill would be enforced exclusively by the state attorney general, with possible penalties up to $1,000 for negligent violations and between $1,000 and $10,000 for willful violations.

The Rhode Island bill might not do enough to help consumers, said Suzanne Bernstein, EPIC counsel. “As 23andMe continues through bankruptcy proceedings, consumers are rightly concerned about the privacy of their highly-sensitive health and genetic data,” she emailed Friday. “To provide meaningful protections for … consumers, the Rhode Island Senate should not rely on a consent-based privacy framework and instead require direct-to-consumer testing companies like 23andMe to have strong use and purpose limitations for consumer data, including a prohibition on selling or sharing sensitive health data, like genetic data.”

“Relying on consent, even ‘affirmative authorization,’ as the bill currently would require, is an insufficient and flawed safeguard for consumers,” Bernstein said. “A 23andMe consumer could not have ever imagined, or consented to, the many ways that 23andMe, or the entity that eventually purchases their assets, could use their highly-sensitive data down the line.”