HR 2155

Version: Introduced+in+House
Author: Rep. Bobby Rush (D-IL)

H. R. 2155 (Introduced-in-House)


116th CONGRESS
1st Session
H. R. 2155


To provide for certain requirements with respect to the treatment of personally identifiable information by genetic testing services.


IN THE HOUSE OF REPRESENTATIVES

April 9, 2019

Mr. Rush introduced the following bill; which was referred to the Committee on Energy and Commerce


A BILL

To provide for certain requirements with respect to the treatment of personally identifiable information by genetic testing services.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the "Genetic Information Privacy Act of 2019".

SEC. 2. Treatment of personally identifiable information by genetic testing services.

(a) Consent required.-

(1) EXPRESS CONSENT FOR DISCLOSURE.-

(A) IN GENERAL.-A genetic testing service may not disclose personally identifiable information of a customer to a third party unless the service obtains the express consent of the customer.

(B) RELATIONSHIP TO INFORMED CONSENT REQUIREMENT.-In the case of the disclosure of genetic information for medical research, paragraph (2) applies instead of subparagraph (A).

(2) INFORMED CONSENT FOR USE OR DISCLOSURE OF GENETIC INFORMATION FOR MEDICAL RESEARCH.-A genetic testing service may not use genetic information of a customer for medical research, or disclose such information to a third party for medical research, unless the service-

(A) obtains the informed consent of the customer in accordance with section 46.116 of title 45, Code of Federal Regulations, as in effect on the date of the enactment of this Act; and

(B) documents the consent of the customer in accordance with section 46.117 of title 45, Code of Federal Regulations, as in effect on the date of the enactment of this Act.

(3) OPTION REGARDING GENETIC INFORMATION.-In seeking the consent of a customer under paragraph (1) or (2) for the disclosure of personally identifiable information, a genetic testing service shall give the customer the option of providing consent for the disclosure of the genetic information of the customer while withholding consent for the disclosure of any other personally identifiable information of the customer.

(4) PROHIBITION ON CONDITIONING SERVICE ON CONSENT.-A genetic testing service may not condition the provision of service to a customer on obtaining the consent of the customer required by paragraph (1) or (2), except to the extent that disclosure of personally identifiable information is necessary to provide the service.

(b) Notification.-

(1) NEW CUSTOMERS.-In the case of an agreement for service entered into between a genetic testing service and a customer on or after the effective date described in section 6, the genetic testing service shall notify the customer of the rights of the customer under subsection (a)-

(A) at the time when the agreement is entered into;

(B) using the same method of communication by which the agreement is entered into; and

(C) in a manner that is-

(i) clear and conspicuous; and

(ii) separate from any privacy policy, data use policy, or other similar document.

(2) EXISTING CUSTOMERS.-

(A) IN GENERAL.-In the case of an agreement for service entered into between a genetic testing service and a customer before the effective date described in section 6, the genetic testing service shall notify the customer of the rights of the customer under subsection (a)-

(i) not later than the date that is 1 year after such effective date;

(ii) using the primary method of communication of the genetic testing service with the customer; and

(iii) in a manner that is-

(I) clear and conspicuous; and

(II) separate from any privacy policy, data use policy, or other similar document.

(B) INABILITY TO CONTACT.-A genetic testing service may not be considered to be in violation of subparagraph (A) by reason of being unable to contact a customer, if the service sends the notification required by such subparagraph-

(i) if the primary method of communication of the service with the customer is in writing, to the last known home mailing address of the customer in the records of the service; and

(ii) if the primary method of communication of the service with the customer is email or other electronic means, to the last known email address, or using the last known other electronic contact information, as the case may be, of the customer in the records of the service.

(3) WEBSITE NOTIFICATION.-In addition to the notifications required by paragraphs (1) and (2), a genetic testing service shall provide clear and conspicuous notification of the rights of customers under subsection (a) on the internet website of the service (if the service maintains such a website). Such notification shall be separate from any privacy policy, data use policy, or other similar document.

(4) CONTENTS.-The Commission shall include in the regulations promulgated under subsection (d) requirements for the contents of the notifications required by this subsection.

(c) Information security requirements.-The Commission shall promulgate regulations that require a genetic testing service to implement policies and procedures to secure the personally identifiable information of customers of the service against unauthorized access.

(d) Regulations.-

(1) IN GENERAL.-Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate, under section 553 of title 5, United States Code-

(A) regulations to implement subsections (a) and (b); and

(B) the regulations required by subsection (c).

(2) CONSIDERATIONS.-In promulgating regulations under paragraph (1), the Commission shall take into consideration-

(A) the size of, and the nature, scope, and complexity of the activities engaged in by, different types or categories of genetic testing services;

(B) the cost of implementing the requirements of subsections (a) and (b) and such regulations; and

(C) in the case of the regulations required by subsection (c), the current state of the art in administrative, technical, and physical safeguards to secure information against unauthorized access.

SEC. 3. Enforcement.

(a) Enforcement by Federal Trade Commission.-

(1) UNFAIR OR DECEPTIVE ACTS OR PRACTICES.-A violation of section 2 or a regulation promulgated under such section shall be treated as an unfair or deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

(2) POWERS OF COMMISSION.-The Commission shall enforce section 2 and the regulations promulgated under such section in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act. Any person who violates such section or such a regulation shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act.

(b) Enforcement by State attorneys general.-

(1) CIVIL ACTION.-In any case in which the attorney general of a State, or an official or agency of a State, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by any person who violates section 2 or a regulation promulgated under such section, the attorney general, official, or agency of the State, as parens patriae, may bring a civil action on behalf of the residents of the State in a district court of the United States of appropriate jurisdiction-

(A) to enjoin further violation of such section or such regulation by the defendant;

(B) to compel compliance with such section or such regulation; or

(C) to obtain civil penalties in the same amount as the civil penalties that may be obtained by the Commission under section 5(m) of the Federal Trade Commission Act (15 U.S.C. 45(m)).

(2) INTERVENTION BY FTC.-

(A) NOTICE AND INTERVENTION.-The State shall provide prior written notice of any action under paragraph (1) to the Commission and provide the Commission with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Commission shall have the right-

(i) to intervene in the action;

(ii) upon so intervening, to be heard on all matters arising therein; and

(iii) to file petitions for appeal.

(B) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING.-If the Commission has instituted a civil action for violation of section 2 or a regulation promulgated under such section, no State attorney general, or official or agency of a State, may bring an action under paragraph (1) during the pendency of the action of the Commission against any defendant named in the complaint of the Commission for any violation of such section or such regulation alleged in the complaint.

(3) RULE OF CONSTRUCTION.-For purposes of bringing any civil action under paragraph (1), nothing in this Act or the regulations promulgated under this Act shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State to-

(A) conduct investigations;

(B) administer oaths or affirmations; or

(C) compel the attendance of witnesses or the production of documentary and other evidence.

SEC. 4. Effect on other laws.

(a) Preemption of certain State laws relating to genetic testing.-This Act and the regulations promulgated under this Act supersede any provision of a statute, regulation, or rule of a State or political subdivision of a State, with respect to an entity to the extent this Act and the regulations promulgated under this Act apply to such entity, that expressly provides for requirements relating to treatment of personal information by services providing genetic testing that are similar to any requirements contained in section 2 or a regulation promulgated under such section.

(b) Preservation of certain State laws.-This Act and the regulations promulgated under this Act may not be construed to preempt the applicability of-

(1) State trespass, contract, or tort law; or

(2) other State laws to the extent that those laws relate to acts of fraud.

(c) Additional preemption.-

(1) IN GENERAL.-No person other than the attorney general of a State, or another official or agency of a State, may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of this Act or a regulation promulgated under this Act.

(2) PRESERVATION OF CONSUMER PROTECTION LAWS.-This subsection may not be construed to limit the enforcement of any State consumer protection law by an attorney general of a State, or another official or agency of a State.

(d) Preservation of FTC authority.-Nothing in this Act may be construed in any way to limit the authority of the Commission under any other provision of law.

SEC. 5. Definitions.

In this Act:

(1) COMMISSION.-The term "Commission" means the Federal Trade Commission.

(2) GENETIC INFORMATION.-The term "genetic information"-

(A) has the meaning given such term in section 201 of the Genetic Information Nondiscrimination Act of 2008 (42 U.S.C. 2000ff); and

(B) includes a physical sample, such as fluid or tissue, obtained from a customer for purposes of performing a genetic test.

(3) GENETIC TEST.-The term "genetic test" has the meaning given such term in section 201 of the Genetic Information Nondiscrimination Act of 2008 (42 U.S.C. 2000ff).

(4) GENETIC TESTING SERVICE.-The term "genetic testing service" means any entity that-

(A) offers genetic tests directly to consumers; or

(B) analyzes genetic information obtained from a genetic test offered directly to consumers, except to the extent that the analysis is performed by a medical professional for diagnosis or treatment of a medical condition.

(5) MEDICAL RESEARCH.-The term "medical research" means the conduct of investigations, experiments, and studies to discover, develop, or verify knowledge relating to the causes, diagnosis, treatment, prevention, or control of physical or mental diseases and impairments of humans.

(6) PERSONALLY IDENTIFIABLE INFORMATION.-

(A) DEFINITION.-The term "personally identifiable information" means any of the following of an individual:

(i) Name.

(ii) Address.

(iii) Social Security number.

(iv) Phone number.

(v) Online identifier, such as an email address or user ID.

(vi) Genetic information.

(vii) Information, other than genetic information, that-

(I) relates to the past, present, or future physical or mental health or condition of the individual; and

(II) either-

(aa) identifies the individual; or

(bb) there is a reasonable basis to believe can be used to identify the individual.

(B) MODIFIED DEFINITION BY RULEMAKING.-The Commission may, by regulation promulgated under section 553 of title 5, United States Code, modify the definition of "personally identifiable information" under subparagraph (A) to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.

(7) STATE.-The term "State" means each State of the United States, the District of Columbia, each commonwealth, territory, or possession of the United States, and each federally recognized Indian Tribe.

(8) THIRD PARTY.-The term "third party" means, with respect to a genetic testing service, an entity (including an entity that controls, is controlled by, or is under common control with the service) that holds itself out to the public as separate from the service such that a customer of the service acting reasonably under the circumstances would not expect the entity to be related to the service or to have access to personally identifiable information that the customer provides to the service.

SEC. 6. Effective date.

Except for subsections (c) and (d) of section 2, section 5(6)(B), this section, and section 7, this Act and the regulations required by subsections (c) and (d) of section 2 shall apply beginning on the date that is 30 days after the date on which the Commission promulgates such regulations.

SEC. 7. Authorization of appropriations.

There is authorized to be appropriated to the Commission $5,000,000 for each of the fiscal years 2020 through 2029 to carry out this Act.