[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2155 Introduced in House (IH)]

<DOC>






116th CONGRESS
  1st Session
                                H. R. 2155

 To provide for certain requirements with respect to the treatment of 
    personally identifiable information by genetic testing services.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 9, 2019

   Mr. Rush introduced the following bill; which was referred to the 
                    Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
 To provide for certain requirements with respect to the treatment of 
    personally identifiable information by genetic testing services.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Genetic Information Privacy Act of 
2019''.

SEC. 2. TREATMENT OF PERSONALLY IDENTIFIABLE INFORMATION BY GENETIC 
              TESTING SERVICES.

    (a) Consent Required.--
            (1) Express consent for disclosure.--
                    (A) In general.--A genetic testing service may not 
                disclose personally identifiable information of a 
                customer to a third party unless the service obtains 
                the express consent of the customer.
                    (B) Relationship to informed consent requirement.--
                In the case of the disclosure of genetic information 
                for medical research, paragraph (2) applies instead of 
                subparagraph (A).
            (2) Informed consent for use or disclosure of genetic 
        information for medical research.--A genetic testing service 
        may not use genetic information of a customer for medical 
        research, or disclose such information to a third party for 
        medical research, unless the service--
                    (A) obtains the informed consent of the customer in 
                accordance with section 46.116 of title 45, Code of 
                Federal Regulations, as in effect on the date of the 
                enactment of this Act; and
                    (B) documents the consent of the customer in 
                accordance with section 46.117 of title 45, Code of 
                Federal Regulations, as in effect on the date of the 
                enactment of this Act.
            (3) Option regarding genetic information.--In seeking the 
        consent of a customer under paragraph (1) or (2) for the 
        disclosure of personally identifiable information, a genetic 
        testing service shall give the customer the option of providing 
        consent for the disclosure of the genetic information of the 
        customer while withholding consent for the disclosure of any 
        other personally identifiable information of the customer.
            (4) Prohibition on conditioning service on consent.--A 
        genetic testing service may not condition the provision of 
        service to a customer on obtaining the consent of the customer 
        required by paragraph (1) or (2), except to the extent that 
        disclosure of personally identifiable information is necessary 
        to provide the service.
    (b) Notification.--
            (1) New customers.--In the case of an agreement for service 
        entered into between a genetic testing service and a customer 
        on or after the effective date described in section 6, the 
        genetic testing service shall notify the customer of the rights 
        of the customer under subsection (a)--
                    (A) at the time when the agreement is entered into;
                    (B) using the same method of communication by which 
                the agreement is entered into; and
                    (C) in a manner that is--
                            (i) clear and conspicuous; and
                            (ii) separate from any privacy policy, data 
                        use policy, or other similar document.
            (2) Existing customers.--
                    (A) In general.--In the case of an agreement for 
                service entered into between a genetic testing service 
                and a customer before the effective date described in 
                section 6, the genetic testing service shall notify the 
                customer of the rights of the customer under subsection 
                (a)--
                            (i) not later than the date that is 1 year 
                        after such effective date;
                            (ii) using the primary method of 
                        communication of the genetic testing service 
                        with the customer; and
                            (iii) in a manner that is--
                                    (I) clear and conspicuous; and
                                    (II) separate from any privacy 
                                policy, data use policy, or other 
                                similar document.
                    (B) Inability to contact.--A genetic testing 
                service may not be considered to be in violation of 
                subparagraph (A) by reason of being unable to contact a 
                customer, if the service sends the notification 
                required by such subparagraph--
                            (i) if the primary method of communication 
                        of the service with the customer is in writing, 
                        to the last known home mailing address of the 
                        customer in the records of the service; and
                            (ii) if the primary method of communication 
                        of the service with the customer is email or 
                        other electronic means, to the last known email 
                        address, or using the last known other 
                        electronic contact information, as the case may 
                        be, of the customer in the records of the 
                        service.
            (3) Website notification.--In addition to the notifications 
        required by paragraphs (1) and (2), a genetic testing service 
        shall provide clear and conspicuous notification of the rights 
        of customers under subsection (a) on the internet website of 
        the service (if the service maintains such a website). Such 
        notification shall be separate from any privacy policy, data 
        use policy, or other similar document.
            (4) Contents.--The Commission shall include in the 
        regulations promulgated under subsection (d) requirements for 
        the contents of the notifications required by this subsection.
    (c) Information Security Requirements.--The Commission shall 
promulgate regulations that require a genetic testing service to 
implement policies and procedures to secure the personally identifiable 
information of customers of the service against unauthorized access.
    (d) Regulations.--
            (1) In general.--Not later than 1 year after the date of 
        the enactment of this Act, the Commission shall promulgate, 
        under section 553 of title 5, United States Code--
                    (A) regulations to implement subsections (a) and 
                (b); and
                    (B) the regulations required by subsection (c).
            (2) Considerations.--In promulgating regulations under 
        paragraph (1), the Commission shall take into consideration--
                    (A) the size of, and the nature, scope, and 
                complexity of the activities engaged in by, different 
                types or categories of genetic testing services;
                    (B) the cost of implementing the requirements of 
                subsections (a) and (b) and such regulations; and
                    (C) in the case of the regulations required by 
                subsection (c), the current state of the art in 
                administrative, technical, and physical safeguards to 
                secure information against unauthorized access.

SEC. 3. ENFORCEMENT.

    (a) Enforcement by Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        section 2 or a regulation promulgated under such section shall 
        be treated as an unfair or deceptive act or practice in 
        violation of a regulation under section 18(a)(1)(B) of the 
        Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding 
        unfair or deceptive acts or practices.
            (2) Powers of commission.--The Commission shall enforce 
        section 2 and the regulations promulgated under such section in 
        the same manner, by the same means, and with the same 
        jurisdiction, powers, and duties as though all applicable terms 
        and provisions of the Federal Trade Commission Act (15 U.S.C. 
        41 et seq.) were incorporated into and made a part of this Act. 
        Any person who violates such section or such a regulation shall 
        be subject to the penalties and entitled to the privileges and 
        immunities provided in the Federal Trade Commission Act.
    (b) Enforcement by State Attorneys General.--
            (1) Civil action.--In any case in which the attorney 
        general of a State, or an official or agency of a State, has 
        reason to believe that an interest of the residents of that 
        State has been or is threatened or adversely affected by any 
        person who violates section 2 or a regulation promulgated under 
        such section, the attorney general, official, or agency of the 
        State, as parens patriae, may bring a civil action on behalf of 
        the residents of the State in a district court of the United 
        States of appropriate jurisdiction--
                    (A) to enjoin further violation of such section or 
                such regulation by the defendant;
                    (B) to compel compliance with such section or such 
                regulation; or
                    (C) to obtain civil penalties in the same amount as 
                the civil penalties that may be obtained by the 
                Commission under section 5(m) of the Federal Trade 
                Commission Act (15 U.S.C. 45(m)).
            (2) Intervention by ftc.--
                    (A) Notice and intervention.--The State shall 
                provide prior written notice of any action under 
                paragraph (1) to the Commission and provide the 
                Commission with a copy of its complaint, except in any 
                case in which such prior notice is not feasible, in 
                which case the State shall serve such notice 
                immediately upon instituting such action. The 
                Commission shall have the right--
                            (i) to intervene in the action;
                            (ii) upon so intervening, to be heard on 
                        all matters arising therein; and
                            (iii) to file petitions for appeal.
                    (B) Limitation on state action while federal action 
                is pending.--If the Commission has instituted a civil 
                action for violation of section 2 or a regulation 
                promulgated under such section, no State attorney 
                general, or official or agency of a State, may bring an 
                action under paragraph (1) during the pendency of the 
                action of the Commission against any defendant named in 
                the complaint of the Commission for any violation of 
                such section or such regulation alleged in the 
                complaint.
            (3) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1), nothing in this Act or the 
        regulations promulgated under this Act shall be construed to 
        prevent an attorney general of a State from exercising the 
        powers conferred on the attorney general by the laws of that 
        State to--
                    (A) conduct investigations;
                    (B) administer oaths or affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.

SEC. 4. EFFECT ON OTHER LAWS.

    (a) Preemption of Certain State Laws Relating to Genetic Testing.--
This Act and the regulations promulgated under this Act supersede any 
provision of a statute, regulation, or rule of a State or political 
subdivision of a State, with respect to an entity to the extent this 
Act and the regulations promulgated under this Act apply to such 
entity, that expressly provides for requirements relating to treatment 
of personal information by services providing genetic testing that are 
similar to any requirements contained in section 2 or a regulation 
promulgated under such section.
    (b) Preservation of Certain State Laws.--This Act and the 
regulations promulgated under this Act may not be construed to preempt 
the applicability of--
            (1) State trespass, contract, or tort law; or
            (2) other State laws to the extent that those laws relate 
        to acts of fraud.
    (c) Additional Preemption.--
            (1) In general.--No person other than the attorney general 
        of a State, or another official or agency of a State, may bring 
        a civil action under the laws of any State if such action is 
        premised in whole or in part upon the defendant violating any 
        provision of this Act or a regulation promulgated under this 
        Act.
            (2) Preservation of consumer protection laws.--This 
        subsection may not be construed to limit the enforcement of any 
        State consumer protection law by an attorney general of a 
        State, or another official or agency of a State.
    (d) Preservation of FTC Authority.--Nothing in this Act may be 
construed in any way to limit the authority of the Commission under any 
other provision of law.

SEC. 5. DEFINITIONS.

    In this Act:
            (1) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (2) Genetic information.--The term ``genetic 
        information''--
                    (A) has the meaning given such term in section 201 
                of the Genetic Information Nondiscrimination Act of 
                2008 (42 U.S.C. 2000ff); and
                    (B) includes a physical sample, such as fluid or 
                tissue, obtained from a customer for purposes of 
                performing a genetic test.
            (3) Genetic test.--The term ``genetic test'' has the 
        meaning given such term in section 201 of the Genetic 
        Information Nondiscrimination Act of 2008 (42 U.S.C. 2000ff).
            (4) Genetic testing service.--The term ``genetic testing 
        service'' means any entity that--
                    (A) offers genetic tests directly to consumers; or
                    (B) analyzes genetic information obtained from a 
                genetic test offered directly to consumers, except to 
                the extent that the analysis is performed by a medical 
                professional for diagnosis or treatment of a medical 
                condition.
            (5) Medical research.--The term ``medical research'' means 
        the conduct of investigations, experiments, and studies to 
        discover, develop, or verify knowledge relating to the causes, 
        diagnosis, treatment, prevention, or control of physical or 
        mental diseases and impairments of humans.
            (6) Personally identifiable information.--
                    (A) Definition.--The term ``personally identifiable 
                information'' means any of the following of an 
                individual:
                            (i) Name.
                            (ii) Address.
                            (iii) Social Security number.
                            (iv) Phone number.
                            (v) Online identifier, such as an email 
                        address or user ID.
                            (vi) Genetic information.
                            (vii) Information, other than genetic 
                        information, that--
                                    (I) relates to the past, present, 
                                or future physical or mental health or 
                                condition of the individual; and
                                    (II) either--
                                            (aa) identifies the 
                                        individual; or
                                            (bb) there is a reasonable 
                                        basis to believe can be used to 
                                        identify the individual.
                    (B) Modified definition by rulemaking.--The 
                Commission may, by regulation promulgated under section 
                553 of title 5, United States Code, modify the 
                definition of ``personally identifiable information'' 
                under subparagraph (A) to the extent that such 
                modification is necessary to accommodate changes in 
                technology or practices, will not unreasonably impede 
                interstate commerce, and will accomplish the purposes 
                of this Act.
            (7) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, each commonwealth, 
        territory, or possession of the United States, and each 
        federally recognized Indian Tribe.
            (8) Third party.--The term ``third party'' means, with 
        respect to a genetic testing service, an entity (including an 
        entity that controls, is controlled by, or is under common 
        control with the service) that holds itself out to the public 
        as separate from the service such that a customer of the 
        service acting reasonably under the circumstances would not 
        expect the entity to be related to the service or to have 
        access to personally identifiable information that the customer 
        provides to the service.

SEC. 6. EFFECTIVE DATE.

    Except for subsections (c) and (d) of section 2, section 5(6)(B), 
this section, and section 7, this Act and the regulations required by 
subsections (c) and (d) of section 2 shall apply beginning on the date 
that is 30 days after the date on which the Commission promulgates such 
regulations.

SEC. 7. AUTHORIZATION OF APPROPRIATIONS.

    There is authorized to be appropriated to the Commission $5,000,000 
for each of the fiscal years 2020 through 2029 to carry out this Act.
                                 <all>