Express consent: means a consumer's affirmative response to a clear, meaningful, and prominent notice regarding the collection, use, or disclosure of genetic data for a specific purpose. See Tennessee Code 47-18-4902
First-party relationship: means the relationship between a company and a consumer from which the company has collected genetic data. See Tennessee Code 47-18-4902
Genetic data: means data, excluding deidentified data, regardless of format, concerning a consumer's genetic characteristics, including:(A) Raw sequence data that results from sequencing all or a portion of a consumer's extracted DNA. See Tennessee Code 47-18-4902
Genetic testing: means : (A) A laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of genetic characteristics of the consumer. See Tennessee Code 47-18-4902
Person: means an individual, corporation, business, partnership, limited liability company, or other business entity. See Tennessee Code 47-18-4902
written: includes printing, typewriting, engraving, lithography, and any other mode of representing words and letters. See Tennessee Code 1-3-105
(1) Provide to a consumer:
(A) Essential information about the company’s collection, use, and disclosure of genetic data; and(B) A prominent, publicly available privacy notice that includes information about the company’s data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices;(2) Obtain a consumer’s initial express consent for collection, use, or disclosure of the consumer’s genetic data that:
(A) Clearly describes the company’s use of the genetic data that the company collects through the company’s genetic testing product or service;(B) Specifies who has access to test results; and(C) Specifies how the company may share the genetic data;(3) If the company engages in the following conduct, obtain a consumer’s:
(A) Separate express consent for:
(i) The transfer or disclosure of the consumer’s genetic data to a person other than the company’s vendors and service providers;(ii) The use of genetic data beyond the primary purpose of the company’s genetic testing product or service; or(iii) The company’s retention of a biological sample provided by the consumer following the company’s completion of the initial testing service requested by the consumer;(B) Informed consent in accordance with the Federal Policy for the Protection of Human Subjects, as described in 45 C.F.R. part 46 , for transfer or disclosure of the consumer’s genetic data to a third party for:
(i) Research purposes; or(ii) Research conducted under the control of the company for the purpose of publication or generalizable knowledge; and(C)Express consent for:
(i) Marketing to a consumer based on the consumer’s genetic data; or(ii) Marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service;(4) Require valid legal process for the company’s disclosure of a consumer’s genetic data to law enforcement or a government entity without the consumer’s express written consent;(5) Develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure; and(6) Provide a process for a consumer to:
(A) Access the consumer’s genetic data;(B) Delete the consumer’s account and genetic data; and(C) Destroy the consumer’s biological sample.(b) Notwithstanding subdivision (a)(3)(C), a direct-to-consumer genetic testing company with a first-party relationship to a consumer may, without obtaining the consumer’s express consent, provide customized content or offers on the company’s website or through the company’s application or service.