On February 13, 2024, Nebraska’s Governor signed Legislative Bill 308, which enacts additional consumer protections for consumers in the state. It is similar to another genetic information law passed by Montana last year.
The law takes effect July 17, 2024 (90 days after the legislature adjourns on April 18, 2024).
The law applies to direct-to-consumer genetic testing companies which are defined as an entity that:
- Offers consumer genetic testing products or services directly to a consumer; or,
- Collects, uses, or analyzes genetic data that resulted from a direct-to-consumer genetic testing product or service and was provided to the company by the consumer.
The law does not cover entities that are solely engaged in collecting, using, or analyzing genetic data or biological samples in the context of research under federal law.
The law applies to an individual who is a resident of the State of Nebraska.
Obligations Under the Law
Under the new law covered businesses would be required to:
- Provide clear and complete information regarding the company policies and procedures for the collection, use, or disclosure of genetic data
- Obtain a consumer’s consent for the collection, use, or disclosure of the consumer’s genetic data
- Require a valid legal process before disclosing genetic data to any government agency, including law enforcement, without the consumer’s express written consent
- Develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data from authorized access, use, or disclosure
Similar to several comprehensive consumer privacy laws, the company must provide a consumer with:
- Access to their genetic data
- A process to delete an account and genetic data
- A process to request and obtain written documentation verifying the destruction of the consumer’s biological sample
Under the new law, the Nebraska Attorney General may bring an action on behalf of a consumer to enforce rights under the law. There is no private right of action specified within the statute.
A violation of the act is subject to a civil penalty of $2,500 per violation, in addition to actual damages, costs, and reasonable attorney’s fees.
If you have questions about Nebraska’s genetic privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.