To safeguard the confidentiality, integrity, privacy, and security of a consumer's genetic data, a direct-to-consumer genetic testing company shall:

(1) Make available to the consumer in plain language:
    (a) A privacy policy that includes basic, essential information about the company's collection, disclosure, and use of genetic data; and
    (b) A prominent, publicly available privacy notice that includes information about the company's access, consent, data collection, deletion, disclosure, maintenance, retention, security, and transfer practices; and how the company uses genetic data;

(2) Provide a clear and complete notice to the consumer that the consumer's de-identified data may be shared with or disclosed to a third party for research purposes, in accordance with 45 C.F.R. part 46 (November 25, 2025);

(3) Obtain the consumer's express consent to collect, disclose, or use the consumer's genetic data, including:
    (a) Initial express consent that describes the uses of genetic data collected through a genetic testing product or service and specifies who has access to the test results and how the genetic data may be shared;
    (b) Separate express consent, which must include the name of the person receiving the information, for each transfer or disclosure of the consumer's genetic data or biological sample to any person other than the company's vendors and service providers;
    (c) Separate express consent for each use of the consumer's genetic data or the biological sample beyond the primary purpose of the genetic testing product or service;
    (d) Separate express consent to retain any biological sample provided by the consumer following completion of the initial testing service requested by the consumer;
    (e) Informed consent, in compliance with federal policy for the protection of human research subjects under 45 C.F.R. part 46 (November 25, 2025), to transfer or disclose the consumer's genetic data to a third-party for research purposes, or for research conducted under the control of the company for publication or generalizable knowledge purposes; and
    (f) Separate express consent for marketing by the direct-to-consumer genetic testing company, to another consumer, based on the consumer's genetic data, or by a third party, to another consumer, based on the consumer having ordered or purchased a genetic testing product or service;

(4) Develop, implement, and maintain a security program to protect the consumer's genetic data against unauthorized access, disclosure, or use;

(5) Provide a process for the consumer to:
    (a) Access the consumer's genetic data;
    (b) Delete the consumer's account and genetic data; and
    (c) Request and obtain the destruction of the consumer's biological sample; and

(6) Provide mechanisms, without any unnecessary steps, for the consumer to revoke any consent of the consumer. At least one mechanism must utilize the primary medium through which the company communicates to the consumer.
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.