Meetings
Transcript: Select text below to play or share a clip
[Speaker 0]: Good afternoon, everyone. This is the Vermont House Committee on Commerce and Economic Development. It is Tuesday, 01/20/2026 at 02:10 in the afternoon. And so we're here with our legislative council, Rick Segal, to do the walkthrough of age six thirty nine, which is bill dealing with genetic data privacy. Unfortunately, Shai couldn't make it today, but we will have her come in tomorrow to give us more information about why, she proposes this bill. So good afternoon, Rick.
[Rick Segal (Office of Legislative Counsel)]: Good afternoon. Rick Segal, office of legislative council. I'm gonna share h six thirty nine on my screen. So this is, as the chair said, a bill that would provide some genetic data privacy to Vermont consumers. Several states have passed some form of this, either through their comprehensive data privacy or as a separate data privacy law. You don't have to have. This bill is written in a way that you don't have to have a comprehensive data privacy law. It can stand alone, and some states, again, have done that. So the bill starts on page two, and I'm putting a new chapter, a data privacy chapter, assuming there'll be maybe at some point other bills that would fall under data privacy. So, subchapter one, genetic information privacy. So this would be known as the Genetic Information Privacy Act, that's subsection a. Then we have a lot of definitions. So like a lot of my bills, the definitions are extensive and they're wordy, but they are that way because they are usually very, very important when it comes to the language in the bill. I'll highlight a couple that I think are really, really, really important, even though they're all important. So we have affirmative authorization. That's an intentional act decision by the consumer. Biological sample means any material part of the human discharged there from or derivative thereof, such as tissue, blood, urine, or saliva known to contain. Okay. I practiced earlier. Now it's fading for me. Deoxyribonucleic acid. I think that's close. I'm not gonna say it again.
[Rep. Edye Graning (Vice Chair)]: Nicely done.
[Rick Segal (Office of Legislative Counsel)]: Because it's DNA. We all know DNA, but deoxyribonucleic acid. That's it. Okay. Consumer is a individual who resides in Vermont. Dark pattern is a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, basically tricking the consumer. You've seen that definition before. Direct to consumer genetic testing company. This is an important definition because this is the type of entity that is being regulated in this bill. It is an entity that sells, markets, interprets, or otherwise offers consumer initiated genetic testing products or services directly to consumers. Page three analyzes genetic data obtained from consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition. So, when I saw the phrase healing arts, I wasn't quite sure what that meant, and I felt stupid, because it really is just a doctor, a dentist. I was thinking more creative arts. I don't know why I thought that, but I did. So in case you were also then not wanting to admit that anyone thought that, I am free to admit that. It is a person licensed in Vermont that's offering some type of actual doctor, dentist type of service.
[Rep. Kirk White (Ranking Member)]: You're sick with us.
[Rep. Michael Boutin (Member)]: Thank you. And this isn't
[Rick Segal (Office of Legislative Counsel)]: being reported, is it? Okay. Then we have in the human arch for diagnosis or treatment of a medical condition. So in other words, if you go to your doctor to have some tests done and you have that sample tested by doctor's office, the hospital, they would not be covered as a direct to consumer genetic testing company. Or C, so again, this is what a genetic testing company would be, collects, uses, maintains, or discloses genetic data that is one collected or derived from a direct to consumer genetic testing product or service or directly provided by a consumer. Disclose, disclosing or disclosure means to solicit, sell, assign, transfer, give, provide, or trade whether or not for valuable consideration. So express consent is important. That's kind of what this bill is based on. You'll see here that the consumer has to consent to a lot of things. So, express consent means a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose. Expressed consent cannot be inferred from inaction. Agreement obtained through these abduct patterns does not constitute express consent. Okay, also important, what is genetic data? It's any data regardless of its format that results from the analysis of a biological sample, which you think could be tissue, urine, saliva, etcetera, or from another element enabling equivalent information to be obtained and concerns genetic material. Genetic material includes DNA, ribonucleic acid, RNA, genes, chromosomes, don't know how to pronounce that word, alleles, genomes, alterations, or modifications to DNA or RNA, single nucleotide polymorphisms, and you might want a medical professional to explain to you what those are, uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom. Genetic data does not include the identified data, and that means data that cannot be used to infer information about or otherwise be linked to a particular individual provided the business that possesses the information, takes reasonable measures to ensure that the information cannot be associated with a consumer or a household, publicly commits to maintain and use the information only in de identified form and not to attempt to re identify the information, except the business may periodically attempt to re identify the information solely for the purpose of determining whether the process satisfies the requirements of the subdivision on the express condition that the business does not disclose or use any information reidentified in this process and destroys the reidentified operation upon completion of that periodic assessment and contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in de identified form and not to re identify the information. Genetic data also does not include data or a biological sample to the extent that data or a biological sample is collected, used, and maintained, or disclosed. And here you have several research uses, federal research uses. So you have 45 CFR Part 46, the testing of human subjects or in compliance with all applicable federal and state laws and regulations for the protection of human subjects and research, including the Common Rule, US FDA Parts fifteen fifty six, and FERPA. Again, this is just government research, and these are typical exceptions you see in these data privacy laws. Genetic testing means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred there from. A person is just about anything, individual, partnership, corporation, association, etcetera. Page six, publicly available information is information that is made available through federal, state, or local records or to the general public from widely distributed media. Public information does not include biometric data collected by a business about a consumer without the consumer's knowledge. Typically, we define biometric data. We don't have it defined here, but it's becoming one of those very similar definitions. It's used in your biological identifications, your fingerprints, iris, face scan. I don't know if you have to define it, but it's something we can think about if you think it needs to be defined. Information that is collated and combined to create a consumer profile that is made available to user of a publicly available website either in exchange for a payment or free of charge, information that is made available for sale, an inference that is generated from the information described in two or three of the subdivision, obscene visual depictions as defined in federal law, personal data that is created through the combination of personal data with publicly available information, Genetic data, unless otherwise made publicly available by the consumer to whom the information pertains. Information provided by a consumer on a website or online service made available to all members of the public for free or for a fee, where the consumer has maintained a reasonable expectation of privacy in the information, such as by restricting the information to a specific audience, or intimate images authentic or computer generated known to be non consensual. Okay, pop up page seven, service provider. It means a sole pretty much anything besides an individual, sole proprietorship, partnership, limited liability company, corporation, or other legal entity that is involved in the collection, transportation. And I'm actually wondering if this should be or analysis. I have it in my notes, Something we can ask when this is about here. So is a service provider all three of those things or are they just one? One of the three. So I have that in my notes. So collection transportation and analysis of the consumer's biological sample or extracted genetic material on behalf of A, at the end of my notes too, currently it says the, it should be A, on behalf of a direct to consumer genetic testing company, on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct consumer genetic testing product or service, or that is directly provided by a consumer. Questions about the definitions?
[Rep. Edye Graning (Vice Chair)]: Just have a general question. It feels like we have been reviewing these kinds of definitions over and over and over again in this committee. Any of them in law today? And does this align with that?
[Rep. Herb Olson (Member)]: The ones that are in law?
[Rick Segal (Office of Legislative Counsel)]: Sorry. So the publicly available Right. The publicly available information, I believe, comes from our age appropriate design code. I need to double check. Todd Delos, as you're nodding at me. It's been a month or two since I drafted this. I think I matched it with that. I can double check. This is a relatively new definition, and if we don't have it in the age of perfect design code, it's probably not anywhere else in our statutes. So that one would be one that matches up. But in this bill, consumer is pretty consistent. It's someone that lives in Vermont. We didn't have to define person here, but we did. Genetic testing, As far as I'm concerned in Title IX, having defined genetic testing that I'm aware of, genetic data. So to answer your question, this bill is probably a bit different in that you want to be more careful to define these terms, but there may be a couple that we can double check. Or if you wanna cross reference it. And so the reason, it's coming back to me, the reason I didn't cross reference the age appropriate definition is because that's not effective yet. It's effective Jan one, twenty twenty seven. So, we don't wanna pass a law that's not effective yet. Yeah. Okay, so the requirements on the line 12 of page seven. So privacy terms and consent. To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct to consumer genetic testing company shall provide clear and complete information regarding the company's policies and procedures for maintaining and collecting genetic data by making available to a consumer all the following: A summary of its privacy practices written in plain language that includes information about the company's collection, use, maintenance, and disclosure of genetic data. A prominent and easily accessible privacy notice that includes complete information about their data collection, consent use access, disclosure, maintenance, etcetera, and deletion practices. And a notice that the consumers de identified genetic or phenotypic information may be shared. I know what that word means. I don't know how to pronounce it. So that's Eunotypic, thank you. That's information that is observed from genetic information. So, it's what your age is, what your eye color is, right? May be shared with or disclosed to third parties for research purposes in accordance with CFR Part 46. Okay, so they shall obtain a consumer's express consent for the collection, use, and disclosure of the consumer's genetic data. This is a pretty big requirement, right? It's one thing to require privacy notice. It's another thing to require express consent. And remember what that definition means that how what express consent means in this context. For each of the following, the use of the genetic data collected through genetic testing product or service offered to the consumer, including who has access to the data, how it may be shared, and the specific purposes for which the data will be collected, used, and disclosed. Express consent for the storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled. Consent for each use of genetic data or the biological sample beyond the primary purpose of the testing testing or service and inherent contextual uses. Consent for each transfer or disclosure of the consumer's genetic data or sample to a third party other than a service provider, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed and the intended purpose of said transfer, except a company shall not require a consumer to express the consent to the actions in the subdivision in order to receive the services ordered from the company by the consumer. And finally, that they shall consent to the marketing or facilitation of marketing to a consumer based on the consumer's genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service. Questions about the requirements as far as the express consent of the consumer? So they can do all these things, right? They can store a consumer's genetic data or sample, but you have to get after you provide the service, but you have to get the express consent of the consumer to do that.
[Rep. Herb Olson (Member)]: This may be tip of the iceberg question, but the express notice provision that's in this bill. I frankly can't remember how we dealt with or how the amendment that was published to S-seventy one last spring, we didn't take testimony. How do I compare this? Is there any express consent provision in there? Or it's maybe unfair because you haven't had time. Haven't thought
[Rick Segal (Office of Legislative Counsel)]: about that amendment in a while.
[Rep. Herb Olson (Member)]: And so I can wait to
[Rick Segal (Office of Legislative Counsel)]: To the genetic issue or did
[Rep. Herb Olson (Member)]: Yeah, you I'm trying to wrap my head around and trying to remember how our previous what we've seen previously compares to this.
[Rick Segal (Office of Legislative Counsel)]: I can't say for sure. So let me get back to you on that. If it's sensitive data, which I think it is, and that version of the data privacy bill, there are certain things you just can't do with sensitive data. So, I think this is kind of going in a different direction as far as It's going away. In a different direction, right? Because you're saying they can obviously process it because they're companies, you know, that's what they do. But I think it's a different context than data privacy, Bill. But I'll double check and make sure, compare the two for you. Okay. Thank you. That's
[Rep. Emily Carris Duncan (Member)]: okay. So,
[Rep. Kirk White (Ranking Member)]: Rick, I'm just thinking back, it might have been before you were with us. At one point, the committee had the UVM cancer study that brought forth legislation that was intended to, that basically insurance, life insurance policies, that they could not access the genetic data. They couldn't request it or require it in order to write a policy. And so does this affect how that process works?
[Rick Segal (Office of Legislative Counsel)]: So there is language coming up where you wouldn't be able to send information to a company that makes health insurance decisions, life insurance decisions. There's also federal laws on that, but there is specific in this law protection against that data going to a company that can make a health insurance decision. So
[Rep. Kirk White (Ranking Member)]: could that insurance company require in order to provide you? I suppose if you said, no, I'm not going to give you this information, then they wouldn't give you a policy.
[Rick Segal (Office of Legislative Counsel)]: Who's the you? Is it a consumer or is it a company that's?
[Rep. Kirk White (Ranking Member)]: If the life insurance company wanted to require anyone that wants to get a policy to disclose that information they gathered from, for example, the UVM breast cancer study that people participated in.
[Rick Segal (Office of Legislative Counsel)]: Required disclosure of that. I don't think this bill would prevent a life insurance company from requesting that information. I don't know if there are other laws that would regulate that, but this bill would not prevent that requirement that the life insurance company would ask that you disclose a test, Is that what you're kind of getting at? You done this type of testing, right?
[Rep. Kirk White (Ranking Member)]: I mean, because the concern at the time was that the UVM study was not getting enough applicants because people didn't want to have their data produced and then go want to get a life insurance policy and be rejected because they had some markers that made them higher risk. And the insurance company's argument was that, well, if you already know that you're a high risk because you've had this study done, then you come to us and want to take out a maximum life insurance policy that they're forced to make decisions based on incomplete information. I
[Speaker 0]: think this is a little different because you're not getting your genome, you're getting your DNA to find out where your ancestry is.
[Rep. Kirk White (Ranking Member)]: This is more my three and me. Yeah, this is so I don't know. But the pheno,
[Rep. Michael Boutin (Member)]: Yes. Because that would definitely qualify, which would anti selection, which would not be good for insurance companies.
[Rep. Kirk White (Ranking Member)]: Sorry.
[Rep. Michael Boutin (Member)]: So getting back to what Kirk was saying, it doesn't say that they can't ask for it. Usually, data and understand our insurance, if we can't get something one way, we'll do underwriting a different way. But it doesn't say that you can't ask for it. The bill does not, correct. Okay. And regarding express consent, that is not doing thinking of a YULO, where end user license agreement, you fill out whatever doc and you're downloading. Is Express content considered that 50 page document that says, we're going to use your data for whatever we want to use it for?
[Rick Segal (Office of Legislative Counsel)]: So I'm Yeah, sorry.
[Rep. Michael Boutin (Member)]: Or is it you, they say, well, this place wants the data. Do we have to get your express consent at that time?
[Rick Segal (Office of Legislative Counsel)]: So I don't think the bill is clear on that. It's a good point. You see some data privacy bills that are very detailed in how the consent must be provided or received. In this case, we have a definition. It's clear, meaningful, prominent, right? Does that mean it can be 150 page? To me, I think, yeah, that actually would be allowed. Because if I'm a direct to consumer genetic testing company and this bill passes and I look at this, and I see that we need our customers to consent to all these things, you're to have what 10 check boxes, one after the other, next, next. I mean, you could do that or you could have just one giant agreement that you check at the end. Is that expressed consent? In my opinion, maybe people will differ on this. I think the bill is not clear on it. That would be okay. So I think if you want to be more consumer friendly, you can make this more clear on how you want the consent to be gained. If you want to be more friendly to the companies who shouldn't make 10 or 20 checkboxes, then you can either leave it as is, in my opinion, or you can be more lenient on express consent, how that works. Does that make sense?
[Rep. Michael Boutin (Member)]: Yeah. I don't want to take away somebody's rights to or a company's right to do the 50 page thing, but then again, I also want to take away their rights to do that so that I know that I'm signing off. Of us read this.
[Rep. Emily Carris Duncan (Member)]: That was a thing, public pointed summary or something at least that brings the information up to the top. Because we're not going to read 50 pages. I
[Rep. Michael Boutin (Member)]: think Rick is the only one that's aware of that.
[Rick Segal (Office of Legislative Counsel)]: Oh, yeah, read all those.
[Rep. Michael Boutin (Member)]: I read all those. Oh, that's a
[Rep. Edye Graning (Vice Chair)]: really good idea.
[Rep. Emily Carris Duncan (Member)]: We're fine print leaders who will look on his face. I just wanted to jump back to the whole issue about whether this is strictly DNA or health. I just pulled up 23andMe's website and they do seem to test for health, or they at least are making health inferences with the data that they're getting. And I think that's part of the business model for a lot of these genetic testing sites. They wanted people to be able to go to them to continue for their health analysis. So it might be something that we have to put extra scrutiny on.
[Rep. Michael Boutin (Member)]: The insurance side, the thing that we have to weigh is this data point that we have will help lower cost of premiums because insurance companies can make quicker decisions and sometimes better decisions.
[Rep. Emily Carris Duncan (Member)]: From a consumer protection and privacy issue Correct. But you don't
[Rep. Michael Boutin (Member)]: have to get insurance. You should.
[Rep. Emily Carris Duncan (Member)]: Of course, yeah. But when it comes to issues like actual health insurance, I know that's I not mean, I know that's not necessarily what our committee deals with directly, but I do think from a consumer protection standpoint, it's something that we should think about, just because it complicates the it complicates the waters.
[Rep. Michael Boutin (Member)]: So
[Rep. Herb Olson (Member)]: trying to get my head back to Addison, how it relates to other statues. There are some might not be the same thing, but there are some internal statues that we talk about genetic testing. And I always remember to be fairly restricted on the insurance company in terms of what they offer don't offer. Maybe I recall that differently. I'm just trying to understand whether this is maybe inadvertently expanding on what an insurance company can do in connection with genetic testing.
[Rick Segal (Office of Legislative Counsel)]: Well, so Ripple, what I would say is that this bill is specific to these genetic testing companies. We're not regulating health insurance companies. We're saying that these companies cannot sell to health insurance providers or live insurance providers.
[Speaker 0]: Right.
[Rick Segal (Office of Legislative Counsel)]: So, that's why I can't, because I think my colleague Maria would be able to, or maybe Jen, Carby, would be able to come and talk about, here's what we currently have on health insurance companies related to genetic data. I don't know. I think you're right.
[Rep. Herb Olson (Member)]: There are Or life insurance companies.
[Rick Segal (Office of Legislative Counsel)]: Right, life insurance companies. There are
[Rep. Herb Olson (Member)]: And I'm just wondering if a life insurance company, guess any other insurance company could acquire the information from one of these service providers.
[Rick Segal (Office of Legislative Counsel)]: I see what you mean.
[Rep. Herb Olson (Member)]: Might be inconsistent with the underlying.
[Rick Segal (Office of Legislative Counsel)]: How would they acquire it? How would they acquire it if it's From the insurance. This bill passes and becomes law, how would the life returns company report?
[Rep. Herb Olson (Member)]: Well, that's a good question. I suppose it would have to be with consent.
[Rick Segal (Office of Legislative Counsel)]: Of the consumer?
[Rep. Herb Olson (Member)]: Yeah, so you got the insurance company would maybe wanna acquire the testing data from this type of company. And I'm just trying to, maybe it's not though, yeah, that would be good. Maybe just check with Maria about how that, the annual discrimination statutes and insurance might lead to this, why not?
[Rep. Michael Boutin (Member)]: Yeah. Just thinking I don't I don't know if any insurance companies actually use this kind of data, But it's not like I've been to too many insurance companies.
[Rep. Herb Olson (Member)]: Maybe it's straight to the other. Might be because we have a substantial.
[Rep. Michael Boutin (Member)]: Right, which makes sense. Mean, there are I'm just thinking of the data points that could be collected, some of those data points could get you into some really sketchy areas of danger. But regarding the express consent, I think that the whole upfront thousand page approval, I think that would probably cover express consent. And then folks can just sell this information.
[Rick Segal (Office of Legislative Counsel)]: Well, not sell, but using it in certain ways, storing it in certain ways, but not necessarily selling the genetic data.
[Rep. Michael Boutin (Member)]: So if you have a contract with a company that can ping the database, would that be considered selling? Ping which database? Well, the database of genetic information.
[Rick Segal (Office of Legislative Counsel)]: Tell me sorry, don't follow what the transaction is. So if you have a contract
[Rep. Michael Boutin (Member)]: with a company that's similar to data brokers, If you have a contract that allows you to search their database for information, is that considered sell? So let me show you
[Rick Segal (Office of Legislative Counsel)]: subdivision D. So express consent for each transfer or disclosure of the consumer genetic data or sample to a third party other than this service provider that carries out their business.
[Rep. Michael Boutin (Member)]: So it would require every single transaction to get Express off the Yeah, and then
[Rick Segal (Office of Legislative Counsel)]: we define this disclosed pretty broadly up here. Is Solicit, sell, assign, transfer, get, provide, trade. So, yeah, I think you're right.
[Rep. Michael Boutin (Member)]: I think it would be interesting to to see what the insurers say on on that. My my guess is they probably don't use this data.
[Speaker 0]: I don't think so. It's more of a you're specifically going, you know, going to your doctor's office and asking for a test and not disclosing the results of that test if you purchase a life insurance. I think that's what the issue was with with the UVM, is that it would have prohibited the insurers from getting that information.
[Rep. Michael Boutin (Member)]: But when you get life insurance, you sign off on getting medical records.
[Speaker 0]: So it would have prohibited insurance companies from being able to get that record.
[Rep. Michael Boutin (Member)]: And at the time,
[Rep. Kirk White (Ranking Member)]: I remember the insurers said they didn't use these kind of
[Speaker 0]: direct consumer things because it wasn't actually precise enough for them.
[Rick Segal (Office of Legislative Counsel)]: And there is a nondisclosure coming up, so let's hold if we can. There is language specific to that, that they cannot disclose to entities that are responsible for health insurance decisions, life insurance decisions. So, maybe let's hold off on that until we see that language. Because that might affect how you think about it. Okay, shall I continue? Alright, so subsection B, we have a marketing exception, so I'm going to leave E on the screen because it references E. So, Subdivision A2E, right above, does not require a direct to consumer genetic testing company to obtain a consumer's express consent to market to the consumer on the company's own website or mobile application based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from that company if the content of the advertisement does not depend upon any information specific to that consumer. Cookies, I think is what we're talking about here. Nothing in the subdivision alters, limits, or negates the requirements of any other anti discrimination law or targeted advertising law. So number two, any advertisement of a third party product or service presented to a consumer pursuant to that exception shall be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement shall also clearly indicate that the advertised product or service and any associated claims have not been vetted or endorsed by the direct to consumer genetic testing company. Revoking consent. So, direct to consumer genetic testing company that has requested consent, expressed consent from a consumer shall provide effective mechanisms without any unnecessary steps for a consumer to revoke consent after it is given, at least one of which utilizes the primary medium through which the company communicates with consumers. If a consumer revokes consent, the direct to consumer company shall honor that revocation as soon as practicable, but not later than thirty days after the individual revokes consent. And if the revocation is related to the storage or use of a consumer's biological sample, destroy that sample not later than thirty days after receipt of the revocation to consent.
[Rep. Edye Graning (Vice Chair)]: Making notes to yourself without any unnecessary steps, can we just have that be at least as simple as?
[Speaker 0]: Let's see.
[Rep. Edye Graning (Vice Chair)]: It was in equine, under revoking consent, one direct consumer genetic testing.
[Rick Segal (Office of Legislative Counsel)]: Were there any necessary steps? What would you like
[Rep. Edye Graning (Vice Chair)]: to As simple as, at least as whatever, as signing up for something. Unnecessary is such an
[Rep. Emily Carris Duncan (Member)]: unclear Buyer to behold. Yes.
[Rick Segal (Office of Legislative Counsel)]: Shall provide productive mechanisms. And your suggestion for parenting is something like
[Rep. Edye Graning (Vice Chair)]: At least as simple as, at least as, there's a language that we have used
[Rep. Emily Carris Duncan (Member)]: for other things. Don't want to miss that as we go back. I'm
[Rep. Michael Boutin (Member)]: sorry, I have to go back because I'm a little confused and I just want to make sure that I fully understand. So if a doctor orders a genetic test, this is going to apply. No, okay. Okay, I got a little confused as we were talking because I was just, I'm thinking of medical records and the medical records on the left side, it says all the different health issues And I just checked to make sure
[Rick Segal (Office of Legislative Counsel)]: Subsection D, line four on page 11, data security and access. A direct to consumer genetic testing company shall implement and maintain reasonable security procedures and practices to protect a consumer of genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable consumer to easily access the consumer's genetic data, delete their account and genetic data, except if it's required to be kept by law, and request to have and have the consumers biological sample destroyed. Subdivision two, genetic data and biometric samples of consumers shall not be stored within the territorial boundaries of any country currently sanctioned in any way by the US Office of Foreign Assets Control or designated as a foreign adversary under 15 CFR 7.4a. Those are China, Iran, Cuba, some examples, North Korea. Breathe, genetic data or biometric data of consumers shall only be transferred or stored outside The US with the express consent. So notice number two, you can't do it all. You cannot store it in these certain countries. Number three, only outside The US upon express consent of the consumer. But yes, China is listed as one of these countries. I don't know how common it is for companies to use China storage. I don't know. But something to think about. Subsection E contracts. A contract between a direct consumer genetic testing company and a service provider shall prohibit the service provider from retaining, using, or disclosing the biological sample, genetic data, or any information regarding the consumer, the identity of the consumer, including whether that consumer has solicited or received genetic testing for a commercial purpose other than providing the services specified in the contract with the business. Associating or combining the sample, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law. Subsection Discrimination, a person or public entity, this will appear in a second why that's there, shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under the subchapter by denying goods, services, or benefits to the consumer, charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties, Providing a different level of quality of goods, services, or benefits to the consumer. Suggesting the consumer will receive a different price or rate for the good services or benefits, or a different level or quality of good services or benefits. And five, this is the public entity, considering the consumer's exercise of rights under the subchapter as a basis for suspicion of criminal wrongdoing or unlawful conduct. A subsection G is the subsection I was referring to earlier, non disclosure. So notwithstanding any other provision in this section, a direct to consumer geneticists and companies shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long term care insurance, disability insurance, or employment, or to any entity that provides advice to an entity that is responsible for performing those functions. So, I think that clears up some of the Yeah. Maybe not everything. That is How do they get it? That's my Yeah. Okay. Enforcement is gonna be your standard Vermont Consumer Protection Act language. So a direct to consumer genetic testing company or service provider that violates a subchapter or rules adopted, commits an unfair and deceptive act, bringing it into play the Vermont Consumer Protection Act 2453 of the title. The AG shall have the same authority to make rules, conduct civil investigations, bring civil actions. Again, this is your standard language under the Vermont Consumer Protection Act. Okay, applicability. The provisions of the subchapter shall not reduce a direct to consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal law for the protection of privacy and security. In the event there's a conflict between this law and any other law, the provisions of law that afford the greatest protection for the right of privacy for consumers shall control. Subsection C, I'm going to read these word for word because these are your typical HIPAA other federal research exemptions from the law. So one is HIPAA. Two is a different type of protection under HIPAA. Three, HIPAA. Four, scientific research or educational activities conducted by a public or private nonprofit post secondary. So this is your research done at the collegiate university level, government research. Okay, five. Tests conducted exclusively to diagnose whether an individual had a specific disease to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information as described in the HIPAA protection of this section. Genetic data used or maintained by an employer or disclosed by an employee to an employer to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance law or regulation. Indeed, nothing in the subchapter shall be construed to affect access to publicly available information. So remember the definition earlier, if there's information that has been gained through government records or through widely distributed media, this bill does not affect those disclosures. And then the effective date is 07/01/2026.
[Rep. Michael Boutin (Member)]: Stupid question. Why would an employer view genetic data?
[Rick Segal (Office of Legislative Counsel)]: I imagine some employers do testing. Remember, data is very broad. I'm not an employer, so I don't know what the purpose will be. But if there's a local state or federal law that requires the employer to have these results or do these testing, So it's very narrowly drawn to where it's just that one. If you're required to comply with a law and you must do this testing, then that is permitted in this bill.
[Rep. Michael Boutin (Member)]: So as we were reading, we saw the medical tests that were done by doctors. And I'm probably just thinking too much about it, but I bring my I've had 23andMe done. I bring it to my doctor. My doctor reviews that and says, oh, that's a problem. They note it in the medical records. That's part of the medical records that doesn't get redacted as they were sent out, correct?
[Rick Segal (Office of Legislative Counsel)]: Sent out where? To an insurance company.
[Rep. Michael Boutin (Member)]: That gets back to the anti selection that you were talking about and that's what I'm concerned about. Because somebody has Huntington's genetic data, They go to the doctor, they show the DNA, the doctor says, oh, Okay, we should probably get the official test of us. And the person says, you know what, just hold off just one minute. You're going go go get insurance. This happens. This does happen. That information, is it redacted from does this require a redaction? That's a good question. Would have a huge problem if it does.
[Rick Segal (Office of Legislative Counsel)]: Because there's no requirements on medical providers in this bill. It's just the genetic testing companies. So I would say no. But I don't know if there's other laws on the books that either federally or statewide that already protect that information. Because I would imagine
[Rep. Michael Boutin (Member)]: it's possible. I'm not worried about it.
[Rick Segal (Office of Legislative Counsel)]: It may be happening, but it
[Rep. Michael Boutin (Member)]: may not be legal. I'm just As we talked about this,
[Speaker 0]: you're you're purchasing wanna purchase life insurance. You have to give your consent to allow the insurer your insurance company to look at
[Rep. Michael Boutin (Member)]: your medical records. Right? But when we were talking about the UBM issue, didn't you say that it was not part of the medical records? Well, that didn't go through. Okay.
[Rep. Emily Carris Duncan (Member)]: Effort five. Right there. It's not what covered
[Rep. Michael Boutin (Member)]: That's if the doctor does it. We're talking about if I do a 23andMe, I go to my doctor and show them?
[Speaker 0]: Yeah. But you're disclosing that as a consumer. You're disclosing that to your doctor. Okay.
[Rep. Michael Boutin (Member)]: Yeah, as long as I don't
[Speaker 0]: see how and then you're giving the insurance company a right to check your medical record, right? So if becomes part of your medical record, it's
[Rep. Michael Boutin (Member)]: all a choice that you as a consumer And that's fine. As long as the medical records aren't redacted, that's what I was concerned about.
[Rep. Edye Graning (Vice Chair)]: Is this based off in other states?
[Rick Segal (Office of Legislative Counsel)]: So I've mentioned before, several states have this. They come in different forms. California's was inspired or California's inspired this route. It's not word for word, but California's is more recently updated. So, the thought was to have Vermont be, since we're a little bit later than other states, to be kind of more learning from the mistakes of other states.
[Speaker 0]: Any questions?
[Rep. Herb Olson (Member)]: I would just think, Mike, that lot of the issues you're talking about, I think are a matter of HIPAA law. Yeah. And that regulates medical records and who gets to see them and what exclusions are. So, kind of think I can understand the construct of how this bill was put together. Said, okay. This doesn't apply to these records because HIPAA does. And I don't know all the details of it. Gonna go.
[Rep. Michael Boutin (Member)]: Yeah. I I I just I think I get I get confused very easily, so it's always better not to give me any information. But I just want to make sure that I understood it the way that think I I don't think I have a problem. Know, everything relies on whether or not I have a problem.
[Speaker 0]: Any other questions? Great, thank you. You're welcome. We will we have invited representative Chittenden tomorrow. Trying to give us the good evening for a reason. Questions? So tomorrow morning, we are instead of taking up H to eleven because of witnesses in, we will be going through all the new bills that came in. We'll be hearing from the sponsors tomorrow. And then in the afternoon, we'll be hearing from the Human Rights Commission. We have 01:15. Then at 02:15, we'll be hearing from the Vermont captive insurance. So that's it. The discussion is on