87-903. Direct-to-consumer genetic testing company; duties; prohibited acts; Attorney General; powers; civil penalty.

(1) In order to safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall:

(a) Provide clear and complete information regarding the company's policies and procedures for collection, use, or disclosure of genetic data by making available to a consumer: (i) A high-level privacy policy overview that includes basic information about the company's collection, use, or disclosure of genetic data; and (ii) a prominent, publicly available privacy notice that includes, at a minimum, information about the company's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices;

(b) Obtain a consumer's consent for collection, use, or disclosure of the consumer's genetic data, including:

(i) Initial express consent that clearly states the uses for which the genetic data collected through the genetic testing product or service is intended, specifies the parties who have access to test results, and the means by which such genetic data may be shared;

(ii) Separate express consent for transferring or disclosing the consumer's genetic data to any person other than the company's vendors and service providers, or for using genetic data for purposes not stated in subdivision (1)(b)(i) of this section and inherent contextual uses;

(iii) Separate express consent for the retention of any biological sample provided by the consumer following completion of the initial testing service requested by the consumer;

(iv) Informed consent in compliance with the Federal Policy for the Protection of Human Research Subjects, as described in 45 C.F.R. part 46, for transfer or disclosure of the consumer's genetic data to third-party persons for research purposes or research conducted under the control of the company for the purpose of publication or generalizable knowledge; and

(v) Express consent for marketing to a consumer based on the consumer's genetic data or for marketing by a third-party person to a consumer based on the order or purchase by a consumer of a genetic testing product or service. For purposes of this subdivision, marketing does not include the provision of customized content or offers on websites or through applications or services provided by the direct-to-consumer genetic testing company having the first-party relationship to the consumer;

(c) Require a court order before disclosing genetic data to any government agency, including law enforcement, without the consumer's express written consent;

(d) Develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data from unauthorized access, use, or disclosure; and

(e) Provide a process for a consumer to (i) access the consumer's genetic data, (ii) delete the consumer's account and genetic data, and (iii) request and obtain written documentation verifying the destruction of the consumer's biological sample.

(2) A direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any entity offering health insurance, life insurance, or long-term care insurance or to any employer of the consumer without the consumer's written consent.

(3) The Attorney General may bring an action to enforce the provisions of the Genetic Information Privacy Act. A violation of the act is subject to a civil penalty of two thousand five hundred dollars for each violation, in addition to actual damages incurred by the consumer, and costs and reasonable attorney's fees incurred by the Attorney General. Within thirty days after receipt of any civil penalty amount, the Attorney General shall remit such amount to the State Treasurer to be distributed in accordance with Article VII, section 5, of the Constitution of Nebraska.

Source: Laws 2024, LB308, § 3.
Effective Date: July 19, 2024