Cartwright-Smith, L. et al., “Health Information Ownership: Legal Theories and Policy Implications,” Vanderbilt Journal of Entertainment & Technology Law 19 (2016): 207.Google Scholar

National Human Genome Research Institute, Privacy in Genomics, available at <https://www.genome.gov/about-genomics/policy-issues/Privacy> (last visited June 19, 2019); Norrgard, K., “Protecting Your Genetic Identity: GINA and HIPAA,” Nature Education 1 (2008): 21, available at <https://www.nature.com/scitable/topicpage/protecting-your-genetic-identity-gina-and-hipaa-678> (last visited June 19, 2019); Fendrick, S., “The Role of Privacy Law in Genetic Research,” I/S: A Journal of Law and Policy for the Information Society 4 (2008): 803, available at <https://kb.osu.edu/bitstream/handle/1811/72811/1/ISJLP_V4N3_803.pdf> (last visited February 4, 2020).Google Scholar

Kocha, V. Gutmann and Todd, K., “Research Revolution or Status Quo?: The New Common Rule and Research Arising from Direct-To-Consumer Genetic Testing,” Houston Law Review 56 (2018): 81.Google Scholar

Cech, M., “Genetic Privacy in the ‘Big Biology’ Era: The ‘Autonomous’ Human Subject,” Hastings Law Journal 70 (2019): 851; Bailey, P., “Big Brother or Big Pharma: The Lion Fight Over the Surveillance and Promotion of Pharmaceutical Use in America,” Florida State University Law Review 44 (2017): 1483.Google Scholar

Schilly, S.D. and Khoury, M.J., “What Is Translational Genomics? An Expanded Research Agenda For Improving Individual and Population Health,” Applied Translational Genomics 3, no. 4 (2014): 82–83, available at <https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4694629/> (last visited February 4, 2020).CrossRefGoogle Scholar

Regalado, A., “2017 Was the Year Consumer DNA Testing Blew Up,” MIT Technology Review (2018), available at <https://www.technologyreview.com/s/610233/2017-was-the-year-consumer-dna-testing-blew-up/> (last visited June 19, 2019).+(last+visited+June+19,+2019).>Google Scholar

Regalado, A., “More than 26 Million People Have Taken an At-Home Ancestry Test,” MIT Technology Review (2019), available at <https://www.technologyreview.com/s/612880/more-than-26-million-people-have-taken-an-at-home-ancestry-test/> (last visited October 6, 2019).+(last+visited+October+6,+2019).>Google Scholar

Zhang, S., “Big Pharma Would Like Your DNA,” The Atlantic, July 27, 2018, available at <https://www.theatlantic.com/science/archive/2018/07/big-pharma-dna/566240/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

See, e.g., Zhang, S., “The Loopholes in the Law Prohibiting Genetic Discrimination,” The Atlantic, March 13, 2017, available at <https://www.theatlantic.com/health/archive/2017/03/genetic-discrimination-law-gina/519216/> (last visited June 23, 2019).+(last+visited+June+23,+2019).>Google Scholar

Guerrini, C. J., Robinson, J. O., Petersen, D., and McGuire, A. L., “Should Police Have Access to Genetic Genealogy Databases? Capturing the Golden State Killer and Other Criminals Using a Controversial New Forensic Technique,” PLOS Biology 16 (2018): 10, available at <https://doi.org/10.1371/journal.pbio.2006906> (last visited February 4, 2020).CrossRefGoogle Scholar

Schwartz, P. M., “Preemption and Privacy,” Yale Law Journal 118 (2009): 902.Google Scholar

See, e.g., Social Media Privacy Protection and Consumer Rights Act of 2019, S. 189, 116th Cong. (2019); Information Transparency & Personal Data Control Act, H.R. 2013, 116th Cong. (2019); “Consumer Data Privacy Legislation,” National Conference of State Legislatures (2019), available at <http://www.ncsl.org/research/telecommunications-and-information-technology/consumer-data-privacy.aspx> (last visited October 6, 2019).+(last+visited+October+6,+2019).>Google Scholar

Ohm, P., “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” UCLA Law Review 57 (2010): 1701. See also Farr, C., “Facebook Sent a Doctor on a Secret Mission to Ask Hospitals to Share Patient Data,” CNBC (2018), available at <https://www.cnbc.com/2018/04/05/facebook-building-8-explored-data-sharing-agreement-with-hospitals.html> (last visited June 19, 2019).Google Scholar

Rothstein, M.A., “Is Deidentification Sufficient to Protect Health Privacy in Research?” The American Journal of Bioethics 10 (2010): 3.CrossRefGoogle Scholar

“Federal Policy for the Protection of Human Subjects,” Federal Register 82, no. 12 (2017): 7149–7269, available at <https://www.govinfo.gov/content/pkg/FR-2017-01-19/pdf/2017-01058.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

Id.Google Scholar

Riddle, J., “Final Rule Material: Secondary Research with Identifiable Information and Biospecimens,” Biomedical Research Alliance of New York LLC (2017), available at <https://about.citiprogram.org/wp-content/uploads/2018/07/Final-Rule-Material-Secondary-Research-with-Identifiable-Information-and-Biospecimens.pdf> (last visited February 4, 2020); “KUMC Guidance Document for Exempt Research 2018 Common Rule Changes,” University of Kansas Medical Center (2018), available at <http://www.kumc.edu/Documents/hrpp/Topical%20Guidance/KUMC%20Guidance%20Document%20for%20Exempt%20Research%202018%20Common%20Rule%20Changes.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020);+“KUMC+Guidance+Document+for+Exempt+Research+2018+Common+Rule+Changes,”+University+of+Kansas+Medical+Center+(2018),+available+at++(last+visited+February+4,+2020).>Google Scholar

Id.Google Scholar

McGeveran, W., Privacy and Data Protection Law (2016): 257–258.Google Scholar

McGeveran, W., “Friending the Privacy Regulators,” Arizona Law Review 58 (2016): 973–975.Google Scholar

See Charter of Fundamental Human Rights of the European Union, Arts. 7 and 8; European Convention on Human Rights, Art. 8. See also Google Spain SL v. AEPD, Court of Justice of the European Union, 2014 E.C.R. 317.Google Scholar

15 U.S.C. § 45(n).Google Scholar

Id. at § 45(a)(2) and 15 U.S.C. § 44.Google Scholar

Id. at § 45(a)(2).Google Scholar

See, e.g., In the matter of GeneLink, Inc. and Foru Corp., F.T.C. C-4456-4457 (2014), available at <https://www.ftc.gov/system/files/documents/cases/140512forutmcmpt.pdf> (last visited February 4, 2020); In the Matter of PaymentsMD, LLC, 2015 FTC LEXIS 24 (2015), available at <https://www.ftc.gov/enforcement/cases-proceedings/132-3088/paymentsmdllc-matter> (last visited February 4, 2020); HenrySchein Practice Solutions, Inc., F.T.C. No. 1423161 (2016) (consent order), available at <https://www.ftc.gov/system/files/documents/cases/160105scheinagreeorder.pdf> (last visited February 4, 2020); Accretive Health, F.T.C. No. C-4432 (2014) (consent order), available at <http://www.ftc.gov/system/files/documents/cases/140224accretivehealthdo.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020);+In+the+Matter+of+PaymentsMD,+LLC,+2015+FTC+LEXIS+24+(2015),+available+at++(last+visited+February+4,+2020);+HenrySchein+Practice+Solutions,+Inc.,+F.T.C.+No.+1423161+(2016)+(consent+order),+available+at++(last+visited+February+4,+2020);+Accretive+Health,+F.T.C.+No.+C-4432+(2014)+(consent+order),+available+at++(last+visited+February+4,+2020).>Google Scholar

Hoofnagle, C.J., Federal Trade Commission Privacy Law and Policy (2016): 113–114.CrossRefGoogle Scholar

Bartz, D., “Facebook Facing 20-Year Consent Agreement after Privacy Lapses: Source,” Reuters, May 13, 2019, available at <https://www.reuters.com/article/us-facebook-ftc/facebook-facing-20-year-consent-agreement-after-privacy-lapses-source-idUSKCN1SJ2C2> (last visited February 4, 2020). See also “FTC Approves Final Settlement With Facebook,” Federal Trade Commission, August 10, 2012, available at <https://www.ftc.gov/news-events/press-releases/2012/08/ftc-approves-final-settlement-facebook> (last visited February 4, 2020).+(last+visited+February+4,+2020).+See+also+“FTC+Approves+Final+Settlement+With+Facebook,”+Federal+Trade+Commission,+August+10,+2012,+available+at++(last+visited+February+4,+2020).>Google Scholar

Carter, C., “Consumer Protection in the States: A 50-State Evaluation of Unfair and Deceptive Practices Laws,” National Consumer Law Center Inc. (2018), available at <https://www.nclc.org/images/pdf/udap/udap-report.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

Citron, D. K., “The Privacy Policymaking of State Attorneys General,” Notre Dame Law Review 92, no. 2 (2016): 754.Google Scholar

2018 N.J. S.B. 2834, available at <https://www.njleg.state.nj.us/2018/Bills/S3000/2834_I1.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

“Washington Privacy Act,” 2019 WA S.B. 5376, available at <http://lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/Bills/Senate%20Bills/5376-S2.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

Information Transparency & Personal Data Control Act, H.R. 2013 (116th Cong. 2019).Google Scholar

Cal. Civ. Code § 140(o)(1).Google Scholar

Cal. Civ. Code § 140(o)(1).Google Scholar

2018 N.J. S.B. 2834, available at <https://www.njleg.state.nj.us/2018/Bills/S3000/2834_I1.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

Washington Privacy Act, supra note 31.Google Scholar

Baird, S., “GDPR Matchup: The Health Insurance Portability and Accountability Act,” International Association of Privacy Professionals (2017), available at <https://iapp.org/news/a/gdpr-match-up-the-health-insurance-portability-and-accountability-act/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

GDPR, Recital 34, available at <https://gdpr-info.eu/recitals/no-34/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

GDPR, Article 9, available at <https://gdpr-info.eu/art-9-gdpr/> (last visited February 4, 2020); “Special category data,” Information Commissioner's Office, available at <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-tothe-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/> (last visited February 4, 2020). (last visited February 4, 2020).' href=https://scholar.google.com/scholar?q=GDPR,+Article+9,+available+at++(last+visited+February+4,+2020);+“Special+category+data,”+Information+Commissioner's+Office,+available+at++(last+visited+February+4,+2020).>Google Scholar

GDPR, Article 7, available at <https://gdpr-info.eu/art-7-gdpr/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

For the Common Rule's “informed consent” standard, see For the Common Rule, see Department of Health and Human Services (DHHS), “Protection of Human Subjects,” 45 C.F.R. Part 46 § 116, available at <http://www.hhs.gov/ohrp/human-subjects/guidance/45cfr46.html> (last visited February 4, 2020). (last visited February 4, 2020).' href=https://scholar.google.com/scholar?q=For+the+Common+Rule's+“informed+consent”+standard,+see+For+the+Common+Rule,+see+Department+of+Health+and+Human+Services+(DHHS),+“Protection+of+Human+Subjects,”+45+C.F.R.+Part+46+§+116,+available+at++(last+visited+February+4,+2020).>Google Scholar

“WP29 Guidelines on Consent,” International Association of Privacy Professionals (2018), available at <https://iapp.org/resources/article/wp29-guidelines-on-consent/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

“Burden of Proof and Requirements for Consent,” available at <https://gdpr-info.eu/recitals/no-42/> (last visted February 4, 2020).+(last+visted+February+4,+2020).>Google Scholar

“Sharing Consumer Health Information? Look to HIPAA and the FTC Act,” Federal Trade Commission (2016), available at https://www.ftc.gov/tips-advice/business-center/guidance/sharing-consumer-health-information-look-hipaa-ftc-act (last visited February 4, 2020).Google Scholar

Sheber, S., “OCR Releases Guidance for HIPAA-Covered Entities to Follow FTC Regulations When Sharing Patient Data,” Journal of AHIMA, October 27, 2016, available at <https://journal.ahima.org/2016/10/27/ocr-releases-guidance-forhipaa-covered-entities-to-follow-ftc-regulations-when-sharing-patient-data/>..>Google Scholar

Jillson, E., “Selling genetic testing kits? Read on.” Federal Trade Commission (2019), available at <https://www.ftc.gov/news-events/blogs/business-blog/2019/03/selling-genetic-testing-kits-read> (last visited February 4, 2020). See also Malek, L. A. and Johnson, J. E., “Genetic Testing Is On FTC's Radar,” Law360, April 18, 2019.+(last+visited+February+4,+2020).+See+also+Malek,+L.+A.+and+Johnson,+J.+E.,+“Genetic+Testing+Is+On+FTC's+Radar,”+Law360,+April+18,+2019.>Google Scholar

In the Matter of Rite Aid Corp., F.T.C. C-4308 (2010) available at <https://www.ftc.gov/sites/default/files/documents/cases/2010/11/101122riteaidcmpt.pdf> (last visited February 2, 2020). See also Press Release, “Rite Aid Settles FTC Charges That It Failed to Protect Medical and Financial Privacy of Customers and Employees,” Federal Trade Commission, July 27, 2010, available at <https://www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protect-medical-financial> (last visited February 4, 2020).+(last+visited+February+2,+2020).+See+also+Press+Release,+“Rite+Aid+Settles+FTC+Charges+That+It+Failed+to+Protect+Medical+and+Financial+Privacy+of+Customers+and+Employees,”+Federal+Trade+Commission,+July+27,+2010,+available+at++(last+visited+February+4,+2020).>Google Scholar

Id.Google Scholar

Rite Aid Corp. complaint, supra note 47.Google Scholar

Health Information Technology for Economic and Clinical Health Act, Pub. Law No. 111-5, §§ 13001–424, 123 Stat. 226 (2009) (codified as amended at 42 U.S.C. §§ 300jj–300jj-51, 17901–53). See, e.g., Commonwealth v. Beth Israel Deaconess Med. Ctr., Civ. No. 14-3627 (Mass. Sup. Ct. Nov. 20, 2014); State v. Innova Hosp., No. 2010CI-13714 (Tex. Cty. Ct. Oct. 11, 2010); State v. HealthNet, Civ. No. 2:11-CV-16 (Vt. Dist. Ct. Jan. 14, 2011); Press Release, “Eye Care Retailer Settles in Data Security Lapse,” Office of the Attorney General of Maryland (Aug. 19, 2015), available at <https://mdoag-public.sharepoint.com/press/2015/081915.pdf> (last visited March 24, 2020); Press Release, “A.G. Schneiderman Announces Settlement with University of Rochester to Prevent Future Patient Privacy Breaches,” Office of the Attorney General of New York, December 2, 2015, available at <https://ag.ny.gov/press-release/2015/ag-schneiderman-announces-settlement-university-rochester-prevent-future-patient> (last visited February 4, 2020).+(last+visited+March+24,+2020);+Press+Release,+“A.G.+Schneiderman+Announces+Settlement+with+University+of+Rochester+to+Prevent+Future+Patient+Privacy+Breaches,”+Office+of+the+Attorney+General+of+New+York,+December+2,+2015,+available+at++(last+visited+February+4,+2020).>Google Scholar

Press Release, “McLean Hospital to Implement New Security and Training Programs After Data Breach Exposed Sensitive Health Information,” Office of the Attorney General of Massachusetts, December 12, 2018, available at <https://www.mass.gov/news/mclean-hospital-to-implement-new-security-and-training-programs-after-data-breach-exposed> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

Id.Google Scholar

Complaint, States of Ariz. v. Med. Informatics Eng'g, No. 3:18-cv-969-RLM-MGG, 2019 U.S. Dist. LEXIS 97107 (N.D. Ind. May 28, 2019), available at <https://images.law.com/contrib/content/uploads/documents/292/Indiana-Suit.pdf> (last visited February 4, 2020). (last visited February 4, 2020).' href=https://scholar.google.com/scholar?q=Complaint,+States+of+Ariz.+v.+Med.+Informatics+Eng'g,+No.+3:18-cv-969-RLM-MGG,+2019+U.S.+Dist.+LEXIS+97107+(N.D.+Ind.+May+28,+2019),+available+at++(last+visited+February+4,+2020).>Google Scholar

Id.Google Scholar

Dennis, C. and Johnson, E., “Paging all health care privacy pros: CCPA deserves your attention despite HIPAA exemption,” International Association of Privacy Professionals, July 25, 2018, available at <https://iapp.org/news/a/paging-all-health-care-privacy-pros-cacpa-deserves-your-attention-despite-hipaa-exemption/> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar

Linnea, L., “Transparency and Direct-to-Consumer Genetic Testing Companies,” Harvard Law Petrie-Flom Center, November 22, 2016, available at <http://blog.petrieflom.law.harvard.edu/2016/11/22/transparency-and-direct-to-consumer-genetic-testing-companies/> (last visited February 2, 2020).+(last+visited+February+2,+2020).>Google Scholar

Pitts, P., “The Privacy Delusions Of Genetic Testing,” Forbes, February 15, 2017, available at <https://www.forbes.com/sites/realspin/2017/02/15/the-privacy-delusions-of-genetic-testing/#670caf2e1bba> (last visited Febrary 4, 2020); Elfin, D., “DNA Testing? You Might Want to Wait for More Legal Protection,” Bloomberg Law, January 7, 2019, available at <https://news.bloomberglaw.com/pharma-and-life-sciences/dna-testing-you-might-want-to-wait-for-more-legal-protection> (last visited February 4, 2020); Ornstein, C., “Privacy Not Included: Federal Law Lags Way Behind New Health-Care Technology,” Pacific Standard Magazine, June 14, 2017, available at <https://psmag.com/social-justice/privacy-not-included-federal-law-lags-way-behind-new-health-care-technology> (last visited February 4, 2020).+(last+visited+Febrary+4,+2020);+Elfin,+D.,+“DNA+Testing?+You+Might+Want+to+Wait+for+More+Legal+Protection,”+Bloomberg+Law,+January+7,+2019,+available+at++(last+visited+February+4,+2020);+Ornstein,+C.,+“Privacy+Not+Included:+Federal+Law+Lags+Way+Behind+New+Health-Care+Technology,”+Pacific+Standard+Magazine,+June+14,+2017,+available+at++(last+visited+February+4,+2020).>Google Scholar

Hoffman, S., “Electronic Health Records and Medical Big Data,” Cambridge Bioethics and Law (2016): 131–134.Google Scholar

“Health Information Privacy Beyond HIPAA: A 2018 Environmental Scan of Major Trends and Challenges,” National Committee on Vital and Health Statistics, December 13, 2017, available at <https://www.ncvhs.hhs.gov/wp-content/uploads/2018/02/NCVHS-Beyond-HIPAA_Report-Final-02-08-18.pdf> (last visited February 4, 2020).+(last+visited+February+4,+2020).>Google Scholar