Following a trend from the past few years, several states have introduced bills related to genetic privacy in recent months. These bills have focused on a range of issues, including the privacy practices of direct-to-consumer (“DTC”) genetic testing companies, the national security implications of “foreign adversaries” accessing genetic information, and other topics related to genetic privacy and testing.  We summarize a subset of such recently introduced bills below.

Privacy of DTC Genetic Testing Companies

In recent years, more than 10 states have enacted genetic privacy legislation to regulate “DTC genetic testing companies,” though the scope of entities regulated by these laws and the related obligations varies from state to state.  Rhode Island, South Dakota, and Vermont are the latest states to propose similar legislation.

Rhode Island

S 2203 defines a “[DTC] genetic testing company” as an entity that: (i) sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers; (ii) analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition; or (iii) collects, uses, maintains, or discloses genetic data collected or derived from a [DTC] genetic testing product or service, or is directly provided by a consumer.  For entities that meet the definition of a DTC genetic testing company, key obligations under S 2203 would include:

  • Notice Requirements: The bill would require a DTC genetic testing company to provide a “prominent and easily accessible” privacy notice that includes information about the company’s privacy practices related to genetic data, including a notice that “a consumer’s de-identified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with 45 C.F.R. part 46” (the federal Common Rule).
  • Consent Obligations: A DTC genetic testing company would be required to obtain a consumer’s “express consent” for collection, use, and disclosure of the consumer’s genetic data, “including, at a minimum, a separate and express consent” for certain purposes, including, among others: (i) the storage of a consumer’s sample after the initial testing has been completed; (ii) each secondary use of the genetic data or biological sample; and (iii) each transfer or disclosure of the genetic data or sample to a third party other than to a service provider, “including the name of the third party to which the genetic data or biological sample will be transferred or disclosed.”
  • Consumer Rights: A DTC genetic testing company would be required to provide a mechanism “without any unnecessary steps” for a consumer to revoke consent.  A DTC genetic testing company must also “develop procedures and practices” to enable a consumer to “easily” access or delete their genetic data or destroy their biological samples.
  • Service Provider Contracts: A DTC genetic testing company would be required to include certain provisions in its contracts with service providers that restrict the service provider’s ability to retain, use, or disclose the biological sample, genetic data, or any information regarding the identity of the consumer outside of the services provided to the company.
  • Exceptions: “Genetic data” for purposes of S 2203 does not include de-identified data, which is “data that cannot be used to infer information about, or otherwise be linked to, a particular individual,” provided that the business that possesses the information takes certain steps to reduce the likelihood of re-identification.  The bill also includes exemptions for: (i) information and entities subject to Rhode Island’s medical information confidentiality law or HIPAA; (ii) scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with HHS pursuant to 45 C.F.R. Part 46 to the extent such research activities comply with applicable human subject research regulations; and (iii) tests conducted “exclusively” to diagnose whether an individual has a specific disease to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information subject to Rhode Island’s medical confidentiality law or HIPAA, respectively.

South Dakota

SB 49 defines “[DTC] genetic testing company,” as an entity that “offers genetic testing products or services directly to consumers” or “analyzes, collects, or uses genetic data collected via a direct-to-consumer genetic testing product or service that is provided to the company by the consumer.”  Key provisions of the bill include:

  • Notice Requirements: The bill would require a DTC genetic testing company to provide a “prominent, publicly available” privacy notice that includes information about the company’s privacy practices, including “clear and complete notice” to the consumer that their de-identified data may be shared with or disclosed to a third party for research purposes, in accordance with 45 C.F.R. Part 46 (the federal Common Rule).
  • Consent Obligations: A DTC genetic testing company would be required to obtain a consumer’s “express consent” for collection, use, and disclosure of the consumer’s genetic data, including, among others: (i) “separate express consent, which must include the name of the person receiving the information, for each transfer or disclosure of the consumer’s genetic data or biological sample to any person other than the company’s vendors and service providers;” (ii) “separate express consent” for each secondary use of the genetic data or biological sample; (iii) “separate express consent” to retain a consumer’s sample after the initial testing has been completed; and (iv) “informed consent, in compliance with [the federal Common Rule]” to transfer or disclose a consumer’s genetic data to a third-party for research purposes or for research conducted “under the control of the company for publication or generalizable knowledge purposes.”
  • Consumer Rights: A DTC genetic testing company would be required to provide mechanisms “without any unnecessary steps” for a consumer to revoke consent.  At least one of these mechanisms must “utilize the primary medium through which the company communicates to the consumer.”  A DTC genetic testing company would also be required to “provide a process” to enable a consumer to access or delete their account or genetic data or destroy their biological sample.
  • Service Providers: A service provider under contract with a DTC genetic testing company subject to SB 49 would be “subject to the same confidentiality obligations as the [DTC] genetic testing company, as set forth in [the bill] . . . with respect to all biological samples, genetic data, and information regarding the identity of any consumer that is in the service provider’s possession.”
  • Exceptions: “Genetic data” for purposes of SB 49 does not include de-identified data, which is “data that cannot be used to infer information about, or otherwise be linked to, an identifiable consumer.”  The bill also includes exemptions for: (i) protected health information collected by a covered entity or business associate subject to HIPAA; (ii) biological samples obtained or genetic data generated for the purpose of a consumer’s medical screening, diagnosis, or treatment; (iii) a public or private institution of higher education or an entity owned by such; and (iv) an entity “that analyzes, collects, or uses genetic data or biological samples only in the context of research (as defined in 24 C.F.R. § 164.501)”[1] in a manner that complies with certain human subject research regulations.

Vermont

HB 639 defines a DTC genetic testing company as an entity that (i) “sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers,” (ii) “analyzes genetic data obtained from a consumer, except to the extent the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition,” or (iii) “collects, uses, maintains, or discloses” genetic data that is “collected or derived from a direct-to-consumer genetic testing product or service” or “directly provided by a consumer.”

  • Notice Requirements: The bill would require a DTC genetic testing company to provide a “prominent and easily accessible” privacy notice that includes information about the company’s privacy practices, including a notice to the consumer that their de-identified genetic or phenotypic information may be shared with or disclosed to a third party for research purposes in accordance with 45 C.F.R. Part 46 (the federal Common Rule).
  • Consent Obligations: A DTC genetic testing company would be required to obtain a consumer’s “express consent” for collection, use, and disclosure of the consumer’s genetic data, “including, at a minimum, a separate and express consent” for certain purposes, including: (i) the storage of a consumer’s sample after the initial testing has been completed; (ii) each secondary use of the genetic data or biological sample beyond the primary purpose of the genetic testing or service and “inherent contextual uses;” and (iii) each transfer or disclosure of the genetic data or sample to a third party other than to a service provider, “including the name of the third party to which the genetic data or biological sample will be transferred or disclosed and the intended purpose of said transfer, except that a company shall not require a consumer to . . . [provide such consent] in order to receive the services from the company.” 
  • Consumer Rights: A DTC genetic testing company would be required to provide “effective mechanisms, without any unnecessary steps” for a consumer to revoke consent, “at least one of which utilizes the primary medium through which the company communicates to the consumer.”  A DTC genetic testing company must also “develop procedures and practices” to enable a consumer to “easily” access or delete their genetic data or destroy their biological sample.
  • Service Provider Contracts: A DTC genetic testing company would be required to include certain provisions in its contracts with service providers that restrict the service provider’s ability to retain, use, or disclose the biological sample, genetic data, or any information regarding the identity of the consumer outside of the services provided to the company.
  • Data Storage: The bill would impose a prohibition on storing genetic data or biometric samples within the territorial boundaries of any country currently sanctioned by the U.S. Office of Foreign Assets Control or designated as a “foreign adversary” under 15 C.F.R. § 7.4(a).  Further, HB 639 would require a DTC genetic testing company to obtain express consent from the consumer before transferring or storing their genetic data or biometric data outside the United States.
  • Exceptions: “Genetic data” for purposes of the bill does not include (i) de-identified data, which is “data that cannot be used to infer information about, or otherwise be linked to, a particular individual,” provided that the business that possesses the information takes certain steps to reduce the likelihood of re-identification, or (ii) data or samples “collected, used, maintained, and disclosed” (a) exclusively for scientific research conducted by an institution that holds an assurance with HHS pursuant to 45 C.F.R. Part 46 or (b) in compliance with applicable human subject research regulations.  The bill also includes exemptions for: (i) information and entities subject to HIPAA; (ii) scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with HHS pursuant to 45 C.F.R. Part 46 to the extent such research activities comply with applicable human subject research regulations; and (iii) tests conducted “exclusively” to diagnose whether an individual has a specific disease “to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as protected health information subject to HIPAA.”

Access to Genetic Data by “Foreign Adversaries”

In the past two years, there has been an uptick in national security-focused state laws that regulate “foreign adversaries’” access to genomic sequencing information.  While some of these state laws are focused on data storage only (e.g., Montana’s genetic privacy law, Vermont’s HB 639 discussed above), other states have enacted standalone laws that prohibit the use of genetic sequencers and related software produced by foreign adversaries and that regulate access to genomic sequencing information within the borders of these countries.  While some of these laws are specifically focused on laboratories or medical and research facilities, other state laws apply more broadly (e.g., Texas).  Utah, Virginia, and Wisconsin are the latest states to propose enacting such laws.

Utah

HB 182 would prohibit a medical facility or genomic research facility from using a genetic sequencer or operational and research software that is produced in or by or distributed by a foreign adversary, an entity owned or controlled by a foreign adversary, an entity domiciled in a foreign adversary, or an entity owned or controlled by a subsidiary or affiliate domiciled in the foreign adversary.  “Genomic research facility” is defined to include “a facility that conducts research on, with, or relating to genetic sequencing or the human genome.”  HB 182 defines “foreign adversary” as those countries identified in 15 C.F.R. § 791.4, which includes China, Cuba, Iran, North Korea, Russia, and Venezuelan politician Nicolás Maduro (Maduro Regime).

The bill would also prohibit “a medical facility, genomic research facility, or other person that stores genetic sequencing data” from storing that data within the boundaries of a foreign adversary or providing remote access to such data by a person within the boundaries of a foreign adversary.  Unlike Texas’ law, HB 182 does not contain an express exemption for certain genetic sequencing data stored or accessible within a foreign adversary country as permitted by the U.S. Department of Justice’s Data Security Program (“DOJ DSP”).

Beginning December 31, 2027, each medical facility and genomic research facility that is subject to the bill would be required to provide a sworn statement to the Utah Attorney General confirming that the facility is in compliance with the requirements of the bill.

Virginia

HB 685 would prohibit “medical care facilities” from using genetic sequencers or any operational or research software used for genetic sequencing produced in or by a foreign adversary or a subsidiary or affiliate that is owned or controlled by a person domiciled within a foreign adversary.  Like in Utah HB 182 discussed above, the definition of “foreign adversary” in HB 685 cross-references the countries identified in 15 C.F.R. § 791.4.

The bill would also prohibit medical care facilities from storing genetic sequencing data with a foreign adversary or allowing foreign adversaries to remotely access such data.  The bill would require medical care facilities to certify compliance with the state annually.

Wisconsin

AB 673 would prohibit a medical facility or research facility in Wisconsin from using a genetic sequencer used for genetic analysis or operational and research software used for genetic analysis that is produced in or by a foreign adversary, a company organized within the borders of a country that is a foreign adversary, or an owned or controlled subsidiary or affiliate of a company domiciled within the borders of a country that is a foreign adversary.  The definitions of “medical facility” and “research facilities” are both limited to certain entities that receive state moneys, including through pass-through appropriations from the federal government, and conduct research or testing on or relating to genetic analysis or the human genome.  AB 673 also defines “foreign adversary” as those countries identified in 15 C.F.R. § 791.4.

The bill would also prohibit “a medical facility, research facility, company, or nonprofit organization” from storing human genome sequencing data of a resident of Wisconsin within the borders of a country that is a foreign adversary or providing access to such data to an individual within the borders of that country.  This restriction would not apply to “the storage of human genome sequencing data that is collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with [the DOJ DSP].”  The bill does not contain provisions requiring an affirmative annual certification to the state regarding compliance with the bill.

Other Genetic Privacy & Genetic Testing Bills

Genetic testing and genetic information have long been subject to a patchwork of federal and state frameworks, which generally focus on obtaining consent to perform a genetic test and/or disclose the resulting information.  Alabama, Illinois, and South Carolina are the latest states to propose adding to this patchwork.

Alabama

HB 265 proposes to criminalize certain collection, use, retention, or disclosure of a person’s DNA sample or genetic information without the person’s express consent by any person, with penalties ranging from a misdemeanor to a felony.  Specifically, the bill would make the following acts, when done intentionally and without express consent:

  • Selling or transferring a person’s DNA sample or genetic data to a third party: a Class C felony.
  • (i) Submitting another person’s DNA sample for genetic testing or conducting or procuring such testing; or (ii) disclosing another individual’s genetic data to a third party (except where the genetic data was previously voluntarily disclosed to that person by the individual tested): a Class D felony.
  • (i) Collecting or retaining another individual’s DNA sample with the intent to perform a DNA analysis; or (ii) collecting or retaining another individual’s DNA sample or genetic information by accessing a computer system without authorization: a Class A misdemeanor.

“Express consent” for purposes of the bill would require a “clear and prominent disclosure regarding the manner of collection, use, retention, and disclosure of a DNA sample or genetic data for a specific purpose,” though the bill provides that a single provision of express consent may authorize every instance of a specified purpose or use.

The bill defines “genetic data” in accordance with Alabama’s existing genetic privacy law, which does not include de-identified data.  That law defines “deidentified data” as “genetic data possessed by a genetic testing company which cannot be used to infer information about, or otherwise be linked to, an identifiable consumer and which either meets the requirements for deidentification of genetic data set forth in [HIPAA] or is subject to [certain steps to reduce the likelihood of re-identification].”

Illinois

SB 2886 would amend the Illinois Genetic Information Privacy Act (“GIPA”) to apply to biomarker testing.  Currently, the law regulates only genetic testing.  The bill proposes to define “biomarker testing” as the analysis of a patient’s “tissue, blood, or fluid biospecimen for the presence of a biomarker[,] includ[ing], but is not limited to, single-analyte tests, multi-plex panel tests, and partial or whole genome sequencing.”  Due to its private right of action, GIPA continues to be the basis for a large number of private lawsuits, though a number of these cases have been brought in the employment context.

South Carolina

SB 731 would prohibit companies and individuals from selling genetic material without written consent, which may only be obtained through an “independent document” that “adress[es] only the selling or sharing of genetic information and must provide the ability to opt-out of specific levels of sharing the genetic information.”  The bill also establishes an individual’s property right in their own genetic information and material by stating that a company has no legal right to an individual’s genetic information or material—only the individual owns their genetic information.  SB 731 does not contain any express exemptions, including for de-identified data.  SB 731 would permit a person or entity to bring a private right of action based on a violation of the bill.


[1] The reference to “24 C.F.R. § 164.501” may be a typographical error meant to refer to 45 C.F.R. § 164.501, the provision of HIPAA that defines the term “research.”  45 C.F.R. § 164.501 defines “research” as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.