On March 5, 2025, Senators Bill Cassidy (R-LA) and Gary Peters (D-MI) introduced the federal Genomic Data Protection Act (“GDPA”).  The Senators introduced the same bill at the end of last year, but the bill stagnated, and Congress adjourned soon after.  Notably, as part of his February 2024 white paper, Senator Cassidy specifically called for the regulation of genetic data collected by direct-to-consumer genetic testing companies, pointing to several states that have enacted laws regulating these companies over the past several years.

While the GDPA bears some resemblance to these state direct-to-consumer genetic privacy laws, the bill has certain unique features, such as applying to companies that purchase data from direct-to-consumer genomic testing companies and requiring that a direct-to-consumer genomic testing company provide notice to consumers if the company is purchased or otherwise acquired.  We summarize key provisions of the GDPA below.

Applicability

The GDPA applies to a “direct-to-consumer genomic testing company,” which is defined to mean a person that:

  • Manufactures or develops genomic testing products or services for sale directly to consumers;
  • Analyzes or interprets genomic data obtained from a consumer;
  • Collects, uses, maintains, or discloses genomic data collected or derived from a direct-to-consumer genomic testing product or service; or
  • Purchases or acquires genomic data from a direct-to-consumer genomic testing company.

The definition of “direct-to-consumer genomic testing company” excludes “a health care professional” as defined in section 225 of the Public Health Service Act (42 U.S.C. § 234) that performs any of the four above actions for purposes of diagnosis or treatment of a medical condition. 

The GDPA applies to “genomic data,” which “means any data, regardless of its format or whether the data has been deidentified, that results from the analysis of a biological sample from a consumer and concerns genomic material” including:

  • DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA/RNA, and SNPs;
  • uninterpreted data that results from the analysis of the biological sample; or
  • any information extrapolated, derived, or inferred therefrom.

The definition of “genomic data” excludes “deidentified genomic data of a consumer to the extent that such data is used to conduct medical or scientific research, consistent with the privacy regulations promulgated under . . . [HIPAA].”  Deidentified genomic data is defined as “data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information [implements specific safeguards listed in the bill to prevent against re-identification].”

A “consumer” means an individual who provides a biological sample to a direct-to-consumer genomic testing company.

Consumer Rights

The bill requires that direct-to-consumer genomic testing companies provide a “simple and effective mechanism” (through the primary means the company communicates to the consumer) to allow a consumer to: (i) access their genomic data and (ii) delete the account of the consumer (including associated genomic data) AND request destruction of any of their biological samples.

The bill provides an exception only if (i) exercising the right would require deletion of information subject to a warrant, subpoena, or other court order; or (ii) the company must retain such information to comply with other applicable legal/regulatory requirements.

Notice

The bill requires that a direct-to-consumer genomic testing company provide a notice that accurately summarizes the consumer rights and explicitly discloses that “deidentified genomic data of a consumer may be shared or disclosed to conduct a medical or scientific research [under HIPAA].”  The bill notes that this notice must be available in a clear and conspicuous, not misleading, and easy-to-read manner.

Corporate Transaction Disclosure

The bill requires that if a direct-to-consumer genomic testing company is purchased or otherwise acquired by another entity, the company must provide consumers with a “detailed and accurate” description of the identity of the entity purchasing the company and how the consumer can exercise their access and deletion rights under the new ownership.  The company must deliver its notice at least 30 days before the acquisition is complete, and if the acquisition is completed while a consumer’s request is pending, the entity purchasing the company is required to comply with the request.

Preemption

The GDPA expressly states that it will not preempt state laws unless they conflict with the GDPA.

Enforcement

Violations of the GDPA would be deceptive or unfair trade practices under the FTC Act.  The FTC may engage in rulemaking within 1 year of enactment.

Following its introduction in the Senate, the GDPA was referred to the Senate Committee on Commerce, Science, and Transportation.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations. 

Chambers USA 2024 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Natalie Maas

Natalie is an associate in the firm’s San Francisco office, where she is a member of the Food, Drug, and Device, and Data Privacy and Cybersecurity Practice Groups. She advises pharmaceutical, biotechnology, medical device, and food companies on a broad range of regulatory and compliance issues.

Natalie also maintains an active pro bono practice, with a particular focus on health care and reproductive rights.