Bipartisan Genomic Data Protection Act Reintroduced in Senate
Earlier this month, a bipartisan pair of senators reintroduced the Genomic Data Protection Act, which aims to regulate the genetic data collected by direct-to-consumer (DTC) genetic testing companies. These companies are not bound by the HIPAA Rules.
Genetic data collected by HIPAA-regulated entities must be safeguarded in accordance with the HIPAA Rules and there are restrictions on disclosures of that data. When genetic data is collected by DTC companies, in the absence of federal data privacy law, DTC companies are only required to implement safeguards and restrict disclosures of the data if mandated by state laws. That means that the data collected by DTC companies could potentially be used or disclosed for reasons other than the intended purpose for which the samples were collected.
Several states have introduced laws that specifically cover DTC genetic testing companies, but the protections can vary considerably from state to state. For example, in 2024, Nebraska enacted a law that requires DTC genetic testing companies to publish a privacy policy, obtain consent for the collection, use and disclosure of genetic data, and obtain consent to retain biological samples. The law also gives consumers rights over their genetic data. A similar law was enacted in Virginia the previous year; however, there are no such data privacy laws in states such as Ohio and Mississippi.
The Genomic Data Protection Act (GDPA) was introduced in the last Congress by Senators Bill Cassidy (R-LA) and Gary Peters (D-MI); however, the bill stalled and has now been reintroduced and referred to the Senate Committee on Commerce, Science, and Transportation. Sen. Cassidy, Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (HELP) Committee, published a white paper in February 2024 that includes several proposals for safeguarding health information that is not covered by HIPAA, including potentially expanding HIPAA to cover health data collected by non-HIPAA-regulated entities. In the white paper, Sen. Cassidy specifically referred to genetic data collected by DTC companies.
GDPA is similar to several state laws that have been introduced to regulate DTC companies; however, it has some unique requirements. GDPA adopts a definition of direct-to-consumer genomic testing company that includes entities that manufacture or develop genomic testing products for sale directly to consumers; analyze or interpret genomic data obtained from a consumer; collect, use, maintain, or disclose genomic data collected or derived from a DTC genomic testing product or service; or purchase or acquire genomic data from a DTC company. The definition of covered data includes identifiable and deidentified genomic data, although it excludes data protected under HIPAA and genomic data that is deidentified and used consistent with the HIPAA Rules, for example, to conduct medical or scientific research.
GDPA gives consumers rights over their genomic data. DTC companies must provide consumers with a simple and effective mechanism for accessing their genomic data, deleting their account, and requesting the destruction of biological samples. The exceptions are data or samples that are subject to a warrant, subpoena, or other court order, and cases where retention is required by other laws or regulations.
Consumers must be provided with a clear notice that explains consumers’ rights, and if the company wishes to disclose deidentified genomic data for medical or scientific research, it must be clearly and concisely stated. If a DTC company is purchased or acquired by another entity, consumers must be informed and provided with detailed and accurate information on the company purchasing or acquiring the DTC firm, and those notices must be delivered at least 30 days prior to the completion of the purchase or acquisition.
The aim of GDPA is to improve privacy protections for all Americans, so GDPA does not preempt state laws unless they conflict with GDPA. Companies that fail to comply with GDPA will be subject to deceptive or unfair trade practices penalties under the FTC Act.

