In September 2024, a company specializing in direct-to-consumer genetic testing and ancestry analysis services agreed to pay $30 million as part of a class action settlement brought on behalf of consumers whose genetic and personal information was leaked as a result of a data breach last year. The breach exposed the data of approximately 6.9 million users, including location, ancestry reports, DNA matches, family names, profile pictures, birthdates, and more.

In the wake of an uptick in the proliferation of consumer ancestry testing over the last several years, this settlement has reinvigorated discussions about the data collection and storage practices of genetic information companies. These concerns have also animated a recent wave of state legislative activity aimed at protecting residents' genetic data, including the passage of LB 308, the Genetic Information Privacy Act (GIPA), in Nebraska, which was signed by Governor Jim Pillen on February 13, 2024, and went into effect on July 17, 2024.

In addition to Nebraska, there are currently 11 other states with statutes governing direct-to-consumer genetic testing companies: Alabama, Arizona, California, Kentucky, Maryland, Montana, Tennessee, Texas, Utah, Virginia, and Wyoming.

The passage of GIPA comes on the heels of Governor Jim Pillen signing into law the Nebraska Data Privacy Act (NDPA) on April 17, 2024, as Nebraska joined the 18 other states with comprehensive privacy statutes. The NDPA is set to go into effect on January 1, 2025.

In this Insight article, Maureen Fulton, Nathan Sheeley, and Briseyda Garcia-Ticas, from Koley Jessen P.C., L.L.O., will first review the key provisions of GIPA, including the scope of protected information and the statutory obligations imposed on direct-to-consumer genetic analysis companies. Next, they will provide an overview of the NDPA. Finally, they will contrast the two statutes by highlighting important differences in their threshold applicability, purpose, and enforcement structure.