Pennsylvania: Bill for Genetic Information Privacy Act referred to House Committee
On October 9, 2024, House Bill 2627 for the Genetic Information Privacy Act was referred to the House of Representatives Consumer Protection, Technology, and Utilities Committee.
Scope and definitions
The bill applies to 'direct-to-consumer genetic testing companies,' meaning entities that offer a direct-to-consumer genetic testing product or service or collect, use, or analyze genetic data provided to the entity by a consumer as a result of a direct-to-consumer genetic testing product or service.
The bill defines, among other things, genetic data as any data, regardless of the data format, that concerns a consumer's genetic characteristics, excluding de-identified data. The term includes raw sequence data resulting from extracted DNA, genotypic and phenotypic information, and self-reported health information regarding health conditions.
Moreover, the bill outlines several excluded entities and types of information, such as protected information under the Health Insurance Portability and Accountability Act (HIPAA).
Privacy notice
According to the bill, direct-to-consumer genetic testing companies must provide clear and complete information regarding company policies and procedures for the collection, use, or disclosure of genetic data by making available, among other things:
- a high-level privacy policy overview; and
- a prominent, publicly available privacy notice including information on data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices.
Consent requirements
The bill requires direct-to-consumer genetic testing companies to obtain, among other things:
- initial consent clearly describing the genetic data use and with whom the data may be shared;
- separate express consent for transferring or disclosing genetic data outside a company's service provider or for using it beyond the primary purpose;
- separate express consent for additional retention past initial testing;
- informed consent regarding the transfer or disclosure of genetic data for research purposes; and
- express consent for marketing based on the genetic data or by a third party based on the purchase of the genetic testing product by the consumer. Customized content from first-party providers is excluded.
Security measures and consumer rights
The bill states that direct-to-consumer genetic testing companies must develop, implement, and maintain a comprehensive security program to protect the genetic data against unauthorized access, use, or disclosure.
Furthermore, under the bill, consumers must be provided with a process that allows them to:
- access their genetic data;
- delete their account and genetic data; and
- request and obtain the destruction of the biological sample.
Disclosure requirements
The bill requires a valid legal process for disclosing genetic data to a federal, state, or local government entity without the consumer's consent. The bill prohibits the disclosure of consumer genetic data by direct-to-consumer genetic testing companies without the consumer's written consent to:
- insurance companies; and
- the consumer's employer.
Penalties and entry into force
The bill provides that the Office of the Attorney General (AG) may bring a civil action for violations of the bill before a competent court. The court can impose a civil penalty of $2,500 per violation and order the recovery of actual damages, costs, and reasonable attorney fees.
The bill will take effect 60 days after its enactment.