As the name suggests, genetic information privacy laws are associated with protecting individuals’ genetic data, giving them more transparency and control over how or who can access this sensitive data.
This tracker contains a list of genetic data privacy laws around the world.
California Genetic Information Privacy Act
Status
The Genetic Information Privacy Act (GIPA) was introduced as a California Senate Bill 41, which later went into effect on January 1, 2022.
Applicability
GIPA applies to direct-to-consumer genetic testing companies that do any of the following:
- Sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to consumers.
- Analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.
The law also applies to any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service or is directly provided by a consumer.
Data Subject Rights
Under the GIPA, the consumers have the right to revoke their consent, request access to their genetic data, request direct-to-consumer genetic testing companies to delete the consumer’s account and genetic data, or request to destroy the consumer’s biological sample.
Obligations of Regulated Entities
Privacy Policy/Notice
The direct-to-consumer genetic testing companies must maintain a prominent and easily accessible privacy notice. Privacy notices must be maintained in a prominent and easily accessible manner. The privacy notice must include information about the company’s data collection, consent, privacy rights, transfer, retention, and deletion practices written in plain language.
Consent
Consent must be obtained for the collection, use, or disclosure of consumers’ genetic data. Moreover, separate and express consent must be collected from the consumer for the use of genetic data for genetic product testing, for the storage of a biological sample, for the use of biological samples other than the primary reason it was initially collected, and for disclosing the consumer’s genetic data to a third party.
Sharing/Sale
A separate and expressed consent from a consumer must be obtained for the transfer or disclosure of genetic information.
Security Measures
GIPA requires direct-to-consumer genetic testing companies to implement reasonable security measures to safeguard consumers’ genetic data against unauthorized access, modification, disclosure, and destruction.
Regulatory Authority
The Attorney General of the state of California, the district attorneys, the county attorney, and, in some cases, city attorneys can enforce the GIPA.
Penalties for Non-Compliance
Violators may be fined up to $1000 per incident for negligent violation along with the court costs. A fine ranging from $1,000 to $10,000 may be imposed in case of willful violation, plus court costs.
Arizona Genetic Information Privacy Act
Status
The Arizona House Bill 2069, also known as the Arizona Genetic Information Privacy Act, went into effect on September 29, 2021, after receiving the approval of the State Governor on April 20, 2021.
Applicability
The law applies to a direct-to-consumer genetic testing company that collects and processes DNA, chromosomes, genes, or gene products.
Data Subject Rights
Under the law, a direct-to-consumer genetic testing company must allow consumers to exercise their right to access the consumers’ genetic data, delete the consumers’ accounts and genetic data, and request the destruction of consumers’ biological samples.
Obligations of Regulated Entities
Privacy Policy/Notice
Direct-to-consumer genetic testing companies must maintain prominent and publicly available privacy policies or notices, including clear and complete information related to the company’s data collection and processing policies or practices, consent, consumers’ rights, and data disclosure or transfer, security, and retention/deletion practices.
Consent
The direct-to-consumer genetic testing companies are required to obtain consumers’ consent for collecting, using, or disclosing consumer’s genetic data. The consent must describe the consumers' use of their genetic data and how it is shared.
Sharing/Sale
Separate express consent must be obtained from the consumer for marketing based on the consumer’s genetic data or by a third party to a consumer or purchase of a genetic testing product or service.
Security Measures
The direct-to-consumer genetic testing companies must design, implement, and maintain a comprehensive security program to protect the consumers’ genetic data against unauthorized disclosure, access, or use.
Regulatory Authority
The Attorney General of Arizona is responsible for enforcing the provisions of the law and imposing penalties for violations.
Penalties for Non-Compliance
The Attorney General can impose a civil penalty of up to $2,500 for each violation along with the damages, costs, and attorney fees of the Attorney General.
Utah Genetic Information Privacy Act
Status
The Utah Genetic Information Privacy Act came into effect on May 05, 2021.
Applicability
The law applies to direct-to-consumer genetic testing companies that collect, use, or analyze consumers’ genetic data or offer consumer genetic testing products or services directly to consumers in the state of Utah.
Data Subject Rights
The law requires regulated entities to provide consumers with the rights to access and delete their genetic data, request the destruction of their biological samples, and prohibit the disclosure of their genetic data.
Obligations of Regulated Entities
Privacy Policy/Notice
The direct-to-consumer genetic testing companies must create and maintain a prominent and publicly available privacy notice to communicate to consumers the company’s practices associated with data collection, consent, transfer, disclosure, retention, use, access, and deletion of consumers’ genetic data.
Consent
The law requires direct-to-consumer genetic testing companies to obtain the consumer’s initial express consent for the collection, use, or disclosure of the consumer’s genetic data. A separate consent is required to transfer or disclose a consumer’s genetic data to any person other than the company’s vendors and service providers, the use of genetic data beyond the primary purpose of the company's genetic testing product or service, and the company's retention of any biological sample provided by the consumer following the company's completion of the initial testing service requested by the consumer.
Sharing/Sale
The direct-to-consumer genetic testing companies are prohibited from disclosing or sharing the genetic data of a consumer with their employer or health and life insurance company without the consumer's written consent.
Security Measures
A comprehensive security framework must be developed, implemented, and maintained to protect the consumers’ genetic data from unauthorized data, use, or disclosure.
Regulatory Authority
The Attorney General of the state of Utah is responsible for enforcing this law and any civil penalties against entities violating its provisions.
Penalties for Non-Compliance
A penalty of $2,500 may be imposed on violators, along with the actual damage, costs, and attorney’s fees for each violation.
Florida Protecting DNA Privacy Act
Status
The Protecting DNA Privacy Act went into effect on October 1, 2021, in Florida.
Applicability
The law applies to individuals or entities involved in analyzing a person’s DNA only if the DNA sample is collected in Florida.
Obligations of Regulated Entities
Privacy Notice
A person performing DNA analysis or receiving results of DNA analysis must provide the person tested with a privacy notice containing information about the DNA analysis. The notice must also contain whether the information was used in any decision related to insurance, employment, mortgage, or educational opportunity.
Consent
The law requires the regulated entities to seek the express consent of a person before analyzing their DNA. Further, the regulated entities must also seek the express consent of the person tested before disclosing the result of their DNA analysis.
Sharing/Sale
Consent is required for the disclosure, selling, or transferring of a person’s DNA sample or results of a DNA analysis.
Security Measures
The law doesn't define any provisions for this section.
Regulatory Authority
The law does not define any provisions for this section.
Penalties for Non-Compliance
Each instance of violation, whether it involves collection, retention, submission, analysis, or disclosure, is considered a separate violation, and each is subject to a distinct penalty. For instance, violating the prohibition on unlawful collection or retention is classified as a misdemeanor of the first degree. If an individual intentionally discloses someone else's DNA analysis results to a third party without explicit consent, it constitutes a felony as per the law.
Kentucky Genetic Data Privacy Law
Status
The Kentucky House Bill 502, also known as the Genetic Information Privacy Act, was signed into law in April 2022 and later went into effect on 1 June 2022. The law provides increased control to consumers over their genetic information.
Applicability
The law applies to direct-to-consumer genetic testing companies that offer genetic testing products or services to consumers or collect, use, or analyze the genetic information of a consumer residing in Kentucky.
Data Subject Rights
The law provides consumers with the right to access their genetic information collected, used, or disclosed by a company, delete their account and genetic data, and request to obtain or destroy their biological sample.
Obligations of Regulated Entities
Privacy Policy/Notice
The law requires direct-to-consumer genetic testing companies to maintain a prominent and publicly available privacy notice that, at a minimum, provides details regarding consumers’ genetic data or the company’s practices associated with the collection, consent, use, transfer, security, destruction, or disclosure of consumer’s genetic data.
Consent
As per the law, direct-to-consumer genetic testing companies must obtain the initial consent of the consumer describing the uses of genetic data collected and must specify who has access to test results and how the data will be shared. Moreover, separate consent is required for cases like biological sample retention, compliance with federal policy for the protection of human research subjects for research purposes, research conducted under the company’s control for publication or generalizable knowledge, or marketing based on consumers’ genetic data. In addition, it requires a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer’s express written consent.
Sharing/Sale
The direct-to-consumer testing companies must obtain separate consent from the consumers for the disclosure or transfer of their genetic data to any person other than the company’s vendors and service providers and expressed consent for using the genetic data for marketing purposes. In addition, direct-to-consumer genetic testing companies may disclose a consumer’s genetic data to any entity offering health insurance, life insurance, or long-term care insurance or to any employer of the consumer without the consumer’s written consent.
Security Measures
For security measures, the law establishes that regulated entities must develop and maintain a comprehensive security program to protect consumers’ genetic data against unauthorized access, use, or disclosure.
Regulatory Authority
The law grants the Attorney General of Kentucky the right to implement and enforce its provisions.
Penalties for Non-Compliance
The Kentucky Attorney General is responsible for enforcing a civil penalty of $2,500 for each violation of this law, along with the damages, costs, and attorney’s fees.
Wyoming Genetic Data Privacy Law
Status
Wyoming’s Governor signed House Bill 86, the Genetic Data Privacy Law, in March 2022, which came into effect on 1 July 2022. The law is directed toward businesses collecting or testing consumers' genetic data.
Applicability
The law governs direct-to-consumer genetic testing companies that offer consumer genetic testing products or services to consumers or collect, use, or analyze Wyongmin’s consumers’ genetic data.
Data Subject Rights
The direct-to-consumer genetic testing companies must provide a process for the consumers to access their genetic data, delete their account and genetic data, and request to obtain or destroy their biological sample.
Obligations of Regulated Entities
Privacy Policy/Notice
The direct-to-consumer genetic testing companies must create and maintain a prominent and publicly available privacy notice that provides details regarding the data collection, use, access, disclosure, transfer, retention, and security practices.
Consent
The direct-to-consumer genetic testing companies must obtain the consumer’s express consent for the collection, use, or disclosure of genetic data and specify who shall have access to test results. Also, separate consent is required for cases like biological sample retention, compliance with federal policy for the protection of human research subjects for research purposes or research conducted under the company’s control for publication or generalizable knowledge, or transfer for research purposes, or marketing based on consumers’ genetic data. Moreover, it requires a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer’s express written consent.
Sharing/Sale
The direct-to-consumer genetic testing companies must obtain separate consent from the consumer for sharing or disclosing their genetic data to third parties.
Security Measures
Under the law, the security obligations require the direct-to-consumer genetic testing companies to develop, maintain, and implement a security program to safeguard consumers’ genetic data against unauthorized access, use, or disclosure.
Regulatory Authority
The law grants the state's Attorney General power to implement and enforce its provisions.
Penalties for Non-Compliance
The Attorney General may impose a civil penalty of up to $2,500 for each violation, along with the actual damages, costs, and attorney’s fees.
South Dakota Genetic Data Privacy Law
Status
The state governor of South Dakota signed Senate Bill 178 on March 21, 2021, which prohibits certain life and long-term care insurers from using genetic information. The law took effect on January 01, 2022.
Applicability
The law broadly applies to any company providing genetic testing services to consumers.
Data Subject Rights
The law does not define any provisions for this section.
Obligations of Regulated Entities
Privacy Policy/Notice
The law does not define any provisions for this section.
Consent
Written consent must be acquired by companies offering direct-to-consumer genetic testing companies for sharing or disclosing genetic tests or information with health carriers, life insurers, or long-term care insurers. However, there is an exception allowing communication between the genetic testing company and a health carrier for purposes such as payment, coordination of medical treatment, or patient care, provided that this communication must comply with the Health Insurance Portability and Accountability Act (HIPAA) and can only be used for specified purposes.
Sharing/Sale
Health carriers, life insurers, and long-term care insurers are prohibited from requiring individuals to take genetic tests.
Security Measures
The law does not define any provisions for this section.
Regulatory Authority
The law does not define any provisions for this section.
Penalties for Non-Compliance
The law does not define any provisions for this section.
Status
Senate Bill 1087, also known as Virginia Genetic Data Privacy Law, was signed into law on 26 March 2023 and took effect on 1 July 2023.
Applicability
The law applies to businesses that provide direct-to-consumer genetic testing products or services to a consumer and are involved in collecting, using, or analyzing consumers’ genetic information.
Data Subject Rights
Under the law, consumers can access their genetic information, request to delete the data, and revoke consent.
Obligations of Regulated Entities
Privacy Policy/Notice
The covered entities must provide consumers with a clear privacy notice providing details regarding the collection, disclosure, transfer, selling, and deletion of their genetic data.
Consent
Consent must be required to collect, use, and disclose genetic data. An express and separate consent must be obtained for the following:
- The utilization of genetic data acquired through the genetic testing product or service.
- The storage of a consumer's biological sample after completing the initial testing required by the consumer.
- Any additional use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service, including inherent contextual uses.
- Marketing purpose with specific exemption from consent for marketing on its own website or mobile application under specific conditions.
Sharing/Sale
Separate consent must be obtained for transferring, sharing, or disclosing consumers’ genetic data.
Security Measures
Regulated companies must maintain reasonable security measures to protect genetic data against unauthorized access, use, and disclosure.
Regulatory Authority
The Attorney General is responsible for implementing and enforcing the law or imposing civil penalties in case of violations.
Penalties for Non-Compliance
In the event of violations, the Attorney General can impose a civil penalty of up to $1,000 for non-willful violations or a fine of not less than $1,000 up to $10,000 for each willful violation. It may also include the attorney’s fees, charges, and court costs.
Tennessee Genetic Information Privacy Act
Status
Tennessee House Bill 1310 for the Genetic Information Privacy Act was signed into law by the Tennessee Governor on April 28, 2023. It came into effect on July 01, 2023.
Applicability
The law applies to entities that offer genetic testing products or services directly to consumers and collect, use, or analyze provided genetic data. However, the law does not apply to:
- de-identified data;
- protected health information collected by a covered entity or business associate as defined under the HIPAA regulations; and
- public or private higher education institutions and entities that they own or operate.
Data Subject Rights
Under this law, consumers have the right to access their genetic data or request the deletion of their account and genetic data, as well as the destruction of their biological samples.
Obligations of the Regulated Entities
Privacy Policy/Notice
A prominent and publicly available privacy notice must be made available for consumers communicating the collection, consent, use, testing, disclosure, security, retention, and transfer practices of consumers’ genetic information.
Consent
Express consent must be obtained from the consumer, communicating to them how their genetic data is collected, who accesses the test results, and how the data is shared. Moreover, informed consent must be obtained in accordance with the Federal Policy for the Protection of Human Subjects to transfer or disclose consumers' genetic data to a third party for research purposes or research conducted under the company's control for publication or generalizable knowledge
Sharing/Sale
The regulated entities must obtain separate express consent for sharing or disclosing the data to third parties except their vendors and service providers, using it beyond the primary purpose, retaining consumers’ biological samples, or marketing purposes.
Security Measures
Reasonable security measures and programs must be implemented to protect consumers’ genetic data against unauthorized access, use, or disclosure.
Regulatory Authority
The division of consumer affairs in the office of the attorney general and reporter shall enforce this law.
Penalties for Non-Compliance
The law does not define any provisions for this section.
Montana Genetic Information Privacy Act
Status
Montana’s Governor signed Senate Bill 351, also known as the Genetic Information Privacy Act, on June 7, 2023. This law took effect on October 1, 2023.
Applicability
The law applies to entities, such as corporations, partnerships, or associations, that provide genetic testing products or services directly to consumers or collect, use, or analyze their genetic information.
Data Subject Rights
Under this law, consumers have the right to access their genetic data, revoke their consent, obtain or request the destruction of their biological samples, or request the deletion of their genetic data.
Obligations of the Regulated Entities
Privacy Policy/Notice
To safeguard the privacy, clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic data by making it available to a consumer. A high-level privacy policy overview that includes basic, essential information about the entity's collection, use, or disclosure of genetic data. Moreover, a prominent and publicly available privacy notice must be made available to consumers containing information about the entity’s data collection, use, analysis, transfer, security, retention, and disclosure of consumer’s genetic data.
Consent
An initial express consent must be obtained from the consumer whose data is collected, used, analyzed, or disclosed. The request for consent must also describe the entity’s use of genetic data and specify the individuals who can access the genetic data.
Sharing/Sale
Separate express consent must be obtained from consumers for the purpose of transferring or disclosing their genetic data or biological samples, using it other than the initial primary purpose, or retention of biological samples or marketing.
Security Measures
Reasonable security measures must be in place to protect consumers’ genetic data against unauthorized access, use, or disclosure.
Regulatory Authority
The Attorney General is solely responsible for enforcing the genetic data law in Montana.
Penalties for Non-Compliance
The Attorney General of Montana can impose a civil fine of up to $2,500 for each violation, along with the actual damages, costs, and attorney’s fees.