Interest in genetic data is on the rise, driven by the growth of direct-to-consumer (DTC) genetic testing and its value for AI in drug development and personalized medicine. Historically, gaps in privacy laws have sometimes left sensitive health information unprotected when individuals share it with companies outside the clinical setting. This issue has been brought into sharp relief with the 23andMe bankruptcy.
While HIPAA, at the federal level, generally protects health information, including genetic information, created and received by healthcare providers and health plans, it does not apply to data given to consumer genetics companies. Instead, consumers are treated as customers, not as patients or plan enrollees, leaving their genetic information outside the reach of the nation’s strongest health data protections. The Genetic Information Nondiscrimination Act (GINA) offers some safeguards, but is limited to misuse by insurers or employers.
State laws have also fallen short in filling the gaps in federal privacy protections. While twenty states have enacted comprehensive privacy laws, most of them do not prevent companies from selling genetic data in a bankruptcy proceeding. Even health-specific privacy laws in states such as Washington and Nevada contain bankruptcy exceptions. Furthermore, some states’ privacy laws define “sensitive data” as genetic information when it is used for the purpose of identification. As a result, if a company collects genetic data but does not use it for identification, that data may not be protected by privacy laws and could be sold.
Lawmakers—at the federal and state levels—are moving to address these gaps and joining states such as Illinois, California and Utah that have specific genetic privacy statutes. It is crucial for companies to stay informed and adapt to these new legal requirements. This article explores some of these efforts.
Don’t Sell My DNA Act
A bipartisan group of lawmakers introduced the Don’t Sell My DNA Act, aiming to bring genetic data under the protection of the federal Bankruptcy Code. On July 17, 2025, Representatives Zoe Lofgren (D-Calif.) and Ben Cline (R-Va.) introduced a House version of the bill, complementing a Senate proposal from earlier this year. The legislation would amend the U.S. Bankruptcy Code such that it would restrict the sale of genetic data without explicit consumer permission.
Specifically, the bill updates the definition of “personally identifiable information” in the Bankruptcy Code to include genetic data.
If enacted, the Don’t Sell My DNA Act would require companies to provide written notice and obtain affirmative consent from consumers before their genetic data could be used, sold or leased during bankruptcy proceedings. It would also mandate the deletion of any genomic information not subject to a sale, providing consumers with greater control and transparency over their most sensitive data.
DOJ Bulk Data Rule
A major new federal regulation, the Department of Justice’s “Bulk Data Rule,” has added a significant layer of compliance and risk for companies handling genetic data. This rule, which took effect on April 8, 2025, is designed to prevent certain “countries of concern” and “covered persons” from accessing large volumes of Americans’ sensitive personal data, including genetic information, by restricting and, in some cases, prohibiting certain data transfers and transactions.
Transactions involving bulk genetic data are prohibited if they result in access by a country of concern or covered person, unless an exemption applies. The rule is not limited to traditional data brokers or healthcare providers—it applies broadly to any U.S. person or entity, including DTC genetic testing companies, that engages in covered data transactions.
Key features of the rule include:
1. Coverage of Genetic Data
Among other data, the rule specifically applies to “human ‘omic data,” which includes human genomic, epigenomic, proteomic and transcriptomic data. This means that the DNA data routinely collected, analyzed and stored by DTC genetic companies is squarely within the rule’s scope.
2. Bulk Thresholds
The rule applies when the amount of data involved meets or exceeds certain thresholds within a rolling 12-month period. For human genomic data, the threshold is more than 100 U.S. persons; for other ‘omic data, it is more than 1,000 U.S. persons.
3. No Exemption for Anonymized Data
Critically, the rule applies even if the data is anonymized, pseudonymized, de-identified or encrypted. This is a significant departure from many state privacy laws, which often exempt de-identified data from their requirements.
Companies must now carefully assess their data flows, counterparties and contractual arrangements to ensure compliance with the DOJ Bulk Data Rule.
Texas HB 130 and Florida SB 768
In addition to the federal DOJ Bulk Data Rule, states are implementing their own measures to further restrict foreign access to genetic data. Texas HB 130, the Texas Genomic Act of 2025, imposes broad requirements on entities handling genome sequencing data of Texas residents. Importantly, the law specifically prohibits the sale or transfer of such data to foreign adversaries as part of a bankruptcy proceeding.
Florida SB 768 prohibits licensed laboratories from using operational or research software for genetic sequencing that is produced by, or affiliated with, China, Russia, Iran, North Korea, Cuba, Venezuela and Syria.
Indiana HB 1521
On May 6, 2025, Indiana enacted HB 1521, which establishes a focused regulatory framework specifically targeting consumer genetic testing providers. The law applies to businesses that provide DTC genetic testing services and specifically exempts genetic testing ordered by healthcare providers for medical purposes that are subject to HIPAA privacy protections. It also does not apply to genetic testing performed for research purposes.
Effective immediately upon passage on May 6, 2025, the law includes the following key features:
1. Prohibition of Genetic Discrimination
The law makes it illegal for any person or entity to discriminate against an individual based on the individual’s use of consumer genetic testing services or the results of such tests. This includes denying access to goods or services, charging different rates, or suggesting that such measures will be taken.
2. Strict Privacy and Consent Requirements for Providers
Consumer genetic testing providers must give individuals a clear, written disclosure of their privacy policies, including how biological material and genetic data are collected, stored, used and shared. Providers must obtain freely given, specific, informed and unambiguous consent from individuals before performing any additional testing, using samples for other purposes or sharing data with third parties.
3. Data Security and Consumer Rights
Providers are required to implement commercially reasonable security measures to protect genetic data and biological material from unauthorized access or use. Individuals have the right to access their genetic data, revoke consent and request the destruction of their biological material and data within specified timeframes.
4. Enforcement and Penalties
The Indiana Attorney General has exclusive authority to enforce the law, with the power to seek injunctions and civil penalties of up to $7,500 per violation. Providers are given a 30-day period to cure alleged violations before formal action is taken. The law does not create a private right of action for individuals.
Montana SB 163
Senate Bill 163 (SB 163), enacted by the Montana Legislature in 2025, revises the Montana Genetic Information Privacy Act (MGIPA) to expand its scope and strengthen privacy protections for both genetic and neurotechnology data. SB 163 expands the MGIPA to include neurotechnology data and applies broadly to any entity that offers consumer genetic testing products or services directly to consumers, as well as any entity that collects, uses or analyzes genetic data.
However, the Act carves out specific exclusions to ensure clarity and avoid regulatory overlap. It does not apply to protected health data collected by HIPAA-covered entities or business associates, provided they obtain separate informed consent for genetic or neurotechnology data and comply with specific consumer rights. Entities engaged solely in scientific or clinical research with express consent, subject to federal research protections, are also excluded. Key features include consent requirements, notice to consumers and consumer rights.
1. Consent Requirements
Initial express consent is required to collect, use or disclose genetic data. Separate, informed express consent is needed for transferring or disclosing genetic data to third parties for research or for research conducted under the entity’s control for publication or generalizable knowledge.
Additional separate express consent is required for:
- Transferring or disclosing genetic data or biological samples to any third party (other than processors).
- Using genetic data beyond the primary purpose of the genetic testing product or service.
- Retaining biological samples after initial testing is complete.
- Marketing to consumers based on their genetic data.
- Third-party marketing based on a consumer’s purchase of a genetic testing product or service.
- Sale or other valuable consideration of the consumer’s genetic data.
- Disclosing genetic data to health, life or long-term care insurers, or to the consumer’s employer.
2. Notice to Consumers
Entities must provide two privacy policies. First, a high-level privacy policy overview with essential information about collection, use and disclosure of genetic data.
Second, a detailed, publicly available privacy notice covering data collection, consent, use, access, disclosure, transfer, security, retention and deletion practices specific to genetic data.
3. Consumer Rights
Consumers have the right to:
- Access and delete their genetic data.
- Revoke consent at any time.
- Request and obtain destruction of their biological sample.
These rights may be waived if the consumer has provided express, informed, written consent for participation in a clinical research trial, or if the data is used solely for clinical research purposes.
Sunwoo Lee (Summer Associate) contributed to this article.