LegisTrack
Back to all bills
S 863119th CongressIn Committee

Genomic Data Protection Act

Introduced: Mar 5, 2025
View on Congress.gov
Standard Summary
Comprehensive overview in 1-2 paragraphs

The Genomic Data Protection Act would create new consumer rights around genomic data collected by direct-to-consumer (DTC) genomic testing companies. It requires these companies to provide simple ways for consumers to access their genomic data, delete their account and associated genomic data, and request destruction of their biological samples. The bill also imposes clear notices about these rights and how deidentified genomic data may be used for medical or scientific research, and it mandates that companies notify customers if the company is acquired by another entity, including how the rights can be exercised under new ownership. Deletion/destruction requests must be processed within 30 days, with specific rules if an acquisition occurs during an outstanding request; there are exceptions for legally required data retention (e.g., warrants, subpoenas, other regulatory requirements). The legislation assigns FTC enforcement, allows rulemaking within a year, and provides definitions to implement the framework. Overall, the bill aims to give consumers more control over their genetic information and to standardize protections across the DTC genomics industry.

Key Points

  • 1Consumer controls and rights: Direct-to-consumer genomic testing companies must provide a straightforward mechanism for consumers to access their genomic data, delete their account and associated genomic data, and request destruction of their biological samples, using the company’s primary communication channel with the consumer.
  • 2Notice and transparency: Companies must deliver clear notices about consumer rights and about the use of deidentified genomic data for medical or scientific research, in line with HIPAA-related privacy protections.
  • 3Acquisition protections: If the company is purchased or acquired, the new owner must notify consumers at least 30 days before closing and explain how rights can be exercised under the new ownership.
  • 4Processing timelines and continuity: Deletion/destruction requests must be fulfilled within 30 days, with these timelines applicable even if a purchase occurs during an outstanding request; the purchasing entity must continue to fulfill such requests.
  • 5Exceptions and enforcement: Deleting genomic data may be restricted when required by warrants, subpoenas, or other legal/regulatory duties. The FTC would enforce the act, with rulemaking authority granted within one year of enactment.

Impact Areas

Primary group/area affected: Consumers who have provided biological samples to direct-to-consumer genomic testing companies (e.g., for ancestry, health-related genomic testing) and the companies themselves.Secondary group/area affected: Entities acquiring or merging with DTC genomic testing companies (must manage ongoing deletion requests and provide transition notices); health care professionals are specifically exempt from the DTC definition when performing diagnosis or treatment.Additional impacts: Researchers and entities that work with deidentified genomic data (the bill allows deidentified data to be used for research under HIPAA-related privacy rules, affecting how data can be shared and used post-deidentification); the bill may influence industry practices around data retention, data destruction, data sharing, and consumer consent. It also introduces FTC regulatory scrutiny and potential penalties for noncompliance, shaping compliance programs and consumer privacy practices across the DTC genomics sector.
Generated by gpt-5-nano on Nov 18, 2025