April 1, 2025

Concord Privacy News: 4/1/25

Senators reintroduce Genomic Data Protection Act; report shows that school districts lag on data privacy expertise; top 10 takeaways from the new HIPAA security rule NPRM.

Senators Reintroduce Genomic Data Protection Act

On March 5, 2025, Senators reintroduced the federal Genomic Data Protection Act (GDPA), aiming to establish consumer protections for personal genomic data. The bill, which was originally introduced late last year but stalled in Congress, comes at a time when approximately 21% of Americans have taken direct-to-consumer DNA tests.

Key Provisions of the GDPA

The legislation would establish several important protections for consumers who use at-home DNA testing services:

  • Require companies to provide a "simple and effective mechanism" for consumers to access their genomic data, delete their accounts (including associated genomic data), and request destruction of biological samples
  • Mandate that companies notify consumers at least 30 days before being acquired by another entity, with detailed information about the new owner and how consumers can exercise their rights under new ownership
  • Require companies to process deletion requests within 30 days and notify consumers once their request has been completed
  • Allow deidentified genomic data to be used only for medical or scientific research consistent with HIPAA privacy regulations

"Americans want to know what happens to their data after an at-home DNA test," said Dr. Cassidy. "Let's give them control over their own genomic data. It should be private if they want it to be."

Senator Peters added, "American citizens should have the right to control how their unique health and genetic information is being used and stored. This bill would give consumers the power to access their personal genomic data, delete it from a company's platform, and ultimately destroy it if they choose."

Scope and Enforcement

The GDPA applies broadly to companies that manufacture or develop genomic testing products for direct consumer sale, analyze genomic data, collect or disclose genomic data, or purchase genomic data from testing companies. Healthcare professionals using genomic data for diagnosis or treatment purposes are exempted.

The Federal Trade Commission would be charged with enforcing the law, with violations treated as deceptive or unfair trade practices under the FTC Act. The Commission would have one year after enactment to engage in rulemaking.

State Laws and Federal Framework

Currently, ten states (Arizona, California, Kentucky, Maryland, Montana, Tennessee, Texas, Utah, Virginia, and Wyoming) have enacted consumer protections related to genomic data, but no federal framework exists. Notably, the GDPA would not preempt state laws unless they directly conflict with the federal legislation.

Proponents argue the legislation addresses both consumer privacy concerns and potential national security risks that could arise if sensitive genomic information falls into the hands of bad actors.

Following its introduction, the bill was referred to the Senate Committee on Commerce, Science, and Transportation for consideration.

Other Privacy News of Note

Report Shows That School Districts Lag on Data Privacy Expertise

Most district leaders tasked with managing and implementing privacy programs do not have that task listed in their job descriptions, according to a report published Tuesday by the nonprofit Consortium for School Networking. According to the report, of the nearly 90% of surveyed district leaders who said they oversee their district’s student data privacy program, 73% said it was not part of their job description. Seventeen percent said they had never received relevant privacy training, and one quarter of those who had been trained paid out of pocket. Read more.

Top 10 Takeaways From the New HIPAA Security Rule NPRM

On Jan. 6, 2025, the U.S. Department of Health and Human Services (HHS) proposed new regulations to strengthen cybersecurity protections for electronic protected health information (ePHI) under the Health Insurance Portability and Accountability Act (HIPAA). This Notice of Proposed Rulemaking (NPRM) is the first significant proposed update to the HIPAA Security Rule since its last revision in 2013; the rule was originally published in 2003. Read more.