Codify — Article

Genomic Data Protection Act (S.863) — federal baseline for DTC genetic data control

Creates a national framework requiring direct-to-consumer genomic companies to provide access, deletion, and sample-destruction mechanisms and sets FTC enforcement authority.

The Brief

This bill creates a federal framework aimed at how companies that sell genomic testing directly to consumers handle genetic information and physical samples. It directs those companies to give individuals a clear technical channel to manage their genomic data and requires companies to disclose core privacy practices in plain language.

The statute also defines key terms (including what counts as ‘‘genomic data’’ and ‘‘deidentified genomic data’’), preserves existing Federal and State law where compatible, and directs the Federal Trade Commission to enforce the new rules. The measure is tailored to DTC testing products and excludes health-care professionals acting for diagnosis or treatment.

At a Glance

What It Does

Requires direct-to-consumer genomic testing companies to provide an easy mechanism—through the company’s primary communication channel—for individuals to access their genomic information and to request deletion of account-associated genomic data and destruction of biological samples. It sets timing obligations for responding to such requests and lays out narrowly drawn exceptions for legal holds and other statutory retention duties.

Who It Affects

Applies to manufacturers, analyzers, and any entity that collects, purchases, or acquires genomic data from DTC testing products or services; it explicitly excludes health-care professionals performing diagnostic or treatment activities. Acquirers of DTC companies and downstream recipients of deidentified genomic datasets (for research) are also pulled into compliance by contractual and notice obligations.

Why It Matters

Establishes a single federal baseline for individual control over lifelong genetic information, introduces operational requirements that will affect product design and M&A diligence, and treats violations as unfair or deceptive acts enforceable by the FTC—potentially shifting costs onto companies that handle genomic samples and datasets.


What This Bill Actually Does

The bill focuses on the ‘‘direct-to-consumer’’ channel: companies that sell testing products to individuals, analyze samples, or buy genomic data from those testing services. It requires those companies to offer a straightforward, effective way for a consumer to obtain their genomic data and, if desired, to request both deletion of their online account and the destruction of any physical biological sample tied to that account.

The statute ties the delivery of that mechanism to whatever channel the company primarily uses to talk to customers (email, account dashboard, or other primary communications).

There are process rules. When a consumer submits a deletion or destruction request, the company must perform the work and inform the consumer within a set compliance window.

If a company is bought while a consumer’s request is pending, the acquiring entity must complete the request and the original request date controls the compliance clock. The bill also creates narrow exceptions: companies do not have to honor deletion or destruction requests where retaining the data or sample is required by a court order, warrant, or another legal or regulatory obligation.

The bill draws a detailed line between ‘‘genomic data’’ and ‘‘deidentified genomic data.’’ Genomic data is broadly defined to include raw and interpreted outputs from DNA/RNA analyses and any derived or inferred information.

Deidentified genomic data used for medical or scientific research is carved out and treated differently, but only if the business takes specific steps—reasonable technical measures to prevent reidentification, a public commitment not to reidentify (except for limited testing of deidentification), and contractual obligations on recipients to maintain deidentification.

Enforcement lives with the Federal Trade Commission: violations are treated as unfair or deceptive acts under the FTC Act, the FTC can use its full investigatory and remedial powers, and the statute contemplates agency rulemaking to fill in operational details. The bill preserves other federal and state laws except where a conflict exists, so covered entities will need to reconcile this statute with HIPAA, state biometric/genetic privacy laws, and clinical laboratory regulations where they overlap.

Operationally, the statute forces companies to grapple with the practicalities of destroying physical samples, cleaning backups and derivatives, and updating contractual flows with research partners.

It also creates notice obligations tied to company acquisitions: consumers must receive a pre-acquisition notice explaining who is buying the company and how to exercise their rights under the new ownership, which affects deal diligence and integration plans.

The Five Things You Need to Know

1. The statute requires covered companies to complete consumer requests to delete account-associated genomic data or destroy biological samples within 30 days of the request and to notify the consumer after completion.

2. Companies must surface the access/deletion/sample-destruction mechanism through the company’s primary communication channel (for example, the account dashboard or primary email) rather than burying it in policy pages.

3. Deidentified genomic data used for research is not treated as ‘‘genomic data’’ for deletion purposes if the business: (A) takes reasonable measures to prevent reidentification, (B) publicly commits to use only deidentified data and limits reidentification attempts to testing the deidentification method, and (C) contractually binds recipients to the same protections.

4. If a DTC genomic company is sold, it must notify consumers at least 30 days before closing with the buyer’s identity and an explanation of how to exercise deletion and destruction rights under the new owner; an acquirer must complete any outstanding deletion/destruction requests.

5. The Federal Trade Commission enforces the law by treating violations as unfair or deceptive acts under the FTC Act, and the Commission may issue implementing rules within one year of enactment.

Section-by-Section Breakdown


Section 1

Short title

Names the statute the ‘‘Genomic Data Protection Act.’’

Section 2(a)(1)

Consumer controls and required communication channel

Mandates that direct-to-consumer genomic testing companies provide an effective mechanism allowing a consumer to access genomic data and to request deletion of their account data and destruction of biological samples. The mechanism must be made available through the company’s primary means of communication with the consumer (not hidden in fine print), which forces product and UX changes so customers can find and use the control.

Section 2(a)(2)-(3)

Notices, acquisition notices, and processing timelines

Requires a clear, conspicuous notice explaining consumer rights and disclosing that deidentified data may be shared for research. If a company is acquired, it must send consumers a pre-closing notice (at least 30 days before completion) identifying the buyer and explaining how rights are exercised post-acquisition. The statute sets an administrative timeline for processing deletion/destruction requests and specifies that an acquirer must honor pending requests, using the original request date to measure compliance.

Section 2(a)(4)

Exceptions where deletion/destruction is not required

Permits companies to refuse deletion or sample destruction when retention is required by a warrant, subpoena, court order, or other legal or regulatory obligation. That exception is narrow but practical—companies will need internal legal screening processes to flag requests that intersect with investigations, litigation holds, or statutory record-retention duties.

Section 2(b)

FTC enforcement and rulemaking

Treats violations as unfair or deceptive acts under the FTC Act, bringing the full suite of FTC investigatory and remedial powers to bear. The Commission may promulgate rules under APA notice-and-comment procedures within one year, which gives the FTC flexibility to write technical compliance standards and enforcement guidance.

Sections 2(c) and 2(d)

Definitions and interplay with other laws

Provides detailed definitions—what counts as genomic data, biological sample, direct-to-consumer company, and deidentified genomic data—and excludes health-care professionals performing clinical activities from the DTC definition. It preserves other federal and state law unless a direct conflict exists, requiring covered entities to reconcile this Act with HIPAA, state genetic-privacy statutes, CLIA/CMS rules for labs, and state consumer-protection laws.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Individual consumers who submitted samples to DTC companies — gain a statutory pathway to obtain, delete, and request destruction of their genetic data and related biological samples, improving personal control over long-lived, sensitive information.
  • Privacy-focused researchers and ethics bodies — receive clearer rules on when deidentified genomic datasets can be used for research, because the statute sets baseline deidentification expectations and contractual obligations for downstream recipients.
  • Consumer advocates and data-rights organizations — obtain a federal enforcement path (through the FTC) to challenge noncompliance and deceptive notices, strengthening systemic enforcement of genomic privacy norms.
  • Clinical- and research-partner organizations that already maintain strong deidentification practices — benefit from legal clarity that appropriately deidentified datasets remain available for scientific use, preserving some research throughput.

Who Bears the Cost

  • Direct-to-consumer genomic testing companies — must invest in technical interfaces, administrative workflows, and physical-sample destruction procedures; they also face increased legal exposure under the FTC Act for noncompliance.
  • Acquirers and buyers of DTC companies — must factor pre-closing consumer notices and the obligation to honor outstanding deletion/destruction requests into M&A diligence and post-close remediation budgets.
  • Labs, biobanks, and data recipients — if they receive deidentified genomic datasets, they must enter and police contractual commitments preventing reidentification and implement reasonable technical controls, increasing compliance program costs.
  • Smaller startups and early-stage developers — may face disproportionate burdens to build compliant systems and handle sample disposition logistics compared with larger firms that can amortize these costs.

Key Issues

The Core Tension

The central dilemma: giving individuals meaningful control over immutable, highly sensitive genomic information versus allowing data to remain available for medical and scientific research that depends on large datasets—each objective is legitimate, but strict deletion rights and sample destruction can undermine reproducibility and long-term research value while lax rules increase privacy and reidentification risks.

The bill leaves several operational and legal questions unresolved. The statutory standard for ‘‘reasonable measures’’ to deidentify data is flexible but undefined, which will push the hard work to FTC rulemaking and case-by-case enforcement.

That gap creates short-term uncertainty for companies and researchers about which technical controls will pass muster and whether particular reidentification risks—especially for genomic data, which is intrinsically reidentifiable—will be tolerated.

There is also a practical tension between the right to delete and the reality of data flows: derivative datasets, shared research copies, and analytic outputs may persist after a deletion request, and the statute’s treatment of deidentified research data raises the prospect that companies could flatly deny deletion for datasets they claim are ‘‘deidentified’’ even when reidentification risk is nontrivial. Finally, the logistics of destroying biological samples—chain-of-custody verification, destruction of backups, handling third-party lab holdings, and proof to consumers—are operationally complex and costly.

The statute assigns enforcement to the FTC but does not create a private right of action, leaving consumer pathways dependent on agency priorities and resources.
