PolicyBrief
S. 863
119th Congress, Mar 5th 2025
Genomic Data Protection Act
IN COMMITTEE

This Act grants consumers clear rights to access, delete, and control their genomic data and physical samples provided to direct-to-consumer testing companies.

Senator Bill Cassidy (R-LA)

LEGISLATION

New Genomic Data Act Gives Consumers 30 Days to Delete DNA Results from Testing Companies

If you’ve ever spit in a tube and sent it off to one of those direct-to-consumer (DTC) DNA testing companies, this new bill is for you. The Genomic Data Protection Act is essentially a privacy upgrade, giving consumers clear, federally enforced rights over their genetic blueprints. The core of the bill is simple: you own your data, and you get to decide if and when it disappears. It sets a hard 30-day clock for companies to comply with deletion requests, which is a major win for people who worry about where their sensitive genetic information ends up.

The Right to Erase: A 30-Day Guarantee

For most people, the biggest change is the Right to Deletion. Currently, getting a company to completely wipe your account, data, and physical sample (like the saliva you sent) can be tough, with the process often buried in fine print. This Act changes that by mandating that DTC companies give you an easy way to request a full deletion. Once you ask, the company has just 30 days to delete all your genetic data and destroy any physical biological samples they still have on file. They also have to notify you, within that same 30-day window, once the job is done. This is a huge deal for digital natives who understand that data is permanent unless someone is legally forced to hit the delete button.

When Companies Change Hands

What happens when the company you trusted gets bought out by a bigger fish? The bill addresses this common business maneuver head-on. If a DTC genomic testing company is acquired, they must notify every consumer at least 30 days before the sale closes. This notice must identify the new owner and explain how consumers can still exercise their rights to access or delete their data under the new management. Crucially, if you request a deletion during the sale process, the acquiring company is still legally bound to honor that 30-day deadline, ensuring your privacy rights don't get lost in the merger paperwork.

The Fine Print on Data Sharing

While the bill locks down your right to delete, it also clarifies what companies can do with your information before you ask them to delete it. Companies must provide a clear, easy-to-read notice explaining that even if your data is “deidentified”—meaning they’ve removed obvious personal identifiers like your name—they might still share it for medical or scientific research. This sharing must follow existing HIPAA privacy rules. This provision is a necessary clarification, but it's also where the bill gets a little squishy. While deidentification is the standard, the risk of re-identification increases as technology advances. If you’re uneasy about your genetic data being used in research, even anonymously, your best bet is to use the 30-day deletion right this bill provides.

Enforcement and Exceptions

Who’s making sure these companies actually follow the rules? The Federal Trade Commission (FTC) is tasked with enforcement. Violating this Act is considered an unfair or deceptive business practice, giving the FTC the power to investigate and penalize companies that drag their feet or refuse to comply. There are only two exceptions where a company can refuse your deletion request: if they have a valid court order (like a subpoena or warrant) or if another law specifically requires them to keep the information. Overall, this Act significantly raises the bar for data privacy in the DTC testing space, giving control back to the consumer and setting clear, enforceable deadlines for companies handling our most sensitive personal information.