PolicyBrief
S. 863
119th Congress, Mar 5th 2025
Genomic Data Protection Act
IN COMMITTEE

The Genomic Data Protection Act enhances consumer control over genomic data by requiring direct-to-consumer genetic testing companies to provide options for data access, deletion, and sample destruction, with FTC enforcement.

Senator Bill Cassidy (R-LA)

Genomic Data Protection Act Gives You Control Over Your DNA Data from Testing Kits, Sets 30-Day Deletion Rule

A new bill, the Genomic Data Protection Act, aims to put you back in the driver's seat when it comes to the genetic information you share with direct-to-consumer testing companies – think services like AncestryDNA or 23andMe. The core idea? Giving you clear rights to see, delete, and even destroy the biological samples these companies hold.

Your DNA, Your Rules?

So, what does this actually mean for you? Under this proposed Act, companies selling those popular DNA test kits would have to provide easy-to-use options for you to:

  • Access your genomic data: See what information they have on you.
  • Delete your account and data: Wipe your genetic profile from their servers.
  • Destroy your biological sample: Get rid of the saliva or cheek swab you sent in.

Companies need to be upfront about these rights in clear notices. They also have to explain if and how your deidentified data (information supposedly stripped of personal identifiers) might be used for research. If the company gets bought out, they have to give you a heads-up at least 30 days beforehand, reminding you how to exercise these rights before the new owners take over.

Got a request? They have 30 days to delete your data or destroy your sample once you ask, and they must confirm it's done within that same window.

Reading Between the Lines

While this sounds like a win for privacy, there are a few catches baked into the text. Companies can refuse your deletion request if your data is tied up in a warrant, subpoena, court order, or other legal or regulatory demand. This makes sense for legal processes, but it's worth watching how broadly this exception might be applied.

Another key area is the definition of "deidentified genomic data." The effectiveness of this protection hinges on how strictly 'deidentified' is interpreted and enforced. If the standard isn't robust, companies might still find ways to use or share data that could potentially be linked back to individuals, even if it's technically deidentified according to the rules.

The Act also states it doesn't override other Federal laws and only steps on State laws if there's a direct conflict. This could lead to a patchwork of regulations across different states, potentially causing confusion for both consumers and companies.

The Watchdog Gets Involved

Who makes sure companies follow these rules? The Federal Trade Commission (FTC). The bill designates violations as "unfair or deceptive acts or practices," giving the FTC the power to step in. The agency is also tasked with creating specific rules to implement the Act within one year of it becoming law. This means the real-world impact will depend heavily on how the FTC writes and enforces these regulations.