Since the beginning of 2025, there has been a flurry of bills introduced at the state and federal level related to genetic privacy, which follows a similar trend over the past several years. These bills have focused on a range of issues, including general genetic privacy, national security implications of “foreign adversaries” accessing genetic information, the privacy practices of direct-to-consumer (“DTC”) genetic testing companies, and the transfer of genetic data as part of bankruptcy proceedings, among others. We summarize a subset of such bills moving through state and federal legislatures below.
State Legislation
Montana SB 163
On May 1, the Montana governor signed SB 163 to amend the state’s Genetic Information Privacy Act (“MT GIPA”), which was originally enacted in 2023. Effective October 1, 2025, there will be several changes to the law, including:
- Creating Deidentification Exemption: The original version of MT GIPA did not contain an express exemption for deidentified data. SB 163 amends the law to include an express exemption for the use of deidentified genetic data for certain research purposes. Specifically, SB 163 includes an exemption for “deidentified genetic data obtained from a third party to the extent that the data is used to conduct internal, medical, or scientific research.” The deidentification standard is similar to the standard adopted under many comprehensive state privacy laws and other state DTC genetic privacy laws.
- Waiver of Certain Rights in the Clinical Trial Context: The law provides that consumers’ rights to access and delete data, destroy samples, and revoke consent must be waived in a limited context related to the collection of genetic data as part of a clinical trial if certain conditions are met, including prescriptive requirements for consent. Specifically:
  - The relevant entity generally must obtain express and informed written consent for participation in a clinical research trial, including the collection and use of any genetic data. Among other things, the consent must be in accordance with the good clinical practice (“GCP”) guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use and must include the entity’s biological sample and data retention, sharing, and use policies.
  - The biological sample and genetic data must be utilized for clinical research purposes only.
SB 163 states that these requirements are meant to “supersede all exceptions to, and waivers of” informed consent pursuant to the federal Common Rule. However, it is not clear how this new limited exemption is meant to interact with the existing exemption for entities that are engaged in collecting, using, or analyzing genetic data or biological samples in the context of scientific or clinical research with express consent of the individual and in accordance with human subject research frameworks, including GCP, the federal Common Rule, or FDA’s human subjects research regulations at 21 C.F.R. parts 50 and 56.
- Neural Data: The obligations under the law will now also apply to “neurotechnology data” defined as “information that is captured by neurotechnologies, is generated by measuring the activity of an individual’s central or peripheral nervous systems, or is data associated with neural activity, which means the activity of neurons or glial cells in the central or peripheral nervous system, and that is not nonneural information.” Montana becomes the third state to enact a privacy law that specifically protects neural data.
Texas HB 130
On May 23, the Texas legislature passed HB 130 (the “Texas Genomic Act of 2025”), which seeks to protect genetic information of Texas residents by regulating the collection, storage, and use of genome sequencing data. The bill is focused on ensuring that “foreign adversaries” (as defined in 15 C.F.R. § 791.4(a), which includes China, Cuba, Iran, North Korea, Russia, and Venezuela) are unable to access the genetic information of Texas residents. Notably, the definition of “foreign adversaries” aligns with the countries that are identified as “countries of concern” in the U.S. Department of Justice’s recently finalized Data Security Program (“DOJ DSP”), which focuses on access to bulk U.S. sensitive personal data (including human genomic data) by these countries and certain “covered persons.”
The bill would go into effect on September 1, 2025. Key provisions are summarized below:
- Broad Applicability: The bill would apply to a “medical facility, research facility, company, or nonprofit organization that conducts research on or testing of genome sequencing or the human genome” in Texas.
- Storage and Access to Genome Sequencing Data: The bill would impose obligations on regulated entities with respect to their storage of genome sequencing data of Texas residents within the borders of a foreign adversary, including access to such data within the borders of a foreign adversary. Notably, these requirements do not apply to the storage of genome sequencing data by the regulated entities that is collected as part of a clinical trial or biomedical research study subject to, or conducted in accordance with, the DOJ DSP. The bill also contains substantive provisions related to the use of genomic sequencing equipment or software produced by or on behalf of a foreign adversary or certain related parties.
- Sale or Transfer of Genomic Sequencing Data: The bill would prohibit the sale or transfer of genomic sequencing data of Texas residents as part of a bankruptcy proceeding to a foreign adversary, state-owned enterprise of a foreign adversary, or a company domiciled in a country that is a foreign adversary or its subsidiary or affiliate.
- Annual Certification: By December 31 of each year, each regulated entity must certify its compliance with the Texas Genomic Act of 2025 to the Texas Attorney General.
- Private Right of Action and AG Enforcement: Texas residents can seek recovery for alleged violations, including actual damages or statutory damages up to $5,000 per violation. The Attorney General can also seek up to $10,000 for each violation.
Florida SB 768
Notably, the Florida governor recently signed a bill, SB 768, which is similar to certain provisions of the Texas Genomic Act of 2025, but is generally narrower in scope. Specifically, the bill amends the provisions of Florida law that apply to the licensing of laboratories to require that the laboratory not use any operational or research software for genetic sequencing that is produced by a “foreign country of concern.” “Foreign country of concern” aligns with “foreign adversaries” under the Texas Genomic Act of 2025, though it also includes Syria.
Federal Legislation
On May 22, 2025, a bipartisan group of Senators introduced the “Don’t Sell My DNA Act,” which would amend the federal Bankruptcy Code, including to impose a notice and affirmative consumer consent requirement before genetic information is used, sold, or leased in a bankruptcy proceeding.
This is the second genetic privacy bill introduced during this Congress. Senators Cassidy (R-LA) and Peters (D-MI) introduced the Genomic Data Protection Act (“GDPA”) earlier this session, in March; it specifically focuses on the privacy practices of DTC genomic testing companies. Shortly after being introduced, the GDPA was referred to committee and has not advanced further. We covered the GDPA in a prior Inside Privacy post.