At the state level, genetic privacy remains a fast-moving topic, and states continue to introduce and advance bills regulating genetic data.

Several proposals that we covered in more detail earlier this year have progressed since our last update, including:

  • Utah enacted HB 182, which regulates “foreign adversaries’” access to genetic sequencing information. The final version of the bill delayed the effective date until January 1, 2028 (previously May 5, 2027) and added an exemption to the storage-related provisions for genetic sequencing data gathered as part of a clinical trial (i) from clinical trial subjects outside of the U.S. or (ii) when the storage, transfer, or remote access to the data is permitted under the DOJ Data Security Program.
  • South Dakota enacted SB 49, which regulates the practices of direct-to-consumer (“DTC”) genetic testing companies. The law takes effect July 1, 2026.
  • The Wisconsin legislature passed AB 673, which would regulate foreign adversaries access to genomic sequencing information. However, the Wisconsin governor vetoed the bill on March 27, 2026, citing potential unintended consequences that the bill may have on medical and research activities in Wisconsin, such as multi-institution or international research collaborations or industry partnerships.

Additionally, several states have proposed new bills, including:

  • West Virginia introduced HB 5034, which is a multi-faceted bill that would regulate foreign adversaries’ access to genetic data and also includes additional DTC-like provisions that would apply to entities that collect, use, or analyze genetic data.
    • The foreign adversary provisions would apply to medical facilities, research facilities, companies, entities, or nonprofit organizations and would prohibit the use of genome sequencers or software produced by certain companies based in, owned by, or controlled by a “foreign adversary,” defined by 15 C.F.R. Section 791.4. The bill would also prohibit these entities from storing genome sequencing data or providing access to it within the boundaries of a foreign adversary, except as part of a clinical trial or biomedical research study subject to or conducted in accordance with the DOJ Data Security Program. The bill would also prohibit the sale of genomic sequencing data in bankruptcy or reorganization to a foreign adversary or certain companies based in, owned by, or controlled by a foreign adversary. The bill would also require entities to annually certify compliance with the provisions of the bill to the state attorney general.
    • The DTC-like provisions would apply to entities that offer “consumer genetic testing products or services directly to a consumer” or that “collect[], use[], or analyze[] genetic data.” The bill would prohibit the collection or processing of genomic information without a consumer’s “express consent,” and require separate express consent to transfer the data to a third party or use the data beyond the service’s primary purpose. HB 5034 would grant consumers the right to access, delete, and direct the destruction of their genomic information and biological samples. Additionally, these provisions would (i) prohibit the storage of genetic data or biometric samples of West Virginia residents collected in the state within the territorial boundaries of any country sanctioned by the U.S. office of foreign asset control or designated as a foreign adversary and (ii) require consent of the resident to transfer or store such data outside of the U.S.
    • The bill contains exceptions for (i) “an entity when it is engaged only in collecting, using, or analyzing genetic data or biological samples in the context of research as defined in 45 CFR 164.501 conducted with the express consent of an individual and in accordance with” human subject research frameworks and (ii) PHI that is collected by a covered entity or business associate “if separate informed consent related to the collection, use, and dissemination of genetic data is obtained and the [entity] follows the policies under this article.”  The bill does not contain an express exemption for de-identified data.
    • The West Virginia Attorney General can bring enforcement actions under the bill, with damages of $2,500 for each violation. HB 5034 also contains a private right of action.  
  • Connecticut introduced HB 5128, which would regulate DTC genetic testing companies. The Connecticut Attorney General specifically called for the legislature to enact such a law in its 2025 Connecticut Data Privacy Act Enforcement Report. The bill defines “direct‑to‑consumer genetic testing companies” as an entity that “offers genetic testing directly to a consumer” or that “collects, uses or analyzes genetic data that a consumer has provided.” The bill also establishes that a consumer has a property right in their biological sample and genetic test results derived from the consumer’s DNA. HB 5128 requires companies to disclose their genetic data handling practices to consumers and to obtain consumers’ “express consent” for genetic data collection, use, disclosure, and retention, along with secondary uses, third‑party transfers, and post‑testing sample retention. The bill would grant consumers the right to access, delete, require destruction, and revoke consent for their genetic data. The bill includes exceptions for disclosures pursuant to court order and for de-identified data, but does not include an exemption for research conducted in accordance with human subject research frameworks or for entities or data subject to HIPAA. Violations are deemed unfair or deceptive trade practices enforceable by the Connecticut Attorney General. The bill would take effect on October 1, 2026.
  • Rhode Island introduced H 7639, which largely mirrors S 2203, which we summarized in our last update. Like S 2203, H 7639 regulates DTC genetic testing companies. 
  • Illinois introduced SB 2994, which would amend the Genetic Information Privacy Act to also regulate “neurotechnology.” The bill defines neurotechnology to include “devices capable of recording, interpreting, and altering the response of an individual’s central or peripheral nervous system to its internal or external environment.” If enacted, Illinois would follow several other states in enacting protections for neural data and/or provisions to regulate neurotechnology. The amendment would take effect January 1, 2027.
  • California introduced AB 1727, which would amend California’s genetic privacy law to include criminal penalties. Specifically, the bill would make it a misdemeanor for a person to “willfully sell[] or transfer[] genetic data” without “express consent.” The misdemeanor would be punishable by up to a year of imprisonment, a fine of up to $1,000, or both. Currently, the statute assesses a civil penalty of up to $1,000 for a negligent violation, and a civil penalty of between $1,000 and $10,000 for a willful violation, which this amendment would not change.
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws.

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Chambers USA 2025 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Read more about Libbie Canter
Show more Show less
Photo of Elizabeth Brim Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and…

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Read more about Elizabeth Brim
Show more Show less
Photo of Clare Mathias Clare Mathias

Clare Mathias is an associate in the firm’s Boston office. She is a member of the Data Privacy and Cybersecurity Practice Group and the Health Care Practice Group.

Clare advises clients on a wide range of privacy and health care issues, including compliance…

Clare Mathias is an associate in the firm’s Boston office. She is a member of the Data Privacy and Cybersecurity Practice Group and the Health Care Practice Group.

Clare advises clients on a wide range of privacy and health care issues, including compliance with federal health care regulations and U.S. state and federal privacy laws.

Clare also maintains an active pro-bono practice.

Show more Show less