WASHINGTON – U.S. Senators Bill Cassidy, M.D. (R-LA) and Gary Peters (D-MI) introduced the Genomic Data Protection Act to give Americans using at-home DNA tests the choice to delete their genomic data and destroy their biological samples. Around 21% of Americans have taken a mail-in a DNA test from a direct-to-consumer genomic testing company. The absence of privacy protections allows for the potential selling of American’s data, posing a risk to consumers and the country’s national security if a bad actors obtains the information.
“Americans want to know what happens to their data after an at-home DNA test,” said Dr. Cassidy. “Let’s give them control over their own genomic data. It should be private if they want it to be.”
“American citizens should have the right to control how their unique health and genetic information is being used and stored,” said Senator Peters. “This bill would give consumers the power to access their personal genomic data, delete it from a company’s platform, and ultimately destroy it if they choose.”
Arizona, California, Kentucky, Maryland, Montana, Tennessee, Texas, Utah, Virginia, and Wyoming have consumer protections related to the genomic data held by direct-to-consumer genomic testing companies. However, there is no federal framework that empowers Americans to protect the privacy of their personal genomic data. The legislation tasks the Federal Trade Commission with enforcing the Genomic Privacy Protection Act.
The Genomic Data Protection Act would:
- Require direct-to-consumer genomic testing companies to enable a consumer to access their genomic data, delete their genomic data, and destroy their biological samples;
- Require direct-to-consumer genomic testing companies to notify consumers about the upcoming purchase or acquisition of a direct-to-consumer genomic testing companies and remind consumers of their rights to access, delete, and destroy their genomic data and biological sample;
- Require direct-to-consumer genomic testing companies to process deletion requests within 30 days. The companies must also notify consumers that their request was processed 30 days after the data was deleted; and,
- Stipulate that deidentified data can only be used for medical research in compliance with Health Insurance Portability and Accountability Act (HIPPA).
###