WASHINGTON – U.S. Senators Bill Cassidy, M.D. (R-LA) and Gary Peters (D-MI) introduced the Genomic Data Protection Act to give Americans using at-home DNA tests the choice to delete their genomic data and destroy their biological samples. Approximately 21% of Americans have taken a mail-in a DNA test from a Direct-to-Consumer Genomic Testing Company. The lack of privacy protections opens the door to the potential selling of this data, which poses a risk to consumers and national security if an adversarial entity acquires the information.
“Americans should know what happens to their personal health data after an at-home DNA test,” said Dr. Cassidy. “We need federal guidelines to make sure their rights are protected. Specifically, Americans should control their own genomic privacy.”
“American citizens should have the right to control how their unique health and genetic information is being used and stored,” said Senator Peters. “This bill would give consumers the power to access their personal genomic data, delete it from a company’s platform, and ultimately destroy it if they choose.”
Ten states, including Arizona, California, Kentucky, Maryland, Montana, Tennessee, Texas, Utah, Virginia, and Wyoming have enacted consumer protections related to the genomic data held by Direct-to-Consumer Genomic Testing Companies. However, there is no federal framework that allows Americans to protect the privacy of their personal genomic data. The legislation tasks the Federal Trade Commission with enforcing the Genomic Privacy Protection Act.
The Genomic Data Protection Act would:
- Require Direct-to-Consumer Genomic Companies to enable a consumer to access their genomic data, delete their genomic data, and destroy their biological samples;
- Require Direct-to-Consumer genomic testing companies to notify consumers about the upcoming purchase or acquisition of a Direct-to-Consumer Genomic Companies and remind consumers of their rights to access, delete, and destroy their genomic data and biological sample;
- Require Direct-to-Consumer Genomic Companies to process deletion requests within 30 days. The companies must also notify consumers that their request was processed 30 days after the data was deleted; and,
- Stipulate that deidentified data can only be used for medical research in compliance with Health Insurance Portability and Accountability Act (HIPPA).
###