States tighten genetic privacy
What happened
Utah and South Dakota have enacted new genetic‑privacy laws while other states advance similar bills, adding to a patchwork of rules on collection, use and deletion of genomic data. For companies handling biomarker and genomic safety data, these state laws create operational tasks around mapping data flows, consent wording and vendor obligations. (insideprivacy.com)
Why it matters
Utah’s legislature approved House Bill 182, which the governor signed on March 17, 2026, and that creates new rules limiting which companies’ sequencing machines and software can be used and where sequencing data may be stored; the bill’s main provisions take effect January 1, 2028. (le.utah.gov) South Dakota enacted Senate Bill 49, signed in late March 2026, which targets companies that sell genetic tests directly to consumers and requires clear notices, affirmative written consent before collecting or using a person’s genetic information, and consumer access and deletion rights; the state set an operational start date of July 1, 2026 for those obligations. (sdlegislature.gov) (Hunton.com) Under Utah’s law a “foreign adversary” is defined by the federal regulation at 15 C.F.R. § 791.4 (that is, a named list of countries and entities identified by the federal government), and the bill bars the use of genetic sequencers or sequencing software that are produced by or controlled by those foreign adversaries; a genetic sequencer is defined in the text as a device or platform that determines the order of the nucleotide building blocks in a human genome. (le.utah.gov) Utah’s statute also sets enforcement mechanics: facilities that store sequencing data must certify compliance in sworn statements, violations for storing data inside a foreign adversary’s boundaries can trigger fines of $10,000 per instance, and some parts of the penalty regime become enforceable in mid‑2028. (legiscan.com)) (billtrack50.com)) South Dakota’s law spells out who counts as a “direct‑to‑consumer genetic testing company” — any company that offers testing services directly to state residents or analyzes genetic data obtained from such tests — and defines “express consent” as an affirmative written response that can be captured electronically, with companies required to provide a plain‑language privacy policy and to honor revocations or deletion requests within 30 days. (sdlegislature.gov) (dataguidance.com)) Both laws assign enforcement roles to the state attorney general and set civil penalties: South Dakota authorizes fines up to $5,000 per violation and direct enforcement by the attorney general, while Utah authorizes the attorney general to investigate, seek civil actions, and recover fines and fees under the new sections; Utah also includes a specific clinical‑trial carve‑out that permits certain sequencing data from non‑U.S. trial subjects to be stored under specified federal data‑security programs. (dataguidance.com)) (InsidePrivacy / Covington & Burling)
Key numbers
- (sdlegislature.gov) (Hunton.com) Under Utah’s law a “foreign adversary” is defined by the federal regulation at 15 C.F.R.
Quick answers
What happened in States tighten genetic privacy?
Utah and South Dakota have enacted new genetic‑privacy laws while other states advance similar bills, adding to a patchwork of rules on collection, use and deletion of genomic data. For companies handling biomarker and genomic safety data, these state laws create operational tasks around mapping data flows, consent wording and vendor obligations. (insideprivacy.com)
Why does States tighten genetic privacy matter?
Utah’s legislature approved House Bill 182, which the governor signed on March 17, 2026, and that creates new rules limiting which companies’ sequencing machines and software can be used and where sequencing data may be stored; the bill’s main provisions take effect January 1, 2028. (le.utah.gov) South Dakota enacted Senate Bill 49, signed in late March 2026, which targets companies that sell genetic tests directly to consumers and requires clear notices, affirmative written consent before collecting or using a person’s genetic information, and consumer access and deletion rights; the state set an operational start date of July 1, 2026 for those obligations. (sdlegislature.gov) (Hunton.com) Under Utah’s law a “foreign adversary” is defined by the federal regulation at 15 C.F.R. § 791.4 (that is, a named list of countries and entities identified by the federal government), and the bill bars the use of genetic sequencers or sequencing software that are produced by or controlled by those foreign adversaries; a genetic sequencer is defined in the text as a device or platform that determines the order of the nucleotide building blocks in a human genome. (le.utah.gov) Utah’s statute also sets enforcement mechanics: facilities that store sequencing data must certify compliance in sworn statements, violations for storing data inside a foreign adversary’s boundaries can trigger fines of $10,000 per instance, and some parts of the penalty regime become enforceable in mid‑2028. (legiscan.com)) (billtrack50.com)) South Dakota’s law spells out who counts as a “direct‑to‑consumer genetic testing company” — any company that offers testing services directly to state residents or analyzes genetic data obtained from such tests — and defines “express consent” as an affirmative written response that can be captured electronically, with companies required to provide a plain‑language privacy policy and to honor revocations or deletion requests within 30 days. (sdlegislature.gov) (dataguidance.com)) Both laws assign enforcement roles to the state attorney general and set civil penalties: South Dakota authorizes fines up to $5,000 per violation and direct enforcement by the attorney general, while Utah authorizes the attorney general to investigate, seek civil actions, and recover fines and fees under the new sections; Utah also includes a specific clinical‑trial carve‑out that permits certain sequencing data from non‑U.S. trial subjects to be stored under specified federal data‑security programs. (dataguidance.com)) (InsidePrivacy / Covington & Burling)
