Read the full stored bill text
PRINTER'S NO. 1787
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No. 1530
Session of
2025
INTRODUCED BY BURGOS, PIELLI, MAYES, HILL-EVANS, GIRAL, NEILSON,
SANCHEZ, McANDREW, BOROWSKI, KENYATTA, DONAHUE, CERRATO,
WARREN, RIVERA, BOYD, E. NELSON, BIZZARRO, McNEILL, CEPEDA-
FREYTIZ, TOMLINSON AND CIRESI, MAY 30, 2025
REFERRED TO COMMITTEE ON CONSUMER PROTECTION, TECHNOLOGY AND
UTILITIES, MAY 30, 2025
AN ACT
Providing for duties of direct-to-consumer genetic testing
companies and for prohibition on disclosure of genetic data
of consumers; and imposing civil penalties.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Short title.
This act shall be known and may be cited as the Genetic
Information Privacy Act.
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Biological sample." A material part of, or discharge from,
a human being or a derivative of a material part of, or
discharge from, a human being, including tissue, blood, urine
and saliva, known to contain DNA.
"Consumer." An individual who is a resident of this
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Commonwealth.
"Deidentified data." Data that cannot reasonably be used to
infer information about, or otherwise be linked to, an
identifiable consumer that is subject to all of the following:
(1) Administrative and technical measures to ensure that
the data cannot be associated with a particular consumer.
(2) A public commitment by a direct-to-consumer genetic
testing company to maintain and use the data in a
deidentified form and to not attempt to reidentify the data.
(3) Legally enforceable contractual obligations that
prohibit a recipient of the data from attempting to
reidentify the data.
"Direct-to-consumer genetic testing company" or "company."
As follows:
(1) An entity that:
(i) offers a direct-to-consumer genetic testing
product or service; or
(ii) collects, uses or analyzes genetic data
provided to the entity by a consumer as a result of a
direct-to-consumer genetic testing product or service.
(2) The term does not include an entity that is only
engaged in collecting, using or analyzing genetic data or
biological samples in the context of research, as defined in
45 CFR 164.501 (relating to definitions), that is conducted
in accordance with 21 CFR Ch. I Subch. A Pts. 50 (relating to
protection of human subjects) and 56 (relating to
institutional review boards), 45 CFR Subt. A Subch. A Pt. 46
(relating to protection of human subjects) and the Good
Clinical Practice Guideline issued by the International
Council for Harmonisation.
20250HB1530PN1787 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
"DNA." Deoxyribonucleic acid.
"Express consent." A consumer's affirmative response to a
clear, meaningful and prominent notice regarding the collection,
use or disclosure of genetic data for a specific purpose.
"Genetic data." Any data, regardless of the format of the
data, that concerns a consumer's genetic characteristics. The
term does not include deidentified data. The term includes any
of the following:
(1) Raw sequence data that results from sequencing of a
consumer's complete extracted DNA or a portion of the
extracted DNA.
(2) Genotypic and phenotypic information that results
from analyzing the raw sequence data.
(3) Self-reported health information that a consumer
submits to a direct-to-consumer genetic testing company
regarding the consumer's health conditions and that is used
for scientific research or product development and analyzed
in connection with the consumer's raw sequence data.
"Genetic testing." A laboratory test of a consumer's
complete DNA, regions of DNA, chromosomes, genes or gene
products to determine the presence of genetic characteristics of
the consumer.
"Person." An individual, partnership, corporation,
association, business, business trust or legal representative of
an organization.
Section 3. Duties of direct-to-consumer genetic testing
companies.
In order to safeguard the privacy, confidentiality, security
and integrity of a consumer's genetic data, a direct-to-consumer
genetic testing company shall have the following duties:
20250HB1530PN1787 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(1) Provide clear and complete information regarding the
company's policies and procedures for the collection, use or
disclosure of genetic data by making all of the following
available to a consumer:
(i) A high-level privacy policy overview that
includes basic, essential information about the
company's collection, use or disclosure of genetic data.
(ii) A prominent, publicly available privacy notice
with information about the company's data collection,
consent, use, access, disclosure, transfer, security and
retention and deletion practices.
(2) Obtain a consumer's consent for the collection, use
or disclosure of the consumer's genetic data, which includes
all of the following:
(i) Initial express consent that clearly describes
the uses of the consumer's genetic data collected through
the genetic testing product or service and specifies who
has access to test results and how the genetic data may
be shared.
(ii) Separate express consent for transferring or
disclosing the consumer's genetic data to a person other
than the company's vendor or service provider or for
using the consumer's genetic data beyond the primary
purpose of the genetic testing product or service and
inherent contextual uses.
(iii) Separate express consent for the retention of
a biological sample provided by the consumer after
completion of the initial testing service requested by
the consumer.
(iv) Informed consent in accordance with 45 CFR
20250HB1530PN1787 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Subt. A Subch. A Pt. 46 (relating to protection of human
subjects) for the transfer or disclosure of the
consumer's genetic data to a third-party person for
research purposes or research conducted under the control
of the company for the purpose of publication or
generalizable knowledge.
(v) Express consent for marketing to the consumer
based on the consumer's genetic data or for marketing by
a third-party person to the consumer based on the
consumer having ordered or purchased a genetic testing
product or service. As used in this subparagraph, the
term "marketing" does not include the provision of
customized content or offers on an Internet website or
through an application or service provided by a direct-
to-consumer genetic testing company with a first-party
relationship to a consumer.
(3) Require a valid legal process for disclosing genetic
data to a law enforcement agency or any other Federal, State
or local government entity without the consumer's express
written consent.
(4) Develop, implement and maintain a comprehensive
security program to protect the consumer's genetic data
against unauthorized access, use or disclosure.
(5) Provide a process for the consumer to:
(i) access the consumer's genetic data;
(ii) delete the consumer's account and genetic data;
and
(iii) request and obtain the destruction of the
consumer's biological sample.
(6) Otherwise comply with Federal and State laws
20250HB1530PN1787 - 5 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
regarding the privacy, confidentiality, security and
integrity of the consumer's genetic data.
Section 4. Prohibition on disclosure of genetic data of
consumers.
Notwithstanding the provisions of section 3, a direct-to-
consumer genetic testing company may not disclose a consumer's
genetic data to any of the following without the consumer's
written consent:
(1) An entity offering health insurance, life insurance
or long-term care insurance.
(2) An employer of the consumer.
Section 5. Civil penalties.
The Office of Attorney General may bring a civil action in
the name of the Commonwealth or on behalf of consumers to
enforce the provisions of this act in a court of competent
jurisdiction. In an action brought under this section, the court
may impose a civil penalty of $2,500 for each violation of this
act, the recovery of actual damages incurred by consumers on
whose behalf the action was brought and the costs and reasonable
attorney fees incurred by the Office of Attorney General.
Section 6. Applicability.
This act shall not apply to any of the following:
(1) Protected health information that is collected by a
covered entity or business associate governed by the privacy,
security and breach notification regulations issued by the
United States Department of Health and Human Services under
45 CFR Subt. A Subch. C Pts. 160 (relating to general
administrative requirements) and 164 (relating to security
and privacy) and established under the Health Insurance
Portability and Accountability Act of 1996 (Public Law 104-
20250HB1530PN1787 - 6 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
191, 110 Stat. 1936) and the Health Information Technology
for Economic and Clinical Health Act (Public Law 111-5, 123
Stat. 226-279 and 467-496).
(2) Biological samples or genetic data lawfully obtained
by a law enforcement agency from a crime scene reasonably
suspected to belong to a putative suspect in a criminal case.
(3) Biological samples or genetic data obtained from a
deceased individual whose identity is unknown solely for the
purposes of identifying the individual.
Section 7. Effective date.
This act shall take effect in 60 days.
20250HB1530PN1787 - 7 -
1
2
3
4
5
6
7
8
9
10
11