AN ACT RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- GENETIC INFORMATION PRIVACY ACT (Requires a direct-to-consumer genetic testing company, as defined, to provide a consumer with certain information regarding the company’s policies and procedures regarding use of genetic data.)

H7639

2026 -- H 7639
========
LC005027
========

STATE OF RHODE ISLAND
IN GENERAL ASSEMBLY
JANUARY SESSION, A.D. 2026
____________
A N A C T
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS --
GENETIC INFORMATION PRIVACY ACT

Introduced By:
Representatives Ajello, Cortvriend, Corvese, Place, Cruz, Kislak, Handy,
Boylan, Donovan, and Cotter

Date Introduced:
February 11, 2026

Referred To:
House Judiciary
It is enacted by the General Assembly as follows:
1
SECTION 1. Legislative findings and short title.
2
The general assembly finds and declares the following:
3
(1) Direct-to-consumer genetic testing services are largely unregulated and could expose
4
personal and genetic information, and potentially create unintended security consequences and
5
increased risk.
6
(2) There is growing concern in the scientific community that outside parties are exploiting
7
the use of genetic data for questionable purposes, including mass surveillance and the ability to
8
track individuals without their authorization.
9
(3) Genomic data is highly distinguishable. There is a confirmation that a sequence of 30
10
to 80 single nucleotide polymorphisms could uniquely identify an individual. Genomic data is also
11
very stable. It undergoes little change over the lifetime of an individual and thus has a long-lived
12
value, as opposed to other biometric data such as blood tests, which have expiration dates.
13
(4) The potential information hidden within genomic data is cause for significant concern.
14
As our knowledge in genomics evolves, so will our view on the sensitivity of genomic data.
15
SECTION 2. Title 6 of the General Laws entitled "COMMERCIAL LAW — GENERAL
16
REGULATORY PROVISIONS" is hereby amended by adding thereto the following chapter:
17
CHAPTER 63
18
GENETIC INFORMATION PRIVACY ACT

1

6-63-1. Short title.

2

This chapter shall be known, and may be cited, as the "Genetic Information Privacy Act."
3

6-63-2. Definitions.

4

For purposes of this chapter, the following definitions apply:
5

(1) “Affirmative authorization” means an action that demonstrates an intentional decision
6
by the consumer.
7

(2) “Biological sample” means any material part of a human subject, discharge therefrom,
8
or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid
9
(DNA).
10

(3) “Consumer” means a natural person who is a Rhode Island resident.
11

(4) “Dark pattern” means a user interface designed or manipulated with the substantial
12
effect of subverting or impairing user autonomy, decision making, or choice.
13

(5) “Direct-to-consumer genetic testing company” means an entity that does any of the
14
following:
15

(i) Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing
16
products or services directly to consumers.
17

(ii) Analyzes genetic data obtained from a consumer, except to the extent that the analysis
18
is performed by a person licensed in the healing arts for diagnosis or treatment of a medical
19
condition.
20

(iii) Collects, uses, maintains, or discloses genetic data collected or derived from a direct-
21
to-consumer genetic testing product or service, or is directly provided by a consumer.
22

(6) “Express consent” means a consumer’s affirmative authorization to grant permission in
23
response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance,
24
or disclosure of genetic data for a specific purpose. The nature of the data collection, use,
25
maintenance, or disclosure shall be conveyed in clear and prominent terms in such a manner that
26
an ordinary consumer would notice and understand it. Express consent cannot be inferred from
27
inaction. Agreement obtained through use of dark patterns does not constitute consent.
28

(7)(i) “Genetic data” means any data, regardless of its format, that results from the analysis
29
of a biological sample from a consumer, or from another element enabling equivalent information
30
to be obtained, and concerns genetic material. Genetic material includes, but is not limited to,
31
deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes,
32
alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs),
33
uninterpreted data that results from the analysis of the biological sample, and any information
34
extrapolated, derived, or inferred therefrom.

LC005027 - Page 2 of 10
1

(ii) “Genetic data” does not include deidentified data. For purposes of this subsection,
2
“deidentified data” means data that cannot be used to infer information about, or otherwise be
3
linked to, a particular individual; provided that, the business that possesses the information does all
4
of the following:
5

(A) Takes reasonable measures to ensure that the information cannot be associated with a
6
consumer or household;
7

(B) Publicly commits to maintain and use the information only in deidentified form and
8
not to attempt to reidentify the information, except that the business may attempt to reidentify the
9
information solely for the purpose of determining whether its deidentification processes satisfy the
10
requirements of this subsection; provided that, the business does not use or disclose any information
11
reidentified in this process and destroys the reidentified information upon completion of that
12
assessment; and
13

(C) Contractually obligates any recipients of the information to take reasonable measures
14
to ensure that the information cannot be associated with a consumer or household and to commit
15
to maintaining and using the information only in deidentified form and not to reidentify the
16
information;
17

(iii) “Genetic data” does not include data or a biological sample to the extent that data or a
18
biological sample is collected, used, maintained, and disclosed exclusively for scientific research
19
conducted by an investigator with an institution that holds an assurance with the United States
20
Department of Health and Human Services pursuant to 45 CFR Part 46 of the Code of Federal
21
Regulations, in compliance with all applicable federal and state laws and regulations for the
22
protection of human subjects in research including, but not limited to, the Common Rule pursuant
23
to 45 CFR Part 46 of the Code of Federal Regulations, United States Food and Drug Administration
24
regulations pursuant to 21 CFR Parts 50 and 56 of the Code of Federal Regulations, and the federal
25
Family Educational Rights and Privacy Rights Act (20 U.S.C. §. 1232g).
26

(8) “Genetic testing” means any laboratory test of a biological sample from a consumer for
27
the purpose of determining information concerning genetic material contained within the biological
28
sample, or any information extrapolated, derived, or inferred therefrom.
29

(9) “Person” means an individual, partnership, corporation, association, business, business
30
trust, or legal representative of an organization.
31

(10) “Service provider” means a sole proprietorship, partnership, limited liability company,
32
corporation, association, or other legal entity that is organized or operated for the profit or financial
33
benefit of its shareholders or other owners, that is involved in the collection, transportation, and
34
analysis of the consumer’s biological sample or extracted genetic material on behalf of the direct-

LC005027 - Page 3 of 10
1
to-consumer genetic testing company, or on behalf of any other company that collects, uses,
2
maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing
3
product or service, or is directly provided by a consumer, or the delivery of the results of the
4
analysis of the biological sample or genetic material. The contract between the company and the
5
service provider shall prohibit the service provider from retaining, using, or disclosing the
6
biological sample, extracted genetic material, genetic data, or any information regarding the
7
identity of the consumer, including whether that consumer has solicited or received genetic testing,
8
as applicable, for any purpose other than for the specific purpose of performing the services
9
specified in the contract for the business, including both of the following:
10

(i) A provision prohibiting the service provider from retaining, using, or disclosing the
11
biological sample, extracted genetic material, genetic data, or any information regarding the
12
identity of the consumer, including whether that consumer has solicited or received genetic testing,
13
as applicable, for a commercial purpose other than providing the services specified in the contract
14
with the business; and
15

(ii) A provision prohibiting the service provider from associating or combining the
16
biological sample, extracted genetic material, genetic data, or any information regarding the
17
identity of the consumer, including whether that consumer has solicited or received genetic testing,
18
as applicable, with information the service provider has received from or on behalf of another
19
person or persons, or has collected from its own interaction with consumers or as required by law.
20

6-63-3. Privacy of genetic data.

21

(a) To safeguard the privacy, confidentiality, security, and integrity of a consumer’s genetic
22
data, a direct-to-consumer genetic testing company shall do both of the following:
23

(1) Provide clear and complete information regarding the company’s policies and
24
procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data by
25
making available to a consumer all of the following:
26

(i) A summary of its privacy practices, written in plain language, that includes information
27
about the company’s collection, use, maintenance, and disclosure, as applicable, of genetic data;
28

(ii) A prominent and easily accessible privacy notice that includes, at a minimum, complete
29
information about the company’s data collection, consent, use, access, disclosure, maintenance,
30
transfer, security, and retention and deletion practices, and information that clearly describes how
31
to file a complaint alleging a violation of this chapter; and
32

(iii) A notice that the consumer’s deidentified genetic or phenotypic information may be
33
shared with or disclosed to third parties for research purposes in accordance with 45 CFR Part 46
34
of the Code of Federal Regulations.

LC005027 - Page 4 of 10
1

(2) Obtain a consumer’s express consent for collection, use, and disclosure of the
2
consumer’s genetic data, including, at a minimum, separate and express consent for each of the
3
following:
4

(i) The use of the genetic data collected through the genetic testing product or service
5
offered to the consumer, including who has access to genetic data, and how genetic data may be
6
shared, and the specific purposes for which it will be collected, used, and disclosed;
7

(ii) The storage of a consumer’s biological sample after the initial testing requested by the
8
consumer has been fulfilled;
9

(iii) Each use of genetic data or the biological sample beyond the primary purpose of the
10
genetic testing or service and inherent contextual uses;
11

(iv) Each transfer or disclosure of the consumer’s genetic data or biological sample to a
12
third party other than to a service provider, including the name of the third party to which the
13
consumer’s genetic data or biological sample will be transferred or disclosed; and
14

(v)(A) The marketing or facilitation of marketing to a consumer based on the consumer’s
15
genetic data or the marketing or facilitation of marketing by a third party based upon the consumer
16
having ordered, purchased, received, or used a genetic testing product or service;
17

(B) This subsection does not require a direct-to-consumer genetic testing company to
18
obtain a consumer’s express consent to market to the consumer on the company’s own website or
19
mobile application based upon the consumer having ordered, purchased, received, or used a genetic
20
testing product or service from that company if the content of the advertisement does not depend
21
upon any information specific to that consumer, except for the product or service that the consumer
22
ordered, purchased, received, or used, and the placement of the advertisement is not intended to
23
result in disparate exposure to advertising content. Nothing in this subsection alters, limits, or
24
negates the requirements of any other antidiscrimination law or targeted advertising law;
25

(C) Any advertisement of a third-party product or service presented to a consumer shall be
26
prominently labeled as advertising content and be accompanied by the name of any third party that
27
has contributed to the placement of the advertising. If applicable, the advertisement also shall
28
clearly indicate that the advertised product or service, and any associated claims, have not been
29
vetted or endorsed by the direct-to-consumer genetic testing company; and
30

(D) For the purpose of this section, “third party” does not include a public or private
31
nonprofit postsecondary educational institution to the extent that the consumer’s genetic data or
32
biological sample is disclosed to a public or private nonprofit postsecondary educational institution
33
for the purpose of scientific research or educational activities as described in § 6-63-6. A company
34
that is subject to the requirements described in this section shall provide effective mechanisms,

LC005027 - Page 5 of 10
1
without any unnecessary steps, for a consumer to revoke their consent after it is given, at least one
2
of which utilizes the primary medium through which the company communicates with consumers.
3

(b) If a consumer revokes the consent that they provided pursuant to this section, the
4
company shall honor the consumer’s consent revocation as soon as practicable, but not later than
5
thirty (30) days after the individual revokes consent, in accordance with both of the following:
6

(1) Revocation of consent under this section shall comply with 45 CFR Part 46 of the Code
7
of Federal Regulations; and
8

(2) The company shall destroy a consumer’s biological sample within thirty (30) days of
9
receipt of revocation of consent to store the sample.
10

(c) The direct-to-consumer genetic testing company shall do both of the following:
11

(1) Implement and maintain reasonable security procedures and practices to protect a
12
consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure;
13
and
14

(2) Develop procedures and practices to enable a consumer to easily do any of the
15
following;
16

(i) Access the consumer’s genetic data;
17

(ii) Delete the consumer’s account and genetic data, except for genetic data that is required
18
to be retained by the company to comply with applicable legal and regulatory requirements; or
19

(iii) Have the consumer’s biological sample destroyed.
20

(d) A person or public entity shall not discriminate against a consumer because the
21
consumer exercised any of the consumer’s rights under this chapter by doing any of the following
22
including, but not limited to:
23

(1) Denying goods, services, or benefits to the customer;
24

(2) Charging different prices or rates for goods or services, including through the use of
25
discounts or other incentives or imposing penalties;
26

(3) Providing a different level or quality of goods, services, or benefits to the consumer;
27

(4) Suggesting that the consumer will receive a different price or rate for goods, services,
28
or benefits, or a different level or quality of goods, services, or benefits; or
29

(5) Considering the consumer’s exercise of rights under this chapter as a basis for suspicion
30
of criminal wrongdoing or unlawful conduct.
31

(e)(1) Notwithstanding any other provision in this section, and except as provided in
32
subsection (e)(2) of this section, a direct-to-consumer genetic testing company shall not disclose a
33
consumer’s genetic data to any entity that is responsible for administering or making decisions
34
regarding health insurance, life insurance, long-term care insurance, disability insurance, or

LC005027 - Page 6 of 10
1
employment or to any entity that provides advice to an entity that is responsible for performing
2
those functions;
3

(2) A direct-to-consumer genetic testing company may disclose a consumer’s genetic data
4
or biological sample to an entity described in subsection (e)(1) of this section if all of the following
5
are true:
6

(i) The entity is not primarily engaged in administering health insurance, life insurance,
7
long-term care insurance, disability insurance, or employment;
8

(ii) The consumer’s genetic data or biological sample is not disclosed to the entity in that
9
entity’s capacity as a party that is responsible for administering, advising, or making decisions
10
regarding health insurance, life insurance, long-term care insurance, disability insurance, or
11
employment; and
12

(iii) Any agent or division of the entity that is involved in administering, advising, or
13
making decisions regarding health insurance, life insurance, long-term care insurance, disability
14
insurance, or employment is prohibited from accessing the consumer’s genetic data or biological
15
sample.
16

6-63-4. Penalties.

17

(a) Any person who negligently violates this chapter shall be assessed a civil penalty in an
18
amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court.
19

(b) Any person who willfully violates this chapter shall be assessed a civil penalty in an
20
amount not less than one thousand dollars ($1,000) and not more than ten thousand dollars
21
($10,000) plus court costs, as determined by the court.
22

(c) Actions for relief pursuant to this chapter shall be prosecuted exclusively in a court of
23
competent jurisdiction by the attorney general.
24

(d) Court costs recovered pursuant to this section shall be paid to the party or parties that
25
prosecuted the violation. Penalties recovered pursuant to this section shall be paid to the individual
26
to whom the genetic data at issue pertains.
27

(e) Any provision of a contract or agreement between a consumer and a person governed
28
by this chapter that has, or would have, the effect of delaying or limiting access to a legal remedy
29
for a violation of this chapter shall not apply to the exercise of rights or enforcement pursuant to
30
this chapter.
31

(f) Each violation of this chapter is a separate and actionable violation.
32

6-63-5. Conflicts of law.

33

(a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing
34
company’s duties, obligations, requirements, or standards under any applicable state and federal

LC005027 - Page 7 of 10
1
laws for the protection of privacy and security.
2

(b) In the event of a conflict between the provisions of this chapter and any other law, the
3
provisions of the law that afford the greatest protection for the right of privacy for consumers shall
4
control.
5

6-63-6. Exclusions.

6

(a) This chapter shall not apply to any of the following:
7

(1) Medical information governed by chapter 37.3 of title 5, (“confidentiality of medical
8
information act”) or to protected health information that is collected, maintained, used, or disclosed
9
by a covered entity or business associate governed by the privacy, security, and breach notification
10
rules issued by the United States Department of Health and Human Services, 45 CFR Parts 160 and
11
164 of the Code of Federal Regulations established pursuant to the federal Health Insurance
12
Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health
13
Information Technology for Economic and Clinical Health Act (Public Law 111-5);
14

(2) A provider of health care governed by chapter 37.3 of title 5, or a covered entity
15
governed by the privacy, security, and breach notification rules issued by the United States
16
Department of Health and Human Services, 45 CFR Parts 160 and 164 of the Code of Federal
17
Regulations, established pursuant to the Health Insurance Portability and Accountability Act of
18
1996 (Public Law 104-191) and the federal Health Information Technology for Economic and
19
Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009
20
(Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses
21
genetic information in the same manner as medical information or protected health information, as
22
described in subsection (a)(1) of this section;
23

(3) A business associate of a covered entity governed by the privacy, security, and data
24
breach notification rules issued by the United States Department of Health and Human Services,
25
45 CFR Parts 160 and 164 of the Code of Federal Regulations, established pursuant to the federal
26
Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal
27
Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal
28
American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the
29
business associate maintains, uses, and discloses genetic information in the same manner as medical
30
information or protected health information, as described in subsection (a)(1) of this section;
31

(4) Scientific research or educational activities conducted by a public or private nonprofit
32
postsecondary educational institution that holds an assurance with the United States Department of
33
Health and Human Services pursuant to 45 CFR Part 46 of the Code of Federal Regulations, to the
34
extent that the scientific research and educational activities conducted by that institution comply

LC005027 - Page 8 of 10
1
with all applicable federal and state laws and regulations for the protection of human subjects in
2
research including, but not limited to, the Common Rule pursuant to 45 CFR Part 46 of the Code
3
of Federal Regulations, United States Food and Drug Administration regulations pursuant to 21
4
CFR Parts 50 and 56 of the Code of Federal Regulations, the federal Family Educational Rights
5
and Privacy Rights Act (20 U.S.C. Sec. 1232g);
6

(5) The provisions of the newborn screening program pursuant to § 23-13-14;
7

(6) Tests conducted exclusively to diagnose whether an individual has a specific disease,
8
to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic
9
information in the same manner as medical information or protected health information, as
10
described in subsection (a)(1) of this section; and
11

(7) Genetic data used or maintained by an employer, or disclosed by an employee to an
12
employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply
13
with a local, state, or federal workplace health and safety ordinance, law, or regulation.
14

(b) Nothing in this chapter shall be construed to affect access to information made available
15
to the public by the consumer.
16

6-63-7. Severability.

17

The provisions of this chapter are severable. If any provision of this chapter or its
18
application is held invalid, that invalidity shall not affect other provisions or applications that can
19
be given effect without the invalid provision or application.
20
SECTION 3. This act shall take effect upon passage.
========
LC005027
========

LC005027 - Page 9 of 10
EXPLANATION
BY THE LEGISLATIVE COUNCIL
OF
A N A C T
RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS --
GENETIC INFORMATION PRIVACY ACT
***
1
This act would require a direct-to-consumer genetic testing company, as defined, to provide
2
a consumer with certain information regarding the company’s policies and procedures for the
3
collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a
4
consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data, as
5
specified.
6
This act would take effect upon passage.
========
LC005027
========

LC005027 - Page 10 of 10