As privacy lawyers, including lawyers focused on genetic privacy, we help clients navigate the complex landscape of laws and regulations that protect genetic information. This includes federal laws like the Genetic Information Nondiscrimination Act (GINA); comprehensive state privacy laws such as the California Consumer Privacy Act (CCPA); state genetic privacy laws such as the California Genetic Information Privacy Act (GIPA) and the Illinois Genetic Information Privacy Act (GIPA); and international frameworks like the General Data Protection Regulation (GDPR).

Overview of Relevant Laws

  • HIPAA: The Health Insurance Portability and Accountability Act primarily regulates the use and disclosure of health information, including genetic data, within healthcare settings. GINA further enhances HIPAA by treating genetic information as a type of protected health information.
  • GINA: Prohibits genetic discrimination in employment and health insurance. It ensures that genetic information is not used to make decisions regarding employment or insurance.
  • State Privacy Laws:
    • California GIPA: Focuses on protecting genetic data collected by companies like 23andMe, requiring explicit consent for data collection and use.
    • Illinois GIPA: Prohibits the use of genetic information for insurance underwriting and has seen recent class actions against employers for requesting family medical history.
    • CCPA and CPRA: While not exclusively focused on genetic data, these laws provide broad protections for personal data, including genetic information, collected from California residents.
    • Other State Privacy Laws: There are numerous other comprehensive privacy laws, similar to the CCPA, that would also apply in the context of genetic privacy.
  • GDPR: Applies to companies handling the genetic data of EU residents, emphasizing consent and data subject rights.
  • Other International Laws: Many countries have comprehensive privacy laws that may be relevant in genetics privacy scenarios.

Recent Developments and Insights

23andMe Bankruptcy

The recent bankruptcy filing by 23andMe highlights significant concerns about the future of genetic data privacy. With millions of DNA profiles, concerns exist about potential data misuse or unauthorized access. Despite assurances from 23andMe that it will prioritize data privacy in any sale, some users have chosen to delete their data.

Illinois GIPA Class Actions

Over 30 lawsuits have been filed under Illinois’ GIPA, targeting companies that require job applicants to disclose family medical history. These cases present a new legal challenge, particularly for industries such as transportation and logistics, where physical fitness assessments are frequently used. Early court decisions have favored plaintiffs, but there remains uncertainty about what constitutes genetic information.

Practice Focus

Our practice is dedicated to advising clients on compliance with these laws and navigating the complexities of genetic data privacy. If you are a business seeking to ensure compliance with evolving regulations, we can guide you through this rapidly changing legal landscape.






    • Montana Expands Genetic Privacy Law to Include Neural Data: Montana has become the third state to regulate “neurotechnology data,” amending its Genetic Information Privacy Act (GIPA) with new protections for neural data, effective October 1, 2025. Unlike Colorado and California, which added neural protections under broader consumer privacy laws, Montana does so within its genetic privacy statute. The amendment requires businesses handling neural data—such as brainwave or neurotech-derived information—to meet strict notice and consent obligations. This shift signals a move toward integrating neural privacy into biological data laws, adding to the patchwork of evolving neural data rules in the U.S.
    • 23andMe Bankruptcy Spotlights Data Stewardship in Asset Sales: The 23andMe bankruptcy has underscored critical best practices for managing and transferring sensitive genetic and personal data during corporate insolvency. Following the July 2025 sale, the process highlights the need for robust privacy safeguards, regulatory compliance, and transparency to protect individual information—even as business ownership changes hands.
    • AGs sue to prevent 23andMe from selling customer genetic data without consent: On June 9, 2025, the Oregon Attorney General, along with AGs from 28 states, filed a lawsuit against 23andMe to prevent the sale of personal genetic data without customer consent, following the company’s bankruptcy filing.
    • Pharma giant Regeneron to buy 23andMe and its customers’ data for $256M: Pharmaceutical maker Regeneron announced Monday it will buy genetic testing company 23andMe for $256 million following a bankruptcy auction. Regeneron said it will acquire 23andMe’s genomics service and its bank of 15 million customers’ personal and genetic data as part of the deal. The pharma giant said it plans to use the 23andMe customer data to help drug discovery, and that it will “prioritize the privacy, security, and ethical use of 23andMe’s customer data.”
    • Lawmakers push DNA privacy after 23andMe bankruptcy: Pennsylvania lawmakers plan to introduce legislation aimed at protecting consumers’ genetic data as 23andMe’s bankruptcy sends shockwaves through the biotech world.
    • Employers and Insurance Companies Continue Targeted with Deluge of Claims Under the Illinois Genetic Information Privacy Act: The Illinois Genetic Information Privacy Act, 410 ILCS 513/1, et seq. (“GIPA”), which was passed in 1998 and amended in 2008, had until recently received little attention from the plaintiffs’ bar. That changed last August, after a court granted certification in a federal GIPA class action involving alleged unauthorized disclosure of consumers’ genetic information to unknown third-party developers by a website that sold DNA analysis reports.
    • Data privacy and genetic testing: Guidance and enforcement from regulators: Begun in 1990, the Human Genome project had the goal of generating the first sequence of the human genome. By 2003, 92% of the genome was mapped and it was declared complete, while the final assembly was completed in January 2022. Today, anyone can download the complete sequence of a human genome from the National Library of Medicine’s website.
    • Privacy authorities in Canada and UK announce joint probe of 23andMe data breach: Canadian and British privacy regulators are together probing the global data breach of the genetic testing company 23andMe, authorities in the two countries announced Monday.
    • Seventh Circuit Affirms Dismissal of Lawsuit Alleging Violation of Genetic Right to Privacy, Rebuffing Claims Premised on Stock Purchase of Genetic Testing Company: The Seventh Circuit issued a ruling which affirmed the dismissal of claims filed under Illinois’s Genetic Information Privacy Act. Bridges, et al. v. Blackstone, Inc., No. 22-2486 (7th Circ. 2023). Because this decision limits in most instances the circumstances under which claims could be brought under the statute in the context of a corporate transaction, it is a win for defendants in future filed cases.
    • The DNA of Genetic Privacy Legislation: Montana, Tennessee, Texas, and Virginia Enter 2024 with New Genetic Privacy Laws Incorporating FPF’s Best Practices: In 2023, four states enacted new genetic privacy laws regulating direct-to-consumer genetic testing companies. This blog post provides details on what these new laws cover and how they compare to FPF’s widely-adopted Best Practices for Consumer Genetic Testing Services.
    • FTC Says Genetic Testing Company 1Health Failed to Protect Privacy and Security of DNA Data and Unfairly Changed its Privacy Policy: The Federal Trade Commission charged that the genetic testing firm 1Health.io left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.
