WeVote

Bill

Bill

SB 2203

AN ACT RELATING TO COMMERCIAL LAW--GENERAL REGULATORY PROVISIONS -- GENETIC INFORMATION PRIVACY ACT

2026 Regular Session Introduced by Dawn Euer and 4 co-sponsors

Rhode Island SB 2203 creates a comprehensive genetic data privacy law for direct-to-consumer testing, requiring explicit consent, disclosures, data security, and penalties for viol

06/19/2026 Signed by Governor
0
WeVote Research Nonpartisan
Bill Summary · SB 2203

Summary of Bill SB 2203 (Rhode Island, 2026) – Genetic Information Privacy Act

Date Introduced: January 23, 2026
Committee: Senate Commerce
Sponsors: Zurier, Valverde, Euer, Urso, Gu (co-sponsors include Sam Zurier, Bridget Valverde, Victoria Gu, Dawn Euer, Lori Urso)

1) Purpose and Intent

  • Establishes a new Rhode Island chapter (Chapter 63) within the General Laws to regulate direct-to-consumer (DTC) genetic testing and the handling of genetic data.
  • Aims to address privacy, security, and potential misuse risks associated with consumer genetic testing, including concerns about surveillance and long-lived sensitivity of genomic information.

2) Key Provisions and Changes

  • 6-63-2 Definitions
    • Introduces defined terms:
    • Direct-to-consumer genetic testing company
    • Genetic data, including DNA, SNPs, RNA, etc., and excluding deidentified data under certain conditions
    • Deidentified data criteria
    • Affirmative authorization/express consent
    • Service provider, dark patterns, etc.
  • 6-63-3 Privacy of Genetic Data
    • Mandatory disclosures:
    • Companies must provide a plain-language privacy practices summary.
    • Prominent privacy notice detailing collection, use, access, disclosure, retention, security, and complaint process.
    • Notice that deidentified data may be shared with third parties for research per 45 CFR Part 46 (Common Rule).
    • Express consent:
    • Separate, explicit consent for: primary collection/uses, storage of biological samples after testing, each use beyond primary purpose, transfers/disclosures to third parties, and any marketing based on genetic data.
    • Exemption for on-site website/app advertising for own products if content is non-targeted to the individual consumer.
    • Revocation of consent:
    • Consumers may revoke consent; the company must honor revocation within 30 days and destroy stored biological samples within 30 days of revocation.
    • Security obligations:
    • Reasonable security procedures to protect genetic data.
    • Procedures to allow consumers to access, delete their data, or have samples destroyed.
    • Anti-discrimination:
    • Prohibits denying goods/services or imposing penalties based on exercising rights under the Act.
    • Insurance and employment privacy exemptions:
    • Limits disclosures to health, life, long-term care, disability, or employment insurers, with conditions:
      • Entity not primarily engaged in administering those insurances
      • Disclosure not in that capacity
      • Any involved entity’s employees are prohibited from accessing the data.
  • 6-63-4 Penalties
    • Civil penalties:
    • Negligent violation: up to $1,000 plus court costs.
    • Willful violation: $1,000 to $10,000 plus court costs.
    • Enforcement:
    • Actions brought by Rhode Island Attorney General in a court of competent jurisdiction.
    • Recovery:
    • Penalties awarded to the affected individual; court costs to prosecuting party.
  • 6-63-5 Conflicts of Law
    • This Act does not weaken existing privacy/security duties under other laws.
    • In case of conflict, the highest-protection privacy standard prevails.
  • 6-63-6 Exclusions
    • carves out several exceptions, including:
    • Medical information regulated by HIPAA and related protections (PHI)
    • Healthcare providers and business associates under HIPAA rules
    • Scientific research/education by nonprofit/postsecondary institutions under federal research protections
    • Newborn screening data
    • Tests diagnosing specific diseases with PHI protections
    • Genetic data used by employers to comply with workplace health/safety laws
    • Public access to information otherwise remains unaffected.
  • 6-63-7 Severability
    • Provisions are severable; invalid parts do not void the remainder.

3) Who/What Would Be Affected

  • Direct-to-consumer genetic testing companies operating in Rhode Island (and any service providers engaged by them).
  • Rhode Island residents who use or are solicited by DTC genetic testing services.
  • Third-party entities receiving genetic data (subject to consent and disclosure rules).
  • Entities in the health, life, long-term care, disability insurance, or employment domains (with restrictions on using genetic data for eligibility decisions).
  • Public entities or nonprofit educational institutions conducting permissible research under federal protections (with stated exclusions).

4) Procedural and Timeline Aspects

  • Effective Date: Upon passage (no delayed or phased implementation stated).
  • Enforcement: Civil penalties by the state Attorney General; separate violations are treated as separate acts.
  • Compliance mechanisms: Companies must implement consent flows, privacy disclosures, data access/deletion mechanisms, and sample destruction processes within the framework of the Act.

If you’d like, I can provide a side-by-side comparison with existing Rhode Island privacy statutes or a plain-language briefing for stakeholders (consumers, banks/insurers, and healthcare providers).

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.