An act relating to genetic data privacy
Vermont’s law gives consumers explicit consent requirements and strong controls over how direct-to-consumer genetic data is collected, used, stored, shared, and destroyed.
Vermont’s law gives consumers explicit consent requirements and strong controls over how direct-to-consumer genetic data is collected, used, stored, shared, and destroyed.
Purpose
- Establish a comprehensive regulatory framework to protect genetic data collected by direct-to-consumer (DTC) genetic testing companies and related service providers.
- Require clear privacy disclosures, explicit consumer consent, limits on data sharing, enhanced data security, and enforcement mechanisms.
- Create strong privacy protections while clarifying applicability alongside existing privacy laws.
Scope and Definitions
- Applies to Vermont residents who use DTC genetic testing products/services or whose genetic data is collected/maintained on their behalf.
- Key defined terms:
- Direct-to-consumer genetic testing company: entities selling or providing consumer-initiated genetic testing, analyzing consumer genetic data, or handling data derived from such testing.
- Genetic data: any data resulting from analysis of a biological sample that concerns genetic material, including DNA, RNA, genes, SNPs, etc. Excludes deidentified data under specific safeguards, certain health/privacy regimes, public information, and certain research contexts.
- Service provider: entities involved in collection, transportation, and analysis of genetic material on behalf of a DTC company or related data handlers.
- Affirmative/express consent: explicit consumer authorization given in response to clear, prominent notices; cannot be inferred from inaction or dark patterns.
- Dark patterns: UI designs that subvert consumer autonomy or decision-making.
Main Provisions (Key Requirements)
1) Privacy Terms and Express Consent (Sec. 2412)
- DTC companies must provide:
- A plain-language summary of privacy practices.
- A prominent, accessible privacy notice detailing data collection, use, disclosure, storage, security, retention, and deletion.
- Notice that deidentified genetic/phenotypic information may be shared with researchers per 45 C.F.R. Part 46.
- Must obtain express, separate consent for:
- Primary uses of genetic data: who can access, how it may be shared, and the specific purposes.
- Storage of the consumer’s biological sample after initial testing.
- Each use of genetic data or the biological sample beyond the primary purpose (contextual uses).
- Transfers/disclosures to third parties (including the third party’s name and purpose), with consumer protection against coercive conditions to consent.
- Marketing based on the consumer’s genetic data (or third-party marketing linked to genetic testing).
- Marketing exception: allowed to market on the company’s site/app if ads do not depend on consumer-specific genetic data. Ads must be labeled and disclose third-party involvement.
2) Revoking Consent (Sec. 2412, subd. (c))
- Consumers must have easy, effective methods to revoke consent.
- Once revoked, company must honor within 30 days; if related to storage/use of a biological sample, destroy the sample within 30 days of revocation.
3) Data Security and Access (Sec. 2412, subd. (d))
- Companies must implement reasonable data security measures.
- Provide mechanisms for consumers to:
- Access their genetic data.
- Delete their account and genetic data (subject to legal/regulatory retention requirements).
- Request destruction of their biological sample.
- Restrictions on cross-border data storage: genetic data/biometric samples cannot be stored in countries sanctioned by the U.S. OFAC or designated as foreign adversaries without express consent.
- Transfers/storage outside the U.S. require express consumer consent.
4) Contracts with Service Providers (Sec. 2412, subd. (e))
- Contracts must prohibit service providers from retaining, using, or disclosing consumer data for purposes beyond the contract.
- Prohibit linking/combining data with information from other sources for purposes beyond service delivery.
5) Non-Discrimination (Sec. 2412, subd. (f))
- Prohibits denying goods/services, charging different prices, or curtailing benefits based on exercising rights under the act.
- Prohibits implying criminal suspicion due to exercising privacy rights.
6) Nondisclosure (Sec. 2412, subd. (g))
- Prohibits disclosure of genetic data to entities administering or underwriting health, life, long-term care, disability, or employment insurance, or advising such entities.
Enforcement and Applicability
- Enforcement: Violations constitute an unfair and deceptive act in commerce; Vermont Attorney General can adopt rules, conduct investigations, bring civil actions, and issue assurances of discontinuance.
- Relationship to other laws: does not reduce existing privacy/security duties under other laws; where conflicts arise, the more protective privacy standard applies.
- Exclusions: The act does not apply to HIPAA-covered entities/business associates (PHI handling) or to certain research activities conducted under applicable federal and state human-subject protections; also excludes employment-related data where required for workplace health/safety compliance.
- Publicly available information remains outside the act's reach.
Effective Date
- July 1, 2026.
Impact and Implications
- Direct-to-consumer genetic testing companies operating in Vermont must overhaul consent mechanisms, privacy disclosures, and data-use practices to align with explicit consent and purpose limitation.
- Stronger controls on sharing with third parties, data storage/location, and cross-border transfers.
- Enhanced consumer rights: access, deletion, revocation of consent, and ability to destroy samples.
- Service providers face tighter contractual and data-use restrictions.
- Potential impact on marketing practices and research sharing, with explicit labeling for third-party advertising.
- Possible compliance costs for smaller DTC firms and potential clarifications through subsequent AG rules and amendments.
Overall, H.639 creates a dedicated Vermont framework to safeguard genetic information, elevating consumer control and privacy protections beyond general data privacy standards for the specific realm of genetic data and DTC testing.
Compiled from official sources — confirm details with the bill’s official record.
Sign in to ask a question.