Genetic Data Privacy for Health Tech: The 2026 Compliance Roadmap
GINA, GIPA, Florida's DNA Privacy Act, Illinois BIPA, Texas HB 130, and FTC enforcement — the operational compliance roadmap for health tech apps that collect, process, store, or share DNA and genetic data in 2026.
The Genetic Data Compliance Landscape in 2026
If your health tech app collects, analyzes, stores, or shares genetic data — DNA sequences, SNP profiles, polygenic risk scores, or even raw biological samples — you are operating in one of the fastest-evolving corners of U.S. privacy law. The federal floor is thin. State genetic privacy statutes are multiplying. And the 2025 bankruptcy of 23andMe made one thing clear: when a genetic data company fails, its data assets don't simply disappear — they become saleable assets in bankruptcy court, subject to whatever privacy commitments the company made (and failed to keep) while it was solvent.
Here is the operational reality: at least 11 U.S. states have enacted genetic-specific privacy laws, each with different consent, deletion, and anti-selling requirements (NPR, March 2025). The FTC has signaled increased scrutiny of genetic data practices, intervening in the 23andMe bankruptcy proceedings to protect consumer privacy commitments (Ars Technica, April 2025). And Texas enacted a standalone genomic privacy statute in 2025 that creates a private right of action — meaning plaintiffs can sue directly (Texas HB 130, 89th Legislature).
If you are building a DNA-testing app, a genetic-health risk tool, or a platform that processes genetic data from third-party testing services, this guide maps the laws that apply to you and the operational requirements each one imposes.
Federal Floor: GINA's Employment and Insurance Prohibitions
The Genetic Information Nondiscrimination Act (GINA, 42 U.S.C. § 2000ff) is the only federal statute that specifically addresses genetic information privacy — but its scope is narrow. GINA prohibits employers with 15+ employees and health insurers from collecting or using genetic information for employment or coverage decisions. It does not regulate direct-to-consumer genetic testing companies, health apps, or platforms that process genetic data outside the employment and insurance contexts.
For health tech founders, GINA matters in two scenarios. First, if your app is used by employers for workplace wellness programs, GINA restricts how you collect and handle genetic data through those programs. Second, GINA's existence means that genetic data carries a unique discrimination risk that other health data does not — a risk that state legislatures have been actively addressing through genetic-specific privacy statutes.
The key takeaway: GINA is a floor, not a ceiling. It does not preempt stricter state genetic privacy laws. Your compliance obligations are almost entirely driven by state law and FTC enforcement, not by GINA itself.
California's Genetic Information Privacy Act (GIPA)
California's Genetic Information Privacy Act, enacted as SB 41 and codified at Cal. Civ. Code § 56.18–56.186, took effect January 1, 2022. It applies to direct-to-consumer genetic testing companies — businesses that sell, market, or offer consumer-initiated genetic testing products, or that analyze, collect, use, maintain, or disclose genetic data from such products (Privacy Rights Clearinghouse).
GIPA imposes five operational requirements that health tech founders must build into their product:
Express Consent for Collection, Use, and Disclosure
You must obtain express consent before collecting, using, or disclosing a consumer's genetic data. This is not a browse-wrap terms-of-service click — it must be a specific, informed, and affirmative consent action. Users may revoke consent at any time, and you must honor the revocation within 30 days.
Access Rights
Users have the right to access their genetic data in a readily accessible format. Because GIPA-covered companies must also comply with the CCPA, this access right overlaps with CCPA's broader access right for personal information.
Deletion and Sample Destruction
Users can request deletion of their genetic data and their account. They can also request destruction of their biological sample, which you must comply with within 30 days. Deletion may be denied only if retention is required by law or regulation.
Anti-Discrimination Protection
You may not discriminate against users for exercising their GIPA rights — no service degradation, no denial of features, no price increases.
Privacy Notice and Security
Your privacy notice must specifically address genetic data collection, use, access, disclosure, maintenance, transfer, security, retention, deletion practices, and complaint procedures. You must implement reasonable security measures to protect genetic data.
Violations carry civil penalties: up to $1,000 per negligent violation and $1,000–$10,000 per intentional violation, enforceable by the California Attorney General and district attorneys.
Florida's DNA Privacy Act
Florida's Protecting DNA Privacy Act (HB 833), effective October 1, 2021, takes a different approach. Rather than focusing solely on direct-to-consumer testing companies, Florida created four new criminal offenses related to the unlawful use of another person's DNA (Fla. Stat. § 943.325).
The statute makes it a crime to: (1) collect a person's DNA sample without consent, (2) analyze DNA without consent, (3) disclose DNA analysis results without consent, and (4) sell or transfer a person's DNA sample or results without consent. The criminal penalty structure means that non-compliance isn't just a regulatory fine — it creates personal liability for individuals who handle genetic data improperly.
For health tech founders, Florida's law means that any operation involving DNA samples or analysis from Florida residents requires explicit, documented consent at each stage: collection, analysis, disclosure, and any transfer. The anti-selling provision is particularly important if your business model involves sharing genetic data with research partners or pharmaceutical companies.
Illinois BIPA: Does It Cover Genetic Data?
The Illinois Biometric Information Privacy Act (740 ILCS 14) is the most aggressively litigated biometric privacy law in the country, with a private right of action that has generated hundreds of class actions and billions in potential damages. The question for health tech founders: does BIPA cover genetic data?
BIPA defines "biometric information" as any information based on an individual's biometric identifier used to identify a specific person. Biometric identifiers explicitly include retina or iris scans, fingerprints, voiceprints, and scans of face or hand geometry. DNA is not listed — but the statute's definition is not exhaustive, and some plaintiffs' attorneys have argued that genetic data constitutes a biometric identifier when used for identification purposes.
The safer approach: if your app uses genetic data to identify, authenticate, or verify individuals, treat it as potentially within BIPA's scope. The cost of compliance — written consent, retention policy, prohibition on sale, and destruction requirements — is far lower than the cost of defending a BIPA class action in Illinois. Illinois courts have held that BIPA's $1,000–$5,000 per violation damages apply per person per instance, making even small-scale violations financially devastating.
If you are also handling other health data, our guide on mental health app data privacy beyond HIPAA covers the additional federal and state obligations that apply to sensitive health data.
Texas Genetic Data Provisions
Texas enacted the Texas Genomic Privacy Act (HB 130) during the 89th Legislative Session in 2025, creating standalone genetic privacy protections for Texas residents (Texas HB 130). The law requires consent for the collection, use, and disclosure of genetic information, prohibits the sale of genetic data without explicit consent, and — critically — provides a private right of action with civil penalties.
A private right of action means that consumers can sue directly without waiting for a state AG to act. For health tech founders operating in Texas (which is where our firm is based), this statute creates the same kind of litigation exposure that has made Illinois BIPA so dangerous. The compliance baseline is the same as GIPA and Florida's law: explicit consent, deletion rights, anti-selling requirements, and clear privacy notice.
Texas also has broader data privacy infrastructure through the Texas Data Privacy and Security Act, which classifies genetic data as sensitive data requiring opt-in consent. For a broader view of which state privacy laws apply to your app, see our guide to the state privacy law patchwork in 2026.
FTC Enforcement: Section 5 and Genetic Data
Even where no specific genetic privacy statute applies, the FTC can bring enforcement actions under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. The FTC has repeatedly stated that failing to honor privacy commitments regarding genetic data — or changing privacy policies to permit data uses that consumers did not agree to — constitutes a deceptive practice.
In the 23andMe bankruptcy proceedings, the FTC intervened as a privacy ombudsman, monitoring the sale of genetic data assets to ensure that the buyer would honor 23andMe's existing privacy commitments to its 15 million users (Ars Technica, April 2025). The FTC also issued a public letter warning that any buyer of 23andMe's data assets must uphold the company's consumer privacy pledges (FTC Letter to 23andMe, 2025).
For health tech founders, the FTC's message is clear: whatever privacy promises you make in your terms of service and privacy policy are enforceable. If you promise not to sell genetic data and then attempt to do so — in bankruptcy, in an acquisition, or in a normal business pivot — the FTC can treat that as a deceptive practice regardless of whether a state genetic privacy statute explicitly prohibits the sale.
The 23andMe Bankruptcy: Data Portability and Asset Transfer Risks
When 23andMe filed for bankruptcy in March 2025, it held genetic data on more than 15 million users. The company had previously suffered a data breach affecting 6.9 million customer accounts in 2023. The bankruptcy filing immediately raised the question: what happens to genetic data when the company holding it goes under? (NPR, March 2025)
California Attorney General Rob Bonta issued a consumer alert urging residents to exercise their deletion rights and direct 23andMe to destroy their data. The bankruptcy court appointed a privacy ombudsman to oversee the sale of data assets, and the FTC actively monitored the proceedings.
Three lessons for health tech founders:
1. Your privacy commitments survive bankruptcy. If you promise consumers that their genetic data will not be sold, that promise follows the data into bankruptcy court. The FTC and state AGs will enforce it.
2. Build deletion infrastructure now. 23andMe's customers could delete their data during bankruptcy proceedings — but only because the company had built deletion infrastructure. If your app doesn't have a working deletion pipeline, you cannot fulfill your statutory deletion obligations, and you cannot give users the one tool that protects them in a wind-down scenario.
3. Asset transfer clauses must address genetic data specifically. If your company is acquired, sold, or fails, the contracts governing data transfer must explicitly address genetic data separately from other personal information. Standard data transfer language in M&A agreements often treats all personal data as a single category — but genetic data carries unique legal and ethical obligations that require separate treatment.
For health tech founders building AI-powered tools that process genetic data, our guide on FDA SaMD regulation for AI health tech covers the parallel regulatory framework that applies when your app crosses from wellness into medical device territory.
Operational Compliance Roadmap
Based on the statutes above, here is the minimum operational baseline for any health tech app that touches genetic data:
Consent Flows
Build a standalone genetic data consent flow — not a checkbox buried in your general privacy policy. The consent must be specific (what data, what uses, what disclosures), informed (plain language about what genetic data reveals), and affirmative (active opt-in, not pre-checked boxes). You need separate consent for: collection, each category of use (research, product development, third-party sharing), and each disclosure category. Users must be able to revoke consent, and revocation must take effect within 30 days under California GIPA.
Data Minimization
Collect only the genetic data necessary for the specific service the user requested. If your app provides polygenic risk scores for specific conditions, you do not need whole-genome sequencing data. If your app provides ancestry analysis, you do not need health-related genetic variants. Data minimization reduces both your regulatory exposure and your data breach risk.
Deletion Rights
Build infrastructure that can: (1) delete genetic data from all production and backup systems, (2) destroy biological samples if you hold them, (3) propagate deletion to third parties who received the data, and (4) verify completion within the statutory deadline. Incomplete deletion — where data persists in backups or downstream systems — is a compliance failure, not a technical limitation.
Anti-Selling Requirements
Florida, California, and Texas all prohibit selling genetic data without explicit, separate consent. Your terms of service and privacy policy must clearly state that genetic data is not sold. If your business model involves any form of data licensing or sharing that could be characterized as a sale — including barter arrangements, research partnerships with pharmaceutical companies, or data broker relationships — you need specific consent for each arrangement.
Third-Party Data Sharing Restrictions
Every contract with a vendor, processor, or research partner that receives genetic data must include: (1) restrictions on use limited to the specific purpose disclosed to the user, (2) prohibitions on re-identification of deidentified data, (3) obligations to honor deletion requests, (4) security requirements appropriate to the sensitivity of genetic data, and (5) prohibition on further disclosure without your consent and the user's consent.
Actionable Next Steps
If your health tech app collects, processes, stores, or shares genetic data, here is what we recommend you do — in order — to build a defensible compliance posture:
- Audit your data flows. Map every point where genetic data enters your system, every place it is stored, every third party it is shared with, and every use it is put to. If you cannot produce this map, you cannot certify compliance with any genetic privacy statute.
- Build a standalone genetic data consent flow. Separate it from your general privacy policy. Make it specific, informed, and revocable. Test it against the requirements of California GIPA, Florida's DNA Privacy Act, and Texas HB 130 — the most stringent of these sets your baseline.
- Implement deletion infrastructure. Your system must be able to delete genetic data, destroy biological samples, and propagate deletion to third parties — all within 30 days. This is not a future roadmap item; it is a current legal requirement in California.
- Draft vendor and partner contracts. Every agreement involving genetic data must include use restrictions, re-identification prohibitions, deletion obligations, and security requirements. Standard SaaS DPAs are not sufficient.
- Review your privacy policy. Ensure it specifically addresses genetic data collection, use, disclosure, retention, deletion, and transfer. Generic privacy policies that do not mention genetic data are non-compliant under GIPA and other state statutes.
- Plan for wind-down. Document what happens to genetic data if your company is acquired, fails, or pivots. Your privacy commitments survive bankruptcy — build the operational infrastructure to honor them.
Genetic data compliance is not a one-time project. State legislatures are actively drafting and amending genetic privacy statutes — California, Florida, Texas, Utah, Arizona, and others have already enacted laws, and more are coming. Build your compliance infrastructure to the most stringent standard, and you will be positioned to absorb new state requirements without rebuilding from scratch.
Building a genetic data app? We help health tech founders build consent flows, deletion infrastructure, and vendor agreements that comply with GIPA, BIPA, Florida's DNA Privacy Act, and FTC requirements — before the first sample arrives.