December 5, 2022

Volume XII, Number 339


December 05, 2022

Subscribe to Latest Legal News and Analysis

California and Florida Introduce Two More Genetic Privacy Laws Into the Mix

Florida and California join a growing minority of states enacting laws protecting a person’s genetic information (Nevada and Alaska also have laws). Florida’s new genetic privacy law, known as Protecting DNA Privacy Act, went into effect on October 1, 2021. California’s governor recently signed the Genetic Information Privacy Act (GIPA) into law on October 6, 2021. It will go into effect on January 1, 2022. 

Florida and California take different approaches to their genetic privacy laws. Violations of Protecting DNA Privacy Act are subject to criminal penalties while violations of GIPA are subject to civil penalties. We outline some of the highlights of each below.  

In Florida, a business cannot, without express written consent, do any of the following: 

  • Collect or retain another person’s DNA sample with the intent to analyze it; 

  • Submit another person’s DNA sample for analysis or conduct the analysis on the DNA sample; 

  • Disclose the DNA analysis results to a third party; or 

  • Sell or otherwise transfer another person’s DNA sample or analysis to a third party even if the DNA sample was originally collected with express consent. 

In California, a genetic testing company must: 

  • Be transparent about its data collection practices regarding genetic data; 

  • Obtain express written consent from individuals to use such data; 

  • Implement and maintain reasonable security procedures and practices to protect the consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure; and 

  • Establish procedures for the consumer to easily revoke consent, access their genetic data, delete their account and genetic data, and to have their biological sample destroyed.  




Effective Date

October 1, 2021

January 1, 2022

Individuals Protected

Any person who has their DNA sample collected in Florida is protected

California residents

Regulated Entities

Any person or entity who collects, uses, retains, or maintains a DNA sample or the results of a DNA analysis or conducts the DNA analysis is covered

GIPA applies to direct-to-consumer genetic testing companies, meaning a company that meets one of the following: 

  • Sells, markets, interprets, or offers genetic testing products or services directly to consumers;

  • Analyzes genetic data obtained from a consumer; or  

  • Collects, uses, maintains, or discloses genetic data from another direct-to-consumer genetic testing product or service or is directly provided by a consumer. 


Entities in Florida that collect DNA samples will need to obtain express consent from the person giving the DNA sample. Entities can use a single express consent form to authorize every instance of a specified purpose or use. Additionally, entities that perform DNA analysis or receives the results must provide the person with a notice that the analysis was performed.

Entities in California must be transparent about the business’s privacy practices regarding genetic data.  They also must obtain express consent from consumers for the collection, use, and disclosure of the consumer’s genetic data.  They must obtain separate, express consent for use of the genetic data for different uses and before transferring it to parties other than service providers.  They must obtain consent before directly marketing based on consumer’s genetic data or third party marketing based on a consumer’s order, purchase, use of a genetic testing product or service.  Business are required to have reasonable security procedures and practices to protect the consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.  They must give consumers a way to easily withdraw consent, provide access to data, allow consumers to delete their account, and request destructions of their DNA samples.  Companies cannot discriminate against consumers that exercise their rights.  


The Protecting DNA Privacy Act does not include a private right of action. The law will be enforced by the state. There is no cure period. 

GIPA does not create a private right of action. The law is enforced exclusively through the Attorney General, district attorney, county attorney, city attorney, or city prosecutor. There is a 30-day period for the company to comply with a request to revoke consent, but no other cure period. 

Penalties for Violation of the Law

The criminal penalties range from first degree misdemeanor for the unlawful collection of another person’s DNA sample with the intent to perform a DNA analysis to second degree felony for the unlawful sell or transfer of another person’s DNA sample or results of DNA analysis even if the person originally gave express consent for the collection and retention of the DNA sample.

For a negligent violation of the law, the court can assess a penalty capped at $1,000 plus court costs. For a willful violation of the law, the court can assess a penalty capped at $10,000 plus court costs. The assessed penalties are paid directly to the consumer whose genetic data was used. Each violation can be assessed a separate penalty.


If the DNA sample, analysis, or results are used for criminal investigations, compliance with lawful court orders, compliance with federal law, determining paternity, or conducting research that is subject to federal regulations.

The law exempts certain entities governed by federal regulations, certain universities conducting scientific research, California Newborn Screening Program, tests conducted to diagnose whether an individual has a specific disease, and genetic data used or maintained by an employer or disclosed to an employer by the employee to comply with other laws or regulations.





This overview is not a substitute for considering Florida’s Protecting DNA Privacy Act and California’s Genetic Information Privacy Act and their requirements in their entireties. 


Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume XI, Number 292

About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude