Maryland: Genetic Information Privacy Act of 2022 – what you need to know

On 29 May 2022, House Bill 866 for the Genetic Information Privacy Act was enacted without the Governor's signature. The Act applies to direct-to-consumer genetic testing companies that collect genetic information from residents of the State of Maryland and will go into effect on 1 October 2022. In this article, OneTrust DataGuidance highlights key provisions of the Act, in particular on its scope, key definitions, business obligations, and enforcement provisions.

Scope of the Act

The Act applies to a 'direct-to-consumer genetic testing company', which is defined as an 'entity that offers genetic testing products or services directly to consumers; or collects, uses, or analyses genetic data that resulted from a direct-to-consumer genetic testing product or service that was provided to the company by a consumer'.

Additionally, the Act applies to criminal procedures concerning 'direct-to-consumer genetic genealogy services' which means 'genetic genealogy services that are offered by private companies directly to members of the public and law enforcement agencies rather than through clinical health care providers, typically via customer access to secure online website'.

Key definitions

The Act provides various definitions which are relevant to the understanding of its provisions as they relate to genetic testing, genetic data, and the abovementioned definitions on those to which the Act applies.

Specifically, the Act regulates 'genetic testing', and thereby 'genetic data'. In this context, 'genetic testing' is defined as a laboratory test of the complete Deoxyribonucleic Acid ('DNA'), regions of DNA, chromosomes, genes, or gene products of a consumer, in order to determine the consumer's genetic characteristics.

Relevant to this definition is the Act's definition of 'genetic data', alongside what falls within this scope. As such, the Act defines 'genetic data' as 'data in any form that concerns the genetic characteristics of a consumer'. To elaborate on this, the Act outlines what genetic data includes, thereby listing:

  • raw sequenced data that results from the sequencing of a consumer's complete DNA or a portion of it;
  • genotypic or phenotypic information resulting from analysing raw sequence data;
  • information extrapolated, derived, or inferred from analysing raw sequence data; and
  • self-reported health information submitted by a consumer to the direct-to-consumer genetic testing company regarding their health conditions.

However, the Act highlights that genetic data does not include de-identified data.

Additionally, the Act provides for a definition of 'express consent', which is the 'affirmative response by a consumer to a specific, discreet, freely given, and unambiguous notice regarding the collection, use, and disclosure of the consumer's genetic data for a specific purpose'.

Business obligations

A direct-to-consumer genetic testing company is required to provide a consumer with clear and complete information on its policies and procedures with respect to the collection, use, and disclosure of genetic information. Thus, the information provided to consumers should include:

  • an overview of the company's privacy policy, which should include information on how the company collects, uses, and discloses genetic data, and which should be publicly accessible and placed on the company's website; and
  • a privacy notice with information on the company's collection, use, disclosure, transfer, security, retention, access, and consent practices.

In addition, a direct-to-consumer genetic testing company is required to obtain the following forms of consent before collecting, using, or disclosing a consumer's genetic data:

  • Initial express consent: should describe the uses of the collected genetic data and provide information on the person who will have access to the results of the genetic testing as well as how the said data can be shared.
  • Express consent:
    • when the company intends to transfer or disclose the genetic data to third parties other than its vendors and service providers;
    • when the company intends to use the genetic data beyond the primary purpose of the genetic product or service requested by a consumer;
    • for the retention of a biological sample of the consumer after the initial testing service requested by the consumer is completed; and
    • before marketing to the consumer based on their genetic data or after they purchase a genetic product or service.
  • Informed consent: for the transfer or disclosure of a consumer's genetic data to third parties for research purposes in compliance with the federal policy for the protection of human research subjects.
  • Written consent: before disclosing a consumer's genetic data to a consumer's employer or a company offering health insurance, life insurance, disability insurance, or long-term care insurance. 

Moreover, a direct-to-consumer genetic testing company is required to establish legal policies and processes with respect to the disclosure of a consumer's genetic data without express consent to law enforcement or other government agencies.

Furthermore, it is required to develop, implement, and maintain a comprehensive security program to ensure the protection of consumers' genetic data against unauthorised access and disclosure.

Finally, it is required to establish a process for consumers to exercise their rights to access their genetic data, delete their account and genetic data, and request the destruction of their biological sample.


Any violation of the Act is treated as an unfair, abusive, or deceptive trade practice under Maryland laws and thus is likely to attract associated penalties. In addition to such penalties, however, individuals are also granted the possibility of pursuing additional remedies provided in the law.


Direct-to-consumer genetic testing companies will need to check that they have implemented the necessary measures to ensure compliance for when the Act enters into force, on 1 October 2022.

Wangari Thuo, Privacy Analyst