HB-5034
WV · State · USA
● Pending
Proposed Effective Date
2026-07-01
West Virginia House Bill 5034 — West Virginia Genomic Information Privacy Act of 2026
Summary

Creates the West Virginia Genomic Information Privacy Act of 2026, imposing privacy and security obligations on entities that offer consumer genetic testing or collect, use, or analyze genetic data of West Virginia residents. Requires entities to provide privacy notices, obtain express consent before collecting or disclosing genetic data, maintain comprehensive security programs, and provide consumers with access, deletion, and consent revocation rights. Prohibits use of genome sequencers produced by foreign adversaries, storage of genomic data in foreign adversary countries, and transfer of genomic data to foreign adversaries in bankruptcy. Requires annual compliance certification to the Attorney General. Enforced by the AG with $2,500 per-violation civil penalties, and provides a private right of action for harmed patients or research subjects with statutory damages up to $5,000 per violation.

Enforcement & Penalties
Enforcement Authority
The Attorney General has sole authority to enforce this article on behalf of the State of West Virginia. The Attorney General may investigate allegations of violations and initiate civil enforcement actions. A private right of action is also available to a legal resident of the state who is a patient or research subject and who is harmed by the storage or use of their genome sequencing data in violation of the act.
Penalties
AG enforcement: $2,500 per violation of any provision, actual damages to the consumer, costs, reasonable attorney fees, and reasonable investigative expenses. Private right of action: the greater of actual damages or statutory damages not to exceed $5,000 per violation, plus court costs and reasonable attorney's fees. Private plaintiffs must show they were 'harmed' by the violating storage or use, but statutory damages do not require proof of actual monetary harm. Civil penalties collected by the AG are deposited into the general revenue fund.
Who Is Covered
"Entity" means a partnership, corporation, association, or public or private organization of any character that: (A) Offers consumer genetic testing products or services directly to a consumer; or (B) Collects, uses, or analyzes genetic data.
Compliance Obligations (11 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics · Healthcare
§ 16-5EE-4(1)-(2)
Plain Language
Before collecting, using, or disclosing a consumer's genetic data, an entity must provide both a high-level privacy policy overview and a prominent, publicly available privacy notice covering at minimum the entity's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices. The entity must also obtain initial express consent that clearly describes how the genetic data will be used, who within the entity can access test results, and how the data may be shared. Consent must come from the consumer or, where applicable, a parent, guardian, or power of attorney.
Statutory Text
To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, an entity shall: (1) Provide clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic data by making available to a consumer: (A) A high-level privacy policy overview that includes basic, essential information about the entity's collection, use, or disclosure of genetic data; and (B) A prominent, publicly available privacy notice that includes, at a minimum, information about the entity's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic data; (2) Obtain initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of the consumer's genetic data that: (A) Clearly describes the entity's use of the genetic data that the entity collects through the entity's genetic testing product or service; (B) Specifies the categories of individuals within the entity that have access to test results; and (C) Specifies how the entity may share the genetic data;
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics · Healthcare
§ 16-5EE-4(4)
Plain Language
For several categories of heightened-risk activities, an entity must obtain separate, specific express consent beyond the initial consent. These activities include: transferring genetic data or biological samples to third parties (with the third party's name disclosed), using genetic data beyond the primary testing purpose, retaining biological samples after completing testing, transferring data for research purposes, and marketing based on genetic data or selling genetic data. Each category requires its own consent. Transfers to processors under qualifying contracts are exempt from the third-party transfer consent requirement, but the processor contract must prohibit any use beyond the contracted services.
Statutory Text
(4) If the entity engages in any of the following, obtain a consumer's: (A) Separate express consent for: (i) The transfer or disclosure of the consumer's genetic data or biological sample to any third party other than the entity's processors, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed with the consumer's express consent; (ii) The use of genetic data beyond the primary purpose of the entity's genetic testing product or service and inherent contextual uses; or (iii) The entity's retention of any biological sample provided by the consumer following the entity's completion of the initial testing service requested by the consumer; (B) Informed express consent for transfer or disclosure of the consumer's genetic data to third party persons for: (i) Research purposes; or (ii) Research conducted under the control of the entity for the purpose of publication or generalizable knowledge; and (C) Express consent for: (i) Marketing to a consumer based on the consumer's genetic data; (ii) Marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on the websites or through the applications or services provided by the entity with the first-party relationship to the consumer; or (iii) Sale or other valuable consideration of the consumer's genetic data.
D-01 Automated Processing Rights & Data Controls · D-01.1 · D-01.2 · Deployer · Biometrics · Healthcare
§ 16-5EE-4(6)(A)
Plain Language
Entities must develop and maintain a comprehensive security program to protect genetic data from unauthorized access, use, or disclosure. In addition, entities must provide consumers with a process to: access their own genetic data, request deletion of that data, revoke any previously provided consent, and request destruction of their biological samples. These are ongoing operational obligations — the security program and consumer-rights processes must be actively maintained, not merely established at launch.
Statutory Text
(6) Develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and (A) Provide a process for a consumer to: (i) Access the consumer's genetic data; (ii) Delete the consumer's genetic data; (iii) Revoke any consent provided by the consumer; and (iv) Request and obtain the destruction of the consumer's biological sample.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics · Healthcare
§ 16-5EE-4(7)
Plain Language
Genetic data and biological samples of West Virginia residents may not be stored in any country sanctioned by OFAC or designated as a foreign adversary. Any transfer or storage of this data outside the United States requires the resident's consent. This is both a categorical prohibition (sanctioned/adversary countries) and a consent-gated restriction (all other non-U.S. storage).
Statutory Text
(7) Genetic data and biometric samples of West Virginia residents collected in the state may not be stored within the territorial boundaries of any country currently sanctioned in any way by the United States office of foreign asset control or designated as a foreign adversary under 15 CFR 7.4(a). Genetic data or biometric data of West Virginia residents collected in the state may only be transferred or stored outside the United States with the consent of the resident.
Other · Biometrics · Healthcare
§ 16-5EE-5(a)-(b)
Plain Language
Entities may not disclose a consumer's genetic data to health insurers, life insurers, long-term care insurers, or the consumer's employer without the consumer's express consent. All disclosures of genetic data must also comply with applicable state and federal privacy and security laws. This is an additional consent gate on top of the general consent requirements in § 16-5EE-4 — the insurer/employer restriction applies even if the consumer has provided general consent to data sharing.
Statutory Text
(a) The disclosure of genetic data pursuant to this article must comply with all state and federal laws for the protection of privacy and security. (b) Notwithstanding any other provisions in §16-5EE-4 of this code, an entity may not disclose a consumer's genetic data to any entity offering health insurance, life insurance, or long-term care insurance, or to any employer of the consumer without the consumer's express consent.
Other · Biometrics · Healthcare
§ 16-5EE-6
Plain Language
Medical facilities, research facilities, companies, entities, and nonprofits subject to this act are categorically prohibited from using any genome sequencer or genome sequencing software produced by or on behalf of a foreign adversary, a state-owned enterprise of a foreign adversary, or any company or nonprofit domiciled in or controlled by entities in a foreign adversary country. This is an equipment and software supply-chain prohibition — covered organizations must audit their genome sequencing technology supply chains to ensure no foreign adversary nexus.
Statutory Text
A medical facility, research facility, company, entity or nonprofit organization subject to this chapter may not use a genome sequencer or software produced by or on behalf of: (1) A foreign adversary; (2) A state-owned enterprise of a foreign adversary; (3) A company or nonprofit organization domiciled within the borders of a country that is a foreign adversary; or (4) An owned or controlled subsidiary or affiliate of a company or nonprofit organization domiciled within the borders of a country that is a foreign adversary.
Other · Biometrics · Healthcare
§ 16-5EE-7
Plain Language
Covered organizations may not sell or transfer West Virginia residents' genomic sequencing data to foreign adversaries or their affiliates as part of a bankruptcy proceeding or Chapter 11 reorganization plan. This closes a potential loophole where genomic data assets could be acquired by foreign adversaries through bankruptcy asset sales. The prohibition applies regardless of the purchase price or terms.
Statutory Text
A medical facility, research facility, company, or nonprofit organization subject to this chapter may not sell or otherwise transfer genomic sequencing data of residents of this state as part of a bankruptcy proceeding or pursuant to a plan of reorganization under Chapter 11 of the United States Bankruptcy Code (11 U.S.C. Section 1101 et seq.) to: (1) A foreign adversary; (2) A state-owned enterprise of a foreign adversary; (3) A company or nonprofit organization domiciled within the borders of a country that is a foreign adversary; or (4) An owned or controlled subsidiary or affiliate of a company or nonprofit organization domiciled within the borders of a country that is a foreign adversary.
Other · Biometrics · Healthcare
§ 16-5EE-8(a)-(d)
Plain Language
Covered organizations may not store genome sequencing data of West Virginia residents in any foreign adversary country and must ensure such data is inaccessible to any person located in a foreign adversary country. All stored genomic data must be secured using reasonable encryption, access restrictions, and cybersecurity best practices — including when storage is outsourced to third-party data storage providers. A narrow exception exists for data collected as part of clinical trials or biomedical research studies subject to 28 C.F.R. Part 202.
Statutory Text
(a) A medical facility, research facility, company, entity, or nonprofit organization subject to this chapter may not store any genome sequencing data of a resident of this state at a location within the borders of a country that is a foreign adversary. (b) A medical facility, research facility, company, or nonprofit organization subject to this chapter that stores genome sequencing data of residents of this state, including storage of genome sequencing data through a contract with a third-party data storage company, shall ensure the security of the genome sequencing data using reasonable encryption methods, restriction on access, and other cybersecurity best practices. (c) A medical facility, research facility, company, or nonprofit organization subject to this chapter shall ensure genome sequencing data of residents of this state, other than open data, is inaccessible to any person located within the borders of a country that is a foreign adversary. (d) This section does not apply to the storage of genome sequencing data by a medical facility, research facility, company, or nonprofit organization subject to this chapter that is collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, 28 C.F.R. Part 202.
R-02 Regulatory Disclosure & Submissions · R-02.4 · Deployer · Biometrics · Healthcare
§ 16-5EE-9(a)-(b)
Plain Language
By December 31 of each year, every covered medical facility, research facility, company, or nonprofit must certify to the Attorney General that it is in compliance with all provisions of the Genomic Privacy Act. The certification must be submitted by an attorney representing the organization, which creates a professional-responsibility overlay, as the attorney is making a representation to the AG on behalf of the entity. Note that subsection (b) references '§16-5EE-8(a)', which appears to be a drafting error; in context, it should reference §16-5EE-9(a).
Statutory Text
(a) Not later than December 31 of each year, a medical facility, research facility, company, or nonprofit organization subject to this §16-5EE-1 et seq. shall certify to the attorney general that the facility, company, or organization is in compliance with this chapter. (b) An attorney representing a medical facility, research facility, company, or nonprofit organization subject to this chapter shall submit the certification required under Subsection §16-5EE-8(a).
Other · Deployer · Biometrics · Healthcare
§ 16-5EE-4(5)
Plain Language
Entities must comply with West Virginia's existing legal process requirements (under the state's consumer protection code) before disclosing genetic data to law enforcement or government agencies without the consumer's express consent. This incorporates by reference existing procedural safeguards rather than creating a new standalone obligation.
Statutory Text
(5) Comply with the provisions of §46A-7-101 et seq. of this code requiring a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express consent;
Other · Government · Biometrics · Healthcare
§ 16-5EE-3(d)
Plain Language
Beginning January 1, 2027, governmental agencies may only collect, store, use, or disseminate genetic data if authorized by a specific state law or a search warrant. While governmental agencies are generally exempt from the Act's entity obligations, this provision imposes a separate, delayed-onset restriction on government use of genetic data. This creates a six-month gap where governmental agency use is exempt from the Act (July 1, 2026 to December 31, 2026) before the search-warrant/specific-law requirement takes effect.
Statutory Text
(d) Beginning January 1, 2027, any collection, storage, use, or dissemination of genetic data by a governmental agency must be performed in accordance with a specific state law or executed through a search warrant.