Laws & Statutes WV WV-HB-5034
HB-5034
WV · State · USA
WV
USA
● Pending
Proposed Effective Date
2026-07-01
West Virginia House Bill 5034 — West Virginia Genomic Information Privacy Act of 2026
Creates the West Virginia Genomic Information Privacy Act of 2026, imposing privacy and security obligations on entities that offer genetic testing products or services or that collect, use, or analyze genetic data of West Virginia residents. Requires entities to provide privacy notices, obtain express consent before collecting or disclosing genetic data, maintain comprehensive security programs, and provide consumers with rights to access, delete, and revoke consent. Prohibits the use of genome sequencers or software produced by or on behalf of foreign adversaries, bars storage of genomic data within foreign adversary countries, and prohibits the sale or transfer of genomic data to foreign adversaries in bankruptcy. Requires annual compliance certification to the Attorney General. Enforceable by the Attorney General with $2,500 per-violation civil penalties, and provides a private right of action for harmed patients or research subjects with statutory damages up to $5,000 per violation.
Passage Likelihood
Low
Chamber No passage
Committee No action
Majority party (No data)
Bipartisan No
Prior session None
Legislative History
2026-02-02 introduced Filed for introduction
2026-02-02 other To Health and Human Resources then Judiciary
2026-02-02 introduced Introduced in House
2026-02-02 other To House Health and Human Resources
Mapped Requirements
D-01 Automated Processing Rights & Data Controls R-02 Regulatory Disclosure & Submissions
Official Sources
Full Text
Entry Last Reviewed
2026-04-02
AI generated
Summary

Creates the West Virginia Genomic Information Privacy Act of 2026, imposing privacy and security obligations on entities that offer genetic testing products or services or that collect, use, or analyze genetic data of West Virginia residents. Requires entities to provide privacy notices, obtain express consent before collecting or disclosing genetic data, maintain comprehensive security programs, and provide consumers with rights to access, delete, and revoke consent. Prohibits the use of genome sequencers or software produced by or on behalf of foreign adversaries, bars storage of genomic data within foreign adversary countries, and prohibits the sale or transfer of genomic data to foreign adversaries in bankruptcy. Requires annual compliance certification to the Attorney General. Enforceable by the Attorney General with $2,500 per-violation civil penalties, and provides a private right of action for harmed patients or research subjects with statutory damages up to $5,000 per violation.

Enforcement & Penalties
Enforcement Authority
The Attorney General has sole authority to enforce this article on behalf of the State of West Virginia. The Attorney General may investigate allegations of violations and initiate civil enforcement actions. A private right of action is also available to a legal resident of the state who is a patient or research subject and who is harmed by the storage or use of their genome sequencing data in violation of the chapter.
Penalties
Attorney General enforcement: actual damages to the consumer, $2,500 per violation of any provision, costs, reasonable attorney's fees, and reasonable expenses including investigative costs, witness fees, and deposition expenses. Private right of action: the greater of actual damages or statutory damages not to exceed $5,000 per violation, plus court costs and reasonable attorney's fees. Private plaintiffs must be harmed by the storage or use of genome sequencing data in violation of the chapter, but statutory damages do not require proof of actual monetary harm beyond the violation itself.
Who Is Covered
"Entity" means a partnership, corporation, association, or public or private organization of any character that: (A) Offers consumer genetic testing products or services directly to a consumer; or (B) Collects, uses, or analyzes genetic data.
Compliance Obligations 13 obligations · click obligation ID to open requirement page
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
§ 16-5EE-4(1)-(2)
Plain Language
Before collecting, using, or disclosing a consumer's genetic data, entities must provide both a high-level privacy policy overview and a detailed, publicly available privacy notice covering the entity's data practices. The entity must also obtain initial express consent from the consumer (or parent/guardian/power of attorney) that clearly describes how genetic data will be used, who within the entity can access test results, and how the data may be shared. This is a precondition to any genetic data collection — the consent must be obtained before data is collected, not after.
Statutory Text
To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, an entity shall: (1) Provide clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic data by making available to a consumer: (A) A high-level privacy policy overview that includes basic, essential information about the entity's collection, use, or disclosure of genetic data; and (B) A prominent, publicly available privacy notice that includes, at a minimum, information about the entity's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic data; (2) Obtain initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of the consumer's genetic data that: (A) Clearly describes the entity's use of the genetic data that the entity collects through the entity's genetic testing product or service; (B) Specifies the categories of individuals within the entity that have access to test results; and (C) Specifies how the entity may share the genetic data;
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
§ 16-5EE-4(4)
Plain Language
Beyond the initial consent requirement, entities must obtain separate, purpose-specific express consent for each additional use of genetic data. Third-party transfers require separate consent naming the recipient. Secondary uses beyond the testing service's primary purpose, retention of biological samples after initial testing, research transfers, genetic-data-based marketing, third-party marketing, and sale of genetic data each require their own express consent. Research transfers require 'informed' express consent — a higher standard. The marketing exception for first-party customized content does not require separate consent. Transfers to processors operating under restrictive contracts are exempt from the third-party consent requirement.
Statutory Text
(4) If the entity engages in any of the following, obtain a consumer's: (A) Separate express consent for: (i) The transfer or disclosure of the consumer's genetic data or biological sample to any third party other than the entity's processors, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed with the consumer's express consent; (ii) The use of genetic data beyond the primary purpose of the entity's genetic testing product or service and inherent contextual uses; or (iii) The entity's retention of any biological sample provided by the consumer following the entity's completion of the initial testing service requested by the consumer; (B) Informed express consent for transfer or disclosure of the consumer's genetic data to third party persons for: (i) Research purposes; or (ii) Research conducted under the control of the entity for the purpose of publication or generalizable knowledge; and (C) Express consent for: (i) Marketing to a consumer based on the consumer's genetic data; (ii) Marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on the websites or through the applications or services provided by the entity with the first-party relationship to the consumer; or (iii) Sale or other valuable consideration of the consumer's genetic data.
D-01 Automated Processing Rights & Data Controls · D-01.1D-01.2 · Deployer · Biometrics
§ 16-5EE-4(6)(A)
Plain Language
Entities must develop and maintain a comprehensive security program for genetic data and provide consumers with individual rights mechanisms including the ability to access their genetic data, delete it, revoke any previously granted consent, and request destruction of their biological sample. These consumer rights must be operationalized through an accessible process — the statute does not specify the format but requires the capability to be available to consumers.
Statutory Text
(6) Develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and (A) Provide a process for a consumer to: (i) Access the consumer's genetic data; (ii) Delete the consumer's genetic data; (iii) Revoke any consent provided by the consumer; and (iv) Request and obtain the destruction of the consumer's biological sample.
Other · Biometrics
§ 16-5EE-5(a)-(b)
Plain Language
Entities may not disclose a consumer's genetic data to health insurers, life insurers, long-term care insurers, or the consumer's employer without express consent. All disclosures must also comply with applicable state and federal privacy and security laws. This creates a heightened consent gate for disclosure to these specific categories of recipients, layered on top of the general consent requirements.
Statutory Text
(a) The disclosure of genetic data pursuant to this article must comply with all state and federal laws for the protection of privacy and security. (b) Notwithstanding any other provisions in §16-5EE-4 of this code, an entity may not disclose a consumer's genetic data to any entity offering health insurance, life insurance, or long-term care insurance, or to any employer of the consumer without the consumer's express consent.
Other · Biometrics
§ 16-5EE-6
Plain Language
Medical facilities, research facilities, companies, entities, and nonprofit organizations may not use any genome sequencer or genome sequencing software produced by or on behalf of a foreign adversary (as defined by federal regulation at 15 C.F.R. § 791.4), a foreign adversary's state-owned enterprise, or any company or nonprofit domiciled in or affiliated with a foreign adversary country. This is a supply chain ban — covered organizations must audit and replace any foreign-adversary-produced sequencing hardware or software.
Statutory Text
A medical facility, research facility, company, entity or nonprofit organization subject to this chapter may not use a genome sequencer or software produced by or on behalf of: (1) A foreign adversary; (2) A state-owned enterprise of a foreign adversary; (3) A company or nonprofit organization domiciled within the borders of a country that is a foreign adversary; or (4) An owned or controlled subsidiary or affiliate of a company or nonprofit organization domiciled within the borders of a country that is a foreign adversary.
Other · Biometrics
§ 16-5EE-7
Plain Language
Covered organizations may not sell or transfer genomic sequencing data of West Virginia residents to foreign adversaries, their state-owned enterprises, or affiliated entities as part of any bankruptcy proceeding or Chapter 11 reorganization. This prevents distressed organizations from disposing of genomic data assets to foreign adversary buyers, even under court supervision.
Statutory Text
A medical facility, research facility, company, or nonprofit organization subject to this chapter may not sell or otherwise transfer genomic sequencing data of residents of this state as part of a bankruptcy proceeding or pursuant to a plan of reorganization under Chapter 11 of the United States Bankruptcy Code (11 U.S.C. Section 1101 et seq.) to: (1) A foreign adversary; (2) A state-owned enterprise of a foreign adversary; (3) A company or nonprofit organization domiciled within the borders of a country that is a foreign adversary; or (4) An owned or controlled subsidiary or affiliate of a company or nonprofit organization domiciled within the borders of a country that is a foreign adversary.
Other · Biometrics
§ 16-5EE-8(a)-(d)
Plain Language
Covered organizations may not store genomic data of West Virginia residents in any country designated as a foreign adversary. They must secure stored genomic data with reasonable encryption, access restrictions, and cybersecurity best practices — including when using third-party data storage providers. Genomic data (other than open data) must be inaccessible to any person located within a foreign adversary country. An exception applies for genomic data collected as part of clinical trials or biomedical research conducted in accordance with 28 C.F.R. Part 202.
Statutory Text
(a) A medical facility, research facility, company, entity, or nonprofit organization subject to this chapter may not store any genome sequencing data of a resident of this state at a location within the borders of a country that is a foreign adversary. (b) A medical facility, research facility, company, or nonprofit organization subject to this chapter that stores genome sequencing data of residents of this state, including storage of genome sequencing data through a contract with a third-party data storage company, shall ensure the security of the genome sequencing data using reasonable encryption methods, restriction on access, and other cybersecurity best practices. (c) A medical facility, research facility, company, or nonprofit organization subject to this chapter shall ensure genome sequencing data of residents of this state, other than open data, is inaccessible to any person located within the borders of a country that is a foreign adversary. (d) This section does not apply to the storage of genome sequencing data by a medical facility, research facility, company, or nonprofit organization subject to this chapter that is collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, 28 C.F.R. Part 202.
Other · Biometrics
§ 16-5EE-4(7)
Plain Language
Genetic data and biometric samples of West Virginia residents may not be stored in any OFAC-sanctioned country or any country designated as a foreign adversary. Any transfer or storage of such data outside the United States requires the consent of the resident. This imposes both an absolute prohibition (sanctioned/adversary countries) and a consent requirement (all other non-U.S. storage).
Statutory Text
(7) Genetic data and biometric samples of West Virginia residents collected in the state may not be stored within the territorial boundaries of any country currently sanctioned in any way by the United States office of foreign asset control or designated as a foreign adversary under 15 CFR 7.4(a). Genetic data or biometric data of West Virginia residents collected in the state may only be transferred or stored outside the United States with the consent of the resident.
R-02 Regulatory Disclosure & Submissions · R-02.4 · Deployer · Biometrics
§ 16-5EE-9(a)-(b)
Plain Language
By December 31 each year, every covered medical facility, research facility, company, or nonprofit organization must certify to the Attorney General that it is in compliance with the Genomic Information Privacy Act. The certification must be submitted by an attorney representing the organization. This is a continuing annual obligation — not a one-time filing.
Statutory Text
(a) Not later than December 31 of each year, a medical facility, research facility, company, or nonprofit organization subject to this §16-5EE-1 et seq. shall certify to the attorney general that the facility, company, or organization is in compliance with this chapter. (b) An attorney representing a medical facility, research facility, company, or nonprofit organization subject to this chapter shall submit the certification required under Subsection §16-5EE-8(a).
Other · Biometrics
§ 16-5EE-4(5)
Plain Language
Entities must comply with existing West Virginia law requiring valid legal process before disclosing genetic data to law enforcement or government agencies without consumer consent. This is a cross-reference to existing legal requirements under §46A-7-101 et seq. and does not create a new independent obligation — it incorporates the existing legal process requirement into this article's framework.
Statutory Text
(5) Comply with the provisions of §46A-7-101 et seq. of this code requiring a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express consent;
Other · Biometrics
§ 16-5EE-10(a)-(f)
Plain Language
The Attorney General has exclusive authority to enforce this article on behalf of the state, including investigating allegations and bringing civil enforcement actions. Remedies include actual damages, $2,500 per violation, costs, attorney's fees, and investigative expenses. This provision establishes the enforcement mechanism but creates no independent compliance obligation.
Statutory Text
(a) The Attorney General may investigate an allegation of a violation of this chapter and has the sole authority to enforce this article on behalf of the State of West Virginia. (b) The attorney general may bring an action to recover the civil penalty imposed under this section. (c) The Attorney General may initiate a civil enforcement action against a person for violation of this article. (d) In an action to enforce this article, the Attorney General may recover: (1) Actual damages to the consumer; (2) Costs; (3) Reasonable attorney fees; and (4) $2,500 for each violation of any provision of §16-5EE-1 et seq. of this code. (e) The attorney general shall deposit a civil penalty collected under this section in the state treasury to the credit of the general revenue fund. (f) The attorney general may recover reasonable expenses incurred in obtaining a civil penalty under this section, including court costs, reasonable attorney's fees, investigative costs, witness fees, and deposition expenses.
Other · Biometrics
§ 16-5EE-11(a)-(b)
Plain Language
West Virginia residents who are patients or research subjects and who are harmed by a violation of this chapter related to the storage or use of their genomic data may sue the violating entity. Damages are the greater of actual damages or up to $5,000 per violation, plus court costs and reasonable attorney's fees. Venue lies in the plaintiff's county of residence. This provision creates the private right of action but imposes no independent compliance obligation.
Statutory Text
(a) A legal resident of this state who is a patient or research subject of a medical facility, research facility, company, or nonprofit organization subject to this chapter and who is harmed by the storage or use of the patient's or subject's genome sequencing data in violation of this chapter may bring an action against the facility, company, or organization that violated this chapter and is entitled to obtain: (1) The greater of: (A) Actual damages; or (B) Statutory damages in an amount not to exceed $5,000 for each violation; and (2) Court costs and reasonable attorney's fees. (b) An action under this section may be brought in the county in which the plaintiff resides.
Other · Government · Biometrics
§ 16-5EE-3(d)
Plain Language
Beginning January 1, 2027, governmental agencies at all levels may only collect, store, use, or disseminate genetic data if authorized by a specific state law or pursuant to a search warrant. This imposes a legal authority requirement on government use of genomic data, effectively requiring either statutory authorization or judicial authorization for each instance of government access to genetic data.
Statutory Text
(d) Beginning January 1, 2027, any collection, storage, use, or dissemination of genetic data by a governmental agency must be performed in accordance with a specific state law or executed through a search warrant.