Via Community News Service, a University of Vermont journalism internship
When genetic testing company 23andMe was hacked in Oct. 2023, roughly 6.9 million users had ancestry-related data breached. The company filed for bankruptcy in March 2025 and recently settled a $30 million class-action lawsuit.
In response, Vermont lawmakers are considering a consumer protection bill that would regulate how genetic testing companies collect, use and share Vermonters’ data. An amended version of the bill was voted out of the House Committee on Commerce and Economic Development on Feb. 19.
The bill, H.639, sponsored by 28 state representatives, was introduced after 23andMe’s controversy raised questions about the status of customer data once the company’s ownership transferred.
The bill’s main sponsor, Rep. Robin Scheu, D-Addison-1, told the House Committee on Commerce and Economic Development on Jan. 21 that she took on the bill after her own experience with an at-home DNA testing kit left her with questions.
“What happens to everybody’s genetic data?” she said regarding 23andMe. “In the wrong hands, bad things can happen to people.”
Scheu said the bill aims to give people more control over how their genetic data is handled once they submit a sample. H.639 would also limit how genetic testing kit companies share data and require them to be transparent with customers.
The bill would also require companies to obtain additional consent from customers for data usage. Instead of relying on one, long agreement, customers could opt-in to some agreements and decline others.
Scheu said H.639 would prohibit genetic testing companies from disclosing consumer data to insurance companies and employers, potentially revealing health risks which could affect one’s ability to get insurance.
“That’s been a big fear that many of us have had all along,” she said.
Assistant Attorney General Todd Daloz told lawmakers on Jan. 29 that genetic data has different privacy concerns compared to other personal information.
“Our genome is immutable — we cannot change it,” Daloz said. “When that data gets out, as this committee knows well, there’s no really putting that genie back in the bottle.”
Ritchie Engelhardt, Ancestry.com’s head of government affairs, told lawmakers on Feb 4. that the company supports H.639. He said Ancestry.com lets customers delete their data and destroy biological samples if they want to.
Although he said he was in favor of the bill, Engelhardt asked lawmakers to remove the private right of action section, which would allow consumers to sue companies directly for violations of these rules.
Engelhardt said a private right of action “could trigger lawsuits for potentially millions in damages for technical glitches that we discovered and fixed before any privacy harms occurred.”