The Vermont House Committee on Commerce & Economic Development heard testimony Jan. 29 on H.639, the proposed Genetic Information Privacy Act, as Todd Dalos, assistant attorney general, urged lawmakers to require express, stepwise consent and stronger protections for genetic samples and data.
Dalos told the committee that genetic data is uniquely sensitive and immutable, and that privacy risks are magnified by family-tree linkages. “Genetic data is not just data about people,” he said. “Genetic data is people.” He described the 23andMe cyberattack and bankruptcy, which affected roughly 14,000 directly breached accounts and an estimated 6.9 million interconnected accounts, saying those numbers illustrate how genetic information can be amplified when combined across records.
The Attorney General’s Office said it issued a consumer alert during the 23andMe episode and worked with other state attorneys general and the company to assist consumers seeking deletion of accounts and destruction of samples. Dalos said states objected in the bankruptcy to transfers of genetic-data assets and negotiated an agreement with a successor company to secure privacy protections after the court allowed the sale.
H.639 would require plain-language consumer notices about collection, security and deletion practices; prominent disclosure at points of collection; and express consent for distinct decision points, Dalos said. “H.639 requires express consent on each one of these decision points,” he said, adding that the bill aims for a simple revocation process so consumers can delete accounts without a multi-step opt-out.
The bill contemplates appropriate transfers to third-party labs or service providers but seeks to limit the risk that those providers combine genetic-derived information with other datasets to make inferences about individuals. It includes anti-discrimination language broader than the federal Genetic Information Nondiscrimination Act (GINA), and would bar a direct-to-consumer testing company from disclosing a consumer’s genetic information to employers or insurers—while not regulating separate consumer–insurer relationships such as life-insurance underwriting.
Dalos said enforcement would follow a model similar to Act 63 (the state’s age-appropriate design code), vesting enforcement authority with the Attorney General’s Office under the Title 9, Chapter 63 framework and enabling remedies when immutable genetic identifiers are at risk.
A committee member who spoke in support recommended technical edits, including defining “biometric data” consistently with prior children’s privacy law, replacing the term “biometric samples” with “biological samples,” and clarifying the phrase “inherent contextual uses” to avoid vagueness. Dalos said those recommendations appeared congruent with the AGO’s goals and welcomed language to close inference loopholes.
No vote was taken; the committee recessed and scheduled additional testimony on the bill for a future meeting.
Next steps: further testimony and markup are expected at a subsequent committee meeting.