Insights & Events
Filter your search:
Filter your search:
Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
Updates
June 18, 2025

Texas Genomic Act: A New Era of Genetic Privacy Legislation

Including Prohibitions on Genetic Sequencing, Storage and Sale of Genomic Information

Download
Authors: Peter A. Blenkinsop , Reed Abrahamson , Simonne Brousseau , Aliyah N. Price , Andy Taylor , Alyce A. Hammer

At a Glance

  • Texas HB 130, known as the Texas Genomic Act, has passed both chambers of the Texas Legislature and would have significant implications for life sciences companies, research institutions, diagnostics providers and other businesses carrying out or supporting research on Texas residents’ genomic data.
  • If enacted, the Act would prohibit companies, medical facilities, research facilities and nonprofit organizations from using a genome sequencer or genome sequencing-related software produced by or on behalf of a foreign adversary.
  • If enacted, the Act would become effective September 1, 2025. Companies should thus take steps over the coming months to evaluate the impact of Texas HB 130 on their business operations.

Texas is poised to adopt significant new legislation governing how its residents’ genetic information is processed, stored and protected, in an effort to limit access by “foreign adversaries.” If enacted, the Texas Genomic Act (Texas HB 130, or the Act) would prohibit companies, medical facilities, research facilities and nonprofit organizations from using a genome sequencer or genome sequencing-related software produced by or on behalf of a foreign adversary. “Foreign adversary” is currently defined to include China, Cuba, Iran, North Korea, Russia and Venezuela1— the same countries identified as “countries of concern” in the Department of Justice’s (DOJ) new Data Security Program.

The Act also includes multiple broad restrictions and prohibitions on genetic sequencing, storage, and sale of genomic information, which make it substantially unlike other common state genetic information and testing laws. Significantly for businesses, Texas HB 130 would be enforceable both by the state attorney general — to which an annual compliance certification must be made — and through a private right of action.

Texas HB 130, which passed both chambers of the Texas Legislature nearly unanimously, would have significant implications for life sciences companies, research institutions, diagnostics providers and other businesses carrying out or supporting research on Texans’ genomic data. Specifically, entities subject to the Act must:

  1. Not use a genome sequencer or software produced by or on behalf of (i) a foreign adversary, (ii) a state-owned enterprise of a foreign adversary, (iii) a company or nonprofit organization domiciled within the borders of a country that is a foreign adversary, or (iv) an owned or controlled subsidiary or affiliate of a company or nonprofit organization domiciled within the borders of a country that is a foreign adversary2
  2. Not sell or otherwise transfer Texans’ genomic sequencing data as part of a bankruptcy or reorganization under Chapter 11 of the U.S. Bankruptcy Code to any of the same categories of entities3
  3. Not store Texans’ genome sequencing data “at a location within the borders of a country that is a foreign adversary”4
  4. Ensure the security of genome sequencing data by using (in an apparent nod to the DOJ’s Data Security Program, though without further specification) “reasonable encryption methods, restriction on access, and other cybersecurity best practices”5
  5. Ensure Texans’ genome sequencing data — other than “open data” (which is not defined by the Act) — is inaccessible to persons located within the borders of a foreign adversary6

Analysis of Requirements and Obligations

While these obligations create new, significant restrictions on and responsibilities for entities researching and testing genetic information, the first of these requirements (found in § 174.005) has a notably wide reach.7 Namely, if enacted, § 174.005 would prohibit the use of genome sequencers and software produced by or on behalf of (i) a foreign adversary, (ii) a state-owned enterprise of a foreign adversary, (iii) a company or nonprofit organization domiciled within the borders of a country that is a foreign adversary, or (iv) an owned or controlled subsidiary or affiliate of a company or nonprofit organization domiciled within the borders of a country that is a foreign adversary.8 That prohibition would apply to entities subject to the Act in general — not just when Texans’ data is involved. The term “software” is also broadly defined as “computer programs and related equipment used for genome sequencing or the operation, control, analysis, research, or other functions of genome sequencers.”9 Accordingly, scoping compliance with § 174.005 and understanding its impact on existing company operations will be a key challenge for companies that fall within the scope of the Act.

In addition to the requirements mentioned above, other significant obligations under the Texas Genomic Act include an annual certification of compliance and a private right of action. First, each entity must have an attorney certify annually to the Texas attorney general that the entity is compliant with this Act.10 Second, this Act is enforceable through either the Texas Attorney General’s Office or a private right of action.11 The attorney general may bring an action to recover a civil penalty of up to $10,000 per violation of this Act.12 Additionally, any Texas resident harmed by the storage or use of his or her genome sequencing data in violation of this Act is entitled to recover the greater of actual damages or statutory damages of up to $5,000 per violation, in addition to court costs and reasonable attorney’s fees.13

Private Right of Action

This Act’s private right of action is particularly striking, given the inclusion of a statutory damages amount and the lack of a private right of action in the Texas Data Privacy & Security Act and the DOJ’s Data Security Program. From 2020 to 2024, the number of privacy cases filed in U.S. courts has nearly doubled, including dozens of new genetic information privacy lawsuits under the Illinois Genetic Information Privacy Act (GIPA). This does not account for the torrent of privacy demand letters that threaten litigation against businesses, which have become an everyday cost of doing business. Texas HB 130 could have the effect of steadily contributing to the increase in these types of claims.

Research Exemption

Although Texas HB 130 includes a research exemption, this exemption is notably unique and appears limited in scope. Specifically, one section of the statute (§ 174.007, pertaining to requirements for genomic information storage) does not apply to “the storage of genome sequencing data by a medical facility, research facility, company, or nonprofit organization subject to this chapter that is collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, 28 C.F.R. Part 202 [the DOJ’s new Data Security Program].”14 This research exemption differs from the broader exemption provided in the Texas Data Privacy & Security Act (TDPSA). Accordingly, the breadth of the exemption and the research activities that may fall within it remain unclear at this time.

In Conclusion

If enacted, Texas HB 130 will become effective September 1, 2025. Companies should thus take steps over the coming months to evaluate the impact of Texas HB 130 on their business operations.

For More Information

If you have any questions about how the Texas Genomic Act could affect your business, you may reach out to the authors.

  1. Tex. Health & Safety Code § 174.002(3); 174.003. “Human genome” means “the set of DNA found in human cells.” See id. at § 174.002(6).
  2. Id. at § 174.005.
  3. Id. at § 174.006.
  4. Id. at 007(a).
  5. Id. at (b).
  6. Id. at (c).
  7. Id. at § 174.005.
  8. Id.
  9. Id. at § 174.002(8) (emphasis added).
  10. Id. at § 174.008.
  11. Id. at § 174.009–11.
  12. Id. at § 174.010.
  13. Id. at § 174.011.
  14. Tex. Health & Safety Code § 174.007(d). See generally Data Security Program, 28 C.F.R. Part 202 (2025).

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

Meet the Authors

Photo of Peter A. Blenkinsop
Peter A. Blenkinsop

Partner

+1 202 230 5142
Washington, D.C.
Photo of Reed C.F. Abrahamson
Reed Abrahamson

Partner

+1 202 230 5672
Washington, D.C.
Photo of Simonne Brousseau
Simonne Brousseau

Associate

+1 202 230 5260
Washington, D.C.
Photo of Aliyah Price
Aliyah N. Price

Associate

+1 202 230 5138
Washington, D.C.
Photo of Any Taylor
Andy Taylor

Associate

+1 612 766 1625
Minneapolis
Photo of Alyce Hammer
Alyce A. Hammer

Associate

+1 202 230 5304
Washington, D.C.

Related Legal Services

Government & Regulatory Health Care International Litigation Nonprofit Organizations Privacy, Cybersecurity, Data Ethics & Strategy Health Care Privacy, Security & Cybersecurity Health Information Technology & Innovation Research Customs & International Trade Privacy Litigation State Attorneys General Purchased Services, Outsourcing & Cost-Saving Initiatives

Related Industries

Health & Life Sciences Clinical Research Hospitals & Health Systems

Suggested Reading

Updates April 2025

DOJ Releases New Key Guidance on Its Data Security Program (DSP)

Substantial Compliance Obligations Related to Certain Foreign Transactions Involving Sensitive Personal and Government Data
16 min read  
Updates October 2023

Employers Beware: Sudden Spike in Class Actions Under the Illinois Genetic Information Privacy Act

6 min read