South Dakota's Genetic Data Privacy Act (SB 49) Takes Effect July 1, 2026

South Dakota's Genetic Data Privacy Act (SB 49) Takes Effect July 1, 2026
South Dakota's Genetic Data Privacy Act, Senate Bill 49, took effect July 1, 2026, roughly three months after Governor Larry Rhoden signed it on March 23, 2026. The law requires direct-to-consumer genetic testing companies to get consumers' express written consent before using or disclosing their DNA data.
Information last verified on July 8, 2026. This is a developing story; we update it as the record changes.
Status: Signed March 23, 2026; effective July 1, 2026.
Jurisdiction scope: SB 49 applies only to direct-to-consumer genetic testing companies operating in or serving South Dakota consumers. It does not create a general consumer data privacy law in South Dakota (see South Dakota data privacy laws) and does not reach HIPAA-covered clinical or diagnostic genetic testing.
What Happened
Governor Larry Rhoden signed Senate Bill 49, the Genetic Data Privacy Act, into law on March 23, 2026, after it cleared the South Dakota Senate 34-0 and the House of Representatives 65-2. The bill came out of the Senate Judiciary Committee at the request of Attorney General Marty Jackley, one of ten bills his office introduced during the 2026 legislative session. SB 49 took effect July 1, 2026, alongside the rest of that year's newly enacted South Dakota statutes.
The Act regulates "direct-to-consumer genetic testing companies," defined to include any entity that offers genetic testing products or services directly to consumers, or that analyzes, collects, or uses genetic data derived from those products or services. Jackley has tied the bill directly to the 2025 collapse of 23andMe. In June 2025, Jackley joined a multistate coalition of attorneys general in a lawsuit seeking to block 23andMe from selling customers' genetic data as part of its bankruptcy proceeding, arguing customers had never consented to a sale to a new, unknown buyer.
"They can't sell and transfer it without consent." (Attorney General Marty Jackley, on SB 49's purpose, KOTA TV, March 24, 2026)
The bill also addresses the bankruptcy scenario directly. It bars the sale of genomic sequencing data in a bankruptcy or reorganization proceeding to a foreign adversary, or to a company based in, owned by, or controlled by a foreign adversary.

What the Law Actually Says
SB 49 builds consent and disclosure duties on top of South Dakota's existing, targeted approach to data protection, described further at South Dakota data privacy laws. Unlike the state's data breach notification law, which addresses what happens after unauthorized access to data, SB 49 regulates a company's ordinary collection and use of genetic data from the outset.
Covered companies must secure a consumer's express consent, an affirmative written response, before using or disclosing genetic data, and must obtain separate express consent for the initial description of intended uses, for who can access test results, and for how the data will be used. Companies must publish a prominent, publicly available privacy notice covering collection, disclosure, use, retention, and security practices, and must specifically disclose whether de-identified genetic data is shared with third parties for research. Consumers can request access to their genetic data, deletion of their account, and destruction of their physical biological sample.
The Act exempts HIPAA-covered entities and their business associates, along with genetic data used for medical screening, diagnosis, or treatment at hospitals and affiliated labs or facilities. That carve-out separates SB 49 from South Dakota's biometric privacy law and the patchwork of state biometric privacy laws elsewhere, which typically cover fingerprints, faceprints, and other biometric identifiers rather than raw genetic sequences.
Enforcement runs exclusively through the Attorney General. Under the Act, a civil penalty for violating the consent, notice, or security-safeguard provisions may not exceed five thousand dollars per violation. The statute does not create a private right of action, so individual consumers cannot sue a testing company directly under SB 49.
Analysis: Why This Matters
The following is analysis from the Recording Law Editorial Team.
SB 49 fits a broader 2026 pattern of states writing genetic-data-specific privacy statutes rather than waiting on a comprehensive federal law. Utah enacted its own genetic privacy law around the same time, and both moves trace back to the same event: 23andMe's 2025 bankruptcy, which put millions of customers' raw DNA profiles up for sale as a company asset. Genetic data differs in kind from a password or a credit card number. It cannot be reset, it identifies a consumer's blood relatives without their participation, and it can reveal health predispositions the consumer never intended to disclose to a testing company's downstream buyers or partners.
By requiring consent that is specific, meaning separate consent for use, access, and disclosure, rather than a single blanket sign-up checkbox, SB 49 pushes DTC genetic testing companies toward the same granular consent model that comprehensive state privacy laws use for other sensitive data categories. The HIPAA carve-out matters here too. SB 49 leaves clinical and diagnostic genetic testing to existing federal health privacy law and targets only the consumer-facing ancestry and wellness testing market where 23andMe, and its many smaller competitors, operate. The $5,000-per-violation cap and AG-only enforcement mean the law's practical reach depends heavily on how actively South Dakota's Attorney General polices the DTC testing market going forward.
How This Affects You
If you have used a direct-to-consumer genetic testing service, or are considering one, the company's privacy notice should now disclose, in plain terms, whether it shares de-identified genetic data with researchers and how to request deletion of your account or destruction of your saved biological sample. Consumers who used 23andMe or a similar DTC service before July 1, 2026, should check whether the company now holding their data, including any buyer from a bankruptcy sale, still honors deletion requests. Courts have generally treated pre-existing account terms as still binding after a corporate sale, so reviewing a company's current privacy notice remains the most direct way to confirm your rights under South Dakota law.
This is general legal information, not legal advice. It covers South Dakota and reflects sources verified on July 8, 2026. Laws change and this story is developing; consult a lawyer licensed in your jurisdiction about your specific situation.
Related articles
- South Dakota data privacy laws
- South Dakota data breach notification law
- South Dakota biometric privacy law
- Biometric privacy laws by state
Last updated: 2026-07-08. This is a developing story; details verified as of 2026-07-08.
Frequently Asked Questions
What is South Dakota's Genetic Data Privacy Act?
It is Senate Bill 49, signed by Governor Larry Rhoden on March 23, 2026, and effective July 1, 2026. It regulates direct-to-consumer genetic testing companies operating in South Dakota, requiring consent, privacy notices, and security safeguards for consumer genetic data.
Does South Dakota's genetic privacy law apply to 23andMe?
SB 49 applies to any direct-to-consumer genetic testing company serving South Dakota consumers going forward, including a company that acquired 23andMe's assets in its 2025 bankruptcy, unless the data at issue falls under the HIPAA or clinical-testing exemption.
What consent must a genetic testing company get under SB 49?
Covered companies must obtain a consumer's express written consent before using or disclosing their genetic data, with separate consent for the described uses, who can access results, and how the data will be used.
Are hospitals or medical genetic tests covered by SB 49?
No. SB 49 exempts HIPAA-covered entities and business associates, and exempts genetic data used for medical screening, diagnosis, or treatment at hospitals and affiliated facilities.
What penalties apply if a company violates South Dakota's genetic data law?
The South Dakota Attorney General can seek a civil penalty of up to $5,000 per violation. There is no private right of action for individual consumers under SB 49.
Can I delete my genetic data under South Dakota law?
Yes. SB 49 requires covered direct-to-consumer genetic testing companies to let consumers request deletion of their account and genetic data, and destruction of their physical biological sample.
Why did South Dakota pass a genetic data privacy law in 2026?
Attorney General Marty Jackley has said the 2025 multistate fight over 23andMe's bankruptcy sale of customer DNA data, which he joined as part of a coalition of state attorneys general, directly shaped SB 49's consent requirements.
Sources and References
- South Dakota SB 49 (2026), Genetic Data Privacy Act, official bill page(sdlegislature.gov).gov
- SB 49 (2026) enrolled bill text, South Dakota Legislative Research Council(mylrc.sdlegislature.gov).gov
- South Dakota Attorney General press release, "Attorney General Jackley's Genetic Data Privacy Bill Signed into Law"(atg.sd.gov).gov
- Hunton Andrews Kurth Privacy and Cybersecurity Law Blog, "South Dakota Enacts Genetic Data Privacy Act"(hunton.com)
- Covington Inside Privacy, "Utah and South Dakota Enact Genetic Privacy Laws as Other States Advance Bills"(insideprivacy.com)
- KOTA TV, "Gov. Rhoden signs Attorney General Jackley's genetic data privacy bill into law"(kotatv.com)