If you’ve ever spit into a plastic tube or swabbed your cheek and mailed your saliva away to learn about your ancestry or health risks, you might have assumed that the company analyzing your DNA is legally required to keep your genetic data private. But you’d be wrong.
The Health Insurance Portability and Accountability Act, known as HIPAA, protects individuals’ medical information when it's handled by doctors, hospitals, and health insurance companies. This applies to genetic tests ordered by your doctor but not to those you can buy online directly from companies like 23andMe and Ancestry because these kits aren’t considered medical tests. As a result, the companies have largely operated in a legal gray area. Firms write their own privacy policies that customers agree to when they purchase a kit, but the companies can change these policies at any time.
That’s a problem, since genetic data can reveal all sorts of sensitive information about you—your ethnicity, your family connections, and even your likelihood of developing Alzheimer’s disease or certain cancers. Law enforcement officers are increasingly using consumer genetic databases to investigate violent crimes.
But a growing number of states are adopting genetic privacy laws in an effort to close these gaps. California became the latest on October 6 when Governor Gavin Newsom signed into law the Genetic Information Privacy Act, which puts restrictions on the data collected by direct-to-consumer DNA testing companies. SB 41, which goes into effect in January, requires customers to give express consent before their genetic data can be used for scientific research or shared with a third party. If customers consent to having their data used for research, companies must provide a simple way for them to opt out at any time.
Mahoney says privacy advocates wanted to make sure DNA testing firms can’t bury consent clauses in long terms of service agreements. The new California law bans companies from using “dark patterns”—deceptive practices that employ popups and other web elements to trick consumers into providing consent.
It also mandates that companies give customers a clear and easy way to close their accounts and delete their DNA data from the company's database, if they choose. In addition, the companies are required to destroy a customer’s biological sample within 30 days of their request.
Utah enacted a similar law in March, followed by Arizona in April. Both state laws address consent issues, data security, notice of privacy practices, and an individual’s right to have their genetic data removed and their biological sample destroyed.
Advocates say such protections are needed because US privacy laws were written before the advent of home genetic testing. HIPAA was enacted in 1996. The Human Genome Project didn’t reveal the first draft of our genetic code until 2003. Five years later, Congress recognized the potential for genetic data to be used to discriminate against individuals, and in 2008 it passed the Genetic Information Nondiscrimination Act (GINA). The law prohibits prejudicial treatment by employers and health insurers on the basis of a person’s genetic information. But it doesn’t prevent other entities—such as life insurers, mortgage lenders, or schools—from denying services based on a person’s genetic makeup.
The effort to generate the first blueprint of the human genome cost $2.7 billion over 13 years. Few could have predicted that cheap DNA tests would become widely available a decade later. Consumer Reports estimates that around 20 percent of Americans have taken a home test from companies such as 23andMe, Ancestry, MyHeritage, and Family Tree DNA.
“This is really coming about because so much has changed in the marketplace and the technology,” says Lee Tien, a senior staff attorney at the San Francisco digital rights nonprofit Electronic Frontier Foundation, about the recent wave of state legislation addressing genetic privacy.
Ancestry and 23andMe—the two largest consumer genetic testing companies—have applauded the law's passage. “We think it's very important for all consumers in California to be afforded the confidence that when they choose to participate in direct-to-consumer genetic testing, their data will be used and shared as they permit it,” says Jacquie Cooke Haggarty, 23andMe’s deputy general counsel and privacy officer. She says 23andMe has long provided these protections to customers.
In an emailed statement, an Ancestry spokesperson wrote that customer trust is the company’s top priority and the bill “aligns with Ancestry’s current privacy and data stewardship commitments.”
But it remains unclear how violations of the California law will be tracked and how DNA testing companies will be held accountable. Consumers can notify the California Attorney General if they believe a testing company isn’t complying with the new law, Mahoney says, but they won’t be able to sue. “You can have these protections on the books, but what really matters is whether or not companies comply and whether or not they're incentivized to comply,” Mahoney says.
Other states, meanwhile, are addressing another aspect of genetic privacy: law enforcement’s growing use of consumer genetic databases to investigate violent crimes. Some of these databases, including GEDmatch (now owned by Verogen) and Family Tree DNA, allow investigators to upload a DNA profile of a suspect or victim and view that person’s familial matches. From there, genealogists can help police build out that person’s family tree and use public records to narrow down the identity of a suspect or a nameless victim. The technique is known as forensic genetic genealogy. Use of the technique has exploded since 2018, when authorities used GEDmatch to identify Joseph James DeAngelo, who is now serving multiple life sentences, as the Golden State Killer.
(23andMe and Ancestry don’t allow law enforcement access to their genetic databases.)
Earlier this year, Maryland and Montana became the first states to pass forensic genealogy laws. The Montana law requires law enforcement to obtain a search warrant to view data in a consumer DNA database. The more comprehensive Maryland law, which took effect October 1, limits the types of crimes consumer genetic databases can be used for. Under that law, police can only use them to investigate murders, rapes, felony sexual offenses, or other violent crimes that pose a significant threat to public safety or national security. To investigate one of these crimes using a consumer genetic database, police officers must seek written approval from a judge and prove they’ve exhausted other investigative avenues first. Genealogists who work with law enforcement will also be required to get a special license.
Maryland legislators who crafted the bill were worried about innocent people getting swept up in criminal investigations involving relatives they may or may not know. “This technology is so powerful that it is identifying people who have not necessarily consented for their DNA to be used for this purpose,” says Emily Shetty, a member of the Maryland House of Delegates who co-sponsored the bill.
Verogen, the forensic genetics company that bought GEDmatch in 2019, says Maryland and Montana’s new laws are a step in the right direction. “GEDmatch has long supported the privacy rights of consumers,” CEO Brett Williams told WIRED in an email. “We do not believe that either piece of legislation will negatively impact GEDmatch.”
Mahoney and Tien say these new laws aren’t perfect, and it’s unclear how well they’ll work for consumers, but they’re a start. “All areas of privacy are inherently always evolving because technology evolves,” Tien says. “I don’t think you can ever look at privacy laws and say, ‘Oh, we’re done’ because they're always going to adapt to new technology.”