
Legally Addressing DNA Privacy Concerns

June 08, 2022

In the modern world, terms of service agreements are ubiquitous. And, if we’re being honest with ourselves, the general layperson does not thoroughly read the entire agreement, which is often full of legal jargon that is difficult to understand or relatively ambiguous for those not well versed in law. We agree to terms of service agreements for all sorts of services, but what happens when we sign an agreement for a consumer DNA test, which reveals a host of personal information about us?

The user agreement for a consumer DNA service can have much different impacts on us than signing the terms of service agreement for the latest update to our phone’s OS. Our phones contain a lot of personal information about us, but our DNA is the core of our being. The law is just beginning to catch up when it comes to DNA privacy, which leaves consumers in a legal gray area that is open to the whims of the companies collecting our most fundamental data.

A Brief History of DNA Testing

Back in 1996, when HIPAA first went into effect, the Human Genome Project was around seven years from completing the first sequence of the human genome, which was done in 2003. And even at that point, the sequence covered only 92 percent of the genome.1 However, the first commercial DNA tests made their way to the market in 2000.2 At that time, the tests were being used to construct genealogies and DNA privacy was at the forefront as a concern.

It would take longer for DNA tests to be approved to relate health information to consumers. In 2013, 23andMe was forced to stop sharing health reports by the US Food and Drug Administration (FDA).2 Only when the test was approved by the FDA as a medical device was 23andMe able to relaunch its Health + Ancestry Service in 2015, with further approval to market health risk reports over the past several years.3

In the midst of the growing popularity of at-home DNA tests, the U.S. passed the Genetic Information Nondiscrimination Act of 2008. This act protects Americans from being discriminated against on two fronts—health insurance and employment. Relating back to HIPAA, an amendment was made in 2013 that stated genetic information is health information and cannot be used by health insurers to make decisions about eligibility for health insurance benefits, what benefits are offered, and the premiums consumers are expected to pay.4

As of early 2020, Ancestry has sold about 14 million tests, and 23andMe has sold around 9 million.5

DNA Privacy Concerns

There are several concerns around consumer DNA testing, including cyberattacks on consumer accounts opened under these testing companies and the ethics surrounding companies selling consumer information to researchers and pharmaceutical companies. While consumers have to opt in for their information to be shared for research purposes, they do not have a say in whether a company can sell a drug discovered thanks to that DNA information for a high profit.

Two of the biggest concerns, however, surround the fact that companies can change their privacy statements/terms of service agreements at any time, and that law enforcement are asking testing companies for DNA information for criminal cases.

Changing Privacy Policies

In the tech and healthcare space, companies are bought and sold or may go out of business entirely. And even when these major events don’t happen, business practices are subject to change, meaning the company's privacy policy may change, and change often. Consumers still have to agree to these changes, but again, those not versed in the law may not take the time to thoroughly read and understand these agreements. We must question how DNA privacy will be affected by these changes.

Law Enforcement Concerns

In 2018, Joseph DeAngelo became the first person to be publicly arrested through genetic genealogy. Better known as the Golden State Killer, DeAngelo pleaded guilty to 13 counts of first-degree murder in 2020. Authorities were able to use DNA obtained at crime scenes decades earlier and homed in on DeAngelo as a suspect using DNA submitted to public genealogy databases.6

Law enforcement has continued to use similar techniques to track down suspects since, and will even go to companies like 23andMe and Ancestry to obtain DNA data. While these companies may try to prevent this information from being shared, it is a reminder to the consumer that they are opening up information about their family members as well when they submit their samples to be tested. Law enforcement and government agencies can still use subpoenas to get information, and this will only continue to be an issue that needs to be worked out by the law and legal minds.

New DNA Privacy Laws

As these privacy concerns persist, some states have enacted laws to begin addressing these issues.

California’s Genetic Information Privacy Act

California’s Senate Bill No. 41 went into effect at the start of 2022. This act was meant to close up any gaps in consumer protection laws, requiring direct-to-consumer (DTC) companies to get a consumer’s express consent for:7

  • Using genetic data collected through a genetic testing product or service. The consent has to describe who will have access to the data, how it may be shared, and the purposes it may be collected, used, and disclosed for.
  • Storing a consumer’s sample after the initial testing is complete.
  • Use of the consumer’s genetic data or biological sample after the primary purpose for the test has been completed.
  • Transfers or disclosures of a consumer’s genetic data or biological sample to a third party other than to a service provider.

Arizona and Utah have since passed similar legislation.

Maryland and Montana’s Forensic Genealogy Laws

Relating back to the concerns about genetic data being obtained by government agencies or law enforcement agencies, these states have enacted laws around DNA for forensic purposes. In Montana, officers must get a search warrant to search in consumer DNA databases. In Maryland, police have to get written approval from a judge after proving that they’ve taken every other avenue to investigate the crime. Law enforcement is also limited in the types of crime they can investigate using consumer DNA information. These crimes include murder, rape, felony sexual offenses, and other violent crimes.8

The Future for DNA Privacy Laws

The legal strides made to protect consumers around DNA privacy are a start, but there are still many unknowns around how this powerful information can and should be used.

DNA testing is bleeding into other areas of law, as well. In a 2022 Netflix documentary, Our Father, a fertility doctor was shown to have used his own sample to inseminate women in his practice. These women did not know that he was the donor. Because of consumer DNA testing, the doctor was revealed to have fathered a total of 94 children as of the time of the documentary’s release. And this is not the only incident of something like this occurring. As consumer DNA tests tell us more about ourselves and our families, issues we haven’t even thought of yet might arise, and it will ultimately be up to great legal minds to work these issues out and set new precedents.

Specialize in Data and Privacy Law with Cardozo School of Law

Laws around data privacy are rapidly evolving. Stay current with an online Master of Studies in Law (MSL) in Data and Privacy Law from Yeshiva University Cardozo School of Law.

Earning a master of studies in law with a specialization is an excellent way to set yourself apart in your field. As such, the Cardozo online MSL focuses on data and privacy law, breaking down the complexities of cybersecurity and data and privacy laws to allow students to excel in IT, cybersecurity, HR, operations and more.

Cardozo’s MSL program is designed by industry leaders and combines theoretical and practical perspectives on compelling topics, including international data protection, cybersecurity, internet law and much more. As a Cardozo student, you’ll study with our top-ranked faculty and build connections with your fellow students in small group settings that focus on engagement. Gain the skills and confidence to make smarter decisions about data operation and management—in your current professional role or your future career as a data specialist.

Connect with an Admissions Advisor to learn more about the online MSL in Data and Privacy Law.

  1. Retrieved June 2, 2022, from nih.gov/news-events/nih-research-matters/first-complete-sequence-human-genome
  2. Retrieved June 2, 2022, from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5223458/
  3. Retrieved June 2, 2022, from customercare.23andme.com/hc/en-us/articles/211831908-23andMe-and-the-FDA
  4. Retrieved June 2, 2022, from genome.gov/about-genomics/policy-issues/Genetic-Discrimination
  5. Retrieved June 2, 2022, from cnbc.com/2020/02/07/how-dna-testing-companies-like-ancestry-and-23andme-can-survive.html
  6. Retrieved June 2, 2022, from abc11.com/golden-state-killer-joseph-deangelo-timeline-caught/7515045/
  7. Retrieved June 2, 2022, from natlawreview.com/article/california-s-senate-bill-41-genetic-information-privacy-act
  8. Retrieved June 2, 2022, from wired.com/story/states-are-toughening-up-privacy-laws-for-at-home-dna-tests/