Genes Talk: The Current State of DNA Privacy Law

Photo Credit:

By Samantha Cook, Feature Editor

AncestryDNA® (“Ancestry”) and its competitors, like 23andMe® (“23andMe”), provide users with a fascinating look at their genealogies and help to connect them with distant relatives. I thought it would be an interesting experiment to give my parents Ancestry DNA kits for Christmas, but the idea of spitting into a tube and mailing it away to a private company made me curious about what else it could do with genetic information that is voluntarily provided.

Ancestry’s privacy policy contains much of the same boilerplate language used in most privacy policies. It uses genetic information to deliver ethnicity results and to find users’ relatives and ancestors, as promised.[1] The policy goes on to lay out specific instances where information may be shared, and outlines who the recipients could be. It emphasizes that Ancestry does not share genetic information with insurers, employers, or third-party marketers without express consent.[2]

Most interesting to me was the provision about legal or regulatory process requirements. The section reads: “We may share your Personal Information if we believe it is reasonably necessary to: Comply with valid legal process (e.g. subpoenas, warrants);…”[13] “Personal Information” includes genetic information for those who have taken the Ancestry DNA kit.[4] Only once, in 2014, did Ancestry have to provide law enforcement with the identify of a person based on a DNA sample in compliance with a valid search warrant.[5] While it does seem that Ancestry and 23andMe take their users’ privacy very seriously, they are not responsible for data which is voluntarily publicized by the users – many of whom likely do not understand the implications of their actions.

Use of Public DNA Databases in Law Enforcement

The arrest and indictment of Joseph DeAngelo marked a turning point in the use of DNA in criminal investigations. Better known as the “Golden State Killer,” DeAngelo is suspected of having committed a series of violent crimes in California in the 1970’s and 80’s.[6] Last year, Sacramento investigators salvaged discarded DNA evidence from the crime scene and uploaded it to an open source DNA database called GEDmatch.[7]

GEDmatch is a free website where users can upload raw data from their DNA tests from AncestryDNA or 23andMe, and it matches them to potential relatives who have done the same.[8] Law enforcement is quickly turning to public DNA databases like GEDmatch.[9]  Unlike forensic databases, investigators do not need a warrant to use GEDmatch because it is open source and all its data has been consensually uploaded.

This allows investigators to upload DNA extracted from a crime scene and find matches in the system, leading to suspects’ relatives who have uploaded their DNA data.[10] Genetic genealogists then work with law enforcement to trace the matches to common ancestors, and then work forward until the family trees start to converge. From there, law enforcement then takes more traditional investigatory measures, like surveillance, handwriting analysis, and direct evidence collection.[11]

GEDmatch’s terms of service expressly disclaim users’ confidentiality and states that law enforcement may use the database to identify perpetrators of violent crimes.[12] Despite the terms of service and the fact that users consent to the use of their data, there is rising concern among privacy advocates about legal protections for DNA privacy in criminal investigations.[13]

The Constitutional guarantee of privacy protects citizens from unreasonable searches and seizures where a person has a reasonable expectation of privacy.[14] Genetic databases create a unique problem to this long-held rule. Potential suspects have little to no control over whether their relatives upload DNA data to this open source website, which may compromise their entire family’s privacy.[15]

DNA privacy protections for criminal suspects is largely uncharted territory, especially at the federal level. Most recently, in 2013, the Supreme Court considered a Maryland case where a suspect arrested for assault had a DNA sample taken via cheek swab pursuant to a Maryland law.[16] That DNA sample was matched to DNA found at a crime scene of an unsolved rape case from several years prior.[17]  The suspect was charged with rape. He moved to suppress the DNA evidence, asserting that the cheek swab was an unreasonable search under the Fourth Amendment.[18] The Court ruled against the suspect, with one concurrence noting

…the courts have acknowledged DNA testing’s ‘unparalleled ability both to exonerate the wrongly convicted and to identify the guilty. It has the potential to significantly improve both the criminal justice system and police investigative practices.[19]

While it is clear that the judiciary values DNA’s accuracy and utility in law enforcement, the issue of familial DNA testing has thus far evaded the federal court system.[20] States are split on how to treat the use of familial DNA in criminal investigations, but it is conceivable that in the near future, the Supreme Court will be asked to reexamine its DNA privacy jurisprudence in light of the rapid increase of consensual DNA testing and sharing.

Genetic Discrimination in the Insurance Industry

Widespread DNA testing also has implications for healthcare and insurance companies. These industries have much to gain from access to members’ genetic information. The business model involves the allocation of risk; it is expensive for health and life insurers to insure people who are likely to get sick or die, so the rise of consensual genetic testing raises serious legal and ethical questions about who may have access to that data, and for what purposes.

23andMe offers an assessment called the “Genetic Health Report,” which the FDA approved to scan for genetic diseases, like Alzheimer’s and Parkinson’s.[21] Ancestry and 23andMe’s privacy policies both assure users that DNA data will not be sold or shared with insurers without express consent.[22][23] The law protecting users from discrimination based on DNA, however, remains underdeveloped.

Governing federal law is the Genetic Information Nondiscrimination Act (GINA). GINA protects people from discrimination based on genetics in acquiring group health insurance or supplemental Medicare plans.[24] Similarly, the Health Insurance Portability and Accountability Act, better known as HIPAA, increased its protections for genetic privacy in 2013 to comply with GINA.[25]

GINA is limited in its scope. When it was drafted, legislators determined that health insurance and employment were the areas with the strongest need to protect genetic privacy.[26] First, it does not apply to life insurance at all.[27] This suggests that life insurance providers are free (except in 17 states)[28] to request, or even require, genetic information in their underwriting process, potentially leaving those with predispositions to genetic diseases with extremely high premiums or even denial of coverage altogether.

A few other statutes prohibit genetic discrimination, including the Affordable Care Act (ACA) and the Americans with Disabilities Act (ADA). The ACA’s pre-existing conditions provision offers some protection to people who carry genetic diseases by prohibiting insurers from declining coverage to somebody carrying a genetic disease. The Equal Employment Opportunity Commission (EEOC) declared in 1995 that discrimination based on genetic information is prohibited by the ADA, which makes it illegal to discriminate against people with disabilities in employment, public services, accommodations, and communications. [29]

Although the law is incrementally addressing genetic discrimination, there is yet to be a cohesive piece of legislation to address all facets of genetic privacy protections. The need is especially strong to face the prominent threat that comes with consumers voluntarily submitting their genetic information to private companies, whose privacy policies are not bound by law.




[1] Your Privacy, Ancestry, (last visited Mar. 29, 2019).

[2] Id.

[3] Id.

[4] Id.

[5]  Ancestry 2015 Transparency Report, Ancestry, (Last visited Mar. 29, 2019).

[6] Andrew Blankstein, Jonathan Dienst and Corky Siemaszko, Golden State Killer: Ex-cop arrested in serial murder-rape cold case, NBCNews (Apr. 25, 2018, 9:17 PM EDT),

[7] Sam Stanton and Ryan Lillis, Relative’s DNA from genealogy websites cracked East Area Rapist case, DA’s office says, The Sacramento Bee (Apr. 27, 2018, 11:33 AM),

[8] Megan Molteni, The Future of Crime-Fighting is Family Tree Forensics, Wired (Dec. 26, 2018, 8:00 AM),

[9] Id.

[10] Id.

[11] Id.

[12]  GEDmatch, Terms of Service and Privacy Policy, GEDMATCH (last updated May 20, 2018),

[13] Gina Kolata and Heather Murphy, The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder, N.Y. Times, (Apr. 27, 2018),

[14] Katz v. United States, 389 U.S. 347, 360 (1967) (J. Harlan, concurring).

[15] Kolata, supra note 12.

[16] Maryland v. King, 569 U.S. 435 (2013).

[17] Id.

[18] Id. at 440.

[19] Id. at 442 (citing DA’s Office v. Osborne, 557 U.S. 52, 55 (2009)).

[20] Trevor Woodage, Article: Relative Futility: Limits to Genetic Privacy Protection Because of the Inability to Prevent Disclosure of Genetic Information by Relatives, 95 Minn. L. Rev. 682, 705 (Dec. 2010).

[21] Kelly Song, 4 Risks consumers need to know about DNA testing kit results and buying life insurance, CNBC (Aug 9, 2018, 3:17 PM EDT),–risks-consumer-face-with-dna-testing-and-buying-life-insurance.html.

[22] Ancestry, supra note 1.

[23] Privacy Highlights, 23andMe, (last visited Mar. 29, 2019).

[24] Genetic Information Privacy, Elec. Frontier Found., (Last visited Mar. 29, 2019).

[25] Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health

Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act;

Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566, 5566 (Jan. 25, 2013).

[26] Sarah Zhang, The Loopholes in the Law Prohibiting Genetic Discrimination, The Atlantic (Mar 13, 2017).

[27] Nat’l Human Genome Research Inst., Genetic Information Nondiscrimination Act of 2008, Nat’l Inst. Health, (Last visited Mar. 29, 2019).

[28] Song, supra note 4.

[29] Nat’l Human Genome Research Inst., Genetic Discrimination and Other Laws, Nat’l Inst. Health, (Last visited Mar. 29, 2019).

Comments are closed.