If you’ve ever spit into a plastic tube or swabbed your cheek and mailed your saliva away to learn about your ancestry or health risks, you might have assumed that the company analyzing your DNA is legally required to keep your genetic data private. But you’d be wrong.
The Health Insurance Portability and Accountability Act, known as HIPAA, protects individuals’ medical information when it’s handled by doctors, hospitals, and health insurance companies. This applies to genetic tests ordered by your doctor but not to those you can buy online directly from companies like 23andMe and Ancestry because these kits aren’t considered medical tests. As a result, the companies have largely operated in a legal gray area. Firms write their own privacy policies that customers agree to when they purchase a kit, but the companies can change these policies at any time.
That’s a problem, since genetic data can reveal all sorts of sensitive information about you—your ethnicity, your family connections, and even your likelihood of developing Alzheimer’s disease or certain cancers. Law enforcement officers are increasingly using consumer genetic databases to investigate violent crimes.
But a growing number of states are adopting genetic privacy laws in an effort to close these gaps. California became the latest on October 6 when Governor Gavin Newsom signed into law the Genetic Information Privacy Act, which puts restrictions on the data collected by direct-to-consumer DNA testing companies. SB 41, which goes into effect in January, requires customers to give express consent before their genetic data can be used for scientific research or shared with a third party. If customers consent to having their data used for research, companies must provide a simple way for them to opt out at any time.
Mahoney says privacy advocates wanted to make sure DNA testing firms can’t bury consent clauses in long terms of service agreements. The new California law bans companies from using “dark patterns”—deceptive practices that employ popups and other web elements to trick consumers into providing consent.
It also mandates that companies give customers a clear and easy way to close their accounts and delete their DNA data from the company’s database, if they choose. In addition, the companies are required to destroy a customer’s biological sample within 30 days of their request.
Utah enacted a similar law in March, followed by Arizona in April. Both state laws address consent issues, data security, notice of privacy practices, and an individual’s right to have their genetic data removed and their biological sample destroyed.
Advocates say such protections are needed because US privacy laws were written before the advent of home genetic testing. HIPAA was enacted in 1996. The Human Genome Project didn’t reveal the first draft of our genetic code until 2003. Five years later, Congress recognized the potential for genetic data to be used to discriminate against individuals, and in 2008 it passed the Genetic Information Nondiscrimination Act (GINA). The law prohibits prejudicial treatment by employers and health insurers on the basis of a person’s genetic information. But it doesn’t prevent other entities—such as life insurers, mortgage lenders, or schools—from denying services based on a person’s genetic makeup.