State Genetic Privacy Statutes: Good Intentions, Unintended Consequences?
By Christi Guerrini, David Gurney, Steve Kramer, CeCe Moore, Margaret Press, and Amy McGuire
State legislators have enacted a flurry of genetic privacy bills that will strengthen the privacy and security practices of direct-to-consumer genetic testing companies and give customers more control over their data. What they might not realize is that these bills could be interpreted in ways that limit law enforcement’s ability to use a new technique that helps identify violent criminals and human remains and exonerate the wrongfully convicted.
Known as investigative genetic genealogy (IGG), this technique was used in 2018 to identify the Golden State Killer, whose crime spree terrorized California residents for decades. IGG has since helped close over 800 cases around the country—and counting. Many of these cases had long gone cold and could not be solved in any other way.
However, in similarly worded bills enacted in a growing number of states that include California, Tennessee, Texas, and Virginia, legislators have, perhaps unintentionally, introduced confusion regarding when state and local authorities may use this technique.
IGG relies on well-known genetic genealogy tools and methods to generate leads about a person’s identity. In the case of a criminal investigation, investigators can use IGG to help identify a person of interest when DNA found at a crime scene does not match anyone in the national forensic database. Specifically, investigators can upload the DNA profile to genetic genealogy databases that permit IGG—the same databases used by millions of genealogy hobbyists. Each database will produce a list of participants in the database who share DNA with the putative perpetrator, as well as the length and location of shared DNA. This list will include hundreds or thousands of people who are typically distant relatives—the same information that other database participants receive when they use the database for relative matching, except that, for law enforcement, it will not include anyone who has opted out of IGG. Investigators can then use the names on the list to create family trees and, ultimately, identify one or more possible leads for a person of interest. Finally, these leads are investigated using traditional police methods, including direct DNA testing between the crime scene DNA and person of interest.
This technique for generating leads has rightly been hailed as the greatest investigative breakthrough since DNA was introduced to law enforcement investigations in the 1980s. In addition to solving violent crimes, IGG has helped to exonerate at least two individuals who were convicted of crimes they did not commit. It also has provided closure to those with missing loved ones whose remains could not, until now, be identified.
Yet, new state genetic privacy laws could be interpreted to clip IGG just as it is getting started.
Although their exact wording differs, all of these laws require that those who upload their DNA to genetic genealogy databases consent to retention of their genetic data and disclosure of these data to third parties—a move we applaud. However, some of the laws are ambiguous about their application to DNA of perpetrators of violent crimes and unidentified decedents that is uploaded by law enforcement. Unlike most customers of genetic genealogy databases who contractually agree to disclosure of their genetic data to third parties, suspects who leave DNA at crime scenes cannot provide the same consent when the police legally obtain and upload their DNA to these databases. The suspect’s identity is not yet known—discovering their identity is, of course, the point of IGG. Yet, some of the new laws could be interpreted to mean that, in a murder case, investigators may have to get the suspect’s permission before conducting IGG with their DNA. Although U.S. courts consistently have held that there is no reasonable expectation of privacy in abandoned biological material, including crime scene DNA, some of the new civil code laws create confusion as to their application in criminal investigative contexts.
Moreover, some state statutes indicate that participants must provide express consent for each disclosure of their genetic data to named third parties. Depending on how exactly the law defines genetic data—some say it includes anything derived from genetic data—this could be interpreted to mean that, in every investigation, law enforcement is required to obtain new consent from each database participant, or at least every participant who is related to the person whose identity is under investigation, before the database can identify them as a genetic relative of that person. But compliance with this requirement is not practical; it is impossible to know in advance which database participants are related to the unknown person and, therefore, who exactly to ask for consent.
Some statutes identify an alternative to these requirements that involves law enforcement obtaining a warrant or using other valid legal processes to conduct IGG. Assuming that IGG can satisfy the legal requirements for a warrant or subpoena, that path is more privacy intrusive than current IGG practice because it invites law enforcement to conduct IGG with DNA profiles of database participants who opted out of law enforcement matching and in databases that do not permit law enforcement matching with respect to any of its participants’ profiles. Warrants and subpoenas can also be used to request information about each participant, such as their private family trees and contact and financial information, which is off limits to law enforcement under current practice.
It is possible that some legislators did not anticipate or appreciate these consequences when they passed their new statutes. For these legislators, the good news is that the problems easily can be fixed. First, legislators can exempt criminal investigations from their new statutes’ provisions. Alternatively, legislators can unambiguously exclude criminal perpetrators and unidentified decedents from their statutes’ consent provisions, which would eliminate the nonsensical possibility that law enforcement might be required to obtain consent from these unknown persons to use their DNA to help identify them. Second, where applicable, legislators can replace provisions suggesting that law enforcement ask every database participant for consent for each instance of IGG with one that codifies the current database practice of disclosing if and when law enforcement is allowed to participate and allowing participants, at any time, to opt in or out of IGG. These small changes will ensure that participants remain in control of their data while allowing IGG to be conducted consistent with individual privacy selections.
However, it is possible that some states did intend to regulate IGG, and perhaps even ban it, via their new statutes. We urge legislators in these states—as well as others that might follow suit in the future—to be transparent about this objective and to regulate IGG explicitly via laws directed at the technique, rather than indirectly via general privacy statutes. This was the approach taken by Maryland and Utah, both of which have enacted comprehensive IGG legislation. Utah legislators, in particular, engaged experts in the practice of IGG (including two of this letter’s authors) and revised the bill to ensure that the law regulated exactly what it was supposed to—and nothing more.
Another good lesson from these states is the importance of writing access to IGG for people who have been wrongfully convicted into IGG legislation. It took far too long for states to adopt similar provisions for traditional DNA testing. Since we are still in the early days of IGG, states have an opportunity to avoid that mistake a second time around.
IGG is a new and complex law enforcement technique that should not be regulated by accident or as an afterthought. Rather, it should be examined in context with existing legal constraints placed on law enforcement and addressed through laws carefully tailored to meet specific policy objectives. Ultimately, we believe that IGG and genetic privacy protections can coexist in ways that promote both individual interests in privacy and societal interests in public safety and justice. To accomplish this balance and avoid unintended consequences, legislators should consult with experienced IGG practitioners and other stakeholders. It is not too late for states that have already passed relevant laws to solicit this input and make adjustments that give due consideration to all interests at stake.
Christi Guerrini is Assistant Professor in the Center for Medical Ethics and Health Policy at Baylor College of Medicine and a member of the Investigative Genetic Genealogy Working Group of the Scientific Working Group on DNA Analysis Methods.
David Gurney is Director of the IGG Center and Assistant Professor of Law & Society at Ramapo College and President of the Investigative Genetic Genealogy Accreditation Board.
Steve Kramer is Co-Founder and President of Indago Solutions, LLC. He is a former FBI attorney and led the team that identified the Golden State Killer using IGG.
CeCe Moore is Chief Genetic Genealogist at Parabon NanoLabs, CEO of DNA Justice, founder of The DNA Detectives, and co-founder of the Institute of Genetic Genealogy. She also is a media consultant and appears on the television series The Genetic Detective and Finding Your Roots.
Margaret Press is Co-Founder and CEO of the DNA Doe Project, COO of DNA Justice, and a member of the Investigative Genetic Genealogy Accreditation Board.
Amy McGuire is the Leon Jaworski Professor of Biomedical Ethics and Director of the Center for Medical Ethics and Health Policy at Baylor College of Medicine.
This research was supported by the National Human Genome Research Institute of the National Institutes of Health under Award Number R01HG011268. The content is solely the responsibility of the authors and does not represent the official views of the National Institutes of Health.