So you spat in a tube 10 years ago, clicked “I agree” a few too many times, and now you know you’re 12% Italian and you found your 3rd cousins. Cool. But while you were busy building your family tree and marveling at your Neanderthal percentage, your health information may have been quietly passed around — bought, sold, shared, maybe even breached.
Welcome to the world of genetic privacy in the United States, where your DNA can be exposed legally faster than your social security number gets pilfered in a phishing scam. Despite dealing with your most private and unchangeable secrets, direct-to-consumer (DTC) genetics companies are running billion-dollar, largely unregulated shindigs, often moonlighting in biotech partnerships and data monetization. Case in point: the colossal 23andMe breach confirmed in late 2023. The attackers didn't have to break into 23andMe's servers. They logged into roughly 14,000 accounts using passwords reused from other breaches (credential stuffing), then used the opt-in DNA Relatives feature to scrape ancestry and profile data on millions of other users, and put lists of people of Ashkenazi Jewish descent up for sale.
To be clear: clinical genetic testing ordered through a doctor or genetic counselor is very different. These tests are protected under HIPAA, performed in regulated labs, and come with the oversight and privacy standards patients deserve. The concern is with direct-to-consumer platforms and health apps that exist outside those guardrails — collecting similar data with far fewer protections.
It’s a bizarre truth of American life when it comes to consumer health companies: your genetic and health privacy rights change the moment you cross a state line. In California, for example, your health information has strong protections. But in many other states? Your most intimate biological information can be collected, sold, or shared with minimal oversight. This patchwork means that two people using the exact same DNA service could have radically different rights, or none at all, depending entirely on where they live. In a country that treats genetic data as the foundation of personalized medicine, it’s wild that your legal control over your own body’s blueprint isn’t consistent from coast to coast.
Only A Few States Have Consumer Health Privacy Laws:
1. California
Laws:
- California Consumer Privacy Act (CCPA), 2018
- California Privacy Rights Act (CPRA), 2020
- California Genetic Information Privacy Act (SB 41), 2021
Unique Rights:
- Right to Know what personal data is collected and why.
- Right to Delete personal data (including genetic data).
- Right to Opt Out of the sale or sharing of your data.
- Right to Correct inaccurate personal information.
- Right to Limit Use of Sensitive Data, such as health/genetic info.
2. Washington State
Law:
Unique Rights:
- Covers consumer health data, including genetic data.
- Requires explicit, opt-in consent for collecting and sharing.
- Right to delete data at any time.
- Includes a private right of action.
3. Oregon
Law:
Unique Rights:
- Right to Confirm if a controller is processing your personal data.
- Right to Access personal data collected about you.
- Right to Correct inaccuracies in your personal data.
- Right to Delete personal data held by controllers.
- Right to Opt Out of the sale of personal data, targeted advertising, or profiling.
- Right to Data Portability to obtain a copy of your data in a usable format.
4. Vermont
Law:
Unique Rights:
- Requires informed consent to use or disclose genetic data.
- Mandates destruction of samples unless opted in.
- Applies to direct-to-consumer genetic testing.
5. Illinois
Laws:
- Genetic Information Privacy Act (GIPA, 410 ILCS 513), 1998
- Biometric Information Privacy Act (BIPA, 740 ILCS 14), 2008
Unique Rights:
- Requires written consent before disclosure.
- Gives individuals the right to sue for violations.
- Applies to both genetic and biometric data.
6. Florida
Law:
Unique Rights:
- Makes unauthorized DNA testing or sharing a felony.
- Prevents use of DNA without informed written consent.
- Applies to all genetic testing, including 23andMe.
🛡️ Quick Summary:
| State | Key Protections |
|---|---|
| California | Opt-out rights, data deletion, sensitive data limits |
| Washington | Strongest opt-in consent for health data |
| Oregon | Rights to confirm, access, correct, delete, and portability |
| Vermont | Informed consent + limits on sample storage |
| Illinois | Private right to sue for misuse of genetic info |
| Florida | Criminal penalties for unauthorized DNA use |
If your state isn’t listed, there may be no state law protecting you at all.
Consumer DNA companies like 23andMe promised empowerment, insight, and privacy — but delivered data breaches, fine print, and quiet double-dipping deals with pharmaceutical giants while they charged you for their service. They aren’t alone. From wearables to fertility apps to AI mental health chatbots, the entire digital health ecosystem is thriving on a business model built on your most sensitive information. Meanwhile, regular people are left exposed, with rights that depend on ZIP code and laws that lag a decade behind the technology.
Your DNA isn’t just personal — it’s permanently identifying, impossible to change, and increasingly valuable to insurers, researchers, marketers, and law enforcement. As technology advances, your genetic and health data becomes more profitable to others and more predictive of your future — not just your ancestry, but your disease risk, reproductive potential, even your kids’ health. And yet, the protections around it remain fragile, fractured, and easy for Silicon Valley lawyers to sidestep.
The truth is: your health data holds power — but without rights and safeguards, it can be used against you. We’re all giving it away to companies that treat consent as a checkbox and privacy as a PR line. Until we demand uniform privacy laws, enforceable rights, and community-driven oversight, we’re not patients — we’re just products in the making.
It’s time to stop settling for broken promises
This brings us to a bigger point about health privacy, which covers more than keeping your medical records confidential: it also means controlling who can access that information and how it is used. With sensitive health data increasingly stored and shared online, knowing which laws apply to you, and what steps you can take to keep your data under your control, is the starting point. The state-by-state outline above shows just how much those laws differ depending on where you live.
Discover more from Light Collective
