The Genome as Commodity: Property, Privacy, and Criminal Procedure in the Era of Direct-to-Consumer DNA Companies
Disclaimer
This analysis is for educational purposes only and does not constitute legal advice. The information provided is general in nature and may not apply to your specific situation. Laws and regulations change frequently; verify current requirements with qualified legal counsel in your jurisdiction.
Last Updated: April 6, 2026
Abstract
The rise of direct-to-consumer genetic testing (DTC-GT), marketed by companies such as Ancestry, 23andMe, and MyHeritage, has democratized access to genomic information but has also generated profound legal tensions. This Article adopts a comparative United States–European Union framework to analyze the principal regulatory and judicial conflicts arising from the mass collection of DNA by private entities. It examines: (i) the fragmentation of the U.S. regulatory landscape versus the European fundamental‑rights standard; (ii) the doctrinal debate over whether DNA should be treated as property or as private data; (iii) judicial procedures for law enforcement access to commercial genetic databases; (iv) the challenges of consent and anonymization under the GDPR; and (v) civil liability for data breaches, in light of the 2023 23andMe incident. The Article concludes that international harmonization and recognition of "relational autonomy" are essential to balance scientific and judicial progress against the inviolability of human privacy.
Keywords: genetic privacy, forensic genealogy, GDPR, DNA ownership, 23andMe, informed consent.
I. Introduction
1.1. Evolution of Direct‑to‑Consumer Genetic Testing (DTC‑GT) and Its Impact on Forensic Genealogy
The landscape of human genetics has undergone a radical transformation since the completion of the first human genome sequencing in 2003. Today, the proliferation of direct‑to‑consumer genetic testing (DTC‑GT) companies, such as AncestryDNA, 23andMe, and MyHeritage, has democratized access to genomic information, allowing millions of consumers to obtain ancestry profiles and health predispositions for less than one hundred dollars. These entities operate under a business model that has decoupled the acquisition of genetic information from the traditional clinical setting, enabling third parties to access and process this highly sensitive data outside medical supervision.
The commercial landscape of DTC-GT has fundamentally transformed both the production and legal status of genetic information. Where once DNA analysis was confined to medical laboratories and research institutions operating under institutional review boards and ethical oversight, the business model of DTC-GT companies treats genetic testing as a consumer product, marketed directly to the public through websites and mass advertising. This shift has profound implications for the legal classification of DNA: is it data, property, or an aspect of bodily autonomy protected by fundamental rights?
1.2. The Paradigm Shift: From the Golden State Killer Success to Mass Genetic Privacy Concerns
The first major turning point in the intersection of DTC-GT and criminal investigation occurred in 2018 with the arrest of Joseph DeAngelo, the "Golden State Killer," through Investigative Genetic Genealogy (IGG). Investigators uploaded DeAngelo's DNA profile to the public genealogy database GEDmatch, which aggregates user data from multiple DTC-GT companies. By comparing the uploaded profile against millions of family trees in the database, law enforcement identified DeAngelo through genetic relationships to distant relatives who had voluntarily submitted DNA for ancestry purposes. This investigative breakthrough demonstrated the double-edged nature of commercial genetic databases: tools for genealogical research could simultaneously become instruments of law enforcement surveillance.
The Golden State Killer case catalyzed two divergent legal responses. In the United States, law enforcement agencies, federal prosecutors, and judicial authorities embraced IGG as a legitimate investigative technique, viewing it as an efficient tool for solving violent crimes. Between 2018 and 2023, IGG contributed to the identification of suspects in hundreds of cases, including murders, assaults, and sexual offenses spanning decades. The technique's success created a powerful institutional momentum within American law enforcement, establishing IGG as standard practice within forensic laboratories and criminal investigation units.
Yet simultaneously, this success triggered profound concerns about the unintended consequences of DTC-GT. Millions of individuals who had submitted DNA to commercial databases for ancestry purposes found themselves unknowingly enrolled in a vast law enforcement surveillance system. The revelation that private genetic information, deposited voluntarily for genealogical research, could be accessed by government agencies without explicit consent or judicial oversight created a novel constitutional and ethical tension: the conflict between public safety interests and the inviolability of genetic privacy.
1.3. Scope of the Study: Intersection of Commercial Interests, Public Safety, and Fundamental Rights
This Article examines the legal frameworks governing DTC-GT companies and their intersection with criminal procedure, property law, and fundamental rights protection. The analysis is structured around five principal areas of legal conflict:
First, the fragmentation of the regulatory landscape. The United States operates under a sectoral approach—GINA (Genetic Information Nondiscrimination Act), HIPAA (Health Insurance Portability and Accountability Act), and FTC enforcement—creating gaps where genetic information enjoys no explicit protection. The European Union, by contrast, has elevated genetic data to the status of a special category under the GDPR, subject to heightened safeguards and stricter procedural requirements. This comparative gap illuminates the theoretical foundations of each system: the U.S. model treats genetic privacy as one privacy interest among many, while the EU model recognizes genetic information as inherently exceptional due to its immutability and relational nature.
Second, the doctrinal debate over the legal nature of DNA. Classical jurisprudence rejected the notion that individuals possess property rights in their biological materials or genetic information, as exemplified by Moore v. Regents and Greenberg v. Miami Children's Hospital. Yet recent legislative developments in Alaska and Florida signal a shift toward recognition of property interests in DNA, with statutory provisions allowing individuals to claim monetary compensation for unauthorized use of their genetic information. This doctrinal evolution raises foundational questions about bodily autonomy, informational self-determination, and the appropriate boundaries between the human person and the commercial sphere.
Third, the procedures by which law enforcement accesses commercial genetic databases. The golden question: does law enforcement access to GEDmatch or similar platforms require a judicial warrant, or can investigators access these databases as "public information"? The answer depends on complex procedural doctrines—the Fourth Amendment's reasonable expectation of privacy, the distinction between government searches and searches by private entities, and the evolving definition of "public" information in the digital age. European jurisprudence, particularly the CJEU case C‑118/22 (NG v. Director of the National Police of Bulgaria) and the ECtHR's longstanding S. and Marper doctrine, applies the principle of "strict necessity," requiring particularized judicial orders and individual reasoning rather than mass collection.
Fourth, the challenges of informed consent and anonymization under the GDPR. Consent forms used by DTC-GT companies frequently employ language of "broad consent," allowing companies to process genetic data for purposes the user did not explicitly authorize—including data sales to third parties, pharmaceutical companies, and research institutions. The technical feasibility of true anonymization of genetic data remains contested, as advances in computational genomics make it increasingly possible to re-identify supposedly "anonymized" individuals through familial matching. The GDPR's research exemption (Article 9(2)(j)) further complicates this landscape, permitting processing of special categories of data without explicit consent provided adequate safeguards are in place.
Fifth, civil liability for data breaches and the adequacy of current remedial frameworks. The 23andMe cybersecurity incident of October 2023, affecting approximately 6.4 million customers, exemplifies the security vulnerabilities that characterize commercial DNA platforms. Settlement negotiations revealed a tension between the immeasurable harm of genetic privacy breach and the modest economic compensation ultimately provided. Questions persist about whether statutory damages, ranging from $5,000 to $100,000 in states such as Alaska, adequately deter corporations generating billions in annual revenue from genetic data exploitation.
II. Comparative Normative Framework: The U.S. Model vs. The European Standard
2.1. The U.S. Legal Regime: Legislative Fragmentation and the Genetic Exceptionalism Approach
The United States does not possess a comprehensive legal framework protecting genetic privacy. Instead, protection derives from sectoral legislation addressing specific contexts and specific entities. This fragmented approach, while leaving significant gaps, reflects a particular jurisprudential conception of genetic information: not as inherently exceptional, but rather as one category of personal information subject to existing privacy regimes.
2.1.1. Scope and Limitations of GINA and HIPAA
The Genetic Information Nondiscrimination Act (GINA) of 2008 is the primary federal statute addressing genetic privacy. GINA prohibits health insurers and employers from requesting, requiring, or purchasing genetic information or using such information for underwriting, rate-setting, or employment decisions. The statute's definition of "genetic information" includes an individual's genetic tests, genetic tests of family members, requests for or receipt of genetic services, participation in clinical research involving genetic services, and genetic information about fetuses or embryos.
However, GINA's protections are circumscribed in critical ways. First, GINA applies only to health insurers and employers, creating a significant gap in coverage for other entities that may access and use genetic information—including financial institutions, life insurers, disability insurers, and data brokers. Second, GINA does not address the use of genetic information by law enforcement, commercial data companies, or pharmaceutical manufacturers. Third, GINA does not prevent an individual from being asked to take a genetic test; it prevents only the use of that information for certain prohibited purposes. An employer may request a genetic test as a condition of employment; GINA forbids only the use of the test results in hiring, promotion, or compensation decisions. Fourth, GINA does not address data security: it imposes no requirement that genetic information be protected against unauthorized access or breach.
The Health Insurance Portability and Accountability Act (HIPAA) and its Privacy Rule extend certain protections to genetic information when that information is created, maintained, or transmitted by "covered entities"—that is, health care providers, health plans, and health care clearinghouses. For DTC-GT companies, HIPAA coverage depends on whether the entity qualifies as a "covered entity." Most commercial DTC-GT companies do not operate as medical providers and are not regulated as covered entities under HIPAA; they are regulated as consumer product companies or, in limited contexts, as clinical laboratories. Accordingly, HIPAA's protections do not typically extend to genetic information maintained by companies such as 23andMe or Ancestry.
2.1.2. The FTC's Role in Consumer Protection
In the absence of a comprehensive genetic privacy statute, enforcement against DTC-GT companies falls primarily to the Federal Trade Commission (FTC), which possesses jurisdiction over unfair or deceptive practices in commerce. The FTC has begun to assert genetic privacy as an enforcement priority, initiating actions against companies including 1Health/Vitagene and CRI Genetics for alleged security failures and deceptive practices regarding data anonymization and deletion.
The FTC's approach, however, remains reactive rather than proactive. The Commission investigates specific complaints and instances of wrongdoing but does not establish industry-wide standards or require pre-emptive security measures. The FTC lacks authority to impose binding regulations regarding DTC-GT companies' collection, processing, or retention of genetic data; instead, the Commission must prove unfairness or deception in each individual case, a burden that demands substantial evidence and resources. Moreover, the FTC's enforcement authority covers only practices deemed "unfair or deceptive," leaving significant regulatory gaps regarding practices that may be neither deceptive nor clearly unfair but which pose substantial risks to privacy.
2.2. The European Union Framework: Genetic Data as a Special Category and Fundamental Right
The European regulatory model treats genetic information as inherently exceptional due to its sensitive nature, immutability, and capacity to reveal information not only about the individual but also about biological relatives. This exceptionalism manifests in elevated legal protections embedded in the General Data Protection Regulation (GDPR) and in specialized directives addressing genetic research and forensic applications.
2.2.1. The GDPR and Directive (EU) 2016/680
The GDPR classifies genetic data as a "special category" of personal data (Article 9(1)), subjecting it to heightened protections. Special categories of data—including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and genetic data—may be processed only in limited, enumerated circumstances. The core rule is prohibition: without explicit legal authorization or specific exemption, processing of special categories is forbidden.
The principal exemptions to the prohibition on processing genetic data are enumerated in Article 9(2):
(a) Explicit consent: The data subject has given explicit consent to the processing.
(b) Employment and social security law: Processing is necessary for employment law or social security law purposes.
(c) Vital interests: Processing is necessary to protect the vital interests of the data subject or another person.
(d) Legitimate activity of certain organizations: The data controller is a foundation, association, or other nonprofit body; processing is necessary for the organization's legitimate purposes; and the data is processed only for members or former members.
(e) Manifestly public data: The data subject has manifestly made the data public.
(f) Legal claims: Processing is necessary for establishing, exercising, or defending legal claims.
(g) Employment: Processing is carried out by an employer in the context of employment.
(h) Healthcare: Processing is necessary for healthcare purposes in the context of medical treatment or health management.
(i) Public health interests: Processing is necessary on grounds of public interest in the context of public health.
(j) Research exemption: Processing is carried out for purposes of scientific or historical research, in compliance with Article 89 and subject to appropriate safeguards.
For DTC-GT companies, the relevant exemptions are (a) explicit consent and (j) the research exemption. The consent requirement under (a) is particularly stringent: Article 7 GDPR requires that consent be freely given, specific, informed, and unambiguous, constituted by an affirmative action ("opt-in" rather than opt-out). The burden of proof falls on the controller to demonstrate that consent has been obtained. This standard poses significant challenges for DTC-GT companies, which often employ broad consent language allowing processing for purposes the user did not explicitly foresee or authorize.
The research exemption under Article 9(2)(j) permits processing of genetic data without explicit consent provided that (1) processing is for scientific or historical research purposes, (2) the controller has implemented appropriate safeguards (including pseudonymization and encryption), and (3) the controller has not denied the data subject's rights except to the extent necessary to preserve research integrity. This exemption is subject to Article 89 GDPR, which permits Member States to introduce derogations from fundamental data subject rights—the right of access, the right of rectification, the right of erasure, the right to restrict processing, and the right to object—if the exercise of those rights would seriously impair or prevent the achievement of research purposes. However, such derogations must be proportionate and subject to appropriate safeguards.
Directive (EU) 2016/680, the "Law Enforcement Directive," governs the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offenses. The directive applies to law enforcement access to genetic databases, including commercial platforms. The directive requires that law enforcement processing of personal data be strictly necessary for law enforcement purposes, that data be processed lawfully and fairly, and that data subjects be provided with certain rights regarding their data.
2.2.2. Implementation in Spain: Organic Law 7/2021 and the Biomedical Research Act
Spain has implemented the GDPR through Organic Law 3/2018 (LOPDGDD, Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales). Additionally, Spain's Organic Law 7/2021 (Ley Orgánica de Protección de la Salud en el Contexto de la Pandemia de la COVID-19), enacted during the pandemic, addresses biomedical research and genetic testing. The Act establishes requirements for the collection, processing, and retention of genetic data in research contexts, including requirements for informed consent, data security, and researcher qualifications.
Critically, Spanish law treats DTC-GT tests marketed directly to consumers as falling outside the medical supervision framework unless the company explicitly qualifies as a medical provider or clinical laboratory. This regulatory gap—the classification of commercial genetic tests as consumer products rather than medical services—creates tension with fundamental principles of Spanish biomedical research law. A consumer purchasing an ancestry test through a commercial platform enjoys fewer protections than a research subject participating in a clinical study, despite both providing genetic information to a third party for processing.
III. The Legal Nature of Genetic Information: Property Right or Privacy Right?
3.1. Classical Jurisprudence and Its Rejection of Property Rights (Moore v. Regents, Greenberg v. Miami Children's)
Traditional common law jurisprudence has consistently rejected claims that individuals possess property rights in their genetic information or biological materials. The foundational precedent is Moore v. Regents of the University of California, decided by the California Supreme Court in 1990. In Moore, a patient with hairy-cell leukemia received treatment at UCLA Medical Center. Without the patient's knowledge or consent, physicians extracted his spleen and established a cell line from his spleen cells, which proved commercially valuable for research and therapeutic purposes. The cell line, named "Mo," was patented and commercialized, generating substantial revenue. The patient discovered the use of his cells years later and sued, asserting a property interest in his biological materials.
The California Supreme Court held that the patient possessed no property right in his excised cells or in the derived cell line. The court's reasoning proceeded from several foundations. First, common law principles of abandoned property suggested that once biological materials were removed from the body, they lost the character of property belonging to the individual. Second, recognizing property rights in biological materials would impose impractical burdens on medical practitioners and researchers, who would be required to negotiate with every individual from whom cells or tissues were extracted. Third, recognizing such property rights might impede biomedical research by introducing transaction costs and encouraging litigation. Fourth, California public policy favored the advancement of medical science; imposing property rights would discourage such advancement.
The Moore court's reasoning extended to genetic information. If an individual possessed no property right in his cells or tissues, logically he possessed no property right in the genetic information contained within those cells. The court wrote that the patient's claim based on conversion of cells was "preempted" by state law policies governing the use of human biological materials in medical research.
A similar holding emerged from Greenberg v. Miami Children's Hospital, decided by the Florida Supreme Court in 2003. In Greenberg, the parents of children with Canavan disease—a rare genetic disorder—donated tissue samples and medical information to researchers at Miami Children's Hospital for the purpose of identifying the genetic mutation responsible for the disease. The researchers, using tissue and information provided by the affected families, identified the gene and patented the discovery. The hospital then licensed the patent to commercial entities and began charging for genetic testing based on the patent. Affected families who had contributed tissue and information were charged fees for testing and were denied access to certain genetic information without paying licensing fees to the hospital.
The families sued, asserting that they possessed property rights in their genetic information and tissues and that these rights had been wrongfully converted. The Florida Supreme Court held that the families possessed no property right in the donated materials or in the genetic information derived from those materials. The court distinguished between the families' interests (characterized as privacy interests, not property interests) and the hospital's interests in the biological materials and derived information. Once donated, the materials and information belonged to the hospital and its research partners, not to the families that had provided them.
Both Moore and Greenberg reflected a jurisprudential conviction that property rights in biological materials and genetic information would conflict with public policy favoring biomedical research and medical progress. The courts were reluctant to impose what they viewed as transactional impediments on scientific advancement.
3.2. Emerging Trends: Toward Recognition of a Property Interest in DNA (Cole v. Gene by Gene)
Beginning in the 2020s, a counter-trend emerged in American jurisprudence, questioning whether the blanket rejection of property rights in genetic information remained justified or whether limited property interests should be recognized. The pivotal case was Cole v. Gene by Gene, Ltd., decided by the Northern District of Texas in 2023.
In Cole, a consumer had purchased a DNA ancestry test from Gene by Gene, Ltd., through its DNA.Land platform. The company's terms of service stated that the consumer granted the company and its research partners a worldwide, non-exclusive license to use the consumer's genetic data for "research and development purposes." Through this license language, the company used the consumer's DNA in genomic research and shared the data with pharmaceutical companies and academic research institutions without explicit payment to or consent of the consumer.
The consumer sued, asserting that the company had wrongfully appropriated his genetic information and that he possessed a property interest in his DNA sufficient to support claims of conversion and unjust enrichment. The plaintiff argued that genetic information should be treated as property because (1) it is sufficiently discrete and identifiable, (2) it has economic value, (3) the individual has a reasonable expectation of control over it, and (4) recognition of property interests would incentivize individuals to participate in research while ensuring they capture some portion of the value derived from their genetic contributions.
The federal court, in a notable departure from Moore and Greenberg, acknowledged that the law was in flux. While the court ultimately denied the plaintiff's motion for class certification on alternative grounds—finding that individual plaintiffs' claims were not sufficiently similar because each plaintiff had signed different terms of service—the court's opinion signaled receptiveness to the possibility that property rights in genetic information might be recognized in future cases. The court noted that the economic value of genetic information, the technical capacity to isolate and identify genetic data, and the emergence of a market for genetic information all suggested that property law concepts might be applicable.
3.3. Disruptive State Legislation: Alaska, Florida, and the Debate over Monetary Compensation
The doctrinal flux evident in Cole was mirrored by legislative developments. In 2022, Alaska enacted legislation granting individuals statutory property rights in their genetic information. Alaska Statute § 18.80.100 permits individuals to claim monetary compensation when their genetic information is used commercially without authorization. The statute establishes a statutory damages regime, allowing affected individuals to recover between $2,500 and $25,000 per violation, with enhanced damages available for willful violations.
Florida followed suit in 2023, enacting the Genetic Privacy Act, which grants individuals property rights in their genetic information and permits recovery of statutory damages, ranging from $5,000 to $100,000, for violations. The Florida Act explicitly recognizes that individuals possess a property interest in their genetic information and that unauthorized commercial use constitutes conversion.
These statutory developments represent a dramatic doctrinal shift from the Moore and Greenberg framework. Rather than treating individuals as lacking property interests in their genetic information, Alaska and Florida now recognize such interests, with monetary compensation mechanisms designed to incentivize compliance with privacy obligations and to restore to individuals some portion of the value derived from genetic research and commercialization.
The emergence of statutory property rights in DNA raises complex questions about the nature of genetic information, the proper scope of individual control over biological materials, and the balance between individual interests and scientific progress. Notably, these statutes exist in tension with the older Moore doctrine still recognized in many other jurisdictions. This doctrinal fracture across states creates uncertainty for national and multinational DTC-GT companies, which must now navigate disparate legal regimes—recognizing property rights in some states while denying them in others.
IV. Judicial Procedures and Access to Commercial Genetic Databases
4.1. Investigative Genetic Genealogy (IGG) as a Criminal Investigative Tool
Investigative Genetic Genealogy (IGG) has emerged as a powerful forensic technique, enabling law enforcement to identify criminal suspects through comparison of unknown DNA profiles against genealogical databases. The technique operates by uploading a DNA profile from a crime scene to a public genealogy database such as GEDmatch, which aggregates genetic data from multiple DTC-GT companies and genealogy platforms. The system identifies relatives of the unknown DNA donor, allowing investigators to construct a family tree and identify the likely source of the crime-scene DNA.
The power of IGG derives from the scale of available data. As of 2024, GEDmatch contained genetic profiles of approximately 20 million individuals—a substantial proportion of the ancestry-testing population across North America and Europe. By identifying distant relatives (even fifth or sixth cousins), investigators can narrow the suspect pool from millions to dozens or hundreds of individuals. Combined with additional investigative leads—geographic proximity, timing, circumstantial evidence—IGG often permits identification of specific suspects for follow-up investigation.
The success of IGG in solving violent crimes is undisputed. Since the DeAngelo case in 2018, IGG has contributed to identification of suspects in hundreds of murders, rapes, and other felonies. Judicial and prosecutorial acceptance of IGG has been swift; by 2023, IGG had become standard practice in major metropolitan police departments and federal investigative agencies.
4.2. Procedural Requirements for Database Access: Judicial Orders and the Probable Cause Standard
The legal permissibility of law enforcement access to commercial genetic databases depends on constitutional requirements governing government searches and seizures. The Fourth Amendment to the U.S. Constitution prohibits "unreasonable searches and seizures." The Supreme Court has established that a search of private information ordinarily requires a warrant issued by a neutral magistrate upon a showing of probable cause. However, the scope of this requirement depends on complex doctrinal questions about what constitutes a "search" and what expectations of privacy the Constitution protects.
The principal doctrinal question regarding IGG is whether law enforcement access to GEDmatch or similar platforms constitutes a "search" requiring a warrant. If GEDmatch and similar platforms are treated as "public" information which law enforcement may freely access, then no warrant requirement applies. If, however, GEDmatch data is treated as private information belonging to the individuals who uploaded it, then access requires a warrant based on probable cause.
In practice, the vast majority of law enforcement agencies employ a "warrant first" approach, seeking judicial approval before uploading crime-scene DNA to genealogy databases. Many jurisdictions have established protocols requiring that investigators obtain either a warrant or a grand jury subpoena authorizing database searches. These protocols recognize that while genealogy databases are publicly accessible, the comparison of crime-scene DNA against millions of user profiles implicates significant privacy interests of database users who did not expect their genetic information would be compared against law enforcement DNA profiles.
The United States Department of Justice (DOJ) issued interim guidance on forensic genetic genealogical DNA analysis in 2019, recommending that federal investigators obtain warrants or grand jury authorizations before searching genealogical databases. However, the DOJ guidance is not binding on state and local law enforcement, and compliance with the guidance varies significantly across jurisdictions. Some states have enacted statutes requiring judicial authorization for database searches; others have not.
4.3. The "Strict Necessity" Principle in CJEU and ECtHR Jurisprudence (Case C‑118/22, S. and Marper)
European jurisprudence sets a markedly more restrictive standard for the collection and retention of genetic data by law enforcement. In Case C‑118/22 (NG v. Direktor na Glavna direktsia "Natsionalna politsia", judgment of 30 January 2024), the Court of Justice of the European Union (CJEU) examined Bulgarian legislation under which the police record of a person finally convicted of an intentional offence, comprising fingerprints, a photograph and a DNA profile, was kept until the person's death, with no obligation to review whether retention was still needed. NG had been convicted of giving false testimony, was later rehabilitated, and was refused deletion of his record. The Court held that Directive (EU) 2016/680 (the Law Enforcement Directive, which governs police processing in place of the GDPR), read in the light of Articles 7 and 8 of the EU Charter of Fundamental Rights, precludes such open-ended retention: biometric and genetic data may be processed only where strictly necessary (Article 10 of the Directive), and the controller must periodically verify whether storage remains necessary and erase the data when it does not. The Court's earlier judgment in Case C‑205/21 (Ministerstvo na vatreshnite raboti, 26 January 2023), concerning the systematic collection of biometric and genetic data from every person accused of an intentional offence, applied the same strict-necessity test at the point of collection.
Both judgments treat genetic data as a special category whose processing requires heightened, individualized justification rather than blanket rules applied to whole populations. The relational dimension discussed in Section 5.3 (a profile also reveals information about biological relatives) makes indiscriminate collection and indefinite retention particularly intrusive, since the interference extends to people who were never accused of anything.
The CJEU's reasoning built upon earlier jurisprudence of the European Court of Human Rights (ECtHR) in S. and Marper v. United Kingdom, decided in 2008. In S. and Marper, the ECtHR held that indefinite retention of DNA profiles and cellular samples from individuals who had not been convicted of crimes violated Article 8 of the European Convention on Human Rights (right to private and family life). The ECtHR reasoned that retention of genetic information entailed a particularly serious interference with privacy rights and could not be justified merely by the possibility that the individual might commit a crime in the future.
These European authorities converge on a principle of "strict necessity" that contrasts sharply with the permissive approach characteristic of American law enforcement. Under it, collection and retention of genetic data by law enforcement require an individualized assessment that the processing is strictly necessary for a specific, legitimate purpose; retention limited to the period for which that necessity lasts and subject to periodic review; and no speculative storage for possible future investigations or general intelligence gathering. Where national law additionally requires judicial authorization, that is a further safeguard, not a substitute for the necessity assessment.
4.4. Specific Regulatory Models: The Case of Maryland
Maryland offers an instructive example of a state that has attempted to reconcile public safety interests with genetic privacy protections. Legislation enacted in 2021 (Md. Code, Crim. Proc. Title 17, effective October 2021) restricts law enforcement use of commercial genealogy databases. Under the statute, investigators may conduct a forensic genetic genealogy search only (1) for a specified class of serious offenses (murder, rape, felony sexual offense, or a crime presenting a substantial and ongoing threat to public safety) and after conventional investigative methods have failed, (2) with prior judicial authorization, (3) on services that give users explicit notice that law enforcement may use them and that seek users' consent to such use, and (4) subject to restrictions on downstream use, for instance prohibiting reliance on a genealogical match as the sole basis for arresting or charging a suspect. The statute also requires annual public reporting on the searches conducted.
The Maryland model attempts to balance forensic utility with privacy protection. By requiring judicial authorization and restricting use, the statute acknowledges that law enforcement access to genetic databases implicates significant privacy interests while recognizing that IGG can serve legitimate investigative purposes when properly constrained.
V. Legal Conflicts in Data Protection
5.1. The Challenge of Consent: From Informed Consent to Broad Consent
The collection of genetic data by DTC-GT companies nominally rests on the consent of users who purchase genetic testing kits, provide biological samples, and agree to the company's terms of service. However, the principle of informed consent, a cornerstone of research ethics and data protection law, faces significant challenges in the DTC-GT context.
Informed consent, as understood in biomedical research, requires (1) disclosure of all material information regarding the proposed use of biological materials and data, (2) a genuine opportunity for the individual to understand the disclosed information, and (3) a voluntary decision to participate. Traditional informed consent is specific: a researcher describes the particular study, the particular purposes for which data will be used, and the particular risks of participation. The individual consents to those specific purposes.
DTC-GT companies, by contrast, employ "broad consent" frameworks. Users agree, often by checking a box, that their genetic data may be used for "ancestry research," "health research," "development of new services," "research partnerships," and numerous other purposes, often specified only vaguely. The terms of service frequently include language permitting the company to share data with "research partners," "affiliates," and "third parties," without specifying which entities or what those entities intend to do with the information.
This shift from specific to broad consent reflects a mismatch between the legal requirement of informed consent and the commercial incentive structure of DTC-GT companies. A company's business model depends on aggregating genetic data from millions of users and monetizing that data through sale to pharmaceutical companies, research institutions, and other commercial entities. Specific consent—requiring the company to describe each intended use to each user and obtain affirmative permission—would render the business model impractical. Accordingly, companies employ broad consent language, allowing them to use genetic data for purposes the user did not specifically envision or anticipate.
The GDPR's consent requirements (Article 4(11), Article 7 and, for genetic data as a special category, the "explicit consent" of Article 9(2)(a)) set a stringent standard. Consent must be freely given, specific, informed and unambiguous, given by a clear affirmative act, presented separately from other matters in an intelligible and easily accessible form, and as easy to withdraw as to give. Broad consent that lets the controller process data for purposes not specified at the time of collection does not meet this standard. Under the purpose-limitation principle (Article 5(1)(b)), once a purpose has been specified the controller may not later use the data for a fundamentally different purpose without a new legal basis, which in this context means fresh consent.
In practice, DTC-GT companies operating in the European Union have begun to modify their consent frameworks to comply with GDPR standards, implementing more granular consent mechanisms that permit users to opt in or out of specific uses. However, compliance remains uneven, and enforcement action continues.
5.2. The Anonymization Problem: Is Genomic Anonymization Technically Possible under the GDPR?
The GDPR does not apply to anonymous data, that is, data that do not relate to an identified or identifiable natural person (Recital 26). If genetic data were truly anonymized, the requirements on consent, data subject rights, and security would fall away. Anonymization thus appears to offer DTC-GT companies a path to processing genetic data with fewer legal constraints.
However, the technical feasibility of true anonymization of genetic information is increasingly doubtful. Genetic information is uniquely identifiable; a DNA sequence constitutes a biological identifier as distinctive as a fingerprint. Moreover, with advances in computational genomics and the availability of large reference databases, it has become increasingly possible to re-identify supposedly "anonymized" genetic data.
Re-identification proceeds through familial matching. Even if a data set has been stripped of direct identifiers (name, address, account number), the genotype can be uploaded to a genealogy database and matched to genetic relatives; from the relatives' identities, public records and family trees, the identity of the ostensibly anonymous data subject can be reconstructed. A widely cited 2018 study estimated that about 60% of Americans of European descent already had a third-cousin-or-closer match in a database of roughly 1.3 million profiles, and that coverage would approach the whole population as databases grew. Removing direct identifiers is therefore pseudonymization, not anonymization: the genotype itself remains a persistent identifier.
The GDPR's test is whether the data subject can be identified by any means reasonably likely to be used, taking account of cost, time and available technology (Recital 26). Anonymization is effective only if re-identification is not reasonably likely under that test. Genetic data that can be linked to a person through genealogy-database matching arguably fail it and therefore do not qualify for the anonymization exemption.
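To make the re-identification argument concrete, the following is an added example written for this article; it is not code from the article's sources or from any genetic-testing company. It builds a synthetic population of biallelic SNP genotypes (constructed data, not real genomes), removes every direct identifier from one person's record, and matches the bare genotype against a small named "genealogy database" by identity-by-state similarity. The match lands on the person's mother and sibling, which is the familial-search step of the chain described above. The population model, marker count and scoring rule are simplifying assumptions; real services use identity-by-descent segment matching over hundreds of thousands of markers, which is more sensitive, not less.

```python
"""Toy re-identification of an 'anonymized' genotype via familial matching.

Constructed data: a synthetic population of biallelic SNPs. The 'genealogy
database' holds named profiles; the query is a genotype with every direct
identifier removed. Nothing here is real genomic data.
"""
import random
from typing import Dict, List, Sequence, Tuple

N_SNPS = 2000
Genotype = List[int]  # per SNP: count of the alternate allele, 0, 1 or 2


def make_allele_freqs(rng: random.Random, n: int = N_SNPS) -> List[float]:
    # Common variants only; rare alleles would make matching even easier.
    return [rng.uniform(0.05, 0.95) for _ in range(n)]


def sample_unrelated(freqs: Sequence[float], rng: random.Random) -> Genotype:
    # Hardy-Weinberg: two independent allele draws per SNP.
    return [(rng.random() < p) + (rng.random() < p) for p in freqs]


def transmit(g: int, rng: random.Random) -> int:
    # A parent passes one of its two alleles at random.
    if g == 1:
        return rng.randint(0, 1)
    return g // 2


def sample_child(mother: Genotype, father: Genotype, rng: random.Random) -> Genotype:
    return [transmit(m, rng) + transmit(f, rng) for m, f in zip(mother, father)]


def ibs_similarity(a: Genotype, b: Genotype) -> float:
    """Mean identity-by-state: 1.0 for identical genotypes, roughly 0.7 for strangers here."""
    return sum(2 - abs(x - y) for x, y in zip(a, b)) / (2 * len(a))


def rank_matches(query: Genotype, database: Dict[str, Genotype]) -> List[Tuple[str, float]]:
    scored = [(name, ibs_similarity(query, g)) for name, g in database.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def strip_identifiers(record: dict) -> Genotype:
    """What a naive 'anonymization' does: drop name and e-mail, keep the genotype."""
    return list(record["genotype"])


def build_scenario(seed: int = 7) -> Tuple[Genotype, Dict[str, Genotype]]:
    rng = random.Random(seed)
    freqs = make_allele_freqs(rng)
    mother, father = sample_unrelated(freqs, rng), sample_unrelated(freqs, rng)
    target = sample_child(mother, father, rng)
    sibling = sample_child(mother, father, rng)
    # Only the relatives opted in; the target never uploaded anything.
    database = {"Mother (opted in)": mother, "Sibling (opted in)": sibling}
    for i in range(50):
        database[f"Unrelated user {i:02d}"] = sample_unrelated(freqs, rng)
    # The 'anonymized' export: identifiers gone, genotype intact.
    anonymized = strip_identifiers(
        {"name": "target person", "email": "t@example.com", "genotype": target}
    )
    return anonymized, database


def reidentify(anonymized: Genotype, database: Dict[str, Genotype], top: int = 3):
    """Return the closest profiles; the top hits are the relatives that unmask the subject."""
    return rank_matches(anonymized, database)[:top]


if __name__ == "__main__":
    anon, db = build_scenario()
    for name, score in reidentify(anon, db):
        print(f"{score:.3f}  {name}")
```

With the fixed seed the two relatives score around 0.82 to 0.84 while no unrelated profile exceeds about 0.75, so the "anonymous" record is pinned to a specific family on the first query. Hashing or salting the genotype does not help either: the attacker holds the same genotype and can recompute any deterministic pseudonym. Under the Recital 26 test the relevant question is whether such a search is a means reasonably likely to be used, and with public upload sites it plainly is.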
This tension between the promise of anonymization and the technical reality of re-identifiability creates significant legal risk for companies claiming that genetic data have been anonymized. Regulatory authorities, including the European Data Protection Board (EDPB) and the national data protection authorities, have begun to scrutinize anonymization claims, requiring companies to demonstrate that re-identification is not reasonably likely.
5.3. Third‑Party Rights and "Relational Autonomy": The Impact of Data Processing on Biological Relatives
A distinctive feature of genetic information is its relational nature: genomic data reveals information not only about the individual from whom the sample was obtained but also about the individual's biological relatives. A genetic test result indicating predisposition to a hereditary disease, genetic ancestry, or carrying status for a recessive genetic condition may have implications for siblings, parents, children, and more distant relatives. These biological relatives have not consented to genetic testing and often do not even know that genetic information about them has been collected.
This relational dimension of genetic privacy creates a novel legal problem. When an individual consents to genetic testing by a DTC-GT company, does that consent authorize the company to process genetic information that reveals characteristics of the individual's biological relatives, who have not consented? The answer has profound implications for relational autonomy—the notion that individual autonomy is exercised not in isolation but through relationships with others, and therefore must account for the interests of those with whom we stand in relationship.
Some data protection frameworks have begun to recognize relational autonomy as a guiding principle. The EU's approach to genetic data has incorporated, in some contexts, the idea that genetic data processing must account for the interests of relatives. For example, when a genetic testing company proposes to share genetic data with research partners, it should arguably consider whether the data reveals information about relatives who have not consented to such sharing.
However, existing legal frameworks provide only limited recognition of relatives' interests. In most jurisdictions, the individual who provides the genetic sample is treated as the sole "data subject" whose consent is required; relatives' interests are subordinated or ignored. This creates a situation in which one person's decision to provide genetic information can expose the genetic information of their relatives without the relatives' knowledge or consent.
Some commentators have proposed that genetic data regulation should adopt "family consent" requirements, under which data collection and processing would require affirmative consent from all affected relatives. However, such requirements would be administratively burdensome—requiring, in effect, consent from potentially dozens of relatives for any genetic test. A middle approach would recognize relatives' interests as a limiting principle on an individual's consent: an individual could not consent to uses of genetic data that unreasonably threaten the privacy of close biological relatives.
5.4. The Research Exemption and Its Limits
The GDPR establishes in Article 9(2)(j) a special regime for scientific research, allowing the processing of special categories of data (including genetic data) without explicit consent, provided that the safeguards of Article 89(1) are in place. Under this umbrella the purpose limitation principle is relaxed, since further processing for research purposes is deemed not incompatible with the initial purpose (Article 5(1)(b)), and data may be retained for longer than strictly necessary for the original purpose (Article 5(1)(e)).
However, the use of this exemption by commercial DNA companies generates controversy. These entities often operate internal research units that justify the massive processing of genetic data outside user control. Article 89 of the GDPR allows Member States to introduce derogations from fundamental data subject rights—such as the right of access, rectification, restriction, and objection—if the exercise of those rights would seriously impair or prevent the achievement of research purposes.
This power of derogation, if not balanced with rigorous technical and organizational security measures (such as encryption and strict pseudonymization), risks turning scientific research into a "Trojan horse" for genetic surveillance and indiscriminate commercial exploitation. The European Data Protection Board has cautioned that the research exemption should not be interpreted to permit commercial exploitation of genetic data under the guise of research activity. Research must be genuinely scientific in character, subject to appropriate ethical oversight, and motivated by the advancement of knowledge rather than by profit maximization.
VI. Civil Liability and Data Breach Security
6.1. Security Obligations of DNA Collection Companies under the FTC and GDPR Standards
The protection of genetic data requires a standard of technical and organizational security proportional to the sensitivity of the information processed. In the United States, the FTC has stated that any entity that collects or stores genetic data is on notice that it must maintain security commensurate with the harm that disclosure could cause both to the individual and to his or her family network. Measures the Commission has identified include robust access controls, encryption of stored genetic data (rather than leaving it unencrypted in publicly accessible cloud storage), and continuous monitoring of user accounts for unauthorized access.
Under the European Union framework, the GDPR imposes similar obligations through Article 32 (security of processing), reinforced by the special-category rules of Article 9 and the requirement of data protection by design and by default in Article 25. The accountability principle (Article 5(2)) obliges DTC‑GT companies to be able to demonstrate that these measures are in place. In the United States, deficiencies in such practices led to FTC enforcement actions in 2023 against 1Health.io/Vitagene, accused of storing genetic and health data unencrypted in publicly accessible cloud storage, retroactively changing its privacy policy and misrepresenting its ability to delete data, and against CRI Genetics, accused (jointly with the California Attorney General) of deceptive claims about test accuracy and deceptive billing practices.
6.2. Analysis of Critical Incidents: The 23andMe Hack and Negligent Custody Liability
The most paradigmatic case of vulnerability in the sector is the cybersecurity incident at 23andMe disclosed in October 2023. The attacker did not exploit a flaw in 23andMe's systems; it used credential stuffing, replaying usernames and passwords leaked from other services against 23andMe logins, and succeeded on roughly 14,000 accounts whose owners had reused passwords. Through those accounts, the opt-in DNA Relatives and Family Tree features exposed ancestry results, relative lists and profile information of about 6.9 million users worldwide, approximately 6.4 million of them in the United States. The incident highlights the risk of social-networking features within genetic platforms: compromising a single account compromises the data of every relative linked to it, most of whom had strong passwords and did nothing wrong.
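The "continuous monitoring of user accounts" that Section 6.1 lists is abstract until one sees what a credential-stuffing campaign looks like in authentication telemetry. The following is an added example written for this article, not code or log data from 23andMe or any vendor: it parses a constructed authentication log (the line format, addresses and thresholds are assumptions) and flags a source that tries many distinct accounts with mostly failures, then returns the accounts that nevertheless logged in from that source, since those are the ones to lock and audit.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example: the log format, source addresses and thresholds are assumptions
for illustration, not any vendor's real telemetry. The signature sought is one
source trying many distinct accounts with mostly failures and then succeeding
on a few; those successes are the accounts to treat as compromised.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 198.51.100.23 sprays leaked credentials across many
# accounts; 203.0.113.7 is an ordinary user who mistypes a password twice.
SAMPLE_LOG = """\
2023-10-01T03:00:01Z ip=198.51.100.23 user=alice result=fail
2023-10-01T03:00:02Z ip=198.51.100.23 user=bob result=fail
2023-10-01T03:00:02Z ip=198.51.100.23 user=carol result=ok
2023-10-01T03:00:03Z ip=198.51.100.23 user=dave result=fail
2023-10-01T03:00:03Z ip=198.51.100.23 user=erin result=fail
2023-10-01T03:00:04Z ip=198.51.100.23 user=frank result=ok
2023-10-01T03:00:04Z ip=198.51.100.23 user=grace result=fail
2023-10-01T03:00:05Z ip=198.51.100.23 user=heidi result=fail
2023-10-01T03:00:05Z ip=198.51.100.23 user=ivan result=fail
2023-10-01T03:00:06Z ip=198.51.100.23 user=judy result=fail
2023-10-01T03:05:10Z ip=203.0.113.7 user=alice result=fail
2023-10-01T03:05:25Z ip=203.0.113.7 user=alice result=fail
2023-10-01T03:05:40Z ip=203.0.113.7 user=alice result=ok
2023-10-01T03:09:00Z ip=192.0.2.9 user=bob result=ok
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    successes: Set[str] = field(default_factory=set)


def parse_log(lines: Iterable[str]) -> Iterable[dict]:
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def aggregate(log_text: str) -> Dict[str, SourceStats]:
    """Per-source counters: attempts, failures, distinct accounts tried, accounts entered."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for rec in parse_log(log_text.splitlines()):
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "fail":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def detect_stuffing(
    log_text: str, min_users: int = 5, min_fail_ratio: float = 0.6
) -> Dict[str, List[str]]:
    """Return {source_ip: sorted accounts that logged in from a spraying source}."""
    flagged: Dict[str, List[str]] = {}
    for ip, s in aggregate(log_text).items():
        spraying = len(s.users) >= min_users and s.failures / s.attempts >= min_fail_ratio
        if spraying:
            flagged[ip] = sorted(s.successes)
    return flagged


def accounts_to_lock(log_text: str) -> List[str]:
    """Accounts needing a forced reset, MFA enrolment and an audit of what they viewed."""
    return sorted({u for users in detect_stuffing(log_text).values() for u in users})


if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE_LOG).items():
        print(f"stuffing source {ip}: accounts entered {users}")
    print("lock:", accounts_to_lock(SAMPLE_LOG))
```

Two caveats a practitioner would add. Real campaigns are spread across proxy networks, so a per-source rule like this one misses low-and-slow traffic and must be paired with per-account signals (new device, impossible travel, breached-password checks) and, above all, mandatory multi-factor authentication, which removes the payoff of a reused password. And because the damage in a genetic platform flows through the relative-matching feature, the audit for each locked account should cover which relatives' profiles the compromised session viewed or exported, since those relatives, not the account holder, bear most of the exposure.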
Legal liability in such incidents is often framed as negligent custody of data. In the 1Health.io/Vitagene matter, for example, the FTC alleged that the company broke its own privacy promises by storing genetic and health data in identifiable form, unencrypted and in publicly accessible cloud storage, despite assuring users that the data were kept separate from their identities. Such practices are treated as deceptive or unfair under Section 5 of the FTC Act, allowing the Commission to obtain monetary relief and to order the destruction of data and samples retained without valid consent.
6.3. Quantification of Harm and Redress: Challenges in Class Actions and the Sufficiency of Statutory Damages
Redress for harm arising from a genetic data breach presents complex procedural obstacles. In the 23andMe litigation settlement, remedial measures included five years of free genetic and privacy monitoring services, as well as reimbursements of up to $10,000 for documented expenses arising from the incident. Nevertheless, for most affected individuals, cash compensation was limited to modest sums (between $100 and $165), raising questions about whether those figures reflect the true value of the loss of privacy of immutable and heritable data.
One of the main problems in DTC‑GT litigation is the difficulty of obtaining class action certification. As seen in Cole v. Gene by Gene, Ltd., courts have sometimes denied such certifications on the ground that the harm suffered by users is individualized and depends on the specific consent forms signed by each customer. This judicial fragmentation benefits companies, which can use non‑standardized contracts to avoid mass litigation. Moreover, there is an inherent tension in the valuation of harm: while for the individual the data have a privacy value, for the company the value is aggregated and commercial. Scholars such as Gitter (2023) suggest that current statutory damages (ranging from $5,000 to $100,000 in states like Alaska) are insufficient to deter companies that generate hundreds of millions of dollars in annual revenue through the exploitation of users' genetic "raw material."
VII. Conclusions
7.1. The Need for International Harmonization in Light of the Legal Vacuum
The foregoing analysis of the legal regime for DNA collection companies (DTC‑GT) reveals a normative fragmentation that compromises global legal certainty. Whereas the United States operates under a sectoral and reactive model centered on nondiscrimination (GINA) and consumer protection (FTC), the European Union has elevated the protection of genetic data to the status of a fundamental right through the GDPR. Yet even within the European framework, a "legal gap" persists regarding the direct marketing of these tests, which are often erroneously assimilated to ordinary consumer products, circumventing the medical oversight required by laws such as Spain's Biomedical Research Act.
The rapid evolution of techniques such as IGG has outpaced legislative responsiveness, creating a scenario of legal vacuum in which corporate privacy policies—often unilaterally amendable—constitute the only real barrier between citizens' intimacy and state or commercial scrutiny. The disparity between restrictive legislation, such as Maryland's, and states with minimal regulation underscores the urgency of international harmonization to establish minimum protection standards for information that, by its hereditary nature, knows no national borders.
7.2. Toward a Balance between Scientific‑Judicial Progress and the Inviolability of Human Privacy
The success of IGG in solving heinous crimes—from the Golden State Killer to aggravated rape cases—should not serve as a "blank check" for the erosion of fundamental rights. The most recent CJEU and ECtHR jurisprudence marks a necessary turning point: the collection and processing of genetic and biometric data by authorities must be subject to the "strict necessity" principle and individual reasoning, rejecting the massive and undifferentiated storage that characterizes total surveillance models.
Likewise, the paradigm of genetic privacy must evolve toward recognition of relational autonomy. Because genomic information is structurally shared, individual consent is insufficient to protect the interests of biological relatives, who are involuntarily exposed by the decisions of their kin. The future of genetic law seems to be moving toward the consolidation of property interests in DNA—as suggested by the laws of Alaska and Florida—as a mechanism to return to the individual control over his or her "blueprint of life" and to ensure that biotechnological progress does not come at the expense of human dignity.
References
- Ansell, R. & Fagerholm, S. (2015). Legislation for forensic investigative genetic genealogy in Sweden. Forensic Science International: Synergy.
- Cabezas‑López, M. D. (2019). Informe sobre el marco legal de comercialización y uso de los Test Genéticos Directos al Consumidor en España. Ars Pharmaceutica.
- CJEU (Court of Justice of the European Union) (2024). Judgment of 30 January 2024, Case C‑118/22, NG v. Director of the National Police of Bulgaria.
- DOJ (United States Department of Justice) (2019). Interim Policy: Forensic Genetic Genealogical DNA Analysis and Searching.
- ECtHR (European Court of Human Rights) (2008). S. and Marper v. United Kingdom (nos. 30562/04 and 30566/04). Grand Chamber.
- EDPB (European Data Protection Board) (2021). Document on response to the request from the European Commission for clarification on the consistent application of the GDPR, focusing on health research.
- WilmerHale (2024). FTC Calls Out Genetic Data as an Enforcement Priority. Client alert summarizing the Federal Trade Commission's 2024 statement.
- Geary, L. (2023). A Critical Eye Toward Commercial DNA Database Criminal Procedures. The University of Chicago Law Review.
- Gitter, D. M. (2023). Achieving Genetic Data Privacy Through Enforcement of Property Rights. UC Davis Law Review.
- James, R. (2022). Uncovering Lies with Family Ties: The Use and Legal Implications of Investigative Genetic Genealogy in the United States and United Kingdom. SMU Law Review.
- Jover, J. (2026). El TJUE frena la recogida automática de datos biométricos por la policía. Diario Sabemos.
- Kroll Settlement Administration (2026). Settlement Announced in 23andMe Cyber Security Incident Litigation. PR Newswire.
- Lynch, J. (2018). Distant Relatives Aren't The Only Ones Looking for Your DNA on Genealogy Sites—Law Enforcement Is Looking, Too. Electronic Frontier Foundation.
- Noronha, S. B. (2014). Maryland v. King: Sacrificing the Fourth Amendment to Build up the DNA Database. Maryland Law Review.
- Zhang, M. (2020). Legal Analysis on the Genetic Privacy Protection: A Comparative Perspective from the United States and the European Union. University of Macau Master Thesis.