The Health Insurance Portability and Accountability Act, known as HIPAA, protects individuals’ medical information when it’s handled by doctors, hospitals, and health insurance companies. This applies to genetic tests ordered by your doctor but not to those you can buy online directly from companies like 23andMe and Ancestry because these kits aren’t considered medical tests. As a result, the companies have largely operated in a legal gray area.
But a growing number of states are adopting genetic privacy laws in an effort to close these gaps. California became the latest on October 6 when Governor Gavin Newsom signed into law the Genetic Information Privacy Act, which puts restrictions on the data collected by direct-to-consumer DNA testing companies.
SB 41, which goes into effect in January, requires customers to give express consent before their genetic data can be used for scientific research or shared with a third party. If customers consent to having their data used for research, companies must provide a simple way for them to opt out at any time.
“Consumers have an inherent right to privacy,” says Maureen Mahoney, a technology and privacy policy analyst at Consumer Reports.