UC Irvine Law Review

We often think of DNA as a unique personal identifier. Yet, as of 2019, direct-to-consumer (DTC) genetic testing companies have amassed the genetic data of more than twenty-six million consumers. This raises the concern that companies do not uniformly protect consumers’ genetic privacy. Substantiating such concerns are complaints that companies permit law enforcement access to their databases, sell consumer genetic information to third parties, pursue drug development, and suffer data breaches.

Regulators have been slow to respond to this emerging privacy issue. The current legal framework is largely inadequate: there is no federal data-privacy law; courts and agencies are ill-equipped or lack directive to tackle a privacy issue of this magnitude; and current genetic-related laws focus on notice, informed consent, and antidiscrimination. However, recently enacted state data-privacy laws like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) may serve as a legal framework to address privacy in the DTC genetic testing context.

Under the CCPA and CPRA, the right to delete promises to give control back to consumers over their genetic information. However, further genetic-specific regulations under the CCPA and CPRA, or a separate genetic-privacy statute, are needed to protect privacy in the DTC genetic testing context while balancing against legitimate business and governmental interests. This Note attempts to delineate how such a balance can be achieved.