When police finally captured Joseph James DeAngelo, the alleged Golden State Killer who had eluded arrest for decades, they used DNA evidence to track him down. The investigators who finally pieced together enough information to make the arrest did not rely on law enforcement databases; they compared crime-scene DNA against profiles that distant relatives had voluntarily uploaded to a public genealogy database.
But few people realize that if they purchase a DNA kit from a commercial site such as Ancestry.com or 23andme.com, the privacy policy of each states that the information in your DNA may well be shared with, or sold to, other businesses and even the police without your knowledge or consent.
Other than the attorneys who write them, few – if any – people bother to read the privacy policy of any website they visit or business they buy something from online. So it's unlikely that anyone who ordered a DNA kit from the two most popular testing sites realizes how their information might be used once they send off a swab. Facebook users were largely unaware that the social media leviathan was reaping huge profits by selling information about their friends, likes, click-throughs and comments made on various posts.
Likewise, hardly anyone who sends off a kit to learn whether they are likely to suffer from celiac disease, contract cancer or go bald realizes that all of that data is likely to be sold off to other businesses as well.
A doctor or hospital is prohibited from doing this by the Health Insurance Portability and Accountability Act (HIPAA). Yet a commercial business that is not a HIPAA-covered entity is allowed to profit from your very private information, whether it is DNA markers, financial matters or what you "like" on a social media site.
Watching the growing number of hacks, leaks and deliberate exploitation of people's information, I believe strongly, as a privacy, data security and protection attorney, that it is time for the United States Congress to enact a statute comparable to Illinois' Biometric Information Privacy Act (BIPA), which has been on the books for a decade; the European Union's General Data Protection Regulation (GDPR), which becomes enforceable on May 25; and Canada's PIPEDA, whose mandatory breach-reporting rules take effect Nov. 1.
In the U.S., there is only a patchwork of sector-specific laws, regulations and agencies. No single regulator has the authority, as regulators do under GDPR and PIPEDA, to compel businesses to take proactive steps to protect their customers' private information. Responsibility is decentralized, and there is no equivalent of the GDPR or PIPEDA.
Given the attitude of the Trump Administration toward regulation in general, it seems unlikely that a Republican-controlled Congress will tackle writing and passing any meaningful data protection and privacy legislation. This is unfortunate because, as we saw first with Facebook and more recently with Twitter, many businesses have no qualms about profiting from the data they collect on users and customers. Indeed, Twitter had the audacity to announce unequivocally that it will sell content generated by its users to businesses, colleges and universities, and even police departments monitoring non-criminal activities such as protest marches and demonstrations.
Perhaps the only real hope for a genuine American data protection and privacy law is that Congress changes hands in November, or that enough state legislatures follow Illinois' lead and enact their own versions of BIPA. Such a law is long overdue; the United States is about to become the last major industrialized nation that does not protect the privacy of its citizens against the use and misuse of their data.
By Marcus Harris