THE SEARCH for the so-called Golden State Killer — who allegedly raped dozens of women and killed at least 12 people in the 1970s and 1980s — had hit a dead end when investigators decided to test DNA evidence from a crime scene against genetic data on GEDmatch, a website of volunteered samples. Eventually, this technique helped investigators close one of the most notorious cold cases in recent history — but it also raised important questions about the privacy rights of customers. How and when should genetic testing companies share data with third parties such as researchers, websites or law enforcement officials? And do companies have an obligation to inform users that their information has been shared?
These concerns were heard in the genetic-testing industry. A number of popular companies, including Ancestry and 23andMe, recently committed to a new set of best practices governing how and when they would collect, use and share customers’ DNA. Among these guidelines are promises that the firms would obtain “separate express consent” from users before sharing their genetic information, use robust information security and... see more