IF YOU’VE EVER spit into a plastic tube or swabbed your cheek and mailed your saliva away to learn about your ancestry or health risks, you might have assumed that the company analyzing your DNA is legally required to keep your genetic data private. But you’d be wrong.
The Health Insurance Portability and Accountability Act, known as HIPAA, protects individuals’ medical information when it's handled by doctors, hospitals, and health insurance companies. This applies to genetic tests ordered by your doctor but not to those you can buy online directly from companies like 23andMe and Ancestry because these kits aren’t considered medical tests. As a result, the companies have largely operated in a legal gray area. Firms write their own privacy policies that customers agree to when they purchase a kit, but the companies can change these policies at any time.
That’s a problem, since genetic data can reveal all sorts of sensitive information about you—your ethnicity, your family connections, and even your likelihood of developing Alzheimer’s disease or certain cancers. Law enforcement officers are increasingly using consumer...