Policy Forum
Mar 2016

Shedding Privacy Along with our Genetic Material: What Constitutes Adequate Legal Protection against Surreptitious Genetic Testing?

Nicolle K. Strand, JD, MBioethics
AMA J Ethics. 2016;18(3):264-271. doi: 10.1001/journalofethics.2016.18.3.pfor2-1603.


We leave our genetic material everywhere we go. Our DNA—the building blocks of what makes us who we are, from our physical appearance, to our intelligence, to our susceptibility to stigmatized illnesses—is left behind in the hairs that fall off of our heads on the subway, the saliva we leave on the rim of a coffee cup, and the cigarette butt or chewing gum we discard on the street. Ten years ago, leaving behind DNA was of virtually no consequence—it would have been very difficult to isolate it, analyze it, and learn anything significant from it. Back then, the only people able to analyze DNA were scientists with access to laboratories and expensive equipment. Today, that has changed: direct-to-consumer (DTC) genetic testing companies make genetic analysis as easy as mailing a sample, paying $199, and waiting a few weeks to access the results online [1].

Surreptitious genetic testing happens when a sample containing a person’s genetic information is accessed without the knowledge or consent of that person and when that sample is tested without the knowledge or consent of that person. There have been some high-profile examples of concern about and perpetration of surreptitious genetic testing. An article posted online by a CNN affiliate reported that Madonna is afraid of fans stealing her DNA and thus demands her dressing rooms be wiped clean upon her departure [2]. In 2013, CNN reported that cousins of the late Princess Diana had submitted their DNA to a British ancestry DNA testing service without the family’s consent to determine the ancestral origins of the future royal children [3]. Celebrities, politicians, and other public figures are obvious targets of surreptitious genetic testing, with potential for compromise of their public positions and fame as a result of genetic revelations.

Surreptitious genetic testing could also easily be a problem for ordinary people. For example, there are Internet services offering to isolate DNA from personal items (such as sheets and clothing) in order to expose infidelity [4] and others offering to analyze the paternity of a child from swabs of the child and his or her presumed biological father [5]. Other examples of surreptitious genetic testing might include sending the genetic material of a work associate or an acquaintance to a DTC genetic testing company to glean information about the person that could be used in any number of ways. Potential employers could offer interviewees a glass of water, send DNA to be analyzed, and use information about disease risk to make employment decisions. Political candidates could steal DNA and blackmail opponents into leaving a race. Someone wondering whether to propose marriage to a romantic partner could steal DNA to secretly determine whether the potential spouse has a genetic profile that he or she considers unfavorable or that poses risk of passing an allegedly problematic trait on to future children.

No matter the intended or actual use, surreptitious genetic testing is ethically and legally problematic. In each of the examples described above, the potential for harm—whether in the form of unjust discrimination or another consequence—is generated by the genetic material having been stolen. So, surreptitious genetic testing is ethically and legally problematic not only because of potential harmful consequences of testing, but also because both sample acquisition and the acquisition of information generated by testing the sample threaten privacy. In 2013, an article published in Science showed that, even in the absence of other identifiers, such as a person’s name, an individual’s whole genome sequence alone can result in identification, by matching of the data set to publicly available data from genetic databases and other information about the person whose sample was tested [6]. As science advances, the amount and variety of personal information that can be gleaned from a single tested sample will also likely continue to expand; our wariness about privacy violations, thus, should also grow.

In its 2012 report, Privacy and Progress in Whole Genome Sequencing, the Presidential Commission for the Study of Bioethical Issues recognized these kinds of potential for harm, both instrumental and otherwise, in surreptitious genetic testing and recommended that states develop consistent minimum standards of genetic privacy protections to deter and punish the practice [7]. The Presidential Commission found a great deal of variation in state laws’ privacy protections and also found that it is difficult in some cases, due to ambiguous statutory language, to determine whether a given state adequately deters and punishes surreptitious genetic testing. As a result, the degree of protection from surreptitious genetic testing a given state confers on people depends on where they reside, where the sample is analyzed, how state law is interpreted, and other factors [7].

State Regulation of Surreptitious Genetic Testing

States have taken a variety of approaches to protecting against surreptitious genetic testing. As of March 2012, 12 states had developed comprehensive protections aimed at deterring and punishing surreptitious genetic testing, 13 others prohibited laboratories from testing samples without the consent of the person from whom the sample was taken, 9 others required consent for different reasons, and 16 states’ laws and regulations were silent on the practice [7].

For states to adequately protect individuals from surreptitious genetic testing, laws must define the following things as comprehensively as possible: who counts as a perpetrator, the type of testing prohibited, the set of contexts and settings covered, appropriate exceptions, and penalties. These are described and elaborated below. More stringent laws would also be ethically acceptable; what follows is the minimum level of protection that would adequately protect privacy.

Perpetrators. First, to achieve an adequate standard of protection, the law should protect against surreptitious genetic testing regardless of where, how, or by whom the sample was obtained. For example, instead of only prohibiting health care workers from conducting unauthorized analyses on samples obtained with informed consent, as some states do, the law should protect against unauthorized genetic analysis or testing regardless of how or by whom the sample was obtained [7].

As described above, surreptitious genetic testing can occur in a variety of contexts and can be perpetrated by almost anyone. We expect that health care professionals typically have ready access to genetic information about patients or to their biological samples from which that information can be derived, but we don’t typically expect that anyone with access to a toothbrush or used drinking glass can also conduct surreptitious genetic testing. An adequate law would deter or punish as many members of society as possible who might engage in surreptitious testing—from clinicians and laboratory employees to vindictive ex-spouses and potential employers.

In addition, adequate protections would emphasize that informed consent should be obtained not only for an initial sample collection, but also for any subsequent uses [7]. A person might consent to donate a sample for de-identified research but might object to certain analyses or tests of that sample or disclosures of information learned from that sample. Prohibiting the collection, analysis, and retention of samples containing genetic material and the disclosure of information about that sample by any person or entity without the knowledge and informed consent of the person whose sample is accessed, tested, and learned about seems to adequately cover many potential scenarios of surreptitious genetic testing, and it underscores the importance of detailed informed consent procedures.

For example, biological samples are often collected from patients in clinical settings, creating the potential for genetic analysis and a variety of subsequent uses of the data and information obtained from those samples. In the 1950s, a woman named Henrietta Lacks was diagnosed with cervical cancer. Doctors removed cells from her tumor for clinical testing, but those cells were also passed on without her knowledge or consent to a researcher and became an immortal cell line that has been used by scientific researchers around the world ever since [8]. Recently, the cell line was genetically typed, and genetic information about Henrietta Lacks and her family was published on the Internet [9]. Informed consent has vastly improved since the 1950s, but the case remains a prominent example of the importance of detailed informed consent, especially when biological material (and, thus, genetic material) is involved. This case also illuminates potential harms of nonconsensual use and sharing of information learned from samples, including threats to the privacy of not just the person whose sample is gathered and tested but that person’s family members.

Two Washington state laws prohibiting surreptitious genetic testing provide an example of inadequate privacy protections. One statute pertains to specimens of genetic material obtained solely for the purpose of a court-ordered paternity test, prohibiting people who come into contact with such specimens (such as employees of the court or of a laboratory that analyzes data for the court) from releasing genetic samples or data from those samples without the consent of the donor [10], but not prohibiting release of information obtained from other types of analyses. Another statute prohibits health care professionals with access to results of genetic analyses from releasing or disclosing them without the donor’s consent [11]. These two laws discourage release of any genetic information or of samples obtained for paternity tests by groups of people who most commonly and readily have access to genetic information. However, they do not protect against disclosure of information derived from samples obtained by unauthorized persons, much less improper collection or analysis of samples, and, therefore, do not adequately cover the most likely potential opportunities for surreptitious genetic testing.

New Hampshire state law avoids the shortcomings of the Washington state law. Its surreptitious testing law takes care to prohibit unauthorized genetic testing in the state, on any resident of the state, and on any materials obtained in the state [12]. The law is comprehensive in the scope of its definition of who counts as a violator—anyone who surreptitiously collects or analyzes another person’s genetic material or discloses another person’s genetic information falls under the purview of the law, opening them up to civil suits and damages of $1,000 or more.

Testing. Second, to achieve an adequate level of protection, the law should provide a clear definition of the type of testing or analysis it addresses. The definition provided or referenced in the statute must be neither too vague (or absent) nor too narrow. Instead, it should specifically prohibit surreptitious genetic analyses that claim to pertain to paternity, asymptomatic disease propensity, symptomatic disease, and ancestry and other analyses that potentially yield information that could be learned now or in the future by someone without the knowledge and consent of the person whose sample has been tested.

Georgia state law provides an example of a vague, and therefore a poor, definition of genetic testing. The law defines genetic testing as analysis of DNA for mutations “which are associated with a disease or illness that is asymptomatic at the time of testing” [13]. A definition limited to prohibiting testing for asymptomatic disease propensity only is too narrow and does not provide adequate privacy protection because it does not restrict surreptitious paternity testing, ancestry testing, or testing for symptomatic genetic diseases.

In New York (a state that prohibits unauthorized genetic testing but defines the term genetic test narrowly to encompass only health-related testing) [14], an odd case of surreptitious testing occurred. An artist picked up discarded cigarette butts and chewing gum on the street, sent them in for analysis, and used the information about face structure, hair and eye color, and other features to construct portraits of the people who had discarded the material [15]. This activity was not prohibited in the state because of the narrow definition of the restriction [14]. The artist did not technically engage in genetic testing under the law, which restricts the definition to testing that reveals health information but does not prohibit testing that reveals physical traits. What the law permitted—displaying artistic renditions of people’s faces in a gallery in New York City based on biological samples obtained from discarded items—could, for some, represent a serious privacy violation. This case demonstrates why a law that adequately protects people’s privacy would broadly define the scope of what constitutes a genetic test.

Encompassing various testing contexts. It is also important that states not limit their surreptitious testing protections to contexts in which people are likely to be harmed by unauthorized use of their genetic material or information. All unauthorized uses and analyses of samples and disclosures of information from those samples should be restricted. Throughout this article, examples of surreptitious testing have been cited and described in a variety of contexts, from New York City artists to medical researchers to celebrity stalkers to battling parents. Although each case and context is different and raises a different set of privacy concerns and potential consequential harms, the victims in each case deserve protection of their privacy. Wisconsin, for example, only prohibits employers from conducting genetic tests without consent [16]. It takes care to prohibit any use of a genetic test result by an employer, whether the employer ordered the analysis or gathered data from an intermediary [16]. This state attempted to protect its citizens from unauthorized use of samples and genetic information gained from those samples in the context of employment, in which a particular harm such as discrimination might result, but did not circumscribe genetic testing in other contexts.

Exceptions. It is important to acknowledge exceptions in order to avoid prohibitions on genetic testing for legitimate, legally sanctioned, and beneficial purposes. States might disagree about which exceptions are legitimate and should be state-sanctioned because a given state’s statutes or regulations hope to confer a privacy protection benefit that outweighs the potential privacy violation. But each state, in crafting laws prohibiting surreptitious testing, must be sure to consider which exceptions are important to their citizenry and avoid accidentally sweeping in scenarios that the legislature means to continue to allow. In crafting exception provisions, states can enumerate legitimate kinds of genetic testing and exempt them from coverage [7]. For example, Alaska statutes exempt genetic testing for the purposes of law enforcement, storage in the state criminal offender database, court-ordered determination of paternity, legally required newborn screening, and emergency medical treatment [17]. These are all examples of genetic testing that is legal in that state without obtaining the consent of the individual from whom the sample is derived and for which there are stated reasons, i.e., those pertaining to individual and public welfare, not to require consent.

Penalty. A perfectly crafted statute with comprehensive coverage and appropriate exemptions is nonetheless toothless without associated penalties for violation. Thus, it is important that a prohibition against surreptitious testing also provides for a remedy or a penalty, either in the form of fines or prison time (criminal law) or in the potential for private suit (civil law) in order for the law to achieve adequate protection of citizens’ privacy. If a state has a law prohibiting certain kinds of surreptitious genetic testing but does not stipulate a remedy or a penalty, then the existence of the statute might make it easier for an individual to sue a violator under tort law. Without any cases on the issue it is unclear whether such a statute would have any impact.

Alaska state law, for example, specifically defines violation of the surreptitious testing prohibition as a Class A misdemeanor [18]. In addition, it explicitly provides that a person may bring a civil action to recover monetary damages related to surreptitious testing [19]. Laws that provide for civil damages and criminal penalties ensure both remedy for the violated and deterrence for future violators.

There is still room for flexibility in state lawmaking, despite these necessary components of an adequately comprehensive law. For example, in Massachusetts, the prohibition on surreptitious testing places the burden on the laboratories and health care professionals, as opposed to individual persons doing the sequencing [20]. In crafting this law, Massachusetts’s legislature expressed its desire to protect citizens against surreptitious testing but also to place most of the responsibility for good genetic testing practices on companies, laboratories, hospitals, and clinicians.


We shed our DNA everywhere, but should we also shed our right to the privacy of the information that can be gleaned from that DNA? The Presidential Commission asserted in 2012 that the answer is clearly no [7]. But technology and industry have moved quickly, and law needs to catch up. A variety of laws regulate genetic privacy and genetic discrimination at the federal level, including the Genetic Information Nondiscrimination Act [21], the Health Insurance Portability and Accountability Act [22], and the Common Rule regulating federally funded human subjects research [23]. But DTC advertising is still inadequately regulated. Loopholes that allow surreptitious genetic testing to occur must be closed to ensure that privacy is adequately protected. States considering drafting prohibitions against surreptitious testing should ascertain that all of the elements of protection discussed in this article are included. Sealing up the current patchwork of protections will allow genome science and technology to continue to advance, with less threat of privacy breaches and other harms resulting from unauthorized collections and analyses of genetic material or unauthorized disclosures of genetic information.



  1. 23andMe. How it works. https://www.23andme.com/howitworks/. Accessed January 15, 2015.

  2. Madonna is scared of fans stealing her DNA. IBNLive. June 25, 2012. http://www.ibnlive.com/news/music/madonna-is-scared-of-fans-stealing-her-dna-484158.html. Accessed November 27, 2015.

  3. Wilkinson P. DNA tests reveal Prince William’s Indian ancestry. CNN. June 14, 2013. http://www.cnn.com/2013/06/14/world/europe/britain-prince-william-india/. Accessed November 27, 2015.

  4. Test Infidelity. Forensic infidelity test. http://www.testinfidelity.com/forensic-infidelity-test.php. Accessed November 27, 2015.

  5. Identigene. How does the paternity test kit work? https://dnatesting.com/how-the-paternity-test-kit-works/. Accessed December 16, 2015.

  6. Gymrek M, McGuire AL, Golan D, Halperin E, Erlich Y. Identifying personal genomes by surname inference. Science. 2013;339(6117):321-324.

  7. Presidential Commission for the Study of Bioethical Issues. Privacy and Progress in Whole Genome Sequencing. October 2012:79-80, appendix IV. http://bioethics.gov/sites/default/files/PrivacyProgress508_1.pdf. Accessed November 7, 2015.

  8. Skloot R. The Immortal Life of Henrietta Lacks. New York, NY: Broadway Paperbacks; 2011.

  9. Lacks family reach understanding to share genomic data of HeLa cells [news release]. Bethesda, MD: National Institutes of Health; August 7, 2013. http://www.nih.gov/news-events/news-releases/nih-lacks-family-reach-understanding-share-genomic-data-hela-cells. Accessed January 15, 2016.

  10. Wash Rev Code sec 26.26.450.

  11. Wash Rev Code ch 70.02 RCW.

  12. NH Rev Stat Ann. sec 141-H:1-141-H:6.

  13. Ga Code Ann sec 33-54-2.

  14. NY Civ Rts Law sec 79-1.

  15. Angley N. Artist creates faces from DNA left in public. CNN. September 4, 2013. http://www.cnn.com/2013/09/04/tech/innovation/dna-face-sculptures/. Accessed November 27, 2015.

  16. Wis Stat sec 111.372.

  17. Alaska Stat sec 18.13.010.

  18. Alaska Stat sec 18.13.030.

  19. Alaska Stat sec 18.13.020.

  20. Mass Ann Laws ch 111 sec 70G.

  21. Genetic Information Nondiscrimination Act of 2008, Pub L No. 110-233, 122 Stat. 881.

  22. Protection of Human Subjects, 45 CFR sec 46 (2009).

  23. Health Insurance Portability and Accountability Act, 29 USC sec 1181-82, 42 USC sec 300gg-41.





The viewpoints expressed in this article are those of the author(s) and do not necessarily reflect the views and policies of the AMA.