Protective Features for Regulating Law Enforcement

Overview

Since 2018, lawmakers, law enforcement, defense counsel, and others have debated whether and how law enforcement should be able to tap consumer genetics platforms, like 23andMe, FamilyTreeDNA, or GEDmatch, for investigative purposes. Forensic Investigative Genetic Genealogy (“FIGG”) involves comparing crime scene DNA data to DNA profiles on consumer genetic platforms to find relatives of a possible perpetrator. Usually, the suspect is not themselves a user in the consumer genetics database. Instead, law enforcement typically find partial matches, identifying users who are likely to be genetic relatives of the perpetrator. These can be close genetic relatives, like an aunt or first cousin, or much more distant ones, like third cousins, once removed. By building family trees, investigators hope to connect the crime scene DNA profile to the partially matching relatives to identify a suspect.


Along the way, investigators can hit roadblocks in their family tree building, for instance where some parts of the genetic family have not participated in consumer genetic testing or where someone in the family tree was adopted. When that happens, investigators might approach individuals in those less developed parts of the family tree—individuals the investigators do not suspect of being the criminal perpetrator—and ask them to complete a consumer genetic test and share their results. In so doing, investigators hope to fill in missing pieces of the family tree, ultimately leading to the identification of a suspect in the case.


FIGG burst into public view with the arrest of the Golden State Killer, and law enforcement throughout the country have since used this method to identify suspects in nearly a thousand cases. As use of FIGG has expanded, so too have the types of cases in which this method has been pursued. Some consumer genetics platforms have embraced law enforcement, working openly with investigators. Other platforms, however, have resisted law enforcement access and barred it in their terms of service.


While many states do not have relevant laws on the books, some states have begun to regulate and formalize law enforcement use of FIGG. Most notably, Maryland and Utah enacted comprehensive regulatory frameworks governing this investigative method. As other policymakers consider regulation in this space, they should be mindful of several features that can make legislation more or less protective of genetic privacy, while still authorizing appropriate law enforcement use. Seven protective features are set out below.


1. Regulate law enforcement directly


Several states have enacted legislation intended to protect users of consumer genetics platforms. Most of these laws require consumer genetics platforms to provide clear notice of their privacy practices that are written in plain language, obtain express consent from consumers for using and disclosing genetic data, and establish legal policies for non-consensual data disclosure to law enforcement. But a handful of states regulate law enforcement directly, for instance by requiring law enforcement to seek familial matches only through platforms that obtain user consent to law enforcement use.


Compare . . .

California Law

(a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall do both of the following:

(1) Provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data
(2) Obtain a consumer's express consent for collection, use, and disclosure of the consumer's genetic data . . .

California Civil Code § 56.181 (emphasis added)

Utah Law

(5) When requesting an investigative genetic genealogy service or genetic genealogy database utilization from a genetic genealogy company . . . , a law enforcement agency shall:

(a) disclose to the genetic genealogy company that the request is from a law enforcement agency;

(b) only make a request to a genetic genealogy company that:

(i) provides notice to the genetic genealogy company's service users and the public that law enforcement may use the genetic genealogy company's services to investigate crimes or to identify unidentified human remains . . .

Utah Code § 53-10-403.7 (emphasis added)

These provisions appear to have the same goal—restricting law enforcement to platforms and users who have given consent—but they may have very different results. After all, in several cases already litigated, investigators have sought familial matches in databases that do not permit law enforcement use or without disclosing their law enforcement status. Investigators have posed as regular users, uploaded genetic data from crime scene evidence as if it were their own, and thus been able to seek familial matches among all users in the platform's database—even among users who have opted out of law enforcement use. Statutes regulating platforms, like California's, are unlikely to be fully successful in curbing this kind of deceptive law enforcement conduct. After all, some investigators have already demonstrated a willingness to violate terms of service or privacy policies to find a lead. Regulating law enforcement directly, however, minimizes the risk of such deceptive behavior by making it unlawful.


2. Consider a Role for Judicial Oversight


Requiring law enforcement to obtain judicial authorization before engaging in FIGG can reinforce accountability for compliance with statutory privacy protections. Judicial oversight introduces a neutral third-party decisionmaker outside of law enforcement, which can enhance trust in the system and promote good policymaking by balancing investigative needs with individual rights. States have incorporated judicial oversight in different ways.

States that regulate law enforcement conduct directly have taken divergent approaches.


Compare . . .

Montana Law

(1) A government entity may not obtain DNA or neurotechnology search results from a consumer DNA or neurotechnology database:

(a) without a search warrant or investigative subpoena issued by a court on a finding of probable cause; or

(b) unless the consumer whose information is sought previously waived the consumer's right to privacy in the information.

(2) A government entity may not obtain familial DNA or neurotechnology data search results or search results from partial matching from the DNA or neurotechnology identification index or a consumer DNA or neurotechnology database without a search warrant or investigative subpoena issued by a court on a finding of probable cause.

Montana Code § 44-6-104 (emphasis added)

Maryland Law

(a)(1) [FIGG] may not be initiated without judicial authorization and without certifying before the court that the forensic sample and the criminal case satisfy the criteria set forth in this section.

Maryland Criminal Procedure Code § 17-102 (emphasis added)

Montana requires either user consent or judicial authorization for a direct-match search, while implying that judicial authorization is always required for FIGG. Maryland requires judicial authorization of law enforcement's use of FIGG in every case and specifies the kinds of cases for which authorization is permitted. This authorization is distinct from the general standards for subpoenas or warrants. Utah, by contrast, does not require any judicial oversight before law enforcement undertakes FIGG.


Among state statutes that regulate consumer genetics platforms (rather than law enforcement directly), the language surrounding legal process and court orders varies and can be confusing.


Compare . . .

Minnesota Law

(a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company must: . . .

(3) not disclose genetic data to law enforcement or any other governmental agency without a consumer's express written consent, unless the disclosure is made pursuant to a valid search warrant or court order . . .

Minnesota Statutes § 325F.995(2)(a) (emphasis added)

Kentucky Law

(2) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall: . . .

(c) Require valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent . . .

Kentucky Statutes § 311.705 (emphasis added)

Arizona Law

A. A direct-to-consumer genetic testing company shall: . . .

3. Require a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent.

Arizona Statutes § 44-8002 (emphasis added)

As these examples make clear, some states—like Minnesota—prohibit platforms from disclosing genetic data without the user's consent unless served with a court order or warrant. Others—like Kentucky—merely require some form of "valid legal process," leaving room for misunderstanding. "Legal process" is typically a legal term of art, including summons, subpoenas, or warrants, not all of which always require judicial authorization. The term, however, is not defined in these statutes. Even more confusingly, some states—like Arizona—require "a valid legal process," which could be interpreted as requiring merely a process that is legal, rather than referring to the narrower term of art. Some platforms that cooperate with law enforcement have instituted internal review procedures for approving casework on the platform. It is unclear whether those procedures would constitute "a valid legal process," though they would not count as "valid legal process."


Finally, states that include provisions allowing criminal defendants to use FIGG typically require court approval for that use.


Compare . . .

Maryland Law

(a) A defendant in a criminal case charged with a crime of violence under § 14-101 of the Criminal Law Article or a defendant convicted of a crime of violence under § 14-101 of the Criminal Law Article and seeking postconviction DNA testing is entitled to seek judicial authorization for [FIGG] by filing an affidavit with a trial court or postconviction court . . . .

Maryland Criminal Procedure Code § 17-103 (emphasis added)

Utah Law

(2) A law enforcement agency may request an investigative genetic genealogy service or a genetic genealogy database utilization from the bureau or a genetic genealogy company if: . . .

(b) ordered by a court in accordance with a postconviction relief proceeding under Section 78B-9-301.

Utah Code § 53-10-403.7 (emphasis added)

Though Utah does not provide for judicial oversight of law enforcement's use of FIGG, it does require judicial involvement if a convicted person seeks to use FIGG to prove their innocence. Maryland requires judicial oversight in both instances, as well as for cases in which a criminal defendant (not yet convicted) seeks to use FIGG in their defense. In other states, defense or postconviction access to FIGG is unaddressed, leaving the power of this method only for the prosecution in most instances.


3. Affirm individual control over investigative use of genetic data


Nearly all states with legislation relevant to consumer genetic privacy recognize the important role of an individual's control over their genetic data. Some states limit law enforcement use to platforms that obtain affirmative consent from users for law enforcement matching. Consent from a single user can have far-flung effects, as that user's genetic data could be used to learn about or identify the user's genetic relatives, even relatives who have never participated in a consumer genetic platform. Since platforms only obtain consent from their users, and not their genetic relatives, explicit consent can play an important role in ensuring that users make a knowing and voluntary choice to participate in law enforcement efforts.


Compare . . .

Maryland Law

(d) [FIGG] may only be conducted using a direct-to-consumer or publicly available open-data personal genomics database that:

(1) provides explicit notice to its service users and the public that law enforcement may use its service sites to investigate crimes or to identify human remains; and

(2) seeks acknowledgement and express consent from its service users regarding the substance of the notice described in item (1) of this subsection.

Maryland Criminal Procedure Code § 17-102 (emphasis added)

Utah Law

(5) When requesting an investigative genetic genealogy service or genetic genealogy database utilization from a genetic genealogy company . . . , a law enforcement agency shall:

(a) disclose to the genetic genealogy company that the request is from a law enforcement agency;

(b) only make a request to a genetic genealogy company that:

(i) provides notice to the genetic genealogy company's service users and the public that law enforcement may use the genetic genealogy company's services to investigate crimes or to identify unidentified human remains;

(ii) allows a user to:

(A) opt in or out of having the user's data be accessible in an investigation requested by law enforcement; and

(B) access the genetic genealogy company's services even if the user opts out of having the user's data be accessible in an investigation requested by law enforcement; and . . .

Utah Code § 53-10-403.7 (emphasis added)

Both Maryland and Utah expressly limit law enforcement use to platforms that seek and obtain consent from users for that specific use. Maryland's requirement that platforms obtain "express consent" from users may go further than Utah's requirement that users be able to "opt in or out" of law enforcement use. Utah's formulation may allow law enforcement to use consumer genetics platforms that opt users in by default, while Maryland requires affirmative consent. Importantly, however, Utah specifies that users' power to opt out be genuine. That is, Utah mandates that users must be able to opt out of law enforcement use without giving up access to the platform as a whole. This is significant because requiring consumers to consent to law enforcement use as a condition of joining the platform compromises their ability to make free and voluntary choices.


But most states, while intending to "safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data," nonetheless permit law enforcement to get around a user's nonconsent by using some alternate process. The variety in these statutes is discussed above under the "Judicial Oversight" protective feature, though as noted there, not all of these statutes necessarily require judicial oversight at all.


Finally, some states have abandoned individual control and consent entirely where law enforcement is concerned. These states simply exempt law enforcement use from the protections their legislation otherwise creates. These blanket exemptions could confuse the public, who may believe that their legal right to control applies without regard to who is trying to use their data.


Compare . . .

Kentucky Law

(2) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall: . . .

(c) Require valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent . . .

Kentucky Statutes § 311.705 (emphasis added)

Alabama Law

Section 8-43-3: Policies and Procedures Governing the Collection, Use, Maintenance, and Disclosure of Genetic Data; Consumer Consent Requirements.
. . . .
Section 8-43-5: Applicability of Chapter.
This chapter does not apply to any of the following: . . . (3) Biological samples or genetic data lawfully obtained by law enforcement pursuant to a criminal investigation.

Alabama Code §§ 8-43-3 & 8-43-5 (emphasis added)

Kentucky's law plainly applies to law enforcement use, though it permits investigators to circumvent consumers' nonconsent by obtaining some form of legal process. In Alabama, meanwhile, wholesale exclusion of law enforcement investigative use from the protections of its law means that the state's "Genetic Data Privacy Act" leaves consumers unprotected against this use.


4. Protect third parties who are not suspects in the crime


As described above, law enforcement investigators working on FIGG may sometimes find themselves stumped due to gaps in the genealogical family tree. In those circumstances, investigators may want to collect and test DNA from non-suspect third parties—individuals in the family tree that are not suspects, but whose DNA profiles can help to fill in and complete the family tree. What rules should govern how law enforcement goes about obtaining those DNA samples? After all, the individuals whom investigators want to test are not suspected of any crime.


Most state statutes about consumer genetics platforms do not address these significant questions. Maryland and Utah, however, have addressed this issue as part of their comprehensive regulatory statutes on FIGG.


Compare . . .

Maryland Law

(f)(1)(i) Subject to subparagraph (ii) of this paragraph, informed consent in writing shall be obtained from any third party whose DNA sample is sought for the purpose of assisting [a FIGG search] and all statements made in obtaining the informed consent shall be documented from beginning to end by video or audio recording.

(ii) If the use of informed consent will compromise the investigation as demonstrated under subsection (g)(1)(ii) of this section and the third party has not already refused to consent, investigators may seek authorization to covertly collect a DNA sample in accordance with subsection (g) of this section.

. . . .

(g)(1) . . .

(ii) for a covert collection of a DNA sample of a third party, investigative authorities shall provide an affidavit to the court demonstrating that seeking informed consent from a third party creates substantial risk that a putative perpetrator will flee, that essential evidence will be destroyed, or that other imminent or irreversible harm to the investigation will occur . . .

(2) The fear that a third party will refuse informed consent may not constitute a basis for seeking covert collection of a DNA sample from the third party.

Maryland Criminal Procedure Code § 17-102 (emphasis added)

Utah Law

(3)(a) Before a law enforcement agency may collect a third-party DNA specimen for the purpose of obtaining an investigative genetic genealogy service or a genetic genealogy database utilization, the law enforcement agency shall:

(i) consult with the prosecuting agency; and

(ii)(A) obtain informed, voluntary consent from the individual providing the third-party DNA specimen; or

(B) if the law enforcement agency concludes that the case-specific circumstances provide reasonable grounds to believe that a request for informed, voluntary consent would compromise the integrity of the investigation, obtain from the prosecuting agency authorization for a covert collection of the third-party DNA specimen.

Utah Code § 53-10-403.7 (emphasis added)

Both Maryland and Utah establish informed consent from non-suspect third parties as the typical route that law enforcement must take for obtaining DNA from these individuals. Both states also provide a process for obtaining these DNA samples covertly, such as from a discarded cup. In Maryland, covert DNA collections must be approved by a judge, and the statute does not permit covert DNA collections where a non-suspect third party was previously asked for consent and refused to give it, or where investigators don't want to ask for consent because they think it may be refused. In Utah, investigators must consult with prosecutors before approaching any third party for DNA collection. This goes further than Maryland's law, by requiring investigators to consult with prosecutors for both consented and covert DNA collections alike. Covert collections in Utah, however, do not require judicial oversight and the basis for using covert methods is easier to meet. On the whole, regulating DNA collections from non-suspect third parties, as both Maryland and Utah do, is more protective of the genetic privacy of these innocent individuals.


5. Make FIGG available to prove innocence, not just guilt


Promoting justice requires that criminal defendants have fair access to FIGG, which typically requires legislation. Defense and postconviction counsel may have trouble accessing crime scene evidence for testing, since that evidence is usually held by law enforcement who may not be eager to cooperate. Moreover, defense and postconviction counsel are generally at a disadvantage in negotiating with platforms for access, particularly as many platforms limit access in their terms of service to "law enforcement" specifically.


Unfortunately, like platform terms of service, most states neglect this issue. These statutes typically require consent or some other legal process before users' genetic data is shared with "law enforcement or any other government agency." But this leaves defense-side access on unequal footing, compared with the prosecution.


Here again, Maryland and Utah stand apart from other states.


Compare . . .

Maryland Law

(b) A defendant in a criminal case charged with a crime of violence under § 14-101 of the Criminal Law Article or a defendant convicted of a crime of violence under § 14-101 of the Criminal Law Article and seeking postconviction DNA testing is entitled to seek judicial authorization for [FIGG] by filing an affidavit with a trial court or postconviction court. . . .

Maryland Criminal Procedure Code § 17-103 (emphasis added)

Utah Law

(3) A law enforcement agency may request an investigative genetic genealogy service or a genetic genealogy database utilization from the bureau or a genetic genealogy company if: . . .

(b) ordered by a court in accordance with a postconviction relief proceeding under Section 78B-9-301.

Utah Code § 53-10-403.7 (emphasis added)

Both Maryland and Utah have enacted statutes that safeguard FIGG for use in making out innocence claims. While Maryland authorizes both defense and postconviction use, Utah appears to permit defensive use only after conviction. Both states require judicial approval for this use. Maryland's statute sets out terms for defense and postconviction use that are equivalent to those governing law enforcement.


6. Consider what consequences are appropriate for violations


Meaningful consequences for violations of public policy are essential to ensure accountability and deter misconduct. Accountability, in turn, helps maintain trust in public institutions and promotes fairness and justice. Consequences that are minor or unlikely to be enforced, however, may have the opposite effect, undermining public trust and eroding confidence in the rule of law.


States have taken a variety of approaches in codifying consequences for violating consumer genetic privacy, with some more likely to prompt rule following than others.


Compare . . .

Maryland Law

(k) A person whose genetic genealogy information, FIGG profile, or DNA sample is wrongfully disclosed, collected, or maintained in violation of this title has a private right of action under relevant State law guiding tort claims, and is entitled to minimum liquidated damages of $5,000 for a violation.

Maryland Criminal Procedure Code § 17-102 (emphasis added)

Kentucky Law

The attorney general may bring an action to enforce this chapter.

Arizona Statutes § 44-8004 (emphasis added)

Utah Law

(8)(b)(i) If a court in a civil suit finds that an employee or agent of a law enforcement agency knowingly has violated a provision of this section, the court shall order that the employee or agent may not participate in another investigative genetic genealogy service or genetic genealogy database utilization under this section for one year.

(ii) A finding or order under Subsection (8)(b)(i) may not constitute cause for a judgment for monetary damages or attorney fees against the state or a governmental entity or an individual employed by the state or a governmental entity.

Utah Code § 53-10-403.7 (emphasis added)

Some states, like Maryland, authorize individuals to sue if their rights to genetic privacy are violated. A larger group of states, including Kentucky, have instead opted to permit the state attorney general or other public official to sue. Although it may appear wise to channel litigation through a state office to make sure that suits are not frivolous, in practice, the many demands on attorneys general may yield underenforcement or non-enforcement even of clear violations. This is particularly so in cases where the defendant's alleged misconduct consisted of cooperating with law enforcement. Wyoming, for its part, provides for suits both by injured individuals and by the state attorney general. Utah, meanwhile, appears to contemplate civil suits, but does not specify who may bring them. Utah's enforcement scheme is further limited by the remedy it offers for wrongdoing: barring the individual who violated the law from participating in FIGG searches for one year. The statute expressly rules out money damages as a remedy.


7. Require public reporting and review


Public reporting and review can be important because they ensure transparency and accountability, allowing legislators and the public to understand how law enforcement uses consumer genetic data. Yet few statutes today contemplate public reporting. Laws that regulate law enforcement directly top the list of those mandating public information about law enforcement use of consumer genetics platforms.


Compare . . .

Maryland Law

(a) On or before June 1 annually, the Governor's Office of Crime Prevention and Policy shall submit a publicly available report to the Governor and . . . the General Assembly, that shall include, for the preceding calendar year:

(1) the number of requests for [FIGG] made, broken down by number of requests made by prosecutors, pretrial defendants, and postconviction defendants;
[(2)-(10) various case features]

(b) A panel comprising judges, prosecutors, defense attorneys, public defenders, law enforcement officials, crime laboratory directors, bioethicists, racial justice experts, criminal justice researchers, civil and privacy rights organizations, and organizations representing families impacted by the criminal justice system, shall be convened to review the annual report each year and make policy recommendations.

Maryland Criminal Procedure Code § 17-105 (West) (emphasis added)

Utah Law

(2)(a) Beginning on January 1, 2024, a law enforcement agency shall annually on or before April 30 submit a report to the commission with the following data for the previous calendar year:

(i) the number of genetic genealogy database utilizations requested by the law enforcement agency . . . ; and

(ii) [various case features]

. . . .
(4) The commission shall: . . . (c) annually on or before August 1, publish a report of the data described in Subsection (2) on the commission's website.

Utah Code § 53-10-403.7 (emphasis added)

State statutes regulating consumer genetics platforms generally do not require these platforms to disclose how many times they permitted law enforcement to conduct FIGG searches each year, though some platforms have voluntarily undertaken such efforts. State statutes regulating law enforcement's interaction with consumer genetics platforms, by contrast, are more likely to require public reporting of relevant law enforcement data. This is the case for both Maryland and Utah, which each require relevant law enforcement entities to report to a central government body the number of FIGG searches undertaken each year, as well as key details about the kinds of cases in which FIGG was pursued. Importantly, both states require the resulting state-wide report to be made publicly available. Maryland goes further still, calling for an interdisciplinary body to review the report each year and make policy recommendations as appropriate.


Content current as of June 2025