By: Paul Zajde

In 2018, California detectives famously used forensic evidence from a commercial DNA database to catch the Golden State Killer thirty-five years after his last murder, but privacy experts were not impressed with this scientific feat.[1] The database, GEDmatch, which hosts over a million users, was searched by law enforcement without a warrant or subpoena.[2] This was—and generally remains—entirely legal thanks to the third-party doctrine, which exempts the government from needing a warrant to search information held by a third party.[3] 23andMe and Ancestry, DNA databases with over fifteen million users combined, consider the third-party doctrine bad for business as customer concerns over privacy grow.[4] The industry therefore stands to gain from Montana and Maryland’s new restrictions on law enforcement searches of commercial DNA databases.

Montana passed into law H.B. 602 on May 7, 2021.[5] The statute provides that “a government entity may not obtain DNA search results from a consumer DNA database . . . without a search warrant . . . unless the consumer whose information is sought previously waived the consumer’s right to privacy in the information.”[6] The privacy waiver exception was not in the original bill, and privacy advocates argued that the enacted law will have little effect since most consumer DNA databases require a privacy waiver of some kind.[7] Notably, the privacy waiver exception does not apply to familial DNA search results, which was the method used to identify the Golden State Killer.[8] Search results from partial matching will also require a warrant irrespective of a privacy waiver.[9]

Maryland enacted a similar law on May 30, 2021.[10] However, instead of a warrant supported by probable cause, the Maryland statute only requires “judicial authorization.”[11] Authorization may only be granted in cases of murder, rape, felony sexual assault, “or a criminal act involving circumstances presenting a substantial and ongoing threat to public safety or national security.”[12] Further, before seeking authorization to search a commercial database, law enforcement must first search the Maryland DNA database and the National DNA database to no avail.[13]

Importantly, the Maryland statute prevents law enforcement from searching commercial databases unless the database “[p]rovides explicit notice to its service users . . . that law enforcement may use its service to investigate crimes or to identify human remains.”[14] Law enforcement may also seek authorization to access forensic material in a commercial database if the individual’s informed consent is obtained in writing.[15] This forensic material must be destroyed upon completion of the investigation.[16] The law also provides criminal penalties and a civil cause of action for violations of the statute.[17]

Ancestry claims that it received “no valid requests for access to customers’ DNA data between January 1 and June 30, 2021.”[18] Likewise, 23andMe claims that there have been no instances “where data was produced without prior, explicit consent by the individual specified in the request.”[19] Both companies have publicly stated that they do not voluntarily collaborate with law enforcement, and these laws will likely legitimize those claims and help the companies acquire new, privacy-conscious consumers.[20]

For example, pursuant to Maryland’s new statute, 23andMe and Ancestry could render their databases inaccessible to police by not providing “explicit notice to [their] service users .  .  . that law enforcement” could access their databases.[21] If new user agreements reflect this change, 23andMe and Ancestry should be able to concretely shield their customers from police searches in Maryland.[22] These new Fourth Amendment protections are likely to be featured in marketing campaigns to obtain customers who currently do not trust the relationship between these companies and law enforcement.[23]


[1] See Gina Kolata and Heather Murphy, The Golden State Killer Is Tracked Through a Thicket of DNA, and Experts Shudder, N.Y. Times (Apr. 27, 2018), https://www.nytimes.com/2018/04/27/health/dna-privacy-golden-state-killer-genealogy.html.

[2] See id.; see also GEDmatch partners with Genetic Affairs to offer new tools for users, Verogen (Apr. 7, 2021), https://verogen.com/gedmatch-partners-with-genetic-affairs-to-offer-new-tools-for-users/.

[3] See John Villasenor, What You Need to Know about the Third-Party Doctrine, The Atlantic (Dec. 30, 2013), https://www.theatlantic.com/technology/archive/2013/12/what-you-need-to-know-about-the-third-party-doctrine/282721/. But see Carpenter v. United States, 138 S. Ct. 2206 (2018) (requiring the government to obtain a warrant when seeking seven days of cellphone GPS data from a suspect’s phone provider).

[4] See Alex Gangitano, DNA testing companies launch new privacy coalition, The Hill (June 25, 2019), https://thehill.com/regulation/lobbying/450124-dna-testing-companies-launch-new-privacy-coalition.

[5] H.B. 602, 67th Leg. (Mont. 2021), https://leg.mt.gov/bills/2021/sesslaws/ch0413.pdf (intending the law to be codified in Title 44, chapter 6, part 1 of the Montana Code Annotated).

[6] Id.

[7] See Austin Amestoy, Bill Seeks Warrant Requirement for Searches of Consumer DNA Databases, Mont. Pub. Radio (Apr. 9, 2021), https://www.mtpr.org/montana-news/2021-04-09/bill-seeks-warrant-requirement-for-searches-of-consumer-dna-databases (discussing the evolution of H.B. 602).

[8] H.B. 602; see Familial DNA Searches, FindLaw (Feb. 6, 2019), https://www.findlaw.com/criminal/criminal-rights/familial-dna-searches.html (providing background on the different types of DNA searches).

[9] H.B. 602.

[10] H.B. 240, 2021 Leg. Sess. (Md. 2021), https://mgaleg.maryland.gov/2021RS/Chapters_noln/CH_681_hb0240e.pdf (entering into effect on October 1, 2021 via Title 17 of the Maryland).

[11] Id. § 17-102(A) (“A sworn affidavit shall be submitted by a law enforcement agent with approval of a prosecutor from the relevant jurisdiction . . . .”).

[12] Id. § 17-102(B)(1).

[13] Id. § 17-102(B)(3).

[14] Id. § 17-102(D) (requiring user acknowledgement and consent to the law enforcement notice).

[15] Id. § 17-102(F) (permitting covert DNA collection “[i]f the use of informed consent [will] compromise the investigation . . . [pursuant to § 17-102(G)(1)(II)]”).

[16] Id. § 17-102(F)(3)(VI)(2).

[17] Id. §§ 17-102(I), 17-102(K).

[18] Ancestry Transparency Report July 2021, Ancestry.com (Aug. 2, 2021), https://www.ancestry.com/cs/transparency (reporting five non-DNA law enforcement requests during that time period).

[19] Transparency Report, 23andMe (May 14, 2021), https://www.23andme.com/transparency-report/ (reporting seven unfulfilled data requests regarding ten 23andMe accounts).

[20] Virginia Hughes, Two New Laws Restrict Police Use of DNA Search Method, N.Y. Times (May 31, 2021), https://www.nytimes.com/2021/05/31/science/dna-police-laws.html; see Zack Whittaker, Ancestry says it fought two police requests to search its DNA database, TechCrunch (Feb. 10, 2021), https://techcrunch.com/2021/02/10/ancestry-police-warrant-dna-database/; see also Alex Gangitano, DNA testing companies launch new privacy coalition, The Hill (June 25, 2019), https://thehill.com/regulation/lobbying/450124-dna-testing-companies-launch-new-privacy-coalition.

[21] See H.B. 240, 2021 Leg. Sess. (Md. 2021) § 17-102(D).

[22] See Id.

[23] See Alex Gangitano, DNA testing companies launch new privacy coalition, The Hill (June 25, 2019), https://thehill.com/regulation/lobbying/450124-dna-testing-companies-launch-new-privacy-coalition.

Share this post