For a better experience, click the Compatibility Mode icon above to turn off Compatibility Mode, which is only for viewing older websites.

The Data We Leave Behind: Limits of Legal Protections for Neurotechnology and Genomic Data


It is almost impossible to go through a day without leaving digital traces through activities ranging from web searches to social media postings to use of smart phone apps. These traces permit providers of web-based services to amass large amounts of personal information that can be used to discern a user’s interests, attitudes, preferences, behaviors, and other characteristics. In recent years, the companies that provide these services have begun to collect new kinds of especially sensitive biometric information, first reflecting genetic makeup and more recently reflecting neurotechnology measures of brain activity. Data on individual genetic traits and on entire genomes reveal the underlying nature of our physiological makeup, and brain data can reveal our innermost thoughts, even unconscious ones. Both kinds of data are collected on a wide scale by companies that offer testing services to customers on a direct-to-consumer (DTC) basis.

While these data are enabling tremendous medical advances, they also create new risks should they be improperly disclosed, including discrimination, psychological, and social stress from unwanted revelations, and identification of third parties. Privacy has been recognized as a human right for almost a century, both in global covenants and in American laws. However, the laws that protect privacy in the United States leave significant gaps, especially regarding personal data collected by DTC testing companies. At the same time, personal data have tremendous economic value, creating an incentive for companies to collect as much as possible. Proposed federal legislation would tighten legal oversight, but, even if enacted, its protections are limited regarding data sharing with external entities and risks to third parties. This Article proposes further reforms that would mandate standardized privacy policies for DTC testing companies that clearly disclose data protection procedures and limit data sharing with outside parties. Nevertheless, these and other new legal safeguards must be designed carefully so they protect individuals without jeopardizing opportunities for continued medical advances.