The recent arrest of the alleged Golden State Killer has ignited law enforcement interest in using consumer genetic databases to crack cold cases. The break in that case came when investigators compared crime scene DNA to other DNA profiles searchable in an online genetic genealogy database called GEDmatch. Yet consumer genetic services have responded to law enforcement interest in markedly different ways. Some have explicitly denounced law enforcement use and vowed to oppose it; others have welcomed law enforcement expressly; and some have cooperated quietly with law enforcement, while keeping their users in the dark. At almost the same time, the Supreme Court gave these platforms a new role in policing police access to their genetic resources. In Carpenter v. United States, the Court upended the seemingly categorical rule that one cannot have an expectation of privacy in data shared with another.
This Article examines the impact of Carpenter for law enforcement use of third-party DNA databases, as in the Golden State Killer case. In so doing, this Article makes three contributions. First, it joins a burgeoning scholarship in identifying Carpenter’s “test,” and demonstrates that genetic information is precisely the sort of data in which individuals may ordinarily maintain an expectation of privacy, even when that data is in third-party hands. Second, it considers the role of consumer genetic platforms in mediating police access to their resources, recasting third-party privacy practices in a more robust and nuanced role as measures of consent. Third, it assesses the privacy practices of genetic genealogy companies specifically, concluding that some plainly reinforce existing expectations of privacy in genetic data, while others have meandered their way closer to legally valid consent to government use—though none has done so with precision.