Who Owns Your DNA? The Legal Fight Behind All of Us.

Let’s talk about something that sounds super scientific but actually hits on some very human questions—like trust, fairness, and control.

The All of Us Research Program is this massive effort led by the NIH. They’re trying to gather health and genetic data from a million people across the U.S. to help build the future of personalized medicine. If you’re thinking: “Cool, but what does that have to do with the law?” — the answer is... a lot.

When you collect blood, DNA, and detailed life info from that many people, you're not just doing science. You're entering serious legal territory: consent, data privacy, who owns your information, and what happens if things go wrong.

So... what is consent in this context?

When someone signs up for All of Us, they’re not just handing over their data for one study. They're saying, "Sure, use this for future research, whatever that may be." This kind of permission is called broad consent and it sounds practical, especially for long-term projects.

But here’s where it gets messy. If you don’t even know what kind of research is coming down the line, can your consent really be “informed”?

Even the folks running All of Us acknowledge this isn’t a simple checkbox situation. They’ve been trying to make the process more understandable, with plain language and transparency. But this is still new legal territory, and it forces us to think about whether our traditional idea of “informed consent” needs a rethink in this kind of world.

Privacy: DNA doesn’t lie or stay anonymous

Now let’s talk privacy. The All of Us team has gone to great lengths to keep people’s data secure. They’ve got encrypted systems, tight researcher access, and firewalls galore.

Still and this is important, DNA is different. You can’t fully anonymize a genome. Your genetic code is your signature. Combine it with a few other details, and it could be traced back to you.

Privacy attorney Kirk Nahra, a partner at the law firm WilmerHale, emphasized: “Does that mean there are no risks? Of course not.”

So even with the best intentions and tech, the risk of someone’s data being linked back to them isn’t zero. Which raises a big question: Are our current privacy laws actually enough? Probably not.

Who owns the data?

Let’s be real, this one hits a nerve.

When people contribute their personal information, their DNA, their story — many feel like that’s theirs. And morally, sure, it is. But legally? Not so clear.

Participants in All of Us can pull out whenever they want. They get some of their results back. That’s something. But they don’t really control how their data is used down the road. And if a company develops a profitable drug using this data... well, participants aren’t getting a check in the mail.

There’s been more and more discussion in legal circles about whether we need new structures like data trusts, or benefit-sharing agreements that could give people more say (and possibly more reward) in how their data is used. All of Us could be a real-world testbed for these kinds of ideas.

Who’s on the hook if something goes wrong?

Here’s a side of this that doesn’t get much attention: it’s not just the researchers who carry the legal weight. It’s the institutions they work for  universities, hospitals, research centers.

To get access to All of Us’ more sensitive data, those institutions have to sign legal agreements promising to play by the rules. That includes strict limits on what the data can be used for and how it’s stored. If someone messes up, the liability doesn’t stop at the individual.

This means legal departments at research institutions need to be thinking ahead not just about risk, but about culture. Are they building systems where ethical behavior is the norm, not just a checkbox?

So what’s the takeaway here?

All of Us isn’t just a science experiment. It’s a legal experiment, too.

It’s poking holes in old definitions of consent. It’s testing how far privacy laws can stretch before they snap. It’s raising uncomfortable but necessary questions about equity and ownership. And it’s putting institutions under the microscope just as much as the data they’re studying.

If you’re in law  especially health law, tech law, or ethics this is a program worth watching. It’s not about stopping progress. It’s about making sure the rules catch up to reality. Because if we get this right, we build something powerful and fair. If we get it wrong... we lose trust. And that’s a cost no one wants to pay.

Genomic Data Protection Act (GDPA)

On March 5, 2025, Senators Bill Cassidy (R-LA) and Gary Peters (D-MI) reintroduced the Genomic Data Protection Act (GDPA)—a federal bill designed to regulate how direct-to-consumer genetic testing companies handle consumer DNA data. The bill applies to companies that sell or analyze genetic testing kits, as well as businesses that purchase genomic data. It excludes healthcare providers using genetic information strictly for diagnosis or treatment.

The GDPA defines “genomic data” broadly, covering DNA, RNA, and related biological material, including deidentified data unless used solely for research in line with HIPAA regulations.

Under the bill, consumers would gain the right to access their genomic data, delete their accounts and associated data, and request the destruction of any stored biological samples. These rights would remain in place even if the company is acquired, with a mandatory 30-day notice required before any corporate acquisition, along with clear instructions for consumers on how to exercise their rights under new ownership.

Companies must also provide transparent, easy-to-read notices that explain these rights and disclose whether deidentified data may be used for research.

Violations of the GDPA would be treated as deceptive or unfair practices under the FTC Act, giving the Federal Trade Commission enforcement power. The bill was referred to the Senate Committee on Commerce, Science, and Transportation and may set a national baseline for genomic data privacy.

You Might Also Like

• Kansas Trooper Rescues 6-Year-Old Kidnapping Victim During Traffic Stop

• Pastor Marvin Sapp Accused of Holding Congregation Hostage Over $40K Offering

• Did North Dakota Mayor Tom Ross Commit Workplace Harassment — Even If It Was “Accidental”?

• CEO Murder Suspect Luigi Mangione at Center of Sex Tape Scandal

• Menendez Brothers: Could a New Confession Lead to Freedom?