California AB 1727 criminalizes nonconsensual sale, testing, and disclosure of DNA

Creates three tiers of criminal offenses for unauthorized use of DNA and genetic data, with prison terms, fines, and broad law‑enforcement and institutional carveouts.

The Brief

AB 1727 makes it a crime in California to handle another person’s DNA or genetic data without that person’s express consent. The bill defines genetic data broadly (including raw sequence data, genotype/phenotype interpretations, and health information submitted for analysis), specifies how ‘‘express consent’’ must be obtained, and creates three criminal tiers—sale/transfer, testing/disclosure, and collection/retention—each carrying jail time and fines.

The measure matters because it moves common civil and commercial practices into the criminal code: data brokers, labs, and private actors who buy, test, or disclose genetic material could face prosecution. At the same time, the bill carves out broad exceptions for law enforcement, HIPAA-covered entities, compliant direct‑to‑consumer firms, and higher education, creating uneven protections and important implementation questions for compliance teams and prosecutors.

At a Glance

What It Does

The bill outlaws, without express consent, (1) selling or transferring someone’s DNA or genetic data, (2) submitting or conducting genetic tests on another person’s sample, and (3) collecting or retaining samples with intent to analyze or by unauthorized computer access. It defines ‘‘genetic data’’ and requires ‘‘clear and prominent’’ disclosures before consent.

Who It Affects

Consumer genetic testing companies, data brokers who buy or sell DNA, independent laboratories, private investigators and employers that collect DNA, and compliance and legal teams advising these organizations. Individuals who test others’ DNA—whether commercially or privately—also fall within the statute’s reach.

Why It Matters

AB 1727 shifts certain commercial and private uses of genetic material from civil exposure to criminal liability, imposes explicit consent mechanics, and leaves sizable carveouts for law enforcement, HIPAA‑covered entities, and universities—altering risk profiles for businesses and sharpening enforcement issues for prosecutors and defense counsel.

What This Bill Actually Does

The bill starts by defining key terms. ‘‘DNA sample’’ covers any human biological specimen or the DNA extracted from it; ‘‘genetic data’’ is deliberately broad and includes raw sequencing output, derived genotype or phenotype interpretations, and health details a consumer provides to a testing company. Importantly, the bill excludes ‘‘deidentified data’’ from that definition, but does not specify what degree of deidentification is sufficient.

Consent under the bill is ‘‘express’’ only after a person receives a clear and prominent disclosure about how a sample or genetic data will be collected, used, retained, or disclosed for a specified purpose; consent must be given by an affirmative action. The statute allows a single express‑consent authorization to cover every instance of a specified use—meaning a one‑time agreement can permit repeated downstream uses if the disclosure was broad enough.

AB 1727 creates three criminal tiers. The most serious—first degree—targets intentionally selling or otherwise transferring another person’s DNA sample or genetic data without express consent and carries the heaviest jail terms and fine. The second tier criminalizes submitting a sample for testing, conducting genetic testing, or disclosing genetic data without consent, and includes a narrow safe harbor when the data was previously voluntarily disclosed by the data subject.

The third tier criminalizes collecting or retaining samples with intent to analyze them, and adds a computer‑access clause that reaches genetic information obtained by unauthorized access or exceeding authorized access to a computer system.

The bill adds two structural rules: every discrete act (collection, submission, disclosure) is a separate offense, multiplying exposure for ongoing conduct; and a set of exceptions excludes law enforcement and prosecutorial uses, compelled disclosures via court order, DTC testing companies that comply with an existing California civil code section, HIPAA covered entities and business associates, and public or private higher education institutions. Those carveouts narrow who is at criminal risk but also concentrate the statute’s effect on private‑sector actors and non‑institutional individuals.

Practically, enforcement will hinge on proving lack of express consent and the defendant’s intent, and companies will need to reassess consent language, data flows, and contractual arrangements with buyers or labs.

The Five Things You Need to Know

1. The bill defines ‘‘genetic data’’ to include raw sequence data, derived genotype/phenotype information, and health information provided to a genetic testing company, but explicitly excludes deidentified data.
2. First‑degree unlawful use covers intentionally selling or otherwise transferring another person’s DNA sample or genetic data without express consent and is punishable by three, four, or five years in county jail, a fine up to $15,000, or both.
3. Second‑degree unlawful use criminalizes submitting a person’s sample for testing, conducting genetic testing, or disclosing genetic data without consent, with penalties of 16 months, two, or three years in county jail, or a fine up to $7,500; the bill does not penalize disclosures of data the subject previously voluntarily disclosed.
4. Third‑degree unlawful use targets collection or retention of another’s sample with intent to analyze it and collection/retention obtained through unauthorized computer access, punishable by up to one year in county jail or a fine up to $6,000.
5. The statute lists broad exceptions: law enforcement and prosecutorial uses, compelled court or federal law disclosures, DTC firms complying with California Civil Code section 56.18, HIPAA covered entities and business associates, and public or private higher education institutions.

Section-by-Section Breakdown

Section (a)

Definitions and scope of ‘‘DNA’’ and ‘‘genetic data’’

This section provides the operational vocabulary the rest of the bill uses: DNA, DNA sample, genetic testing, genetic data, and express consent. The genetic data definition is expansive—covering raw sequencing output, interpretations, and user‑provided health information used in analysis—and expressly excludes deidentified data. From a compliance standpoint, this is where organizations must map what in their systems counts as ‘‘genetic data’’ under the statute and whether any datasets qualify as ‘‘deidentified.’’

Section (b)

Express consent: disclosure standard and scope

The bill mandates a ‘‘clear and prominent’’ disclosure about collection, use, retention, or disclosure for a specific purpose before someone may give express consent, and requires an affirmative action to demonstrate consent. It also allows one expression of consent to authorize repeated instances of a specified use. That combination raises operational questions about how granular disclosures must be, how affirmative consent must be logged, and whether broad consent forms used today will satisfy the statute’s specificity requirement.

Section (c)

First‑degree unlawful use: sale or transfer of DNA

This provision criminalizes intentionally selling or otherwise transferring another person’s DNA sample or genetic data without express consent, regardless of whether the original collection was consented to. The phrase ‘‘sell or otherwise transfer’’ is left undefined, meaning transfers for payment, barter, or possibly contractual sharing could trigger liability. The penalty structure places this at the top tier of severity, which signals the legislature’s aim to deter commercial trade in others’ genetic material.

Section (d)

Second‑degree unlawful use: testing and disclosure

The second tier covers submitting someone’s sample for genetic testing, conducting testing, or disclosing genetic data without express consent. It includes a limited carveout: disclosure does not violate the provision if the genetic data was previously voluntarily disclosed by the data subject (or their guardian/representative). Practically, this makes provenance of data critical—companies and third parties must track whether the subject previously disclosed the same genetic data and maintain records proving that voluntary disclosure.

Section (e)

Third‑degree unlawful use: collection, retention, and unauthorized computer access

Third‑degree liability attaches to collecting or retaining someone’s DNA sample with intent to analyze it, and to collecting or retaining samples or genetic information by accessing a computer system without authorization or by exceeding authorized access. This provision imports a computer‑access angle that can reach data thieves and insiders who exfiltrate genetic information, expanding the statute beyond purely physical collection to digital misappropriation.

Section (f)

Multiplying effect: each act is a separate offense

The bill treats each instance of collection, retention, submission, analysis, or disclosure as a separate violation. For ongoing conduct—multiple disclosures to different buyers, repeated testing events, or successive uploads to databases—this multiplication can dramatically increase exposure and potential aggregate penalties for a single defendant or company.

Section (g)

Enumerated exceptions and carveouts

Section (g) lists exceptions that remove many institutional actors from criminal exposure: law enforcement and prosecutors using DNA for enforcement, compelled court or federal law disclosures, DTC companies that comply with a specified California civil code, HIPAA covered entities and business associates, and public/private higher education institutions. These carveouts narrow the law’s bite but raise interpretive questions about borderline actors and downstream data flows from exempt to non‑exempt parties.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Consumers and individual DNA subjects — The bill strengthens criminal penalties against unauthorized sale, testing, and disclosure, giving individuals greater leverage to prevent private actors from exploiting their genetic material and raising the cost of abusive practices.
  • Relatives and family members — Because genetic data inherently reveals familial relationships, the statute protects relatives from having their information inferred or exposed through surreptitious testing of a kin member.
  • HIPAA‑covered entities and higher education researchers — The explicit carveouts provide regulatory certainty for clinical providers, insurers, and university research programs that already operate under federal privacy rules, reducing their criminal exposure.
  • Privacy advocates and compliance officers — The law raises industry norms and creates clearer criminal deterrents that privacy advocates have sought, while compliance teams get a precise statutory target for remediation efforts.

Who Bears the Cost

  • Data brokers and third‑party buyers of genetic data — Companies that purchase, aggregate, or resell genetic datasets face heightened criminal risk and will need new provenance controls, contractual protections, and audit trails.
  • Independent labs and startups outside HIPAA or university settings — Smaller labs that accept samples from consumers or third parties must reassess intake procedures and consent documentation to avoid criminal liability.
  • Private investigators, employers, and individuals who obtain DNA surreptitiously — Practices like picking up discarded items to test DNA could become criminal acts if done without express consent.
  • Courts and prosecutors — The statute’s per‑instance counting, intent element, and broad exceptions will create evidentiary and discretionary burdens that could increase caseload complexity and resource demands.

Key Issues

The Core Tension

The bill pits individual genetic privacy against the legitimate commercial, research, and law‑enforcement uses of DNA: it criminalizes many private and commercial practices to protect people from misuse of their genetic information, yet it simultaneously exempts institutions (law enforcement, HIPAA entities, universities) whose access and uses may be extensive—creating a policy trade‑off between strong individual protections and preserving socially beneficial uses of genomic data.

AB 1727 advances a clear policy objective—protecting genetic privacy—but leaves several operationally significant ambiguities. The statute does not define ‘‘sell or otherwise transfer,’’ so ordinary business practices like licensing sequence data, sharing datasets for research, or transferring data between affiliated companies could be caught unless carefully structured.

The exclusion of ‘‘deidentified data’’ is helpful in theory; in practice it raises technical and legal questions about what degree of deidentification suffices given the risk of reidentification from genomic datasets.

The consent rules create another tension. Requiring ‘‘clear and prominent’’ disclosure and affirmative consent raises the bar, but permitting a single consent to authorize recurring uses invites broad, blanket consent forms that may undermine the statute’s privacy protection aim.

The ‘‘intentional’’ mens rea helps shield accidental or negligent acts from criminal liability, but proving intent or disproving that a subject previously ‘‘voluntarily disclosed’’ their data will burden prosecutors and defense counsel alike. Finally, the enumerated exceptions concentrate protections among powerful institutional actors—law enforcement, HIPAA entities, compliant DTC firms, and universities—while pushing criminal liability toward commercial intermediaries and private actors, which could channel valuable genomic data away from independent research or innovation unless carefully managed.
