GEDmatch, the much beloved “free” site for genetic genealogy, is now the target of two class-action lawsuits that could make its corporate owners liable for billions of dollars in statutory penalties. GEDmatch appears to be taking the allegations seriously; today, they enacted new Terms of Service giving themselves permission to do what they're being sued for doing and asking you as a user to "waive your right to participate in a class action lawsuit or class-wide arbitration."
Judy Russell has written an informative summary of the changes.
If It’s Free, You’re the Product
GEDmatch was founded in 2010 and has a long-standing reputation of being a trustworthy site built by hobbyists for hobbyists. However, that was two corporate sales and more than $150 million ago.
In 2019, GEDmatch was purchased by the forensics company Verogen for approximately $15 million. At the time, the database held roughly 1.3 million DNA kits, so the sale netted about $11.50 per DNA profile.
Three years later, Verogen was, in turn, snapped up by QIAGEN, a multinational biotechnology company, for $150 million. Verogen has other assets besides GEDmatch. According to its founder, GEDmatch’s portion of the deal was valued at $60 million, or more than $33 for each of the 1.8 million kits then in the database. One wonders how they planned to recoup that investment.
There’s nothing wrong with companies making profits, of course, but many genealogists are encouraged to upload to GEDmatch under the misconception that it's just a hobby site and not a business. They don't realize that they’re giving their private genetic data to a for-profit company.
What’s more, while users may be aware that law enforcement uses GEDmatch to identify criminal suspects, they may not know that GEDmatch charges law enforcement to upload to the database. The upload fee has increased steadily since 2020 and is currently $1,000 per forensic kit and $250 per reference kit. In essence, GEDmatch is selling law enforcement access to the personal information and genetic profiles it's recreational users gave for free.
What Is a Class Action Lawsuit?
Class-action lawsuits are primarily a United States phenomenon, so you may not be familiar with them. A class-action suit typically involves one or a few individuals filing on behalf of an entire “class” of people who were all injured in a similar way. The class may represent hundreds or thousands of individuals who may not even know that they are part of the class or that they were injured.
Class-action lawsuits have pros and cons. By consolidating many individual cases into one class, the plaintiffs may benefit from economies of scale with respect to legal fees and recovery amounts. On the flip side, class action suits can be binding on everyone in the class (even if they don’t know they’re involved) and often benefit the lawyers financially more than the plaintiffs.
In the past few months, GEDmatch has been hit with not one—but two—class-action lawsuits claiming that they violated genetic privacy laws by illegally disclosing user data.
I am not a lawyer. I can’t speak to the legal merits of these two cases. What I can do is summarize them as I understand them so that you don’t have to read the legalese if you don’t want to.
Curley v. Verogen
The first case, Kristin Curley v. Verogen, Inc. was filed on 30 August 2024 in Cook County, Illinois, and moved to federal court in early October. Ms Curley represents the class of “all Illinois individuals who, during the applicable statute of limitations, (i) had a Facebook account; and (ii) uploaded their DNA file to GEDmatch.com according to Defendant’s records.”
‘Why Facebook?’ you might ask. According to the lawsuit, Verogen knowingly installed tracking software—the Meta Pixel and Facebook’s Conversions Application Programming Interface (CAPI)—on their website to communicate with Facebook for advertising purposes. Because CAPI stored data on individual user behavior on the GEDmatch website, users were unaware of it, nor could they use ad-blocker or cookie-blocker tools to prevent it from working.
Verogen did not transfer Kristin Curley’s genetic data to Facebook, but under Illinois’ Genetic Information Privacy Act of 1998, merely telling Facebook that Curley had done a DNA test violated her privacy rights. “No person may disclose or be compelled to disclose the identity of any person upon whom a genetic test is performed” without that person’s written authorization (410 ILCS 513/30(a)). Apparently, that’s precisely what GEDmatch did.
The financial penalties could be substantial. Under Illinois law, the statutory fines are $2,500 per violation if the act was negligent and $15,000 per violation if it was reckless or intentional. My back-of-the-envelope calculations suggest there could be as many as 40,000 Illinoisans who qualify to be in this class, so total penalties could theoretically exceed half a billion dollars in that case alone.
Hutcheson et al. v. Verogen
The second case, Hutcheson et al. v. Verogen Inc., is much broader in both geographic and legal scope. It was filed on 24 October 2024 in the US District Court for the Southern District of California (federal court) with plaintiffs in Alaska, Illinois, New Hampshire, New Mexico, and Oregon.
It makes three claims:
First, as in the Illinois lawsuit, Hutcheson et al. allege that Verogen violated the genetic privacy laws of Illinois, New Hampshire, and Oregon by communicating with Meta/Facebook without user consent.
Second, the suit argues that Verogen violated state privacy laws of Alaska, Illinois, New Hampshire, New Mexico, Oregon, and California1 when QIAGEN purchased it for $150 million. As part of the sale, “Verogen knowingly and purposefully disclosed to Qiagen the genetic information of every individual with a DNA file in its database at that time.” QIAGEN itself boasted that it gained “full access to Verogen’s pioneering GEDmatch database.” The sale gave QIAGEN not only knowledge that specific individuals had tested, but also the genetic information in their DNA file; personal details such as full name, email address, and sex; and any family trees uploaded to the site, all without the written consent of the individuals in the database.
Finally, the plaintiffs claim that GEDmatch disclosed private information to law enforcement against their explicit wishes in violation of the laws of Alaska, Illinois, New Hampshire, New Mexico, and Oregon.
The suit states:
from approximately 2019 (perhaps earlier) through at least July 2023, GEDmatch had a “loophole” that allowed law enforcement or other users acting on behalf of law enforcement, to view DNA files not marked as “opt in”. In so doing, Defendant disclosed the DNA files of an unknown number of individuals to law enforcement not only without their consent, but against their specific wishes. The information disclosed to law enforcement included the DNA files, names, email address, DNA kit number, and the degree to which the file was related to the law enforcement evidentiary sample.
The "loophole" in question was the subject of a shocking exposé in The Intercept involving some of the biggest names in genetic genealogy. Briefly, some forensic genetic genealogists discovered a programming flaw in GEDmatch's system that allowed them to see recreational users who were not opted in to forensic matching. They even compared notes on how best to access the forbidden profiles. (Margaret Press of the DNA Doe Project later issued a public apology.)
Whether Verogen knew about these programming holes will be a critical issue in a successful lawsuit, because the statutory penalties can be much higher for willful or reckless violations than for negligence. In Oregon, for example, Verogen would be liable for at least $5,000 per violation if they were merely negligent (i.e., they didn't know) but at least $100,000 per violation if they were reckless or knowing (i.e., they did know).
Shit Just Got Real
I've long been an advocate for informed consent when it comes to our private information. If you want your genetic profile matched to law-enforcement kits or even your every keystroke shared with Facebook, great! You should have that choice! But it needs to be a choice. You can't consent if you don't know it's happening.
These lawsuits may be the wake-up call this field needs. Our DNA profiles are not just fun and games. They're more than just a useful tool for hobbyists. They contain intensely private information, and it's time everyone started treating them as such.
1 Interestingly, none of the plaintiffs are from California.
So glad to see you here writing! I’m so weary and trying to get the latest genealogy news from Facebook.
Thanks for explaining the detail of what is going on, Leah. It's really helpful. To be honest I have been dithering between leaving data there and deleting it for a long time.