No single law guarantees you full control over what happens to your cells once they leave your body. In the United States, a landmark court ruling established that patients do not have traditional property rights over tissue removed during medical procedures. That legal gap means the question of who should have access to your cells is answered by a patchwork of consent rules, privacy protections, and institutional policies, many of which have only been strengthened after high-profile ethical failures.
The Legal Gap in Cell Ownership
The foundational case is Moore v. Regents of the University of California, widely studied in property law for denying patients ownership rights over their own tissue. John Moore’s cells, removed during cancer treatment, were developed into a profitable cell line without his knowledge or consent. The court ruled he had no property claim. That precedent still shapes how institutions treat biological samples today: once cells are removed, the person they came from has limited legal standing to control their use.
This doesn’t mean anything goes. Federal regulations require researchers to obtain informed consent before involving a person in research. But exceptions exist. If your samples are stripped of identifying information and the researcher has no way to contact or re-identify you, your cells can often be used without your explicit permission. Similarly, if the specimens or linked data are publicly available, consent requirements may not apply.
What Informed Consent Actually Covers
The revised Common Rule, the primary federal framework governing research on human subjects, sets specific expectations for what you should be told before your cells are collected. If a study involves or might involve sequencing your entire genome, the consent form must say so. Researchers collecting tissue for long-term storage and future studies that aren’t yet defined can use what’s called “broad consent,” which covers a range of approved future research rather than one specific project.
The National Institutes of Health goes further for large-scale genomic work. Even if the resulting data will be stripped of your name and other identifiers, investigators generating genomic or phenotypic data from new biospecimen collections must still obtain your informed consent. NIH also encourages researchers to get permission for broad data sharing from the outset, recognizing that genomic information can be surprisingly revealing even when names are removed.
Institutional Review Boards can waive consent for minimal-risk research on existing specimens, but only if the research couldn’t feasibly be done with de-identified samples. In other words, if there’s a way to study your cells without linking them back to you, researchers are expected to take that route.
The Henrietta Lacks Precedent
No discussion of cell access is complete without Henrietta Lacks. In 1951, cells taken during her cancer treatment turned out to be uniquely capable of surviving and dividing in culture indefinitely. These “HeLa” cells became one of the most important tools in biomedical research, used in laboratories worldwide. The original researchers gave them away freely, and the cell line and downstream discoveries became extremely lucrative. The Lacks family received no financial benefits and continued to live in poverty with limited access to health care.
The ethical failures compounded over decades. In 2013, researchers posted the entire genome sequence of a HeLa cell strain online, which was legal but revealed probabilistic genetic information about Henrietta Lacks’s living descendants, all of whom were publicly known by name. After intense criticism, the researchers removed the sequence, and the NIH director met with the family. The resulting agreement requires NIH-funded researchers who sequence HeLa cell lines to deposit data in a controlled-access database, with applications reviewed by a committee that includes Lacks family members. It was a partial remedy, but it illustrated how far the system had to be pushed before donors or their families gained any meaningful say.
Who Can See Your Genetic Information
Two major frameworks limit who can use data derived from your cells. Under HIPAA’s de-identification standard, 18 categories of identifying information must be stripped before health data can be shared without your authorization. These include your name, address, dates (except year), phone number, email, Social Security number, medical record numbers, biometric identifiers like fingerprints, full-face photographs, and any other unique identifying code. If all 18 are removed, the data is no longer considered “yours” in a legal sense, and it can circulate freely.
The Genetic Information Nondiscrimination Act (GINA) provides a different kind of protection. It prohibits employers from using your genetic information in hiring, firing, pay, promotions, or any other employment decision. Employers cannot request, require, or purchase your genetic data. On the insurance side, GINA bars health insurers from using genetic information to deny coverage or set premiums. Genetic information under the law includes not just your own test results but your family medical history. GINA does not, however, cover life insurance, disability insurance, or long-term care insurance.
Consumer Genetic Testing Companies
If you’ve sent a saliva sample to a company like 23andMe or Ancestry, you’ve entered a different access landscape. These companies state they won’t share your DNA with third parties unless you explicitly consent. But consent rates are high: at 23andMe, more than 80 percent of customers opt in to research conducted on behalf of academic, nonprofit, and industry partners. Some studies involve for-profit pharmaceutical companies. If your DNA contributes to the development of a profitable drug, there is nothing governing what the company does with that drug or requiring that profits flow back to you.
Companies like Ancestry note that sharing permission is not permanent. You can revoke it at any time through your account settings. But the practical reality of withdrawal is complicated. Data already incorporated into completed analyses or shared datasets may not be fully retrievable. The right to withdraw consent is a fundamental principle in research ethics, yet scholars have raised serious questions about whether meaningful withdrawal is even possible once biological samples have been widely distributed or used to generate derivative data.
How the EU Handles Cell Data
The European Union classifies genetic data as a “special category” under the General Data Protection Regulation, meaning it receives the highest level of legal protection. Processing genetic data is generally prohibited unless specific conditions are met. One key exception allows processing for scientific research, archiving, or statistical purposes in the public interest, even without the individual’s explicit consent, as long as EU or member state law permits it and appropriate safeguards are in place. Individual EU countries can impose additional restrictions on genetic, biometric, or health data beyond the baseline GDPR requirements, and several have done so.
New Tools for Managing Access
Traditional consent is a one-time event: you sign a form and your involvement ends. Newer approaches try to give you ongoing control. Dynamic consent platforms are personalized online systems that let research participants view study information in accessible formats, ask researchers questions, and grant or revoke consent to individual studies from home at any point. Information is updated regularly rather than provided only at enrollment.
A more flexible variation called meta consent lets you set preferences by category. You might grant broad consent for cancer research but require specific approval for studies involving commercial partners. The platform manages incoming research requests automatically based on your stated preferences, which you can change at any time. These systems reduce the administrative burden on researchers (no paper records, automated recruitment for future studies) while giving participants a genuine communication channel rather than a static signature on a form.
These tools remain relatively uncommon, but they represent a shift in thinking: from consent as a checkbox to consent as an ongoing relationship. For people whose cells sit in biobanks or whose genetic data lives on corporate servers, the difference between those two models determines whether “access to your cells” is something that happens to you or something you actively manage.