Draft Your Own Body Ownership Policy
Your medical records are protected. Your genetic data isn't. Your neural data has no legal framework at all. Map where your body rights actually stand in 2024.

You have a right to your medical records in most countries. You do not have a right to your genetic sequence in most countries. You have no rights at all over your neural data — because no law has been written for it yet. Here's where you actually stand.
In 2024, the global biometric data market reached $48.3 billion, yet 73% of countries have no specific legislation governing who owns the biological information extracted from your body. A single cheek swab can generate 3 billion data points about your genetic makeup — data that can be sold, shared, and stored indefinitely without your knowledge.
The uncomfortable truth? You assume you own your body. The law disagrees. And the gaps between what you think you control and what you actually control are growing wider as technology outpaces legislation.
Mapping the Five Domains of Body Data
Domain 1: Organs and Tissue
This is the most legally mature domain — but maturity doesn't mean clarity.
The foundational principle comes from the 1990 Moore v. Regents of the University of California decision. John Moore's spleen was removed to treat leukemia. Without his knowledge, his doctor used Moore's unique cells to develop a cell line eventually valued at $3 billion. Moore sued. The California Supreme Court ruled against him: once tissue leaves your body, you no longer own it.
[!INSIGHT] The Moore doctrine established that while you have rights over your body before removal, those rights largely vanish after. Your discarded tissue becomes legally abandoned property.
Current Protections:
- The U.S. National Organ Transplant Act (1984) prohibits selling organs — protecting you from exploitation, but also preventing you from capitalizing on your own biological material
- The EU Clinical Trials Regulation requires informed consent for tissue use in research
- The UK Human Tissue Act 2004 requires consent for storing and using human tissue
Critical Gaps:
- No universal right to know how your tissue is used after surgery
- Research exemptions allow broad secondary use of "anonymized" samples
- You cannot prevent your tissue from being used in research you find objectionable
Domain 2: Genetic Information
Your DNA is simultaneously the most personal and least protected data you possess.
When you send a saliva sample to 23andMe or Ancestry, you're not just learning about your heritage — you're contributing to a database of over 40 million genetic profiles. According to 23andMe's 2023 transparency report, they have shared anonymized genetic data with 47 research institutions and 12 pharmaceutical companies.
"Your genetic information is not just about you"
Current Protections:
- U.S. GINA (Genetic Information Nondiscrimination Act, 2008) prevents health insurers and employers from using genetic data — but doesn't cover life insurance, disability insurance, or long-term care
- GDPR in Europe classifies genetic data as "special category" requiring explicit consent
- Japan's Act on Protection of Personal Information includes genetic data as sensitive
Critical Gaps:
- No federal U.S. law prevents law enforcement from accessing consumer genetic databases (as demonstrated when GEDmatch helped catch the Golden State Killer in 2018)
- Direct-to-consumer companies can share "de-identified" data freely — and re-identification is increasingly trivial
- Family members can implicate you in crimes or reveal family secrets without your consent by uploading their DNA
[!NOTE] A 2018 study in Science demonstrated that 60% of Americans of European descent can be identified from a consumer DNA database through a relative's match — regardless of whether you ever took a test yourself.
Domain 3: Medical Records
This is your strongest legal territory — but strength is relative.
HIPAA in the United States, GDPR in Europe, and similar frameworks globally give you robust rights: you can access your records, request corrections, and limit disclosures. The HITECH Act (2009) strengthened these protections with breach notification requirements.
Current Protections:
- Right to access your complete medical record within 30 days
- Right to know who has accessed your information
- Mandatory breach notification
- Restrictions on marketing use
Critical Gaps:
- Research exemptions allow broad use of medical data without individual consent if it's "de-identified"
- Mental health records often have different, weaker protections
- The U.S. "payor exception" allows insurers extensive access to claims data
- Electronic health record systems log access but rarely audit it meaningfully
Domain 4: Biometric Data
Your face, fingerprint, voice print, and iris scan are increasingly harvested — and the law is struggling to catch up.
Illinois' Biometric Information Privacy Act (BIPA, 2008) remains the gold standard, requiring written consent before collecting biometrics and prohibiting selling that data. It's the reason Facebook paid $650 million in 2020 to settle a class action over facial recognition in photo tagging.
Current Protections:
- BIPA-style laws exist in Illinois, Texas, and Washington, and are pending in several other states
- GDPR requires explicit consent for biometric processing
- Some countries (Belgium, Portugal) have particularly strict biometric consent requirements
Critical Gaps:
- No comprehensive federal U.S. biometric law
- Law enforcement exemptions allow widespread facial recognition use with minimal oversight
- Private companies can legally collect biometrics in most jurisdictions simply by posting a policy
- Your face can be scanned in public spaces without your knowledge or consent in most countries
Domain 5: Neural Data
This is the legal frontier — and currently, it's the Wild West.
Brain-Computer Interfaces (BCIs) from companies like Neuralink, Synchron, and consumer neurofeedback devices from Muse and Emotiv can read your neural activity. This data reveals not just your commands to move a cursor, but potentially your emotional states, attention patterns, and even dream content.
[!INSIGHT] Neural data may represent the most intimate information possible — your thoughts before they become speech, your reactions before you're aware of them. Yet it has essentially no dedicated legal framework.
Current Protections:
- Colorado became the first U.S. state to include neural data in consumer privacy law (2024)
- Chile's "Neuro-rights" constitutional amendment (2021) protects mental integrity
- GDPR's general personal data provisions technically apply but aren't neural-specific
Critical Gaps:
- No federal U.S. neural data law exists
- No international framework governs cross-border neural data transfer
- Most consumer BCI apps have terms allowing broad data sharing
- Employers can legally require neurofeedback monitoring in most jurisdictions
- No standards exist for neural data retention or deletion
"We're building the planes while we're flying them. The technology is advancing faster than our ethical and legal frameworks can respond."
Diagnosing Your Body Rights: A Framework
To understand where you stand, ask these questions for each domain:
- Access: Can I see all data collected about me?
- Control: Can I prevent specific uses or revoke consent?
- Deletion: Can I require permanent erasure?
- Portability: Can I transfer my data to another provider?
- Knowledge: Will I be told if my data is breached or shared?
[!NOTE] Scoring yourself across these five questions in each domain will reveal a stark pattern: your rights decrease as the technology becomes newer and the data becomes more intimate. Medical records score relatively well. Neural data scores near zero.
The Path Forward
The legal gaps exist because technology has outpaced legislation. But awareness is the first protection. Understanding that your genetic data can be re-identified, that your tissue sample becomes abandoned property, and that your neural data has no specific protection lets you make informed choices.
Advocacy is accelerating. The Neuro-Rights Foundation, Electronic Frontier Foundation, and others are pushing for legislation. The EU's AI Act (2024) includes provisions affecting biometric systems. Individual U.S. states are expanding privacy laws.
Sources: Moore v. Regents of the University of California (1990); 23andMe Transparency Report 2023; Science Magazine, "Identity inference of genomic data using long-range familial searches" (2018); Illinois Biometric Information Privacy Act (2008); Colorado Privacy Act Amendment (2024); Chile Constitutional Amendment on Neuro-rights (2021); Dr. Rafael Yuste, Columbia University; Electronic Frontier Foundation; Neuro-Rights Foundation.


