Twenty years ago, you had about a 1 in 6 billion chance of knowing someone who’d had their DNA sequenced. Today, almost every American can name someone who’s had some form of genetic testing.

The rise of DNA data has legal experts increasingly concerned that the United States is not effectively protecting consumers from the many privacy risks that now loom before them. “What in heaven’s name is the law in genomics? That is not that easy to answer,” Susan M. Wolf told an audience gathered last Thursday at the University of Minnesota, where Wolf is a professor of law and health policy. “We’ve got 50 states. We’ve got multiple federal agencies involved.” The patchwork of laws means that in practice genetic anonymity is almost never guaranteed. But the legal landscape is so fractured that to fix this situation, the first issue is to resolve what rules apply to what data.

Megan Molteni covers genetic technology, medicine, and sharks for WIRED.

So Wolf and dozens of other lawyers, doctors, and others in the DNA testing world have spent the past three years assembling a searchable public database of every federal and state law, regulation, official guidance, and professional standard that currently regulates the field of genomics. The project, called LawSeq, is also assessing the field’s biggest legal challenges and seeking a consensus about how policymakers should think about a DNA-rich future. The project, funded by $2 million from the National Institutes of Health, tackles other aspects of genetic data law, but it was the discussion of privacy that dominated the group’s third and final conference in Minneapolis last week. The conference coincided with the one-year anniversary of the Golden State Killer arrest, which was made using DNA evidence.

“In the US we have taken to protecting genetic information separately rather than using more general privacy laws, and most of the people who’ve looked at it have concluded that’s a really bad idea,” said Mark Rothstein, a law professor at Brandeis and the director of the University of Louisville’s Institute for Bioethics, Health Policy and Law. By contrast, the European Union has designated DNA as personal data and made collecting it presumptively illegal under its recent consumer protections overhaul. In the United States, different laws regulate genetic data depending on where it is and what it’s being used for. “It’s basically a shortcut, because legislators here don’t want to enact broad legislation,” Rothstein said.

The problem with this system comes down to the fact that genetic data can have multiple uses beyond its original one. Say you participate in a research study or clinical trial that generates DNA data. A federal law protecting human subjects, called the US Common Rule, mandates that you be informed of how your data might be shared prior to signing a consent document. In 2016, Congress passed the 21st Century Cures Act, which also provides any federal research subjects with a certificate of confidentiality. This restricts the researchers collecting your genetic data from releasing it to law enforcement or other government agencies. And if that information were to somehow be illegally obtained, through a hack or some other breach, it would be inadmissible in court.

But say you want to add that genetic information to your electronic health record, so it’s available to your doctor. Now it becomes a piece of personal health data, governed by the Health Insurance Portability and Accountability Act. Under HIPAA, your genetic data can’t be given to your school or employer, but law enforcement agencies are entitled to access it without a warrant if you’re the victim or suspect of a criminal investigation.


Now that your DNA data is in your health records, your insurance provider can also access it. That’s why, in 2008, Congress passed the Genetic Nondiscrimination Act, or GINA, which prevents health insurers from denying coverage or jacking up prices based on someone’s genetic predisposition to various health conditions. (They can still do that if your genes make you actively sick—GINA becomes basically useless once you show symptoms.) GINA also doesn’t apply to long-term-care insurance, life insurance, or disability insurance, though it does ban employers from using genetic information to decide who gets hired, fired, promoted, or given a raise. Rothstein says the best genetic nondiscrimination law ever enacted in the US was the Affordable Care Act, President Obama’s signature health care reform law. The controversial legislation, which is facing new legal challenges by the Trump administration, specifically guarantees that insurance companies can’t use preexisting conditions to deny coverage.