23andEveryone? The Privacy Problem with At-Home Genetic Tests

Direct-to-consumer (DtC) genetic tests from companies like 23andMe and Ancestry have given consumers unprecedented access to their genetic data. A majority of consumers wrongly assume that federal medical privacy laws, such as HIPAA, protect the results of these tests. Indeed, no federal law directly addresses consumer privacy issues resulting from DtC genetic testing, and most states haven’t addressed it, either. This regulatory gray area puts DtC genetic testing companies in control, so be sure you read the fine print before signing up.

While DNA testing has been used in medical, scientific, and law enforcement contexts for decades, DtC testing kits are still relatively new.

In 2007, the average cost of an at-home genetic test was $1,000; by 2012, one could be purchased for $99.[1] An October 2020 survey by Consumer Reports found that about one in five Americans had taken an at-home genetic test. Among respondents who had not taken a test, one in four said it was because they were “worried about the privacy of [their] data or genetic material.”

There are fewer privacv protections for your data with DtC genetic testing kits than there are with traditional genetic testing administered by healthcare providers. If a doctor takes a DNA sample, its protected by the Health Insurance Portability and Accountability Act (HIPAA) and there are limits on how it can be shared. DtC genetic testing companies aren’t considered healthcare providers, and thus they are not required to comply with HIPAA.[2] Some states have enacted privacy laws aimed specifically at DtC genetic testing, but not Texas.

Because of this regulatory gap, DtC genetic testing companies are largely in control of how they protect, disseminate, and use consumers’ genetic data. This self-governance regime puts the onus on consumers to weigh the privacy risks of taking a test. Just as you compare prices, you should carefully review and compare privacy policies before purchasing an at-home genetic test.

Federal law

About half of consumers think that federal medical privacy laws, such as HIPAA, protect the results of commercial at-home genetic tests. They don’t.  Indeed, no federal law directly addresses consumer privacy issues resulting from DtC genetic testing.

The Food and Drug Administration (FDA) has some oversight over DtC genetic testing, but their main concern is the validity, not the privacy of the results. The FDA’s oversight is generally limited to DtC tests for “moderate to high risk medical purposes, which may have a higher impact on medical care.” DtC tests for non-medical, general wellness, or low risk medical purposes are not reviewed by the FDA before they are offered.

The Genetic Information Nondiscrimination Act (GINA), passed by Congress in 2008, prohibits prejudicial treatment by employers and health insurers on the basis of a person’s genetic information. Its scope is limited and focuses on discrimination based off of genetic information, not the privacy of such information.  

If a company engages in unfair or deceptive business practices, the Federal Trade Commission (FTC) and/or state attorneys general can step in to enforce consumer protection law. The FTC has outlined some best practices for DtC genetic testing companies, such as describing all uses of the genetic data in one featured place and directing the consumer’s attention to that policy using graphics, color, or other cues.

State law

Around one in five states have laws aimed specifically at the privacy of data collected by DtC genetic testing companies.[3] Texas is not one of them, although state lawmakers considered such a bill during the 2021 legislative session.

Under California’s Genetic Information Privacy Act, for example, a DtC genetic testing company must obtain the consumer’s separate and express consent for each of the following:

• the use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, and how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed;
• the storage of a consumer’s biological sample after the initial testing requested by the consumer has been fulfilled;
• each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses;
• each transfer or disclosure of the consumer’s genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer’s genetic data or biological sample will be transferred or disclosed; and
• the marketing or facilitation of marketing to a consumer based on the consumer’s genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.

The California law may be enforced by the state attorney general, district attorneys, county counsel, and city attorneys and prosecutors with appropriate authorization. In addition to court costs, these actors can recover up $1,000 in civil penalties for a negligent violation and up to $10,000 for willful violations. Any recovered penalty will be paid to the individual whose genetic data is at issue.

During the 2021 regular session of the Texas Legislature, Senator Hughes proposed a bill (SB 962) to establish consumer consent and notice requirements for DtC genetic testing. Notably, the bill provided for a private right of action and recovery of attorney fees. SB 962 passed the Senate but died in House committee.

[1] Haley J. Guion, Inconclusive Results, 108 Ill. B.J. 32 (2020).

[2] Emily B. Sklar, Be Careful Where You Spit: Do Hipaa-Covered Genetic Tests Actually Provide Greater Privacy Protection to Consumers?, 44 Seton Hall Legis. J. 177, 184 (2020).

[3] See Alaska Stat. § 18.13.010, et seq. (Alaska); Ariz. Rev. Stat. § 44-8001, et seq. (Arizona); Cal. Civ. Code § 56.18, et seq. (California); 410 Ill. Comp. Stat. 513/1, et seq. (Illinois); Nev. Rev. Stat. § 629.151, et seq. (Nevada); N.M. Stat. § 24-21-1, et seq. (New Mexico); Utah Code § 13-60-101, et seq. (Utah).