By Elisabeth Nations
Direct-to-consumer genetic testing companies such as 23andMe are founded on collecting customers’ private health information, yet this sensitive data is not protected by strong federal legislation. Even the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the touchstone for protecting health data in the United States, does not apply to these genetic testing companies. As great numbers of Americans submit their DNA for analysis to private companies, do we have cause for concern about how this data may be used?
What Is Direct-to-Consumer Genetic Testing?
As of September 2021, nearly 12 million people have had their DNA sequenced by 23andMe. Customers spit in a tube and send the saliva sample in the mail to a 23andMe lab. The company then completes a DNA analysis and returns a report on ancestry, health risks, and inherited traits to customers. 23andMe is one of several direct-to-consumer (DTC) testing services in the U.S.; other companies that provide similar experiences include Ancestry, FamilyTreeDNA, and MyHeritage.
DTC tests are marketed directly to consumers “without the involvement of a health care provider.” The reports that customers receive based on their submitted samples are not necessarily accurate, in part due to the ever-evolving nature of genetics research. Some DTC tests are reviewed by the U.S. Food and Drug Administration (FDA), but not all. Generally, the FDA reviews tests that screen “moderate to high risk medical purposes,” such as tests that assess genetic health risk for conditions like cancer. Reports on ancestry, “general wellness,” and carrier screening tests (those that determine whether an individual carries a genetic variant for a medical condition that could be passed on to children) are not screened by the FDA as a general rule. 23andMe reflects this fact in the “Science” page on their website, stating in small print that the health information they provide includes “both reports that meet FDA requirements . . . and reports which are based on 23andMe research and have not been reviewed by the FDA.”
Regardless of the government approval – or lack thereof – of test results from DTC testing companies, Americans have increasingly flocked to this industry to gain insight into their health and ancestry. DTC genetic testing is usually less expensive than similar tests conducted through healthcare organizations and hospitals. An at-home sample is non-invasive (spitting in a tube), whereas genetic testing at a hospital involves a blood test. Neither a doctor’s appointment nor a prescription is needed. Results from these tests reveal an abundance of genetic information that ties in to a whole host of health, ancestry, and wellness topics: an individual’s potential predisposition to Alzheimer’s, breast cancer, and celiac disease; their ancestral history and extended family; and how their genetics relate to weight, sleep, caffeine and alcohol consumption, and much more. With relatively little effort, the average American can access a wealth of information from genetic testing they’d likely never otherwise receive.
DNA contains all the instructions our bodies need to function, representing a tremendous amount of data. It instructs our bodies “how to make proteins that are vital for our growth, development, and overall health.” Since we receive DNA from each of our parents, DNA can also be used to trace our ancestry. DNA is unique to each person, so much so that “DNA fingerprinting” refers to the practice of identifying individuals based solely on their DNA – a process many of us know from its use in criminal investigations. “DNA fingerprinting” may be a misnomer. As one article puts it, DNA is “far more complex than fingerprints[.] [A] genetic profile is the single most identifiable characteristic an individual has.”
Such a powerful instrument, with information about a person’s health, relations, and identity, can allow not only great insight into one’s health, but a great breach of the most intimate kind of privacy. Are protections in place to keep our DNA private?
Privacy Law in the United States
Privacy laws in the United States are “a cluttered mess of different sectoral rules.” The Constitution does not expressly protect the right to privacy, but privacy protections in some forms exist in the Bill of Rights, such as protections against unreasonable searches and seizures, self-incrimination, and the quartering of soldiers. The Supreme Court has recognized a right to privacy since 1965, when the Court in Griswold v. Connecticut held the Bill of Rights creates an implied right . Since then, the Court has continued to assert Americans have a right to privacy. Both state and federal legislatures have passed some laws to protect privacy, but these laws focus on discrete categories, such as protecting children and financial information. In general, a company in the U.S. can sell, share, or use data they collect from a user without notifying the user or obtaining their consent. Given the explosive speed of digital information transmission, it is practically impossible for individuals to know if their personal information has been shared (or compromised).
The Health Insurance Portability and Accountability Act (HIPAA) specifically protects sensitive health information from being disclosed without a person’s knowledge or consent. Certain entities subject to HIPAA, like healthcare providers, health insurance, and any business associate working with those companies, must keep healthcare data confidential unless the patient gives consent for that data to be shared. You’ve likely signed a HIPAA consent form multiple times at a doctor’s office or pharmacy to allow transfer of your medical records from one doctor to another. HIPAA was designed to give people “more control over their health information,” “set . . . boundaries on the use and release of health records,” “establish . . . appropriate safeguards” for data, and “generally limit . . . release of information to the minimum reasonably needed for the purpose of the disclosure.” However, HIPAA does not apply to many DTC testing companies, including 23andMe and Ancestry – at least, not in the clear-cut way you might expect for companies handling incredible amounts of sensitive data. As the Hastings Center states, HIPAA “does not apply to consumer curation of health data or any associated protections related to privacy, security, or minimizing access.” Since companies like 23andMe and Ancestry are not healthcare providers, they do not fall under HIPAA’s covered entities. Some genetic testing labs are subject to HIPAA, but 23andMe and Ancestry in particular have avoided this obligation. If these companies aren’t subject to any federal law regarding the protection of data, what might happen to the DNA you give away?
Why Should Genetic Testing Companies Be Subject to Greater Data Privacy Regulation?
The primary regulation on DTC genetic testing companies’ protection of data is the companies themselves. 23andMe promises to “never share your genetic or self-reported data” with third parties without “your explicit consent.” Those third parties include law enforcement, as 23andMe states that they will only release “individual-level personal information” to law enforcement if “required to do so by court order, subpoena, search warrant or other requests that [the company] determine[s] are legally valid.” Ancestry makes similar claims in their privacy statement. In addition, customers must depend on the companies’ assurance that their data is safely and properly stored. 23andMe states that they “exceed industry data protection standards,” offering as evidence that they “have achieved 3 different ISO certifications to demonstrate the strength of [their] security program.” Personally identifiable information is stored in a separate database from genetic data, making it harder for a hacker to link a customer with their genetic data. If a user’s data is sent out for research, that data is not linked to the individuals from which it came – it’s stripped of personal information and aggregated before use. However, companies can change their rules at any time – which 23andMe itself acknowledges – and there is no strong federal legislation regarding the protection of this kind of private information outside of HIPAA.
23andMe promises to keep your data safe. Is that promise enough? Even if those currently in charge of 23andMe, Ancestry, and other DTC genetic testing companies are well-intentioned when it comes to protecting personal information, many other parties with less benign objectives have an interest in those companies’ vast archives of data. As the Hastings Center points out, “Google Ventures managing partner Bill Maris (a financial supporter of 23andMe) has dismissively challenged, ‘What are you worried about? Your genome isn’t really secret.’” 23andMe already uses their genetic data for research, and they’re making a pretty penny on it. Financial interests may eventually win out over DTC companies’ current promises of protection.
A. The Value of DNA
As previously discussed, DNA provides a wealth of information about a person, from one’s outward visual characteristics to one’s propensity to develop disease. Such information may well be exploited by others. If you took a genetic test and discovered you had an increased risk of breast cancer, could your insurance company change your policy? Could your employer fire you? These possibilities concerned the federal government enough that in 2008, Congress passed the Genetic Information Nondiscrimination Act (GINA) to prevent discrimination in employment and insurance over genetic information. While GINA undoubtedly provides important protection if your genetic information is hacked or otherwise obtained by third parties, GINA does not apply in every circumstance. Some small employers, the military, and non-health insurance policies, including life, disability, and long-term care insurance, are permitted to consider and discriminate on the basis of genetic information.
23andMe, in particular, emphasizes they de-identify your DNA before sending it off for research – and yet this scrubbing of your personal identifiers is not as powerful or anonymizing as it seems. In 2013, researchers were able to identify almost 50 people who participated in a genomic study based entirely on their genetic data and public information on the Internet. In fact, “more than 60 percent of Americans with European ancestry can be identified through their DNA using open genetic genealogy databases.” If one person has access to DNA and other information databases, “anonymity is a myth.”
B. Companies Have Financial Incentives to Disclose Data
23andMe’s business does more than simply provide customers with DNA analyses. After customers opt-in to having their data used for research, 23andMe is paid for providing that DNA to others. In 2018, 23andMe entered a collaboration with drugmaker GlaxoSmithKline (“GSK”), agreeing to share their genetic database to help GSK research possible treatments for disease. This is a noble cause, but not an entirely selfless one. GSK made a 300-million-dollar equity investment in 23andMe when the collaboration began, and when 23andMe extended their deal with GSK in January 2022, 23andMe received an additional one-time payment of 50 million dollars. Program costs and profits are split evenly between the companies. None of the profits go back to 23andMe customers even though the companies are profiting handsomely off customers’ data. Are those customers aware that their genetic material is enriching corporations? Do they mind? The information on 23andMe’s website does make clear that the customer “will not receive any direct benefits by taking part in 23andMe Research.” Customers can opt out of their data being used for research at any time, although that request does not kick in until 30 days after submission and applies only to new research.
23andMe is not alone in financially gaining from sharing its data. In 2013, pharmaceutical company Amgen bought an Icelandic genetic database that launched in 1996 for 415 million dollars. GSK bought Human Genome Sciences, a genetic research company, for 3 billion dollars in 2012. Genetic testing companies have enormous, highly valuable amounts of data on their servers, and they stand to gain millions, or even billions of dollars if they share it with others.
C. DTC Genetic Testing Legislation
Some states recognize the privacy concern at stake with DTC genetic testing. At the end of 2021, California signed into law the Genetic Information Privacy Act. This act requires direct-to-consumer genetic testing companies like 23andMe to live up to their promises by obtaining customers’ express consent before using their genetic data for research or otherwise sharing it with a third party. Customers can opt out at any time, and their submitted DNA samples must be destroyed within 30 days of that revocation of consent. These companies must also maintain “reasonable security procedures and practices” to protect data. In addition, consumers must be able to access and delete their accounts and genetic data. Violation of the bill imposes civil penalties in the range of 1,000 to 10,000 dollars. Both Utah and Arizona passed similar laws in the last year, each addressing data security, consent, and “an individual’s right to have their genetic data removed and their biological sample destroyed.” Florida has passed a number of laws protecting citizens who submit DNA to DTC testing companies. H.B. 833 heightens the criminal penalties for persons who collect, retain, or disclose DNA or DNA testing results without the person’s “express consent,” and violation of this law is now considered a felony punishable by up to 15 years in prison and a 10,000 dollar fine. H.B. 1189 goes further by prohibiting life, disability, and long-term care insurance companies from using genetic information in determining coverage or “for any insurance purpose.” Laws such as these reveal public concern over the safety of our genetic information and establish a baseline for DTC genetic testing companies to protect customers’ health data.
Strong legislation to protect consumers who submit DNA for genetic testing is needed across the United States. The following standards would go a long way in advancing the protection of direct-to-consumer testing company consumers. Companies ought to obtain express consent to disclose genetic information with strict civil and criminal penalties if they do not. States should consider limiting permissible disclosures to research companies so that insurers, employers, and other third parties cannot exploit genetic information. Consumers should retain a property interest in their own DNA, with the ability to have it destroyed or deleted. Most of all, consumers need explicit information from DTC testing companies about how their DNA is being used. Without an understanding of who is seeing their sensitive data, consumers may remain entirely unaware of the dangers of genetic testing.
Laws such as Florida’s are a step in the right direction toward protecting the sensitive data collected by direct-to-consumer genetic testing companies. With HIPAA’s inapplicability and the frighteningly massive amount of data and money that direct-to-consumer companies control, wide-reaching legislation with specific consent requirements and strong penalties for violation are needed to ensure that we as individuals retain ownership of the very stuff that we are made of.
 David Spiegel, One of Google’s Earliest Genetic Experiments, 23andMe, Paid ff – Here’s What Will Make or Break Its Future, CNBC (Jan. 25, 2022, 10:30 AM EST), https://www.cnbc.com/2022/01/25/how-one-of-googles-earliest-genetic-experiments-23andme-paid-off.html.
 How It Works, 23andMe, https://www.23andme.com/howitworks/.
 Jessica DiGiacinto, Best DNA Testing Kits of 2022, Forbes (Sept. 2, 2022, 4:49 PM), https://www.forbes.com/health/body/best-dna-testing-kit/.
 Direct-to-Consumer Tests, FDA, https://www.fda.gov/medical-devices/in-vitro-diagnostics/direct-consumer-tests (last updated Dec. 20, 2019).
 Id. 23andMe’s ancestry reports are highly accurate “for the vast majority of populations,” according to the company. How Accurate is 23andMe?, 23andMe, https://customercare.23andme.com/hc/en-us/articles/360044957274-How-Accurate-Is-23andMe-#:~:text=Each%20variant%20in%20our%20Genetic,tested%20under%20different%20laboratory%20conditions. However, independent experts caution that while DNA can quite accurately determine “close family relations such as siblings or parents,” reports about much more distant relatives “do not really tell you where your ancestors came from.” Adam Rutherford, How Accurate Are Online DNA Tests?, Sci. Am. (Oct. 15, 2018), https://www.scientificamerican.com/article/how-accurate-are-online-dna-tests/. Genetic tests that look for health factors, like genes that may lead to Alzheimer’s, are often technically accurate, but do not provide a full picture of a person’s health risks. Dan Gray, How Accurate Are Those Genetic Tests You Can Take at Home?, Healthline (Apr. 5, 2019), https://www.healthline.com/health-news/how-accurate-are-home-genetic-tests.
 Direct-to-Consumer Tests, supra note 4.
 Science, 23andMe, https://www.23andme.com/genetic-science/.
 Scott Bowen & Muin J. Khoury, Consumer Genetic Testing Is Booming: But What Are the Benefits and Harms to Individuals and Populations?, Ctrs. for Disease Control and Prevention (June 12, 2018), https://blogs.cdc.gov/genomics/2018/06/12/consumer-genetic-testing/; see Catherine Roberts, Read This Before You Buy a Genetic Testing Kit, Consumer Reps. (Feb. 2, 2021) (stating that “[a]bout 1 in 5 Americans has taken a DTC genetic test”).
 Bermseok Oh, Direct-to-Consumer Genetic Testing: Advantages and Pitfalls, 17 Genomics & Informatics 33 (2019), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6808639/. A 23andMe testing kit costs about $100, while genetic testing through a hospital, if not covered by insurance, can cost between $300 and $3,000. Ancestry + Traits Service, 23andMe, https://www.23andme.com/dna-ancestry/; How Much Does Genetic Testing Cost?, CostHelper, https://health.costhelper.com/genetic-test.html.
 What Kinds of Direct-to-Consumer Genetic Tests Are Available?, MedlinePlus, https://medlineplus.gov/genetics/understanding/dtcgenetictesting/dtctesttypes/; Let’s talk about Wellness, 23andMe, https://www.23andme.com/topics/wellness/.
 Jill Seladi-Schulman, DNA Explained and Explored, Healthline (Feb. 11, 2022), https://www.healthline.com/health/what-is-dna.
 DNA Fingerprinting, Britannica, https://www.britannica.com/science/DNA-fingerprinting (last updated Sep. 27, 2022). See Jason Y. Park et al., Privacy in Direct-to-Consumer Genetic Testing, 65 Clinical Chemistry (2019), https://academic.oup.com/clinchem/article/65/5/612/5608035 (discussing how the Golden State Killer was caught and convicted in large part because of DNA obtained via genetic testing).
 DNA Fingerprinting, supra note 17; Mason Marks & Tiffany Li, DNA Donors Must Demand Stronger Protection for Genetic Privacy, STAT (May 30, 2018), https://www.statnews.com/2018/05/30/dna-donors-genetic-privacy-nih/.
 Thorin Klosowski, The State of Consumer Data Privacy Laws in the US (And Why It Matters), N.Y. Times (Sept. 6, 2021), https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/.
 Douglas O. Linder, The Right of Privacy, Exploring Const. L., http://law2.umkc.edu/faculty/projects/ftrials/conlaw/rightofprivacy.html; U.S. Const. amends. III, IV, V.
 Privacy, Legal Info. Inst., https://www.law.cornell.edu/wex/privacy; Judith Haydel, Privacy, The First Amend. Encyclopedia, https://www.mtsu.edu/first-amendment/article/1141/privacy; Griswold v. Connecticut, 381 U.S. 479, 484 (1965).
 Privacy, supra note 21; Jeannie Suk Gersen, Why the “Privacy” Wars Rage On, The New Yorker (June 20, 2022), https://www.newyorker.com/magazine/2022/06/27/why-the-privacy-wars-rage-on-amy-gajda-seek-and-hide-brian-hochman-the-listeners. When addressing a right to privacy, the Supreme Court normally deals with what qualifies as a Fourth Amendment search or seizure; see United States v. Jones, 565 U.S. 400 (2012); Carpenter v. United States, 138 S. Ct. 2206 (2018).
 Klosowski, supra note 19; 15 U.S.C. § 6502 (the Children’s Online Privacy Protection Act); 15 U.S.C. § 6803 (the Gramm-Leach Bliley Act).
 Health Insurance Portability and Accountability Act of 1996 (HIPAA), Ctrs. for Disease Control and Prevention, https://www.cdc.gov/phlp/publications/topic/hipaa.html (June 27, 2022).
 Office for Civil Rights, What Does the HIPAA Privacy Rule Do?, U.S. Dep’t of Health & Hum. Servs (Dec. 19, 2002), https://www.hhs.gov/hipaa/for-individuals/faq/187/what-does-the-hipaa-privacy-rule-do/index.html.
 Marks & Li, supra note 18; Your Privacy, Ancestry (Aug. 15, 2022), https://www.ancestry.com/c/legal/privacystatement.
 Katherine Drabiak, Read the Fine Print Before Sending Your Spit to 23andMe, Hastings Ctr. (Feb. 26, 2016), https://www.thehastingscenter.org/response-to-call-for-essays-read-the-fine-print-before-sending-your-spit-to-23andme-r/.
 Emily B. Sklar, Be Careful Where You Spit: Do HIPAA-Covered Genetic Tests Actually Provide Greater Privacy Protection to Consumers?, 44 Seton Hall Legis. J. 177, 184 (2020), https://scholarship.shu.edu/cgi/viewcontent.cgi?article=1152&context=shlj.
 Id.; Marks & Li, supra note 18; Your Privacy, supra note 28.
 Privacy and Data Protection, 23andMe, https://www.23andme.com/privacy/.
 Your Privacy, supra note 28.
 Privacy and Data Protection, supra note 32.
 Privacy Statement, 23andMe, https://www.23andme.com/about/privacy/ (June 8, 2022).
 Drabiak, supra note 29.
 Genetic Information Non-Discrimination Act of 2008, 122 Stat. 881, 110th Cong. (2008) (enacted), https://www.govinfo.gov/content/pkg/PLAW-110publ233/pdf/PLAW-110publ233.pdf; Sonia M. Suster, GINA at 10 years: the battle over ‘genetic information’ continues in court, 5 J. of L. and the Biosciences 495 (2019), https://academic.oup.com/jlb/article/5/3/495/5498593.
 What Is Genetic Discrimination?, MedlinePlus, https://medlineplus.gov/genetics/understanding/testing/discrimination/; Genetic Discrimination, Nat’l Hum. Genome Rsch. Institute, https://www.genome.gov/about-genomics/policy-issues/Genetic-Discrimination (last updated Jan. 6, 2022).
 Research, 23andMe, https://www.23andme.com/research/.
 Greg Miller, Scientists Discover How to Identify People From ‘Anonymous’ Genomes, WIRED (Jan. 17, 2013, 2:02 PM), https://www.wired.com/2013/01/your-genome-could-reveal-your-identity/
 Megan Molteni, Genome Hackers Show No One’s DNA Is Anonymous Anymore, WIRED (Oct. 11, 2018, 2:04 PM), https://www.wired.com/story/genome-hackers-show-no-ones-dna-is-anonymous-anymore/.
 Miller, supra note 43; Megan Molteni, The US Urgently Needs New Genetic Privacy Laws, WIRED (May 1, 2019, 8:00 AM), https://www.wired.com/story/the-us-urgently-needs-new-genetic-privacy-laws/.
 Laura Geggel, 23andMe Is Sharing Genetic Data with Drug Giant, Sci. Am. (July 28, 2018), https://www.scientificamerican.com/article/23andme-is-sharing-genetic-data-with-drug-giant/.
 Press Release, GSK and 23andMe Sign Agreement to Leverage Genetic Insights for the Development of Novel Medicines, GSK (July 25, 2018), https://www.gsk.com/en-gb/media/press-releases/gsk-and-23andme-sign-agreement-to-leverage-genetic-insights-for-the-development-of-novel-medicines/.
 Press Release, 23andMe Announces Extension of GSK Collaboration and Update on Joint Immuno-oncology Program, 23andMe (Jan. 18, 2022), https://investors.23andme.com/news-releases/news-release-details/23andme-announces-extension-gsk-collaboration-and-update-joint.
 Research Consent Document, 23andMe, https://www.23andme.com/about/consent/.
 Ben Hirschler, Amgen Buys Icelandic Gene Hunters Decode for $415 Million, Reuters (Dec. 10, 2012, 5:30 AM), https://www.reuters.com/article/us-amgen-decode/amgen-buys-icelandic-gene-hunter-decode-for-415-million-idUSBRE8B90IU20121210.
 Although Human Genome Sciences was a pharmaceutical company focused on genetics, not a DTC genetic testing company, this acquisition shows the financial gain available in the genetics industry. Michael J. De La Merced, Glaxo to Buy Human Genome Sciences for $3 Billion, N.Y. Times (July 15, 2012, 6:07 PM), https://archive.nytimes.com/dealbook.nytimes.com/2012/07/15/glaxosmithkline-in-talks-to-buy-human-genome/.
 S.B. 41 (Cal. 2021), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220SB41.
 Emily Mullin, States Are Toughening Up Privacy Laws for At-Home DNA Tests, WIRED (Oct. 21, 2021, 9:00 AM), https://www.wired.com/story/states-are-toughening-up-privacy-laws-for-at-home-dna-tests/; Utah Code Ann. § 13-60-201 (LexisNexis, Lexis Advance through 2022 Third Special Session of the 64th Legislature); 2021 Ariz. Sess. Laws 254.
 2021 Fla. Laws ch. 216; Fla. Stat. Ann. § 775.082 (LexisNexis, Lexis Advance through the 2022 regular and extra sessions); Fay Shaulson, How Florida Is Protecting the DNA Privacy Rights You Didn’t Know Need Protection, Univ. of Miami L. Rev. (2021), https://lawreview.law.miami.edu/florida-protecting-dna-privacy-rights-didnt-protection/.
 Fla. Stat. Ann. § 627.4301 (LexisNexis, Lexis Advance through the 2022 regular and extra sessions)