Informed Consent and Privacy: Threats Posed by Direct-to-Consumer Genetic Testing
- S. Paige Carey
- Jul 7
- 7 min read

Sparking Awareness
On March 23, 2025, the world’s largest direct-to-consumer (DTC) genetic testing company filed for Chapter 11 bankruptcy protection, prompting discussions about the disposition of the company’s most valuable asset: the private genetic and health data of its roughly 15 million customers. The company assures clients that no changes will be made to the way data is stored, managed, or protected. However, with the final hearing on June 17, 2025, this assurance should provide only short-lived comfort, as the new owner will have no legal obligation to follow the current policies and will create its own. Numerous state Attorneys General and consumer protection groups urgently recommend that 23andMe customers delete all of their data from the service while they are still able.
The recent fall of 23andMe and potential sale of genetic data shines a spotlight on the privacy and informed consent concerns with DTC genetic testing and the commercialization of health and genetic data. However, these are concerns that consumers should be aware of for any DTC genetic testing company, not just the ones that are struggling.
Privacy and Consent
As the population becomes more acquainted with the data collection practices of the online ecosystem, the traditional notion of privacy as the right to be left alone has evolved to include the right to control information about oneself. The idea of consent in the context of genetic data also takes on expanded considerations, primarily because the genetic data of one individual has the potential to expose personal information about relatives without their consent. Consumers may not fully appreciate the risks, for themselves or for others, of sharing this data. There are a number of ways in which DTC companies may infringe on their customers’ privacy and stretch the definition of informed consent.
Threats
Technical breaches. In addition to its inherent value, genetic data is frequently bundled with additional personal information such as health data, demographics, phenotypic characteristics, and social and behavioral determinants of health, which makes the information very attractive to a myriad of interests. As with any other digitally stored data, genetic data is vulnerable to hackers and other nefarious actors. Unfortunately, in contrast to more heavily regulated entities such as healthcare organizations and health insurers, DTC genetic testing companies are not held to the same stringent cybersecurity standards. The 2023 data breach that contributed to 23andMe’s collapse makes this tangible. The attack compromised 14,000 23andMe accounts and, because of the networking features associated with its genealogy tools, nearly 7 million accounts were ultimately affected. The data was offered for sale on the dark web for $10 per profile. 23andMe’s poor security practices, such as the lack of multifactor authentication and substandard password hygiene policies, were noted as contributing to the success of the attack.
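As an added illustration of the two points in this paragraph (not code from the original article or from 23andMe), the following Python flags the login pattern behind the 2023 breach, a credential-stuffing run in which one source tries many different accounts with passwords reused from earlier leaks, over constructed log lines, and then estimates how far a set of compromised accounts reaches through a relatives-matching feature. The log format, IP addresses, account names and relatives graph are all constructed for the example.

```python
"""Defender-side checks: spot credential stuffing, then size its blast radius."""
from collections import defaultdict

# Constructed sample log (not real data): "timestamp src_ip account result".
AUTH_LOG = """\
2023-10-01T10:00:01 198.51.100.7 alice FAIL
2023-10-01T10:00:02 198.51.100.7 bob FAIL
2023-10-01T10:00:02 198.51.100.7 carol OK
2023-10-01T10:00:03 198.51.100.7 dave FAIL
2023-10-01T10:00:04 198.51.100.7 erin OK
2023-10-01T10:00:05 198.51.100.7 frank FAIL
2023-10-01T10:01:00 203.0.113.9 alice FAIL
2023-10-01T10:01:30 203.0.113.9 alice OK
"""

def parse(log):
    """Yield (src_ip, account, succeeded) for each log line."""
    for line in log.splitlines():
        _, ip, account, result = line.split()
        yield ip, account, result == "OK"

def detect_stuffing(log, min_distinct_accounts=5):
    """Map each suspicious source IP to the accounts it logged into.
    A legitimate user retries one account; stuffing rotates through many,
    so 'many distinct accounts per source' is the signal. Hits should be
    forced through MFA or a password reset before any data is served."""
    tried, succeeded = defaultdict(set), defaultdict(set)
    for ip, account, ok in parse(log):
        tried[ip].add(account)
        if ok:
            succeeded[ip].add(account)
    return {ip: succeeded[ip] for ip, accounts in tried.items()
            if len(accounts) >= min_distinct_accounts}

def exposed_profiles(compromised, relatives):
    """Profiles an attacker can read: the compromised accounts themselves
    plus every profile their relatives-matching page lists."""
    exposed = set(compromised)
    for account in compromised:
        exposed |= relatives.get(account, set())
    return exposed

# Constructed relatives graph: which profiles each account's matches page shows.
RELATIVES = {"carol": {"gina", "hank", "ivy"}, "erin": {"ivy", "jack"}}

if __name__ == "__main__":
    hits = detect_stuffing(AUTH_LOG)
    taken = set().union(*hits.values())
    print("stuffing sources:", hits)   # {'198.51.100.7': {'carol', 'erin'}}
    print("profiles exposed:", len(exposed_profiles(taken, RELATIVES)))  # 6
```

Two successful logins expose six profiles here; the ratio grows with the number of matches each account is shown, which is the amplification the paragraph describes.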
Uninformed or underinformed consent. The DTC industry is largely unregulated and, as such, traditional healthcare and research definitions of consent do not apply. In DTC genetic testing, disclosures regarding the potential risks and limitations of the test, as well as consent for the use and storage of genetic data, are generally accomplished via Terms of Service agreements. It has been well established that these agreements are unstandardized and frequently written in a way that does not make clear to the average consumer what they are consenting to. What is even more concerning is that studies have shown that terms of service and privacy policy links are frequently left unopened, and even when they are opened, time spent on the page is often measured in seconds.
Depending on the DTC genetic testing service, consumers may consent to any or all of the following via terms of service agreements:
Data may be used internally or in collaboration with third parties such as pharmaceutical companies for the development of pharmacologic/therapeutic treatments and new diagnostic tests
Data may be used in ways that result in patents
Data may be shared/sold/rented to marketing firms or industries that would benefit from this private information such as insurers
Degree to which the data is or is not de-identified
Non-genetic data such as supplemental health, phenotypic, demographic, and consumer information may be collected and shared/sold/rented
Acknowledgement that retraction of consent and/or deletion of data will not remove it from sources with which it has already been shared
Data may be used in ways that are not defined or specified in terms of service agreement but are nonetheless permitted in the future
This final item is particularly problematic because it can be argued that informed consent is not possible if the use case is not disclosed. The consumer cannot evaluate the risks and benefits, or decide whether they agree with the purpose.
One way in which consumers are lulled into a false sense of security is by consenting only to the use or sharing of their data in a de-identified state. In the US, the de-identification process does not currently require removal of raw genetic data as a unique identifier. This is inconsistent with the treatment of fingerprints and voice prints, which are considered identifying and are therefore removed as part of the de-identification process.
It can be argued that, by its very nature, DNA can never be truly anonymized. Given increasing access to large data sets and improvements in AI and machine learning, the possibility of re-identifying an individual can no longer be ruled out. Further, principles of autonomy and standards observed in some non-US countries demand that individuals retain the ability to control the use of their anonymized data and/or biospecimens.
Self-identifying breaches. Open-access databases like GEDmatch and MyHeritage allow users to upload their genetic data, self-identify, and opt in to being contacted. These databases are usually limited only by what is specified in their terms of service and have the right to change those terms at will. These services are typically used for family tree tracking or health insights, but unprecedented access to an identified individual’s genome has resulted in unanticipated consequences for some. Consumers may not fully appreciate the value of their genetic and health data, nor the nuanced ways in which sharing their data could affect them or their relatives.
One of the more well-known adjunct uses of these services is by law enforcement, which uses distant relatives to identify victims and criminal suspects. However, there are many other potential uses. Consider, for example, using these services to identify, whether purposefully or accidentally, anonymous organ and gamete donors, biological relatives of adoptees, or the genetic health and disease characteristics of relatives, all without their consent. Further, consider the impact of an individual being denied life or long-term care insurance based on the decision of a relative, possibly one unknown to them, to consent to and share their genetic data.
Laws and Protections
DTC genetic testing companies’ terms of service agreements commonly acknowledge their obligation to abide by applicable laws. Unfortunately for consumers in the US, very few laws are applicable and none of them provide any type of comprehensive protection for customers of DTC genetic testing companies or unregulated genetic databases.
Health Insurance Portability and Accountability Act (HIPAA) – Applies to health care providers, their business associates, and healthcare payors/insurers. HIPAA does not apply to commercial genetic testing companies, nor to other companies that collect health-related data outside the healthcare system, such as makers of commercially available wearable health devices or mobile health applications. In addition, there are many exceptions under which genetic data may be shared by health organizations or insurers without violating HIPAA.
Common Rule for the Protection of Human Research Participants – Applies privacy protections to federally funded research. It does not apply to DTC genetic companies or to the research they may engage in with third-party companies.
Genetic Information Nondiscrimination Act (GINA) – Prevents discrimination by employers and health insurers. GINA originally protected individuals only while they were still asymptomatic; the Affordable Care Act extended the protection to those who have already begun to experience genetically related illness. GINA does not protect against discrimination by life, disability, or long-term care insurers.
Americans with Disabilities Act (ADA) – Only provides discrimination protection after a disability manifests.
Federal Trade Commission (FTC) – The FTC’s mission is one of consumer protection against unfair and deceptive business practices. However, thus far the FTC has prosecuted only one DTC company, whose practices were particularly egregious. The consumer protections related to DTC genetic testing provided by the FTC take the form of consumer-directed blog posts and best practice guidance for businesses handling genetic data.
State Laws – A few states have passed consumer protection or data privacy laws that provide varying degrees of protection and have been largely untested in the courts.
Next Steps
The potential benefits of learning more about the genetic makeup of the world are irrefutable. Equally undeniable are concerns about privacy and unintended consequences of that genomic knowledge that have existed for decades. The DTC genetic testing industry has exposed weaknesses in consumer protections, particularly in the US, that could result in serious harm to individuals as well as erode the public’s trust in health data privacy practices.
With limited legal protection at the federal level currently, it is unfortunately up to consumers to protect themselves by scrutinizing terms of service agreements and privacy policies prior to engaging with a DTC genetic testing company and revisiting those terms as they change over time. Consumers must also better inform themselves regarding risks of uploading identified genetic data and acknowledge their potential responsibility for exposing relatives’ health data or even their identity without consent. Finally, consumers must push state and federal lawmakers to pass stronger legislation to protect genetic data and privacy rights.
Assessed and Endorsed by the MedReport Medical Review Board