In exchange for your mailed sample of saliva, direct-to-consumer (DTC) genetic testing companies promise insights about your ancestry, your family connections, and even your health. These widely used tests—from companies such as 23andMe and Ancestry—are advertised as a way to learn more about your family history, better understand your health, and more. They’re often touted as thoughtful gifts, especially around the holidays.

But many people might not have a clear understanding of what happens to their personal genetic data after they mail a tube of spit to a private company for analysis. In a new white paper (PDF) published today, Consumer Reports’ privacy experts argue that part of the reason for this uncertainty is a gap in the regulatory framework surrounding consumers’ genetic data privacy.

Right now, companies write their own privacy policies that consumers agree to when they buy a test. But few laws regulate what companies must do to keep your data private and secure.

“Ideally we’d like to see federal and state laws enacted that will empower consumers to control who has access to their genetic information,” says Justin Brookman, Consumer Reports’ director of privacy and technology policy.  

The Gaps in the Law

A few existing laws regulate some aspects of genetic privacy.

The Genetic Information Nondiscrimination Act (GINA) prevents employers from discriminating against you on the basis of your genetic information. But it doesn’t say anything about what a third-party DTC genetic testing company can do with the information it collects about you.  

Also, importantly, GINA’s protections apply only if a person is displaying no symptoms of their genetic condition, says Ellen Clayton, J.D., M.D., a professor of health policy at Vanderbilt University Medical Center in Nashville, Tenn. If a person becomes symptomatic, GINA’s protections against discrimination no longer apply. (The Americans with Disabilities Act protects some people with genetic disorders, but generally only if those disorders cause significant limitations to daily life.)

Under the Affordable Care Act (ACA), health insurance companies cannot refuse coverage or charge more for coverage based on a preexisting condition—a prohibition that also applies to any condition discovered as the result of genetic testing, Clayton says.

Also, the Federal Trade Commission can stop companies from making false claims about what their DTC genetic testing products do, and it can ensure that companies abide by the provisions in their own privacy agreements. Although the federal Health Insurance Portability and Accountability Act (HIPAA) does apply to the results of genetic tests administered by your doctor or another healthcare provider, it doesn’t apply to DTC genetic testing companies.

Currently, however, no federal law directly addresses consumer privacy issues resulting from DTC genetic testing.

That means the companies that provide these services have the freedom to control what happens to a consumer’s genetic information once they receive it, Brookman says. Some companies also encourage consumers to provide additional sensitive family or health information in order to maximize the possible insights from the genetic tests being offered.

In one 2018 study of DTC genetic testing companies’ privacy policies, Vanderbilt University researchers found that 71 percent of companies used consumer information internally for purposes other than providing the results to consumers. Sixty-two percent said they use data for internal research and development, while 78 percent said they provided genetic information to third parties in de-identified or aggregate forms without additional consumer consent.

There are also few laws regulating how consumers’ genetic data should be stored and protected by the companies that collect it, and genetic testing companies have experienced data breaches. For example, the DTC genetic testing company MyHeritage was hacked in 2018, and users’ emails and scrambled passwords were stolen. Their DNA information wasn’t stolen, but such a breach is certainly possible, CR experts say.  

Why Existing Rules Are Not Enough

Unlike your credit card number or your bank account password, if your genetic information is stolen or simply given away without your consent by a company that possesses it, it can’t be changed. And recent studies of sites (PDF) such as GEDmatch (where users can publicly post their genetic data) have found that it’s possible for people with nefarious intentions to reidentify individuals from supposedly de-identified genetic data.

So far, many of the harms of having part or all of your genome publicly available or in the hands of a thief are largely hypothetical. In part, that’s because the science of genetics is constantly evolving, says Michael Edge, Ph.D., an incoming assistant professor of biological sciences at the University of Southern California in Los Angeles and the author of one recent study on reidentification of genetic data. “The ground is moving in terms of what this genetic information tells you about a person,” he says.

Still, privacy experts say there are some key concerns. One is that your genetic information could be used in underwriting insurance policies. It can’t be used for health insurance, thanks to the ACA, but—except in Florida where this practice was recently prohibited—it could theoretically be used to determine life, long-term care, or disability insurance plans.

Your genetic information could also potentially be used against you in a court case. If you were to seek damages for a work-related injury, for example, a company might try to use information from your genome to point to potential other causes for your symptoms. Law enforcement agencies have used genetic data to identify criminal suspects through their blood relatives. It’s even conceivable that sensitive information about your family or your health could be used in a blackmail scenario.

Those examples may sound extreme. But the bottom line, Brookman says, is that genetic information could reveal facts about you that you don’t want known. And right now, consumers don’t have many protections against that happening. “An individual’s most personal information is still being bought, sold, and traded without clear understanding or consent,” Brookman says.

A final important consideration is that when your genetic data becomes public, it’s not only revealing information about you. It also reveals information about blood relatives, who may or may not even be aware that you opted to share your genome with a DTC testing company. Clayton at Vanderbilt recommends that consumers take this into consideration when deciding whether to use a DTC genetic testing product.  

One Flawed Policy Solution

To give consumers more control over their own personal data, some—such as computer scientist Jaron Lanier and 2020 Democratic presidential candidate Andrew Yang—have proposed providing a property right for such data. In the context of genetic data, this would mean that you could be monetarily compensated for providing your genome to companies and researchers. But there are several problems with this solution.

One, Clayton says, is that it could be incredibly complex to implement. Imagine, for example, a scientific study that uses genetic data from 25,000 people. Scientists regularly compensate research subjects for their participation. But if the result of the study was some new product, such as a drug, would each of the 25,000 study participants be entitled to royalties from the sales of the product? The difficulties mount quickly under such a policy, according to Clayton.

And the policy could have other unintended consequences. Consumer Reports’ advocates are concerned that such a policy would have outsized harms on low-income or marginalized communities, who could be targeted for mining of valuable genetic information. People facing an immediate need for cash could be coerced into giving up their genetic data.

“Privacy should be a right,” Brookman says. “We’re not allowed to sell away our right to speech or our right to vote.” 

A Better Way to Protect Genetic Privacy

Consumer Reports believes lawmakers should enact legislation that would make results from all genetic testing private by default.

That would mean companies or other entities that collect consumer genetic information would face detailed requirements before they could release or sell that information. And CR advocates say that laws should include safeguards that will ensure that an individual’s choice to share their genetic information will not compromise their privacy and that of their blood relatives. Such laws should also require strict safeguards against data theft, they say.

Some state laws are on the right track—those in Missouri and Illinois require that individuals specifically authorize any selling of their information. These laws also stop genetic data from being used in insurance underwriting unless authorized by the individual. 

A proposed law under consideration in California would enact similar protections, limiting the sharing of genetic data with insurers and employers and requiring consumer consent before genetic data could be shared with any third parties.

Consumer Reports is calling on legislators to enact a strong privacy standard that would give consumers control of their genetic data. In the meantime, if you’ve purchased a DTC genetic test and are concerned about the safety of your information, check our guide to deleting genetic data.