By Grace Murphy, J.D. Candidate, 2026
Genome sequencing, the process of determining the DNA sequence of an organism, was first introduced in the 1970s. By 2003, the Human Genome Project had generated the first human genome sequence. Since then, genome sequencing has become more accessible and affordable. This has allowed direct-to-consumer DNA testing to become a reality through companies like 23andMe. These DNA testing services provide users with information about their health and genealogy, unearthing long-lost relatives in addition to potential predispositions to diseases. By 2019, more than 26 million people had added their DNA to a commercial ancestry and health database, amassing large collections of DNA in privately held companies.
While millions of users have volunteered their DNA over the years, the implications of companies holding this sort of user data are just beginning to emerge. Large companies stockpiling user information is not exactly a new concept. However, genetic information is unique in that it reveals sensitive information about health risks, ancestry, and family history. Genetic information is also hard to de-identify. Like a fingerprint, certain genetic data, such as a DNA sequence, will still be tethered to its donor even when separated from a donor’s name or other personal information.
Given the immense amount of information held in DNA, users may disclose more information than they intend. While a user may send in their DNA to learn about their lineage, they may not expect that same DNA to be sold to a third party for an alternative purpose, used in a criminal investigation, or exposed in a data breach.
Due to recent events, users are increasingly aware of their exposure to genetic data privacy risks. In September, 23andMe’s entire board of directors resigned following an internal dispute about the future direction of the company. Even prior to the board’s sudden resignation, 23andMe was experiencing issues. Last year, the company experienced a data breach that affected millions of users. This has left the future of 23andMe uncertain – raising questions about what will happen to users’ DNA and the implications of private companies holding this type of genetic data.
However, the rapid pace of development in the field of genome sequencing has left the relatively new direct-to-consumer DNA testing companies largely unregulated. Genetic privacy is currently governed by the Genetic Information Nondiscrimination Act (GINA), the Health Insurance Portability and Accountability Act (HIPAA), and state laws. Yet the impact of these laws on direct-to-consumer DNA testing is somewhat narrow. GINA prevents companies like 23andMe from sharing customer data with employers or insurance companies. However, this protection does not extend to life, disability, or long-term insurance, or to employers with fewer than 15 employees. GINA also does not prevent sharing genetic data with other third parties, like drug companies. Additionally, direct-to-consumer testing companies avoid the privacy obligations required by HIPAA because they are not classified as healthcare providers.
Like other state laws, the California Genetic Information Privacy Act (GIPA), which went into effect in 2022, has set up some ground rules for what these companies can and cannot do with users’ genetic data. Among other requirements, GIPA mandates that companies provide information regarding their policies and procedures for the collection, use, maintenance, and disclosure of genetic data. Companies must also obtain express consent for disclosure of a user’s genetic data. The requirement for express consent is an important step towards protecting against unexpected disclosures of genetic data to third parties. It also protects users from being at the whims of a changing privacy policy, since user consent would be required prior to any policy change that alters the uses or disclosures of user data.
There are, however, residual challenges not resolved by this legislation. First, genetic information does not just reveal information about the user; it reveals data about all of the user’s relatives, whether or not they gave their consent. Take for instance the Golden State Killer case. The killer’s identity was revealed with the help of commercial DNA databases, which linked crime scene DNA to relatives of the killer. GIPA does not require companies to obtain consent from every relative of every user, and even if this were a requirement, it would be nearly impossible to satisfy.
Second, companies are at risk of inadvertent disclosures through cybersecurity attacks. In the 23andMe data breach, a hacker was able to access sensitive health and genetic data of 14,000 users. What hackers might do with user data is unclear. Some are concerned that it may be used to target members of certain ethnic groups or threaten individuals with their own sensitive information. Data privacy concerns, including the risk of data breaches, have caused some cybersecurity experts to advise users to delete their data from the databases altogether.
Today, genetic data privacy and direct-to-consumer genetic testing companies are on uncertain footing. While massive strides have been made in the field of genetic sequencing, the same cannot be said for genetic data privacy. Under current federal legislation, there are significant gaps in protection that need to be remedied in order to counter new and existing genetic privacy concerns. While state laws, like GIPA, attempt to fill these gaps, consumer data remains vulnerable. At both the consumer and legislative level, there must be a better understanding of why our DNA, and the privacy of our genetic data, is worth protecting in order to appropriately calibrate the level of protection needed.