The Law

Today, there is no federal law governing how private companies, including those create direct-to-consumer healthtech products (like AncestryDNA or 23&Me). That means that you as a consumer should understand the extent to which your genetic data collected by such companies could be stored, collected, and shared, and to be an informed user if you so choose to use them.

There are, however, laws which govern genetic information as used in clinical or research settings. The Genetic Information Nondiscrimination Act (GINA) of 2008 prohibits health insurers or employers from requesting or requiring information about a person’s genetics and further prohibits discriminatory use of such information. While GINA prevents entities from using this information against you—such as not promoting you because your genetic sequencing shows a predisposition to a genetic condition—it does not do anything to restrict whether companies can collect or sell your genetic information.

The American College of Medical genetics and Genomics for DTC prototyping includes genetic testing guidelines that:

• Genetic testing should occur in a lab that has been appropriately inspected;

• Genetic experts such as clinical geneticists or genetic counselors should handle requests from consumers and the provision of test results;

• Consumers should be informed by the company about what the test results can and cannot do before DTC genotyping;

• The company should explain that unexpected or unrequested results;

• Users should be informed about the scientific basis upon which the genetic test was conducted;

• Consumers should receive information about who will see the results, and what measures will be taken to protect the genetic information, how the sample will be discarded, how it will impact life or disability insurnace, who owns the genetic information, and whether it can be provided to third parties.

The Tech

Some of the most popular types of genetic healthtech are direct-to-consumer (“DTC”), at-home genetic testing kits, also called like AncestryDNA and 23&Me. Typically, how it works is consumers purchase a specimen collection kit online, collects what is usually a saliva tube or cheek swab, then mails the sample back to the company for testing. Then, they receive results of the test which could range from genetic carrier testing, ancestral testing, whole exome or genome sequencing, and more.

Although DTC tests can offer advantages of accessible and convenient genetic testing, they also come with many pitfalls. In 2023, over one million data points stored in the database of genetic testing company 23&Me were stolen in a targeted attack of Ashkenazi Jewish and Chinese users. Hackers offered to sell genetic profiles containing users’ name, profile photo, birth year, location surname, ethnicity estimates, mitochondrial DNA haplogroup, Y-chromosome DNA haplogroup, and more. The true number of people exposed was 6.9 million, almost half of the company’s customer base.