As Direct-to-Consumer Genetic Analysis Becomes More Popular, Five Privacy Considerations Arise


Christina Perez-Tineo
Associate Editor
Loyola University Chicago School of Law, JD 2020

Direct-to-consumer genetic testing kits have exploded in popularity over the last decade. and 23andMe proudly state they have had ten million and five million customers, respectively, using their DNA testing services. One study projects that improvements in technology and popularity will cause DNA testing to increase tenfold by 2021. Many experts in the field of genetics and bioethics have expressed concern regarding the ability of regulators and privacy infrastructure to keep pace with the expansion of these types of genetic services. We may not be at a point where we understand the full implications of having such large banks of genetic information, but here are five reasons to be concerned.

Genetic Testing Companies Operate in a Legal Gray Area

The genetic information produced through these services isn’t quite a direct-to-consumer good but it also isn’t a medical service that would be regulated by HIPAA. Different organizations have published guidelines or best practices for companies working with genetic information, but there is no real enforcement or accountability mechanism. Therefore, genetics companies largely hold themselves accountable for protecting user privacy as an ethical responsibility. While both and 23andMe and have robust privacy policies, both retain the right to modify at any time and only states it will notify users of material and non-material changes to their policies.

Some Genetic Testing Sites Have a Bring Your Own Genetic Material (“BYOG”) Approach

Sites like GEDmatch and DNALand are free and allow users to upload DNA data obtained from other companies (like and 23andMe, which charge upwards of $100 for more in-depth DNA analysis). These smaller companies argue that they provide a different analysis or connect you with relatives who might not be in the database you used originally. However, these sites present their own privacy concerns. As part of the consent process, both sites ask users to confirm that the genetic material they submitted belongs to them or that they were explicitly authorized by the owner to submit it on their behalf. However, one expert has suggested that raw DNA data should come with a key confirming where it originated and who owns it, because otherwise there is no way to know whether the person is uploading their own genetic material or material they have permission to upload from someone else. Without a verification method like this, anyone (e.g., law enforcement, foreign governments, or stalkers) could upload genetic material they’ve obtained.
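To make the expert's suggestion concrete, here is an added example (not code from GEDmatch, DNALand, or any testing company) of what an origin-and-ownership attestation could look like: the testing lab that produced a raw export issues a small signed manifest binding the file's hash to the lab's name and an owner identifier, and an upload site checks that manifest before accepting the file. The lab name, owner identifier, sample export lines and key are all constructed for the illustration; a symmetric HMAC is used only because it is in the Python standard library, where a real scheme would use a public-key signature so that upload sites need only the lab's public key.

```python
import hashlib
import hmac
import json

# Constructed sample: a two-line raw genotype export in the tab-separated
# style consumer kits use (rsid, chromosome, position, genotype).
RAW_EXPORT = b"rs3094315\t1\t752566\tAA\nrs12562034\t1\t768448\tGG\n"

# Hypothetical lab-held key (constructed, not a real secret). The upload
# site is assumed to have received the verification key out of band.
LAB_SIGNING_KEY = b"constructed-lab-key-not-a-real-secret"


def _canonical(manifest: dict) -> bytes:
    """Serialize the manifest deterministically so both sides sign the same bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(raw: bytes, issuer: str, owner_id: str, key: bytes) -> dict:
    """Lab side: bind the export's hash to the issuing lab and the data owner."""
    manifest = {
        "issuer": issuer,
        "owner_id": owner_id,
        "sha256": hashlib.sha256(raw).hexdigest(),
    }
    manifest["tag"] = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest


def verify_upload(raw: bytes, attestation: dict, uploader_owner_id: str,
                  trusted_keys: dict) -> tuple:
    """Upload-site side: accept the file only if the attestation checks out.

    Returns (accepted, reason). Each check maps to one way an unverified
    upload can go wrong: unknown origin, forged or altered manifest, a file
    that is not the one attested, or an uploader who is not the owner.
    """
    key = trusted_keys.get(attestation.get("issuer"))
    if key is None:
        return False, "unknown issuer"
    body = {k: v for k, v in attestation.items() if k != "tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation.get("tag", "")):
        return False, "bad signature"
    if hashlib.sha256(raw).hexdigest() != attestation["sha256"]:
        return False, "file does not match attestation"
    if attestation["owner_id"] != uploader_owner_id:
        return False, "uploader is not the attested owner"
    return True, "ok"


if __name__ == "__main__":
    trusted = {"example-lab": LAB_SIGNING_KEY}
    att = issue_attestation(RAW_EXPORT, "example-lab", "owner-123", LAB_SIGNING_KEY)
    print(verify_upload(RAW_EXPORT, att, "owner-123", trusted))   # genuine owner
    print(verify_upload(RAW_EXPORT, att, "owner-999", trusted))   # someone else's file
    print(verify_upload(RAW_EXPORT + b"x", att, "owner-123", trusted))  # altered file
```

The owner identifier only has meaning if the upload site can tie it to the account doing the uploading (for example, an identifier the lab and the upload site both derive from a verified e-mail address); the example assumes that mapping already exists and checks only that the two values agree.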

Pharmaceutical Companies Are Interested in the Aggregated Data from These Sites

In 2013, 23andMe partnered with Pfizer to allow them to access 80% of 23andMe’s overall dataset. This consisted of genetic information from over 800,000 individuals who allowed 23andMe to share their de-identified information for research purposes. This summer, GlaxoSmithKline, a British drug-maker, bought a $300 million stake in 23andMe, which allowed them access to this same database of de-identified data for research purposes. Drug companies argue that having access to this type of information will allow them to identify targets for drugs and better select patients for clinical trials, making drug development less time- and resource-intensive. However, critics note that there usually must be information about things like age, height, weight, location, and medical history in order for the information to be useful for medical research. Sharing this type of information could still make individuals identifiable.
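The critics' point is that the contextual fields a research partner needs (age, height, location, and so on) act as quasi-identifiers even when names are stripped. As an added example, not code from 23andMe or any drug company, the following measures that risk on a constructed table of "de-identified" records using k-anonymity: the smallest number of records that share the same combination of quasi-identifier values. A group of size 1 is a record that is unique in the release, and a unique combination is exactly what an outside dataset with the same fields could be joined against. The records, field names and generalization rules are all invented for the illustration.

```python
from collections import Counter

# Constructed sample rows: names removed, but each keeps the clinical
# context a research partner would ask for. zip3 is the first three
# digits of a postal code.
RECORDS = [
    {"id": "p1", "age": 34, "sex": "F", "zip3": "606", "height_cm": 165, "condition": "none"},
    {"id": "p2", "age": 34, "sex": "F", "zip3": "606", "height_cm": 165, "condition": "asthma"},
    {"id": "p3", "age": 71, "sex": "M", "zip3": "606", "height_cm": 180, "condition": "none"},
    {"id": "p4", "age": 34, "sex": "F", "zip3": "606", "height_cm": 165, "condition": "none"},
    {"id": "p5", "age": 52, "sex": "M", "zip3": "604", "height_cm": 175, "condition": "diabetes"},
    {"id": "p6", "age": 75, "sex": "M", "zip3": "604", "height_cm": 178, "condition": "none"},
    {"id": "p7", "age": 55, "sex": "M", "zip3": "606", "height_cm": 172, "condition": "asthma"},
]

# Fields that are not identifiers on their own but can be matched against
# outside data (voter rolls, fitness apps, insurance records, ...).
FINE_QIS = ("age", "sex", "zip3", "height_cm")
COARSE_QIS = ("age", "sex", "zip3")


def _group_sizes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Return k: the size of the smallest equivalence class. k == 1 means
    at least one record is unique on the chosen fields."""
    return min(_group_sizes(records, quasi_identifiers).values())


def unique_ids(records, quasi_identifiers):
    """List the records that are singled out by their quasi-identifiers."""
    sizes = _group_sizes(records, quasi_identifiers)
    return [r["id"] for r in records
            if sizes[tuple(r[q] for q in quasi_identifiers)] == 1]


def generalize(records, age_width=10):
    """One common mitigation: coarsen the fields before release.
    Ages become ten-year bands, postal prefixes lose a digit, and exact
    height is dropped entirely."""
    out = []
    for r in records:
        g = dict(r)
        lo = (r["age"] // age_width) * age_width
        g["age"] = f"{lo}-{lo + age_width - 1}"
        g["zip3"] = r["zip3"][:2]
        del g["height_cm"]
        out.append(g)
    return out


if __name__ == "__main__":
    print("k on raw fields:", k_anonymity(RECORDS, FINE_QIS))
    print("unique records:", unique_ids(RECORDS, FINE_QIS))
    print("k after generalizing:", k_anonymity(generalize(RECORDS), COARSE_QIS))
```

On the sample data four of the seven "de-identified" rows are unique on age, sex, postal prefix and height, so anyone holding those four fields for a person could pick out that person's genetic row and the condition attached to it. Coarsening the fields raises k to 2 here at the cost of precision, which is the trade-off a data-sharing agreement has to make explicit rather than assume away.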

Law Enforcement Is Also Interested in Accessing This Data

While some sites like and 23andMe will not release your data to law enforcement without a court order, police will often take advantage of sites with BYOG policies to find people suspected of crimes. The most famous case occurred earlier this year when police found the Golden State Killer using the genetic information from his third cousin, but there have been at least 13 other cases of “long-range familial searches” that successfully identified suspects of crimes. A study published earlier this month concluded that around 60% of Americans of European descent could be matched to a third cousin or closer relation, and this number will only grow as more people provide their genetic information to these companies. While some states have identified prerequisites for familial searches of their own state’s forensic databases, there are no broad rules in place that clearly define the circumstances under which these types of searches are acceptable.

The More Ways Your Data Can Be Used, the More Vulnerable It Is to Abuse

Each of the above scenarios presents its own concerns, but one major takeaway is that the more parties that have access to your data and the more ways it is used, the higher the risk of exposure. Experts have expressed concerns about the level of security genetics companies can provide, with one expert going so far as to say that people who provide genetic information should be informed that a loss of privacy is likely, rather than unlikely. These concerns are not unfounded. This summer, the third largest genetics site, MyHeritage, announced that it had discovered a security breach leaking the email addresses and passwords of 92 million users. While genetic information was stored on a separate server, this breach served as a reminder that genetics sites are just as vulnerable to attack as any other platform or business that holds user data.