Claire Rowe
Associate Editor
Loyola University Chicago School of Law, JD 2026
A recent situation involving millions of 23andMe users has raised significant concerns about data privacy and regulatory oversight. After sending a small tube of saliva to uncover ancestral roots, many individuals discovered that their genetic data had been compromised. 23andMe has transformed genetic testing by offering accessible health and ancestry information to consumers from the comfort of their homes. Since its inception, the company has faced regulatory challenges and became the first direct-to-consumer genetic genealogy test to receive FDA approval. While the company has largely avoided legal trouble over the years, recent data breaches have sparked legal action and underscored gaps in consumer protection.
The rise of 23andMe: a new era in genetic testing
23andMe specializes in genetic testing for ancestry, health, and traits, through various testing formats. The company launched its consumer test in 2007, initially available only to U.S. buyers at a steep price of $1,000. A year later, it expanded its reach, marketing the test internationally with the goal of empowering users to access and monitor their own health data without needing to visit a lab. The company began advertising its Personal Genome Service (PGS), promoting it as a $99 product that would allow customers to identify their risk for diseases, assess inherited health conditions in their children, understand personal genetic health risks, and even predict their response to certain medications. At the time, this was information that could be revealed only through lab testing, which caught the attention of federal authorities.
In 2013, the U.S. Food and Drug Administration (FDA) publicly ordered 23andMe to halt the sale and marketing of its genetic tests. The FDA expressed concern that 23andMe had not provided evidence that its PGS tests were “analytically or clinically validated for their intended uses.” The FDA wanted to ensure the tests’ accuracy and consumers’ ability to interpret results without the need for a doctor. Afterward, 23andMe limited its offerings to ancestry reports until 2015, when the company rebranded.
In October 2015, 23andMe launched the FDA-approved “23andMe Experience,” which became the first and only direct-to-consumer genetic service available at that time. According to press releases, the company worked closely with regulators to bring this product to the market. The FDA evaluated data for 23andMe’s genetic health risk (GHR) tests through a regulatory process designed for novel, low-to-moderate-risk devices that have no substantial equivalent on the market. The FDA also implemented additional controls that ensure the accuracy of the tests and provide clarity regarding consumer expectations. After this launch, the genetic testing industry experienced rapid growth. The number of individuals who had their DNA analyzed through direct-to-consumer genetic genealogy tests more than doubled in 2017, surpassing 12 million.
The data privacy suit and available legal avenues
In 2023, 23andMe informed customers that hackers had accessed the ancestry data of 6.9 million connected profiles through approximately 14,000 compromised accounts. The breach involved sensitive personal information, including location data, ancestry reports, DNA matches, photos, family names, and other confidential details. While 23andMe notified users of the breach in October, it wasn’t until December that the company disclosed the full extent of the incident, confirming the impact on 6.9 million profiles.
In response, dozens of proposed class action lawsuits were filed against 23andMe in various states, alleging that the company failed to adequately protect user information and neglected to inform certain users that individuals of Chinese or Ashkenazi Jewish heritage were specifically targeted. These lawsuits were based on several state laws, including privacy and trade practice legislation. Eventually these were consolidated in federal court where 23andMe agreed to settle for $30 million, though the company did not admit to any wrongdoing.
The data privacy lawsuit against 23andMe highlights significant gaps in legal protections for consumers of genetic testing services at the national level. Since 23andMe is not classified as a healthcare provider, it is exempt from HIPAA regulations, a heavily enforced protection for consumers and patients. As a result, state privacy laws have become the primary basis for litigation. This raises several key questions: Should 23andMe be required to comply with HIPAA protections? Should the company do more than simply disclose risks in fine print or terms and conditions? Or, given the rapid growth of the genetic testing industry in recent years, should new legislation be enacted to address industry-specific security concerns?
Because customers are using medical-grade laboratory testing materials that produce individualized health results, 23andMe and similar companies should be required to abide by HIPAA regulations. The primary purpose of HIPAA is to protect sensitive health information, and whether or not 23andMe is an insurance company should not be relevant. Requiring compliance with HIPAA would incentivize these companies to better protect this information, reducing the burden on customers to decipher ambiguous fine print until stronger legislation is enacted.
In the meantime, the Department of Justice (DOJ) and regulatory bodies such as the FDA and Federal Trade Commission (FTC) must take greater action to hold 23andMe and the broader genetic testing industry accountable. The lack of regulatory investigations and consequences for data privacy issues raises serious concerns about accountability in a growing digital landscape. Current litigation efforts appear inadequate, particularly given 23andMe’s refusal to admit wrongdoing in its settlement, which undermines the very purpose of litigation: to ensure accountability and remedy misconduct.