Genetic Data and Privacy: The US Debate Over DNA Testing Companies
Genetic testing has surged in popularity over the past decade. Millions of Americans have mailed saliva samples to companies such as 23andMe and AncestryDNA to learn about their ancestry, health risk factors, and family connections. But as genetic testing becomes mainstream, serious concerns have arisen over the privacy and security of genetic information collected by these firms. What happens to your DNA data? Who controls it? And how does U.S. law protect you? This article explores the ongoing U.S. debate over genetic data privacy, highlighting legal gaps, recent controversies, and expert perspectives.
Why Genetic Data Privacy Matters
Your DNA contains deeply personal information about your health, family history, and biological identity. Unlike a credit card number that can be replaced, your genetic code is permanently unique. Once this information is collected, it could be:
- Used for medical research
- Shared with third parties
- Accessed by law enforcement
- Transferred or sold during corporate transactions
- Exploited by bad actors if breached
These concerns have intensified as companies accumulate vast databases of consumer genetic profiles, often without meaningful federal law governing what can be done with that data.
The U.S. Legal Framework: What Protects (and What Doesn’t)
Unlike Europe’s GDPR, the United States lacks comprehensive federal genetic privacy legislation. The result is a patchwork of laws with significant gaps.
Key Laws and Limitations
| Law / Regulation | Applies To | Key Protection | Limitations |
|---|---|---|---|
| HIPAA | Health providers, insurers | Protects medical records | Does not apply to consumer genetic testing companies |
| GINA (Genetic Information Nondiscrimination Act) | Employers & health insurers | Prohibits discrimination | Does not cover life insurance, disability, long-term care |
| FTC Act (Section 5) | All commercial entities | Prohibits deceptive practices | Only regulates companies’ privacy claims, not specific genetic privacy standards |
| State Genetic Privacy Laws | Varies by state | State-level protections | Inconsistent coverage across states |
Federal Protections Are Limited
Most consumer genetic testing companies are not covered by HIPAA, meaning they are not legally required to maintain the same level of data protection as hospitals or doctors. Instead, consumers rely on private terms of service and privacy policies, which can change over time.
To address gaps, U.S. Senators introduced the Genomic Data Protection Act to give citizens the right to delete their genomic data and destroy biological samples from testing companies. This bill reflects growing concern about what happens to DNA data, especially if a company changes hands or goes bankrupt.
Real-World Case Study: 23andMe and the Privacy Fallout
One of the most prominent examples underscoring the debate is the situation with 23andMe, once a Silicon Valley darling. After filing for Chapter 11 bankruptcy in 2025, the company’s database of genetic data from more than 15 million users became part of its assets, potentially subject to transfer to a new owner.
Privacy Concerns and Consumer Alerts
- The California Attorney General issued a warning urging customers to delete their genetic profiles and destroy remaining biological samples to retain control over their data.
- Attorneys General in several states encouraged users to regularly review and withdraw consent for secondary research.
- Members of Congress demanded transparency from potential buyers of 23andMe regarding how they would maintain privacy protections originally promised to users.
This high-profile episode illustrates a core privacy dilemma: consumers may opt in under one set of terms, but those terms may not survive corporate restructuring or sale.

Public Opinion and Law Enforcement
Public attitudes toward genetic privacy are mixed. According to a Pew Research Center survey:
- 48% of Americans found it acceptable for DNA testing companies to share data with law enforcement to help solve crimes.
- One-third said it was unacceptable.
The use of consumer genetic databases in solving cold cases—such as identifying the “Golden State Killer”—demonstrates the potential public safety benefits but also sparks debate about privacy versus justice.
Common Genetic Data Privacy Risks
Understanding the actual risks is essential for informed decision-making.
Top Genetic Data Privacy Risks
- Corporate Data Sharing and Consent Issues
Companies may use genetic data for internal research or share it in de-identified form, often under broad consent terms.
- Data Breaches
Genetic companies are not immune to cyberattacks. A 2023 breach at 23andMe exposed millions of users’ data, underscoring the real danger.
- Ownership Changes
Bankruptcy sales or acquisition deals can change how data is governed, as seen with 23andMe’s restructuring.
- Third-Party Sharing
Some companies share information with researchers or commercial partners, sometimes without granular opt-out options.
What Consumers Can Do
If you’ve submitted DNA to a direct-to-consumer company, consider these expert recommendations:
- Review your privacy settings regularly.
- Delete your genetic profile if you no longer want it stored online.
- Request destruction of physical samples when possible.
- Download your raw data personally so you retain control over an offline copy.
Taking these steps can help mitigate privacy risks, especially when contracts or company status change.
Further Reading
This article references authoritative information from:
- Genome.gov on genetic privacy issues and policy context.
https://www.genome.gov/about-genomics/policy-issues/Privacy
- GovFacts on what federal laws do and do not protect regarding genetic data.
https://govfacts.org/tech-innovation/digital-rights-privacy/data-privacy/can-dna-testing-companies-sell-your-genetic-data/
Frequently Asked Questions (FAQ)
What personal genetic information do DNA testing companies collect?
Most companies collect raw DNA sequences, ancestry markers, and health-related markers (if you consent). This data can reveal disease risks, genetic traits, and familial relationships.
Is my genetic data protected by HIPAA?
No. Consumer DNA testing firms are generally not covered by HIPAA, so your genetic information may not have the same privacy protections that medical records enjoy.
Can companies sell my genetic data?
In the U.S., no federal law broadly prohibits this. Many companies state in their privacy policy that they will not sell data without consent, but policy terms can change and may be affected by corporate transactions.
What rights do I have to delete my genetic data?
Some states have laws that allow you to request deletion. Federal proposals like the Genomic Data Protection Act seek to give broader rights to individuals, but implementation is still pending.
Are law enforcement agencies allowed to access genetic databases?
Some companies permit use of their databases by law enforcement under specific conditions (e.g., with a warrant), but policies vary between firms.
The intersection of genetic data and privacy in the United States highlights a complex debate balancing innovation, personal privacy rights, public safety, and commercial interests. While consumer DNA tests offer unprecedented personal insights, they also expose deeply sensitive information to potential misuse. With current gaps in federal regulation, consumers must stay informed and proactive about how their genetic data is handled. As legislative efforts continue, and as high-profile cases (like 23andMe’s restructuring) evolve, genetic privacy remains one of the most important digital privacy issues of our time.


