Trends in State and Federal Regulation of Consumer Genetic Testing

Troutman Pepper Locke

Direct-to-consumer (“DTC”) genetic testing companies face more scrutiny than ever over their privacy practices, security practices, and data use policies. In December 2023, 23andMe experienced a data breach affecting nearly 7 million users and has been forced to reevaluate its data security policies and answer consumers’ and investors’ questions as to what it will do differently to prevent this incident from repeating itself. In 2024, the Federal Trade Commission (FTC) reached a settlement with Vitagene, also known as 1Health.io, following a data breach; the settlement required Vitagene to strengthen its protections around genetic information.

As the use of DTC genetic testing companies continues to rise in the face of these large-scale data breaches, there has been movement to increase the federal and state protections over genetic data. Although the Genetic Information Nondiscrimination Act (“GINA”) limits the uses and disclosures of genetic data, it focuses on employment and health insurance, leaving gaps in broader data privacy concerns. In the absence of a strong federal landscape protecting genetic data obtained by DTC genetic testing companies, states are taking the lead. This QuickStudy serves as an overview of the legislative landscape regulating DTC genetic testing companies and predictions on where the legal landscape of DTC genetic testing companies will go.

Federal Landscape

There are federal laws that apply to genetic data; however, DTC genetic testing companies often fall outside the scope of these laws. The privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA) include individually identifiable genetic information as part of its definition of protected health information. However, many DTC genetic testing companies are not covered by HIPAA because they are not “covered entities” or “business associates” as they do not engage in electronic transactions with health plans. Congress passed GINA in 2008 to prevent employers and health insurers from discriminating based on genetic information. However, these protections do not apply to (i) life insurance, disability insurance, or long-term care policies, (ii) employers with fewer than 15 employees, or (iii) the military.

The Federal Trade Commission (“FTC”) has recently been active in overseeing DTC genetic testing. The Federal Trade Commission Act (“FTCA”) gives the FTC the authority to stop companies from making false claims about what their products do and to enforce the FTCA against companies that violate their own privacy policies.

In May 2023, the FTC issued a Biometric Policy Statement warning that false or unsupported claims about the accuracy or efficacy of biometric information technologies may violate the FTCA. Since announcing this policy statement, the FTC has settled two actions against sellers of DTC genetic testing kits, in both cases charging that the sellers of genetic-based products had inadequate data security.

States Stepping In

Increasingly, states are taking steps to regulate DTC genetic testing. On October 1, 2024, Alabama became the most recent state to implement a law regulating direct-to-consumer (“DTC”) genetic testing companies. In 2023, four states (Montana, Tennessee, Texas, and Virginia) enacted genetic privacy laws directly regulating this market. As of today, 13 states have enacted regulation of DTC genetic testing: Alabama, Arizona, California, Florida, Kentucky, Maryland, Montana, Nebraska, Tennessee, Texas, Utah, Virginia, and Wyoming.

Although there is some variation among the state statutes, the majority of the laws follow the same framework and impose the same or similar requirements on DTC genetic testing companies. These laws require that DTC genetic testing companies provide consumers with a high-level overview of the company’s policy on the collection, use, and disclosure of genetic data, and with a publicly available privacy notice. These entities are required to obtain their customers’ express consent before using their data for research, sharing it with a third party, or using it for targeted marketing. Customers must be given a method to access, delete, and destroy both their genetic data and what remains of their biological samples. Companies must implement a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure. Most of these laws prohibit DTC genetic testing companies from disclosing their data to insurers or employers.

States’ laws differ markedly in how they address disclosure of genetic data to law enforcement and government agencies. These disclosures are often requested by government agencies for the purpose of identifying criminal suspects, a practice referred to as investigative genetic genealogy. For example, Montana’s law requires a warrant to view data in a consumer DNA database. Maryland limits investigations based on the types of crimes the state is investigating. Many states simply require DTC genetic testing companies to provide a valid legal process for disclosing genetic data to law enforcement or other government agencies without a consumer’s express consent, but provide no additional details on what is required for a valid legal process.

Response to Policies

As more and more states are implementing laws directly regulating the DTC genetic testing market, some stakeholders have been quick to get on board. The Coalition for Genetic Data Protection, an organization made up of 23andMe and Ancestry, has been an advocate for the implementation of these laws and continues to push states to adopt their model law from a 2018 report issued by their partner organization. However, others feel like these laws miss the mark on adequate protection by failing to acknowledge that consumers are expected to read and understand company disclosures.

What is Coming?

The DTC genetic testing market was valued at $1.93 billion in 2023 and is expected to grow at an annual rate of 24.4% from 2024 to 2030. These companies are not going away and consumers are likely to continue to seek access to information about their genetic profiles, either for health reasons or family genealogy. Accordingly, we may see more states implementing laws that regulate these entities. Currently both West Virginia (HB 5110) and Indiana (SB 284) have pending legislation introduced at the beginning of 2024.

Further, it is possible we will see some additional activity from the federal government in the DTC genetic testing space. Between the FTC’s 2023 policy statement and its recent action against DTC genetic testing companies, it is likely that we will see the FTC continue to take action against companies that are providing inaccurate information or not complying with their own privacy policies.

DTC genetic testing companies should be aware of regulatory changes in data privacy and adjust their policies accordingly. Although most of the laws follow the same framework and have many of the same requirements, there are some differences between states, and DTC genetic testing companies must make themselves aware of these differences and ensure they are following the appropriate state regulations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Troutman Pepper Locke
