What is direct-to-consumer (DTC) genetic testing?  Think of a company like 23andMe. You, as a consumer, receive a saliva collection kit and return the DNA embedded in your saliva. In exchange, the company provides information about your genetics, such as your ancestry composition, health, and family tree.  For example, information about your health is based on whether your DNA includes genetic variants associated with the risk of developing a particular trait. 

There are many companies like 23andMe across the world, and an estimated 100 million individuals have undergone DTC genetic testing. The DTC genetic testing market is estimated to be approximately $1.5 billion, with the U.S. holding 43% of the market share. Some estimate that the market will surpass $5 billion by 2030.

This expanding database of genetic information raises serious privacy concerns. For example, should law enforcement be granted access to this data?  Although research suggests that consumers have reservations about law enforcement’s access to DTC genetic testing data, some companies have nonetheless voluntarily shared genetic data with the FBI. Recognizing the limitations of existing legislation, several state legislatures have acted to further safeguard consumer privacy rights. For example, Maryland’s Genetic Information Privacy Act, enacted in 2022, requires a company to provide consumers an overview of the company’s privacy policy and to obtain express consent from consumers in various circumstances—e.g., transferring or disclosing the genetic data to third parties or retaining a biological sample after the service is rendered.  

Does this Act sufficiently protect consumer privacy rights? Arguably not, given that the Act does not reach anonymized genetic data, which researchers have shown can be re-identified. But this inquiry gets more complicated when weighing the benefits of data sharing to advances in genetics research, such as to better understand human genetics and to develop personalized medicine as illustrated by the Human Genome Project.  For example, computational models predicting an individual-level risk score are much more well-powered with a greater sample size and heterogeneity of samples.  These models, used in both clinical and translational research, can benefit from accessing the wealth of genetic testing data.

To compromise these competing aims, legislators should adopt a data-centric approach, where different levels of protection are applied depending on the data's vulnerability to identification.  Genetic testing data comes in many different shapes and forms, from raw genotype data to summary statistics, each with varying levels of vulnerability.  For example, p-values obtained from analyzing across samples are not as vulnerable as a raw genotype data that can be used to identify an individual.  To some extent, Maryland’s Genetic Information Privacy Act does create varied levels of protection by distinguishing de-identified genetic data, but this is not enough.  Regulating less vulnerable genetic data may curtail scientific innovation; accordingly, legislators and regulators should pay special attention to the nature and character of particular genetic testing data.  During this process, lawmakers should also engage in active communication with the scientific community to better understand DTC genetic testing.