Begun in 1990, the Human Genome project had the goal of generating the first sequence of the human genome. By 2003, 92% of the genome was mapped and it was declared complete, while the final assembly was completed in January 2022. Today, anyone can download the complete sequence of a human genome from the National Library of Medicine's website.

The increased knowledge of human genomics — and the genomic data that powers it — has led to the development of a host of new health- and wellness-related services. These range from precision medicine, whereby therapies are tailored to an individual's particular gene profile, to customized diet and exercise regimens, i.e., precision nutrition, to the identification of one's ancestry and long-lost relatives. Genomic data is also used to power innovation in vaccine development, pharmaceutical manufacturing, biofuel development and agriculture, to name just a few emerging domains of use.

Yet, the collection and use of genomic data has eclipsed many information privacy laws and principles designed prior to the advent of things like direct-to-consumer genetic testing services. While the DNA of privacy is evolving in the digital era, the privacy of DNA has not kept pace. Given these developments, U.S. state and federal authorities as well as international regulators have been making data privacy in genetic testing a priority through lawmaking, enforcement actions, guidance and other initiatives.

State genetic privacy laws

Numerous laws at the state level deal with genetic data and testing. Many of these laws prohibit genetic discrimination in areas like employment and health, life and disability insurance. California's Genetic Information Nondiscrimination Act, for example, prohibits genetic discrimination in sectors such as housing, employment, education, mortgage lending and public accommodations.

In addition, state-level proposals have been advanced to establish some form of property rights in one's genetic material. Yet, the landmark decision by the Supreme Court of California in Moore v. Regents of the University of California limited patients' claims to property rights in their cell lines that have been commercialized by researchers and universities.

State-level laws on genetic privacy have perhaps the most storied history. One of the oldest state laws on genetic privacy, Illinois' Genetic Information Privacy Act, has remained "largely dormant" over its 25-year history. Illinois legislators passed the law in 1998 to protect genetic testing and genetic information and amended it in 2008 in accordance with the federal Genetic Information Nondiscrimination Act of 2008.

Yet, in 2023, over 50 GIPA complaints were filed, with new ones continuing to appear into 2024. Statutory damages under GIPA are steeper than under its much better-known counterpart, the Illinois Biometric Information Privacy Act. Each intentional violation of GIPA may be met with fines of USD15,000, while each negligent violation can be met with fines of USD2,500, compared to USD5,000 and USD1,000 for BIPA, respectively. While GIPA plaintiffs prior to 2023 mainly focused on at-home DNA test kits, more recent cases have dealt with preemployment physicals and inquiries about basic family medical history, which they argue fall within GIPA's scope. It is also important to note BIPA exempts any "biological materials" already regulated under GIPA from its scope.

Moreover, state-level genetic privacy laws have continued to see passage over the past few years. Arizona's 2021 law on the confidentiality of genetic testing results generally prohibits disclosure of genetic testing information except under certain circumstances. Also passed in 2021, Utah's Genetic Information Privacy Act is the most recent of such state laws. Among other things, it requires direct-to-consumer genetic testing companies to:

  • Provide consumers clear information regarding their collection, use and disclosure of genetic data and a publicly available privacy notice.
  • Obtain consumers' consent for the collection, use and disclosure of their genetic data.
  • Provide protection for such genetic data, and allow consumers to access and delete their genetic data.

The states of Nevada and Alaska also have comprehensive genetic privacy laws, which prohibit the collection, retention and disclosure of genetic data without prior consent from the individual.

Comprehensive state privacy laws applicable to genetic testing

All but a few states that have passed a comprehensive privacy law consider genetic or biometric data used for the purposes of identifying a unique individual as a type of sensitive information. While this definition is limited, at least five states — California, Delaware, Maryland, New Hampshire and Oregon — define any genetic or biometric data as sensitive information. In practice, this means these state privacy laws impose additional obligations on any companies that process genetic data. Generally, these include requiring consent for its collection and processing and for conducting data protection assessments. Additional guardrails with respect to sensitive information are in place in Maryland, where a data minimization requirement and a prohibition on its sale are in place.

In addition to comprehensive state privacy laws, state-level consumer health laws, such as Washington state's My Health, My Data Act, bring genetic data within their scope by including it in their definitions of consumer health data and extending their protections to it. Nevada and Connecticut have also joined the ranks of states passing consumer health data privacy laws, which extend protections to genetic data.

FTC policies and enforcement actions around genetic data

The U.S. Federal Trade Commission's policy on the use of genetic data is driven by its policy statement on biometric information and Section 5 of the FTC Act, released in May 2023. The statement reflects the FTC's most recent thinking on the collection and use of consumers' biometric information — of which genetic information is a subset — across various technologies. Derived from its relevant complaints and settlements on deceptive and unfair business practices involving biometric information over the past decade, the policy statement lays out principles companies should follow. These principles set out what the FTC expects of businesses regarding their collection and use of biometric information, including assessment of foreseeable harms to consumers, mitigation of known or foreseeable risks, evaluation of the practices and capabilities of third parties, provision of appropriate training for their employees and contractors, and ongoing monitoring of technologies used in connection with biometric information.

Several of the FTC's enforcement actions in the broader area of biometric information concern genetic data more narrowly. These include GeneLink, 1Health/Vitagene and CRI Genetics.

GeneLink

Settled back in 2014, GeneLink potentially marks the FTC's first consent agreement with a company for allegations of failing to protect sensitive genetic data. GeneLink is a Florida-based biosciences company that offers "genetically-guided health, beauty, and wellness solutions." It purports to customize nutritional supplements and skincare products for customers based on their genetic profiles. Customers are first provided an at-home cheek swab kit, which they then return to the company for processing by a third-party laboratory for analysis of genetic variations known as single nucleotide polymorphisms. Depending on the results of this analysis, GeneLink then recommends various dietary supplements and skincare products.

While the bulk of the FTC's complaint against GeneLink dealt with allegations that the company made false or misleading statements, it also alleged GeneLink "failed to provide reasonable and appropriate security for consumers' personal information" and prevent unauthorized access. These alleged lapses in data security revolved not only around the genetic information it collected but other kinds of personal information from consumers, including their names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, bank account numbers and credit card numbers. The FTC also alleged the company failed to provide reasonable oversight of third-party service providers as well as limit employees' access to consumers' personal information.

While the consent order did not impose any monetary penalties on GeneLink, it prohibited the company from continuing to make misleading claims that its products can treat or reduce the risk of any diseases without validating such claims through a randomized controlled trial. It also required the company to establish comprehensive data security programs and submit to independent security audits every other year for 20 years.

1Health.io/Vitagene

In June 2023, the FTC charged 1Health.io, formerly known as Vitagene, with leaving sensitive genetic and health data unsecured, deceiving customers about data deletion, and retroactively changing its privacy policy without providing notice and obtaining consent.

The FTC's complaint faulted the company for not conducting data mapping on its inventory of genetic data, which allegedly led to some data being available in public cloud storage. The complaint also alleged the company failed to use access controls, encrypt publicly accessible data, monitor access and remedy the problem after being warned of it. Moreover, it alleged 1Health.io retroactively changed its privacy policy without providing sufficient notice or obtaining consent from consumers whose data it had already collected.

In the proposed settlement, the company was ordered to enhance its protections for genetic information and require third-party contract laboratories to destroy any consumer DNA samples they had retained for more than 180 days.

CRI Genetics

Southern California-based CRI Genetics provides DNA testing kits for the identification of one's "health, ancestry, and traits." A joint enforcement action between the FTC and the California attorney general, FTC and the State of California v. CRI Genetics resulted in a settlement of allegations that it misled consumers about its genetic testing services, presented false and misleading consumer reviews and engaged in deceptive billing practices.

The FTC's settlement with CRI Genetics required the company to halt its deceptive practices and provide consumers with a right to delete their biometric information. It also included a USD700,000 civil penalty.

International guidance and enforcement

Other international data protection authorities are also paying closer attention to the issue of genetic testing. In March, France's DPA, the Commission nationale de l'informatique et des libertés, called for increased vigilance, given that genetic testing websites not only collect and process genetic samples, but also significant amounts of other sensitive personal data through supplementary questionnaires.

Guidance from the CNIL states genetic testing can only be performed under specific circumstances, such as in the context of a judicial investigation, to advance medical care or for research purposes. Even with the individual's consent, the processing of genetic data for recreational purposes is prohibited, with fines of up to EUR3,750 for individuals purchasing such tests and up to EUR15,000 and one year in prison for persons or companies offering such tests.

In addition to privacy concerns, data security incidents have also motivated more involvement from international regulators in genetic testing. In October 2023, the genetic testing company 23andMe first revealed a threat actor had accessed certain profile information that customers had shared using its DNA Relatives feature. In December 2023, 23andMe disclosed that the threat actor had accessed approximately 14,000 user accounts, using those credentials to access the information of 6.9 million profiles connected to one of the compromised accounts. In response to the breach, the company began to require all users to use email two-step verification.

In June 2024, the privacy commissioner of Canada and the U.K. Information Commissioner's Office announced a joint investigation into 23andMe. The investigation is set to examine the scope of information exposed in the breach, what safeguards the company had in place to protect sensitive information and whether the company provided adequate notification about the breach to consumers and the two regulators.

What companies can do to protect genetic data

With an increasingly strict compliance landscape taking shape around genetic privacy — from evolving U.S. state-level private suits to joint state and federal enforcement efforts as well as investigations by international regulators — there are several steps companies can take to better protect the genetic data they collect and process.

First, companies can carefully map out what genetic data they collect directly or through a third party and consider whether the information is necessary to provide a requested product or service to a user. Second, they can provide adequate information on the types of genetic data collected and the purposes for which it is used. Third, companies can ensure adequate data security practices and procedures are in place for genetic data, as well as for any additional types of sensitive information they collect. Last but not least, genetic testing companies and others that handle any data within the broader bioeconomy should stay up to date with the increasingly complex array of U.S. state, federal and international rules regulating the use of genetic data.

Conclusion

Direct-to-consumer genetic testing has introduced a swathe of new privacy risks for individuals. The genetic testing industry also has unique market incentives to further monetize the data collected. Given that DNA test kits are one-time-use products that will inevitably saturate the market, genetic testing companies have pursued data licensing agreements and drug discovery to build sustainable business models.

While each individual's genome or full complement of DNA is unique to them, variants within that genome can be commonly shared not only with biological relatives, but across the global population. This dual character of genetic information "as a uniquely individual assemblage of widely shared common elements" makes policy discussion of the private/public nature of such information particularly complex. It is not without reason that regulators, lawmakers and policymakers are paying particular attention to genetic data as innovation in the bioeconomy continues.

Müge Fazlioglu is the principal researcher, privacy law and policy, at the IAPP.