What is the U.S. doing to Regulate Direct-To-Consumer Genetic Testing and What Should it Do?
The direct-to-consumer genetic testing (DTC-GT) market has grown dramatically in popularity in recent years and is predicted to keep growing. The US DTC-GT market size has surpassed 3 billion USD and is expected to continue to grow at a compound annual growth rate of 25% from 2024 to 2030, according to a report by Grandview Research. This growth is underscored by the fact that nearly 100 million individuals have completed a DTC-GT (Santa Clara University). Amid this growth, recent data breaches have brought privacy concerns into the limelight. Yet there is still no sign of a comprehensive federal initiative, leaving states and companies to create patchworks. The current discourse on DTC-GT privacy concerns is still largely limited to academic journals, with a greater emphasis on the concerns that face consumers than on potential solutions. This article aims to provide a comprehensive overview of the privacy concerns arising from DTC-GT in the U.S., analyze current legislation, and outline key components for federal data privacy regulation.
Self Regulation Will Not Suffice
DTC-GT companies could make the argument that they are capable of self-regulation. Nonetheless, consistent empirical evidence illustrates otherwise. Many studies evaluated DTC-GT companies with shared characteristics, but in 2018 Hazel and Slobogin expanded upon previous work to create a comprehensive understanding of the data security practices of US-based DTC-GT companies across all categories of genetic data (Cornell Law Review). They found:
Over 40% of DTC-GT companies lacked a plan that outlined their genetic data storage policies, and the ninety companies studied largely fell short of consumer protection with regard to their self-regulatory framework. 73% of policies did not address ownership of genetic material or resulting data, or the commercialization of that data. 18% specified that the company retained the right to commercialize the consumer’s genetic data. Only 13% stated that the consumer retained ownership of their genetic material and its resulting data, but among those companies some went on to reserve the right to commercial products generated from the original data. 89% of companies made vague commitments to consumer data privacy, and 95% provided no information regarding the response to a potential security breach or whether consumers would even be notified. When it comes to sharing data, only 23% of companies explicitly stated that genetic information would never be shared with any third party for any purpose.
The companies’ self-imposed regulations make clear that individuals’ privacy is not central to their processes. Aside from abstaining completely, the consumer’s input is limited to the consent they provide.
Unfortunately, 99% of consumers don’t read several sections of the terms and conditions, some of which allow data to be disclosed to third parties regardless of whether consent is given (DNATestingChoice).
The gap between consumers’ understanding of consent terminology and its actual implications is particularly well illustrated by a study of Canadian DTC-GT consumers, who commonly expected their genetic data to be destroyed after analysis, whereas the majority of companies state that samples will be stored by default (Cornell Law Review).
Current Legal Framework
The current legal framework is largely a patchwork, with little consistency or enforceability.
Federal
While federal laws such as the Common Rule and HIPAA aim to protect individuals’ privacy, traditional methods of anonymization are difficult to apply because of the uniqueness of genomic data. HIPAA doesn’t even apply to DTC-GT, since there is no physician directly involved.
The three primary federal agencies responsible for genomic data are as follows.
Supreme Court
According to a Note in the Houston Law Review that explores the relation between DTC-GT and the Fourth Amendment, the Supreme Court and the Legislature haven’t yet addressed whether genetic information obtained through DTC testing is protected by the Fourth Amendment (protection against unreasonable searches and seizures, but with an exception for law enforcement). The Note examines the decision in Carpenter v. United States in particular to understand how the Supreme Court could address Fourth Amendment concerns in genetic testing, and concludes that the Judiciary should either choose not to extend the third-party doctrine to DTC-GT or abolish it entirely. Both options will do little for consumers’ privacy unless the Supreme Court determines that genetic information is protected under the Fourth Amendment. It’s possible, but given the enormous potential for market leadership and the exponentially growing market, it’s unlikely that the Supreme Court will arrive at such a decisive ruling before the tests have even reached their maturity phase.
UPHOLD Privacy Act
U.S. Senators Amy Klobuchar, Elizabeth Warren, and Mazie Hirono introduced legislation to expand protections for consumers’ health data. It was introduced in the Senate in March 2023.
This bill restricts the collection, retention, use, and disclosure of personal health data by certain commercial entities (as well as individuals, nonprofits, and common carriers). The bill does not apply to health providers, insurance plans, or related business associates that are subject to the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Specifically, commercial entities may not collect, retain, use, or disclose personal health data except (1) with the express written consent of the individual to whom such information relates, or (2) as is strictly necessary to provide a requested product or service. Such entities must (1) provide a reasonable means for individuals to access and delete their health data, and (2) maintain and publish a privacy policy disclosing their practices for handling personal health data.
Additionally, the bill prohibits commercial entities from using personal health data for commercial advertising.
The bill also prohibits the sale of location data to or by data brokers, including data volunteered by an individual, data derived from a medical center, data from a wearable fitness tracker, and data from web browsing history.
The UPHOLD Privacy Act appears to tackle the root of the problem while still allowing genomic research to advance. However, its flexibility fails to provide valuable privacy protections. The vague consent caveat would create a false illusion of consumer understanding. Even if a consumer is able to delete their health data from the DTC-GT company’s servers, what about the non-advertising third parties that already have access to it? What are the standards for the privacy policy? The location data provision was a timely touch after the overturning of Roe v. Wade, but its limited scope also offers limited value.
Changes that Ought to be Made to Legal Framework
What Can We Learn From Regulatory Frameworks?
The U.S. may lead the way in innovative DTC-GT companies, but the European Union (EU) leads the way in regulation. In 2018, the EU’s General Data Protection Regulation (GDPR) took effect, applying to all companies processing some form of data of EU citizens. The GDPR specifies particular policies for genetic data, since it is considered sensitive data, which makes its processing subject to adequate safeguards. The key protections for genomic data under the GDPR are explicit consent, minimization of data collection, consumers’ rights to access and to be forgotten, data portability, and security.
An Article by Perumal from the Notre Dame Journal of International & Comparative Law notes that the GDPR is quite similar to the CCPA, Virginia Consumer Data Protection, and the New York Privacy Act. Hazel and Slobogin note in their Article in the Cornell Law Review that a majority of DTC-GT companies are based in CA or NY, and are technically already subject to regulation similar to the GDPR. So why are these regulations not as effective as intended? I argue it is the challenges in enforcement, and ambiguity that companies exploit.
According to Gassner from the UCI Law Review, while legislation such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) could serve as a legal framework for broader federal legislation, more specific regulations are needed under the CCPA and CPRA aimed at protecting privacy while balancing government and business interests. Perumal’s comparison of the state legislation below provides a helpful overview as we examine the loopholes in current legislation and create a federal framework.
| | GDPR | CCPA (as modified by the CPRA) | Virginia Consumer Data Protection Act | New York Privacy Act | Washington Privacy Act |
|---|---|---|---|---|---|
| Citation | Commission Regulation 2016/679, 2016 O.J. (L 119) (EU) | Cal. Civ. Code § 1798.100—1798.198 | Va. Code Ann. § 59.1-571—59.1-581 | New York Privacy Act, 2021, N.Y. Gen. Bus. Law §§ 1100–1110 | Washington Privacy Act (Washington S.B. 5062) |
| Purpose of the Law | To protect natural persons with regard to the processing of personal data and lay down the rules relating to the free movement of personal data | Provide consumer rights to “request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected” (§ 1798.140(a)) | “Establishes a framework for controlling and processing personal data in the Commonwealth” | “Enacts the NY privacy act to require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared; creates a special account to fund a new office of privacy and data protection.” | Protect the fundamental right to privacy, an essential element of Washington residents' freedom |
| Who is Regulated? | Any entity that targets or collects data on data subjects | Businesses collecting data from 100k households, or deriving 50% of revenue from selling personal information | Businesses processing personal data of 100k consumers, or businesses that control or process personal data of at least 25k consumers and derive 50% of revenue from the sale of personal data | Legal entities that conduct business in New York state, or produce products or services that are intentionally targeted to residents of New York state | Legal entities that conduct business in Washington, or produce products or services that are targeted to residents of Washington, and (1) control or possess data of 100k or more consumers, or (2) derive 25% of gross revenue from the sale of personal data |
The GDPR applies to any data-collecting entity, whereas the U.S. state regulations target larger businesses or businesses whose revenue is derived from selling personal data. While a general federal data privacy framework perhaps shouldn’t be universally applicable, since it may place disproportionate burdens on smaller businesses and introduce enforcement challenges, DTC-GT companies and similar entities ought to be treated as an exception because of the unique and valuable nature of their data. The rights of an individual under the CCPA and the GDPR don’t vary greatly, although the CCPA only provides a private right of action for data breaches. The violation penalties, however, vary significantly, and are negligible for DTC-GT companies in the US.
The GDPR isn’t ironclad, though. It states that the data protection regulations “should not apply to anonymous information,” and that whether data is non-identifiable is judged by taking into consideration all the means that could reasonably be used to identify a natural person (Recital 26). A key question is whether genetic data can always be considered identifying. A 2013 study illustrates how genomic data can be de-anonymized when paired with other databases containing supplemental genealogical information and publicly available records. Even the GDPR hasn’t properly addressed this, but in coming years, as widespread breaches de-anonymize data, policies will have no choice but to incorporate more specific technical frameworks and regulatory guidelines.
What Do People Want?
How Do They View DTC-GT?
- People are willing to share their data for research purposes.
- Their most prevalent concerns are:
  a. Privacy concerns: studies confirm that the lack of security and access to personal information, and the potential for parties to collect unnecessary data, are the two most common risks selected by patients with rare disease and carers (72.6% and 50.3%, respectively).
  b. Interpretability and impact of results.
  c. Potential disruptions due to results.
- They are more comfortable sharing their DTC-GT results with academic institutions than with third parties.
These concerns can be readily fixed. Consumers are not necessarily demanding the strictness of the GDPR. But they do desire more control and transparency.
DTC-GT companies want their shareholders to be happy. But they are slowly changing. After 23andMe’s data breach and a tanking stock, the company “just realized that our business really runs on the trust of our customers”.
Key Components of a Comprehensive Legislation Framework
We’ll use the two primary values from the National Human Genome Research Institute as the guiding principles:
- Share Data Broadly to Maximize Use for Ongoing Scientific Exploration
- Protect Research Participants’ Privacy
The Institute acknowledges that DTC-GT is subject to limited regulation, and that no federal laws guard against sharing individuals’ genetic information with third parties or provide support for consumers once they download or upload their genetic data. The following framework follows Gassner’s legislation overview structure to illustrate a potential framework for US privacy legislation for genetic data.
Purpose of the Law:
To protect people’s genomic data and allow them control over how their data is collected, processed, and shared.
Who is Regulated:
Any business that collects genomic data.
Who is Protected:
Any natural person residing in the US.
Individual Rights:
- Access to one’s data: Individuals have the right to access their genomic data held by businesses.
- Right to Delete: Individuals can request that their data be deleted from a company’s records.
- Right to be Forgotten: Ensuring that once data is deleted, it cannot be recovered or used.
- Restriction of Processing: Individuals can limit how their genomic data is processed.
- Non-discrimination: Ensuring fair treatment regardless of a person’s genomic information.
- Data Portability: Individuals can move their data from one service provider to another.
- Not to be subject to automated decision-making: Protecting individuals from decisions made without human oversight.
- Opt-out for particular purposes (advertising): Giving individuals the choice not to have their data used for advertising.
I would also add more to consent and propose that it follows the principles outlined by the World Economic Forum. Particularly, it must be explicit, explainable, and transparent. The implications of data sharing and of the data analysis must be clearly outlined. Nearly all companies in the space obtain consent, but it is rarely explicit and explanatory.
Enforcement Private Right of Action:
Yes - particularly during data breaches.
Enforcement Violations:
Suggested penalties range from 0% to 4% of annual turnover.
For context, after its data breach, 23andMe’s stock price fell, and CNBC reports that for its full fiscal 2024 the company expects to report between $215 million and $220 million in revenue, about $25 million short of what it guided last quarter. It is facing 30 class action lawsuits following the leak of sensitive information on 6.9 million individuals, and has spent about $2.7 million paying it back, just ~1% of its annual turnover (CNBC article).
Privacy Protections Limitations on Data Sharing:
It’s unclear exactly how much DTC-GT companies rely on data sharing, but it’s significant and unrealistic to outright ban sharing. Nonetheless, explicit consent from consumers and offering the option for them to limit purposes for which the data can be used appears feasible.
Security Breaches:
- Mandatory security protocols: Requiring security protocols including encryption, regular audits, and a robust technical framework to boost public trust.
- Immediate Breach Notification: Requiring companies to notify individuals and regulatory bodies immediately after a data breach occurs.
- Incident Response Plans: Companies should have developed, standardized, and regularly tested incident response plans.
Transparency Reporting Requirements:
Companies should be mandated to publish transparent reports on data use, sharing practices, and prior incidents, ensuring accountability and promoting public trust.
Now more than ever the need for some regulation aimed at protecting individuals’ genetic data is apparent to consumers, governments, and companies. By integrating these measures, privacy legislation for genomic data for DTC-GT can offer a balanced approach that allows for innovation and business growth while ensuring rigorous privacy protections and transparency for consumers.