Last updated 2 months ago. Our resources are updated regularly but please keep in mind that links, programs, policies, and contact information do change.
Americans have mailed over 26 million saliva samples to private companies, paying $79 to $249 each to learn about their ancestry and health risks. What most don’t realize is that their genetic information has become the foundation of a multi-billion dollar industry built on selling that data to pharmaceutical companies.
The promise is simple: spit in a tube, mail it back, and discover your family history or genetic health risks. The reality is more complex. While you pay once for the test kit, companies like 23andMe and Ancestry make far more money by licensing your genetic information to drug companies and researchers.
Companies market privacy and personal discovery to consumers while building their profits on large-scale data monetization. The result is a regulatory gap where your hospital records receive federal privacy protection, but your genetic data held by testing companies operates under weaker consumer protection laws.
The $4.5 Billion Genetic Testing Market
The direct-to-consumer genetic testing industry has exploded from a niche market into a major economic force. In 2024, the U.S. market was valued between $0.91 billion and $1.9 billion, depending on the analyst. Industry projections show the market reaching $4.3 to $4.52 billion by 2034, with growth rates between 8.6% and 18.12% annually.
North America dominates this global market, commanding an estimated 62% of worldwide sales in 2024. The United States leads this expansion, driven by growing health consciousness and the convenience of at-home testing.
Technology Makes Testing Cheaper
The cost of genetic sequencing has fallen dramatically. A human genome that cost approximately $1 million to sequence in 2007 costs around $600 today. This price drop came from innovations in next-generation sequencing and microarray-based SNP chips, transforming genetic analysis from complex laboratory science into mass-market consumer products.
Market Concentration
Five companies control about 55% of the market, with Ancestry and 23andMe leading the pack. Ancestry operates the world’s largest consumer DNA network with over 20 million users. These companies compete by building massive proprietary databases and offering services ranging from carrier testing for genetic diseases to ancestry and relationship matching.
How Companies Profit From Your DNA
The test kit is just the entry fee. The real money comes from what companies do with your genetic data after you send in your sample.
Industry analysis shows that major genetic testing companies generate hundreds of millions of dollars primarily from selling access to customer data, not from kit sales. This data business can yield returns several times greater than the initial test purchase.
Pharmaceutical Companies Pay Premium Prices
The primary buyers are pharmaceutical companies and biotech research institutions. These organizations need large, diverse genetic datasets to accelerate drug development. They use this information to understand disease mechanisms, identify new drug targets, find new uses for existing medications, and predict potential safety issues.
The landmark 2018 partnership between 23andMe and pharmaceutical giant GlaxoSmithKline illustrates this model clearly. GSK invested $300 million in 23andMe for exclusive access to the company’s research platform, built on aggregated, de-identified data from millions of customers who consented to participate in research.
This collaboration has initiated over 40 genetically validated drug discovery programs in GSK’s portfolio. The partnership helped identify thousands of carriers of a rare LRRK2 gene mutation linked to Parkinson’s disease, a group that would have been nearly impossible to assemble through traditional research methods.
Your Genetic Data Has a Price Tag
The 23andMe-GSK deal provides insight into the monetary value of individual genetic data. The partnership, involving data from over 5 million people, valued a single person’s exome at approximately $60 in 2018.
Two years later, when private equity firm Blackstone acquired Ancestry.com and its database of 18 million subscribers for $4.7 billion, that implied value jumped to around $250 per exome.
This reveals the fundamental nature of the transaction: consumers pay to provide companies with their most valuable raw material. The customer becomes both the buyer and the product.
Privacy Policies: What Companies Promise
Understanding a company’s privacy policy is critical for protecting your genetic information. Marketing materials emphasize user control and security, but the legally binding terms of service dictate how data is actually handled.
Here’s how the two market leaders, 23andMe and Ancestry, handle key privacy issues:
Policy Area | 23andMe | Ancestry |
---|---|---|
Data Sharing with Third Parties | Does not sell, lease, or rent individual genetic data without explicit consent. Shares with service providers, affiliated companies, and in mergers/acquisitions. Prohibits sharing with insurers or employers without consent. | Does not share individual genetic data with third parties without additional consent, except with service providers and affiliated companies. Prohibits sharing with insurers, employers, or marketers without express consent. |
Research Consent | Opt-in model. Users must provide explicit, separate consent for research participation. Data is de-identified. Users can withdraw consent for future research anytime. | Opt-in model. Users must agree to separate research consent document. Consent can be withdrawn, but data cannot be removed from ongoing or completed studies. |
Law Enforcement Requests | Requires valid legal process. Scrutinizes all requests and notifies affected users unless legally prohibited. Has not released customer data to law enforcement to date. | Requires valid legal process. Will not voluntarily cooperate with law enforcement. Prohibits law enforcement from using services for investigations. Notifies users unless legally prohibited. |
Data & Sample Deletion | Users can permanently delete accounts and all data through account settings. Physical samples can be destroyed upon request. | Users can permanently delete test results from account settings. Physical sample destruction requires separate request to Member Services. |
The Fine Print Matters
Both companies’ policies allow wholesale transfer of all user data, including genetic information, to new entities in mergers, acquisitions, or bankruptcy. While federal regulators discourage new owners from weakening privacy protections retroactively, this relies on regulatory action rather than contractual guarantees.
Default settings also affect privacy. Ancestry’s family trees are public by default, making information about deceased relatives visible in search results unless users actively change settings to private. 23andMe’s DNA Relatives feature is opt-in, but once enabled, it can reveal sensitive information to a wide network of genetic relatives.
Federal Law Offers Limited Protection
The United States lacks comprehensive federal genetic privacy legislation. Instead, consumers receive protection from a patchwork of laws with specific applications and significant limitations.
HIPAA Doesn’t Apply to Genetic Testing Companies
Many consumers mistakenly believe their genetic data receives protection under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA’s Privacy Rule establishes national standards for protecting sensitive patient health information, but only applies to “covered entities” like healthcare providers, health plans, and healthcare clearinghouses.
Most direct-to-consumer genetic testing companies don’t fall into these categories. They’re commercial businesses selling products directly to consumers, not healthcare providers billing insurance for medical services. Your genetic data held by testing companies is primarily governed by consumer protection law and the company’s privacy policy, not health privacy law.
GINA Protects Against Some Discrimination
The Genetic Information Nondiscrimination Act of 2008 (GINA) provides crucial but narrowly defined protections in health insurance and employment.
Health Insurance Protection: GINA prohibits group and individual health insurers from using genetic information to make decisions about eligibility, coverage, or premium costs. It also forbids them from requiring genetic tests.
Employment Protection: GINA makes it illegal for employers with 15 or more employees to use genetic information in hiring, firing, pay, promotions, or other employment decisions. It also restricts employers from requesting genetic information from employees.
Major Gaps in GINA’s Protection
GINA doesn’t apply to other forms of insurance. Life insurance, disability insurance, and long-term care insurance providers can legally ask for and use genetic information to determine eligibility or set premiums.
The law doesn’t protect members of the U.S. military, veterans getting VA care, or federal employees under the FEHB program. GINA only protects against discrimination based on genetic predisposition to disease, not individuals already diagnosed with or showing symptoms of conditions.
FTC Serves as Primary Regulator
With HIPAA largely inapplicable and GINA’s scope limited, the Federal Trade Commission serves as the primary federal regulator overseeing the genetic testing industry. The FTC uses its authority under Section 5 of the FTC Act, which prohibits “unfair or deceptive acts or practices” in commerce.
The FTC’s enforcement actions reveal its priorities. A key case involved genetic testing company 1Health.io, which operated as Vitagene. The FTC alleged Vitagene promised “rock-solid security” while storing unencrypted health and genetic information on a publicly accessible cloud server.
The company also retroactively changed its privacy policy to share data more broadly with third parties like pharmacies and supermarkets for marketing, without obtaining consent from existing users. The settlement required a $75,000 fine, prohibited sharing health data without express consent, and mandated that labs destroy old saliva samples.
The FTC has issued guidance for the industry, emphasizing that security measures must match the sensitivity of biometric data. The agency warns against exaggerated scientific claims and cracks down on deceptive “dark patterns” that trick users into giving consent.
Law Enforcement’s New Genetic Tool
Consumer genetic data has revolutionized criminal investigation through a technique called Investigative Genetic Genealogy (IGG). This method burst into public consciousness in 2018 with the arrest of the “Golden State Killer,” a serial murderer who had eluded capture for decades.
How Genetic Genealogy Solves Cold Cases
After traditional forensic methods failed, investigators uploaded the perpetrator’s crime-scene DNA profile to GEDmatch, a public genealogy website where users upload their raw DNA data from commercial testing companies to find relatives.
The search yielded a partial match to a distant relative who had uploaded their data for genealogy research. Investigators used this lead to construct a massive family tree, eventually narrowing possibilities to two brothers. After covertly collecting a DNA sample from Joseph James DeAngelo, they found a perfect match.
This technique has solved at least 50 other cold cases. Major testing companies like 23andMe and Ancestry weren’t directly involved and maintain policies requiring valid warrants or court orders before considering data sharing with law enforcement. The IGG method bypasses these policies by using public databases where users voluntarily uploaded their data.
Legal and Ethical Questions
The practice tests Fourth Amendment protections against unreasonable searches. The “third-party doctrine,” established in Smith v. Maryland (1979), holds that individuals have no reasonable expectation of privacy for information voluntarily shared with third parties. Proponents argue this applies to DNA data uploaded to public sites.
Critics contend that genetic information is uniquely sensitive and the doctrine is ill-suited for the digital age. The technique turns relatives into unwitting “genetic informants.” Someone uploading DNA to find family members may inadvertently provide the crucial link leading police to their third cousin suspected in a murder case.
This “networked privacy” concept means one person’s actions implicate their entire genetic family’s privacy, a consequence few users may fully understand.
State Laws Fill Federal Gaps
As federal legislation lags, states have stepped in to provide stronger genetic privacy protections. At least 13 states—including Alabama, Arizona, California, Montana, Tennessee, Texas, and Virginia—have passed laws specifically targeting the direct-to-consumer industry.
Common State Law Provisions
These laws generally require companies to:
- Provide clear and transparent privacy policies
- Obtain express, unambiguous consent before collecting, using, or sharing genetic data for research, marketing, or with third parties
- Establish comprehensive security programs to protect data from unauthorized access
- Provide consumers rights to access their data, delete accounts, and have biological samples destroyed
- Prohibit sharing genetic data with employers or insurers without consent
Inconsistent Protection Across States
This state-by-state approach creates confusing and inconsistent legal protection. A consumer in Virginia or California has more legally enforceable rights over genetic data than someone in a state without such laws. This patchwork makes compliance more complex for nationwide companies and means fundamental privacy rights vary by zip code.
Real Security Threats
Genetic data is exceptionally valuable to cybercriminals because it’s permanent and uniquely identifying. Unlike credit card numbers, genetic information can’t be changed after a breach. Breaches can lead to identity theft, targeted fraud, blackmail, and discrimination in areas not covered by GINA.
The 23andMe Data Breach
This threat became reality in October 2023 when 23andMe disclosed a major data breach. The incident wasn’t a sophisticated hack that defeated encryption. Instead, it was a “credential stuffing” attack where hackers used usernames and passwords stolen from other breaches to access 23andMe accounts.
Because many users reuse passwords across multiple sites, hackers successfully logged into approximately 14,000 accounts. The breach was massively amplified by the company’s DNA Relatives feature. By accessing those accounts, hackers scraped personal information connected to DNA Relatives, ultimately compromising data from approximately 6.9 million users.
The exposed data included display names, birth years, relationship labels, and geographic locations. This incident demonstrates how a simple security failure (reused passwords) can be exploited and magnified by product features to create privacy disasters on a massive scale.
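The two stages the breach description above lays out, a credential-stuffing burst against the login endpoint followed by mass scraping through the relative-matching feature, each leave a recognisable trace in server logs. The following Python detector is an added example written for this page from a defender's perspective; it is not 23andMe's code and reflects none of its internal systems. The log format, field names, IP addresses, user names and all thresholds are constructed assumptions. It flags a single source cycling through many distinct accounts with mostly failed logins, records the successes inside that burst as likely takeovers, and separately flags an account that enumerates its match list at machine speed.

```python
"""Detect credential stuffing and match-list scraping in constructed logs.

Added example, not any vendor's code. The key=value log format, the
thresholds and every IP/user value below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-service log: one source (203.0.113.5) tries eight different
# accounts in seven seconds and gets into two; a normal user (198.51.100.7)
# mistypes their own password twice and then succeeds.
AUTH_LOG = """\
2023-10-01T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2023-10-01T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2023-10-01T12:00:03Z ip=203.0.113.5 user=carol result=OK
2023-10-01T12:00:04Z ip=203.0.113.5 user=dave result=FAIL
2023-10-01T12:00:05Z ip=203.0.113.5 user=erin result=FAIL
2023-10-01T12:00:06Z ip=203.0.113.5 user=frank result=OK
2023-10-01T12:00:07Z ip=203.0.113.5 user=grace result=FAIL
2023-10-01T12:00:08Z ip=203.0.113.5 user=heidi result=FAIL
2023-10-01T12:01:00Z ip=198.51.100.7 user=ivan result=FAIL
2023-10-01T12:01:30Z ip=198.51.100.7 user=ivan result=FAIL
2023-10-01T12:02:00Z ip=198.51.100.7 user=ivan result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_log(text):
    """Parse the assumed key=value format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: {"accounts", "failures", "takeovers"}} for sources whose
    activity inside any sliding `window` touches at least `min_accounts`
    distinct users with a failure share of at least `min_fail_ratio`.
    One user retrying their own password never reaches min_accounts."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance `start` so evs[start:end+1] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e["user"] for e in win}
            failures = sum(e["result"] == "FAIL" for e in win)
            if len(accounts) >= min_accounts and failures / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "accounts": len(accounts),
                    "failures": failures,
                    # successes inside a stuffing burst are probable takeovers
                    "takeovers": sorted({e["user"] for e in win if e["result"] == "OK"}),
                }
    return flagged


def build_api_events():
    """Constructed relative-matching activity: 'carol' (taken over above) walks
    her entire match list one profile per second; 'alice' views three matches
    spread over half an hour, which is ordinary browsing."""
    base = datetime(2023, 10, 1, 12, 5, 0)
    evs = [{"ts": base + timedelta(seconds=i), "user": "carol", "action": "view_relative"}
           for i in range(300)]
    evs += [{"ts": base + timedelta(minutes=10 * i), "user": "alice", "action": "view_relative"}
            for i in range(3)]
    return evs


def detect_match_scraping(events, window=timedelta(minutes=10), max_views=100):
    """Return {user: views_in_busiest_window} for accounts whose relative-profile
    views in any `window` exceed `max_views`; the threshold is an assumption."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "view_relative":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_views:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print("stuffing sources:", detect_credential_stuffing(parse_auth_log(AUTH_LOG)))
    print("scraping accounts:", detect_match_scraping(build_api_events()))
```

The two detectors are deliberately independent: the first would let a provider force password resets and step-up authentication on the accounts that logged in during a burst, while the second catches an already-compromised session regardless of how it was obtained, which is the control that would have limited the amplification the breach description attributes to the relative-matching feature. In production both would read from a streaming log pipeline rather than an in-memory string, and the thresholds would be tuned against the service's real baseline.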
Protecting Your Genetic Privacy
In a landscape of patchwork laws, evolving corporate policies, and real security threats, individuals must take primary responsibility for protecting their genetic privacy. Relying solely on government regulation or corporate promises is insufficient.
Before You Buy
Read the Fine Print: Commit to reading the full privacy policy and terms of service. Pay special attention to sections on third-party data sharing, research use, law enforcement requests, and what happens if the company is sold.
Understand GINA’s Limits: Remember that GINA doesn’t protect against potential discrimination by life insurance, disability insurance, or long-term care insurance providers. Consider securing these policies before genetic testing if you have concerns.
Investigate the Company: Research the company’s history. Have they experienced data breaches? How did they respond? A company’s track record indicates its commitment to security.
When You Register
Practice Strong Account Security: Use a strong, unique password that you don’t use elsewhere. Enable two-factor authentication for essential extra security.
Control Your Identity: Consider using initials or pseudonyms for your public profile instead of your real name. This makes it harder for others to connect your genetic information to your real-world identity.
Make Conscious Research Choices: Research participation is optional. Read consent documents carefully to understand what you’re agreeing to. While you can typically opt out of future research anytime, your data can’t be withdrawn from completed or ongoing studies.
Managing Your Account
Review Privacy Settings Regularly: Don’t set and forget. Periodically log in and review your account’s privacy and sharing settings. You control who can view your profile, whether you appear in DNA relative matching, and how much ethnicity information is visible to matches.
Know Your Right to Delete: Understand that you can permanently delete your data and request biological sample destruction. Familiarize yourself with the specific process, as it may require separate requests for data deletion and sample destruction. This action is irreversible.
Enhance Connection Security: When accessing your account, especially on public Wi-Fi, consider using a Virtual Private Network (VPN). A VPN encrypts your internet connection, making it harder for third parties to intercept your online activity and data.
The Bottom Line
Direct-to-consumer genetic testing offers genuine benefits for understanding ancestry and health risks. However, consumers should understand they’re entering a transaction where they pay to provide companies with valuable raw material for a data business worth billions.
The current regulatory environment provides some protection but significant gaps remain. Companies’ privacy policies offer important safeguards but can change and don’t prevent wholesale data transfers in corporate transactions.
Your genetic information is permanent and uniquely yours. Once shared, it can’t be taken back, changed, or fully anonymized. The decision to take a genetic test should be made with full understanding of how your data will be used, who will have access to it, and what protections exist to keep it secure.
Our articles make government information more accessible. Please consult a qualified professional for financial, legal, or health advice specific to your circumstances.