By: Chelsea Wagner, MS, CGC
Reviewed by: Carrie Haverty on 11/25/2025
Key Takeaways
- At-home DNA tests can be useful, and like all genetic tests, they raise privacy concerns about who controls and uses your genetic data.
- Genetic data privacy protections are strongest when testing is completed as a clinical genetic test with oversight by a healthcare provider and weaker in a direct-to-consumer genetic testing setting without oversight by a healthcare provider.
- Your safest tool as a consumer is informed decision-making: carefully read and understand how your genetic data may be used, shared, or sold.
Glossary
- Genetic data: information derived from your DNA, including ancestry information, health risks, and inherited traits.
- Direct-to-consumer (DTC) genetic testing: genetic testing ordered by yourself - typically at home - without involvement of a healthcare provider. This can also be called at-home genetic testing, consumer genetic testing, consumer-initiated genetic testing (e.g. Ancestry.com, 23andMe).
- Clinical genetic testing: genetic testing ordered by a medical professional for diagnosis, medical management, or risk assessment. Results of this testing become part of your medical record.
Curious about at-home DNA testing but unsure how your genetic data is used or shared? This guide breaks down how consumer genetic testing companies collect, store, and share DNA information, and what rights you have to protect it. Learn how to make informed, confident choices about your genetic data and privacy.
When Convenience Meets Privacy
At-home DNA tests from companies like 23andMe and Ancestry.com have made it easier than ever to explore your ancestry, health traits, and genetic risks with just a simple saliva kit. But when 23andMe filed for bankruptcy in 2025 1,2, the public learned a surprising truth: millions of people’s genetic data could and would be transferred and sold to the highest bidder as part of the company’s restructuring 3.
This raised new urgency around an important question: who really owns your DNA data, and what protections do you have?
To answer that, it’s important to understand how legal protections differ between clinical genetic testing and DTC genetic testing.
What Legal Protections Exist for My Genetic Data?
Key Legal Protections
- HIPAA: a federal law that protects your medical information when it is held by medical providers. Protections do not extend to medical information held by DTC genetic companies.
- GINA (Genetic Information Nondiscrimination Act): a federal law that protects against certain genetic discrimination in health insurance and employment.
Your genetic data is covered by a patchwork of federal and state laws in the U.S., some stronger than others. Protections can differ based on the purpose of genetic testing and who is involved in the genetic testing process.
Clinical Genetic Testing
When genetic testing is ordered by a healthcare provider for the purposes of diagnosis, treatment, management, or risk assessment, this is typically referred to as clinical genetic testing. The results of this testing become part of your medical record, and along with this come clear, legally enforceable privacy protections.
- ✅ HIPAA applies. HIPAA protects your test results, ordering information, and any associated medical data from unauthorized disclosure 5. It restricts how your medical information can be shared and lets you request corrections or access to your records.
- ✅ GINA applies. GINA prevents health insurers and employers from using your genetic information against you. 4
- ✅ Institutional oversight. Health systems, laboratories, and healthcare providers must follow strict consent, storage, and data-use rules.
Direct-to-consumer genetic testing
When genetic testing is initiated by a consumer, like yourself, without the oversight or guidance of a healthcare provider, it is typically not treated as medical data. The results of your testing do not become a part of your medical record, which can mean genetic data privacy policies and protections vary widely.
- ❎ HIPAA does not apply. Because direct-to-consumer companies are not healthcare providers or entities, your genetic data is not protected by HIPAA.
- ❎ GINA does not apply to consumer companies. GINA protects you from discrimination - but it does not regulate how direct-to-consumer companies collect, store, or share your data.
- ❎ Patchwork system of variable policies and protections. Who has access, how long they have access, and the purpose of their access to your genetic data varies by each company’s own privacy policy and what you consent to as part of the testing process.
Other genetic data privacy considerations
New proposals such as the Genomic Data Protection Act ⁶ and the Don’t Sell My DNA Act ⁷ aim to expand federal protections, especially when companies merge, close, or sell their assets. These laws are still evolving.
Some states, such as California, Nevada, Alaska, Tennessee, Maryland, and Virginia 8, have also enacted laws requiring clear consent before genetic data can be collected, used, or shared. These laws also give consumers the right to access or delete their data.
What Rights Do I Have Regarding My DNA Data?
While rights differ by state and by company, most consumers can:
- Request access to their genetic data.
- Opt in or out of research, partnerships, and data-sharing programs.
- Request deletion of their DNA data and physical samples (though anonymized data may continue to be used).
- Withdraw consent—although previously shared data cannot always be retrieved.
Remember, bankruptcy, mergers, or acquisitions can change who controls your genetic data.
What Should I Consider Before Sending in a DNA Sample?
Before mailing that saliva kit, pause to review the company’s policies and ask yourself:
- How will my data be stored?
Look for details on data-sharing with pharmaceutical partners, research institutions, private companies, or other third parties.
- Who owns my genetic data?
Some companies will claim ownership of the insights derived from your genetic data. Others allow you to retain full ownership but may still store or use your data with consent.
- How long will my DNA be stored?
Many companies retain DNA and data indefinitely unless you explicitly request deletion.
- What happens if this company is sold or shut down?
What is the company's policy for contacting or notifying you if there is a business restructuring that may affect your data use or storage?
The Bottom Line
Genetic testing - whether clinical or consumer-based - can offer powerful insights into your health and ancestry, but it also carries long-term privacy implications. Clinical genetic testing comes with strong, federally mandated privacy protections, while direct-to-consumer genetic testing relies heavily on individual company policies that may change over time.
Understanding your rights, and the limits of current laws, can help you make an informed decision about when, how, and whether to test. Pre- and/or post-test counseling via a certified genetic counselor is recommended to help you understand which type of genetic testing meets your needs based on your personal and family history. 9
Your DNA can reveal a lot, but you deserve to control the story it tells.
References
- https://www.washingtonpost.com/technology/2025/07/17/23andme-bankruptcy-privacy/
- https://www.science.org/doi/10.1126/science.adz7229
- https://www.npr.org/2025/06/30/nx-s1-5451398/23andme-sale-approved-dna-data
- https://www.eeoc.gov/genetic-information-discrimination
- https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html
- https://www.congress.gov/bill/119th-congress/senate-bill/863
- https://www.congress.gov/bill/119th-congress/senate-bill/1916/text
- https://fpf.org/blog/the-dna-of-genetic-privacy-legislation-montana-tennessee-texas-and-virginia-enter-2024-with-new-genetic-privacy-laws-incorporating-fpfs-best-practices/
- https://www.nsgc.org/Advocacy/Position-Statements/Position-Statements/Post/consumer-initiated-genetic-testing-position-statement