Who Owns Your DNA? The Privacy Nightmare of At-Home Genetic Tests

Lana El-Etr, Contributing Member 2024-2025

Intellectual Property and Computer Law Journal

I. Introduction

“Spit in a tube, mail it in, and unlock the secrets of your DNA.” This is what dozens of direct-to-consumer genetic testing (DTC-GT) companies promise tens of millions of curious consumers. Pitched as a ticket to health insights, ancestry, and even personality traits, these kits have become a global phenomenon. By as early as 2019, more than 26 million people had uploaded their DNA to the top commercial databases[1] —and the industry had grown to nearly $2 billion in valuation by 2023, with no signs of slowing down. Despite growing concerns over how tech companies like Google and Facebook gather and profit from individuals’ personal data, millions of consumers continue to pay to relinquish their genetic information to a largely unregulated industry—an industry where privacy policies often permit the sale or transfer of this highly sensitive data to third parties. [2] 

This rapid growth has been accompanied by high-profile data breaches, such as the 2018 MyHeritage leak that exposed the personal information of 92 million users, raising questions about how consumer DNA is stored, shared, and monetized.[3]More deeply, this rapid rise of direct-to-consumer genetic testing is exposing critical shortcomings in data privacy and intellectual property laws, which were not established to deal with  the uniquely sensitive and long-term nature of genetic data. Current regulations allow companies to assert broad proprietary rights over genetic data and testing algorithms, leaving individuals with little control or recourse. If left unaddressed, these gaps not only erode privacy but also pave the way for corporate monopolization of the building blocks of human biology. To prevent such risks, legislators must implement enforceable regulations that (1) enshrine clear consumer data protections and consent requirements, and (2) limit excessive monopolization of genetic information to encourage ethical research and innovation. 

This blog explores the legal and ethical challenges of direct-to-consumer genetic testing by focusing on gaps in data privacy and intellectual property laws. Part II provides background on the rise of consumer genetic testing and the existing regulations. Part III discusses the risks of inadequate privacy protections and corporate monopolization of genetic data.  Part IV concludes by proposing regulatory reforms to safeguard consumer rights and promote ethical innovation.

II. Background

Genetic testing is often conducted clinically by healthcare providers such as physicians, nurse practitioners, or genetic counselors.[4] The healthcare providers will determine the appropriate test, place an order from a lab, collect a DNA sample, interpret the results, and share the results with the patient. In some instances, health insurance companies cover part of the costs.[5]

By comparison, direct-to-consumer genetic tests (DTC-GT) are marketed directly to consumers through television, the internet, or printed advertisements without the involvement of a healthcare provider.[6] The tests come in the form of a kit.[7] Consumers send the company a DNA sample and will then receive their results directly from a secure website, app, or written report.[8] Because DTC-GT results are typically not considered diagnostic, health insurance companies do not cover the cost.[9] The cost of DTC-GT varies depending on the number of variants examined, the quality of results offered, and the structure of the test.[10] Costs range from under $100 to several thousand dollars. The higher the number of variations being examined, the more expensive the test.[11]

Companies that offer DTC-GT include Ancestry DNA, MyHeritage, 23&Me, DNAfit, CRIGenetics, and QuestDiagnostics.[12] Other third-party interpreters of genetic test results include Genetic code, Xcode, Promethease.[13] When choosing a company, a consumer prefers their offeed results. Consumers choose DTC-GT to get ahead of their own health and wellness, they were influenced, or because they were advised by a healthcare professional. DTC-GT is commonly used to detect diseases leading to down syndrome, cystic fibrosis, sickle cell, phenylketonuria, celiac, Alzheimer’s, and Huntington’s.[14] However, there are several issues surrounding the accuracy of such tests, the difficulty interpreting results, and the leaking of genetic data into the wrong hands.

Current Law

Currently, there is no national legislation specifically aimed at protecting consumers’ genetic information, despite general protections in place through the Federal Trade Commission (FTC) for deceptive practices and privacy violations.[15] Direct-to-consumer genetic testing (DTC-GT) companies can sell genetic data to third parties without the consumers’ knowledge, as the privacy policies often allow for such transactions.[16] However, 14 states have taken action to regulate this market directly by enacting legislation referred to as Genetic Information Privacy Acts (GIPA), to secure genetic privacy at the state level.[17]

In 2022, California enacted their form of GIPA, which requires all DTC-GT companies to provide clear information about their policies and procedures, to get separate consent for collecting and storing genetic data, and to implement security procedures to protect genetic data.[18] Additionally, the Act requires companies to provide methods for consumers to access, delete or destroy their genetic data within 30 days after a consumer revokes consent, and protects discrimination against consumers who exercise their right to keep their information from being shared or sold.[19]

Illinois’ GIPA adopted the definition of “genetic information” from the Health Insurance Portability and Accountability Act (HIPAA).[20] Under HIPAA, “genetic information” is defined as information about an individual’s genetic tests, the genetic tests of family members, and the manifestation of a disease or disorder in family members.[21] The law prohibits both employers and insurers from utilizing any form of genetic tests or information to engage in discriminatory practices. This definition is crucial because it establishes a broad scope of protection, ensuring that genetic data is safeguarded from misuse. Employers and insurers are legally prohibited from utilizing any form of genetic tests or information to engage in discriminatory practices, boosting the value of genetic privacy and preventing adverse decision-making due to an individual’s genetic vulnerability.[22]

Illinois’ Genetic Information Privacy Act (GIPA) adopted the definition of “genetic information” from the Health Insurance Portability and Accountability Act (HIPAA).[23] Under HIPAA, “genetic information” includes information about an individual’s genetic tests, the genetic tests of family members, and the manifestation of a disease or disorder in family members. The law prohibits both employers and insurers from utilizing any form of genetic tests or information to engage in discriminatory practices.[24]

In 2023, Tennessee and Virginia followed suit, implementing GIPAs aimed at regulating DTC-GT companies.[25] One of the most striking similarities between the states’ regulations is the express requirement that DTC-GT companies provide consumers with a comprehensive overview of the company’s collection, use, and disclosure of genetic data policy, and provide consumers an easily accessible privacy notice.[26] These companies must obtain explicit consent from consumers before using their genetic data for research, sharing it with third parties, or engaging in targeted marketing. Consumers must have a way to access, delete, and request the destruction of both their genetic data and any remaining biological samples.[27] Additionally, companies are obligated to implement robust security measures to safeguard genetic data from unauthorized access, use, or disclosure. [28] Most regulations also prohibit the disclosure of genetic data to insurers or employers.[29]

Montana and Texas’s GIPAs, along with requiring such mandates, went further. Montana’s GIPA prohibited the storage of genetic data and biometric samples of Montana residents within U.S. countries sanctioned by the U.S. Office of Foreign Assets Control or designated foreign adversaries.[30] Furthermore, the Act imposed data localization requirements and demanded that individuals give explicit consent before companies can transferring or storing data outside the United States.[31] Texas’s GIPA also uniquely establishes property rights over the genetic samples and data of its residents.[32] Despite the implementation of such state-level regulations, not all legislative efforts have been successful.

At the start of 2024, both West Virginia[33] and Indiana[34] introduced bills aimed at regulating DTC-GT providers, seeking to establish stricter consumer protections regarding data privacy, informed consent, and third-party data sharing. However, neither bill advanced through their respective legislatures, ultimately dying in committee.[35] The failure of these bills demonstrates the difficulties in passing genetic privacy legislation, as industry lobbying, lack of public awareness, and legislative inertia often hinder meaningful reform. In some cases, lawmakers expressed concerns that increased regulation could stifle innovation or place an undue burden on businesses operating in the rapidly evolving biotech field.[36] Others pointed to difficulties in enforcing such laws across state lines, emphasizing the need for a comprehensive federal framework rather than a patchwork of state regulations.[37] The failed attempts in West Virginia and Indiana underscore the broader conflict to finding equilibrium for consumer protection with industry interests, leaving significant gaps in oversight and accountability for DTC-GT companies.[38]

The Federal Trade Commission (FTC) has recently increased its focus on protecting biometric information, which overlaps with genetic data, as both serve as unique personal identifiers that cannot be changed once compromised. In May 2023, the FTC announced its Biometric Policy Statement, which outlined it approach to regulating companies that collect and use biometric information, including fingerprints, facial recognition data, and, by extension, certain genetic markers.[39] The statement emphasized the need for businesses to obtain clear and informed consent before collecting biometric data, implement stringent security measures to prevent unauthorized access, and avoid deceptive trade practices related to data retention and sharing.[40] Since then, the FTC has settled actions against the DTC-GT companies Vitagene and  CRI Genetics for alleged deceptive trade practices, including a claim that Vitagene failed to secure sensitive data and altered its privacy policy retroactively without obtaining user consent.[41]

Despite these protections, concerns persist about the potential sale of genetic data, especially if a DTC-GT company undergoes financial instability or changes ownership. In September 2024, reports surfaced detailing 23&Me’s precarious financial state, raising concerns about a potential sale of consumer data.[42] This concern is supported by the company’s privacy policies, which classify customer information as a “salable asset” in the event of a merger or acquisition.[43]

III. Discussion

The rapid growth of DTC-GT has transformed how individuals’ access and interpret their genetic information. While tests offer the benefits of consumer empowerment and satisfaction of general curiosity, they also raise significant challenges regarding accuracy, data interpretation, privacy risks, regulatory deficiencies, weak enforcement, commercialization issues, and ethical concerns. These issues are further compounded by the limited regulatory framework that lacks comprehensive federal oversight.

Accuracy and Interpretation of DTC-GT Results

Unlike clinical genetic testing, which is conducted under the supervision of trained healthcare professionals, DTC-GT often examines a limited selection of genetic variants associated with certain conditions.[44] Consequently, consumers may receive incomplete, irrelevant, or misleading results.[45] For example, a consumer testing negative for a specific BRCA mutation linked to hereditary breast and ovarian cancer might falsely assume they are not at risk, even though other untested variants could still predispose them to the disease.[46] Similarly, many DTC-GT companies market trait analysis services that claim to predict complex characteristics, such as athletic ability or intelligence, despite little scientific consensus on their validity.[47]  These shortcomings highlight how DTC-GT can leave consumers with a false sense of security or misunderstanding about their genetic health, setting the stage for further concerns about the comprehensiveness of the results.

Another major limitation of DTC-GT results is that it does not test for all pathogenic or disease-causing variants for a particular condition, so the results cannot be interpreted to rule out or accurately portray the risk for inheritance.[48] Moreover, some consumers may be interested in certain conditions that DTC-GT does not cover, and even if DTC-GT shows an actionable result, the results may likely need to be confirmed by a clinical genetic test.[49] Even using the term “actionable result” is hard to define, as some DTC-GT companies may test for traits that do not have confirmed clinical utility or gene to phenotype (physical expression of a genetic variant) correlation.[50] In short, DTC-GT may just prolong the process by adding an additional step, additional costs, and an increased risk of misinformation. There is also a significant risk of consumers’ genetic data being sold to unknown entities, as existing regulations fail to provide sufficient safeguards against misuse.[51]

Regulatory Deficiencies  and Weak Enforcement

The collection and storage of genetic data by private companies poses severe privacy risks, including unauthorized access, data breaches, and potential misuse by insurers, employers, or law enforcement.[52] Many consumers fail to fully grasp how their genetic information is stored, shared, or sold, as privacy policies are often buried in dense legal jargon. While some states have enacted genetic privacy laws, no uniform federal regulations specifically govern DTC-GT companies, creating a patchwork of protections that are difficult to navigate.[53] For example, California’s Genetic Information Privacy Act (GIPA) mandates separate consent for data collection and storage[54], while Texas grants individuals’ property rights over their genetic information.[55] Yet, these protections are far from universal, leaving loopholes that companies can exploit.

Even when privacy violations occur, enforcement is inconsistent. The FTC’s increased scrutiny of companies handling biometric data, evidenced by its Biometric Policy Statement issued in May 2023, highlights the growing importance of informed consent before collecting and using such information.[56] While the policy emphasizes the need for transparency and accountability, its effectiveness is limited by the lack of comprehensive, enforceable standards that would mandate uniform compliance across all sectors. Despite raising awareness and urging companies to adopt clear consent protocols, the policy falls short of providing concrete regulatory frameworks or penalties for non-compliance, leaving gaps in its ability to truly safeguard consumers’ genetic and biometric privacy.

 However, its enforcement actions against DTC-GT companies remain reactive rather than preventative. Cases like Vitagene and CRI Genetics demonstrate how companies have engaged in deceptive trade practices—such as retroactive changes to privacy policies or inadequate data security measures—without facing meaningful deterrents. The FTC’s actions signal progress, but they fail to address the underlying issue: without robust federal legislation, companies can continue exploiting genetic data with minimal accountability.

Commercialization and Ethical Concerns

Beyond privacy risks, the commercialization of genetic data raises significant ethical concerns about consent, data ownership, and corporate responsibility. Many DTC-GT companies classify genetic data as a salable asset, meaning it can be transferred during mergers, acquisitions, or financial instability—often without explicit consumer consent.[57] This concern is not hypothetical. In 2024, reports emerged about 23andMe’s precarious financial position, fueling fears that consumer genetic data could be sold if the company were acquired or restructured.[58] Although 23andMe’s privacy policy states that individual-level data is not sold without consent, its classification of data as a business asset creates a gray area that could be exploited under financial pressure.[59]

Moreover, partnerships between DTC-GT companies and pharmaceutical firms further blur the line between consumer service and corporate profit. While collaborations may lead to valuable medical discoveries, consumers are rarely compensated when their genetic data contributes to lucrative drug development.[60] This imbalance raises fundamental questions about who truly owns genetic information and whether individuals should have greater control—or even financial stake—in the use of their data.[61]

Need for Comprehensive Legal Protections

To address these challenges, a unified legal framework is essential. Federal legislation should require DTC-GT companies to obtain explicit, informed consent before collecting, using, or sharing genetic data. Under an ideal legal framework, consumers would have the right to access, correct, delete, and request genetic information. Additionally, companies would be prohibited from selling genetic data without consumers’ express consent and there would be comprehensive security measures to prevent unauthorized access to third parties.

Moreover, regulatory agencies like the FTC should continue to monitor and enforce compliance under the FTC Act, ensuring that companies provide clear, accessible privacy notices and transparent data usage policies.[62] While the FTC cannot enforce state laws, enhanced coordination between federal and state regulators could help align enforcement priorities and promote a more uniform standard of protection. Such cooperation would reduce confusion and improve consistency for consumers and businesses navigating the complex landscape of genetic privacy regulation.

IV. Conclusion

The rapid expansion of the DTC-GT industry has introduced both promising opportunities and profound legal and ethical challenges. While these tests provide individuals with unprecedented access to their genetic information, they also expose consumers to significant risks, including data privacy vulnerabilities, potential misinterpretation of results, and corporate exploitation of genetic data. Existing regulations, particularly at the federal level, remain fragmented and insufficient to address these concerns comprehensively.

To safeguard consumers, federal legislation must establish uniform protections requiring explicit, informed consent for the collection, use, and disclosure of genetic data. This should include robust security measures, strict prohibitions on unauthorized data sales, and enforceable rights for consumers to access, correct, and delete their genetic information. Additionally, regulatory agencies like the Federal Trade Commission must continue to oversee compliance, expanding legal frameworks to ensure that DTC-GT companies adhere to transparent data policies and ethical business practices.

---

[1] Anisa Patel, Balancing Innovation and Ethics: The Role of Genetic Testing in Health and Identity, 11 Voices in Bioethics (Mar. 26, 2025), https://doi.org/10.52214/vib.v11i.13281 [https://perma.cc/Y5BA-S5JP].

[2] Antonio Regalado, More Than 26 Million People Have Taken an At-Home Ancestry Test, MIT Technology Review (Feb. 11, 2019), https://www.technologyreview.com/2019/02/11/103446/more-than-26-million-people-have-taken-an-at-home-ancestry-test/ [https://perma.cc/997U-4ZLH].

[3] Makena Kelly, MyHeritage Breach Leaks Millions of Account Details, The Verge (June 5, 2018), https://www.theverge.com/2018/6/5/17430146/dna-myheritage-ancestry-accounts-compromised-hack-breach [https://perma.cc/PH8W-9JAQ].

[4] Direct-to-Consumer Genetic Testing FAQ for Healthcare Professionals, Nat’l Hum. Genome Res. Inst., https://www.genome.gov/For-Health-Professionals/Provider-Genomics-Education-Resources/Healthcare-Provider-Direct-to-Consumer-Genetic-Testing-FAQ (last visited Apr. 6, 2025) [https://perma.cc/DT5N-LX47].

[5] Id.

[6] What is direct-to-consumer genetic testing?, MedlinePlus (last updated Feb. 8, 2022), https://medlineplus.gov/genetics/understanding/dtcgenetictesting/directtoconsumer/ [https://perma.cc/B2NJ-9CYA].

[7] Id.

[8] Id.

[9] Michael Ruscio, How Much Does Genetic Testing Cost (And Do You Need It)?, Dr. Ruscio, DC (Nov. 14, 2024), https://drruscio.com/genetic-testing-cost/ [https://perma.cc/MVM3-VZWT]

[10] Id.

[11] Inter-Society Coordinating Committee for Practitioner Education in Genomics, Direct-to-Consumer Genetic Testing FAQ for Healthcare Professionals, Nat’l Hum. Genome Research Inst., https://www.genome.gov/For-Health-Professionals/Provider-Genomics-Education-Resources/Healthcare-Provider-Direct-to-Consumer-Genetic-Testing-FAQ (last updated June 14, 2023) [https://perma.cc/WD6F-EAFD].

[12] Lyndsey Fletcher, Direct-to-Consumer Testing: The Secrets in Your Genome, Front Line Genomics (July 17, 2024), https://frontlinegenomics.com/direct-to-consumer-testing-the-secrets-in-your-genome/ [https://perma.cc/M2EC-3R4S].

[13] Id.

[14] Artin, Michael G., et al. “Cases in Precision Medicine: When Patients Present With Direct-to-Consumer Genetic Test Results.” Annals of Internal Medicine, vol. 170, no. 9, 2019, pp. 643–650. https://doi.org/10.7326/M18-2356 [https://perma.cc/9H55-L25E].

[15] National Human Genome Research Institute, Privacy in Genomics, National Institutes of Health, https://www.genome.gov/about-genomics/policy-issues/Privacy (last visited Apr. 6, 2025) [https://perma.cc/BBT3-G3M4].

[16] Id.

[17] Müge Fazlioglu, Data Privacy and Genetic Testing: Guidance and Enforcement from Regulators, International Association of Privacy Professionals (Sept. 18, 2024), https://iapp.org/news/a/the-dna-of-privacy-and-the-privacy-of-dna [https://perma.cc/V4KA-ERFX].

[18] Stephnie A. John & Lara D. Compton, California’s Senate Bill 41: The Genetic Information Privacy Act, Mintz (Oct. 19, 2021), https://www.mintz.com/insights-center/viewpoints/2826/2021-10-19-californias-senate-bill-41-genetic-information-privacy [https://www.mintz.com/insights-center/viewpoints/2826/2021-10-19-californias-senate-bill-41-genetic-information-privacy [https://perma.cc/Y96N-7J3T].

[19] Id.

[20] 410 ILCS 513/10 (West 2023).

[21] Id.

[22] Id.

[23] 410 Ill. Comp. Stat. 513/10.

[24] Id.

[25] Niharika Vattikonda & Jordan Wrigley, The DNA of Genetic Privacy Legislation: Montana, Tennessee, Texas, and Virginia Enter 2024 with New Genetic Privacy Laws Incorporating FPF’s Best Practices, Future of Privacy Forum (Mar. 7, 2024), https://fpf.org/blog/the-dna-of-genetic-privacy-legislation-montana-tennessee-texas-and-virginia-enter-2024-with-new-genetic-privacy-laws-incorporating-fpfs-best-practices/ [https://perma.cc/32YY-P6U7].

[26] Id.

[27] Id.

[28] Id.

[29] Id.

[30] Reed Abrahamson & John Evans, U.S. Protectionism in Health Data Flows, JD Supra (Mar. 13, 2024), https://www.jdsupra.com/legalnews/u-s-protectionism-in-health-data-flows-5563530/ [https://perma.cc/FS75-LVEM].​

[31]  Id.

[32] Office of the Attorney General of Texas, Texas Data Privacy and Security Act, Tex. Att’y Gen., https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act (last visited Apr. 15, 2025) [https://perma.cc/AW4X-KEUQ].

[33] West Virginia House Bill 5110 (2024):H.B. 5110, 86th Leg., Reg. Sess. (W. Va. 2024),

[34] SB 284, 123rd Gen. Assemb., Reg. Sess. (Ind. 2024).

[35] Id.

[36] Sydney Goldberg, Locke Lord QuickStudy: Trends in State and Federal Regulation of Consumer Genetic Testing, Troutman Pepper (Nov. 18, 2024), https://www.trout .eegv  man.com/insights/locke-lord-quickstudy-trends-in-state-and-federal-regulation-of-consumer-genetic-testing.html [https://perma.cc/5KPN-8MCR].

[37] Id.

[38] Id.

[39] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, File No. P225402 (F.T.C. May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf (last visited Apr. 15, 2025) [https://perma.cc/K5P7-HCN9].

[40] Id. at 3.

[41] Press Release, Fed. Trade Comm’n, FTC Sends Refunds to Consumers Deceived by Genetic Testing Firm 1Health.io Over Data Deletion and Security Practices (Sept. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/09/ftc-sends-refunds-consumers-deceived-genetic-testing-firm-1healthio-over-data-deletion-security [https://perma.cc/A8GG-FTWA].

[42] Kristen V. Brown, Remember That DNA You Gave 23andMe?, The Atlantic (Sept. 27, 2024), https://www.theatlantic.com/health/archive/2024/09/23andme-dna-data-privacy-sale/680057/ [https://perma.cc/346H-R4KV].

[43] Id.

[44] U.S. Nat’l Libr. of Med., What Are the Benefits and Risks of Direct-to-Consumer Genetic Testing?, MedlinePlus Genetics, https://medlineplus.gov/genetics/understanding/dtcgenetictesting/dtcrisksbenefits/ (last visited Apr. 16, 2025) [https://perma.cc/P4LQ-5QH6].

[45] Id.

[46] Sarasota Memorial Health Care System, Limitations of the 23andMe BRCA1/2 Test, SMH Blog (Jan. 28, 2025), https://www.smh.com/blog/limitations-of-the-23andme-brca12-test [https://perma.cc/3YUL-SYED].

[47] Alexander Nill & Gene R. Laczniak, Direct-to-Consumer Genetic Testing and Its Marketing: Emergent Ethical and Public Policy Implications, 175 J. Bus. Ethics 669 (2022), https://epublications.marquette.edu/cgi/viewcontent.cgi?article=1304&context=market_fac [https://perma.cc/8BYW-GZCL].

[48] American College of Obstetricians & Gynecologists’ Committee on Genetics, Committee Opinion No. 816, Consumer Testing for Disease Risk, ACOG (Jan. 2021), https://www.acog.org/clinical/clinical-guidance/committee-opinion/articles/2021/01/consumer-testing-for-disease-risk [https://perma.cc/42BF-P7RH].

[49] Id.

[50] American Heart Association, Direct-to-Consumer Genetic Testing for Cardiovascular Disease, 151 Circulation e1 (2025), https://www.ahajournals.org/doi/10.1161/CIR.0000000000001304 [https://perma.cc/LW4A-APMY].

[51] nat’l hum. genome inst., Healthcare Provider Direct-to-Consumer Genetic Testing FAQ, Genome.gov, https://www.genome.gov/For-Health-Professionals/Provider-Genomics-Education-Resources/Healthcare-Provider-Direct-to-Consumer-Genetic-Testing-FAQ (last visited Apr. 16, 2025) [https://perma.cc/5FTK-ESHW].

[52] Fed. Trade Comm’n, Policy Statement on Biometric Information and Section 5 of the FTC Act (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf. [https://perma.cc/7PG8-WTAY].

[53] Natalie Ram, Consumer Genetic Testing Companies: Empowering Consumers, But at What Cost?, 30 Cornell J.L. & Pub. Pol’y 1 (2020), https://scholarship.law.cornell.edu/cgi/viewcontent.cgi?article=1490&context=cjlpp [https://perma.cc/5MGJ-74ET].

[54] Stephnie A. John & Lara D. Compton, California’s Senate Bill 41: The Genetic Information Privacy Act, Mintz (Oct. 19, 2021), https://www.mintz.com/insights-center/viewpoints/2826/2021-10-19-californias-senate-bill-41-genetic-information-privacy [https://www.mintz.com/insights-center/viewpoints/2826/2021-10-19-californias-senate-bill-41-genetic-information-privacy [https://perma.cc/Y96N-7J3T].

[55] Office of the Attorney General of Texas, Texas Data Privacy and Security Act, Tex. Att’y Gen., https://www.texasattorneygeneral.gov/consumer-protection/file-consumer-complaint/consumer-privacy-rights/texas-data-privacy-and-security-act (last visited Apr. 15, 2025) [https://perma.cc/AW4X-KEUQ].

[56] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, File No. P225402 (F.T.C. May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf (last visited Apr. 15, 2025) [https://perma.cc/K5P7-HCN9].

[57] Alyssa K. McLeod, Sales, Acquisitions, and Mergers of Direct-to-Consumer Genetic Testing Companies: The Risks and a Solution, 8 Tex. A&M L. Rev. 403, 406 (2021), https://scholarship.law.tamu.edu/cgi/viewcontent.cgi?article=1216&context=lawreview [https://perma.cc/JTB2-VG4T].

[58] Kristen V. Brown, Remember That DNA You Gave 23andMe?, The Atlantic (Sept. 27, 2024), https://www.theatlantic.com/health/archive/2024/09/23andme-dna-data-privacy-sale/680057/ [https://perma.cc/346H-R4KV].

[59] Id.

[60] FasterCapital, Genetic Data Ownership: Monetizing Your DNA—The Business of Genetic Data Ownership, https://fastercapital.com/content/Genetic-Data-Ownership-Monetizing-Your-DNA–The-Business-of-Genetic-Data-Ownership.html (last visited Apr. 16, 2025) [https://perma.cc/CCC9-D3XB].

[61] Id.

[62] Federal Trade Commission, Privacy and Security Enforcement, https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement (last visited Apr. 16, 2025) [https://perma.cc/X4SG-XGBK].

---