I Read the Fine Print on At-Home DNA Tests – the Privacy Risks Are Worse Than You Think

I Read the Fine Print on At-Home DNA Tests – the Privacy Risks Are Worse Than You Think

The box arrives in cheerful packaging. Swab. Spit. Mail it back. In a few weeks, you’ll learn something about your hormones, your cancer risk, your predisposition to Alzheimer’s, or your entire genome. At-home DNA testing has become a $5 billion market, fueled by late-night impulse purchases and the promise of self-discovery.

But what exactly are you signing away when you tick that “I agree” box?

ZDNET’s Elyse Betters Picaro did what almost no consumer does: she read the full terms of service and privacy policies for 10 direct-to-consumer (DTC) genetic testing companies – including 23andMe, Everlywell, LetsGetChecked, Nebula Genomics, and CircleDNA – and consulted six experts in bioethics, genetics, health care law, and cybersecurity. What she found is a regulatory patchwork where your most sensitive personal data lives under a company’s privacy policy, not federal law.


The HIPAA Mirage

The biggest misconception, according to every expert ZDNET interviewed, is that at-home test data enjoys the same legal protection as a doctor’s office record.

In the United States, HIPAA – the Health Insurance Portability and Accountability Act – protects personal health information only when it is held by “covered entities”: doctors, hospitals, insurers, and their business associates. Most DTC genetic testing companies do not qualify.

“The health information they have would be governed by a company’s privacy policy rather than considered PHI,” Anya Prince, a professor of law at the University of Iowa College of Law who studies health and genetic privacy, told ZDNET.

Some companies advertise themselves as “HIPAA-compliant” or having “HIPAA-grade security.” Julian Gage, founder of Engage Compliance and a data protection officer for DTC health companies, told ZDNET these are marketing terms, not legal protections.

“HIPAA-grade encryption is a statement about a security setting,” Gage said. “It says nothing about whether HIPAA actually applies to you or what the company can do with your results.”

The practical effect: a consumer’s data can end up with “one thin layer protected and the rest living under the terms you tapped through at checkout,” Gage explained.


The Fine Print’s Real Language

The privacy policies ZDNET examined reveal several patterns consumers should watch for.

Marketing and advertising use. LetsGetChecked’s policy says it may use personal information for “marketing, including targeted marketing on third party sites such as social media websites,” and may share data with third parties for advertising purposes with consent. SiPhox’s policy states that “aggregate data may be used for marketing insights and targeting.”

Research databases. Several companies use de-identified or pseudonymized genetic data for research. LetsGetChecked says it “may include de-identified Genetic Data in our research databases” that may be “accessible and downloadable by third parties.” Nebula Genomics says it will “never disclose genetic data for research purposes” without consent, but its policy adds that de-identified or pseudonymized information may be shared.

The critical issue: de-identification is not irreversible. “Your DNA is the most identifying thing about you, and researchers have shown more than once that supposedly de-identified genomes can be traced back to real people,” Gage said. Dr. Avi Rubin, director of the Health and Medical Security Lab at Johns Hopkins University, told ZDNET that “when coupled with publicly available data, anonymized data sets can often have private information inferred and revealed.”

Once data is de-identified to the legal standard, it drops out of most privacy rules entirely. The company can use, share, or sell it without asking again.

Law enforcement access. Every policy ZDNET reviewed includes language allowing disclosure in response to legal obligations – subpoenas, court orders, warrants, public health obligations. 23andMe’s policy states it “will not provide information to law enforcement unless required by law to comply with a valid court order, subpoena, or search warrant.”


The Insurance Gap Nobody Talks About

The Genetic Information Nondiscrimination Act of 2008 (GINA) is often cited as a consumer safeguard. But GINA’s protections are narrower than most people assume.

The law bars health insurers and employers from using genetic information to discriminate. It does not apply to life insurance, long-term care insurance, or disability insurance.

“Companies offering life or long-term-care insurance could start asking customers if they have done genetic testing for purposes of ruling out higher-risk customers,” Laura Hercher, a genetic counselor and director of student research at Sarah Lawrence College, told ZDNET. In most states, she said, “they could.”

Prince confirmed that a person “could be denied these insurances or charged a higher premium” based on test results. Only a handful of states – California, Vermont, and a few others – have passed laws extending protections to these insurance categories.


The Bankruptcy Precedent: 23andMe

The risk is not theoretical. In March 2025, 23andMe filed for Chapter 11 bankruptcy protection, putting the genetic data of more than 15 million customers up for potential sale as the company’s most valuable asset.

CNBC reported that the bankruptcy “sparks privacy fears as DNA data of millions goes up for sale.” While 23andMe said data privacy would be an “important consideration” in any sale, experts pointed out that federal law does little to secure genetic data in bankruptcy proceedings. A Harvard Gazette analysis noted that if the acquiring company lacks good data security, there’s a “possibility of breach.”

ZDNET’s review found that most companies’ privacy policies cover data handling during normal operations. What happens to samples and data in an acquisition or bankruptcy is often far less clear.


A New Legal Frontier: Connecticut’s Property Right Approach

In June 2026, Connecticut became the first state to directly address the data asymmetry at the heart of DTC genetic testing. Governor Ned Lamont signed SB 4, an omnibus privacy law that, effective October 1, 2026, grants consumers a property right in biological samples provided to DTC genetic testing companies and in the results of any genetic testing conducted on their DNA.

This is a significant conceptual shift. Rather than asserting privacy rights through HIPAA (which the companies are often not subject to) or consent frameworks (which consumers click through in seconds), Connecticut’s approach frames genetic information as something the consumer owns. The law requires DTC companies to obtain explicit, informed consent before transferring or selling genetic data, and gives consumers the right to demand deletion of both samples and derived data.

Other states, including California and New York, have introduced similar bills in early 2026, signaling that the Connecticut model may become a template for broader regulation.


What Consumers Should Actually Look For

ZDNET’s investigation offers a practical checklist for anyone considering an at-home test:

Before buying:

  • Is the test FDA authorized, cleared, or approved – and does that apply to the whole test or just one specific report?
  • Is the lab CLIA-certified or CAP-accredited? These are quality standards for lab operations, not guarantees of clinical accuracy.
  • Who interprets the results? Is follow-up consultation available?

In the fine print:

  • Search for “HIPAA” – if it’s absent, your data is not protected as medical records are.
  • Look for “third parties,” “partners,” “sell,” “advertising,” and “research” – these reveal who can access your data.
  • Check the policies on sample retention, deletion, and destruction. Some companies destroy samples automatically after processing; others retain them for the maximum period permitted by law.
  • Read the acquisition and bankruptcy clauses. If they read as vague, Gage told ZDNET, “the vagueness is your answer.”

After testing:

  • Deletion requests may not mean complete removal. Some companies reserve the right to retain information that is “still necessary” or for which they have a “legal basis to process.”
  • Terms of service change. Hercher noted that “there are no laws that guarantee DNA data privacy,” and terms “can and do change over time.”

The at-home DNA testing market is not going away. These tests offer real value for the uninsured, the underinsured, and anyone curious about their genetic makeup. But as ZDNET’s investigation makes clear, the transaction is not just $99 for a spit kit. It’s a long-term data relationship with terms that most consumers – and their relatives – never agreed to knowingly.

This article is based on reporting by Elyse Betters Picaro for ZDNET, published June 13, 2026, supplemented with additional research on the 23andMe bankruptcy and Connecticut’s SB 4 genetic privacy law.

Scroll to Top