The Fine Print in Your DNA: Philosophical Analysis of Direct-to-Consumer Genetic Testing’s Autonomy Problem
- Molly Bombard
- Apr 30
1. Introduction
The pursuit of self-knowledge through genetic testing leaves us with an interesting paradox. To understand ourselves more deeply, we must first surrender control over our most intimate biological information. This contradiction lies at the heart of direct-to-consumer (DTC) genetic testing, where the promise of personal enlightenment comes at the cost of online genetic disclosure. The more we seek autonomy of our genetic identity, the more we relinquish control over how that identity is used and commodified.
Companies promise empowerment through hereditary information while constructing murky frameworks of consent that few can comprehend. The result is a system where consent is legally obtained but philosophically vacant—a mere procedural checkbox rather than a meaningful exercise of autonomy.
The implications of this contradiction challenge fundamental assumptions about autonomy in healthcare. This paper argues that direct-to-consumer genetic testing violates principles of autonomous choice by creating an illusion of informed consent while simultaneously depriving individuals of meaningful control over their genetic information. The current model, where companies collect permanent and intimate biological data through one-time consent, ignores the philosophical complexity of genetic privacy—that genetic information is inherently collective, culturally significant, and capable of being weaponized against vulnerable populations.
2. The Transformation of Genetic Testing: From Medical Care to Marketplace
The invention of DTC genetic testing in the early 2000s created a paradigm shift in how individuals can access their genetic information (Majumder). Unlike traditional genetic testing that occurs in clinical settings under medical supervision, DTC testing allows consumers to order genetic tests directly from online companies such as 23andMe and AncestryDNA. Without ever having to leave the couch, users can unlock intimate knowledge of their geographic origins and genetic makeup—all without receiving the crucial medical interpretation provided at in-person medical labs.
This apparently simple exchange of saliva for genetic information masks a cryptic system of data collection and sharing that extends far beyond the initial testing service. Thus, the emergence of DTC genetic testing transformed not just access to genetic information, but also how genetic data is stored and commercialized (Majumder). While the FDA’s regulatory focus has centered on ensuring technical accuracy and clinical validity, this narrow approach to oversight has left critical gaps in protecting consumer autonomy. As a result, the DTC genetic testing market continues to operate under increasingly opaque data practices.
3. Undermining Autonomy Through Information Opacity
In order to make an autonomous decision, one must have an adequate understanding of the implications of their choice. In his landmark paper Four Principles Approach to Healthcare Ethics, philosopher Tom Beauchamp argues that “respect for autonomy obligates professionals in health care and research involving human subjects to disclose information, to probe for and ensure understanding and voluntariness, and to foster adequate decision making” (Beauchamp 37). When we speak about our autonomy, we refer to our capacity to make meaningful choices based on our values and beliefs about what makes a life worth living. Autonomy matters fundamentally because it lies at the heart of what it means to be a person capable of shaping their own life and destiny. Beauchamp’s emphasis on “disclosing information” is often demonstrated when providers willingly discuss the risks of a medical intervention. Consider the case of Susan, a patient with a metabolic disorder who must decide whether or not to receive a bone marrow transplant. Meaningful autonomy in this context extends beyond mere documented consent—it requires that healthcare providers ensure she comprehends both the benefits and adverse outcomes of her procedure. In most medical facilities, Susan is not only told how bone marrow transplantation might cure her metabolic disorder, but also how the procedure might carry the risk of organ damage, infertility, infection, and other unforeseen complications. Susan must weigh the costs and benefits of the medical intervention if her decision is to be truly informed, similar to how a story half-written leaves its deepest meanings untold. Consent without complete understanding of potential risks jeopardizes the autonomy of a person wanting to make an informed choice.
This form of meaningful consent is in tension with the process of DTC genetic testing, where users can simply click “I accept” without ever knowing the true risks of having their DNA collected and analyzed without proper protections.
In the context of genetic testing, autonomy serves as a crucial safeguard against abuse. It protects individuals from commercial exploitation of their personal data and unwanted disclosure of sensitive information. This protective function is especially important because genetic information is unique—once disclosed, it cannot be recalled. Further, its implications may not be fully understood at the time of testing. Say that Susan, recovering from her bone marrow transplant, wants to take a DNA test in order to learn about any potential genetic predispositions that may affect her health in the future. After using a 23andMe kit, she discovers that she carries a mutation in the BRCA1 gene, which significantly increases her breast cancer risk. One might assume that her information is protected from insurance discrimination under the 2008 Genetic Information Nondiscrimination Act (GINA). Yet, this law does not explicitly say anything about what a third-party DTC genetic testing company can do with this information (Roberts). Susan is thus left exposed to potential discrimination from lending institutions. In general, GINA only applies to employment and health insurance, leaving out protections for life insurance, mortgage lending, and disability insurance (Zhang). However, DTC companies do not directly disclose this information when onboarding new customers, inhibiting users from exercising full informational autonomy.
This is especially true since DTC genetic testing companies are not required to follow the United States’ most fundamental health data protection law: the Health Insurance Portability and Accountability Act (HIPAA) (Grandhi). Unlike the patient-doctor relationship governed by HIPAA, interactions between individuals and genetic testing companies lack these protections. This creates what philosopher Michel Foucault calls “biopower,” a term for when private corporations gain significant control over our biological information without corresponding obligations to protect it (Foucault). The philosophical inconsistency of protecting genetic information differently based on who holds it—formal healthcare providers versus DTC genetic testing companies—challenges the notions of autonomy that users expect when signing up for a health service.
Consumers further lack autonomy in this process due to proprietary information laws. DTC genetic testing companies are not required to share the specific ways in which they use customer data (Grandhi). For example, it is not stated in privacy policies that personal genetic information can be shared with the police without a warrant. GEDMatch, a genetic technology company, created a database of its users and allowed organizations to gain access. In 2018, they allowed law enforcement to continuously search their user database without any formal warrant (Robinson). The police could upload DNA samples from crime scenes and search for potential matches among users (Robinson). This transformation of GEDMatch from a genealogy service to a law enforcement tool shows us how commercial genetic databases can be repurposed in ways that users could not have reasonably anticipated or consented to when they first submitted their DNA. Worse, it affects not just the individuals who uploaded their DNA, but also their biological relatives who never consented to genetic testing. When police match crime scene DNA to a distant cousin or uncle in the database, they effectively gain access to the genetic privacy of entire family trees. It is reasonable that individuals do not expect medical records shared with a doctor to be freely accessible to law enforcement without a warrant, even if those records might help solve crimes. If consumers had known their genetic information could be accessed by law enforcement, scrutinized for criminal investigations, or used to surveil their relatives, many might have chosen not to use the service altogether. Traditional genetic labs, operating under HIPAA, do not face this same concern.
4. The Hidden Web of Data Sharing
An objector might say that governments already have access to citizens’ fingerprints and birth certificates—what makes DNA so different? The former are simple identifiers, justified based on the importance of safety and record-keeping. On the other hand, DNA holds intrinsic value as a detailed blueprint of human identity. It is not just a matter of who you are, but a profound record of one’s ancestral origins and personality dispositions. Companies such as 23andMe and AncestryDNA fail to meaningfully inform users that they are surrendering not just an identifier, but a permanent window into their biological truths without proper legal protections against abuse. This objection fundamentally undermines informed consent by obscuring the true scope and implications of genetic disclosure.
In addition, DTC genetic testing companies violate user autonomy by making legal disclosures deliberately complex. The majority of these companies’ privacy policies are above the average reading level of United States citizens (Litman-Navarro). Notably, almost all are above a college reading level (See Appendix A). Thus, a significant portion of the genetic data collection economy is based on consenting to documents that the majority of citizens cannot understand to begin with. In privacy policies written by lawyers for lawyers, DTC genetic companies obfuscate information that is crucial for an individual’s ability to make an informed decision.
A society that does not respect autonomy is one that disregards an individual’s choice to shape their own values and choices. History is fraught with countless examples where denying an individual’s autonomy led to their exploitation, ranging from medical experimentation without informed consent to forms of institutional oppression. The Havasupai Tribe study is an excellent case. In 1990, Arizona State University researchers collected DNA samples of the Havasupai Tribe after they agreed to a study surrounding the community’s high rates of diabetes (Garrison). However, without their knowledge or consent, researchers used these samples to study mental illness and theories of tribal origins—deeply sensitive topics that violated the tribe’s cultural beliefs about ancestry and origin. Many community members felt betrayed when they discovered their genetic information had been used for purposes they never agreed to, particularly studies that challenged their spiritual beliefs.
Like the Havasupai, today’s consumers provide genetic information for one stated purpose (such as ancestry or health information) but face the risk of their data being used for potentially objectionable purposes. In this way, respecting informed decision-making is not just about individual freedom; it is about protecting vulnerable people from having their lives and bodies used for others’ purposes without their meaningful consent.
5. Trading Genetic Privacy for Profit
One might argue that DTC genetic testing consumers sign away their rights to autonomy over their personal data by using the service. However, with unintelligible and opaque privacy policies, the lack of a reasonably predictable informational environment negates the validity of true consent. When consumers click “I agree” to the privacy policies on genetic testing websites, they enter an asymmetric relationship where companies hold their DNA and the power to determine its future uses. Users consent to the collection of this biological information without being told who it might be shared with or how it could affect their family in the future. Genetic information is inherently shared; our decision affects not just our own future selves but also existing relatives and potential descendants who cannot possibly consent to this permanent exposure of their intimate identity.
In 2018, 23andMe received $300 million from the pharmaceutical company GlaxoSmithKline in exchange for the genetic information of customers (Raz). By selling access to their genetic database, 23andMe commodified their users’ genetic information without ensuring proportional benefits would return to these users. While the company might argue that this partnership could lead to new drug discoveries that benefit society, this potential good cannot justify the permanent surrender of individual genetic autonomy without meaningful consent to share.
Additionally, once genetic data is shared with third parties like GlaxoSmithKline, users lose the ability to track or control how their information is being used. While 23andMe might have certain privacy policies, there is no transparent way for users to monitor whether third parties adhere to these standards or how they might further share or analyze the data. The chain of accountability becomes increasingly murky with each additional corporate partner, further constituting a loss of autonomy. Third parties who paid DTC genetic companies for user DNA will possess this information even if a user later requests that the genetic company delete their sample.
Further, third-party data sharing creates a major vulnerability to data breaches, as demonstrated by 23andMe’s 2023 breach where hackers accessed and released the genetic data of 6.9 million users over the span of five months (Carballo). Unlike credit card information, which can be changed after a breach, genetic data remains permanently compromised. One cannot request a new DNA sequence. This means that any breaches of trust or misuse of data have permanent consequences. Yet, the companies holding this sensitive information are primarily accountable to shareholders rather than users. Thus, the DTC genetic testing model fails to provide adequate safeguards for such irreversible decisions about personal genetic information.
When confronted with the data breach, 23andMe failed to notify users whose DNA was compiled into edited racial “lists” that were posted on the dark web—a segment of the Internet that is not visible to search engines and requires special browsers. The hackers specifically extracted and exposed information about customers with Jewish and Chinese ancestry, including the users’ home addresses, full names, and birth dates (Carballo). If users were made aware of this doxxing, they could have the informational autonomy to decide their best course of action. This might include contacting law enforcement or introducing other safety measures if appropriate. When customers provide their DNA to learn about their heritage, they do not expect their ethnic identity to become a potential target for malicious actors. It is the onus of DTC genetic companies like 23andMe to state the risk of data breaches—a risk not mentioned anywhere in the corporation’s privacy policy—and continuously monitor their database for unauthorized access.
6. Reimagining Informed Consent
Although the current landscape of DTC genetic testing presents significant challenges to individual autonomy, solutions exist for reforming these practices. Online genetic companies offer invaluable insights that can help users understand their health risks and ancestry—knowledge that can truly be life-changing. But like Susan’s doctors who carefully explained both the benefits and risks of her bone marrow transplant, genetic companies ought to ensure their users understand what they are agreeing to. Building upon Harvard Law Professor Glenn Cohen’s ideas about genetic privacy, I propose a potential framework for informed consent that would transform how users interact with their genetic information while preserving the benefits these services can provide. This approach directly addresses many of the philosophical concerns surrounding genetic autonomy while acknowledging that DNA testing can empower rather than exploit.
First, Cohen’s idea of genetic privacy centers on the concept of time-inconsistent preferences, where our consent might change over time as technology advances (Cohen). Companies must realize that individuals’ desires about their genetic information naturally evolve as new uses and implications emerge. This temporal understanding is crucial given cases like the 23andMe data breach where genetic information was later exposed in ways that targeted specific ethnic groups. Providing iterative consent would allow individuals to maintain active control over their biological information as technology and practices evolve.
Additionally, individuals need to have granular control over their DNA, enabling them to make specific choices about different aspects of their genetic information (Cohen). It could prevent situations like GEDMatch’s blanket sharing of customer data with law enforcement, instead allowing individuals to maintain autonomous control over how their genetic information is used across different contexts. The approach also acknowledges what Cohen terms “privacy externalities,” or recognizing that genetic information inherently affects biological relatives, similar to how the Havasupai Tribe’s case demonstrated the communal implications of genetic privacy.
Building upon these ideas, a reformed DTC genetic testing process would transform how individuals interact with their genetic information. The consent process would begin with a short educational module where customers first learn about the multiple dimensions of genetic privacy in clear language. It would include the risks of DNA disclosure as well as the types of entities they share user information with. The platform would feature a dynamic privacy dashboard where customers maintain ongoing control over their genetic information. Unlike current models where privacy settings are often buried in complex menus, this interface would clearly display current uses of their genetic data, pending requests for data access, regular privacy audits, and family impact assessments showing how their privacy choices might affect relatives.
The “ongoing” consent process would require companies to obtain renewed authorization for new uses of genetic information. For example, if a pharmaceutical company requests access to genetic data for research, customers would receive detailed information about the specific research purpose, who will have access, potential risks and benefits, and any commercial implications. They could share ancestry information while restricting health data, participate in certain research studies while opting out of others, and restrict access to ethnicity-related genetic markers.
This framework represents just one of the many possible approaches to improve the current model of genetic testing consent. The key is recognizing that comprehensive reform is not just about adding more checkboxes or privacy notes—it is about fundamentally reshaping how we think about genetic privacy as our technology becomes more advanced. We can create a system where genetic testing serves its intended purpose of empowering individuals with knowledge about themselves while also ensuring that this knowledge remains firmly under their control.
7. Conclusion
Through their deceptive practices around informed consent, direct-to-consumer genetic testing companies fundamentally undermine individual autonomy and control over genetic information. As our genetic information becomes increasingly valuable in the era of Big Data, the current model of one-time consent for permanent data surrender becomes ethically untenable. We risk creating a future where our most intimate biological essence becomes just another commodity to be bought and sold—all while operating under the illusion of informed consent. The challenge ahead lies not in preventing DTC genetic testing altogether, but in developing frameworks such as the one proposed in this paper that respect individual autonomy while advancing scientific understanding. While DTC genetic testing companies promise to unlock the secrets of our ancestry, they seem to have forgotten the most fundamental principle: our genetic information belongs to us. The time has come to rewrite the code of genetic privacy—not with the four letters of DNA, but with clear rules that protect individual autonomy. Our genetic code may be set in stone, but our right to control it through fully informed consent should not be up for sale.
Appendix
Appendix A: Comprehension Levels of Privacy Policies by Major Technology Corporations
Privacy policy complexity can be measured through metrics like sentence structure and vocabulary sophistication, producing a numerical comprehension score. Educational standards indicate that college-ready ninth graders should be able to comprehend texts at a 1050 level (Litman-Navarro, 2019). However, analysis reveals that most DTC genetic testing companies write their privacy policies well above comprehension levels of 1300, requiring post-secondary education levels for full comprehension. This creates a significant barrier to informed consent, as many users cannot adequately understand the terms to which they are agreeing. The following data from the New York Times illustrates this concerning gap between average reading levels and privacy policy complexity (Litman-Navarro, 2019). The first graph illustrates the reading comprehension levels of top technology companies, while the second shows that many privacy policies exceed comprehension levels needed to understand complex literature like Stephen Hawking’s A Brief History of Time.


Bibliography
Auxier, Brooke, Lee Rainie, Monica Anderson, Andrew Perrin, Madhu Kumar, and Erica Turner. “Americans' Attitudes and Experiences with Privacy Policies and Laws.” Pew Research Center: Internet, Science & Tech. Pew Research Center, May 26, 2020.
Beauchamp, Tom L. "The ‘four principles’ approach to health care ethics." Principles of health care ethics 29 (2007): 3-10
Carballo, R., Schmall, E., & Tumin, R. (2024, January 26). “23andMe breach targeted Jewish and Chinese customers, lawsuit says.” The New York Times. https://www.nytimes.com/2024/01/26/business/23andme-hack-data.html
Cohen, I. Glenn, et al. "Genetic Testing Privacy: The Line Between Private Practice and Public Health." Science, vol. 364, no. 6442, 2019, pp. 721-723.
Foucault, Michel. "The subject and power." Beyond Structuralism and Hermeneutics/Harvester Wheatsheaf (1982)
Garrison, Nanibaa' A, and Mildred K Cho. “Awareness and Acceptable Practices: IRB and Researcher Reflections on the Havasupai Lawsuit.” AJOB primary research vol. 4,4 (2013): 55-63. doi:10.1080/21507716.2013.770104
Grandhi, Sukeshini A., and Linda Plotnick. "Do I spit or do I pass? Perceived privacy and security concerns of direct-to-consumer genetic testing." Proceedings of the ACM on Human-Computer Interaction 6.GROUP (2022): 1-26.
Litman-Navarro, Kevin. "We read 150 privacy policies. They were an incomprehensible disaster." The New York Times 12 (2019)
Majumder, Mary A., Christi J. Guerrini, and Amy L. McGuire. "Direct-to-consumer genetic testing: value and risk." Annual Review of Medicine 72.1 (2021): 151-166.
Nietzel, M. T. (2024). Percentage of adults with college degrees edges higher, finds new lumina report. Forbes. https://www.forbes.com/sites/michaeltnietzel/2024/02/01/percentage-of-us-adults-with-college-degrees-edges-higher-finds-lumina-report/
Raz, Aviad E., et al. "Transparency, consent and trust in the use of customers' data by an online genetic testing company: an exploratory survey among 23andMe users." New Genetics and Society 39.4 (2020): 459-482.
Roberts, Catherine. "Your Genetic Data Isn't Safe With Direct-to-Consumer Testing Companies." Consumer Reports, 28 Jan. 2022.
Robinson, Ashley. "How Far Is Too Far: Police Use of Consumer Genealogy Databases as a Violation of the Fourth Amendment." Syracuse J. Sci. & Tech. L. 36 (2019): 114.
Wee, Sui-Lee, and Paul Mozur. "China Uses DNA to Map Faces, With Help From the West." International New York Times (2019): NA-NA.
Zhang, Sarah. "The loopholes in the law prohibiting genetic discrimination." The Atlantic 3 (2017): 13.