How to regulate recreational medical devices?

"Even if the consumer doesn’t have medical expectations, the privacy implications of the data are just as problematic as when the device is a medical device," writes Dov Greenbaum

Dov Greenbaum 18:3511.12.21
Advanced near-medical-grade devices are often made available to the consumer with little to no regulatory oversight. How so? By self-identifying their technologies as recreational, companies developing emerging technologies have been mostly able to circumvent the frequently onerous and limiting regulation typically reserved for medical devices.


Consider the multibillion dollar direct-to-consumer (DTC) genetic testing industry. There has been a longstanding interest in regulating this area. In 2008, Time Magazine named DTC genetic testing as the Invention of the Year. The same year, a report by the US Department of Health and Human Services (HHS) called for greater oversight, without distinguishing between recreational and medical tests. However, as per the US’s 1976 Medical Device Amendments of the Federal Food, Drug, and Cosmetic Act, the US Food and Drug Administration (FDA) retains discretion as to how to regulate medical devices, including the choice to not regulate at all.


Photo: Shutterstock Photo: Shutterstock


As such, market leaders like the OG, 23andMe --which at one point provided mostly actionable and medical genetic information for its customers are now still collecting arguably medical-grade data from seemingly medical-grade devices, but this time, without the FDA breathing down their neck, simply by selling their product as a recreational service.


23andMe has recently returned to selling medically actionably tests as well. The company’s reappearance in the medical field highlights the difference in oversight between recreational and medical: while there are tens if not hundreds of companies providing recreational direct to consumer genomic data, 23andMe is currently the only DTC genetics company in the United States authorized by the FDA to provide medical data.


Why is there this difference in oversight? Ostensibly recreational DTC genetic testing --which have been used by millions, and likely millions more as the price point continues to plummet-- in contrast to medical-grade DTC genetic testing, comes with less potential harms, such as invasion of privacy, or the potential for mental and physical consequences resulting from newly gained foreboding genetic knowledge.


To some degree, this artificial division between recreational and medical is justified: recreational testing has, for the most part, been about non-actionable results, some more dubious than others, such as ancestry testing, matchmaking, optimal diets, or athletic talent detection. In addition to the often lack of scientific validity in their results, these tests are often inconsistent, with even identical twins sometimes receiving markedly different ancestry results both within the same testing company and among other DTC genomic competitors.


In contrast, regulated medical genomic testing seeks to find, for example, the genetic source of a putative disease based on reproducible peer-reviewed scientific observations.


Despite this arguably justifiable division, there are lingering serious concerns: Those seemingly benign ancestry tests can also disclose non-paternity for example between a putative father of one demographic background and a child that shares little to none of that background. Alternatively, these recreational services can identify unknown family members such as half-siblings from over-enthusiastic sperm donors. Furthermore, there could be legal implications resulting from recreational tests such as when the tests show strong ancestral connections to stigmatized or legally protected demographics, such as Native Americans or other minorities.


There is also the potential for real emotional trauma with recreational genomics. Some recreational tests purport to identify athletic abilities, or lack thereof based on sometimes pseudoscientific claims. While the FDA considers these tests as related only to general wellness, and does not generally review such products, tests these results, regardless of their scientific validity could weigh heavily on parents and their children, creating burdensome expectations where none are justified. And, in general, a recurring concern among recreational DTC genetics is the lack of protection with regard to minors, or whether parents should even have access to their minor children’s results.


Additionally, given all the data created by recreational testing, regardless of the medical applicability of how companies process, analyze and return the data to their customers, that data is likely still replete with private and personal information in the form of the collected raw genetic data. The American Medical Association (AMA) recently agreed with this position. This raw data ought to be overseen by a federal regulatory body to at minimum protect its security and privacy.


In some cases, the raw data can be provided to a requesting consumer. However, studies have shown that this raw data, is often not clinically actionably as it can be full of false positives and other inaccuracies.  


Nevertheless, as long as we maintain this bright line rule dividing recreational DTC genetics from medical DTC genetics, we are buying into the legal fiction that some types of testing are so less problematic than others that the law need not even regulate them, despite their many similarities to their regulated cousins, especially in terms of the data that is collected and analyzed.


The law thrives on legal fictions and legal loopholes. Legal fictions have been around for millennia. Modern legal fictions are even part of general society, such as the application of legal personhood to a corporation granting corporations freedom of religion, free speech, or the right to be considered an author.


Perhaps, the legal fictions in the case of DTC genomics, and conceivably in other areas of biotechnology where there is also a recreational/medical distinction, such as in neurodevices, ought to be rethought or at least redefined: When considering whether a company can rightfully refer to their direct-to-consumer quasi-medical technology as recreational and not medical, the overseeing bodies should consider at least two separate but related concepts in deciding whether a potential medical device should be of the recreational unregulated variety, or a bone fide medical device with all of its regulatory implications.


The first relates to the intended target. Does the individual using the technology believe that they are using a medical device, and do they believe that the data they are receiving from the device is medically actionable? If the answer to both queries is no, then perhaps the device can be considered a recreational device.


The second concept relates more abstractly to the actual data collected by the device. If that data is in fact medically actionable, or clinical-grade, i.e., in any way as privacy-problematic as data collected from an actual medical device, or the knowledge of the data can be potentially harmful to the individual, then perhaps the regulator should consider the device to be medical-grade, or at least not recreational, regardless of the intent of the consumer in the aforementioned first analysis. Maybe the FDA should consider a third in-between descriptor that better fits with the potential harm of being unregulated. Even if the consumer doesn’t have medical expectations, the privacy implications of the data are just as problematic as when the device is a medical device. The data is still informative data. However, at least in medical devices there is likely some oversight vis-à-vis security and privacy. In the recreational, there is no Federal oversight, despite similar security and privacy concerns.


Things are finally changing: In October, Florida’s Protecting DNA Privacy Act went into effect and Gavin Newsom, California’s governor, signed SB-41 into law (slated to go into effect in January 2022).



California’s new Genetic Information Privacy Act (GIPA) requires all DTC genetics companies regardless of the medical/recreational distinction, to provide privacy policies, consent for both the consumer’s intended use, but also any potential third party use, and reasonable security measures. GIPA doesn’t provide a private right of action, but it does provide for civil penalties, albeit modest, in cases of negligent and willful violations, after a short cure period. Florida’s law provides no cure period and includes criminal penalties.


These laws are a good start at protecting consumer-initiated genetic data, i.e., data that consumers choose to create, apparently for recreational/superficial and not medical purposes. Still, these laws are narrow, specific only to genetic testing, and not other medical devices, where there remains a problematic medical/recreational distinction, such as in the aforementioned area of neurodevices.


Prof. Dov Greenbaum is the director of the Zvi Meitar Institute for Legal Implications of Emerging Technologies at the Harry Radzyner Law School, at IDC Herzliya