I'd feel a lot better with customer-centric privacy protections around the collector and storer, a la HIPAA.
Instead of regulating only some of the uses.
HHS already had to administratively extend to cover gaps (we'll see how that goes, post-Chevron) and Congress attempted to repeal it for workplace purposes in 2017.
And there's still the gray market question about 23andMe -> Equifax-alike packaging it into a blended proprietary risk score -> insurance companies using that (of course 'without knowing that genetic information was included').
https://www.hhs.gov/hipaa/for-professionals/special-topics/g...