Scholars argue that increased use of direct-to-consumer genetic testing creates hidden privacy risks.
In the last decade, the cost of sequencing the human genome has dropped significantly, enabling the growth of a wide range of direct-to-consumer genetic testing. Companies now offer consumers a chance to “meet your genes,” “get the most out of your DNA,” and “discover your family history.” But when curious consumers use these companies to explore their ancestry or risk of genetic disease, who else is granted access to that genetic information?
Leading direct-to-consumer genetic testing companies recently expressed their commitment to following newly established industry principles on privacy protection. But a recent study conducted by researchers at Vanderbilt University, which looked at policies from nearly one hundred direct-to-consumer genetic testing companies, has found that the policies fell far short of the principles endorsed by the Federal Trade Commission (FTC).
In exercising its authority to stop advertising practices it deems unfair or deceptive, the FTC has put forward fair information practices that, according to the authors of the study, should guide the privacy policies of genetic testing companies.
The authors of the study—James Hazel and Christopher Slobogin—analyzed the privacy policies and information available to consumers looking to purchase an at-home DNA kit. This information often lacked clarity about what security measures the companies take to protect data from hackers, whether the companies will notify consumers of a data breach, and how the companies use and share the data they collect.
Concerned about these types of privacy risks, Senator Chuck Schumer (D-N.Y.) has called for the FTC to take a closer look at whether the privacy policies of direct-to-consumer genetic testing companies adequately protect consumers’ sensitive personal information. The FTC seems to share Schumer’s concern, since it encourages potential consumers to comparison-shop privacy policies before sending in any DNA.
Although the information returned from genetic testing varies depending on the company, the basic business model remains the same: From the comfort of their own home, consumers can order a test, take a cheek swab to collect their DNA, send it to be analyzed, and then access the results of the test online. Despite the fact that the majority of genetic testing companies provide tests for reasons unrelated to health—for instance, tests to determine ancestry or kinship—they often collect additional information about the consumer’s medical history, physical traits, and lifestyle that can end up stored in the companies’ databases along with genetic data.
Because direct-to-consumer companies electronically store the results of DNA tests, the FTC cites the security of genetic data, or lack thereof, as a risk to consider when making the decision to obtain genetic testing. Hazel and Slobogin found, however, that most companies do not give consumers information about their security measures, and the vast majority have no policy regarding whether the company will notify consumers in the event of a security breach.
Hazel and Slobogin also examined whether privacy policies provided information about whether the genetic testing company would share consumers’ information with third parties and how the genetic testing company itself would use the data. About 50 percent of the privacy policies specified that data would not be shared with third parties, but the rest either did not address sharing or explicitly permitted it. The majority of policies that did permit sharing at least specified that any data shared would be de-identified, that is, stripped of personal information tied to a specific person.
Hazel and Slobogin’s study also revealed that a majority of the privacy policies disclosed that the direct-to-consumer company could use client data for internal purposes other than providing clients with their own genetic information.
Given that two of the largest genetic testing companies, 23andMe and Ancestry, have business models that explicitly rely on the large database of genetic information the companies have compiled, and given that they generate revenue from the sale of large datasets to third parties, these disclosures about data sharing may not be surprising to informed consumers.
Hazel and Slobogin point out, however, that consumers trying to find out exactly how their data would be used would likely have a difficult time doing so. Even the comprehensive policies—which most often show up in “click-wrap” agreements online—lack specific details and clear language.
Once genetic information has been shared with a third party, it becomes very difficult for individual consumers to have their data deleted, Hazel and Slobogin explain. They find this lack of control especially concerning in light of the fact that a study on de-identified genetic data demonstrated that, with sufficient information and computing power, individuals can be re-identified from a genetic profile. The researchers who conducted that study reportedly say that the risk of re-identification is “phenomenally low” but caution that individuals participating in genetic sequencing should still be warned of the potential discovery of their identities. Although the Genetic Information Nondiscrimination Act protects consumers from discrimination due to their genetic profile by health insurers or employers, life insurance or long-term care companies may still use genetic information in underwriting policies.
The most prominent direct-to-consumer genetic testing companies have acknowledged the need for privacy protections. Intended to work within the framework of the FTC’s principles, the companies’ document outlining privacy best practices includes principles such as transparency about privacy policies, consent for data sharing, customer access to genetic data, and deletion policies that make clear any limitations on consumers’ ability to have their data destroyed. These best practices also include a mechanism for accountability: Companies should have an official who ensures compliance, and they should give consumers “commitments that are enforceable by the FTC, State Attorneys General, or other authorities.”
Although it remains to be seen whether the genetic testing industry’s stated best practices will become an effective form of self-regulation, under the current legal framework self-regulation may be the only protection on which consumers can rely. The FTC’s ability to intervene is limited to advertising practices that it finds unfair or deceptive, and the FTC has not filed any complaints in recent years. Beyond such enforcement actions against unfair advertising, Hazel and Slobogin point to comprehensive privacy legislation as the solution to protect consumers’ genetic data.