Late last month, Senate Minority Leader Chuck Schumer took a break from the tax bill debate to talk with reporters about genetics.
In a press conference, the New York senator criticized how direct-to-consumer genetic testing companies — outfits like 23andMe and AncestryDNA — discuss and handle users’ genetic information. “What those companies can do with all that data — your most sensitive and deepest info, your genetics — is not clear, and in some cases not fair and not right,” said Schumer.
“It shouldn’t be that they can sell it and the consumer doesn’t know,” he added.
Schumer called on the Federal Trade Commission to launch an investigation into genetic testing companies’ privacy and disclosure practices, though the commercial and regulatory tides seem — at least for now — to be going in the other direction. Discounted prices for 23andMe dropped below $50 earlier this year, and sales of AncestryDNA kits are breaking records: In the weekend after Thanksgiving, the company said it had sold around 1.5 million genetic tests. That’s more units than 23andMe sold in its first eight years on the market.
Last spring, for the first time, the Food and Drug Administration approved an over-the-counter test that tells consumers their genetic risk for a variety of conditions, from Parkinson’s and Alzheimer’s to Celiac disease and numerous blood diseases. And a new FDA policy announced at the beginning of November is likely to allow a wave of new, health-oriented genetic screening products to enter the market.
The question looming over this exploding marketplace, of course, is whether consumer protections can keep up — and more pointedly, what fair, effective protections would even look like.
There’s a basic asymmetry at work in genetic testing: it takes just a few minutes to put some spit into a vial, sign a few disclosure forms, and pop your saliva in the mail. But that little bit of spit can yield volumes of deeply intimate data about your body. As Undark has reported in the past, that information can last for decades. It can be subpoenaed in court. It can be stolen. And it can be bundled and sold as a commodity.
And those data sales aren’t incidental: For direct-to-consumer companies, selling access to genetic information is a major source of profit. As a 23andMe board member told Fast Company in 2013, “The long game here is not to make money selling kits … Once you have the data, [the company] does actually become the Google of personalized health care.”
To adapt an adage about Facebook, when you use a genetic test kit, you are not just the customer — you are also the product.
Unlike genetic data collected in a hospital, the information that direct-to-consumer tests gather about you is not subject to the Health Insurance Portability and Accountability Act, or HIPAA, which places restrictions on how health care providers can share information about patients. State laws offer some regulations, but they vary widely from state to state.
Do consumers actually realize any of this? It’s all laid out in disclosures and consent forms, of course. But those forms are lengthy and technical, and, unless you’re a lawyer, they probably do not make much sense.
As a result, AncestryDNA’s 1.5 million new users might not realize that they have agreed to “grant AncestryDNA and the Ancestry Group Companies a royalty-free, worldwide, sublicensable, transferable license to host, transfer, process, analyze, distribute, and communicate your Genetic Information.”
Asked whether most customers actually understand that part of the agreement, Eric Heath, Ancestry’s chief privacy officer, told me in an email that the statement should be read in its full context — among other things, customers retain ownership rights to their genetic information, and they can delete it from company databases. Heath added that the company would soon be updating its official privacy statement and terms, as well as the company’s “customer-friendly Privacy Center.”
Some companies make an effort to provide more straightforward, user-friendly pages explaining what happens to all that genetic data. “I think that currently 23andMe is the standard bearer in terms of both transparency and disclosure,” said Kayte Spector-Bagdady, a bioethicist at the University of Michigan and a former associate director of the Presidential Commission for the Study of Bioethical Issues, echoing a point I heard from other experts. The company has a special page, with clear graphics and bright colors, that walks users through many of the ways their data will be used.
Not everyone feels protective of their genetic data. “I think for a lot of people, they just don’t really care. They just don’t necessarily consider their genetic data something they need to watch out for,” said Linnea Laestadius, a professor at the University of Wisconsin-Milwaukee who specializes in intersections of public health and data. She pointed out that having massive pools of genetic data is also necessary for a lot of research. It can be a rewarding experience for people to contribute to that kind of work. “The only bad thing is if people are doing it without fully realizing what they’re signing up for.”
Caveat emptor, perhaps. Regardless, there are troubling privacy-related scenarios. One would be some kind of security breach, in which hackers take large amounts of genetic information from a company. Unlike a credit card number, you can’t change your genome after the data has been stolen. Privacy policies aren’t always very comforting on this score: Family Tree DNA, for example, only assures users that “we use commercially reasonable efforts to prevent this.”
Another longstanding fear is that insurance companies will use genetic information to assess risk and penalize people with certain high-risk genetic markers. While the Genetic Information Nondiscrimination Act of 2008 blocks much of that kind of behavior, it has gaps that consumers may not be aware of, especially with respect to life insurance.
And, finally, there are the questions — familiar from debates over internet privacy — of what exactly could happen when a handful of corporations, with limited public accountability, come to manage huge amounts of intensely personal, revealing data.
“We’ve had so many data breaches, and people just have this learned hopelessness about their ability to control their information,” said Pam Dixon, the founder and executive director of the World Privacy Forum, an advocacy organization. “So you get this sense of, ‘Oh well, my information is all over anyhow, so what difference does this make?’ Well, actually, this data is a little different.”
Privacy concerns affect different groups in different ways, too. “When it comes to communities of color, they’re disproportionately impacted by the lack of privacy, the lack of protection of their data,” said Christy Gamble, the director of health policy and legislative affairs for the Black Women’s Health Imperative. Gamble, who is working on a study of how communities of color perceive genetic privacy, expressed concern that long-standing fears about medical abuse, combined with concerns about privacy, may make it more challenging for people of color to take advantage of the benefits that these technologies offer.
Should the government take action on all of this? Will that simply involve pushing companies to make their practices clearer to consumers? Or does it require legislation that puts more restrictions on the sale of personal data?
Not everyone is convinced that the issue merits a significant government intervention. “We haven’t seen the harms come to fruition,” said Jennifer Wagner, a bioethicist at Geisinger Health System Research who has training in law and anthropology. If individuals want to give broad consent for the use of their data, Wagner added, “quite frankly, my personal opinion is that individuals should have the ability to do that, and that that’s not necessarily something that we need to be overly paternalistic about.”
Other scholars are more concerned — and more interested in regulatory remedies. “The problem Senator Schumer highlights is a very real problem, but it is not limited to direct-to-consumer genetic data,” wrote Barbara Evans, a scholar of biotechnology and law at the University of Houston, in an email to me. “It also affects, for example, data about your health that FDA-approved medical devices beam back to the device manufacturer, personal data stored by companies that sell fitness tracking devices or at-home sensors, personal data held by non-HIPAA-covered research laboratories and health IT providers, and many others.”
Few people question the idea that massive stores of genetic data have the potential to help scientists tackle all sorts of diseases. As these stores grow, after all, so too does the ability for researchers to spot telling patterns that would otherwise remain hidden in the tangled code of the genome. But that promise comes with sobering questions rooted very much in the here-and-now, and in the lives of ordinary consumers who may or may not know precisely what they are signing up for.
What does it even mean to give informed consent, for example, when your genetic contribution becomes part of a research continuum stretching far into the future? “It’s like an experiment, in that we learn more about genetics every day,” said George Annas, a legal scholar and bioethicist at Boston University who is known for his work on informed consent. “And so your consent is going to be more complicated tomorrow than it is today, just because there’s more known about genetics.”
When I brought this issue up with Spector-Bagdady, the Michigan bioethicist, she told me a story. In the 1980s, sperm donors would often sign consent forms that, among other things, promised them perpetual anonymity: They would give sperm, the sperm bank would seal their information, and their offspring would never be able to track them down.
A few decades later, genetic ancestry tests began to hit the market, and people started using them to find long-lost relatives. Any sperm donor, of course, could choose not to take the test. But as long as one of his known biological relatives (a sibling, a child) took the test, his sperm-bank-conceived offspring could discover the connection.
The consent forms in the 1980s weren’t wrong, exactly — indeed, they were “very honest at the time,” Spector-Bagdady said. They just couldn’t predict the future, so that just a few decades later, informed consent “has been rendered void by the advancement of science.”
Michael Schulson is an American freelance writer covering science, religion, technology, and ethics. His work has been published by Pacific Standard magazine, Aeon, New York magazine, and The Washington Post, among other outlets, and he writes the Matters of Fact and Tracker columns for Undark.
Companies that test your DNA don’t own you, but they own the right to distribute their data. A photographer doesn’t own what he takes a picture of, though the picture is his or hers. And others can buy the genetic info and draw conclusions and possibly take actions… I don’t like the idea of insurance rates being possibly affected.
Any of you ever see Gattaca? Awesome movie. Anyhow, just ordered a genetic test kit. First I am doing the National Geographic one, then will upload into some other databases… Then will probably want to try 23andMe. I am not worried, but I get this is a serious issue worthy of discussion. I think this amount of knowledge and information gained from this type of testing over the next several decades is really going to help our understanding of genetics. I am also excited how it also helps our understanding of history. It is also helpful in the solving of crimes, like the Golden State killer for one, though the DNA tracking is creepy. See Gattaca. In that dystopian future genetic testing is constant, matter of course, and used to identify everyone, and decide what their jobs should be. Creepy.
As a Canadian, you are not protected because the United States bans a practice. Your government would have to enact its own protections.
The EU makes an art form of this, particularly in agriculture: American food safety practices are far more lax than Europe’s, so as a result, America’s food exporters can sell their goods in the U.S. but not in Europe unless they meet the higher EU standard.
The same with software, social media, and other protections against hacking. American companies peddling their digital wares overseas must meet the standards of each nation in order to sell their goods to those nations’ citizens.
As a result, EU standards make everything safer because American companies do not want to make the product for two different standards. So they make it for the higher, EU, standard and Americans win by default.
“We haven’t seen the harms come to fruition,” said Jennifer Wagner, a bioethicist at Geisinger Health System Research who has training in law and anthropology. If individuals want to give broad consent for the use of their data, Wagner added, “quite frankly, my personal opinion is that individuals should have the ability to do that, and that that’s not necessarily something that we need to be overly paternalistic about.”
Wagner may be smart in her field, but she appears to be clueless in what corporations will do–and legislators will allow them to do–in search of profits. In one word, “anything.”
While I am a strong proponent of DNA analysis companies sharing (even for profit) totally anonymized results for research–because society DOES need these cures–my data is my property. I did not sell it to an analysis company, I hired them to perform a service, just like I hire a lab to analyze my tap water. Or I hire a doctor to set my broken bone. I sold neither the doctor nor the water company the right to my bone or tap water.
More protections to consider:
–Any data transferred must be made unidentifiable to an individual.
–Big Pharma and Big Medicine cannot obtain individual tracers to the donators of the spit.
–To ensure protection against hacking and/or accidental release of that information, laws must prohibit public AND private businesses and agencies from using genetic markers for any purpose but research. In other words, insurance companies, health care providers, and government agencies are forbidden from using DNA results to deny any product or service to an individual.
Longer term, enacting Medicare for All with a ban on carve-outs for pre-existing conditions would go a long way to “terror-proofing” the use of this genetic information for the legitimate hunt to cure what ails us.
Long story short, I did not sell 23andMe my spit. I hired 23andMe to provide me a service. Ownership did not transfer, just like ownership of my credit card information did not transfer when I bought a hammer from Home Depot. If 23andMe’s sales of my genetic testing results to outsiders identifies me personally, 23andMe can expect a slate-wiper of a lawsuit.
That ain’t “paternalistic,” Doc Wagner, that’s individual rights and freedom being protected from a profit-obsessed corporate culture.
I can assure readers hackers already have access to most or all genetic information submitted to these testing companies.
Like many articles, this is a USA-centric article. I live in Canada. How am I protected if the US passes protective legislation but my country does not? Is the company bound world-wide by the laws enacted in one country? Doubtful.
Is a US citizen protected if the company resides offshore? If my DNA sample is mailed to a third country, whose laws apply? Canada’s, the USA’s, or the third country’s?
The issues explored in this article go beyond the protection of DNA information.
I also live in Canada. It is my experience that it doesn’t matter what country you are in; these are global companies. They rarely concern themselves with location; worldwide, these genetic companies share data, your data, and even if you contributed your sample without knowledge or consent, your signature on the form they send you is what they are going to use to say that you gave them all they needed to do as they wish with your sample or information from it. Even the hospital labs doing genetic testing for the courts have no regulatory body that is watching them; they have the same forms, and claim the same rights. No genetic company will speak up to expose the errors or frauds or thefts of another. Like the medical field, they falsify whatever they have to in order to hide their deception. They are private for-profit companies, and large ones at that; they will NOT allow anyone to slander them and cost them profits. So, the truth is money talks here, and the bullshit is everywhere it needs to be to make the money keep talking.
Most of the testing is for the purpose of sharing in order to find related persons. Even this requires a lot of study to be effective, although the companies typically provide matches labeled as probable with some measure of genetic distance. The more roadblocks you put in the way of finding your matches, the more useless you render the testing. You can take a test and find some very general indication of your ethnic background, which is a nice-to-know but pretty much useless for any other purpose, and by not signing a release, this is what you get.
The author seems to subscribe to the principle that what people do must be regulated by some supposed expert, when the staff who will be hired to regulate will be less knowledgeable than the user. Why didn’t you talk to experts in genealogy? How about the users? And what is with this unchallenged assertion that “When it comes to communities of color, they’re disproportionately impacted by the lack of privacy”?
You get NOTHING if you do not sign the contract. Relentlessly these DNA companies have said to me over and over: sign the contract or we do no testing. And the stuff you think they are testing for? You have no idea what is happening with your information and who else is using it for what purpose yet unknown. And they track you as well. It would seem that all genetic companies share their data with each other. So, you may show up as a different person, but they know all about you on your second contact with them. Please, use the experiences of others; learn to be aware.
I want HIPAA to apply to ALL genetic testing so that MY rights are protected if my parents, siblings, or identical twin get one of these tests. I shouldn’t have to surrender the 4th Amendment which I personally believe applies.
All databases of personal data should belong to the people who are in the database and not the companies. They should be deleted if the company is sold or bankrupt. Instead of counting them as an asset, they should be counted as a liability with costs offset only by data protection measures.
I agree; however, they have been making tons of money from sharing and selling your data since DNA came on the scene. The courts handed them their profits, and their controls. I suggest we also look at the government bodies who allowed this, who started ordering DNA testing to be used in courts, without regard for the usual protections for privacy or a human’s rights. There are currently none. Look at the contracts: if you do not sign it, they will not run testing. I have had several labs make that very clear to me. If you do sign, they own you. Bad situation, and one that it can be said to be a very dishonest state of business for a very long time for these labs.