26 million people used take-home genetics testing kits by the start of 2019, according to a recent study by the MIT Technology Review. In fact, as many people purchased consumer DNA tests in 2018 as in all previous years combined. But as the genetics testing market explodes, we should be wary. You and I may love to learn about where we came from and if we have genetic predispositions towards particular illnesses. But after they’ve analyzed our data, what do genetics testing companies like 23andMe, Ancestry.com and FamilyTreeDNA do with our genetic information? Quite a lot, as it turns out.
“Employers and insurers are salivating to get their hands on this information. There are a lot of gray areas and companies are taking advantage of it,” one expert told Bloomberg Law
Maybe you don’t care what they do with your own genetic info. But consider: you share 50% of your genes with your immediate family. So you’re not just giving away your data, you’re giving away your family’s genetics, too.
In this article, we explore how pharmaceutical companies, law enforcement agencies and others use your genetic data. And then we’ll talk about the idea of informed consent in the age of genetics testing kits and massive commercial DNA databases.
Pharma, Biotech, Retailers and Others are Buying Your Genetic Data
Just last year, pharmaceutical giant GlaxoSmithKline paid $300 million for access to 23andMe’s customer data. The terms of the deal say that GSK can analyze 23andMe’s stored DNA samples, and then use that data to investigate new drugs to develop and plan out how to select patients for clinical trials.
“A genome is not your average piece of data.”
Meanwhile, back in 2015, Ancestry.com sold their customer data to Google-backed biotechnology firm Calico. The deal between Ancestry and Calico quietly ended in 2018. But in the meantime, Calico got access to more than 1 million sets of DNA, which the biotech company said they’d use to research how to extend the human lifespan.
These two deals aren’t outliers. Genetics testing companies have a long history of selling their customer’s DNA to pharma companies, biotech firms, and academic institutions. Many retail companies buy your data too, including P&G Beauty, makers of Crest toothpaste, Ivory soap and the antacid Pepto-Bismol.
Every time, the companies involved in these deals say that their customers have opted in for “informed consent research” when they sign up for their genetics testing kits. But what does “informed consent” mean in this context? (We’ll talk about this momentarily.)
“…our DNA, just like our posts on social media or our location data, is at the mercy of user agreements none of us have any control over or even bother to read.”
“A genome is not your average piece of data — it is inherently identifiable, it is familial (revealing your genomic data can reveal sensitive information about your family members as well), and its value is long-lasting,” says Loeb & Loeb attorney Jessica B. Lee. “These characteristics of genomic data present a unique privacy risk, and there is no broad, all-encompassing law that addresses these risks.”
And as machine learning and artificial intelligence continue to improve, it’s quickly becoming easier and easier to “re-identify” people from their genetic data.
The FBI is Using Consumer DNA to Solve Crimes – But Look Beyond the Headlines
During the summer of 2018, the “big 4” genetics testing/ancestry companies promised that they wouldn’t let police agencies access their databases. That lasted all of a few weeks. In August this year, the Wall Street Journal published an article detailing how the FBI used FamilyTreeDNA’s customer’s DNA to solve a couple of cold cases.
In essence, FamilyTreeDNA president Bennett Greenspan unilaterally decided to allow the FBI to upload their own DNA data from corpses and blood splatters, and then surf the database like any other customer to compare “their” DNA to the database. Greenspan was, he says, moved to make the decision by the horrifying nature of the crimes. But as the WSJ article points out, “This wasn’t what his customers signed up for, Mr. Greenspan knew.”
“First rule of data: once you hand it over, you lose control of it.”
In an open letter dated February 3rd, 2019, Mr. Greenspan apologized to his customers and clarified that law enforcement “cannot search or ‘dig through’ FTDNA profiles any more than an ordinary user can.” The key words being, of course, “ordinary user”.
On the one hand, this is a story of the FBI using consumer DNA to solve crimes. But it’s also the story of the CEO of a multimillion-dollar company with millions of people’s genetic information on tap knowingly subverting the idea of informed consent. In Greenspan’s own words, “I have been a CEO for a long time. I have made decisions on my own for a long time. In this case, it was easy. We were talking about horrendous crimes. So I made the decision.”
As this MIT Technology Review article puts it, “The unilateral change in policy—which users weren’t alerted to—is troubling because it means that our DNA, just like our posts on social media or our location data, is at the mercy of user agreements none of us have any control over or even bother to read.”
Greenspan’s intentions were good, but his actions highlight some massive gaps in consumer data privacy laws. Evidently, a single person can waive away an individual’s rights to privacy and informed consent.
This isn’t an isolated case. On April 24th, 2018, police arrested a serial killer who’d murdered at least 12 people between 1974 and 1986. How did they catch him? By comparing crime-scene DNA with a freely-accessible commercial DNA database, GEDMatch, to find the killer’s family tree. From there, they zeroed in on the suspect using other clues. According to MIT Technology Review, GEDMatch said it was “not approached by law enforcement or anyone else about this case or about the DNA.”
Want to Get Your DNA Sample Back? Too Bad
Have you already sent in your DNA to one of the big genetics testing companies? Just now learning about what can happen to your genetic data? Wondering if you can have your DNA sample returned to you? The answer is unequivocally no – despite the fact that genetic testing companies acknowledging that you are still the owner of your DNA.
“Your saliva sample, once submitted to and analyzed by us, is processed in an irreversible manner and cannot be returned to you.” — 23andMe Terms of Service
“You understand we will store any remaining DNA samples after your sample has been processed, and once submitted to us, your DNA sample cannot be returned to you.” — FamilyTreeDNA Terms of Service
“…in any case, once submitted to us, your saliva and DNA sample cannot be returned to you” — Ancestry.com Terms and Conditions
But not being able to get your sample back isn’t the only problem. It’s also unclear just how long each company will actually hold on to your DNA. Ancestry says that, “the DNA and saliva (also referred to as “biological samples”) are stored so that they can be available for future testing.” But they don’t offer a clear timeframe.
23andMe, meanwhile, says, “Unless we notify you otherwise, we will store your sample for a minimum of one year and a maximum of ten years.”
Sounds clear, right? Not so fast – note the qualifying phrase, “Unless we notify you otherwise.” In other words, they can keep extending that deadline for as long as they like, so long as they let you know.
The Idea of “Informed Consent” Fails In the Age of Take-Home Genetics Testing Kits and Massive Commercial DNA Databases
So, what’s the best way to protect the personal data stored by genetics testing companies? One view is that governments should mandate stronger privacy protections. For example, the United States government could expand HIPAA to cover genetics testing companies.
But fighting to regulate what happens to genetic data once it’s in a commercial database will be an exhausting endeavor. As Elizabeth Joh, law professor at UC Davis, so eloquently tweeted: “First rule of data: once you hand it over, you lose control of it. You have no idea how the terms of service will change for your “recreational” DNA sample.”
For now, you and I should focus on the idea of informed consent.
“Informed consent” usually means agreeing to something only after you understand all the relevant facts and disclosures. For example, say you agree to an mobile app’s Terms of Service (ToS) and start using it. But then you discover that nowhere in the ToS did it say that the app’s maker would be collecting data about you from other apps on your phone. In this hypothetical scenario, you were never told about their practices. So, you did not give informed consent to have your data collected in this way.
Now imagine that the Terms of Service did, in fact, disclose the data collection practices. Sure, you signed the document. But it was dozens of pages long and full of complex jargon and legal-ese. Could anyone reasonably expect you to have read it all the way through in the first place?
Things get even trickier when it comes to genetics testing and commercial DNA databases. Some experts are warning that we need to re-consider the entire idea of informed consent by an individual. Why? Because we share our genetic data with so many other people.
Writing in the Columbia Law Review, Natalie Ram explains out that your genetic information is not like other forms of data. In part, “because it is shared—immutably and involuntarily—in ways that are identifying of both the source and that person’s close genetic relatives.” Therefore, she writes, “Standard approaches to addressing interests in genetic information have largely failed to recognize this characteristic, treating such information as individualistic.”
What Should Informed Consent Really Mean for Genetics Testing and Genetic Information?
This raises the question: How should we define informed consent in regards to genetics testing and sharing genetic information?
I’d argue that in this context, informed consent should require that companies clearly and concisely explain to their customers:
- What genetic data they’re collecting
- How they store that data, and for how long
- What they plan to do with that data (including who they sell it to, or which government agencies they grant access)
In addition, companies should start giving their customers some choice in the matter. At the very least, it should be easy to to opt-out from having your genetic data sold to other companies.
But if nothing else, just talk to your friends and family about this stuff. So many people are worried about how Facebook, Google, and Amazon collect and sell their shopping history and web browsing habits. But the same people don’t bat an eyelash at handing over their DNA. And yet, as we’ve seen, genetic codes are far more “personal” than an address or browser history.
By spreading awareness and understanding of these issues, you can help your friends and family protect their data (and, yours, too).