September 24, 2020 – As genetic testing companies increasingly pivot to medical and pharmaceutical ventures, a regulatory gap in consumer privacy protections is drawing calls for change and even legislative proposals.
At-home DNA test kits from companies like 23andMe and Ancestry have enabled customers to trace their heritage and piece together family trees. A lack of strict data privacy protections has allowed these companies to rack up hundreds of millions in revenue through the collection of DNA samples and sales of genetic data, all with the consent of customers who may not have read the fine print.
As it stands, there is no comprehensive federal privacy law in the U.S. Other laws, including HIPAA and the Genetic Information Discrimination Act, only keep genetic information off-limits to certain types of insurers and employers. Further, the agency that is supposed to enforce privacy rules by DNA testing companies, the Federal Trade Commission, has limited authority.
Exposed genetic information poses risks from the mundane to the extreme, experts say. Long-term care, disability and life insurers, for example, can still legally inflate their rates based on a customer’s predisposition to adverse health conditions. And if a person takes a DNA test, the information could be used to profile unsuspecting relatives as well.
Some have warned of more dire consequences. One DNA data security startup, Geneinfosec—which counts former U.S. assistant secretary of defense Andrew C. Weber among its advisors—claims that someone’s DNA profile could be used as blackmail, or even to create bioweapons that target specific people. In 2019, Pentagon officials advised military troops to avoid taking consumer DNA tests because they could, “create unintended security consequences and increased risk to the joint force and mission.”
In 2018, the nonprofit Future of Privacy Forum issued a set of voluntary “privacy best practices,” with several large DNA test companies signing on, including Ancestry and 23andMe. The guidelines aimed to increase transparency, provide consumer choices and ensure protection. But the genetic testing landscape has “transformed” since then, said Rachele Hendricks-Sturrup, the forum’s health policy counsel.
“The best practices that are in front of us here today, they’re great, but as these companies begin to engage more in health care, should there be additional consideration?” Hendricks-Sturrup asked, adding that some may feel more protective of personal health information than details about their heritage.
Earlier this year, private equity giant Blackstone acquired Ancestry.com for $4.7 billion, raising speculation about what Blackstone was up to. In a statement to FairWarning, Ancestry was unequivocal: “Blackstone will not have access to Ancestry customer data, nor will any of their portfolio companies.” But in the acquisition announcement, Ancestry president and CEO Margo Georgiadis said the company expected to collaborate with Blackstone on “bringing to life our long-term vision of personalized preventive health.” Blackstone has also invested heavily in medical devices for diabetes patients and treatments for high cholesterol and kidney disease.
The best practices prohibit sharing with third parties genetic data that isn’t “aggregated” or “de-identified”—that is, data that has been stripped of names and contact information, and pooled together in group health statistics. But the same rules would not apply in the case of the corporate acquisition of a company that held the data, as with Blackstone and Ancestry, said Hendricks-Sturrup.
“Interestingly our best practices don’t really speak to business acquisition instances,” she explained. “But we do state that consumers should be offered choices, they should be given the opportunity or option to express consent.”
Blackstone reiterated to FairWarning that it would have no access to Ancestry’s genetic data, but declined to answer specific questions for this story.
Exposure of genetic information does not carry the obvious risks of bad actors getting hold of credit card or social security numbers, said Lisa Parker, the director of the Center for Bioethics and Health Law at the University of Pittsburgh.
However, in the case of the Blackstone acquisition, she added, “there are concerns about the sale of a company and its assets. How the purchaser is going to make use of these assets is not clear.”
In 2018, 23andMe entered into an exclusive four-year deal with drugmaker GlaxoSmithKline The companies said in a joint announcement that 23andMe would comply with the best practices and only share anonymous, pooled health statistics. But the arrangement also allows those with specific conditions or mutations to agree to be identified and invited to participate in clinical trials.
23andMe sells a health package with its DNA tests featuring “150+ personalized reports” with insights on everything from the breast cancer mutation and sickle cell anemia to muscle composition and something it calls “genetic weight.”
Given such offerings, consumers may not understand what partnerships like that of 23andMe and GlaxoSmithKline mean for their personal data, said Peter Pitts, president and co-founder of the New York-based nonprofit Center for Medicine in the Public Interest.
This is not about medical treatments tailored to a person’s DNA profile, he said. “What we’re talking about is the ability of pharmaceutical research and development people to find it easier for people to be in clinical trials by DNA identifier, which saves time and money and expedites medicine to market.”
According to the voluntary best practices, which were unveiled just days after the 23andMe-GlaxoSmithKline deal, sharing anonymous group statistics “may provide strong assurance” of privacy to individuals. But experts point out that data could be hacked and participants identified.
“Even if Ancestry has the best security system, the people with whom it does business may not,” said Pitts of the Center for Medicine in the Public Interest. “There are many opportunities for people who want to do bad things to get a hold of this data.”
“Protecting consumers’ sensitive personal information—such as health or DNA data—is a Commission priority,” an FTC spokesperson told FairWarning. When asked for examples of FTC consumer protection enforcement cases involving DNA testing companies, the agency provided just one, and cited four other cases involving data privacy unrelated to genetic information.
The genetics-related case, from 2014, targeted Genelink Biosciences, which claimed to customize nutritional supplements and skin-care products to customers’ “DNA disadvantages” obtained by a cheek-swab test kit. In its complaint, the FTC disputed the scientific validity of such products. It also said the more than 30,000 genetic samples the company had collected since 2008 had been vulnerable to identify theft and other privacy violations by third party contractors hired by the company.
But a search of the FTC case database using the words “genetic,” “DNA,” and “biosciences” turned up only one other DNA testing case related to consumer protection.
“The FTC doesn’t have enough authority to adequately regulate these companies,” said Maureen Mahoney, a policy analyst for magazine and advocacy group Consumer Reports. “We need a privacy law that requires privacy by default that limits what companies can collect in the first place and requires disclosure.”
State-level privacy laws are cropping up to fill the gap. In August, California lawmakers passed a bill that enshrines some of the voluntary best practices into law—specifically, that genetic data cannot be shared with third parties without the individual’s prior written consent.
“We wanted to ensure that these companies don’t decide to change their collection and disclosure practices and that there be repercussions if they do,” said Mahoney, who advised lawmakers on the bill.
23andMe and Ancestry formed the two-member Coalition for Genetic Data Protection, which consulted with the sponsor of California’s privacy bill.
“I think they have indeed advocated for privacy protections and for strong security measures,” said Parker of the Center for Bioethics and Health Law. “It’s certainly in their interest to do so.”
But other experts say that major consumer DNA test companies can improve how they communicate what they will do with DNA samples—especially as they expand into health services.
“People need to be made aware that their data may be shared or sold with third parties,” Pitts said. “This needs to be more than just clicking ‘I Agree’ at the bottom of a lengthy text. It needs to be written in plain English, on a number of different screens.”
Lawrence Brody, a senior investigator in medical genomics at the National Institutes of Health, said that while many of the major DNA testing companies are well-intentioned, “the industry should do a better job” of informing consumers.
“I don’t know that anyone can bear to read those 15 pages of fine print,” he said. “You want to know under what circumstances they might share your information. It’s the business model, sharing your information is part of what they do to earn their own returns ”
A federal data privacy bill sponsored by U.S. Senator Sherrod Brown, D-Ohio, would challenge this business model in a fundamental way: barring companies across different industries from sharing data with anyone other than their customers.
For critics like Peter Pitts, such a proposal makes perfect sense.
“I don’t understand why a consumer would pay for the privilege of having a third party sell their personal genetic information for profit,” he said.
FairWarning is a nonprofit (501(c)(3)) investigative news organization that focuses on public health, consumer, workplace and environmental issues, and related topics of government and business accountability. www.FairWarning.org