DNA Testing Is Popular, But Many Are Unaware of Privacy Concerns
By Amy Brown
Originally published on TriplePundit
Genetic testing is a booming business. The global DNA testing market is set to reach over $10 billion by 2022, according to a study by Grand View Research. More than 12 million Americans have already sent their DNA to be analyzed by companies like 23andMe and AncestryDNA. And that number is rising: AncestryDNA sold about 1.5 million testing kits between Black Friday and Cyber Monday last year. With the top testing companies advertising holiday specials on their websites, there’s no doubt these kits will be found in many a stocking again this season.
But as DNA testing continues to grow in popularity, a key concern is often ignored: privacy. Testing companies have acknowledged that DNA data is sometimes shared with or sold to third parties for use in research. In July, 23andMe announced a partnership with GlaxoSmithKline through which the pharmaceutical company will use home DNA results from 23andMe’s 5 million customers for new drug research.
The thorny ethical questions that come along with handling such deeply personal data have become the keen focus of Peter Pitts. A former commissioner of the Food and Drug Administration, he now serves as president of the Center for Medicine in the Public Interest Forensic Genetics Policy Initiative, which advocates for greater scrutiny about the implications of data privacy around DNA testing.
“The industry’s rapid growth rests on a dangerous delusion that genetic data is kept private,” Pitts wrote in Forbes last year. “Most people assume this sensitive information simply sits in a secure database, protected from hacks and misuse. Far from it. Genetic-testing companies cannot guarantee privacy. And many are actively selling user data to outside parties.”
The popularity of these kits is understandable. For less than $100, people can discover their ancestry and uncover potentially dangerous genetic mutations. The problem, as Pitts sees it, is that these DNA results are increasingly leveraged for applications that go far beyond customer curiosity.
DNA testing companies profit, for example, from lucrative deals with pharmaceutical firms, yet customers rarely get a share of the revenue generated from their DNA results. In the case of the GSK partnership, customers can opt out of having their data used for research, but Pitts says the companies should pay the 23andMe customers whose DNA is used.
“There is almost a complete lack of awareness among the public about this issue,” Pitts told TriplePundit. “The DNA kits are being viewed as stocking stuffers or cocktail party conversation. People don’t think about the security of their DNA as they don’t realize its value. You can change your Social Security number or your computer password, but you can’t change your DNA. I’m not saying DNA testing doesn’t have value, but people don’t understand the privacy and security implications.”
Potential for misuse of data
Once genetic data has been linked to a specific person, the potential for abuse is vast and frightening, Pitts said. “Imagine a political campaign exposing a rival’s elevated risk of Alzheimer’s. Or an employer refusing to hire someone because autism runs in her family. Imagine a world where people can have their genomic building blocks held against them. Such abuses represent a profound violation of privacy. That’s an inherent risk in current genetic-testing practices.”
The problem, he explained, starts with the Health Insurance Portability and Accountability Act (HIPAA), a 1996 federal law that allows medical companies to share and sell patient data if it has been “anonymized,” or scrubbed of any obvious identifying characteristics.
The Portability Act was passed when genetic testing was just “a distant dream on the horizon of personalized medicine,” Pitts noted. “But today, that loophole has proven to be a cash cow.”
For instance, 23andMe has sold access to its database to at least 13 outside pharmaceutical firms. One buyer, Genentech, paid $10 million for the genetic profiles of people suffering from Parkinson’s disease.
Data in the wrong hands
“Customers are wrong to think their information is safely locked away. It’s not; it’s getting sold far and wide,” Pitts told us. Further, many testing firms that generally don’t sell patient information, such as Ambry and Invitae, give it away to public databases, he explained.
Such transfers leave a big gap in privacy protections. “Hacks are inevitable. Easily accessible, public genetic depositories are obvious targets.”
If genetic data does fall into the hands of “nefarious actors,” Pitts warned, “it’s relatively easy for them to de-anonymize it. New lab techniques can unearth genetic markers tied to specific, physical traits, such as eye or hair color. Sleuths can then cross-reference those traits against publicly-available demographic data to identify the donors.”
Lost in the fine print
Pitts says that direct-to-consumer testing companies have been less than forthright about these dangers, usually burying privacy disclaimers deep in their contracts and refusing to disclose how long they keep customer data or how it can be used. New research published in the journal Nature found that genetic-testing companies frequently fail to meet even basic international transparency standards.
While Pitts maintains that AncestryDNA “all but owns the data that customers submit,” an AncestryDNA spokeperson said, “Ancestry very clearly disclaims any ownership of our customers’ genetic information.”
AncestryDNA’s Privacy Statement describes user provided content as information individuals provide about themselves or other living individuals when they voluntarily contribute to Ancestry.com’s services. The section on Genetic Information states that DNA data is stored so that it is “available for future testing,” but that such testing may be done only if users agree to Informed Consent for Research or otherwise consent to future testing. The section also states that genetic information may be used for “conducting scientific, statistical, and historical research.” It further states that if requested, it will delete all genetic information that an individual has submitted within 30 days. Those who have agreed to the Informed Consent to Research will not be able to have genetic information removed from active or completed research projects but Ancestry states it would not use it for any new research projects.
23andMe customers, Pitts said, have to wade through pages of fine print before learning that their information may be “shared with research partners, including commercial partners.”
Meanwhile, Invitae’s privacy policy reveals that it may use patients’ “de-identified” data for “research and development” or “general research purposes.” And the company can share that data with third parties such as public databases, other laboratories and universities.
Further, federal genetic privacy laws do not apply to life, long-term care or disability insurers. These companies are legally permitted to access genetic testing data and charge people higher prices or deny coverage based on their findings, Pitts said.
Regulators enter the fray
Some legislators have recently raised concerns about the privacy implications of DNA testing. In November, Senate Democratic leader Chuck Schumer of New York called for increased federal scrutiny of consumer DNA testing companies and their privacy practices. While the FDA regulates consumer DNA tests related to health, Schumer wants the Federal Trade Commission to force testing firms to extract all of the buried fine print about how they might distribute DNA data and broadcast it loud and clear.
“I think if most people knew that this information could be sold to third parties, they would think twice,” Schumer said at a press conference last month. “The last gift any of us want to give away this holiday season is our most personal and sensitive information.”
The state of Minnesota is also exploring legislation around direct-to-consumer DNA testing. While genetic testing companies doing business in Minnesota are subject to the state’s existing consumer protection laws, it lacks an enforcement mechanism for such companies, legislators noted. Pitts testified before the Legislative Commission on Data Practices in December.
Minnesota is looking toward Alaska, which has a Genetic Privacy Act that the Electronic Privacy Information Center, a privacy advocacy organization, described as “exemplary” and “comprehensive.” The Alaska statute requires written informed consent for the collection, analysis, retention, or disclosure of DNA samples and test results. It also declares that a DNA sample and the results of any genomic analysis are the “exclusive property of the person sampled or analyzed.”
It comes down to trust and transparency
Pitts isn’t sold on regulation as the sole solution. “Honest, robust self-awareness is better than regulation,” he told us, adding that most DNA-testing companies have been “standoffish” in the face of regulation.
“These companies have to ramp up their awareness about government relations and overall be better partners in the genetic testing system,” Pitts said. “Trust and transparency” is at the heart of the issue, he continued. “There should be responsible parties on all sides of this conversation.”
For their part, the leading consumer genetic and personal genomic testing companies—23andMe, Ancestry, Helix, MyHeritage and Habit—joined the nonprofit Future of Privacy Forum to release Privacy Best Practices for Consumer Genetic Testing Services. They were joined by African Ancestry, FamilyTreeDNA and Living DNA in supporting the Best Practices as “a clear articulation of how leading firms can build trust with consumers.”
Some critics, however, have called out these best practices for being voluntary and for lacking restrictions on the use or release of de-identified data.
Both Ancestry and 23andMe have acknowledged the criticism that has come with more widespread use of their products. But the companies maintain that their customers understand the trade-offs and have the opportunity to opt out at any time.
Linda Avey, co-founder of 23andMe, concedes that nothing is foolproof. “It’s a fallacy to think that genomic data can be fully anonymized,” she told Undark, an independent digital magazine.
In short, it’s up to consumers to decide whether or not to use DNA-testing kits or similar services, but Pitts encouraged people to keep these acknowledged risks in mind when making their decision. “What you risk reveals what you value,” he concluded. “In the 21st century, we must learn to value our personal genetic code.
NOTE: This article was updated on 12/19/18 to include comments from an AncestryDNA spokesperson.