This story was originally published by Undark.
Late last month, Senate Minority Leader Chuck Schumer took a break from the tax bill debate to talk with reporters about genetics.
In a press conference, the New York senator criticized how direct-to-consumer genetic testing companies—outfits like 23andMe and AncestryDNA—discuss and handle users’ genetic information. “What those companies can do with all that data—your most sensitive and deepest info, your genetics—is not clear, and in some cases not fair and not right,” said Schumer.
“It shouldn’t be that they can sell it and the consumer doesn’t know,” he added.
Schumer called on the Federal Trade Commission to launch an investigation into genetic testing companies’ privacy and disclosure practices, though the commercial and regulatory tides seem—at least for now—to be going in the other direction. Discounted prices for 23andMe dropped below $50 earlier this year, and sales of AncestryDNA kits are breaking records: In the weekend after Thanksgiving, the company said it had sold about 1.5 million genetic tests. That’s more units than 23andMe sold in its first eight years on the market.
This spring, for the first time, the Food and Drug Administration approved an over-the-counter test that tells consumers their genetic risk for a variety of conditions, from Parkinson’s and Alzheimer’s to Celiac disease and numerous blood diseases. And a new FDA policy announced at the beginning of November is likely to allow a wave of new, health-oriented genetic screening products to enter the market.
The question looming over this exploding marketplace, of course, is whether consumer protections can keep up—and more pointedly, what fair, effective protections would even look like.
There’s a basic asymmetry at work in genetic testing: It takes just a few minutes to put some spit into a vial, sign a few disclosure forms, and pop your saliva in the mail. But that little bit of spit can yield volumes of deeply intimate data about your body. As Undark has reported in the past, that information can last for decades. It can be subpoenaed in court. It can be stolen. And it can be bundled and sold as a commodity.
And those data sales aren’t incidental: For direct-to-consumer companies, selling access to genetic information is a major source of profit. As a 23andMe board member told Fast Company in 2013, “The long game here is not to make money selling kits. … Once you have the data, [the company] does actually become the Google of personalized health care.”
To adapt an adage about Facebook, when you use a genetic kit test, you are not just the customer—you are also the product.
Unlike genetic data collected in a hospital, the information that direct-to-consumer tests gather about you is not subject to the Health Insurance Portability and Accountability Act, or HIPAA, which places restrictions on how health care providers can share information about patients. State laws offer some regulations, but they vary widely from state to state.
Do consumers actually realize any of this? It’s all laid out in disclosures and consent forms, of course. But those forms are lengthy and technical, and unless you’re a lawyer, they probably do not make much sense.
As a result, AncestryDNA’s 1.5 million new users might not realize that they have agreed to “grant AncestryDNA and the Ancestry Group Companies a royalty-free, worldwide, sublicensable, transferable license to host, transfer, process, analyze, distribute, and communicate your Genetic Information.”
Asked whether most customers actually understand that part of the agreement, Eric Heath, Ancestry’s chief privacy officer, told me in an email that the statement should be read in its full context—among other things, customers retain ownership rights to their genetic information, and they can delete it from company databases. Heath added that the company would soon be updating its official privacy statement and terms, as well as the company’s “customer-friendly Privacy Center.”
Genetic data can also be subject to the whims of the market. Family Tree DNA’s eight-page-long privacy policy informs users that if the company is sold or dismantled, “Personal Information including test results will, as a matter of course, be one of the transferred assets.”
Some companies make an effort to provide more straightforward, user-friendly pages explaining what happens to all that genetic data. “I think that currently 23andMe is the standard-bearer in terms of both transparency and disclosure,” said Kayte Spector-Bagdady, a bioethicist at the University of Michigan and a former associate director of the Presidential Commission for the Study of Bioethical Issues, echoing a point I heard from other experts. The company has a special page, with clear graphics and bright colors, that walks users through many of the ways their data will be used.
Still, as we talked, Spector-Bagdady started counting all the pages of forms that 23andMe customers have to wade through. According to her, this includes 12 pages for the privacy policy, plus five more for the consent form. A few more pages lay out the terms and conditions. “And they all need to be read in conjunction to fully understand the scope of each individual document,” Spector-Bagdady said. “Transparency, of course, is not the same thing as informed consent.”
Not everyone feels protective of their genetic data. “I think for a lot of people, they just don’t really care. They just don’t necessarily consider their genetic data something they need to watch out for,” said Linnea Laestadius, a professor at the University of Wisconsin–Milwaukee who specializes in intersections of public health and data. She pointed out that having massive pools of genetic data is also necessary for a lot of research. It can be a rewarding experience for people to contribute to that kind of work. “The only bad thing is if people are doing it without fully realizing what they’re signing up for.”
Caveat emptor, perhaps. Regardless, there are troubling privacy-related scenarios. One would be some kind of security breach, in which hackers take large amounts of genetic information from a company. Unlike a credit card number, you can’t change your genome after the data has been stolen. Privacy policies aren’t always very comforting on this score: Family Tree DNA, for example, only assures users that “we use commercially reasonable efforts to prevent this.”
Another long-standing fear is that insurance companies will use genetic information to assess risk and penalize people with certain high-risk genetic markers. While the Genetic Information Nondiscrimination Act of 2008 blocks much of that kind of behavior, it has gaps that consumers may not be aware of, especially with respect to life insurance.
And, finally, there are the questions—familiar from debates over internet privacy—of what exactly could happen when a handful of corporations, with limited public accountability, come to manage huge amounts of intensely personal, revealing data.
“We’ve had so many data breaches, and people just have this learned hopelessness about their ability to control their information,” said Pam Dixon, the founder and executive director of the World Privacy Forum, an advocacy organization. “So you get this sense of, ‘Oh well, my information is all over anyhow, so what difference does this make?’ Well, actually, this data is a little different.”
Privacy concerns affect different groups in different ways, too. “When it comes to communities of color, they’re disproportionately impacted by the lack of privacy, the lack of protection of their data,” said Christy Gamble, the director of health policy and legislative affairs for the Black Women’s Health Imperative. Gamble, who is working on a study of how communities of color perceive genetic privacy, expressed concern that long-standing fears about medical abuse, combined with concerns about privacy, may make it more challenging for people of color to take advantage of the benefits that these technologies offer.
Should the government take action on all of this? Will that simply involve pushing companies to make their practices clearer to consumers? Or does it require legislation that puts more restrictions on the sale of personal data?
Not everyone is convinced that the issue merits a significant government intervention. “We haven’t seen the harms come to fruition,” said Jennifer Wagner, a bioethicist at Geisinger Health System Research who has training in law and anthropology. If individuals want to give broad consent for the use of their data, Wagner added, “quite frankly, my personal opinion is that individuals should have the ability to do that, and that that’s not necessarily something that we need to be overly paternalistic about.”
Other scholars are more concerned—and more interested in regulatory remedies. “The problem Senator Schumer highlights is a very real problem, but it is not limited to direct-to-consumer genetic data,” wrote Barbara Evans, a scholar of biotechnology and law at the University of Houston, in an email to me. “It also affects, for example, data about your health that FDA-approved medical devices beam back to the device manufacturer, personal data stored by companies that sell fitness tracking devices or at-home sensors, personal data held by non-HIPAA-covered research laboratories and health IT providers, and many others.”
Few people question the idea that massive stores of genetic data have the potential to help scientists tackle all sorts of diseases. As these stores grow, after all, so too does the ability for researchers to spot telling patterns that would otherwise remain hidden in the tangled code of the genome. But that promise comes with sobering questions rooted very much in the here and now, and in the lives of ordinary consumers who may or may not know precisely what they are signing up for.
What does it even mean to give informed consent, for example, when your genetic contribution becomes part of a research continuum stretching far into the future? “It’s like an experiment, in that we learn more about genetics every day,” said George Annas, a legal scholar and bioethicist at Boston University who is known for his work on informed consent. “And so your consent is going to be more complicated tomorrow than it is today, just because there’s more known about genetics.”
When I brought this issue up with Spector-Bagdady, the Michigan bioethicist, she told me a story. In the 1980s, sperm donors would often sign consent forms that, among other things, promised them perpetual anonymity: They would give sperm, the sperm bank would seal their information, and their offspring would never be able to track them down.
A few decades later, genetic ancestry tests began to hit the market, and people started using them to find long-lost relatives. Any sperm donor, of course, could choose not to take the test. But as long as one of his known biological relatives (a sibling, a child) took the test, his sperm bank–conceived offspring could discover the connection.
The consent forms in the 1980s weren’t wrong, exactly—indeed, they were “very honest at the time,” Spector-Bagdady said. They just couldn’t predict the future, so that just a few decades later, informed consent “has been rendered void by the advancement of science.”
