You are more than a data point. The Opt Out is here to help you take your privacy back.
IN THE LAST DECADE, direct-to-consumer genetic tests like those from Ancestry.com and 23andMe have become ubiquitous in the US. These services cater to Americans looking for distant relatives, a missing piece of their history, or insight into their health. But if you can’t wait to swab your cheeks or spit into a plastic tube (or have done so already), you should know the privacy risks involved in putting your entire genome in the mail.
Maybe your information becomes a financial asset in a merger, or the service’s terms and conditions change without notice, or the company stores your biological sample in perpetuity. All of these scenarios might allow companies to handle and analyze your data in a way you haven’t consented to. This could be especially perilous if upcoming technologies and methods permit others to use your genome in currently unknown ways, creating problems we cannot even imagine.
The law is lacking
There’s a big difference between genetic testing in a medical setting (at places like a hospital, clinic, or doctor’s office) and at home. The first kind is protected by two powerful laws: the Health Insurance Portability and Accountability Act (HIPAA), which says Americans have to explicitly consent before their health data can be shared with third parties, and the Genetic Information Nondiscrimination Act (GINA), which protects against labor and insurance discrimination based on genetic data.
Unfortunately, these two pieces of legislation do not apply to direct-to-consumer genetic testing. The only government agency that has jurisdiction over this market is the Federal Trade Commission, which defends consumers against fraud and unfair practices and can penalize companies whenever they fail to fulfill promises to their customers. This entity does not, however, provide specific protections to consumers when it comes to the sharing of biological data, and it has jurisdiction only when companies do not fulfill an advertised promise for confidentiality or security.
Back in June, the FTC fined 1Health.io after it “deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.” The agency fined the $40 million San Francisco-based company the underwhelming amount of $75,000, which the FTC will use for customer refunds.
“[The FTC has] not been extremely aggressive in this area. They do have a fair amount of authority, but they haven’t exercised it as much as they could have,” says Christopher Slobogin, an expert in criminal law and procedure as well as a faculty member of the Center for Genetic Privacy and Identity in Community Settings (GetPreCiSe) at Vanderbilt University.
Multiple constraints and a lack of clarity and resources have forced the FTC to take a communication-driven approach, concentrating its efforts on issuing consumer bulletins and general guidelines for vendors and manufacturers of direct-to-consumer genetic tests, Slobogin says. As a result, companies are left to self-regulate, and the only documents governing the relationship between them and consumers are the privacy policies and terms and conditions set by the companies themselves. And there’s a whole bunch of problems with those.
At-home genetic testing companies’ terms of service are often lacking
In 2018, Slobogin and his former GetPreCiSe colleague, James Hazel, conducted a study that looked into the privacy policies of 90 US-based at-home genetic testing services and found several reasons to be concerned.
For starters, more than 40 percent either didn’t have readily accessible policies, or the ones they had governed the use of their website but didn’t address the handling, use, analysis, and storage of genetic information. This prevents users from making informed decisions before signing up for the service on the website or purchasing a test kit. Two-thirds of the companies in the study suggested they might make unilateral changes in their privacy policies, which they say they can do at any time. Most didn’t mention an obligation to notify customers of these edits, and instead indicated users should search for privacy policy adjustments on their own.
This unequivocally burdens users with the responsibility of staying up to date with the comings and goings of a specific company and its privacy policies. This is difficult not only because very few people read terms and conditions in the first place, let alone multiple times, but also because these documents are incredibly long and difficult to understand.
“Unfortunately, [reading terms and conditions] can be a real chore—they’re written by lawyers, for lawyers,” says Slobogin.
This gives companies the right to change the rules of the game whenever they want, without having to tell you about it. And that’s not all: Most companies (57 percent) provided only vague information about what exactly they share about you with processing labs, and only 39 percent said they made some effort to remove personal data to keep you as anonymous as possible before sending your biological data for analysis. The study was not precise as to whether this means biological markers in the sample, or identifying information on a sample’s label, for example.
By default, most companies keep your data (and sample) and share it
When you take an at-home genetic test, you can expect that the service will share and sell your genetic information with third parties like universities and other educational institutions, which will usually use the data for scientific research. Some companies don’t give users a choice in whom they share your data with, but others do. For example, GEDmatch and Family Tree DNA allow customers to opt in if they want to share their data with law enforcement, which could help solve violent crimes. It’s good that this isn’t the default for these companies, but the arrangement came only after the companies received consumer backlash for providing customer data to aid ongoing investigations. And unfortunately, opting out is not even an effective way to keep your genomic information away from the police, as they have been able to get their hands on the biodata of people who think they have opted out.
Be it for policing or research purposes, no company provided a full list of all the third parties it shared customer data with (anonymized or otherwise), and corporations were frequently vague or ambiguous regarding this point, GetPreCiSe’s 2018 study says. The situation is similar regarding the biological samples people send in for analysis.
A 2016 study published in the journal New Genetics and Society found that consumers expect at-home genetic testing companies to analyze their sample, share the results with them, and immediately destroy the sample afterward. Sadly, that’s not the usual procedure.
According to the GetPreCiSe study, only a few companies addressed the fate of customer samples in their privacy documents. Among those that did, most said they’d store them. That means these services could use future technologies to reanalyze samples, which could result in them getting more data about you. One of the biggest at-home genetic test companies in the US, 23andMe, will store your saliva for an indefinite time, but you can easily go into your account settings and tell the company to discard your biological sample.
Whether you agreed to let a company keep your sample (or forgot to opt out) or told it to destroy the sample after it sent you your report, it’s essential that you know what will happen to your biological material and biodata if the company you tested with goes bankrupt, merges with another, or is acquired by new owners. Unfortunately, only 36 percent of these services addressed this possibility in their terms of service, according to GetPreCiSe’s study. In those cases, the terms generally dictated that users’ biodata would be treated as financial assets and transferred to new ownership, and only half of the companies even considering this issue promised that the data would be bound to the same privacy practices in effect at the time of testing. This results in consumers having a total lack of control over their biological samples and their genetic data, which new companies could use at their discretion without having to notify them or get their consent. This is important because of the industry’s dynamism: Eight months after the study was conducted, six companies had shut down and three had either changed names or merged with others.
Should you take an at-home genetic test?
There are lots of reasons you might want to pick up a genetic test kit. A 2021 survey published in PLOS One that focused on ancestry and biological relationship tests found that motives vary widely—from mere curiosity and the desire for entertainment to the hope of filling in the gaps of family history. The latter is especially important among those who were adopted or have few living relatives. But to others, Slobogin says, these services often provide a cheaper alternative to more comprehensive medical testing, even though their quality and accuracy is debatable.
Whatever the reason, mailing a vial of your saliva is a personal decision, and only you can determine whether there’s enough potential value there to outweigh the risks. But the truth is that genetic data is extremely sensitive, and several studies have shown that anonymized information can be re-identified. That means that with the right resources and skills, someone could find your anonymized biodata in a raw dataset and trace it back to you, probably learning way more about you than you’d like a stranger to know.
Forgoing at-home genetic testing sounds like a good idea, mainly because it lacks the legal privacy protections you’d find for similar services performed in medical settings. But if you decide to go ahead and buy a kit, Slobogin says you should opt for one of the bigger brands that advertise confidentiality as a selling point. He explains that these companies usually have more comprehensive privacy policies and even provide policy summaries to consumers, which comes in handy when you’re trying to understand the terms and conditions.
Whatever company you choose, just make sure you’ll be able to ask it to delete your data and destroy your biological sample, and do so as soon as you’re done with the service. That’s the best chance you have of ensuring the only one with your sensitive biodata is you.