Even if you haven’t sent a sample of your DNA to a company like 23andMe or Ancestry.com, you probably know someone — perhaps even a close relative — who has. At least 30 million consumers, looking to learn more about themselves and their biological relatives, have had their genetic code analyzed by one of these direct-to-consumer (or DTC) testing companies.
Either way, what you probably don’t know is that there are few rules about what those companies can do with the genetic data that emerges from their testing. That should alarm anyone concerned with keeping the highly sensitive details of their, or their family’s, genetic code private.
But it can, and should, be changed, as Consumer Reports has detailed in a new white paper. In fact, a handful of states already have laws on the books that could serve as models for effective federal legislation. Earlier this month, Florida passed a law prohibiting certain insurance companies from using genetic testing information in insurance underwriting decisions. And Consumer Reports is supporting legislation in California, SB 980, that would also extend important privacy protections to this data. To expand these protections nationwide, it’s important that consumers as well as lawmakers understand the causes and implications of the current legal and regulatory vacuum.
The problem emerges, in part, from the direct-to-consumer business model these companies use. In bypassing the healthcare providers who historically ordered up genetic testing for patients when deemed appropriate, these companies also bypass the fairly robust laws and regulations that currently protect the privacy of patients and patient information in a traditional medical context.
But there are few legal protections around data generated from DTC genetic testing, leaving these companies largely free to do what they want with the genetic data they generate. And too often, they do. According to a survey by researchers at Vanderbilt University, 71 percent of companies could use consumer information internally for purposes other than providing the results to consumers, including to develop new products and services.
In addition, it’s not hard to imagine how this sensitive data could be misused if disclosed inappropriately. In many states, a life insurance company might charge prohibitive prices, or deny coverage altogether, after spotting a potentially life-threatening mutation in a prospective customer’s genetic code. A long-term care provider might deny coverage based on DNA tests showing that an applicant has a greater-than-average likelihood of developing Alzheimer’s.
Even employers could potentially screen applicants based on genetic tests: Though the 2008 Genetic Information Nondiscrimination Act prohibits employment discrimination based on genetic information, the relevant provisions generally do not apply to employers with fewer than 15 employees.
What’s more, because close relatives share large portions of their DNA, it is possible to draw high-probability conclusions about a person’s genetic make-up by looking at that of their family members. In other words, your genetic code could be misused even if you never submit a sample to a DTC testing company. Most of these companies routinely ask customers to supply information about their family members; customers, hoping to learn as much as they can about their ancestry, often comply.
Data security, meanwhile, is a separate but equally troubling issue arising from the industry’s regulatory deficiencies. Few rules govern the collection, storage, and disposal of genetic data by DTC companies, which are not regulated under HIPAA, the law that protects the privacy and security of the health information you share with your doctors and insurance provider. As a result, your genetic privacy and that of your relatives could be vulnerable to a data breach, even if years have passed since you took a DTC test.
First, the law should make the results of DTC genetic tests private by default, and strictly limit the ways that DTC genetic test results may be used, such as forbidding the sale of the information without consent and preventing insurance companies’ access to the results.
Second, it should require additional safeguards to ensure that an individual’s choice to share their genetic information will not impute genetic data for blood relatives.
Third, it should require reasonable security practices to ensure sensitive genetic data is not vulnerable to unauthorized disclosure or breach.
Fourth, it should provide for sufficient enforcement of such laws to incentivize DTC genetic testing companies to comply, including a private right of action.
Finally, we encourage lawmakers to consider broadening the definition of “medical information” and related terms to ensure that DTC genetic testing is protected by state-based medical privacy laws.
In the meantime, think twice before sending a DNA testing kit to one of these companies. If you decide it’s worth the risk, consider not supplying any additional information about yourself or your family members. And consider not using your full legal name. Also, if you happen to be a resident of California, consider saying “no” to sharing your genetic information with third parties, as you have the right to do under the California Consumer Privacy Act.
And to help ensure a strong nationwide privacy standard for this data, please consider signing our petition.
Special thanks to Katie McInnis for drafting this article, which is based on the findings of Consumer Reports’ new white paper, Direct-to-Consumer Genetic Testing: The Law Must Protect Consumers’ Genetic Privacy.