Direct-to-consumer genetic testing companies are facing increased scrutiny over their privacy and data use practices, and with no federal privacy law, states are taking the lead.
California lawmakers on Monday passed what would be the most targeted privacy law to regulate direct-to-consumer testing companies, directing how they can use, sell, and share genetic information. That follows Florida, which this summer enacted a DNA privacy law blocking insurers from using test results from companies including 23andMe Inc. and Ancestry.com LLC.
These new measures may help ease privacy concerns from consumers who turn over their inherently identifiable genetic information. Without protections, attorneys and academics say, genetic data could be used in unforeseen ways.
“The concerns are that the information will be used against somebody to deny them some benefits or opportunities to which they would otherwise be entitled, or that there will be discrimination or stigmatization,” said Leslie Wolf, interim dean of Georgia State’s Law School. “People are also concerned that their data could be used in ways they didn’t anticipate, like for commercial purposes.”
Direct-to-consumer genetic testing tools at companies like 23andMe and Ancestry take people’s DNA and use it for a variety of applications, including identifying long-lost relatives and ethnic origin, as well as genetic predisposition for diseases such as breast cancer and Alzheimer’s.
The use of genetic testing companies has grown in recent years thanks to cheap tests and the willingness of users to turn over their information in exchange for important health metrics.
States Take Lead
23andMe sold 12 million kits through 2019 and Ancestry has over 18 million people in its DNA network, according to a company spokeswoman. 23andMe, founded in 2006, and Ancestry, founded in 1996, are generally regarded as industry leaders. Smaller players like Gene Food and DNAfit use data to provide customers with diets tied to their genetic profiles.
The recent push by state legislatures to regulate the direct-to-consumer market, however, has not been matched by federal legislation. Congress has yet to catch up to new technologies across the board, including comprehensive privacy legislation and measures to regulate facial recognition technology.
There are some federal laws that regulate genetic data, but those, including the Health Insurance Portability and Accountability Act and the Genetic Information Nondiscrimination Act, are tailored to the medical, insurance and employment contexts.
“If there’s no insurance involved, then HIPAA won’t govern the data,” said Sal Phillips, a privacy attorney with Polsinelli’s Chicago office. GINA, which bars the use of genetic information in health insurance and employment, doesn’t usually apply to data from direct-to-consumer companies because it falls outside these two categories, he said.
The new state laws could fill in some of those gaps.
“Direct-to-consumer genetic testing companies need consumer trust in order to succeed,” said Jacquie Haggarty, deputy general counsel and privacy officer at 23andMe.
While some states have passed legislation that prohibits discrimination based on genetic information, laws specifically aimed at genetic privacy remain rarer.
Some states, including Texas, Illinois, and Oklahoma, have laws that protect individuals from compelled disclosure of genetic information pursuant to a court order, such as a subpoena. And eight states, including Alaska and Massachusetts, allow consumers to recover statutory damages if their genetic data was improperly disclosed, Wolf wrote in a paper published last year.
Florida’s new genetic privacy law extends GINA protections to life- and long-term care insurance providers. California’s SB 980 bill, the Genetic Information Privacy Act, would go much further by addressing privacy concerns raised by direct-to-consumer companies in particular.
The bill would require these companies to obtain a consumer’s “express consent” before collecting, using, or disclosing his genetic data. This consent would cover storage of the data and use beyond the primary purpose of the testing service.
And customers would have to separately consent to each type of disclosure, said Justin Yedor, a data privacy attorney with McGuireWoods in Los Angeles, who noted that the bill would also give customers the right to request that companies destroy their biological samples.
Genetic testing companies Ancestry.com and 23andMe support the bill, as does a coalition of consumer groups and privacy advocates that includes Consumer Reports and the Future of Privacy Forum. California Gov. Gavin Newsom (D) hasn’t taken a position on the bill or said whether he will sign it into law.
Companies like 23andMe say they go to great lengths to protect the privacy and security of genetic information given to them by consumers. Informed consent is “fundamental” to the company’s research program, Haggarty said.
23andMe provides data tied to the genetic results to partners like GlaxoSmithKline in an effort to help drug development and medical treatment. This genetic data is de-identified and anonymized so it can’t be traced back to a specific individual, Haggarty said. “Third parties don’t have access to the database,” she said.
The company says it limits what information its teams can use to reduce any privacy and security risks. 23andMe’s own researchers who query DNA data don’t have access to a customer’s name, email, or any other information, Haggarty said. “We have policies to ensure that our researchers’ access is based on the principle of least privileged access,” she said.
Even though 23andMe and Ancestry have a good track record on privacy and transparency, the industry as a whole has some glaring issues, according to a 2018 study published in the Cornell Journal of Law and Public Policy. The study found that over 40% of the 90 companies studied had no readily accessible genetic data policy. Researchers James Hazel and Christopher Slobogin, both of Vanderbilt, found that industry leaders had the most comprehensive policies, but even these policies failed to give a specific list of the third parties with whom data would be shared.
“With a few exceptions, even policies that governed genetic data provided very little information regarding the collection and sharing of a consumer’s genetic data,” they wrote. “These results indicate that a typical consumer is likely not provided with sufficient information to make an informed decision regarding whether to undergo genetic testing with a particular [direct-to-consumer] company.”
The California bill is a good way to provide consumers with “common-sense baseline privacy protections” for their genetic data, said John Verdi, vice president of policy at the Future of Privacy Forum.
“Opt-in consent for processing genetic data, separate opt-in consents for any sharing of information, informed consent for health research, strong security practices, all those protections are in SB 980,” he said.
Opt-in programs, however, come with their own set of issues, attorneys said. Outside of the genetic field, consumers and companies have a direct relationship in which the rights of people are balanced against the rights of businesses. In genetics, however, one person’s data can reveal information about family members.
“How do you consent for your parents, siblings, future siblings, and offspring?” asked Kirk Nahra, co-chair of WilmerHale’s cybersecurity and privacy practice.
It’s important to strike a balance between privacy concerns and legitimate uses of genetic data, such as medical research, said Ellen Clayton, a law and health policy professor at Vanderbilt. While it’s difficult to give individuals “granular control” over every aspect of their personal data, they should be able to maintain personal privacy, she said.
“The idea of broad consent is problematic in and of itself,” said Clayton, who specializes in the intersection of law and genetics. “We have to think about what the downstream problems are going to be.”
It remains to be seen what effect the California bill would have on companies’ practices across state lines, said Yedor, the McGuireWoods attorney.
“This is just one law in one state,” Yedor said. “Are [direct-to-consumer companies] going to provide these rights strictly for Californians or are they going to extend them to all consumers regardless of jurisdiction?”