Your Genetic Data Isn't Safe
CR says better protections are needed for the intimate data you share when you take a direct-to-consumer genetic test
In exchange for your mailed sample of saliva, direct-to-consumer (DTC) genetic testing companies promise insights about your ancestry, your family connections, and even your health. These widely used tests—from companies such as 23andMe and Ancestry—are advertised as a way to learn more about your family history, better understand your health, and more. They’re often touted as thoughtful gifts, especially around the holidays.
But many people might not have a clear understanding of what happens to their personal genetic data after they mail a tube of spit to a private company for analysis. In a new white paper (PDF) published today, Consumer Reports’ privacy experts argue that part of the reason for this uncertainty is a gap in the regulatory framework surrounding consumers’ genetic data privacy.
Right now, companies write their own privacy policies that consumers agree to when they buy a test. But few laws regulate what companies must do to keep your data private and secure.
“Ideally we’d like to see federal and state laws enacted that will empower consumers to control who has access to their genetic information,” says Justin Brookman, Consumer Reports’ director of privacy and technology policy.
The Gaps in the Law
A few existing laws regulate some aspects of genetic privacy.
The Genetic Information Nondiscrimination Act (GINA) prevents employers from discriminating against you on the basis of your genetic information. But it doesn’t say anything about what a third-party DTC genetic testing company can do with the information it collects about you.
Why Existing Rules Are Not Enough
Unlike your credit card number or your bank account password, if your genetic information is stolen or simply given away without your consent by a company that possesses it, it can’t be changed. And recent studies of sites (PDF) such as GEDmatch (where users can publicly post their genetic data) have found that it’s possible for people with nefarious intentions to reidentify individuals from supposedly de-identified genetic data.
So far, many of the harms of having part or all of your genome publicly available or in the hands of a thief are largely hypothetical. In part, that’s because the science of genetics is constantly evolving, says Michael Edge, Ph.D., an incoming assistant professor of biological sciences at the University of Southern California in Los Angeles and the author of one recent study on reidentification of genetic data. “The ground is moving in terms of what this genetic information tells you about a person,” he says.
Still, privacy experts say there are some key concerns. One is that your genetic information could be used in underwriting insurance policies. It can’t be used for health insurance, thanks to the ACA, but—except in Florida where this practice was recently prohibited—it could theoretically be used to determine life, long-term care, or disability insurance plans.
Your genetic information could also potentially be used against you in a court case. If you were to seek damages for a work-related injury, for example, a company might try to use information from your genome to point to potential other causes for your symptoms. Law enforcement agencies have used genetic data to identify criminal suspects through their blood relatives. It’s even conceivable that sensitive information about your family or your health could be used in a blackmail scenario.
Those examples may sound extreme. But the bottom line, Brookman says, is that genetic information could reveal facts about you that you don’t want known. And right now, consumers don’t have many protections against that happening. “An individual’s most personal information is still being bought, sold, and traded without clear understanding or consent,” Brookman says.
A final important consideration is that when your genetic data becomes public, it’s not only revealing information about you. It also reveals information about blood relatives, who may or may not even be aware that you opted to share your genome with a DTC testing company. Clayton at Vanderbilt recommends that consumers take this into consideration when deciding whether to use a DTC genetic testing product.
One Flawed Policy Solution
To give consumers more control over their own personal data, some—such as computer scientist Jaron Lanier and 2020 Democratic presidential candidate Andrew Yang—have proposed providing a property right for such data. In the context of genetic data, this would mean that you could be monetarily compensated for providing your genome to companies and researchers. But there are several problems with this solution.
One, Clayton says, is that it could be incredibly complex to implement. Imagine, for example, a scientific study that uses genetic data from 25,000 people. Scientists regularly compensate research subjects for their participation. But if the result of the study was some new product, such as a drug, would each of the 25,000 study participants be entitled to royalties from of the sales of the product? The difficulties mount quickly under such a policy, according to Clayton.
And the policy could have other unintended consequences. Consumer Reports’ advocates are concerned that such a policy would have outsized harms on low-income or marginalized communities, who could be targeted for mining of valuable genetic information. People could be coerced into giving up their genetic data, in the face of an immediate need for cash.
“Privacy should be a right,” Brookman says. “We’re not allowed to sell away our right to speech or our right to vote.”
A Better Way to Protect Genetic Privacy
Consumer Reports believes lawmakers should enact legislation that would make results from all genetic testing private by default.
That would mean companies or other entities that collect consumer genetic information would face detailed requirements before they could release or sell that information. And CR advocates say that laws should include safeguards that will ensure that an individual’s choice to share their genetic information will not compromise their privacy and that of their blood relatives. Such laws should also require strict safeguards against data theft, they say.
Some state laws are on the right track—those in Missouri and Illinois require that individuals specifically authorize any selling of their information. These laws also stop genetic data from being used in insurance underwriting unless authorized by the individual.
A proposed law under consideration in California would enact similar protections, limiting the sharing of genetic data with insurers and employers and requiring consumer consent before genetic data could be shared with any third parties.
Consumer Reports is calling on legislators to enact a strong privacy standard that would give consumers control of their genetic data. In the meantime, if you’ve purchased a DTC genetic test and are concerned about the safety of your information, check our guide to deleting genetic data.