The privacy risks of at-home DNA tests


In exchange for your mailed sample of saliva, direct-to-consumer (DTC) genetic testing companies promise insights about your ancestry, your family connections and even your health. These widely used tests — from companies such as 23andMe and Ancestry — are advertised as a way to learn more about your family history, better understand your health and more. They’re often touted as thoughtful gifts, especially around the holidays.

But many people might not have a clear understanding of what happens to their personal genetic data after they mail a tube of spit to a private company for analysis. In a white paper published in July, Consumer Reports’ privacy experts argue that part of the reason for this uncertainty is a gap in the regulatory framework surrounding consumers’ genetic data privacy.


Right now, companies write their own privacy policies that consumers agree to when they buy a test. But few laws regulate what companies must do to keep your data private and secure.

“Ideally we’d like to see federal and state laws enacted that will empower consumers to control who has access to their genetic information,” says Justin Brookman, Consumer Reports’ director of privacy and technology policy.

Gaps in the law
A few existing laws regulate some aspects of genetic privacy.

The Genetic Information Nondiscrimination Act (GINA) prevents employers from discriminating against you on the basis of your genetic information. But it doesn’t say anything about what a third-party DTC genetic testing company can do with the information it collects about you.

Also, GINA’s protections apply only if a person is displaying no symptoms of their genetic condition, says Ellen Clayton, a professor of health policy at Vanderbilt University Medical Center in Nashville. If a person becomes symptomatic, GINA’s protections against discrimination no longer apply.


The Americans With Disabilities Act protects some people with genetic disorders, but generally only if those disorders cause significant limitations to daily life.

Under the Affordable Care Act (ACA), health insurance companies cannot refuse coverage or charge more for coverage based on a preexisting condition — a prohibition that applies to any condition discovered as the result of genetic testing, Clayton says.

The federal Health Insurance Portability and Accountability Act (HIPAA) applies to the results of genetic tests administered by your doctor or another health-care provider, but it doesn’t apply to DTC genetic testing companies.

Today, no federal law directly addresses consumer privacy issues resulting from DTC genetic testing.

That means the companies that provide these services have the freedom to control what happens to a consumer’s genetic information once they receive it, Brookman says.


In one 2018 study of DTC genetic testing companies’ privacy policies, Vanderbilt University researchers found that 71 percent of companies used consumer information internally for purposes other than providing the results to consumers. Sixty-two percent said they use data for internal research and development, while 78 percent said they provided genetic information to third parties in de-identified or aggregate forms without additional consumer consent.

There are also few laws regulating how consumers’ genetic data should be stored and protected by the companies that collect it, and genetic testing companies have experienced data breaches.

Existing rules aren't enough
Unlike your credit card number or your bank account password, if your genetic information is stolen or simply given away without your consent by a company that possesses it, it can’t be changed. And recent studies have found that it’s possible for people with nefarious intentions to re-identify individuals from supposedly de-identified genetic data.


So far, many of the harms of having part or all of your genome publicly available or in the hands of a thief are largely hypothetical. In part, that’s because the science of genetics is constantly evolving, says Michael Edge, an incoming assistant professor of biological sciences at the University of Southern California in Los Angeles and the author of one recent study on reidentification of genetic data. “The ground is moving in terms of what this genetic information tells you about a person,” he says.

Still, privacy experts say there are some concerns. One is that your genetic information could be used in underwriting insurance policies. It cannot be used for health insurance because of the ACA, but — except in Florida where this practice is now prohibited — it could theoretically be used to determine life, long-term care or disability insurance plans.

Your genetic information could also potentially be used against you in a court case. If you were to seek damages for a work-related injury, for example, a firm might try to use information from your genome to point to other potential causes for your symptoms. Law enforcement agencies have used genetic data to identify criminal suspects through their blood relatives. It’s even conceivable that sensitive information about your family or your health could be used in a blackmail scenario.


Those examples may sound extreme. But the bottom line, Brookman says, is that genetic information could reveal facts about you that you don’t want known. And right now, consumers don’t have many protections against that happening.

“An individual’s most personal information is still being bought, sold, and traded without clear understanding or consent,” Brookman says.

A final important consideration is that when your genetic data becomes public, it’s not only revealing information about you. It also reveals information about blood relatives, who may or may not even be aware that you opted to share your genome with a DTC testing company. Clayton at Vanderbilt recommends that consumers take this into consideration when deciding whether to use a DTC genetic testing product.

One flawed policy solution
To give consumers more control over their own personal data, some have proposed providing a property right for such data. In the context of genetic data, this would mean that you could be monetarily compensated for providing your genome to companies and researchers. But this solution has several problems.


One, Clayton says, is that it could be incredibly complex to implement on, for example, a scientific study that uses genetic data from 25,000 people.

Consumer Reports’ advocates are also concerned that such a policy would have outsized harms on people in low-income or marginalized communities, who could be coerced into giving up their genetic data in the face of an immediate need for cash.

“Privacy should be a right,” Brookman says. “We’re not allowed to sell away our right to speech or our right to vote.”

A better way
Consumer Reports advocates believe lawmakers should enact legislation that would make results from all genetic testing private by default. That would mean companies or other entities that collect consumer genetic information would face detailed requirements before they could release or sell that information.


CR advocates also say that laws should include safeguards that will ensure that an individual’s choice to share their genetic information will not compromise their privacy and that of their blood relatives. Such laws should also require strict safeguards against data theft, they say.

Some state laws are on the right track. Laws in Missouri and Illinois require that individuals specifically authorize any selling of their information, and stop genetic data from being used in insurance underwriting unless authorized by the individual. And a proposed law under consideration in California would enact similar protections.

Consumer Reports is calling on legislators to enact a strong privacy standard that would give consumers control of their genetic data. Meanwhile, if you’ve bought a DTC genetic test and are concerned about the safety of your information, CR’s guide to deleting genetic data is at