Michelle De Mooy
Much of modern technology is geared toward using data to hyper-personalize products and services, and direct-to-consumer genetic testing is a prime example. Individuals can use at-home kits to provide their DNA to private companies that offer services such as ancestry-mapping, identification of potential medical risks, meal-planning and customized skincare. As the market for these services soars and the technology improves, at-home genetic tests are getting cheaper, but the costs to individual privacy are arguably climbing.
While the ostensible purpose of most personal genomics companies is help the consumer understand their genetic profile, many companies use customer genetic information for internal research and product development. They also may make it available to external researchers, with a customer’s explicit informed consent, or be compelled by law enforcement to turn over consumer data. Genetic information can also be used to determine premiums for life, disability and long-term care insurance, and California officials were recently able to use this method to identify a suspect in the Golden State Killer case. Even a small amount of saliva can reveal a deep well of intimate and sensitive information about a person and their relatives, with potential consequences including implication in criminal proceedings.
While these genetic services undoubtedly provide value for consumers, companies and the scientific community, they mostly exist in an unregulated world. It’s not clear how much ownership consumers really have over their genetic data, which is governed mostly by broad privacy policies that allow companies to share and sell it in anonymized and aggregate form.
The data provided via the tests is only restricted by the Health Insurance Portability and Accountability Act if it is used or accessed by a covered entity such as a doctor, and the Genetic Information Nondiscrimination Act only protects genetic information in an employment or job applicant context.
In the absence of regulation, it falls to the consumer to read about and understand their rights, as well as the company’s internal data policies and practices, before purchasing a direct-to-consumer genetic testing product. Important questions include: Does the company retain genetic information after processing a sample, or do they delete it immediately thereafter? If not, can you request that it be deleted later? With whom is the company sharing aggregate genetic data and how can it ensure it remains de-identified? What is the company’s policy on law enforcement access to customer data?
Data security should also be a serious consideration for any current or would-be customers of genetic testing companies. After enormous data breaches of companies like Equifax and Yahoo!, the narrative that a company is breach-proof should carry little weight in 2018. Genetic data is a jackpot for hackers.
The use and application of biometric identifiers in commercial products and services is still in its early days, so a hacker armed with an individual’s immutable genetic profile may find a lifetime of opportunities for fraud. On top of this, anonymizing highly individual genetic data is somewhere between difficult and impossible. While a company may take extensive steps to protect customer’s data, complete anonymity is still largely unattainable.
Direct-to-consumer genetic testing exists in a space so novel that consumer protections and regulations are struggling to keep pace with technological advancements. While signing up for one of these services may be appealing, consumers should carefully consider the privacy risks related to sharing their genetic information.