Privacy and consumer genetic testing don’t always mix

For a few hundred dollars and a spit sample, you too could take a journey of genetic self-discovery. You may learn some things, but what are you giving away?

Today, hundreds of companies offer to analyze your DNA, or parts of it, to let you in on everything from your health risks and ancestry to more dubious traits like intelligence or athletic ability (SN: 5/26/18, p. 20). The direct-to-consumer market is “a bit of a wild ecosystem right now,” says Robert Green, a medical geneticist at Harvard Medical School who consults for the testing companies Helix and Veritas Genetics.

The results can be enlightening, or at least entertaining. But consumer genetic testing also comes with inherent risks, privacy loss being one of them. “It’s often the price you pay,” Green says.

Before you spit, it helps to know what you’re getting into. 23andMe “does a good job of disclosing all of the information” in the policies posted on its website, says Kayte Spector-Bagdady, a bioethicist at the University of Michigan in Ann Arbor. The same goes for a few other prominent companies. But that’s an exception, not a rule.

Genetic testing goes mainstream

This story is part of a multipart series on consumer genetic testing. See the whole series.

Many consumer genetic testing companies provide lengthy, yet vague, privacy statements written at a college reading level. That makes reading the fine print a slog and deters consumers from doing it. An analysis of the privacy policies of 30 consumer genetic testing companies found that most did not meet international transparency guidelines related to confidentiality, privacy and data use, public health researchers from the University of Wisconsin–Milwaukee reported in 2017 in Genetics in Medicine. And once you click “agree,” you consent to the company’s terms, even if the terms change down the line. And they often do.

After contracts are squared away, the real privacy risk for most people lies in ancestry testing, Spector-Bagdady says. Consumers often don’t realize that their genetic data could be combined with the personal information they share in surprising ways, unintentionally revealing more about themselves and unsuspecting family members. For instance, people conceived through anonymous sperm donation have tracked down their biological fathers through paternal relatives found via ancestry testing, even if the donors themselves haven’t had their DNA analyzed.  “That’s an actual risk. That happens,” she says. And if the data land on publicly available databases, access is wide open, which turned out to be a help in the recent arrest in the Golden State Killer case (SN Online: 4/29/18) and in a 1987 double murder in Washington (SN Online: 5/23/18).

Ancestry tests make up a large share of the millions of genetic testing kits sold. But genetic tests for health and disease risks are becoming increasingly popular. With your consent, testing companies can share your health data with researchers, conduct their own research or sell the data to drug and biotech companies. In 2015, for example, the biotech firm Genentech reportedly forked over millions of dollars to 23andMe for its customers’ DNA sequences. Those data are used for Parkinson’s disease research, according to Forbes.  

Massive databanks of DNA sequences are a boon to the scientific community, and partnerships like these may one day lead to new treatments for various diseases. “Direct-to-consumer genetic testing companies have led us kicking and screaming, to some degree, to the cusp of a world where genomics really can be integrated with the practice of medicine and really can benefit many, many people,” Green says. “I think we should be mindful of that.”

But sharing does bring risks. In the wake of breaches at athenahealth, Equifax and, more recently, Facebook (SN Online: 4/15/18), “there’s an ongoing, slow-motion realization that there are so many avenues where our privacy can be compromised,” Green says. That applies to genetic data, too. Before being shared with third parties, DNA sequences are usually stripped of personal information and encrypted, identifiable only by a bar code. Some scientists have warned, however, that it may be possible to hack and re-identify anonymized genetic data based on publicly available information. So far, those risks remain theoretical. Wide-scale invasions of genetic privacy aren’t yet happening, says Jessica L. Roberts, director of the Health Law & Policy Institute at the University of Houston.

Federal regulations are in place to protect genetic privacy, but their reach is limited. GINA, the Genetic Information Nondiscrimination Act, prevents employers and health insurance companies from using your genetic test results to discriminate against you. Loopholes in the law, however, allow providers of life, disability and long-term care insurance to deny service based on genetic test results. Testing positive for genetic variants tied to a higher risk for certain diseases could prevent you from getting insurance, even if you never develop the disease, Roberts warns.

Where federal laws fall short, state governments are stepping in to fill the gaps. California  and Alaska   have the strongest consumer genetic privacy protections. California’s law, CalGINA, expands the protections list to include housing, mortgage lending, education and public accommodations. The law also allows victims of genetic discrimination to seek unlimited monetary damages. As of May, 17 states have laws that go beyond GINA, to restrict the use of genetic information for determining life, disability or long-term care insurance.

Potential customers should “go in with eyes open,” Green says. That means shopping around, reading the fine print and being aware of how privacy risks may affect you, now and in the future.