Privacy Concerns with Direct-to-Consumer Genetic Testing Services
- Joanna Zhao
- Jan 30, 2022
DNA sequencing technologies have been nearly perfected in forensic fields to identify criminals and sensationalized in pop culture by the Maury Show. With these advances in genetic sequencing technology, people are curious about how this technology can help them understand their personal genetic information. What is my ancestry? Am I genetically predisposed to develop any health conditions later on in life? Do I unknowingly carry any hereditary diseases? Direct-to-consumer genetic testing services provide users with personalized answers to such questions.
How do genetic testing services answer these questions from DNA? Though 99.9% of DNA between human beings is identical, the remaining 0.01% contains polymorphisms responsible for human genetic variation (Genetics vs. Genomics Fact Sheet, 2018). Most direct-to-consumer genetic testing services examine DNA regions that contain single nucleotide polymorphisms (SNPs)—differences in single nucleotide bases—that are useful in identifying ancestral origin (Sampson et al., 2011) and the likelihood of developing certain diseases (What Are Single Nucleotide Polymorphisms (SNPs)?, n.d.).
For the users of direct-to-consumer genetic testing services, the instructions are simple enough: purchase a kit for around $200, spit in a tube, register an account on the company’s website, ship the tube back to their laboratory, and wait. After a few weeks, consumers receive personalized reports detailing their ethnic origin calculated to tenths of a percent, relative risks in developing breast cancer or Parkinson’s disease, and distant cousins whose DNA sequences are also stored in the company’s database.
Wait…what database?
After testing is completed, saliva samples are kept in storage; genetic testing companies state that their customers’ genetic information is encrypted, but do not explicitly disclose the logistics of how the data is stored. Once users review the information they paid for, discomfort in knowing that the genetic testing companies continue to have access to their saliva samples—and consequently their DNA sequence in its entirety—may settle in. Though one can argue that privacy concerns over identifying information are as old as home addresses, social security numbers, or fingerprinting, DNA sequences are incomparable in that they can never be separated from the individual. Genetic material is unique—ingrained in every cell and left behind in flakes of dead skin or follicles from shed hair strands—and communicates an unprecedented amount of potentially sensitive information about individuals, such as heritable diseases, family ancestry, and even intergenerational trauma (Li, 2016).
With the storage of such sensitive information about their biology, health, and genetics, individuals expect protection and privacy. Usually, the Health Insurance Portability and Accountability Act (HIPAA) protects the confidentiality and privacy of individuals’ health information (Department of Health and Human Services, 2013). However, HIPAA explicitly pertains to covered entities of traditional healthcare providers and plans (Rights (OCR), 2015). Inconveniently for concerned customers, HIPAA’s list of covered entities excludes direct-to-consumer genetic testing services, necessitating separate laws to protect consumer information (Li, 2016).
One such law was recently passed in California. Governor Newsom approved the Genetic Information Privacy Act (GIPA), effective starting January 2022. GIPA’s primary purpose is to require genetic testing companies to provide full transparency over privacy and security practices and “obtain a consumer’s express consent for collection, use, or disclosure of the consumer’s genetic data” (Bill Text - SB-41 Privacy: Genetic Testing Companies., 2021). At surface level, GIPA does not seem to make any drastic changes to genetic testing companies’ privacy policies and practices, except providing an additional blanket of legally required security for consumers. Genetic testing companies already give customers legal ownership, management, and control over their genetic information—they have to. The Privacy Highlights outlined by 23andMe—one of the premier companies that sell direct-to-consumer genetic testing services—explicitly states that customer consent must be given before data is shared with any internal or external scientific research organizations, public databases, employers, or law enforcement and gives customers the right to opt out of use in future research at any time (23andMe, 2020). However, 23andMe fails to communicate that though customers may opt out of having their anonymized genetic information used in future research, those who have already given consent cannot prevent their sample from being used in research studies already underway nor retract it from third parties who have already received it (Brown, 2018). This omission may have been intentional: customers have higher chances of consenting if they are led to believe that their decision is fully revocable, and genetic testing companies benefit both from supporting internal research and selling to external research. If genetic testing companies are unable to prevent in-progress use, their Privacy Highlights should clarify the true extent to which customers can revoke consent.
With an emphasis on full transparency, GIPA may be the catalyst for genetic testing companies to make these much-needed amendments.
Another notable difference that GIPA makes in expanding customers’ rights is allowing customers to choose to delete additional information. Instead of only giving customers the option to discard their saliva after collection (Brodwin, 2018), GIPA would require companies to allow customers to have their genetic data deleted entirely (Bill Text - SB-41 Privacy: Genetic Testing Companies., 2021). Customers’ previous experiences with attempting to delete their genetic information from companies’ databases proved the process to be incredibly tedious, characterized by clueless customer service representatives and vague responses from genetic testing companies (Brown, 2018). GIPA may force genetic testing companies to facilitate these processes.
Accompanying complications arise from conflicts between GIPA and existing laboratory regulations. Deletion of genetic data shortly after genetic testing violates the Clinical Laboratory Improvement Amendments (CLIA), which require all records following a lab test to be preserved for at least two years (Brown, 2018). It is uncertain how GIPA and CLIA will coexist; CLIA regulations may simply require a two-year waiting period before customers can submit a request to erase their genetic information.
Still, most of the consumer rights given by GIPA seem obvious because not violating customers’ consent and protecting customers’ privacy are rudimentary business principles. A genetic testing company that openly defies such basic conduct and admits to sharing and selling genetic data without consent would receive zero business, get buried in legal fees, or quickly shut down.
Therefore, legal acts may be ineffective in diminishing the public’s privacy concerns in genetic testing services. Despite extensive Terms and Conditions and Privacy Statements, much of the suspicion towards direct-to-consumer genetic testing services likely originates from a more general mistrust towards governmental institutions or biotechnology companies in a surveillance capitalist society. Public suspicion stems from fears that seemingly omnipotent government agencies may take advantage of genetic testing companies’ extensive genetic databases, regardless of individuals’ rights to privacy, and that companies may prioritize profit over the interests of customers.
On the other hand, distrust towards biotechnology companies themselves may be more evidence based. 23andMe faced backlash in 2018 when they struck a deal with GlaxoSmithKline worth $300 million, which led many to believe that profitable deals with big pharma had always been 23andMe’s ulterior motive (Zhang, 2018). Pharmaceutical companies reap arguably greater benefits from collected genetic information than the individual customers themselves. Conducting genome-wide association studies highlights genetic traits related to health conditions, advancing research and drug development (23andMe, 2015). Additionally, identifying the frequency of certain genetic variants among the population assists decision-making. For example, if a gene polymorphism linked to a particular disease appears frequently in the genetic database, the disease’s cure would yield a promising profit margin. Thus, there is incentive for pharmaceutical companies to prioritize research regarding the disease and development of its cure.
One last aspect to consider is the digital nature of genetic databases. Genetic data being stored digitally carries privacy concerns that cannot be mitigated by law. In their Privacy Highlights, 23andMe states that digitally stored DNA sequences are secured with security certification and encryption, but admits that there is a possibility of a data breach where genetic data and user-reported identification may be obtained and used by digital thieves (23andMe, 2020). The mysterious permanence of digital data creates additional apprehension. Even if a customer opts to have their genetic data deleted, the novel privilege soon to be protected by GIPA, there is skepticism about whether “deleted” data is truly erased.
Genetic testing can answer several personal questions, offering customers both sobering predictions and fun facts for a relatively modest price. However, many questions concerning what is done—and what can be done—with customers’ DNA sequences remain unanswered. How will the Genetic Information Privacy Act expand customer control over their genetic information? Will the act improve anything at all? Is the possibility of a genetic database security breach an irrational fear or an inevitability? Is there a clandestine conspiratorial plot between direct-to-consumer genetic testing services, pharmaceutical companies, and the government? Like customers anticipating DNA test results, we will have to wait and see how the future unfolds in order to answer these questions. Unfortunately for us, it’s probably going to take longer than a few weeks.
References:
23andMe. (2015, January 12). Press Release—23andMe Media Center. https://mediacenter.23andme.com/press-releases/23andme-pfizer-research-platform
23andMe. (2020, October 30). DNA Genetic Testing & Analysis—23andMe. https://www.23andme.com/about/privacy/
About the 23andMe Health Service. (n.d.). 23andMe Customer Care. Retrieved December 7, 2021, from https://customercare.23andme.com/hc/en-us/articles/115013683107-About-the-23andMe-Health-Service
Bill Text—SB-41 Privacy: Genetic testing companies. (n.d.). Retrieved December 6, 2021, from https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220SB41
Bill Text—SB-41 Privacy: Genetic testing companies. (2021, October 7). https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220SB41
Brodwin, E. (2018, July 25). DNA-testing company 23andMe has signed a $300 million deal with a drug giant. Here’s how to delete your data if that freaks you out. Business Insider. https://www.businessinsider.com/dna-testing-delete-your-data-23andme-ancestry-2018-7
Brown, K. V. (2018, June 15). Deleting Your Online DNA Data Is Brutally Difficult. Bloomberg. https://www.bloomberg.com/news/articles/2018-06-15/deleting-your-online-dna-data-is-brutally-difficult
Genetics vs. Genomics Fact Sheet. (2018, September 7). Genome.Gov. https://www.genome.gov/about-genomics/fact-sheets/Genetics-vs-Genomics
Li, J. (2016). Genetic Information Privacy in the Age of Data-Driven Medicine.
Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule. (2013). Department of Health and Human Services.
Rights (OCR), O. for C. (2015, November 23). Covered Entities and Business Associates [Text]. HHS.Gov. https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
Sampson, J., Kidd, K. K., Kidd, J. R., & Zhao, H. (2011). Selecting SNPs to Identify Ancestry. Annals of Human Genetics, 75(4), 539–553. https://doi.org/10.1111/j.1469-1809.2011.00656.x
What are single nucleotide polymorphisms (SNPs)?: MedlinePlus Genetics. (n.d.). Retrieved December 6, 2021, from https://medlineplus.gov/genetics/understanding/genomicresearch/snp/
What Unexpected Things Might I Learn From 23andMe? (n.d.). 23andMe Customer Care. Retrieved December 6, 2021, from https://customercare.23andme.com/hc/en-us/articles/202907980-What-Unexpected-Things-Might-I-Learn-From-23andMe-
Zhang, S. (2018, July 27). Big Pharma Would Like Your DNA. The Atlantic. https://www.theatlantic.com/science/archive/2018/07/big-pharma-dna/566240/