23andMe, Ancestry, and Other DNA Testing Firms Promise Not to Share Data Without User Consent

Aug 1, 2018 15:30 EDT

There are always doubts over how a certain company is going to handle your private and sensitive data. These concerns get more serious when DNA testing services are involved as they are handling not just your names and addresses, but your sensitive genetic data.

In response to these concerns, 23andMe, Ancestry, MyHeritage, and other genetic testing companies have pledged to follow a voluntary set of guidelines. Under these guidelines, they would obtain "separate express consent" from their consumers before handing over their data to other businesses or third-party companies like insurers. These companies have also promised to publish annual transparency reports disclosing the number of data requests they receive from law enforcement each year.


"The consumer genetic and personal genomic testing industry is producing an unprecedented amount of Genetic Data," the policy framework called "Privacy Best Practices for Consumer Genetic Testing Services" reads [PDF]. "As the industry continues to expand and the technology becomes more accessible, it is vital that the industry acknowledges and addresses the risks posed to individual privacy when Genetic Data is generated in the consumer context."

Genetic Data is sensitive and may contain unexpected information

When someone signs up for a DNA testing service, they do so out of curiosity about their ancestry or to learn about their disposition to certain diseases. However, this data isn't only useful to Big Pharma, which could use it (with no monetary benefit to the person whose data is being used) for new drugs; it can also be used against the consumer if, for example, an insurance company gets its hands on this goldmine. Add in the hacking attempts and users are in for a number of troubles.

The problem for the consumer becomes serious when this data could be used by law enforcement. Earlier this year, police arrested a man suspected to be a serial killer by matching a decades-old DNA sample to data uploaded to GEDmatch without needing a court order. Because investigators claimed they did not need a court order before using the service, it raised concerns over law enforcement having uncontrolled access to genetic data without any oversight.

Even these new rules aren't mandatory. It is up to each company to follow them or choose not to do so. But if they do pledge to do so, these companies will notify consumers if law enforcement has requested their data. However, as The Washington Post pointed out, investigators can obtain gag orders to circumvent that.

While these guidelines are voluntary, the WaPo reports that if a DNA testing firm pledges to follow them and then fails to adhere to those promises, it could be penalized by the Federal Trade Commission. The agency "remains vigilant in protecting consumers’ privacy and security," Juliana Gruenwald Henderson, a spokesperson for the FTC, said.

"If companies fail to keep their promises to consumers - whether they made those promises in website privacy policies or by signing onto industry best practices - they could be subject to FTC law enforcement action."
