Under the new guidelines, the companies said they would obtain consumers' “separate express consent” before turning over their individual genetic information to businesses and other third parties, including insurers. They also said they would disclose the number of law-enforcement requests they receive each year.
The new commitments come roughly three months after local investigators used a DNA-comparison service to track down a man police believed to be the Golden State Killer, who allegedly raped and killed dozens of women in California in the 1970s and 1980s. Investigators identified the suspect using a decades-old DNA sample obtained from the crime scene, which they uploaded to GEDmatch, a crowdsourced database of roughly a million distinct DNA sets shared by volunteers.
Investigators said they did not need a court order before using GEDmatch, sparking fresh fears that users’ biological data might be too easy to access — and could end up in the wrong hands — without additional regulation on the fast-growing, already popular industry.
Yet adherence to the rules is voluntary. While the policy offers users of participating sites added new protections at a time of great “uncertainty,” it doesn’t have the force of law, said Justin Brookman, the director of consumer privacy and technology policy at Consumers Union.
“In general, I think there should be stronger transparency requirements and legally binding rules for everyone around the transfer and use of super sensitive data like this,” he said.
Jules Polonetsky, the leader of the Future of Privacy Forum, a Washington D.C.-based nonprofit that helped companies draft the new privacy guidelines, said his organization’s work began months before the Golden State Killer incident. But he said hopes the blueprint can serve as a “first effort at showing the sector what the right way to handle some of these challenges is.”
"I don't think the average consumer has wrapped their head around the range of issues they should think about when they make a decision to share [DNA] data,” Polonetsky added.
Consumer DNA testing services have surged in popularity in recent years: One report from research firm Kalorama Information estimates the market could triple in value from $99 million to $310 million by 2022.
The growth has been spurred on by the federal government, which recently opened the door for 23andMe to sell consumers genetic tests that could be used to inform them of their likely risk for contracting certain diseases. And the industry has been supercharged with fresh investment amid heightened interest from academics and drugmakers who hope to tap DNA databases in search of new health insights and cures.
Last week, 23andMe announced it had struck a research deal with GlaxoSmithKline, which would see the pharmaceutical giant invest $300 million in the genomics company. As part of that pact, GlaxoSmithKline can access “de-identified” genetic data about 23andMe users — provided they’ve previously given their consent — so that the firm can “gather insights and discover novel drug targets driving disease progression,” the company said.
Under the “best practices” adopted by 23andMe and its peers, such sharing is permitted. GlaxoSmithKline is “not getting any direct access or receiving any sort of individual customer information,” said Kate Black, the global privacy officer for 23andMe, just insights about broad chunks of users and their medical traits. The DNA testing company also said it previously had asked users' permission to participate in research, and it estimates 80 percent of its users agree to take part in such studies.
Other companies — Helix, MyHeritage, Habit, African Ancestry and FamilyTreeDNA — pledged Tuesday to adopt a similar approach, the Future of Privacy Forum said. When it comes to health research, they said they would explain the “risks, benefits and purpose of the research” to consumers, while providing easy-to-read privacy policies, according to the new guidelines.
Customers of these DNA testing services would gain some limited rights to have their biological data deleted, but they may not be able to withdraw data that was already in use by researchers. Companies, meanwhile, would have to ensure the person submitting DNA data is the actual owner of that data.
“Because privacy is such a hot topic, and consumers are concerned about privacy, this is the equivalent of peer pressure,” said Elissa Levin, who leads policy and clinical services at Helix, a company that connects consumers with apps that analyze genome data. “I think it’ll really be an opportunity to start to have true clarity and transparency between the good players and the not-so-good players.”
Yet users still may not know everything. Under the industry-made rules, DNA testing services don’t have to tell their consumers every time their data has been stripped of their identity, combined with others' genetic information, combed for insights, then turned into statistics, and perhaps shared with a third party for further analysis.
While companies have said they will report each year on the law-enforcement requests they receive, users might not learn about the legal demands if investigators obtain gag orders. Companies like Ancestry and 23andMe have committed to “attempt to notify” their customers about such requests whenever they can. Moreover, the tool tapped by investigators in the Golden State Killer case, GEDmatch, is an open-source database that isn’t covered by the industry’s new best practices.
Those that promise to protect consumers' sensitive personal data — then fail to adhere to those promises — could invite penalties from the Federal Trade Commission.
“The FTC remains vigilant in protecting consumers’ privacy and security. If companies fail to keep their promises to consumers — whether they made those promises in website privacy policies or by signing onto industry best practices — they could be subject to FTC law enforcement action,” said spokeswoman Juliana Gruenwald Henderson.
A few companies already adhere to some of the new industry-made rules. Ancestry and 23andMe, for example, currently report to users the law enforcement requests they receive. In 2017, Ancestry received 34 valid law enforcement requests — all related to credit card or identity theft — and provided data in 31 cases. At 23andMe, the company received five requests but turned over user data on none of them.
Clarification: 23andMe said it has received five law enforcement requests during the company’s entire history, not just this year.