THE SEARCH for the so-called Golden State Killer — who allegedly raped dozens of women and killed at least 12 people in the 1970s and 1980s — had hit a dead end when investigators decided to test DNA evidence from a crime scene against genetic data on GEDmatch, a website of volunteered samples. Eventually, this technique helped investigators close one of the most notorious cold cases in recent history — but it also raised important questions about the privacy rights of customers. How and when should genetic testing companies share data with third parties such as researchers, websites or law enforcement officials? And do companies have an obligation to inform users that their information has been shared?
These concerns were heard in the genetic-testing industry. A number of popular companies, including Ancestry and 23andMe, recently committed to a new set of best practices governing how and when they would collect, use and share customers’ DNA. Among these guidelines are promises that the firms would obtain “separate express consent” from users before sharing their genetic information, use robust information security and publicly disclose, at least annually, the number of law enforcement requests received.
Though the guidelines do not cover the aggregated data often used in medical research, they apply to riskier forms of genetic data-sharing: that of individual-level, identifiable information. Critics fear that, in the wrong hands, this data could be used to discriminate based on disease risk or medical conditions; reveal information about an entire family, including someone’s future children; and even prove infidelity and parentage without a person’s consent.
With these risks in mind, the new commitments are an important step toward transparency and security in an industry that has faced little oversight. Currently a patchwork of state and federal regulations governs consumer genetic testing. The most relevant federal laws in place are the Genetic Information Nondiscrimination Act, which prohibits employers and insurers from discriminating based on DNA data, and the Health Insurance Portability and Accountability Act, which shields information from genetic tests involving health-care providers. Neither of these laws comprehensively covers at-home genetic testing, resulting in privacy policies that vary dramatically by company. Common guidelines used by industry leaders can help set standards for the rest of the field.
But voluntary commitments from a handful of companies can only do so much, with at least 90 genetic testing providers operating in the United States. The Federal Trade Commission can penalize companies that fail to follow through on promises to consumers, but its broader authority to police the field is limited.
Congress should step in. Genetic-testing technology is progressing rapidly. The rules need to keep up. Even as companies strengthen their privacy policies, lawmakers should consider creating baseline security standards and disclosure requirements to ensure that consumers understand the risks and how their data can be used.