Given that companies struggle to keep basic data like passwords and credit card details secure, can we really trust them with our most intimate information: our DNA? Sending a vial of your saliva to a genomics company means just that, and surprisingly, your data may not be as private as you expect.
Years ago, 23andme openly acknowledged that their true objective is not profit from selling DNA tests, but rather to gather vast amounts of personal data. According to their privacy policy, they reserve the right to use your data, without further consent, “as we reasonably believe is permitted by laws and regulations, including for marketing and advertising purposes,” and they may even “disclose it to law enforcement” if necessary.
By using their service, you agree to let them utilize your sensitive information to serve you surveys and to develop and enhance their own products. They also claim that they can share your personal data, without extra consent, if “the information has been anonymized or aggregated so that you cannot reasonably be identified as an individual.” But remember, it's *your DNA*. Your unique, personal data, even if your name isn't attached.
Ancestry.com follows a similar policy, allowing itself to use your data to market products to you, trace your relatives, and conduct internal research. They also state they will disclose your information to third parties in certain circumstances, for example “as necessary or appropriate to protect the rights, property, safety, confidentiality, or reputation of Ancestry, its Group Companies, or other Users (including outside your country of residence),” which sounds rather unsettling.
Helix's privacy policy outlines that your data will be shared with its partners, who handle the DNA-based wine subscriptions or weight loss coaching services that you signed up for. Helix keeps your data on file and provides the necessary results to each partner you authorize. This is convenient since you only pay for sequencing once, but it also means you need to be mindful of how each company uses your information.
For instance, Vinome will use your data and $30 to suggest wines they think suit your preferences. Their privacy policy states: “By submitting DNA to Vinome, you grant Vinome a perpetual, royalty-free, worldwide, transferable license to use your de-identified DNA and to use, host, sublicense and distribute the anonymous resulting analysis to the extent and in the form or context we deem appropriate on or through any media or medium and with any technology or devices now known or hereafter developed or discovered.”
DNAFit, which offers weight loss and strength training programs, explains that they “may disclose to third parties Aggregated Genetic and Self-Reported Information. If we use your information, we will take steps to protect your privacy by making this information non-identifiable. To achieve this, we will remove any identifying details such as your name and email address.”
In addition, these companies track other aspects of your information, like your web browsing behavior, responses to health-related questions, and your mailing address. Combining this data with the most private information stored in the nucleus of your cells doesn't seem very “non-identifiable” to me.
Your DNA is not entirely yours; it belongs to others too.
You inherit half of your DNA from each of your parents, and approximately a quarter from each of your grandparents. On average, you share half of your DNA with your siblings as well, meaning that every person in your family tree has some genetic link to you. So, if you buy your mother a DNA test to explore wine preferences, keep in mind that Helix, the data giant, now possesses half of your own genetic data.
This raises concerns about privacy, but it also unveils a vast realm of family history. Several personal genomics companies position themselves as tools for discovering distant relatives. However, as George Doe discovered, you may stumble upon unexpected revelations—like finding out your father had another child that no one knew about, and suddenly, your parents are facing divorce. Doe states that relative finders are essentially high-tech paternity tests, a point many don't consider when opting in to find family members.
What's Next?
Yesterday, Senator Chuck Schumer urged the Federal Trade Commission to carefully review the privacy policies of these companies and to establish measures ensuring consumers receive the privacy protections they believe they already have.
If you want to avoid giving these companies unrestricted access to your sensitive data, the smartest move might be to resist those tempting Cyber Monday deals, even though they are incredibly enticing. For instance, 23andme is offering its $199 test at half price if you purchase two; Helix is waiving its one-time $80 sequencing fee; and Ancestry is offering a $49 deal.
If you do decide to make a purchase—or if you've done so in the past—you can request to have your data deleted. Both Ancestry and 23andme allow you to download your raw data, so you can keep that while removing the official record from their system. Third-party services are available to analyze that data, but then you'll have to be cautious about their privacy practices.
Update 12/1/2017: A previous version of this post stated that 23andme would “happily” share your data with law enforcement “if asked.” We've updated the article to clarify that they will only release data if required by law. A spokesperson from 23andme has clarified: “We use all legal means to resist any and all law enforcement requests to protect our customers’ privacy. To date, we have successfully fought these requests and have not released any information to law enforcement.”
