As the holidays approach, many may be considering gifting their loved ones DNA testing kits. However, we encourage you to learn more about the risk to you and your family’s data privacy when placing DNA gifts underneath the tree. These direct-to-consumer (DTC) genetic testing companies make promises about how your “privacy comes first,” but in fact are collecting considerable personal information, far beyond what is reasonably necessary to provide you with familial matches.
Non-DNA Personal Information
According to a 2022 article in Consumer Reports, Consumer Reports’ Digital Lab evaluated genealogy services 23andMe, Ancestry, CircleDNA, GenoPalate and MyHeritage and found that the companies were collecting more data from users than was needed to perform their ancestry services. These companies, like many others, over-collect personal information. Their privacy policies state that the companies share non-DNA data with third parties, including information such as your name, address and facts about your family and health that they require consumers to input to utilize their services. And while Consumer Reports states that these companies “do a relatively decent job of protecting your DNA data,” at least according to their privacy policies, the testing companies’ practices suggest that is not the case with non-DNA data.
First, many of these companies offer a choice to opt into “research.” Opting in allows the company not only to sell your de-identified DNA but also to release any other information you share or that the company collects about you. This can include self-reported health information and information about relatives. And although many opt into such research altruistically, hoping that they are “contribut[ing] to and accelerat[ing] scientific and medical discovery,” according to a vice president, deputy general counsel and privacy officer at 23andMe, the term “research” is used broadly by these companies. For example, internal product development falls under the category of research. Thus, consumers have to be vigilant in checking boxes when creating an account on these sites because they are “only one checkbox away from sharing sensitive information that they would rather keep private.”
Moreover, the companies do not just collect data about you from you, but they also employ data augmentation to collect information about you from third parties such as “newspapers, birth records, marriage records, third-party advertising companies, census records, immigration lists, and social media sites.” Some of these testing sites, like MyHeritage, also include catch-all language such as “and other records,” which could allow for collection of virtually any data about you from third parties.
It is also important to recognize that your DNA test results from these testing sites are not shielded by practices like “de-identifying” DNA data, nor are they protected by federal medical privacy laws, like the Health Insurance Portability and Accountability Act (HIPAA).
In a survey of DTC genetic testing companies, Consumer Reports found that 78% of companies employed broad data-sharing provisions in their terms and conditions which gave implied consent (through use of their platform) to allow the genealogy companies, without additional consent or opt-out options, to provide “de-identified” generic information to third parties. These DTC DNA testing kits purport to de-identify your biometric data, but what does de-identify even mean when it comes to DNA? “Biometric data, namely genetic information and health records, is innately identifiable.” Anonymizing DNA means stripping it “of most of its personally identifying information, such as dates, locations and demographics.” However, as technology advances, removing personally identifiable information is no longer enough to prevent re-identification. Through AI technology which can use algorithms and other publicly available information, including from social media, DNA can be narrowed to a small subset of individuals. Even personal data shared without a DNA profile attached to it is identifiable. When data is stripped of personally identifiable information, such as your name, phone number and email address, other demographic attributes such as your zip code, gender, number of children, number of cars or birth date can be used to re-identify you. In fact, according to a model proposed by Nature Communications, 99.98% of Americans could be accurately “re-identified in any dataset using [only] 15 demographic attributes.” For this reason, their model suggests that the practice of de-identification release-and-forget, like that employed by these genealogy websites, should give us pause as to how safe our personally identifiable information really is.
Even more problematic is that consumers cannot rely on health privacy statutes to protect them when these testing sites’ practices fail them. “Currently, no federal law directly addresses consumer privacy issues resulting from DTC genetic testing.” This includes the security provisions of HIPAA that address the confidentiality of health data which otherwise apply to genetic testing provided by healthcare providers. By contrast, the DTC genetic testing industry is largely self-regulated. And without regulations requiring the implementation of security measures and safeguards to protect data, these companies are vulnerable to data breaches.
Consumers may also be implicitly consenting to broad use of their data without their knowledge. In providing their DNA to these DTC testing companies, consumers are consenting, without notice, to use of personal data on behalf of blood relatives who may not even be aware that their relatives are using these services. Many consumers upload their DNA test results from sites like Ancestry and 23andMe to GEDmatch, which has a genealogical database of 1.4 million users and could therefore result in more matches than the testing company has in its own database. The website is free to use and advertises itself as a “DNA comparison and analysis website for people who have tested their autosomal DNA using a direct-to-consumer genetic testing company, such as 23andMe.” GEDmatch provides users with four options for use of their DNA data: private, opt-in opt-out, and research. The “private” option does not make your DNA profile available for comparison with others and will not identify any matches and is therefore unlikely to be selected by a user using this service. GEDmatch encourages the user to select the “opt-in” option, a term which is, in itself, misleading because it suggests that users need to select this option to opt into receiving comparison results when that is not the case. The opt-in and opt-out options are actually provided to consumers to ask whether their DNA profile can be shared with law enforcement officials. That’s right, consumers are not the only ones making use of this free service.
GEDmatch Pro has famously been used by criminal investigators to identify potential suspects. The “opt-in” option will compare your DNA profile with those uploaded by users of GEDmatch but will also compare it with profiles created by law enforcement officials to identify perpetrators of violent crimes. Users are also able to opt out of having their DNA profile compared with kits submitted by law enforcement and still benefit from comparison matches by selecting “opt-out.” It is likely, however, that a consumer quickly clicking through these questions to get to their matches is likely to read the options “opt-in” and “opt-out” as the difference between receiving comparison matches and not. In April 2018, criminal investigators in California were able to catch the “Golden State Killer” using genetic genealogy. Investigators uploaded the perpetrator’s DNA collected from crime scenes to GEDmatch to identify close relatives of the criminal which—combined with traditional genealogy records (like birth and marriage certificates and obituaries) and online information (such as from social media sites)—assisted investigators in creating a family tree to narrow down the perpetrator.
But, unlike the testing sites that “de-identify” your DNA, GEDmatch stores your raw data (DNA), personal information and genealogy data until a user specially requests that the data be erased. As with other sites that store personal data, users must beware of data breaches that could potentially leak stored private, personal data. In August 2020, a GEDmatch data breach resulted in the overriding of user settings and opted all DNA profiles into law enforcement matching, exposing over one million additional profiles, regardless of the user’s initial selections. Unlike other data breaches which may give third parties access to your email address or expose a password, both of which can be easily changed, release of your DNA profile is irreversible and irreconcilable. Exposed DNA affects not only yourself but also family members, yet the lack of regulation controlling genealogy databases gives them the freedom to police themselves.
While use of DTC DNA testing kits may seem like a conversation-starting holiday project, the dangers of using these data privacy-violating kits should not be overlooked. The harms are potentially far-reaching, extending not only to yourself but also your extended family with whom you share DNA. The lack of regulation and federal laws governing these DTC DNA kits should give consumers pause as to whether their data is actually safe from third party misuse. And remember, unlike your email address, you’re stuck with your DNA regardless of which third parties now have access to it. Lutzker & Lutzker will continue to monitor privacy concerns that are increasingly impacting every aspect of our daily living.