MORE FROM THE SERIES
DNA for Sale
Although Ancestry promises to safeguard its genetic DNA storehouse, can consumers trust that their personal information will remain private and secure? The company has a history of broken promises and security breaches.
Ancestry has a track record with customers and partners that suggests it may not follow through on promises, including protecting consumer privacy.
Ancestry.com sells DNA-testing kits with the promise of connecting people to their ethnic history. In person, company officials concede some limitations.
Ancestry’s main DNA research partner, Google’s Calico, discloses little about its work, and has been derided as vanity project for Silicon Valley billionaires wanting to extend their own lives.
Privacy experts want more federal regulation of the DNA-testing industry, but opponents warn that red tape could discourage development of genetic databases that could deliver cures.
Despite consumer unease about DNA privacy, Congress has made no moves up to update a 2008 law that only partially regulates how insurance companies and others can handle genetic information.
As Ancestry and other consumer testing companies build the world's biggest DNA databases, they will become increasing targets for law enforcement, undermining promises of privacy protection made by those companies.
Millions of people are doing it. They spit into tubes and get their DNA analyzed. Testing companies are mushrooming, selling products to screen for diseases, connect customers to lost relatives or entertain people with the possibility they share some Neanderthal DNA.
Equity firms are pouring fortunes into these companies, not just because of the testing kits they sell but the personal information they collect, which can be shared and monetized. It’s all happening amid a patchwork of laws and regulations that predate the growth of direct-to-consumer DNA testing.
“There is a wild-west aspect to all of this,” said Erin Murphy, a New York University law professor who specializes in genetics and is concerned about the privacy implications. Many people don’t realize that “it just takes one person in a family to reveal the genetic information of everyone in the family,” she said.
As companies such as Ancestry, 23andMe and Helix grow, some lawyers and privacy specialists are urging Congress and the Food and Drug Administration to provide more oversight of the industry, with stronger protections for customers. They argue that, without updated rules, consumers risk having their sensitive DNA information exploited over time by insurance companies, employees, forensics investigators and others.
But it’s a testy debate. Opponents of regulation say it could stifle the growth of DNA databases that could be used to research inherited diseases, and discourage consumers from participating in such testing.
“I am a former regulator, so I understand the value of regulation, but I also understand that regulation has unintended consequences,,” said Peter Pitts, a former associate commissioner of the Food and Drug Administration.
“This is a very important industry,” Pitts said. “Initially what I’d like to see is for these companies to step up to the plate and recognize there are a whole variety of issues and problems they need to address. If they don’t do that, then the government will step in.”
McClatchy this week published a multi-part series on Ancestry LLC. The Utah-based company has a loyal following of customers and a database of more than 9 million DNA samples. But it also has a history of backtracking on promises and overhyping its ability to analyze ethnicity.
Joel Winston, a privacy lawyer who has examined the legal rights of DNA-testing customers, said continuing revelations about Ancestry and other companies should prompt Congress to act. Lawmakers, he said, need to vest people with property rights over their DNA to prevent misuse of their most personal private possession.
Winston notes that Congress recently scrutinized Facebook for allowing a political data firm, Cambridge Analytica, to access data from 50 million customers. He argues that genetic material is a far more sensitive identifier than what Facebook has shared with its commercial partners.
“DNA is different than all the other data,” said Winston, founder of the Winston Law Firm in Pittsburgh. “And the fact you can just give it away by spitting in a tube and putting it in a package is simply amazing to me. Once it is gone, it is gone forever.”
Consumers of DNA tests enjoy some protections in federal law. In 2008, Congress enacted the Genetic Information Nondiscrimination Act (GINA), which prohibits employers and companies from using DNA data to deny employment or health insurance coverage. But the law doesn’t apply to companies selling life insurance and disability insurance, and has difficult enforcement provisions.
If a consumer were to file a discrimination lawsuit against a health insurer, for example, he or she would have to prove the insurer denied coverage based on DNA data, as opposed to other considerations, said Michael Malinowski, a law professor at Louisiana State University who specializes in genetics and biotechnology.
“GINA is great, but you still have to go though all this work to do a cause of action,” he said.
Ancestry and other DNA companies generally promise not to share customers’ DNA data with employers and insurance companies. Ancestry’s “terms and conditions” also allow customers to have their DNA data deleted and genetic sample destroyed, if they go through a two-step process of making that request.
Those terms and conditions amount to a binding legal contract, Winston said, and customers can litigate it if they suspect contract has been broken. But making such a case could be difficult, he said. Consumers, for example, have no way of knowing if Ancestry actually destroys their DNA samples, and the company won’t say where it stores them.
Issues of privacy and bioethics will multiply as DNA-testing customers move beyond mere family history analysis and expand their marketing of medical services, such as interpreting people’s propensities to certain diseases and health conditions.
23andMe, based in Mountain View, Calif., has been offering this DNA interpretation for a decade. Ancestry hasn’t yet branched into the medical market, but company leaders are considering it. “Health certainly represents a potential area for product development and product expansion,” said Eric Heath, Ancestry’s chief privacy officer.
Under current law, the Food and Drug Administration has authority to regulate companies selling medical devices, and in 2010, the FDA informed 23andMe that its medical screening services fell into that category. The agency was concerned both about the company’s testing accuracy and the chance that consumers might overreact if they received test results showing they had a high probability of developing a disease, such as breast cancer.
The FDA ruling tripped up 23andMe’s business model, forcing it to suspend medical screening in 2013. It resumed offering some screening in 2015, after convincing FDA it had developed methods for properly informing consumers of disease probabilities, and the margins of error.
Malinowski, the LSU law professor, said Congress clearly needs to vest FDA with more authority to regulate medical screening services as the industry grows and evolves.
“I share the 23andMe vision of people having control of their information and being able to get screened,” he said. “But to get there, we need the FDA. We need to get to a point where people using these services understand the concept of probabilities and not to jump to conclusions.”
Since Donald Trump became president, the FDA has eased off the restrictions of the Obama era, improving the prospects for DNA medical screening companies. In March, the agency gave approval to 23andMe to market a test analyzing whether consumers carry genes that put them at higher risk for breast and ovarian cancer. It marked the first time the FDA had allowed a U.S. company to market such a cancer-risk test directly to the public.
In the current Congress, Senate Minority Leader Chuck Schumer of New York has called on the Federal Trade Commission to investigate privacy policies of DNA testing companies. But neither the current House or Senate are expected to take up legislation on genetic testing, and prospects after the mid-term elections in November are also uncertain.
In the absence of federal action, some states are exploring their own laws. An initiative proposed for the November ballot, the California Consumer Privacy Act, would give consumers the ability to block companies from marketing their personal information.
The proposed law purposely exempts information that is shared in a de-identified form — stripped of names and other identifiers — in part to assist public research, said Alastair Mactaggart, campaign chairman.
That means the law may not affect companies such as Ancestry, which share de-identified data with research partners. But it would affect DNA testing companies if they decided at some point to start marketing raw consumer data to commercial partners, such as Facebook and Google have done.
Mactaggart said the initiative is a response to the rapid amassing of people’s data, which has been coupled with computer processing power and algorithms for nefarious purposes, such as Cambridge Analytica’s use of Facebook data.
“We are in a situation where technology is outpacing our ability to understand it initially,” he said. “So we need some laws to address that.”