Consumer Genetic Testing: Beginning to Assess Privacy Practices

|

Genetics

Genetic testing is becoming more widely available to consumers; such testing can be an exciting new opportunity to help individuals flesh out family histories, discover cultural connections, and learn about their personal backgrounds.  The availability of low-cost genetic sequencing and analysis has led to numerous businesses offering a variety of services, including some that provide detailed health and wellness reports that explain how genetics can influence risks for certain diseases.  The enthusiastic public response demonstrates that there is great demand for this knowledge.

But, as with so many new technologies, this new data analysis also raises privacy questions.  DNA can be immensely revealing. And by its nature, DNA includes information about an individual’s close relatives – not just data about the person tested.  The broad US law protecting health privacy, HIPAA, only protects health information when handled by specific types of entities, such as health care providers or health insurers.  If your doctor orders a genetic test, all the providers involved are bound by HIPAA requirements.  But if you order a consumer genetic test on your own, those restrictions are not applicable.

To ensure that genetic information isn’t misused, Congress acted, providing protections in some areas.  The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits the use of genetic information to make health insurance and employment decisions.  GINA was a landmark when it passed, but it does not provide comprehensive protections.  For example, GINA does not apply to decisions about schools, mortgage lending, or housing. And it excludes other forms of insurance like life insurance, long-term care, and disability insurance, although some states do provide some additional protections in these areas.

Given the gaps in legal protection, it is particularly important that companies offering genetic testing to consumers provide rock solid, legally enforceable commitments to consumers that ensure their data won’t be used to harm them.  And consumers need to look for commitments by companies not to share genetic information without explicit permission, the ability to delete their information, and promises to only use the data for the expected purposes.  FPF has begun discussions with a number of consumer genetics companies and hopes to share best practices guidance in the upcoming months.

But before we begin, there are some useful lessons that FPF can share from our work in other sectors.  It’s useful to understand some of the language that is common to the legal construction of policies and terms of service, as well as the underling protections provided by federal and state consumer protection laws.

  1. Companies do not own your data when they claim a perpetual license to use your information. When you provide a company with data – whether that data is DNA, user comments, profile pictures, or other content that the company needs to hold and use to provide services – the company will often declare that it has a perpetual, royalty-free, worldwide license to use your information.  Corporate intellectual property lawyers insist on this language to give themselves the rights to use the data on an ongoing basis, subject to the restrictions they place on themselves – such restrictions can include commitments to only use data for the services described a company’s policies, and users’ right to demand deletion of the data.  Search the phrase “perpetual license,”  and you will find it in the policies of almost every online service that allows the submission of user content.  This does not mean the company owns your data and can use it for any purpose it pleases –companies typically cannot make a book out of your private photos or publish your DNA.  But several times a year, someone reads “perpetual license” and sounds an alarm that is picked up by the media.  The fact that reporters own publications have the same language in their online policies is typically not considered.  Often, a company will respond by making a cosmetic amendment to its terms, explaining that indeed it does not own consumers’ data.  This story is the Groundhog Day story of privacy.  In 2008, Google’s terms were debated. In 2011, Dropbox was critiqued. In 2012, Twitter and Facebook came under scrutiny. In 2015, it was Microsoft .  Last week, AncestryDNA was the latest company to encounter this flap and accordingly updated its terms to explain that it had never asserted legal ownership of consumers data.  Companies can get ahead of this issue by using clear terms from the outset.  Smart consumers and critics should recognize this legal language by now and appreciate that it does not grant a company  “ownership rights to user data.”  Look for the limitations on what a company can actually do or not do with the data and your rights to opt-in or out.
  2. All bets are not off when a company is sold. The Federal Trade Commission (FTC) has repeatedly made clear that it will hold a successor company responsible to use data only in ways compatible with the original privacy policy.  Back in the ToySmart case, where sensitive childrens’ data was involved, the FTC required that ToySmart’s buyer abide by the terms of the Toysmart privacy statement. If the buyer wanted to make changes to that policy, it could not change how the information previously collected by Toysmart was used, unless it provided notice to consumers and obtained their affirmative consent (“opt-in”) to the new uses. The FTC will surely hold companies that collect and process DNA to this standard
  3. Policies cannot be changed at any time. The FTC has been clear that material changes to consumer privacy policies can’t be made without first providing prominent notice to consumers and providing them with choices before data is used in any manner inconsistent with terms they were initially provided. So if a company holds sensitive data, it should not claim that it may change its policy at any time and immediately apply the new terms to data it previously collected.  If the change is material, a company may not apply it retroactively without consumers’ express, affirmative consent.

These are just some of the baseline issues that are worth understanding before beginning to think through the important commitments genetics companies can make to promote trust and responsible data use in this emerging industry.  Stay tuned for that effort!