By Rachele Hendricks-Sturrup and Katelyn Ringrose
On Black Friday and Cyber Monday, millions of consumers will hurry to their nearest doorbuster sale or boot up their favorite sales portal to buy a price-slashed consumer genetic testing kit. Some genetic testing kits will be up to half off this year, and the market as a whole is projected to more than triple from a valuation of $99 million this past year to a projected $310 million in 2022.
Last year on Black Friday, AncestryDNA alone sold about 1.5 million testing kits. According to Wired, that means that consumers sent in around 2,000 gallons of saliva—enough spit to fill a modest above-ground swimming pool. Consumers are drawn to the tests for genealogical purposes, and new market offerings are being used as strategies to help raise consumer awareness of genetic health risks.
With that much genetic material changing hands, it is important for consumers to think carefully about which kit provider will prioritize consumer privacy. DNA contains deeply personal information that can be incredibly beneficial for consumers. But that same information may also be unexpected and unsettling, and it can reveal information about the test taker’s family members. It deserves a high standard of protection.
However, laws like the Health Insurance Portability and Accountability Act (HIPAA), the central U.S. health privacy law, do not apply to genetic information collected and housed by consumer genetic testing companies. Due to this regulatory gap, consumers should find out from the companies themselves, and prior to buying a test for themselves or a loved one, how the companies will protect and use the genetic data they provide and collect.
Here are five important questions consumers should ask before buying a genetic testing kit on Black Friday or Cyber Monday:
- Does the Company Ask for Your Consent Before Sharing Your Individual-Level Genetic Data with Third Parties? People choose to share their genetic data with third parties for a range of purposes (e.g., to participate in scientific research or connect with unknown biological relatives). However, genetic testing companies should never share your individual-level genetic data with third parties without your knowledge and consent, particularly with insurers, employers, and educational institutions.
- Do You Have the Ability to Delete Your Genetic Data and Destroy Your Biological Sample If You Choose? Companies may have default policies to destroy all samples once testing is completed, retain data or samples for only a finite period of time or in accordance with regulations, or retain data and samples indefinitely or until you close your account. Companies should be clear about their retention practices and offer prominent ways to delete your genetic data from their databases and destroy your biological sample.
- Does the Company Require a Valid Legal Process Before They Will Disclose Your Genetic Data to Law Enforcement? As we have seen in high-profile cases like the Golden State Killer, genetic data can be a powerful investigative tool for government. However, government access to your genetic data presents substantial privacy risks. Companies should require that government entities obtain valid legal process, like a warrant, subpoena, or a legal order before they disclose genetic data.
- What are the Company’s Notification Practices When it Comes to Conveying Material Changes to Their Privacy Policies? Companies may modify their privacy policies or statements occasionally, and sometimes they significantly change how genetic data is collected, used, and stored. But before changes are implemented, you should be notified and given an opportunity to review the changes to decide if you want to continue using the company’s services.
- Has the Company Committed to Strong Technical Data Security Practices? As more than 26 million individuals have had their DNA tested, the potential for hacking and data breaches is an increasing concern. Given the uniqueness of genetic data, companies should maintain a comprehensive security program through practices such as: secure storage of biological samples and genetic data, encryption, data-use agreements, contractual obligations, and accountability measures.
For consumers who are interested in learning more, the Future of Privacy Forum’s Privacy Best Practices for Consumer Genetic Testing Services set forth standards for the collection, use, and sharing of genetic data. The standards embrace express consent mechanisms for the transfer of data to third parties and have provisions restricting marketing based on genetic data, among other privacy-centric protections. Companies that currently support these best practices include: Ancestry, 23andMe, Helix, MyHeritage, Habit, African Ancestry, and Living DNA.
Before you buy a genetic test kit as a gift or for yourself for this holiday season, take a moment to consider how our genetic information shapes who we are… and whether you are dealing with a company that promises to protect it.