Lawmakers have recently started putting more scrutiny on the privacy practices implemented by at-home DNA testing companies, which is why three of their most famous representatives (23andMe, Ancestry, and Helix) decided to promote the industry the right way by forming a coalition around the best practices for handling sensitive genetic data.
Steve Haro, the newly appointed executive director of the coalition, stated, “Given the high focus that data privacy has currently in Congress, it was important for companies who are doing right by their customers on data privacy make their voice heard.”
He also said that the coalition would allow the at-home DNA testing industry to “let Congress know what the best practices are for protecting customers’ data and also to show their customers that they’re deserving of their trust.”
The government action comes as a result of the growing popularity of direct-to-customer DNA testing options among users who want to learn more about their genetic history and heritage, establish certain biological connections or discover predispositions for hereditary diseases and conditions. What the companies do with the collected DNA samples is also put under the microscope.
According to MIT Technology Review, as of January, over 26 million users have contributed their genetic material to databases owned by 23andMe, Ancestry, MyHeritage, and Family Tree DNA.
The privacy-related questions intensified after the serial killer and rapist known as the Golden State Killer was caught using a DNA database to identify his relatives. He was previously able to elude the pursuit for decades. The police also successfully identified numerous other suspects thanks to ancestry testing data. Following the capture of the Golden State Killer, the largest ancestry DNA testing companies stated that they would not hand over any user data without a warrant. However, privacy advocates still claim that more safeguards should have been implemented.
Vera Eidelman, an attorney on the American Civil Liberties Union’s Speech, Privacy, and Technology Project, stated that “Even if companies take these much-needed steps, the onus remains on government actors to protect our rights. We shouldn’t have to rely on changeable company policies to protect such private information.”
With that in mind, the companies started taking steps toward setting out their own best practices and staying ahead of any future regulations. In July 2018, 23andMe, Helix, and Ancestry teamed up and published a whitepaper on Privacy Best Practices for Consumer Genetic Testing Services.
Steve Haro said that “If Congress is going to codify anything around genetic data, this is what we want them to look to. In order to be a member of this coalition, your company has to adopt and adhere to these best practices. That is part of the bylaws.”
Needless to say, the issue caught the attention of Congress and Charles Schumer, Senate Minority Leader, called on the Federal Trade Commission back in 2017 to ensure the complete transparency of privacy policies implemented by commercial suppliers of DNA testing kits.
At the time, Schumer said that Congress neither wanted to impede research nor empower corporate entities to make quick money with the genetic material of its users. However, since the Genetic Information Nondiscrimination Act in 2008, Congress has not really acted on this issue. State lawmakers in California had a long debate about potential bills that would prevent corporate entities from sharing genetic data without permission and even talked about prohibiting life insurance companies from using it to determine coverage. The bill did not pass the committee, however.
John Verdi, the vice president of policy at the Future of Privacy Forum, would like to see the practices described in the whitepaper implemented within the industry. He stated, “I do think it’s incumbent on leaders in the industry, companies in the industry, policymakers, to ensure that individuals are educated about both the benefits and the risks in each of these circumstances.”
Eric Heath, Ancestry’s chief privacy officer, also called for federal legislation regarding data privacy and said, “Of course we would welcome comprehensive privacy legislation that would be preemptive in nature so that we could have a uniform set of rules to abide by.”
As different states start to pass their own laws, lawmakers are working on a privacy bill in Congress. Ancestry, the biggest provider of DNA tests and genealogical sources, is making preparations to comply with California’s new privacy law.
“When it comes to the federal government, we would like to see a harmonized approach and the purpose of the coalition is to make sure that as that harmonized approach is attempted that genetic data is understood and that our industry is understood and that we don’t get swept in with other industries or another context in a way that would negatively impact our business,” Heath said.
The companies also started boosting their lobbying presence so Ancestry already spent $50k, 23andMe is currently at $75k, and, and Helix spent $120k.
Katty Hibbs, chief legal and regulatory officer for 23andMe, said, “As the legislative interest has risen this year on both the federal and the state level, we all found ourselves getting questions from legislators and staffers. We’re forming the coalition in order to provide interested legislators as well as the public and press with a single voice on these issues because we do agree on the importance of these issues.”
Another issue DNA testing companies are currently facing is using the collected genetic specimens for research purposes. 23andMe requires explicit consent while the other two companies are using genetic material for health research without proactive consent.
23andMe is open to other similar companies joining the coalition if they find the best practices outlined in the whitepaper in accordance with their in-house policies. In other words, we could see a much larger Privacy Coalition in the future as well as the unification of privacy practices across the board.