An estimated 26 million people have taken an at-home ancestry test, willingly giving up a sample of DNA in return for information about their ancestry or health. But advocates are concerned that consumers may not understand the data privacy implications. If you have taken or plan to take an at-home DNA test, do you know how your information is being used and stored? What happens if the company goes out of business, experiences a data breach, or if you want to get your data back? Take these steps to better protect yourself and your family if you choose to spit or swab for a DNA test.
Warning: Your DNA Data Is Most Likely Being Shared
The popularity of at-home DNA testing has brought incredible upsides. Aggregated and often anonymized DNA databases can help scientists learn more about various diseases and conditions in the hope of finding better treatments and cures, and law enforcement has successfully used consumer DNA databases to bring closure to unsolved crimes.
But if you plan on taking a DNA test, or even if you already took one, it’s wise to be aware of who will be able to see your results and in what format, and how it could impact you or your family—both now and in the future.
Case-in-point: It may come as a surprise to many at-home testers that DNA testing providers often sell DNA data to third parties or share it with law enforcement. Providers have reportedly shared anonymized DNA data with universities, pharmaceutical companies, and even consumer product companies. FamilyTreeDNA, one of the larger consumer genetic testing providers, has been criticized for failing to disclose that it was sharing DNA data with federal investigators working to solve violent crimes. (Incredibly, DNA databases have, in fact, helped solve decades-old cold cases.)
Most providers give users the option of whether to share their data or not. But experts worry that the lack of regulations governing direct-to-consumer genetic testing and the complexity of privacy policies and user preferences may be causing providers to use DNA data in ways that customers may not completely understand.
The Law May Not Fully Protect You—At Least Not Yet
Part of the problem is this: Direct-to-consumer DNA testing kits are a relatively new concept, and legal policies that govern the private use of consumer genetic data are still under development.
For example, a DNA sample taken by a doctor in his or her office is protected by the Health Insurance Portability and Accountability Act (HIPAA), which helps limit how DNA results can be shared. However, according to experts, genetic data that is generated outside of a doctor’s office, hospital, or other healthcare setting is likely not covered by HIPAA and may have a relatively low level of legal protection.
For its part, the Federal Trade Commission (FTC) has previously issued warnings to consumers about the privacy implications of at-home DNA test kits. In addition, the agency has issued security and privacy recommendations to the providers of such kits.
According to reports, the FTC is also investigating DNA test providers, including 23and Me and Ancestry.com, regarding their policies for handling personal and genetic data, and how they share that information with third parties.
DNA Databases Can Be a Target for Data Breaches
Experts believe that as DNA databases grow in size, they may represent an increasingly valuable target to potential hackers.
In fact, at least one such breach has already occurred.
DNA testing provider Vitagene exposed thousands of customer health records that included customers’ names, dates of birth, and gene-based health information, such as the likelihood of developing certain medical conditions.
Leaked genetic data could be used by malicious actors to try to blackmail individuals or to create a website where people pay for access to the leaked data, similar to online background searches.
In one of the worst outcomes, it could cause people to be genetically discriminated against by employers, insurance companies, or banks. The Genetic Information Nondiscrimination Act (GINA) prohibits employers and health insurance companies from discriminating against a person based on their genes, but GINA doesn’t apply to providers of life insurance, disability insurance, or long-term-care insurance.
Sharing Your DNA Means Sharing Your Family’s Information Too
The internet is rife with stories of families who unwittingly discovered long-hidden family secrets through DNA testing.
Perhaps one of the most important considerations of at-home genetic testing is that one individual’s decision to take a DNA test could affect close relatives as well. A person who decides to test and share their DNA has by default made a decision on behalf of their family members as well, including their parents, siblings, children, and even future children and future nieces and nephews.
Steps to Better Protect You and Your Loved Ones If You Decide to Take a DNA Test
There are ways that you can help better protect your privacy and that of your family, while also taking advantage of DNA testing’s benefits.
- Test with only reputable, trusted companies - Your choice of DNA testing company is perhaps the most important decision you can make with regard to protecting your privacy. Experts consider the more well-known testing companies to be a safer bet, perhaps because they are in the public spotlight and therefore have been driven to be more accountable. CNET has reviewed several at-home DNA testing providers, as has Wirecutter.
- Read the privacy policy and terms and conditions - Ensure that you know what your genetic information could be used for, whether it will be shared with third parties, and if so, whether shared information will include individual-level data or aggregate data, which is genetic information combined from a number of people. Consider that even if names have been removed from individual-level data, researchers have shown that in some cases a person can be identified based on DNA and some supporting information, such as a zip code or date of birth, which is sometimes still associated with anonymized DNA.
- Pay close attention to your selections during sign-up - After purchasing your DNA test, you will likely be asked to register your test kit and set up an account. This is when you will be given a number of privacy options. The website Innerbody walks through the privacy options of several popular DNA testing providers, and also provides links to the many providers’ privacy policies.
- Carefully consider whether or not to share your data for research - If you choose to give a DNA testing provider permission to share your data with other organizations, you can revoke that permission later. However, it may be difficult or impossible to delete your data from third parties that have already received it. Those third parties may also share your data with yet another company or research organization in the future.
- Consider delaying the decision to upload your DNA to third-party databases - One increasingly popular and relatively inexpensive option to get even more insights from your DNA test is to upload your genetic data to a third-party database such as GEDmatch for ancestry information, or Promethease for health and wellness information. While these databases can be excellent tools, especially for experienced users, they could expose you to increased privacy risk and are in some cases not user-friendly for novices.
- If you have already taken a DNA test, consider reviewing your privacy options - Even if you have already taken a DNA test, you can still read the privacy policy, review or change your sharing options, or even delete your data. Consumer Reports provides instructions for how you can delete your information from three of the larger direct-to-consumer DNA testing providers. Remember that once data has been shared for research or with other third parties, it likely can’t be entirely deleted. For example, research using your genetic data may already be in-progress or completed.
Working Towards More Comprehensive Consumer Privacy for DNA Testing
The non-profit The Future of Privacy Forum has collaborated with several leading providers of at-home DNA testing to create a set of best practices for consumer genetic testing services. The group is working on giving consumers better control over how their data is collected, accessed, corrected, used in research, and deleted.