Anyone who has followed this blog for the past couple of years will know that I have written some harsh words for the recreational DNA industry, observing how these companies take consumers’ most private information for one reason and use it for other purposes, including milking corporate revenue from their vast DNA libraries.
One of my primary concerns is that, while DNA testing performed for medical reasons is protected by federal law, providing DNA to these consumer companies is not. In other words, many people believe that giving up their biological data to these companies is a private transaction with limits on data usage under HIPAA, and this is not true. Providing your DNA for some highly questionable weight loss benefit or to discover your grandmother’s place of birth is not a HIPAA-covered transaction, even if the private company sends you information that could be used as medical insight.
It is difficult to check on everything that may be happening to these oceans of DNA data collected over the years – especially now that private equity companies have started buying DNA repositories like Ancestry. But consumer protection publications analyze how the industry is treating the other consumer data collected by these businesses, and now we have a published example.
This year, Consumer Reports conducted a privacy study of 5 prominent consumer DNA testing companies, primarily examining how those companies treated consumers’ non-DNA collected information. Consumer Reports was not able to run blind tests on the treatment of DNA samples, so it examined what it could – the data collected at websites and by apps, and the data volunteered by consumers. CR found, “The companies’ services over-collect personal information about you and overshare some of your data with third parties. CR’s privacy experts say it’s unclear why collecting—and then sharing—much of this data is necessary to provide you the services they offer.”
Consumer Reports submitted dog blood and saliva to five of the leading recreational DNA testing companies, allowing the editors to open accounts and investigate how the data was used. (All of the DNA companies noted that the samples could not be accurately processed.) Consumer Reports ran tests of each DNA company app and analyzed network traffic while accessing websites of the services. CR used this data to evaluate whether the DNA companies’ behavior matched their privacy policies, finding that the DNA companies over-collected and over-shared non-DNA data from consumers and included potentially misleading, expansive permissions when consumers opt in to research.
The investigators wrote: “We found in our testing that these apps potentially collect more data than could be needed to deliver their core service. We also found through our privacy-policy analysis that when consumers opt into "research," many are providing third-party access not only to their DNA but also to other types of data the company has about you, which can include information about your relatives and family history. And we learned through both testing and privacy-policy review that all of these companies share non-DNA data that could potentially be used to target ads and develop data profiles on consumers, with few obvious tools to help users protect their privacy.”
Consumers who may expect such data sales elsewhere probably don’t anticipate blatant commercialism from sites actively seeking their DNA. Activity on these sites could reveal sensitive health conditions or other biological information that consumers do not expect to be shared with the highest bidders.