What You Should Know Before You Gift Someone a DNA Test

Companies can’t even keep simple data like our passwords and credit card numbers safe, so should we trust them with our most personal data: our DNA? When you mail a tube of your spit to a personal genomics company, that’s exactly what you’re doing, and it turns out that data isn’t as private as you might have thought.

23andme admitted years ago that its real goal is not to make money selling DNA tests but to collect massive amounts of personal data. Their privacy policy states that they will use your information, without any further consent, “as we reasonably believe is permitted by laws and regulations, including for marketing and advertising purposes,” and that they will turn it over to law enforcement if required.

By using the service you also agree that you will let them use your most sensitive information to serve you questionnaires and to develop and improve their own products. They also say that they will share your sensitive information, without any additional consent, if “the information has been anonymized or aggregated so that you cannot reasonably be identified as an individual.” But it’s your DNA. It’s your personal information, unique to you, even if your name isn’t attached.

Ancestry.com’s policy is similar, granting itself permission to use your information to sell you things, find your relatives, and perform studies internally. They also note they will be happy to disclose your information to third parties for purposes including “as necessary or appropriate to protect the rights, property, safety, confidentiality, or reputation of Ancestry, its Group Companies, or other Users (including outside your country of residence),” which sounds absolutely chilling.

Helix’s privacy policy mentions that it will give your data to its partners. The partners are the ones who actually provide the DNA-based wine subscriptions or weight loss coaching or whatever it is you actually signed up for. Helix keeps your information on file, and hands out the relevant results to each partner that you authorize. That’s handy because you only have to pay for sequencing once, but it also means you have to worry about what each company is doing with your data.

For example, Vinome will take your data and your $30 to recommend wines they think you should buy. Their privacy policy says: “By submitting DNA to Vinome, you grant Vinome a perpetual, royalty-free, worldwide, transferable license to use your de-identified DNA and to use, host, sublicense and distribute the anonymous resulting analysis to the extent and in the form or context we deem appropriate on or through any media or medium and with any technology or devices now known or hereafter developed or discovered.”

DNAFit, which sells weight loss and strength training plans, states that they “may disclose to third parties Aggregated Genetic and Self-Reported Information. If we use your information we will take steps to protect your privacy by making this information non-identifiable. To do so, we will take out any details that could identify you with ease, such as name and email address.”

These companies also track other information about you, typically including web browsing habits, your answers to questions about your health, and your mailing address. That plus the most secret contents of the nucleus of your cells doesn’t sound very “non-identifiable” to me.

Your DNA Belongs to Other People Too

You share half your DNA with each of your parents, and likely a quarter with each of your grandparents. Siblings also have half your DNA on average, and everyone on your family tree has some relation to you. That means that if you buy your mom a DNA test to find wines she might like, data giant Helix now has half of your genome on file.

This is a concern for privacy, but it also opens up a huge can of family history worms. Many personal genomics services bill themselves as a way to find distant relatives. But you might also find, as George Doe did, that your dad had another son nobody knew about, and oh look now your parents are divorcing. Doe writes that relative finders are “essentially really advanced paternity tests” and that few people really think about that when they check the box that says they want to find relatives.

What Now?

Yesterday Senator Chuck Schumer called on the Federal Trade Commission to “take a serious look” at these companies’ privacy policies and come up with some way for consumers to get the privacy they probably assume they already have.

In the meantime, if you don’t want these companies to have unfettered access to your most personal data, your best bet is to not click those great Cyber Monday deals, which are admittedly looking pretty good right now. (23andme’s $199 test is half price if you buy two; Helix is waiving its one-time $80 sequencing fee; Ancestry is running a deal for $49.)

If you do buy one—or if you already have, in the past—you can ask to delete your data. Ancestry and 23andme both let you download your own raw data, so you can keep that while you delete the copy that’s officially on file. There are third-party companies that will analyze that file for you, but then you have to worry about their privacy policies.

Update 12/1/2017: A previous version of this post stated that 23andme will “happily” turn over your information to law enforcement “if asked.” We updated the piece to say that they will turn it over if required. A spokesperson from 23andme writes: “We use all legal measures to resist any and all law enforcement requests to protect the customer’s privacy. To date, we have successfully challenged these requests and have not released any information to law enforcement.”

https://vitals.lifehacker.com/what-you-should-know-before-you-gift-someone-a-dna-test-1820774515/amp