Read the Fine Print Before You Send Your Spit to 23andMe

Posted on Apr 7, 2016

Our genomic sequence constitutes the most sensitive and personal of information: uniquely identifying us, revealing our propensity to develop certain diseases and conditions, and exposing familial connections of close genetic relatives. In recent years, Big Data has taken firm hold in numerous sectors, revolutionizing the volume and velocity at which businesses can collect, curate, and use digital information. Consumers can track what they eat, their fertility, whether they are exercising, and how much they are sleeping. Combining these pieces of data with genomic and health information such as family history, health conditions, disease state, and demographic information constitutes a gold mine for scientific research.

23andMe capitalized on the quantified self movement and consumers’ effusive willingness to collect and share personal data, transforming it into a highly profitable venture. Within the past year, 23andMe rapidly reinvigorated its business model, introducing Food and Drug Administration-compliant Carrier Screening Reports as part of its new Personal Genome Service, introduced on online recruitment platform for disease specific research cohorts, and publicized multimillion dollar partnerships with pharmaceutical giants such as Genentech.

In numerous media interviews, 23andMe CEO and cofounder Anne Wojcicki beams with positivity about how this model will revolutionize health care; empowering consumers with an awareness of the secrets of their genome while accelerating the speed of research and drug discovery. As one article in theSan Francisco Chronicle characterized it, “23andMe wants to do for health what Google has done for the search: make massive quantities of information digital, accessible, and personal.” 23andMe made this vision a reality by digitalizing and compiling genotypic-phenotypic data into a searchable format for interested investigators to run queries in its Research Portal, an online searchable database of over genotyped individuals with more than 225 million phenotypic data points, including demographic, clinical information, and family history.

An exciting prospect for research scientists, but also attractive to many other business as well. The sheer amount of information 23andMe’s database makes it appealing to a number of external parties, including data brokers, the pharmaceutical industry, employers, health insurers, and law enforcement. Entities may want to use the data for predictive modeling and draw inferences to market a product, decide suitability for employment, deny life insurance coverage, or target suspects pursuant to a criminal investigation. These uses of the data pose significant informational risks: shame, embarrassment, discrimination, or being subjected to law enforcement investigations. Perhaps surprisingly, many of these secondary uses of the data are currently permitted by law.

Just how much information does 23andMe collect? Much more than consumers may imagine unless they read the fine print. Purchasing the test and submitting DNA creates a potentially indelible electronic record of your genomic sequence in 23andMe’s database, along with a composite mosaic of additional health, lifestyle, and consumer generated personal details. In addition to the information the consumer actively sends, 23andMe employs numerous techniques to collect and track additional details through social media, web beacons, and consumer IP addresses such as compiling personal photos, place of employment, a record of every website the consumer clicks on, and real time tracking of the consumer’s location.  23andMe uses this data internally for marketing purposes and shares the data for research if the consumer provides consent.

But- the fine print also contains a provision that permits 23andMe to unilaterally modify its privacy policy at any time, effectively changing current promised limitations. Wojcicki’s positive intentions aside, she is not the sole party controlling the data. If 23andMe follows in Google’s footsteps, then the private information may not stay private. Indeed, Google Ventures managing partner Bill Maris (a financial supporter of 23andMe) has dismissively challenged, “What are you worried about? Your genome isn’t really secret.” If 23andMe modifies its policy to widely sell consumer data without consent, the lightning nature of electronic data sharing means Pandora’s Box is open.

How is this possible? In addition to expediting the process for research, 23andMe also challenged the traditional regulatory and ethical requirements that ordinarily correspond to collecting and disseminating private genomic and health information. The massive paradigm shift to collecting genomic and health information in the commercial arena, as opposed to the health care setting, means the transaction may occur outside the scope of regulatory structures designed to ensure informed consent when subjects provide DNA and to protect health data privacy.

The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule does not apply to consumer curation of health data or any associated protections related to privacy, security, or minimizing access. Similarly, unless a commercial entity conducts research that is supported by a federal department or agency, such as NIH funding, regulations set forth in the Common Rule will not govern that entity’s practice. Even though 23andMe receives NIH funding, 23andMe currently asserts that its data-mining analysis does not constitute research on human subjects under the current version of the Common Rule because it de-identifies the data. This stance is significant because it means 23andMe believes any consent it obtains to retain, use, and share consumer data is not necessary for regulatory compliance, but rather constitutes a transactional courtesy.

The traditional informed consent dialogue intended as a means to convey risks and benefits shifts dramatically when the consent process occurs online via consumer interaction with a website clickwrap interface rather than a physical contact person from the research team. Clicking through to purchase the test constitutes an entangled package consisting of a service, agreeing to receive medical information, and research.Recent litigation over 23andMe’s model of presenting its terms reiterates that just because you don’t read the fine print does not mean you can claim those terms are unfair and erase your decision.

Consumers may be blinded by the genomic technological imperative to know and widely share their genetic profile or assuaged by notions of altruism highlighting their contribution to important scientific research. They may bypass reading the fine print, or alternatively, they may not fully appreciate the implications of the transaction. Read the policies closely, and read them carefully, to assess whether the benefits outweigh such looming informational risks.

Read more: