Genetic testing firms share your DNA data more than you think

Genetic testing companies that trace customers' ancestry are amassing huge databases of DNA information, and some are sharing access with law enforcement, drug makers and app developers.

Why it matters: At-home DNA testing kits are soaring in popularity, but many consumers who take the tests to learn more about their family trees may not realize how that data is being shared for other purposes.

The big picture: What started out as a novelty for genealogists has gone mainstream. There are now more than 50 DNA-testing kit services on the market, estimates Carson Martinez, a health policy fellow at the Future of Privacy Forum.

• MIT Technology Review predicts more than 100 million people may be part of commercial genetic databases within the next two years.
• Amid controversies over internet companies' collection of personal data, millions are paying to hand over DNA samples to a largely unregulated industry.
• Some worry law enforcement, employers or insurance companies could end up using that DNA information against them.

Driving the news: This month FamilyTreeDNA came under fire for voluntarily giving the FBI routine access to its database of more than 1 million users' data, allowing agents to test DNA samples from crime scenes against customers' genetic information to look for family matches.

• FamilyTreeDNA apologized for not disclosing the agreement to consumers. The company told the NYT that users can disable the "matching" option to prevent their data from being visible. Ancestry.com and 23andMe say they require a warrant or subpoena before they consider turning over data to law enforcement.
• It's not the first time genetic data has been used in cold cases. To catch the Golden State Killer last year, police detectives compared crime scene DNA against publicly available genetic data to identify the suspect.

Drugmakers also want access. Ancestry.com and 23andMe — the largest companies that, combined, have DNA data of 15 million users — both share anonymized genetic data with outside researchers and companies.

• Last summer, 23andMe struck a drug-development deal with GlaxoSmithKline, and it's working on developing its own line of drug treatments.
• Ancestry has worked with Google spinoff Calico to study human longevity.
• The companies say they obtain customers' "informed consent" — or explicit permission — before DNA is used in scientific or medical research.
• Kathy Hibbs, 23andMe's chief legal and regulatory officer, said that assembling large aggregated datasets of human DNA can speed up drug development. The company says 80% of its customers opt in to research programs.

"It's not individual data that's interesting for research — it's the ability to look at large groups of people to see what's unique. It's the aggregate data, not individual data, that's meaningful."

A firm called Helix acts like an "app store" platform that gives third-party software developers access to parts of customers' DNA data for apps and personalized services that consumers opt into separately. Helix has partnerships with around 25 companies. Fitness and wellness apps are among the most popular, said Elissa Levin, Helix's senior director of clinical affairs and policy.

• For example, weight-loss app Lose It integrates genetic information to tailor diet and exercise recommendations.
• Helix analysts work closely with third parties to provide privacy guidelines, but does not dictate their policies, Levin said.

Personal DNA tests are used to help predict genetic risk factors for health complications. 23andMe offers FDA-approved genetic risk reports for inherited breast cancer and colorectal cancer.

• The results may allow customers to manage their own health, but can also lead to revelations that are surprising or alarming.
• "We're encouraging companies to provide education to consumers about the risks and benefits and unintended consequences of the results," said John Verdi of the Future of Privacy Forum.

Reality check: Commercial DNA-testing services aren't specifically covered by federal privacy rules, such as HIPAA, because they aren't health providers or insurers.

• They are subject to the FTC's protections around privacy disclosures, as well as some FDA standards for how data is used in drug and medical device research.
• But protections can get murky when genomic data is used for human-subject medical research or for treatment, says Pamela Hepp, a health care attorney at Buchanan Ingersoll & Rooney specializing in data privacy.

• For example, research using de-identified data in a clinical setting may not require participants' consent. But DNA data that is unique is arguably not capable of being fully de-identified and would still be personally identifiable, Hepp said. So use of such data — even if all identifying information is removed — may require consent, and it may even become part of your medical record.

Last year, the Future of Privacy Forum worked with 8 leading DNA testing companies, including 23andMe, Ancestry and Helix, to establish best (but voluntary) practices for data use and security — as well as restrictions on marketing based on DNA data and allowing consumers to delete their data.

• Yes, but: "Even if a consumer deletes their DNA information, that is only effective if the DNA hasn't already been shared," Hepp said. "This is new territory."
• Also, "subsequent researchers may want to use genetic data for future investigations, making it difficult to keep participants abreast of the various uses of their genetic data," according to a paper published in the Mayo Clinic Proceedings journal last summer.

The DNA services have grown popular without most consumers realizing that their data could be used for purposes other than genealogy, such as forensics, said Benjamin Berkman, a bioethicist at the National Institutes of Health, who wrote about ethical issues of using genealogy data to solve crimes in the Annals of Internal Medicine.

• Not so long ago, serious concerns were raised about genetic research because of fears about potential discrimination by insurance companies and employers. In 2009, the Genetic Information Nondiscrimination Act outlawed discrimination on the basis of genetic information.
• "There's still a lot of evidence that people are concerned about those things," Berkman said. "But we are gradually moving away from the hyper-sensitivity to the private nature of genomic data."

The bottom line: Read the fine print before uploading your genetic data, Berkman said, and use care when interpreting the results.

Go deeper:

• Consumer Reports explains how to delete your data from DNA testing sites
• The NYT details how China uses DNA to track its citizens
• AI can target specific genetic markers from massive genomics data sets, writes Eleonore Pauwels for Axios Expert Voices.

Editor's note: An earlier version of this story incorrectly stated that Ancestry shared data with pharmaceutical companies.