By Jeremy Gruber

DNA provides a rich digital source of medical information; as a result it has great scientific value. But it is also ripe for data sharing and has significant commercial value as well.

Purchasing genetic testing services in an online commercial marketplace raises significant privacy concerns, as consumers may turn over their DNA and other personally identifiable information to companies without a clear understanding of the privacy risks and without clear guidance as to their legal and regulatory rights in this area.

There are currently no clear guidelines on the ownership of genetic material and the information derived from it, nor are there clear guidelines with respect to the protection of customer privacy by the direct-to-consumer genetic testing industry. Indeed, consent forms and privacy policies vary widely within the industry and without standards can be unclear and often subject to change.

There are three specific areas where significant privacy concerns arise:

1) Controls on DNA Submitted by Customers

Current practices related to ensuring that customers are submitting only their own DNA are insufficient. At present, commercial personal genomics companies do require customers to confirm they have the legal authority to submit DNA samples, yet such statements are not clearly and conspicuously posted but rather often hidden within larger privacy and consent documents which are often visible to the consumer only after the registration process has begun. Moreover, they do not explicitly warn customers of the possible issues raised by submitting another individual's DNA for analysis.

Considering how simple surreptitious collection of individual DNA can be, it is not hard to imagine how political, social and personal motivations could compel the improper submission of DNA samples. This is a particular concern since most of these companies allow for an individual to purchase multiple testing kits per order. Yet, few controls are offered beyond such statements to ensure that customers are actually complying with this requirement. No offer of proof is requested beyond the statement. This could easily be included as part of the sample submission process.

2) Security of Genetic Information

Customers are often not limited to providing a DNA sample as part of their participation in the personal genomics marketplace. They are also offered a variety of surveys, blogs and other tools where they can provide personally identifiable information. Whenever identifiable DNA samples are collected and stored, there is a high risk that violations of genetic privacy will follow. The methodology by which this information is secured is essential, yet without standards and oversight we still know very little beyond the assurances of the industry as to what specific controls are used.

Moreover, the privacy policies of DTC companies are not subject to the health privacy regulations issued pursuant to the Health Insurance Portability and Accountability Act (HIPAA), and there are few state and federal privacy laws that apply. It is essential that personal information be protected by security safeguards appropriate to the sensitivity of the information.

Safeguards should include physical, technical and administrative measures to protect information and biological samples from unauthorized access, use, disclosure, alteration or destruction.

Almost all DTC company privacy policies make statements about security safeguards, though the degree of detail varies substantially. Mistakes and other breaches of security are not uncommon. Just this summer, the DTC company 23andMe accidentally sent data of up to 96 individuals to the wrong customers.[1]

There is also no transparency as to the degree to which personally identifiable health information is de-identified. As the ability to share, store, and aggregate genomic data progresses, the capability of keeping this data anonymous becomes increasingly important. Because an individual's genetic information is so personal and specific, it is vital to protect it from any unwarranted access or use. There have been several instances where de-identified data has been re-identified and personal information linked back to its owner. One such study,[2] which focused on eight gene-based diseases, achieved re-identification of DNA data and established identifiable linkages in 33-100% of surveyed cases. The researchers used anonymized DNA database entries and linked them to publicly available health information, despite the fact that the database did not include any explicit identifiers such as name, address, social security number, or any other personal information. Because not all de-identification techniques adequately anonymize data, it is important that the process employed by the industry be robust, scalable, transparent and shown to provably prevent the identification of customer information.

3) Third Party Disclosure of Customer Data

One significant unresolved issue relating to the DTC industry is exactly who owns the customer's data. Most DTC companies do not explicitly address this issue in their privacy policies. If the DNA sample and other information submitted by the customer are the property of the company, the company is free to sell or otherwise transfer that information to a third party.

Many DTC companies have adopted this approach as part of their business model without sufficiently explaining to customers the extent to which this may occur, what type of data is being transferred and the potential negative consequences. For example, 23andMe has partnerships with the Swiss firm Mondobiotech and the Parkinson's Institute, and Navigenics is conducting studies with the Mayo Clinic and Scripps Institute.

Moreover, how such information is to be treated upon sale of a company, or if a company enters bankruptcy proceedings, is less than clear and is certainly not expressed to customers, particularly when the entities potentially acquiring such information have significantly less strict privacy standards.

Most DTC companies do not ask for specific consent for these purposes. Some companies are moving in the right direction. 23andMe has recently begun asking for specific consent for participation in published research. However, they note that "even by refusing to participate, we may still use your Genetic and/or Self-Reported Information for R&D purposes…which may include disclosure…to third-party non-profit and/or commercial research partners who will not publish that information in a peer reviewed scientific journal."[3]

The degree to which these types of partnerships and others have proliferated within the industry is still largely unclear. What is clear is that affirmative written consent must be required before DTC companies can use any customer-generated genetic information in this way.

There is currently very little guidance on how consumers can protect their privacy. For example, the US Federal Trade Commission gives the following advice to consumers who are considering DTC genetic tests:

"Protect your privacy. At-home test companies may post patient test results online. If the website is not secure, your information may be seen by others. Before you do business with any company online, check the privacy policy to see how they may use your personal information, and whether they share customer information with marketers."[4]

Such advisories are hardly satisfactory to ensure consumer privacy is protected.

It is essential that Congress, the Food and Drug Administration, the Federal Trade Commission, and the Centers for Disease Control all work together to help set privacy standards for the direct-to-consumer genetic testing industry and ensure that all issues regarding industry practice are adequately supervised to ensure compliance.


This essay is a modified excerpt from testimony offered at the FDA public meeting on “Oversight of Laboratory Developed Tests 'Direct to Consumer Genetic Testing'” in Silver Springs, Maryland on July 20, 2010.

Jeremy Gruber, JD, is President of the Council for Responsible Genetics.




2. Bradley Malin and Latanya Sweeney, "Determining the Identifiability of DNA Database Entries," Journal of the American Medical Informatics Association (2001), 423.

3. 23andme Privacy Statement (accessed on 7/12/10 at

4. See, for example, United States, Federal Trade Commission, At-home Genetic Tests: A Healthy Dose of Skepticism may be the Best Prescription (2006), online: Federal Trade Commission (
