Recreational DNA Industry May Take Liberties With Consumer Data
Companies collecting consumer DNA for non-medical purposes seem
to be playing fast and loose with their customers’ data,
according to a well-regarded consumer watchdog. This category of
private money makers, which could include weight reduction
companies, is capturing the most private information of all,
consumer DNA, and combining it with other data to build profiles
for themselves and third parties.
Anyone who has followed this blog for the past couple of years
will know that I have written some harsh words for the
recreational DNA industry, observing how these companies take
consumers’ most private information for one reason and use it
for other purposes, including milking corporate revenue from their
vast DNA libraries.
One of my primary concerns is that, while DNA testing performed
for medical reasons is protected by federal law, providing DNA to
these consumer companies is not. In other words, many people
believe that giving up their biological data to these companies is
a private transaction with limits on data usage under HIPAA, and
this is not true. Providing your DNA for some highly questionable
weight loss benefit or to discover your grandmother’s place of
birth is not a HIPAA-covered transaction, even if the private
company sends you information that could be used as medical
insight.
It is difficult to check on everything that may be happening to
these oceans of DNA data collected over the years –
especially now that private equity companies have started buying
DNA repositories like Ancestry. But consumer protection
publications analyze how the industry is treating the other
consumer data collected by these businesses, and now we have a
published example.
This year, Consumer Reports conducted a privacy study of 5 prominent
consumer DNA testing companies, primarily examining how those
companies treated consumers’ non-DNA collected information.
Consumer Reports was not able to run blind tests on the treatment
of DNA samples, so it examined what it could – the data
collected at websites and by apps, and the data volunteered by
consumers. CR found, “The companies’ services over-collect
personal information about you and overshare some of your data with
third parties. CR’s privacy experts say it’s unclear why
collecting—and then sharing—much of this data is
necessary to provide you the services they offer.”
Consumer Reports submitted dog blood and saliva to five of the
leading recreational DNA testing companies, allowing the editors to
open accounts and investigate how the data was used. (All of the
DNA companies noted that the samples could not be accurately
processed.) Consumer Reports ran tests of each DNA company app and
analyzed network traffic while accessing websites of the services.
CR used this data to evaluate if the DNA companies’ behavior
matched their privacy policies, finding that the DNA companies
over-collected and over-shared non-DNA data from consumers and
included potentially misleading expansive permissions when
consumers opt in to research.
The investigators wrote: “We found in our testing that
these apps potentially collect more data than could be needed to
deliver their core service. We also found through our
privacy-policy analysis that when consumers opt into
“research,” many are providing third-party access not
only to their DNA but also to other types of data the company has
about you, which can include information about your relatives and
family history. And we learned through both testing and
privacy-policy review that all of these companies share non-DNA
data that could potentially be used to target ads and develop data
profiles on consumers, with few obvious tools to help users protect
their privacy.”
Consumers who may expect such data sales elsewhere probably
don’t anticipate blatant commercialism from sites actively
seeking their DNA. Activity on these sites could reveal sensitive
health conditions or other biological information that consumers do
not expect to be shared with the highest bidders.
I have written before about the research overreach. The sites
act like permitting your DNA to be used in research is a purely
academic exercise leading to the betterment of knowledge for all
mankind, while the research often is product development for the
benefit of the company itself. The research information exposed or
sold to third parties “can include self-reported health
information and information about relatives,” according to
Consumer Reports. Even if the information is originally
de-identified, there is always a risk of re-identification by your
DNA, as the MyHeritage consent form explicitly states. In fact, the
journal Nature Communications published an article which
posits that nearly every American can be re-identified from a
15-item data set. I imagine that a set including your DNA readings
wouldn’t need too many additional items to re-identify you.
In addition, most consumers wouldn’t expect that Ancestry
augments the data consumers provide with credit reporting data from
Experian. The DNA companies pull additional information about their
customers from other sources and build a more detailed profile than
could be accomplished with the data consumers voluntarily provide
on the DNA collection site. All five of the major DNA testing
companies reviewed by CR allow third parties to track
consumers’ activities as consumers use these services. CR
states, “Such tracking can be used to build profiles of
individual consumers and to target them with advertising, a
practice common with many types of apps.” So even the fact
that you might be interested in testing your DNA, and the reasons
you show for this interest, are likely to appear in the massive
personal profiles held about you with Google, Microsoft, Oracle,
Facebook and others. Once these companies have aggregated your data
into their huge files, the privacy policy and promises of the DNA
sites don’t matter anymore.
If these privacy concerns bother you, fortunately Consumer
Reports also publishes a guide to deleting data from these
sites. CR also recommends that even if you submit DNA to these
consumer genetics companies you should opt out of research because
the companies are not clear on how your information can or will be
used in the next several years.
This new study should not surprise us. This is an industry built
on quietly collecting the most intimate data from the highest
number of people in an unregulated fashion, and then turning the
data into cash. They convince people to pay them to become the
industry’s product. Millions comply.
State laws have started to place limits on uses of some consumer
genetic information. California’s Genetic Information Privacy
Act started enforcement this month. The California law imposes some
obligations on consumer genetic testing companies including the
right for consumers to have their biological samples destroyed and
their accounts and genetic data deleted (with limited exceptions).
Florida passed a law called the Protecting DNA Privacy Act, which
came into force last October. Florida imposes criminal sanctions
for such actions as submitting for analysis the DNA sample of
another person without their consent or disclosing another
person’s DNA analysis results without consent.
The consumer DNA industry is catching the attention of consumer
watchdogs and state legislatures, but still remains a dangerous
repository of intimate data with very few rules.
Originally published 18 January 2022