Companies collecting consumer DNA for non-medical purposes seem to be playing fast and loose with their customers’ data, according to a well-regarded consumer watchdog. This category of private money makers, which could include weight reduction companies, are capturing the most private information of all, consumer DNA, and combining it with other data to build profiles for themselves and third parties.

Anyone who has followed this blog for the past couple of years will know that I have written some harsh words for the recreational DNA industry, observing how these companies take consumers’ most private information for one reason and use it for other purposes, including milking corporate revenue from their vast DNA libraries.

One of my primary concerns is that, while DNA testing performed for medical reasons is protected by federal law, providing DNA to these consumer companies is not. In other words, many people believe that giving up their biological data to these companies is a private transaction with limits on data usage under HIPAA, and this is not true. Providing your DNA for some highly questionable weight loss benefit or to discover your grandmother’s place of birth is not a HIPAA-covered transaction, even if the private company sends you information that could be used as medical insight.

It is difficult to check on everything that may be happening to these oceans of DNA data collected over the years – especially now that private equity companies have started buying DNA repositories like Ancestry. But consumer protection publications analyze how the industry is treating the other consumer data collected by these businesses, and now we have a published example.

This year, Consumer Reports conducted a privacy study of 5 prominent consumer DNA testing companies, primarily examining how those companies treated consumers’ non-DNA collected information. Consumer Reports was not able to run blind tests on the treatment of DNA samples, so it examined what it could – the data collected at websites and by apps, and the data volunteered by consumers. CR found, “The companies’ services over-collect personal information about you and overshare some of your data with third parties. CR’s privacy experts say it’s unclear why collecting—and then sharing—much of this data is necessary to provide you the services they offer.” 

Consumer Reports submitted dog blood and saliva to five of the leading recreational DNA testing companies, allowing the editors to open accounts and investigate how the data was used. (All of the DNA companies noted that the samples could not be accurately processed.) Consumer Reports ran tests of each DNA company app and analyzed network traffic while accessing websites of the services. CR used this data to evaluate if the DNA companies’ behavior matched their privacy policies, finding that the DNA companies over-collected and over-shared non-DNA data from consumers and included potentially misleading expansive permissions when consumers opt in to research.

The investigators wrote: “We found in our testing that these apps potentially collect more data than could be needed to deliver their core service. We also found through our privacy-policy analysis that when consumers opt into "research," many are providing third-party access not only to their DNA but also to other types of data the company has about you, which can include information about your relatives and family history. And we learned through both testing and privacy-policy review that all of these companies share non-DNA data that could potentially be used to target ads and develop data profiles on consumers, with few obvious tools to help users protect their privacy.”

Consumers who may expect such data sales elsewhere, probably don’t anticipate blatant commercialism from sites actively seeking their DNA. Activity on these sites could reveal sensitive health conditions or other biological information that consumers do not expect to be shared with the highest bidders.

Activity on these sites could reveal sensitive health conditions or other biological information that consumers do not expect to be shared with the highest bidders.

I have written before about the research overreach. The sites act like permitting your DNA to be used in research is a purely academic exercise leading to the betterment of knowledge for all mankind, while the research often is product development for the benefit of the company itself. The research information exposed or sold to third parties “can include self-reported health information and information about relatives,” according to Consumer Reports. Even if the information is originally de-identified, there is always a risk of re-identification by your DNA, as the MyHeritage consent form explicitly states. In fact, the journal Nature Communications published an article which posits that nearly every American can be re-identified from a 15-item data set. I imagine that a set including your DNA readings wouldn’t need too many additional items to re-identify you. 

In addition, most consumers wouldn’t expect that Ancestry augments the data consumers provide with credit reporting data from Experian. The DNA companies pull additional information about their customers from other sources and build a more detailed profile than could be accomplished with the data consumers voluntarily provide on the DNA collection site. All five of the major DNA testing companies reviewed by CR allow third parties to track consumers’ activities as consumers use these services. CR states, “Such tracking can be used to build profiles of individual consumers and to target them with advertising, a practice common with many types of apps.” So even the fact that you might be interested in testing your DNA, and the reasons you show for this interest, are likely to appear in the massive personal profiles held about you with Google, Microsoft, Oracle, Facebook and others. Once these companies have aggregated your data into their huge files, the privacy policy and promises of the DNA sites don’t matter anymore.

If these privacy concerns bother you, fortunately Consumer Reports also publishes a guide to deleting data from these sites. CR also recommends that even if you submit DNA to these consumer genetics companies you should opt out of research because the companies are not clear on how your information can or will be used in the next several years.

This new study should not surprise us. This is an industry built on quietly collecting the most intimate data from the highest number of people in an unregulated fashion, and then turning the data into cash. They convince people to pay them to become the industry’s product. Millions comply.

State laws have started to place limits on uses of some consumer genetic information. California’s Genetic Information Privacy Act started enforcement this month. The California law imposes some obligations on consumer genetic testing companies including the right for consumers to have their biological samples destroyed and their accounts and genetic data deleted (with limited exceptions). Florida passed a law called the Protecting DNA Privacy Act, which came into force last October. Florida imposes criminal sanctions for such actions as submitting for analysis the DNA sample of another person without their consent or disclosing another person’s DNA analysis results without consent.

The consumer DNA industry is catching the attention of consumer watchdogs and state legislatures, but still remains a dangerous repository of intimate data with very few rules.