Direct-to-consumer genetic testing (DTC-GT) companies have proliferated and expanded in recent years. Using biospecimens directly submitted by consumers, these companies sequence and analyze the individual's genetic information to provide a wide range of services, including information on health and ancestry, without the guidance of a healthcare provider. Given the sensitive nature of genetic information, however, there are growing privacy concerns regarding DTC-GT company data practices. We conduct a rigorous analysis, both descriptive and normative, of the privacy policies and associated privacy risks and harms of the DTC-GT services of two major companies, 23andMe and Ancestry, and evaluate to what extent consumers' genetic privacy is protected by the policies and practices of these two companies. Despite the exceptional nature of genetic information, the laws and agency regulation surrounding genetic privacy and DTC-GT services are fragmented and insufficient. In this analysis, we propose three categories of privacy harms specific to DTC-GT--knowledge harms, autonomy and trust-based harms, and data misuse harms. Then, through the normative lens of exploitation, we argue that 23andMe's and Ancestry's data practices and privacy policies provide consumers with insufficient protection against these harms. Greater efforts from both the industry and the legal system are necessary to protect DTC-GT consumers' genetic privacy as we advance through the era of genomics and precision medicine.
TABLE OF CONTENTS

INTRODUCTION
I. REGULATION OF DIRECT-TO-CONSUMER GENETIC TESTING
A. Federal Laws That Can Regulate Genetic Information
B. Federal Administrative Agencies That Can Regulate DTC-GT Companies
C. State Laws
D. Common Law
II. SERVICES OFFERED BY 23ANDME AND ANCESTRY
A. 23andMe and Ancestry Services
B. The Potential Benefits of Using 23andMe and Ancestry Services
III. GENETIC PRIVACY, RISK, AND HARM
A. The Central Normative Concern: Exploitation
B. Genetic Exceptionalism and Genetic Privacy
C. Defining Risk and Harm
IV. ANALYSIS OF 23ANDME AND ANCESTRY POLICIES AND PRACTICES
A. The Adequacy of 23andMe's Privacy Policies
B. The Adequacy of Ancestry's Privacy Policies
C. The Distribution of Benefits
V. POTENTIAL SOLUTIONS
A. Improving DTC-GT Industry Self-Regulation
B. Increased Federal Agency Oversight
C. Comprehensive Data Privacy Legislation
CONCLUSION

INTRODUCTION
The rapid advances in sequencing technology and genomics have fueled the expansion of the Direct-to-Consumer Genetic Testing (DTC-GT) industry. According to industry estimates, over 12 million people had used DTC-GT services by 2017, (1) and the global DTC-GT market was valued at $359 million in 2017. (2) Recent years have been particularly exciting for the industry as the Food and Drug Administration (FDA) authorized 23andMe, a leading DTC-GT company, to sell the first DTC test for Bloom Syndrome in 2015 (3) and, more recently in April 2017, approved 23andMe's Health Predisposition tests, known as genetic health risk (GHR) tests under FDA regulations, for ten diseases. (4) FDA is continuing its pro-DTC-GT stance by announcing plans to exempt DTC GHR tests from premarket review (5) and by authorizing 23andMe's GHR test for three BRCA breast cancer gene mutations in March 2018 (6) and a test for hereditary colorectal cancer syndrome in January 2019. (7) Advertisements for DTC-GT are omnipresent, (8) and Ancestry, another popular DTC-GT company, has partnered with the music streaming service Spotify, claiming to offer music tailored to one's DNA. (9)
However, given the sensitive nature of the data collected and used, DTC-GT companies have not been free from privacy concerns. For example, in July 2018, 23andMe announced that GlaxoSmithKline (GSK), a large pharmaceutical company, had acquired a $300 million stake in the company, thereby allowing GSK to use 23andMe consumers' genetic information for drug discovery. (10) The recent arrest of the suspected Golden State Killer using DNA evidence from a public database brings additional scrutiny to DTC-GT services. (11)
Worries about genetic privacy, while not new, are one part of the growing concerns over health information privacy as the collection of nontraditional medical information grows. For example, an increasingly large number of devices, such as the Apple Watch or One Drop's Bluetooth Glucose Meter, (12) collect an individual's medical information, from electrocardiogram (ECG) to blood sugar levels, and send it to private companies. (13) The concern over genetic privacy is also a part of the "privacy crisis" our society seems to be facing. Almost every month, we seem to be hearing about another large data breach or the alarming data practices of major technology companies concerning user data. (14)
However, some of our most private and essential information is in the possession of DTC-GT companies, which are subject to an inadequate patchwork of laws. (15) The Health Insurance Portability and Accountability Act (HIPAA), (16) for example, does not have jurisdiction to regulate medical information outside of the traditional healthcare context, and traditional federal agency regulation appears inadequate. (17) And, among medical information, genetic information may be particularly sensitive because it is immutable and uniquely identifiable. (18) Genetic information, because it is hereditary, may also implicate genetically related family members, as well as a racial or ethnic group.
Meanwhile, the existing legal scholarship on genetic privacy and DTC-GT companies has largely consisted of surveys of companies' privacy policies and guidelines. Some studies have provided either an overview of the problems posed by DTC-GT services (19) or an assessment of consumer understanding of the companies' privacy policies. (20) One study conducted a framework analysis of thirty DTC-GT companies' privacy policies and practices using a "codebook" developed by synthesizing guidelines from professional societies and public bodies, (21) and another recent paper used the FTC's Fair Information Practice Principles (FIPPs) as a baseline framework to evaluate the privacy policies of ninety DTC-GT companies. (22) While instructive, these survey studies have remained largely descriptive. In addition, although there have been concerns about the risks of DTC-GT--the validity and utility of the tests, inappropriate healthcare decisions, emotional harm, data security--since the advent of DTC-GT, (23) a focused and rigorous legal analysis of particular DTC-GT company practices has been wanting.
This Article contributes by being the first to conduct a rigorous analysis, both descriptive and normative, of the privacy policies and associated privacy risks of the DTC-GT services of two major companies--23andMe and Ancestry (focusing on AncestryDNA)--and evaluates to what extent consumers' genetic privacy is protected by the policies and practices of these two companies. We focus on these two companies because 23andMe and Ancestry are industry leaders. As industry leaders, they can set the industry standard and lead the industry toward better data practices and privacy protection.
Our analysis is structured into five parts. Part I provides an overview of the current legal landscape in the United States surrounding DTC-GT companies and their consumers, including federal laws and agencies, state law, and common law. We show that while there are many laws and agencies that appear to govern the DTC-GT industry, they do so in a piecemeal and incomplete manner. As a consequence, consumers' genetic privacy is left particularly vulnerable. This work focuses on the practices of 23andMe and Ancestry, and, thus, Part II will briefly review the services provided by these two companies. Part III introduces exploitation theory as the guiding normative framework, which requires consideration of the distribution of benefits and risks in a transaction. We break risk into a three-part analysis: defining the type of harm, the magnitude of that harm, and the probability that the harm will materialize. (24) We propose three categories of harms that most helpfully capture the potential privacy harms of DTC-GT: (1) knowledge harms; (2) autonomy and trust-based harms, which include worries about notice, choice, and deception; and (3) harms related to data misuse. We further argue that the risks associated with genetic information are heightened relative to other consumer or even health data because of the special nature of genetic information, supporting the notion of genetic exceptionalism. Part IV will assess to what extent these companies adequately protect against the privacy risks discussed in Part III through a combination of their consent processes, privacy policies, and data management practices. We conclude in Part V by examining how DTC-GT consumers' genetic privacy can be better protected by valuing trust, more stringent agency oversight, and potentially comprehensive data privacy legislation.
I. REGULATION OF DIRECT-TO-CONSUMER GENETIC TESTING
In the United States, a number of laws and agencies have jurisdiction to regulate genetic information or govern the DTC-GT industry. However, the regulation is fragmented and incomplete. (25) The genetic privacy of DTC-GT consumers can be protected in two ways: directly, by regulating the collection, processing, use, and/or storage of genetic information; or indirectly, by regulating the DTC-GT companies themselves. This Part examines the legal landscape surrounding the DTC-GT industry by categorizing the relevant laws and agencies into four groups and analyzing whether they are effective in regulating DTC-GT companies and/or the genetic information produced by those companies: (1) federal laws that can regulate genetic information; (2) federal agencies that can regulate DTC-GT companies; (3) state laws that supplement the federal laws and agencies; and (4) common law privacy torts, in particular, the disclosure and...