Over the last decade, major direct-to-consumer (DTC) genetic testing companies, like 23andMe and Ancestry, have fashioned themselves into monolithic “banks” of genetic information. These firms subsequently adopted business models that prioritized the sale of consumer genetic data to third parties—namely, academic institutions and pharmaceutical companies. Take, for example, GlaxoSmithKline (GSK), a pharmaceutical company that recently purchased a $300 million stake in 23andMe that permits it to use consumer genetic information for drug development purposes. To that end, the DTC industry has effectively granted itself “the right to manage our genomic information, to store it, and to profit from it.”

This practice has, unsurprisingly, led to a slew of privacy and broader bioethical concerns. Some point out that permitting DTC firms to wield such authority over genetic data—whether by housing it under one roof or sharing it with the highest institutional bidder—carries a host of increasingly novel and untenable consumer risks. A single data breach resulting in the exposure of genetic information could, for example, ultimately subject affected consumers to certain forms of insurance discrimination, military discharge, or—if DNA replaces biometric information as a currency for security systems—infiltration of their home or bank account. Moreover, because DNA (1) cannot be changed and (2) serves as a potent human identifier, both the consumer and her family may bear these risks for the rest of their lives. Others focus on the DTC industry’s exclusive reliance on clickwrap contracts to govern its management of consumer data, leading to speculation that at least some customers are misled regarding when and where their genetic information will be shared or how it will be protected. This form of self-regulation is largely enabled by the fact that DTC firms do not fall within the purview of the Health Insurance Portability and Accountability Act (HIPAA), which prescribes the federal regulatory scheme for personal health information.

The 2018 server breach of Israeli DTC firm MyHeritage—which exposed the personal (non-genetic) information of more than 92 million consumers—effectively brought these concerns to a head. In June of that year, the Federal Trade Commission (FTC) publicly hinted at the launch of an investigation into the data management practices of the DTC industry. Because the FTC takes extreme precautions to protect the secrecy of its investigations, nothing else is known about the nature or status of the inquiry. It’s worth noting, however, that FTC investigations are incredibly lengthy, often taking more than a year to complete. While no agency has exerted any regulatory authority over the private use of genetic data by non-healthcare firms, the FTC—which carries the broad power to police “unfair and deceptive” privacy and security practices—is the most likely candidate to do so. The Commission has the flexibility to bring enforcement actions when (1) there is no specific intent to deceive or harm the public, (2) the public has not yet been injured, or (3) a specific data security practice is commonplace. Its recent dealings with the credit card industry also indicate that it is no stranger to setting heightened, industry-specific data security requirements when sensitive personal information is at issue. To that end, DTC firms and any other private, non-healthcare entities that traffic in genetic data may do well to anticipate stricter regulatory scrutiny of their data collection, storage, and sharing practices in the near future.

Noah Spector