It’s Not Just Me, It’s Also You: How Shared DNA Complicates Consent

by Ethan Magistro

With just a sample of your DNA, you, your immediate family members, and many other distant relatives can be identified. Your genetic information can be used to determine your and your family’s insurance policies, expose medical conditions you didn’t even know you had, and, in the worst case, be used to identify and arrest someone you may be distantly related to. The deoxyribonucleic acid (DNA) contained within every cell of our bodies holds intimate details about each of us. Yet when users send sample DNA to direct-to-consumer (DTC) testing kit companies, only their consent is needed to share information that belongs to many of their family members. Because of this, I argue we should drastically rethink our understanding of DNA. Rather than conceptualizing DNA as analogous to other types of private property that can be traded with individual consent, DNA trade should require the shared consent of family members. The difficulty in obtaining that consent points to a colossal need for the development of genetic privacy laws.

To understand why DNA should be understood as a form of shared property, it will be helpful to outline the economic and legal landscape of consumer genetic testing. The past few years saw a spike in interest for DNA testing and an explosion in the DTC testing kit market, which is dominated by AncestryDNA and 23andMe. Although the market has died down since then, worries about political and enforcement abuses of genetic information and medical privacy concerns are still in focus. 

Concerns about enforcement abuses of genetic information usually involve the Fourth Amendment, which protects citizens from unreasonable searches and seizures. This was exemplified in Maryland v. King, a U.S. Supreme Court case which held that genetic testing is similar to fingerprinting, and is therefore a reasonable search under the Fourth Amendment, to the chagrin of privacy advocates. The latter issue of medical privacy deals with Titles I and II of the Genetic Information Nondiscrimination Act of 2008 (GINA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), both of which are notoriously lackluster in protecting privacy, especially regarding DTC testing, which neither law protects. Beyond this, some states have genetic privacy laws with varying levels of consent required by companies. Many of them provide little extra protection. This lack of privacy protection has caused the DTC industry to mostly self-regulate, which has been spotty at best: in their privacy policies, some genetic-testing companies wrongly claim they comply with HIPAA, while some companies have no privacy policies at all.

A lack of strong DNA privacy laws presents an imminent threat to genetic privacy because of how valuable a sample of DNA can be. Genetic information’s longevity, immutability (you cannot change your DNA like you can a lost password) and predictive ability about future health make it extremely valuable. Yet DNA is unique in that it is able to identify an individual as well as their family members, since people share large portions of DNA with their relatives. This is why it has been so often used to gain leads in criminal cases.

Because DNA is so valuable, it makes sense that shoddy privacy policies exploit a lack of laws to gain control of it. Deceptive policies mislead individuals into giving away most of the control over their genetic information, and, therefore, their family’s genetic information, without ever knowing it. With that control, companies can trade or exchange this data, often selling it to unknown third-party companies who can use it as they wish. Bigger companies like AncestryDNA or 23andMe are no safer. They may truthfully claim they do not sell your genetic data to third-party companies, but the independent labs they send the sample to for analysis make no such guarantees.

It is hard for consumers to notice that. A large company’s connection to third parties is often inconspicuously snuck into their privacy policies. Before it was shut down in late 2020, AncestryHealth, the division of AncestryDNA designed to identify genetic health risks, sent DNA samples to a third-party group called PWNHealth for analysis. A link to PWN’s privacy policy is at the very end of AncestryDNA’s terms and conditions, which itself is in small print at the bottom of the AncestryDNA webpage. PWNHealth’s privacy policy is far less robust than Ancestry’s. Two points stick out:

“You have the right to request in writing that we restrict how your health information is used or disclosed. For most requests, under the law, we are not required to agree to your request.”

and

“If you request that Ancestry delete your information held by Ancestry, such request will not result in the deletion of information held by PWNHealth. Such information will be retained by PWNHealth in accordance with applicable law and this Privacy Policy.”

It is clear that PWNHealth has no intention of removing or restricting its use of submitted genetic data. Even if PWNHealth claims that they will only trade “non-identifiable data,” the shocking ease with which genetic data can be re-identified makes this claim essentially worthless. So while AncestryDNA will not sell your genetic data, PWNHealth can and will.

Despite all of these concerns, PWNHealth is still acting within the law so long as a user consents to its terms of use and, therefore, how it uses your genetic data. But is an individual’s consent enough considering that their DNA sample contains information about their relatives? It should not be. DNA contains valuable, identifiable information about a user’s family and distant relatives that should not be shared without their knowledge. Instead, companies who offer DTC genetic testing should require consent from those with whom an individual shares the majority of their DNA.

Already that idea sounds burdensome. Should someone really have to call their parents, grandparents, and siblings if they want to understand more about their own medical information? What about those who are estranged from their families, or people who are adopted and do not know their biological relatives? Here, a middle path exists between individual consent and shared consent. Perhaps for medical information, relevant to an individual who may want to alter their lifestyle to decrease the risk of a condition manifesting, an individual should use a DTC test without providing shared consent. A kit designed to find unknown relatives who may wish to remain private, on the other hand, should require companies to ask for consent from those relatives.

Yet this argument ignores the threat that third-party actors pose. The importance of genetic privacy is less about keeping individual issues private from the family and more about keeping familial DNA out of the hands of third parties like PWNHealth who can trade that genetic information and other groups who could de-identify it or sell it. If you must get a genetic test for medical reasons, it would be wiser to do so in a clinical setting, where HIPAA and GINA offer comprehensive privacy and protection. Without that same protection, DTC tests put many of your relatives’ information at risk.

What could a stronger form of shared consent look like in the DTC arena? One analogy that provides some insight comes from a complaint filed by the Federal Trade Commission (FTC) against Facebook in which the FTC challenged Facebook’s misleading privacy policies and deceptive practices. The complaint alleged that Facebook “told its users that they could limit those who could see their posts to just ‘Friends,’ when in reality—and without warning to the user—doing so would also allow developers of third-party applications used by their ‘Friends’ to access the post.” In other words, “third party applications” of a user’s Facebook friends could look at that user’s posts even if the user did not consent to that action.

This is not a perfect analogy. A post shared with a friend, which is then unwittingly shared with a third-party application, is not the same as DNA, which is physically shared by multiple people. Nonetheless, the FTC acted when Facebook gave third parties access to a user’s post, even when that user had no option to consent to this. In a case involving genetic data, it’s feasible that the FTC could challenge DTC companies for not adequately informing users that their familial genetic data, which they provided without their family’s consent, was now in third-party companies’ hands.

Like those users who had a reasonable expectation that only their friends would see their posts, people who have never taken a DNA test or given away a DNA sample would not expect their genetic information to be in the hands of a group such as PWNHealth. There is a reasonable expectation that genetic information is private. If someone wants to give away valuable information about you — even if it is partly their information too — they ought to seek out your consent.   

Ultimately, the easiest remedy for the lack of genetic familial privacy and the need for shared consent would be stronger genetic privacy laws. The lack of robust genetic privacy laws already leaves consumers unprotected against bad actors looking to profit from their DNA. As genetic testing technology improves and we become able to gain more information from smaller samples of someone’s genome, not having ownership over your DNA could pose a threat to your descendants in the future. Technology that fails to respect these repercussions and ignores the need for consent from multiple parties cannot continue to outpace legislation. Although the complexity of shared consent and its complication of privacy policies leave room for the FTC to police weaker terms and conditions, it would be far more beneficial for all parties if strict regulation, created through legislation, protected the blueprint of life.