23andMe and other DNA-testing firms promise not to share data without consent

A number of companies that offer consumer genetic testing, including 23andMe and Ancestry, have pledged to protect customer privacy under a new set of voluntary guidelines. The firms say they will now obtain “express consent” from customers before transferring their genetic data to third parties, and they promise to publish annual transparency reports detailing how and when their data is accessed by law enforcement.

The guidelines — which were also signed by Helix, MyHeritage, and Habit — are a reaction to public fears about how private companies share individuals’ sensitive genetic data. Customers pay for tests in the hopes of learning about their ancestry or disposition to certain diseases, but often do not consider how this information might be used by others. (Or, indeed, how hackers might try to access it.)

The issue was brought into the spotlight following the April arrest of a man who was thought to be the Golden State Killer, a serial killer and rapist who was active in the 1970s and 1980s. The suspect was identified by matching a decades-old DNA sample to a public dataset of genetic information uploaded to ancestry site GEDmatch, with police claiming that the site’s privacy policy meant a court order was not needed to search the database.

GEDmatch is not covered by these new privacy guidelines, but some firms already publish annual reports on requests from law enforcement. 23andMe received five requests last year but did not turn over any data; Ancestry received 34 and provided data in 31 cases. Under these new guidelines, the companies say they will “attempt to notify” individuals when their data is requested, although they may be blocked from doing so by court gag orders.

One area of data-sharing these best practices won’t affect is anonymized medical research. Last month, for example, 23andMe announced a partnership with GlaxoSmithKline that gives the pharmaceutical giant access to “de-identified” genetic data from the roughly 80 percent of 23andMe users who permit their information to be used for drug research. In return, 23andMe received a $300 million investment from GSK. Nothing would change with this deal under the new guidelines, although 23andMe stresses that the information shared only covers broad trends and insights and no personally identifiable data.

Although these new guidelines are only voluntary, if the companies that have signed up to the pledge break their promises, they could be the target of federal censure. Juliana Gruenwald Henderson, a spokesperson for the FTC, told The Washington Post that companies that fail to keep these promises could be fined. “The FTC remains vigilant in protecting consumers’ privacy and security,” said Henderson.