Over the last couple of months, a number of articles have appeared in the media and blogosphere highlighting the issues of data ownership and privacy in relation to direct-to-consumer (DTC) genetic ancestry testing. 

In the past four years, sales of personal DNA tests from companies such as AncestryDNA, 23andMe, Family Tree DNA and the Genographic Project, among others, have risen steeply. 23andMe has now passed its 2 millionth customer mark, while AncestryDNA is estimated to have sold over 1 million tests worldwide in 2016 alone (the company currently claims to have over 4 million customer samples in its database).

These figures indicate that increasing numbers of the public are sending in saliva samples or cheek swabs to private companies in exchange for an estimate of their ancestral origins, a chance to discover lost relatives, or to find out about their genetic predisposition to certain health conditions. But what concerns – if any – should DNA ancestry customers have about how their genetic material and personal information may be used by these companies?

In this blog post, we review the terms and conditions, privacy statements, and research consent documents of two leading DNA ancestry testing companies, AncestryDNA and 23andMe (links to all of these documents can be found at the end of this post). Our aim is to give an overview of how customers’ data are used by these enterprises and their commercial and research partners, and help prospective test-takers to understand how they can maintain a level of control over their own genetic information when thinking about taking an ancestry test.

To agree or not to agree?

The first thing to know is that when buying a DNA ancestry test from AncestryDNA or 23andMe, customers are presented with two legal documents. The first is the company’s terms and conditions (including a privacy statement), which customers are shown at the time of purchase. These are the general conditions that customers must agree to in order to receive the company’s services (i.e. to be able to see and explore your genetic results, and to use the online tools and products offered by the company). In other words, if you decide not to agree to the T&Cs, you cannot go ahead and buy a DNA test from the company.

The second is an informed consent document, which customers are usually shown when registering their kit, and which relates to additional research projects being run by each company: respectively, the “Ancestry Human Diversity Project”, and the “23andMe Research” project. Unlike with the terms and conditions, agreeing to the informed consent document is absolutely voluntary: if you prefer not to be involved in the company’s additional research initiatives, you can refuse to agree to the informed consent document and you will still receive all of the normal services you signed up for when buying the DNA test in the first place.

So what is in these documents? Let’s start by looking at the companies’ T&Cs and privacy statements…

The small print

How will the company use my data?

Both of the companies state that they will use customers’ genetic data for their internal research, which is used to provide customers’ individual ancestry reports, and improve the services and products they offer.

Specifically, AncestryDNA states that its customers’ genetic data will be used for

 On an individual level, the company uses this research to provide customers with their ancestry results and to identify potential relatives among their customer base for the “DNA matches” feature (NB: AncestryDNA does not currently offer personalised health reports to its customers). The company also states that it uses its customers’ data in an anonymised, aggregated form to

This research is all carried out within the company, and is separate from the Ancestry Human Diversity Project (see below).

For its part, 23andMe’s privacy highlights document informs users that the company will collect and analyse

– in order to provide customers with their ancestry and health results, and to monitor and develop the company’s products and services. Again, these activities are separate from the studies carried out under the 23andMe Research project, which are covered by an additional informed consent document (see below).

By taking a test, do I give up ownership of my genetic data?

Both of the companies state in their terms and conditions that by agreeing to take a test, customers are giving them permission to handle and analyse their genetic material, with the purpose of providing their personal ancestry results.

Here is the specific wording from AncestryDNA:

And from 23andMe:

Both companies, however, emphasise in their terms and conditions that customers retain ownership of the personal genetic information extracted through their services.

In the words of AncestryDNA:

And according to 23andMe:

While these statements seem reassuring, it is nonetheless an open question as to what customers’ ownership rights to their genetic data actually consist of in these situations. Although this point is too broad and complex to discuss here, you can read more about current ethical and legal debates surrounding genetic ownership in the context of DTC genetic testing on this page of the Genetics Generation website and in this recent article by Jessica L. Roberts, director of the Health Law and Policy Institute at the University of Houston.

How can I control the privacy of my data if I decide to take a test?

The ancestry reports offered by both AncestryDNA and 23andMe include various sets of information that users can share with other individuals both within and outside of the company database. For the most part, that sharing is voluntary: for instance, users can invite friends and relatives who have not taken a test with the company to view their genetic “ethnicity” or “ancestry composition” report by emailing them a personalised weblink.

However, the “DNA matches” or “DNA relatives” features offered by the two companies work specifically by linking together customers on the basis of their shared DNA. In these features, the companies make calculations based on the amount and size of genomic segments shared between customers, and use these to offer an estimate of their degree of genealogical relatedness to one another. In other words, these are tools that are designed to let users discover and get in contact with “genetic relatives” they didn’t know they had.

Both companies offer some privacy settings that users can alter in order to limit the amount of personal information that is shared with other customers, e.g. through these DNA matching tools.

AncestryDNA states, for instance, that its users can limit or increase the amount of personal information they submit to the company by using the privacy tools on their customer profile. They can also change their display name, and limit how much of their ethnicity estimate is shown to other members they are matched to through the “DNA matches” feature.

However, there is no way for customers to opt out of the “DNA matches” feature altogether [*Update: as of November 2017, AncestryDNA customers are now able to choose whether or not their profile should appear in DNA match lists*]. Underlying this stance is the idea that the more information customers share about themselves, the greater the benefits they will gain from using AncestryDNA’s services. This is also hinted at in the company’s terms and conditions, which advise potential customers that “your experience on the AncestryDNA website may suffer if you choose to provide no additional information”.

23andMe customers, on the other hand, have to purposefully opt in to the “DNA relatives” feature in order for their information to be shared with potential “genetic relatives”. Users can also opt out at any time by changing their privacy settings.

23andMe users can also choose whether to allow their personal details (full name, ancestry composition, report and overlapping DNA segments) to be shared openly with all “DNA relatives” identified by the company, or whether to share these details only on request.

Will the company share my information with other companies or agencies?

Both of the companies pledge not to share users’ individual genetic or personal information with third parties (for instance employers, insurance providers, marketers) without explicit consent, except in special circumstances.

23andMe’s document informs customers that the company may surrender individual-level genetic and self-reported information if “required by law”.

Meanwhile, AncestryDNA states that it may share customers’ personal information with third parties without the former’s consent under the following circumstances:

  • “as may be required or permitted by law, regulatory authorities, legal process or to protect the rights or property of AncestryDNA, Ancestry Group Companies or other Users (including outside your country of residence)”;
  • “to enforce our terms and conditions”;
  • “to prevent fraud or cybercrime”;
  • “to permit us to pursue available remedies or limit the damages that we may sustain”.

Given the very vague wording of these terms, it is difficult to envision what specific events could lead genetic ancestry testing companies to share customers’ data with third parties under such “special circumstances”. To date there has been one mediatised case in which AncestryDNA was asked to reveal the name of a particular genetic test-taker to US police forces, who were hoping to link a DNA sample to a suspect in a murder case (the company did provide the individual’s name after being presented with a search warrant). However, in the past two years both companies have produced regular transparency reports, providing details of how many law enforcement requests they have received, and how many they have provided information for: Ancestry.com declares that it received no requests relating to health or genetic data in 2015 or 2016; and to date 23andMe states that it has received 4 requests from US law enforcement agencies, but has not provided information for any of them (see also this 23andMe blog post on customer data and law enforcement).

It is also worth noting that while both companies state that they do not share their users’ information with employers, healthcare officials, or insurance providers without customers’ consent, 23andMe’s terms of service document also alerts prospective test-takers to the potentially negative consequences of voluntarily sharing their genetic data with third parties.

For instance, the company reminds potential customers that sharing their personal genetic results could allow others to use that information “against your interests”. In particular, the text mentions that, in the US, if an individual’s genetic report becomes incorporated into their medical records, those details may be shared in future with health care providers and insurance companies. Currently, the Genetic Information Nondiscrimination Act (GINA) offers some protection to US citizens by prohibiting employers and health insurers from taking genetic data into account in relation to their hiring decisions and insurance coverage (NB: GINA does not cover life, long-term care, or disability insurance providers). However, a new bill proposed to the US Congress in March 2017 could soon diminish the protections offered to members of the public by GINA, meaning that test-takers could be obliged to share health information provided to them by companies like 23andMe with employers and health insurers.

As for test-takers in Europe, national regulations control how predictive genetic health data can be used by insurers and employers in different countries. In the UK, for instance, a Concordat and Moratorium on Genetics and Insurance, drawn up in 2012, currently ensures that members of the public can take a DNA test without having to disclose the results to health insurers. Details of the current regulations in other European countries can be found on this page of the EuroGenTest website.

How long will the company store my genetic material and data for? Can I delete my account?

Some genetic ancestry testing providers offer customers the option of having their DNA sample stored by the company after the initial analysis is completed. Usually, this is so that the company can conduct additional analyses on the genetic material at a later date, updating customers’ results as new technologies and techniques are developed.

With regards to the storage and deletion of customers’ samples, the two companies have slightly different policies.

By default, AncestryDNA stores not only its customers’ genetic data (in digital format) but also their original genetic samples for an indefinite time period once they have been used for the initial genetic testing process. However, users can request the deletion of their genetic data and/or the destruction of their genetic sample at any time by written request to the company’s Member Services.

23andMe’s Privacy Highlights document states:

This phrase may give the impression that not storing customers’ data is the company’s default position. In fact, customers must notify the company if they do not want to store their sample with 23andMe, by changing the settings in the “preferences” section of their user profile.

If customers choose to store their sample with 23andMe, the company’s Biobanking Consent Document states that they will be stored for a minimum of one year and a maximum of ten (unless otherwise notified by the company).

23andMe’s terms of service also state that users can cancel their genetic account by sending a written request to the company’s physical address (899 West Evelyn Ave., Mountain View, CA 94041), or by using the online Customer Care form. However, it is not clear from the terms of service what happens to their genetic data and personal information after the account is closed.

From customer to research participant?

In addition to agreeing to AncestryDNA or 23andMe’s terms and conditions and privacy statement, customers buying a DNA ancestry test from these providers are also given the option to participate in further research projects organised by the companies, by agreeing to an informed consent document (usually presented when registering a DNA test kit online). It is worth re-emphasising that signing off on these research consent forms is entirely voluntary, and customers will not miss out on access to any of their personal genetic reports by deciding not to participate.

Here is a summary of the information given about each company’s research project in their informed consent documents, and an overview of how customers’ data may be used if they agree to these terms.

What’s the research for?

Both companies state two similar purposes for their research projects:

  • To learn about human history and migration;
  • To discover links between genetic factors and human diseases, traits or conditions.

Beyond this, AncestryDNA also states an intention to “develop new or improved diagnostic tools and therapies to treat diseases or other conditions”, while 23andMe also intends to “understand how people react to their personal genetic information”.

What data are they interested in, and how will they use it?

AncestryDNA collects four types of data from its customers to be used in its research project. These are: genealogical information, provided by users or gleaned from documents on Ancestry.com or other sites; genetic data; health data provided by users or gathered from other publicly available documents; and phenotypic data relating to traits, characteristics, behaviours and other personal information, provided to the company through its website, email surveys, or mobile apps.

23andMe’s research project uses all personal data entered into the website, excluding registration data (e.g. credit cards, etc.). This includes: genetic data, information provided through “surveys, forms and other features labeled with the 23andMe Research logo”; data that customers authorise the company to import for research; customers’ age and ethnicity.

Who has access to the data?

Both companies state that their research projects involve researchers within the company, and potentially also researchers from other organisations and companies, including academic institutions, as well as non-profit and for-profit businesses, agencies and companies.

While neither of the companies provides a comprehensive list of organisations and companies that are currently carrying out research using their datasets, a page on the AncestryDNA website names the USTAR Center for Genetic Discovery, the American Society of Human Genetics, Calico Life Sciences LLC, and the National Marrow Donor Program as current research collaborators. AncestryDNA does not mention whether or not it receives payment from these institutions in return for access to the company’s proprietary datasets.

For its part, since 2014, 23andMe has been inviting academic and private research groups to submit research proposals to the company for the chance to collaborate on some of its proprietary genetic datasets and to conduct studies into particular traits or diseases. Currently, the 23andMe website lists collaborations with academic and non-profit institutions including the University of Chicago, the MRC Epidemiology Unit at Cambridge University, the Broad Institute of MIT and Harvard, Stanford University, the Lupus Research Institute, the Michael J. Fox Foundation, the National Parkinson Foundation, and the Parkinson’s Institute and Clinical Center.

In addition, the company has signed deals with large pharmaceutical companies such as Pfizer, Genentech, Reset Therapeutics, Alnylam Pharmaceuticals, Inc., Biogen, and P&G Beauty, some of which are reported to have pledged or paid tens of millions of dollars in return for access to certain datasets through 23andMe’s research platform.

Customers participating in either company’s research projects are not entitled to remuneration. However, both companies provide regular updates on the results of their research projects through their blog sites.

What steps are taken to protect the privacy of my data?

Both companies give some details about the precautions taken to protect customers’ privacy while their data are being used in research studies.

AncestryDNA’s consent document states, for instance, that participants’ data that are destined for research are digitalised and segregated from other datasets handled by the company, and protected by encryption as they are shared among researchers within the company. Data shared with third-party collaborators are also pooled and anonymised to prevent the identification of specific individuals. The document also notes:

The 23andMe consent document also outlines its procedures for segregating and anonymising participants’ data, using a double blind system to ensure that participant identifiers and contact information are kept separate from personal and genetic data at all times. In cases where data are shared with external research partners and in scientific publications, the data are summarised to minimise the chances that users’ personal information will be exposed. The company also notes:

What are the risks to volunteers?

AncestryDNA’s informed consent form contains only a brief statement about risks to participants, stating that there is no physical risk to volunteers, although results may “reveal information about you or your biological family”.

23andMe, on the other hand, states that participating in the research could imply some psychological risks: for example, participants and their biological relatives (who share some of the same genetic material) may feel “uncomfortable” upon learning about certain health risks in relation to their genetic makeup. The company also acknowledges the possibility that users’ data could be stolen and/or become public as the result of a security breach, thus potentially revealing genetic information about the user and his/her biological relatives.

Finally, 23andMe’s document mentions the possibility that users’ personal data might become identifiable through study publications, noting:

This possibility is also addressed briefly by AncestryDNA, who state that although data shared in the context of the research project does not include information that “traditionally permits identification” of participants, in future new ways might be found to reverse engineer de-identified genetic data to reveal the identity of donors. The company affirms:

Can I stop participating if I have second thoughts?

Both of the companies make it clear that participants have the right to withdraw from their research whenever they like. However, there are certain caveats to this process.

Both companies state that if users decide to withdraw from the project, their data will not be used in future research (although 23andMe’s consent document mentions that processing withdrawal requests may take up to 30 days). However, both companies also state that participants’ data cannot be withdrawn from ongoing studies, so that once their data have been selected for a particular research dataset, there is no limit to how long they may be used for in that particular study.




Update: This blog post was modified on 12 July 2017 to reflect that 23andMe currently claims to have over 2 million customers (the post originally stated that the company passed its 1 millionth customer mark in 2015), and to include details of AncestryDNA and 23andMe’s transparency reports regarding law enforcement agency requests for information. Thanks to Debbie Kennett for providing this additional information.
