DNA testing companies launch new privacy coalition

Genetic testing companies are forming a new coalition on best practices for handling DNA information and to promote the industry in Washington as lawmakers put more scrutiny on their privacy practices.

Three companies — Ancestry, 23andMe and Helix, which provide DNA testing and analysis — formed the Coalition for Genetic Data Protection, first reported by The Hill. 

{mosads}“Given the high focus that data privacy has currently in Congress, it was important for companies who are doing right by their customers on data privacy make their voice heard,” said Steve Haro, a principal at Mehlman Castagnetti Rosen & Thomas, who is serving as executive director of the coalition.

Haro said the coalition would allow the industry to “let Congress know what the best practices are for protecting customers’ data and also to show their customers that they’re deserving of their trust.”

The move comes as genetic data companies are becoming increasingly popular in the U.S., with consumers turning to the tests to learn more about their family history. But the companies are also under the microscope on what they do with the vast amounts of DNA data they collect.

As of January, more than 26 million consumers have added their DNA to the four leading commercial ancestry and health databases, believed to be Ancestry, 23andMe, MyHeritage and Family Tree DNA, according to MIT Technology Review.

Questions intensified after law enforcement officials in California used an ancestry database to help identify the Golden State Killer, a serial killer and rapist who eluded authorities for decades. The suspect was identified in 2018 after police used a database to find the killer’s relatives. In cases across the country, police have used ancestry testing data to help identify other suspects.

Following the controversy, the largest ancestry companies said they wouldn’t allow police to access their databases without a warrant. But privacy advocates said more safeguards were needed.

“Even if companies take these much-needed steps, the onus remains on government actors to protect our rights,” wrote Vera Eidelman, an attorney on the American Civil Liberties Union’s Speech, Privacy and Technology Project. “We shouldn’t have to rely on changeable company policies to protect such private information.”

“The stories that are out there tend to focus on bad actors or methods that law enforcement use,” Haro told The Hill. “These companies do not work hand and hand with law enforcement.”

The industry is taking steps to set out its own best practices to get ahead of any potential regulation.

In July 2018, Ancestry, 23andMe and Helix teamed up with the Future of Privacy Forum to publish a white paper on Privacy Best Practices for Consumer Genetic Testing Services.

“If Congress is going to codify anything around genetic data, this is what we want them to look to,” Haro said. “In order to be a member of this coalition, your company has to adopt and adhere to these best practices. That is part of the bylaws.”

{mossecondads}The issue has the attention of Congress.

Senate Minority Leader Charles Schumer (D-N.Y.) called on the Federal Trade Commission in 2017 to ensure that the privacy policies of DNA test kits are transparent and fair to consumers.

“We don’t want to impede research, but we also don’t want to empower those looking to make a fast buck or an unfair judgment off your genetic information. We can find the right balance here, and we must,” Schumer said at the time.

But Congress hasn’t officially acted on genetic testing issues since passing the 2008 Genetic Information Nondiscrimination Act, which prevents a person from being discriminated against by an employer or insurer over their genetic information.

California state lawmakers have debated bills to prohibit companies from sharing genetic information without permission. The Florida Senate debated a bill earlier this year to block life insurance companies from using genetic tests to determine coverage, but that bill died in committee.

John Verdi, the vice president of policy at the Future of Privacy Forum, said the think tank would like to see widespread adoption of the white paper’s practices within the industry.

“I do think it’s incumbent on leaders in the industry, companies in the industry, policymakers, to ensure that individuals are educated about both the benefits and the risks in each of these circumstances,” Verdi said.

Ancestry’s chief privacy officer, Eric Heath, said the company, like its customers, views privacy concerns as “increasingly vital” and called for federal data privacy legislation.

“Of course we would welcome comprehensive privacy legislation that would be preemptive in nature so that we could have a uniform set of rules to abide by,” Health said

Lawmakers are working on drafting a privacy bill in Congress as states begin to pass their own tough laws. Ancestry, which is based in California, is preparing to comply with that state’s new privacy law.

“When it comes to the federal government, we would like to see a harmonized approach and the purpose of the coalition is to make sure that as that harmonized approach is attempted,” Heath said, “that genetic data is understood and that our industry is understood and that we don’t get swept in with other industries or other context in a way that would negatively impact our business.”

The companies have also boosted their lobbying presence.

Ancestry spent $50,000 on lobbying so far in 2019, all with Monument Advocacy.

23andMe has spent $70,000 on lobbying in 2019 and has four firms on retainer. The company was founded 12 years ago and is focused on genetic health information.

“As the legislative interest has risen this year on both the federal and the state level, we all found ourselves getting questions from legislators and staffers,” said Kathy Hibbs, chief legal and regulatory officer for 23andMe. “We’re forming the coalition in order to provide interested legislators as well as the public and press with a single voice on these issues because we do agree on the importance of these issues.”

Another issue for gene testing companies is how to use the data they obtain going forward for research purposes.

Hibbs said 23andMe seeks proactive consent for using gene data for research, while others are using data they obtain without explicit consent for health research.

“I think the legislators, as they work through these issues, just need to be aware … not everybody has those same policies that many might find suspect,” she said.

Helix, which was founded four years ago, spent $120,000 on lobbying in 2018, all to Mehlman Castagnetti. It has no firms on retainer for 2019 yet.

Elissa Levin, Helix’s senior director of clinical affairs and policy, said the company joined the coalition to help push forward unified privacy standards.

“We really want to be able to make sure that there is federal legislation that is able to provide that umbrella and that guidance so that we can all align and really set standards,” Levin said, adding that it was important legislation “doesn’t undermine real innovation and … the progress that can result from genetics and genetic research.”

The coalition could also grow.

Hibbs said 23andMe is open to other companies joining the coalition, but they would have to agree to adhere to the best practices in the white paper to join.

“We want to essentially ensure that as lawmakers go about their jobs that they understand what we do and how we do it,” Heath said, “so that the rules that apply to us are crafted not to impede innovation or the ability of the businesses to succeed.”