Protecting Your Genetic Information: The New Frontier of Data Privacy
An important new law took effect in Illinois on January 1, 2020 – no, not that one. This law, rather, deals with the issue of genetic privacy.
Why is this issue important to the average person? The answer is simple – DNA, unlike other sensitive data such as Social Security numbers, credit card information and online passwords, is an immutable characteristic that cannot be changed. Genetic test results can provide information about a person’s ancestry and can also predict health conditions. In the right hands, this information might be useful, but in the wrong hands, this data can create all sorts of problems for an individual.
The Illinois Genetic Information Privacy Act
The new Illinois law is meant to address the exploding popularity of at-home DNA testing kits, which we wrote about last year. Companies such as Ancestry.com and 23andMe offer consumers a saliva-collection kit. The consumer provides their saliva to the company, and the company runs a DNA test and provides them with a report on their ancestry. Of course, even putting aside the questionable accuracy of the ancestry results, this means that the testing company now has your genetic information. And as we know, there are many other parties – law enforcement, insurance companies, and even hackers – who might be interested in obtaining your DNA information.
Illinois legislators recognized this in 2018 by amending the Illinois Genetic Information Privacy Act. The Act already barred health and life insurance companies from seeking information “derived from genetic testing,” and from using such information for underwriting purposes. The amendment took effect on January 1, and updated the definition of “genetic testing” to include direct-to-consumer commercial genetic testing companies. The amendment also bars these companies from sharing genetic testing information (or any other personally identifiable information) with insurers without the written consent of the consumer.
Why is This Important?
At first blush, there may appear to be no connection between genealogy websites and health insurance companies. Can somebody really end up being denied health insurance (or charged higher premiums) simply because a DNA test shows that they have a genetic predisposition to a certain illness? At the moment, no – the federal Genetic Information Nondiscrimination Act (passed by Congress in 2008) prohibits health insurers from doing this.
The Illinois law is broader in that it applies to life insurance companies as well. However, even putting aside the fact that it only protects citizens of one state, the issue of genetic privacy is much broader. The business model of consumer genetic companies like 23andMe entails selling purportedly anonymized, de-identified genetic information to “third-party research partners” such as drug companies. Unfortunately for consumers, human DNA is less “anonymized” than they may suspect. Scientists have repeatedly been able to unmask the identities of individuals with nothing more than portions of their genetic code and publicly available information. Even if you’ve never submitted your DNA to a genetic testing company, you may have a relative who has. Since family members share many genetic traits, your genetic data may be searchable anyway.
Of course, there are positive aspects to having this information available. In 2018, law enforcement used a genealogy website where people publicly share their full genetic information to track down and arrest the suspected Golden State Killer. The suspect himself had never shared his genetic information on the website, but a relative had.
Few people will be upset over an alleged serial killer being arrested. If law enforcement can use these publicly available databases to identify people, though, other less trustworthy parties will be able to as well. Hackers routinely target hospitals and medical providers, with tens of millions of patient records compromised in 2019 alone. While the scenario of hackers targeting and blackmailing individuals over illegally obtained genetic data might be farfetched, the bigger danger is having this material posted online or on the “dark web.” As experts have noted, once this material is hacked and on the web, it will very likely be used at some point, regardless of its origins.
So what can you do to protect your genetic information? As we noted last year, DNA test kits are a terrible idea for consumers. Beyond that, perhaps the best thing to do is simply to keep up to date on the ongoing debate over privacy laws and privacy rights. The Illinois law is a start, but this issue obviously cannot be dealt with on the state level alone. Some have suggested amending HIPAA – the federal U.S. health privacy law – to make its privacy rights applicable to consumer DNA testing companies. Another possibility is to require these companies to make their privacy policies clearer and more easily understandable to consumers, although that will still not guarantee that all consumers actually read these policies. In the long run, consumer awareness of the issues surrounding genetic privacy may be just as important as new (badly needed) laws.