23andMe, Ancestry and others agree to genetic privacy guidelines

They’ll obtain ‘express consent’ before sharing certain data.

A number of genetic testing companies, including 23andMe and Ancestry, have signed onto a set of guidelines that aim to address consumer privacy concerns, the Washington Post reports. The privacy best practices, drafted alongside the Future of Privacy Forum, state that companies should acquire "separate express consent" from customers before handing over their individual-level information -- like genetic data and personal information -- to certain third parties. The guidelines also say companies should disclose how many requests for information they receive from law enforcement. MyHeritage, Habit and Helix have agreed to the voluntary guidelines as well.

The move comes as recent events have put genetic testing companies in the spotlight, and specifically their policies on sharing customers' data. In April, California officials announced the arrest of Joseph James DeAngelo, a man suspected to be the elusive Golden State Killer. Law enforcement was led to DeAngelo after running a DNA profile obtained from a crime scene sample through the open-source ancestry site GEDMatch. Since then, reports have documented how GEDMatch has been used to solve a handful of other cases.

In those cases, the police weren't required to first obtain a warrant, and GEDMatch's privacy policy now expressly states that law enforcement can access the site's data in order to solve murder and sexual assault cases. But that sort of access has stirred a lot of privacy concerns, and other genetic sites, like 23andMe and Ancestry, have been clear that they don't give law enforcement access to their databases without a court order. "I don't think the average consumer has wrapped their head around the range of issues they should think about when they make a decision to share [DNA] data," Future of Privacy Forum CEO Jules Polonetsky told the Washington Post.

Per the best practices guidelines, companies will "attempt to notify consumers on the occurrence of personal information releases to law enforcement requests" unless they're legally required to keep it under wraps, by a gag order, for example. As for yearly law enforcement request disclosures, Ancestry and 23andMe already provide that information. Ancestry reported 34 valid requests in 2017 -- all of which concerned credit card misuse and identity theft -- and provided information in response to 31 of them. 23andMe says it has only received five such requests throughout its history, none of which were fulfilled.

The guidelines don't require companies to obtain separate consent when sharing anonymized user data with other parties. An example of such a use would be 23andMe's deal with GlaxoSmithKline, through which the genetic testing company will provide data to aid in the development of new drugs. In those cases, a company would need to have obtained prior consent to use customers' data for research, and 23andMe estimates around 80 percent of its customers have agreed to that type of participation.

These guidelines are all voluntary, and some think more stringent, legally binding rules should be implemented throughout the growing industry. But an FTC spokesperson told the Washington Post that if companies don't keep their promises, whether those are made through their own privacy policies or via best practice agreements, "they could be subject to FTC law enforcement action."