As DNA testing services kicked off their sales last Thanksgiving weekend, US Sen. Charles E. Schumer of New York issued a warning about the possible dangers of testing. “Popular at-home DNA test kits are putting consumer privacy at great risk,” according to a Nov. 26, 2017, statement in the senator’s online newsroom. “Different policies amongst the most popular DNA kit firms grant unknown third parties broad access to your most sensitive info.” The release accuses AncestryDNA, in particular, of claiming the rights to monetize customers’ DNA without revealing how they’ll do so. Schumer calls for the Federal Trade Commission to “ensure that the privacy policies of all DNA test kits are clear, transparent, and fair to consumers.”
A few months later, news broke that California police used genetic genealogy to identify the Golden State Killer, whose rape and murder spree terrorized the state in the 1970s and 80s. Privacy advocates warned that genealogists could become unwitting informants against their relatives—even their yet-unborn grandchildren and great-grandchildren.
It’s true that even basic consumer DNA tests can reveal a lot about you: your ethnicity, how you’re related to other test-takers and some physical and health traits. Your testing company does have access to this information, as well as any personal data in your member profile. They might use customer data for medical or genetic research. And, yes, your DNA results can potentially identify relatives (even future descendants) who are “persons of interest” in criminal investigations.
Should you be worried that your genetic genealogy test—or that of a relative—could put your privacy at risk? In this article, the “Legal Genealogist” Judy G. Russell offers answers to your questions about DNA testing and privacy, along with some guidelines to help you make decisions about DNA testing and using your results.
Q. What determines how companies can use your DNA test results?
A. Several different types of rules may be in place: laws, terms of service (TOS) agreements, genealogical ethics and your own good sense. Laws in the United States, Europe and elsewhere provide some level of protection for your DNA results. They may control whether an employer or insurance company can use a genealogical DNA test to make decisions about employment or benefits, and whether law enforcement agencies need court approval to obtain your data (see page 52 for more on this). But these laws aren’t in place everywhere, and they don’t cover every possible use of your DNA.
TOS agreements—also called “terms and conditions”—are rules companies and websites put in place to which you must agree in order to use their services. Just about any genealogy website has TOS, whether you’re purchasing a DNA test kit or subscribing to a website where you search for ancestors’ old records. These agreements affect your legal rights, so you should always read them (see page 50 for more details on TOS). Clicking that little box to agree to a company’s TOS is akin to signing a contract, and it’s generally enforceable by the terms of contract laws.
Q. Do any laws protect you from misuse of your genetic information?
A. The answer varies depending on where you live. Laws around the world are pretty much a patchwork, and they can change in unpredictable ways.
In the United States, current federal laws offer a fairly low level of protection against misuse of your DNA test results. The Genetic Information Nondiscrimination Act of 2008 says health insurers can’t use genetic tests to refuse (or charge more for) coverage, and companies with more than 15 employees can’t use them to discriminate at work. But life, disability and long-term care insurance isn’t included in this law, and small employers aren’t covered either unless a state law steps in to fill the gap.
In Europe, the new General Data Protection Regulation directly controls access to genetic information. Elsewhere, tests and test-takers are subject to the laws of each country. And of course, you may give up some or all of these legal protections when you agree to a testing company’s TOS.
Q. Do you have to agree to a DNA company’s terms of service?
A. Yes, if you want to use the services of that particular DNA company. TOS are offered on a take-it-or-leave-it basis, whether you like it or not and whether you think it’s fair or not. The TOS may offer you options about whether your results can be used for medical research, but you’ll still have to sign the TOS before you can register for the site. So particularly when it comes to DNA testing, please stop, read the terms carefully, and be sure you can live with them before you check that “Agree” checkbox.
Q. What rights do you give up when you test with a genealogy DNA testing company?
A. Every DNA testing company has its own TOS, and provisions vary. They all have one thing in common: You grant the company the right to analyze your DNA and use it, combined with the results of all other testers, for basic research. At AncestryDNA, for example, agreeing to the TOS means you give AncestryDNA the right to “perform genetic tests …; compare your DNA results with other DNA data in the Ancestry database…; disclose to you, and others that you authorize, the results of the tests performed; [and] allow certain … laboratory partners to use … samples to calibrate or validate instruments, equipment, or laboratory methods… .”
Customers also must agree that AncestryDNA can use their results in “studying aggregated Genetic Information to better understand population and ethnicity-related health, wellness, aging, or physical conditions; conducting scientific, statistical, and historical research; and, improving features and functionality in our existing DNA-related products…and building new products and services, including services related to personal health and wellness.” This means customer results can be used in research to provide and improve the DNA testing product. You’ll see essentially the same terms at any of the testing companies, including 23andMe, MyHeritage DNA, Family Tree DNA and Living DNA.
To withdraw permission for a testing company to use your results according to the TOS, you have to ask the company to destroy your sample and remove your test results from its database.
Q. Does the testing company claim ownership of your DNA?
A. No. You own your DNA and your test results. You’re giving the company permission to use results for limited purposes. It’s like allowing a cousin to publish a picture you took in a family history book: You still own the photo, but you’ve licensed its use to someone else.
The MyHeritage DNA TOS explain this well: “We do not claim any ownership rights in the DNA samples, the DNA Results and/or the genetic information in the DNA Reports. Any genetic information derived from the DNA samples, the DNA Results and/or appears in the DNA Reports continues to belong to the person from whom the DNA was collected, subject only to the rights granted to MyHeritage in this Agreement.”
Q. What about third-party websites like GEDmatch, Promethease or DNA.Land? Do they have TOS, too?
A. Yes, they do, and the TOS make it clear that your data doesn’t have as many protections as it might at a testing company:
- GEDmatch, a site that lets testers compare results across companies, bluntly says in its TOS: “…if you require absolute privacy and security, we must ask that you do not upload your data to GEDmatch. … While the results presented on this site are intended solely for genealogical research, we are unable to guarantee that users will not find other uses. If you find the possibility unacceptable, please remove your data from this site.”
- Promethease, which compares DNA markers to medical databases, notes that its system was designed to maximize privacy, but adds: “Visitor uses this information and related software at their own risk.”
- DNA.Land, which provides genetic reports in return for participation in research, says in its policy statement, “We will do our best to protect the information you provide to us. Despite our efforts, we cannot guarantee that your identity and/or data will never become known, which could have significant implications in some scenarios. We estimate that the risk for such a confidentiality breach is low but not zero.”
Q. Is there any way to be completely safe online with my DNA data?
A. Yes—don’t take a test. There’s no way to be 100 percent sure that your data won’t ever be exposed in a way you wouldn’t like. DNA testing inevitably involves a trade-off: You have to share information with DNA cousins in order to use this tool effectively in your research, and that means accepting some level of risk.
Q. Are testing companies selling our DNA data to pharmaceutical companies or other organizations?
A. Some testing companies have partnered with pharmaceutical, medical and other research firms and will use anonymized, aggregated data to try to make scientific breakthroughs. You have the option to fill out an online consent form (separate from the TOS you must agree to) that allows the testing company to disclose personally identifying information, which can be helpful in researching diseases with a genetic component.
23andMe explains that it may share anonymous, aggregated information such as “‘30 percent of our female users share a particular genetic trait,’ without providing any data or testing results specific to any individual user.” It also makes it clear that it “will not sell, lease, or rent your individual-level information (i.e., information about a single individual’s genotypes, diseases or other traits/characteristics)…without your explicit consent.”
Similarly, AncestryDNA explains, “We share your Genetic Information with research partners only when you provide us with your express consent to do so through our Informed Consent to Research. Research partners may include commercial or non-profit organizations that conduct or support scientific research, the development of therapeutics, medical devices or related material to treat, diagnose or predict health conditions.” At Family Tree DNA, individually identifying information is disclosed only to research partners with express consent of the test taker.
Q. What does this additional research consent involve?
A. The research consents that some companies ask for allow them to use and disclose personally identifying information to their research partners. That includes individual DNA results for a variety of research purposes, including medical and pharmaceutical research. At 23andMe, that consent covers test results, age, ethnicity and health information provided by consumers. At AncestryDNA, the consent covers DNA samples, test results, personal and family health information provided by testers, medical conditions, diseases, lifestyle or other traits and family tree data. Those who consent receive no financial benefit for participating in research, even if the research results in commercial products.
Q. Do you have to give consent to this research in order to take a DNA test?
A. No. Unlike the TOS to which every test-taker must consent, this additional level of research consent is voluntary. You can say no and, if you begin by saying yes, you can change your mind later on and opt out of further research by third-party companies.
Q. Does withdrawing consent wipe out all your data?
A. No. The hitch is that all of the companies combine your data with the data of all others who test (with identifying information stripped off) to conduct scientific research. Because identities are removed from the data, the company can’t pull back an individual’s data once it’s been combined with that of other testers. And once you consent to use of personally identifying information in a research study, the company can’t pull that back either.
Q. How can law enforcement use your DNA information?
A. Law enforcement can use genealogical DNA test results to identify suspects, in the same way you might use your results to identify a cousin or a birth parent. In the Golden State Killer case, police had a lab generate a DNA profile from crime scene DNA. They uploaded the profile to GEDmatch, a free DNA analysis and matching site (not a testing service) that works with users’ raw DNA data.
They researched the family trees of matches until they found a descendant who fit the killer’s profile. They then confirmed the identification using DNA from the suspect. The same strategy also can be used to identify “John Doe” and “Jane Doe” crime victims and unclaimed remains. Laws governing these uses aren’t fully developed and the courts may have a lot to say as time goes on about what constitutes proper use of genealogy databases.
Q. Do company TOS address criminal investigations?
A. Each testing company’s TOS states the company will comply with lawful court orders requiring them to disclose information about individual test takers. For example, Family Tree DNA notes that it “may be required by law to comply with a valid court order, trial, grand jury, subpoena, or search warrant for genetic or personal information.” This doesn’t necessarily mean DNA results; it may refer to member names and residences. (DNA samples stored at genetic testing companies don’t have the documented chain of custody necessary for use in court.)
In its TOS, 23andMe says it may “disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to … comply with legal process (such as a judicial proceeding, court order, or government inquiry)… .”
Q. Do testing companies encourage police to use genealogical tests?
A. Not at all. In fact, 23andMe’s web page for law enforcement states that “use of the 23andMe Personal Genetic Service for casework and other criminal investigations falls outside the scope of our service’s intended use.” But testing companies may not be able to stop such use. The TOS require people who submit tests to guarantee the samples they submit are theirs (or that they have legal authority over them). Courts may rule that police have legal authority over crime scene samples, and may rule that they don’t have to identify themselves as police if they submit crime scene profiles to DNA databases.
Q. Is this happening a lot?
A. No. Through 2017, AncestryDNA had received one search warrant relating to the identity of a DNA tester from a public database, and in 2018, Family Tree DNA received one law-enforcement request.
This method of identifying criminal suspects may become more common. Shortly after the high-profile Golden State Killer arrest, Snapshot DNA Analysis launched with renowned genetic genealogist CeCe Moore on staff to help investigators identify DNA samples. GEDmatch reminded its users that “It is important that GEDmatch participants understand the possible uses of their DNA, including identification of relatives that have committed crimes or were victims of crimes. If you are concerned about non-genealogical uses of your DNA, you should not upload your DNA to the database and/or you should remove DNA that has already been uploaded.”
Q. I’d like my relatives to take DNA tests for my research, but I’m worried privacy concerns will scare them off. What can I do?
A. Ethics is at the core of DNA testing. It’s crucial that when you test or ask others to test, you’re doing it only with “informed consent.” At a minimum, anyone who tests has to be aware of and consent to the risks—not just related to privacy, but also the risk of learning unexpected information about themselves and their families. That includes misattributed parentage, adoption, unknown heritage, health problems, previously unknown family members, and errors in family tree research.
Other risks include breaches in privacy or security. There’s no way to guarantee DNA results will always be protected, identities will never be known, a testing company’s security won’t fail, or a third-party database won’t be hacked. Anyone who tests must personally and individually consent to these risks—including relatives who test at your request, or whose test results you may manage online. You can’t ever consent for someone else unless you’re the parent or legal guardian of that person, acting with full legal authority.
Q. What does informed consent mean when it comes to sharing results?
A. It means, in a word, permission. Get informed consent before sharing what you learn through DNA testing. Never share anything about living people without their approval. That includes names, addresses, emails, all aspects of the DNA results themselves, and more. If you’re taking a screenshot of your results, blur out your matches’ names and emails (if you haven’t gotten their permission to share their information in this way). Don’t publish any identifying information about them, even in email or social-media posts, unless they agree. And never upload another person’s DNA test results to another website (like GEDmatch, Promethease, DNA.Land or another testing company’s website) without getting the test-taker’s permission.
Q. How can I ensure I have a relative’s informed consent?
A. Leading genetic genealogists including Blaine T. Bettinger, author of The Family Tree Guide to DNA Testing and Genetic Genealogy, have created templates to help you explain the risks and benefits of testing. They also have space for a relative’s signature as proof of permission. You’ll find examples and a link to Bettinger’s form on the International Society of Genetic Genealogy wiki. These templates aren’t intended as legal advice—only a lawyer can provide that—but they do give you a starting point.
Q. Where can I get more information on DNA and privacy issues?
A. Genetic Genealogy Standards, a free guide by a team of genealogists and geneticists, covers most ethical concerns about testing and sharing results. Another free guide that applies to all genealogical research, not just DNA testing, is the National Genealogical Society’s Guidelines for Sharing Information with Others. Once on their site, look under Research References, then select NGS Guidelines. The best guide of all to respecting DNA privacy may be your own good sense of right and wrong. You know the Golden Rule: treat others (and their DNA) as you’d want yourself (and your own DNA) to be treated.