New laws leave consumers unprotected against third parties accessing their genetic data.
Over the past 3 years, 26 bills across 16 states were introduced to protect genetic privacy for direct-to-consumer genetic testing. There were 11 states that adopted these bills, often with near-unanimous bipartisan support.1 The bills carry a promising title—the Genetic Information Privacy Act; however, this title may not be what it seems. Although the bills do offer sensible and important protections, some areas within them are left open to interpretation, according to the authors of an analysis published by JAMA Network Open. Many of these areas fail to address some of the most important genetic privacy concerns raised by the public and those in medical and research fields.
Although it is encouraging to see so much legislative action being taken over these past 3 years, much of the current effort is driven by a model law developed by the Coalition for Genetic Data Protection, according to the study. The coalition’s membership includes just 2 companies, 23andMe and Ancestry. Given that the coalition is proposing regulation for its own industry, it is not surprising that these laws do not provide protections that fully address public concerns.1
The model law is based on a 2018 report by the Future of Privacy Forum, an advisory partner of the coalition. The model law seeks to codify legal principles including transparency, consent, and security for consumer genetic testing services. Under the model act, companies must provide clear notices of their privacy practices that are written in plain language and must obtain express consent from consumers for numerous practices, including the collection, sharing, and continued storage of their genomic data, as well as other activities, such as marketing. Consumers must be able to revoke their consent and have their biospecimens destroyed. Companies also are required to establish strong security protections to minimize risk of unintended disclosure.2
At first glance, the enforcement of these regulations seems to be all-encompassing; however, much is still left open to interpretation for consumers. Ultimately, a level of self-management is expected from consumers: they are expected to understand how their data are collected and shared and then make informed choices about whether to participate in the service.
There is reason to believe this is a step forward, though. For example, a recently passed Maryland law offers a more robust model. Key elements of Maryland’s law include judicial supervision of use of genealogy testing for forensic purposes, affirmative consumer consent for use of data, and protections for third parties believed to be related to a suspect.5 There are other examples of more robust privacy laws as well, following the same general principles.
The bottom line is that ultimately more needs to be done in this space to protect consumers, according to the commentary. The enacted legislation does not robustly address the fact that third parties, particularly law enforcement and insurers, can still access and use consumer genetic data.