Questions Arise Over Recently Passed Genetic Privacy Legislation

Image Credit: © Murrstock - stock.adobe.com

Over the past 3 years, 26 bills across 16 states were introduced to protect genetic privacy for direct-to-consumer genetic testing. There were 11 states that adopted these bills, often with near-unanimous bipartisan support.¹ The bills carry a promising title—the Genetic Information Privacy Act; however, this title may not be what it seems. Although the bills do offer sensible and important protections, there are areas within left open for interpretation, according to the authors of an analysis published by JAMA Network Open. Many of these areas fail to address some of the most important genetic privacy concerns raised by the public and those in medical and research fields.

Although it is encouraging to see so much legislative action being taken over these past 3 years, much of the current effort is driven by a model law developed by the Coalition for Genetic Data Protection, according to the study. The coalition’s membership includes just 2 companies, 23andMe and Ancestry. Given that the coalition is proposing regulation for its own industry, it is not surprising that these laws do not provide protections that fully address public concerns.¹

The model law is based on a 2018 report by the Future of Privacy Forum, an advisory partner of the coalition. The model law seeks to codify legal principles including transparency, consent, and security for consumer genetic testing services. Under the model act, companies must provide clear notices of their privacy practices that are written in plain language and must obtain express consent from consumers for numerous practices, including the collection, sharing, and continued storage of their genomic data, as well as other activities, such as marketing. Consumers must be able to revoke their consent and have their biospecimens destroyed. Companies also are required to establish strong security protections to minimize risk of unintended disclosure.²

At first glance, the enforcement of these regulations seems to be all-encompassing; however, there is still interpretation left open for consumers. Ultimately, a level of self-management is expected from consumers as they are expected to understand how their data are collected and shared and then make informed choices about whether to participate in the service.

The main concern with this is that the public generally does not read privacy notifications—across all industries, meaning that any consent to privacy practices is not truly informed. A recent study³ found that only 44% of people were aware that a company’s privacy policy can allow sharing of personal data. Misunderstandings of health data protections are even worse. Only 18% of people were aware that health-related apps are not barred from selling collected data to third parties.⁴

There is reason to believe this is a step forward, though. For example, a recently passed Maryland law offers a more robust model. Key elements of Maryland’s law include judicial supervision of use of genealogy testing for forensic purposes, affirmative consumer consent for use of data, and protections for third parties believed to be related to a suspect.⁵ There are other examples of more robust privacy laws as well, following the same general principles.

The bottom line is that ultimately more needs to be done in this space to protect consumers, according to the commentary. The enacted legislation does not robustly address the fact that third parties, particularly law enforcement and insurers, can still access and use consumer genetic data.

References

1. The Genetic Information Privacy Act: Drawbacks and Limitations. JAMA Network. October 31, 2023. Accessed November 2, 2023. https://jamanetwork.com/journals/jama/fullarticle/2811606
2. Future of Privacy Forum. Privacy best practices for consumer genetic testing services. Published July 31, 2018. Accessed November 2, 2023. https://geneticdataprotection.com/wp-content/uploads/2019/05/Future-of-Privacy-Forum-Privacy-Best-Practices-July-2018.pdf
3. Turow J, Lelkes Y, Draper NA, Waldman AE. Americans can’t consent to companies’ use of their data: they admit they don't understand it, say they're helpless to control it, and believe they're harmed when firms use their data—making what companies do illegitimate. Published February 15, 2023. Accessed November 2, 2023. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4391134
4. Gupta R, Iyengar R, Sharma M,et al.Consumer views on privacy protections and sharing of personal digital health information. JAMA Netw Open. 2023;6(3):e231305. doi:10.1001/jamanetworkopen.2023.1305
5. Ram N, Murphy EE, Suter SM. Regulating forensic genetic genealogy. Science. 2021;373(6562):1444-1446. doi:10.1126/science.abj5724