On January 12, 23andMe announced an agreement with Pfizer to provide the drug company with access to anonymous, aggregated information from consumers who bought 23andMe’s test over the past seven years to learn about their own genetic history.  This furthers 23andMe’s plan to become a repository for human genetic makeup and to turn data gathered from its $99 saliva tests sold to consumers into a large information sharing deals with drug companies.  However, the creation and use of this database raises potential privacy concerns.

About two-thirds of 23andMe’s 800,000 customers have agreed to let their test data be used for research.  23andMe collects deeply personal information which includes the customer’s genome, the information provided when registering for the site such as name and email, sex, date of birth, credit card number, and the results of any health or behavior-related quizzes on their site.  When consumers who bought the kit return to 23andMe’s website for results, they are prompted to answer more questions about themselves.  The company claims that the additional information can help researches make more connections about people’s characteristics and their health.

While 23andMe is not a covered entity subject to the Health Insurance Accountability and Portability Act (HIPAA) it has put in place certain privacy protections.   The company outlines their privacy obligations in a detailed privacy policy and only sells information from those customers who have given their consent to do so through a consent form.  The company removes customer names when selling data.  Customers of 23andMe give their consent by checking on a box and it is unclear if customers fully understand the repercussions of doing so.  Additionally, if companies such as 23andMe are able to make selling this information possible there are concerns that authorization for the customer’s names could be included on consent forms and then be included in future data sets in order to provide a better product to companies.

It is unclear how this type of data collection will be used in the future.  However, it will be important to ensure that consumer privacy is not eroded when the focus of the company shifts from providing genetic testing services to customers into providing large companies with databases of consumer information.