Last week the California legislature passed an important first step in protecting the American public from itself. The Genetic Information Privacy Act (GIPA) helps fill a gap in U.S. healthcare privacy that most people don’t know exists. The Act places obligations on consumer companies that collect DNA samples from their customers, requiring these companies to protect that information and only to use it for limited purposes without explicit consumer consent.
The well-known HIPAA law and regulations protect the privacy of many health-related tests, but HIPAA only applies to entities providing medical care. So giving health information to determine whether you are descended from Danes, Hausa, or Cherokee, or to find out from a weight loss company whether you have an inclination toward eating sweets, is not protected in any manner under Federal and nearly all state laws. The company taking your DNA can use it against you, can give it to the police for searchable databases putting your entire extended family in the crosshairs, or sell it to insurance companies who can discriminate against you based on your inherent physical make-up.
GIPA addresses some of these concerns. It targets the companies that offer consumer-initiated genetic testing or otherwise analyze DNA provided by consumers, but exempts licensed providers diagnosing or treating medical conditions. The law requires that unlicensed testing companies obtain the consumer’s express consent for the collection, use, and disclosure of genetic information – this includes separate consents for transfers of the DNA data to others or marketing to the consumer bases on DNA results. Under this Act, if a consumer chooses to revoke her consent, then any biological samples provided by that consumer must be destroyed within 30 days.
The California Legislature included a data protection requirement and a prohibition from discriminating against consumers for exercising their DNA privacy rights. Like a law passed earlier this year in Florida, GIPA prohibits consumer DNA collections from being sold or otherwise disclosed to entities making decisions regarding employment, health insurance, and life insurance. Companies that violate GIPA could be subject to civil penalties.
The Florida DNA privacy protection law passed this summer is much more limited, essentially extending federal prohibitions against health insurance providers accessing results from DNA tests to cover direct-to-consumer DNA collection. The law targets exclusionary insurance procedures and raising fees on policy-holders due to DNA information gathered from the recreational DNA industry. According to the National Conference of State Legislatures (NCSL), Florida is among 16 states that require informed consent for a third party to perform, require or obtain genetic information, among 24 states that require informed consent to disclose genetic information, and among five states that define genetic information as personal property.
Who would give their DNA to a company as part of a consumer transaction with no legal protections over the crucial information to all of that person’s physical being and much of behavior? Apparently many people would. According to Bloomberg Law, consumer genealogy leaders 23andMe sold 12 million kits through 2019 and Ancestry has over 18 million people in its DNA network. Weight loss companies like Jenny Craig and Weight Watchers are now offering dubious benefits in exchange for customer’s DNA samples.
In books and in this blog I have previously covered the lack of privacy protections for this recreational DNA industry, including a call for state legislation and an impassioned plea for Americans to test their DNA through their doctors – where the results are protected by law and you will be given a meaningful analysis – rather than through charlatans who provide little but entertainment and may use or sell your DNA for any purpose.
The case became more urgent this summer as the nation’s largest private equity company, Blackstone, announced that it was paying $4.7 billion to acquire Ancestry.com. The only part of the target company that would be worth that much money was the huge DNA database that could be mined, analyzed, used for biological and pharma research, and sold to anyone for nearly any purpose. 23andMe had already announced sales of its customers’ DNA data to the pharma industry.
In a CBS News article on why private equity firms would want your DNA, New York University School of Law privacy professor Erin Murphy said, “Private equity firms have businesses across industries with a duty to their investors to maximize profits, and the whole idea for collecting a large amount of personal data is to leverage it across different business lines.” She also noted the permanence of this biometric information, saying, “You can change your credit card information or even your name. You cannot change your DNA.”
Google and others are currently using DNA from health care companies to develop and train artificial intelligence and likely for other reasons. As more big companies see synergies in building huge DNA databases which include the basic building blocks of your life, legislators like those in California need to build protections for consumers. Once your DNA is included in the database for Google, Blackstone, Merck, or the FBI, there is no removing it – and no way to change it.