Getting your DNA sequenced is now so cheap and easy that you don’t need to see a medical professional. A variety of online companies are offering direct-to-consumer (DTC) genetic tests for health or recreational purposes. These tests claim to detect a wide range of characteristics, from the risk of diseases such as breast cancer or Alzheimer’s or other conditions such as baldness, to specific talents or even romantic compatibility. But when you purchase one of these tests there’s a good chance you don’t know everything you’ve agreed to.
The DTC industry is new, growing and largely unregulated. As with many online companies, genetic testing firms rely on contracts to govern relations with their customers. Contracts are everywhere online, appearing as terms and conditions that you agree to with a click of a button or even just by browsing a website – and so they are known as clickwrap or browsewrap contracts.
Whether logging into Facebook or downloading a film, you’ve probably “signed” one of these contracts, perhaps without even realising. But do you have any idea what you have agreed to? Avoiding the internet completely is now practically impossible for most of us, yet the content of the contracts we enter into is to a large extent unknown. After all, who has the time to read all these documents, which can be many tens of pages long? Amazon’s and iTunes' contracts are longer than Hamlet and Macbeth respectively. Even if the contracts are displayed clearly on a website you may not notice them.
It’s the same when you purchase a DNA test online. DTC contracts and privacy policies often resemble those of large internet firms, using standard terms that are not tailored to the services they offer. Under UK and EU regulations, some of these contracts may even qualify as containing unfair terms.
Serious privacy risks
Having read and reviewed 71 contracts of DTC companies that provide health tests in the course of my doctoral research, I believe consumers need to be more aware of what they are getting into. Aside from the dubious reliability of some of the claims made by some companies, online genetic testing raises serious privacy and information security issues. When DNA is sequenced and stored, it can serve as a unique way to identify you, and potentially your (known and unknown) relatives.
Your DNA could reveal things that could significantly affect your lifestyle and that you may not want others to know. This could include your potential risks for diseases such as Alzheimer’s, cancer and diabetes, or other traits such as how likely you are to become addicted to different substances. In fact, as genomic science is progressing so rapidly, we don’t yet know the limits of what your DNA might reveal.
We also increasingly use biometric data in security systems, and your sequenced DNA might one day be used in this context. If your genetic code was linked to your bank account you might not want this stored insecurely or shared widely without safeguards. You can change a bank account password, but you cannot change your genetic sequence in the same way.
At the same time, industry doesn’t have a great track record in using and storing sensitive information. Yet companies often acquire significant intellectual property rights through their contracts. By entering into these contracts, you will often be effectively relinquishing some of your rights to your DNA sample and sequenced data.
Who can access your data?
So you need to know how companies store your data, how long they store it for, who has access to it, who they will share it with, and what purposes they will use it for. It could be sold on to third party companies for marketing purposes, allowing them to target you based on the highly personal information contained in your DNA.
There are also the questions of what happens if the company is sold or dissolved, or if its servers are hacked and the data stolen? And what happens if you change your mind and want your information deleted? Imagine that in a moment of doubt you purchased a test for infidelity or paternity. You may object to your child’s DNA being stored indefinitely so you would need to know for how long the sequenced data will be kept.
Worse still, reading the contract in full may not actually protect you. It is common to include clauses allowing the company to alter terms at any time, often without notice to you. This means that even if the contract seemed acceptable when you clicked “I agree”, they could later use your data in ways you might not like. This could even mean sharing it with marketing companies, your employer, your insurer or with law enforcement.
While you may not think you have time, you really should be reading the small print if you’re thinking about genetic testing. And given the nature of these services, we really need more effective regulation to protect consumers. I hope that contracts will be improved in the future, but we need to be more aware of terms and conditions online, not just in the DTC context, but in everything we do.