The aspirations of private genetic testing to aid self-discovery, improve medicine, or advance research often obscure a multimillion-dollar market for customers’ genetic data. This market’s legality and operation is founded on testing companies’ promise that in selling individual genetic information, they will still guard their customers’ privacy. These companies rely on the techniques of de-identifying and aggregating data to create massive genetic databases that they can sell to both public and private researchers. By selling deidentified, aggregated data, these companies avoid nearly all regulations limiting the collection and disclosure of medical information. Instead, customers are promised that internal measures can assure “privacy by design.” At least 26 million people have already been tested by private companies and their data is sold on this promise: their privacy will be preserved.
However, a growing body of research indicates that genetic information is exceedingly difficult to “de-identify” because an individual’s DNA sequence and other genetic data are some of the most identifying pieces of information about them. Multiple researchers have been able to use publicly available, supposedly “de-identified” genetic data and trace it back to the individuals who donated their DNA. Moreover, private companies like AncestryDNA (Ancestry) and 23andMe have based their business models on being able to sell customer genetic data, relying on de-identification and aggregation to justify their lack of regulation and the continued operation of a private genetic data market. As this market grows in size, it is also attracting more and more interest from insurance carriers, employers, law enforcement, and a host of other groups who see new potential in acquiring individuals’ genetic data.
This Note argues that to prevent the most damaging consequences of the trade in genetic data, U.S. law should impose tailored fiduciary duties on private genetic testing companies to ensure that their business practices do not harm their own customers. These testing companies rely on their customers’ genetic information to turn a profit, while all of the risk of this information’s exposure or misuse falls on customers. This Note will proceed as follows: Part I will describe the fundamental difficulties of de-identifying and aggregating genetic data to the point that it cannot be reidentified; Part II discusses how de-identification and aggregation serves to obscure customers’ rights in their own genetic data while allowing testing companies to evade federal privacy laws; Part III argues that Ancestry and 23andMe, genetic testing’s two largest companies, use privacy agreements that largely deprive customers of any rights in their genetic data in order to keep the data marketable to as many buyers as possible, and Part IV argues that the concept of an information fiduciary should be applied to private genetic testing companies to counter these companies’ massive informational advantage over their customers and to guard against genetic data’s potential for abuse.
To read more, click here: Demanding Trust in the Private Genetic Data Market.