‘Golden State Killer’ Case Exposes Genetic Data Privacy Concerns

• Consumers don’t have privacy rights to genetic material turned over to third parties
• Genetic testing companies’ privacy policies control consumers’ DNA rights

Many people are turning over sensitive genetic data through common testing kits without recognizing privacy pitfalls, health care attorneys told Bloomberg Law.

Consumers have bought up DNA testing kits to find risks for certain diseases and to trace their ancestral history. The services have generated attention in recent days for a different reason—law enforcement officials used DNA testing services to track down the so-called “Golden State Killer” in California. Data collected from open-source genetic testing company GEDmatch, along with DNA information collected from the alleged killer’s garbage, led to the his capture in Sacramento.

Although not involved in the Golden State Killer case, popular genetic testing companies 23andMe Inc. and Ancestry.com Inc. also collect consumer DNA to provide ancestral and hereditary reports.

Consumers, however, shouldn’t expect a right of privacy when turning over their DNA to testing companies, Kirk Nahra, health-care and privacy partner at Wiley Rein LLP in Washington, told Bloomberg Law. Users of such products should be mindful of the company’s privacy policy when providing DNA, he said. Otherwise their information could be bought and sold to third parties or law enforcement without recourse, he said.

A federal health law, the Health Insurance Portability and Accountability Act (HIPAA), aims to protect patient information. But beyond HIPAA, there is generally no privacy right to consumer genetic data turned over to third parties, Nahra said. “When you have a non-HIPAA business collecting data, privacy policies control” consumer rights, he said.

Other than HIPAA, U.S. citizens don’t have a right to privacy in their genetic information. A doctor that collects genetic information in the course of patient care must abide by privacy protections under HIPAA, Nahra said. But, if consumers turn over the same genetic material to companies like 23andMe or Ancestry.com, they don’t have privacy rights in that data, he said.

Representatives for 23andMe and Ancestry.com didn’t immediately respond to Bloomberg Law’s email requests for comment on their privacy policies and data collection practices.

Legal Risks

Companies that collect DNA data to produce genetic reports for consumers must still be careful how they handle DNA and related data. The companies could face federal enforcement actions if they don’t abide by their own privacy policies, Joseph J. Lazzarotti, principal at Jackson Lewis P.C. in Morristown, N.J. and chair of the firm’s privacy, e-communication, and data security practice, told Bloomberg Law.

“You can’t just change data usage policies and would need to get additional consent” to further share genetic data to third parties or to a new company, Lazzarotti said.

The Federal Trade Commission, the U.S. lead privacy and data security regulator, provides oversight of companies’ privacy practices through its Section 5 authority under the FTC Act to regulate unfair and deceptive trade practices. The agency has used the power to go after companies that don’t live up to privacy promises.

Consumers can rely on the FTC to enforce rights under a privacy policy, Lazzarotti said. The FTC has done so in data security enforcement when there is inadequate security and would bring actions against companies that violate their privacy policies as well, he said.

The FTC has shown it will step in to enforce privacy issues when other federal regulatory authorities stay silent, Lisa Clark, health information technology partner at Duane Morris in Philadelphia, told Bloomberg Law.

In the early days of HIPAA enforcement, the Department of Health and Human Services and the Food and Drug Administration struggled to enforce privacy protections, Clark said. The FTC has more broad authority to act on behalf of consumers to enforce laws and regulations when other agencies doddle, she said.

Genetic testing companies should be acutely aware of their privacy policies if and when they attempt to sell consumer data, according to Lazzarotti.

Many privacy policies include exceptions to sharing or selling consumer data when reaching a deal with another company, he said. Companies, however, must be careful with these policies because the FTC has said that businesses must live by the privacy policy consumers consented to, he said.