Genetic-testing companies that have decoded the DNA of millions just introduced new guidelines to protect data privacy.


But those best practices failed to address a major concern: what happens to customers’ data that is shared for research with pharmaceutical giants, academics and others, often for a profit.


Just how lucrative the business of genetic testing is came into light last week when British drugmaker GlaxoSmithKline Plc agreed to buy a $300 million stake in 23andMe Inc., gaining access to anonymized data with the hope of identifying new targets for drugs. That kind of data — stripped of identifying details and aggregated — isn’t strictly subject to new rules in the guidelines unveiled this week. That means consumers will still have little way to know when and how their information is combed for research.


“This new policy is a positive step forward in the sense that it’s starting a conversation,” said James Hazel, a researcher at Vanderbilt University in Nashville, Tennessee, who recently surveyed the privacy policies of 90 direct-to-consumer genetic-testing companies. “The glaring gap is that it doesn’t apply to de-identified genetic data.”


Amid increased public focus on privacy, the largest genetic-testing companies had already taken action — for instance, by providing annual reports on requests from law enforcement. The new guidelines reflect those efforts.


‘Important Step’


“It’s a really important step forward for the industry, to take a stand as an entire industry to say individual privacy is important to us,” said Kate Black, 23andMe’s chief privacy officer.


Ancestry and Helix, another DNA-testing company, echoed Black’s comments.


“This is really a jumping-off point,” said Elissa Levin, Helix’s director of clinical affairs and policy, who worked on the guidelines. “We know privacy is a large issue.”


Under the guidelines, genetic-testing companies must obtain “express consent” before sharing an individual’s data with third parties. They can’t hand it over to employers, insurance companies, educational institutions, or government agencies without being legally compelled.


That addressed mounting concerns that a company could share a customer’s information with the authorities — an issue that became front and center in recent months after police combed an open-source genealogy websites to track down a suspect believed to be the Golden State Killer, a serial murderer and rapist who terrorized California in decades past.


But most genetic-testing companies, like social networks before them, have also made a business out of DNA data collected from customers. They have partnerships with companies like Glaxo or Pfizer Inc., giving access to their trove of data for research.


Typically, customers must opt in to having their data shared for research by signing separate consent polices. When shared for research purposes, the information is usually anonymized and aggregated. That data is exempt from transparency rules in the new guidelines, as the anonymity is supposed to protects customers.


Without more insight into how consumer data is being anonymized, though, it’s difficult to tell how secure it really is, said Marc Beebe, senior director of strategic research, public imperatives, and corporate development at the Institute of Electrical and Electronics Engineers, a trade association.


Fine Print


For consumers, the risk of exposure is in the fine print. “There is a very small chance that someone with access to the research data or results could expose personal information about you,” 23andMe says in its policy.


Some companies already pledge to provide additional insight. 23andMe, for instance, says it will notify customers should it seek to include their data in research on “sensitive topics” such as sexual orientation or drug use. The new industry guidelines, however, don’t call for specific transparency in how research data is used.


The best practices, developed with the help of Washington-based think tank Future of Privacy Forum, also suggest companies provide clear instructions on how to delete an account. Under federal law, a company that offers health-related DNA analysis can’t delete genetic information.


Three federal agencies — the Food and Drug Administration, the Federal Trade Commission and Centers for Medicare and Medicaid Services — have some oversight over the booming U.S. genetic-testing industry.


The industry effort, said 23andMe’s Black, is an attempt to “fill the void of a lack of clear legal standard.”


The guidelines could lead to more scrutiny from regulators.


“Generally speaking, if a company fails to keep their promises to consumers — whether they made those promises in website privacy policies or by signing onto industry best practices — they could be subject to FTC law enforcement action,” said Juliana Gruenwald, a spokeswoman for the agency.


While no policy could ever eradicate risks for consumers who agreed to give their DNA, the industry guidelines are attempting to address some of the biggest fears. They forbid marketing based on DNA data or require setting up instructions for what should happen to users’ data after they pass.


“What remains to be seen is whether this will be widely adopted in the diverse direct-to-consumer genetic-testing industry,” said Hazel, the Vanderbilt University researcher. “The industry leaders involved in producing this document, while certainly occupying a large market share, represent only a small fraction of the many companies offering these services.”