Montana Nudges the Needle on Genetic Security

U.S. states are increasingly giving consumers more privacy rights over their digital information, but what about their biological data? Your email address and phone number are sensitive enough, but they pale compared to what’s in your DNA. Genetic information enables people to infer various things about you, from your predisposition to multiple diseases to whether you’re the thrill-seeking type or not.

Less than a quarter-century after we mapped the human genome, direct-to-consumer (DTC) genetic testing is a growth industry. According to YouGov, one in five Americans have already mailed in their DNA for testing. Over half of YouGov’s respondents felt that privacy was a worry, but tempted by the allure of an exciting new technology, they use DTC genetic services anyway.

These fears over genetic privacy are well-founded. Unlike a phone number, you can’t change your genes – and yet the privacy of your genetic information is largely unregulated. Now, thanks to privacy-conscious Montanans, that’s slowly changing. The state has passed a law called the Genetic Information Privacy Act that imposes strict rules for collecting and using genetic data.

The new law interprets ‘genetic data’ broadly to include not just any sequenced DNA but also any phenotype information from that sequencing, which enables people to predict behavior and physical characteristics. Beyond that, it also includes any self-reported information on health conditions that an entity uses for research along with that DNA data.

From October 1, when the law takes effect, any organization controlling genetic information must get the consumer’s consent to transfer, use, and retain it. The consumer must grant consent before the data is transferred to a third party for research.

Why Do We Need A Genetic Law?

When Consumer Reports tested well-known DTC genetics services, it found them generally responsible with customers’ DNA data. They didn’t sell the genetic data to data brokers and required customers to opt in if they wanted the data used for research. However, without appropriate laws, this relies mainly on their self-restraint. The report also noted that ‘research’ might cover some unexpected non-altruistic use cases, including internal product development, and that in many cases, non-DNA data about an individual, including health information, might be passed on, too.

The Consumer Reports investigation didn’t cover 1Health. In September 2023, the Federal Trade Commission settled with this DTC genetics company, formerly known as Vitagene, for mistreating consumers’ data. The Commission claimed that the company retroactively changed its privacy policy without informing customers, broadening the scope of third parties to which it would provide data. The expanded list included supermarket chains and nutritional supplement manufacturers.

According to the FTC’s complaint, 1Health/Vitagene also failed to de-identify customer data by storing it without their accompanying identity information, such as their names. It reportedly kept some customers’ genetic data along with other identifying information, including health reports and partial or full names. Some data was stored unencrypted in the cloud, the Commission said.

In any case, genetic information is especially difficult to anonymize. This notion – that the data can be somehow sanitized to avoid its use to identify a patient – is questionable. Simply storing the data without any accompanying identifying data is not enough. The U.S. government’s National Human Genome Research Institute warns of the possibility of re-identifying people through their genome information. This is possible in various ways, including cross-referencing against other database types or membership of identifiable populations such as ethnic groups.

It was up to the FTC to target 1Health in its $75,000 settlement because existing law doesn’t regulate genetic data comprehensively. For example, DTC genetics testing companies don’t fall under the federal privacy regulation for medical data, HIPAA, which governs health providers and insurers. The federal Genetic Information Nondiscrimination Act of 2008 (GINA) prevents health insurers and employers from forcing people to hand over their genetic data or using it to discriminate against them. Still, it doesn’t cover DTC genetics service providers.

Suing companies for deceptive practices in the absence of appropriate genetic privacy protection laws is not enough. In 2021, Justin Sherman, fellow and research lead for the Duke University Sanford School of Public Policy’s Data Brokerage Project, urged the Senate Committee on Finance to strictly control the sale of genetic data to third parties.

A History Of Privacy-Conscious Legislation In Montana

Montana has a history of enacting ground-breaking privacy laws. In 2013, it became the first state to force police to get a warrant before harvesting location information from electronic devices. It has also followed other states in introducing general consumer privacy protection laws with its Consumer Data Privacy Act, passed in April 2023.

Montana also isn’t the only state to tackle genetic privacy. In 2021, Maryland joined it in passing legislation requiring a warrant for forensic genetic genealogy searching (FGGS). This kind of dragnet searching of genealogy databases led to the capture of Golden State Killer Joseph James DeAngelo. Montana’s GIPA reinforces that anti-dragnet law by preventing DTC genetic testing companies from divulging data without consumer consent or due legal process.

In October 2021, California also passed two bills directly relevant to genetics security. The Genetic Privacy Act (S.B. 41) required direct-to-consumer genetic testing companies to get consumers’ consent before collecting, using, or disclosing their genetic data. The second, AB 825, added genetic data to its data security and data breach notification frameworks.

What Will The Effect Be?

Law enforcement has a way of working around privacy legislation, often by going to other channels. Police have resorted to buying cellphone location data legally from data brokers, even as other states followed Montana’s example by imposing location data privacy rules. However, laws that restrict the upstream sale of data rather than just tackling downstream surveillance use cases make it more challenging to source the data elsewhere in the first place.

Montana’s GIPA doesn’t allow for private lawsuits but enables the state’s attorney general to bring cases against offenders, recovering actual and statutory damages. This doesn’t give it the sharpest possible teeth, but a sympathetic attorney general could still give DTC genetics companies that don’t respect customer privacy a nasty nip. At the very least, it’s a start.