Consumer genetic testing companies including Ancestry and 23andMe have adopted a set of guidelines for when they share customers' data with other companies or law enforcement officials, the Washington Post reports.
Concerns regarding privacy for users of direct-to-consumer genetic testing services have increased in recent months, in part as police have turned to genetic genealogy websites to track down suspects. California police arrested a man in the Golden State Killer case who allegedly raped and killed numerous people in the 1970s and 1980s after matching decades-old DNA left at a crime scene to a relative who'd used the GEDMatch service. Police in Washington State similarly tracked down a suspect in the 1987 murders of a young Canadian couple. At the same time, a data breach of email addresses at MyHeritage also made some users nervous.
Under these new guidelines — which the Future of Privacy Forum's Jules Polonetsky tells the Post were in development before the Golden State Killer arrest — companies agree to secure customers' separate, express consent when giving their individual genetic data to third parties and to disclose the number of requests they receive each year from law enforcement. In addition, the guidelines call for easy-to-read privacy notices, informed consent for research participation, and for ways for customers to have their data deleted, as far as it is possible. Companies would still be able to share bulk, de-identified data.
According to the Future of Privacy Forum, which helped develop the guidelines, 23andMe, Ancestry, Helix, MyHeritage, and Habit are adopting the guidelines, as are African Ancestry and FamilyTreeDNA.