Millions of consumers have purchased services from direct-to-consumer (DTC) genetic testing companies like 23andMe in search of insights about themselves—and their family members—that only genetic analysis can provide.
For example, these tests have attracted consumers seeking to find out whether they are susceptible to cystic fibrosis or breast cancer.
But many Californians likely don’t realize that these tests typically aren’t protected by strong health privacy laws, including the Health Insurance Portability and Accountability Act (HIPAA)—and that by default, some of their most private information could be sold without their knowledge or consent.
This data isn’t even covered by the state’s requirement on companies to keep personal information secure from unauthorized access.
Help could be on the way for California consumers thanks to SB 980, a bill that was recently approved by the California legislature with strong bipartisan support. If signed into law by Gov. Gavin Newsom, the bill would provide strong privacy and security requirements over deeply personal data that Californians currently lack.
The bill is supported by a coalition of privacy groups, including Consumer Reports, as well as Ancestry and 23andMe. But opposition from tech industry trade groups like TechNet and CompTIA is threatening to kill the bill.
Why? They’re concerned that the bill’s strong definition of consent, which explicitly prohibits the use of “dark patterns”—deceptive interfaces that trick consumers into sharing more information than they intended—could interfere with the manipulative business practices of their member companies.
SB 980 broadly limits companies from doing anything with your genetic data without your permission—for example, a DTC genetic testing company has to get the consumer’s permission before it can sell the data to another company or use it for an unrelated purpose. The problem is that across the web, many companies use a variety of methods to get consumers to provide that consent without even being aware of it.
Sites often make it much easier to agree to a potential transaction than to say no, relying on consumers’ limited attention span and the habit of clicking “OK.”
A 2019 Princeton University study of 11,000 shopping sites found more than 1,800 examples of dark patterns, many of which clearly crossed the line into illegal deception.
Use of these interfaces is already illegal under Unfair and Deceptive Acts and Practices (UDAP) law, but that hasn’t been enough to deter businesses from using them.
Just last week, the Federal Trade Commission (FTC) sued Age of Learning, an online education service for children, for its deceptive interface that led consumers to believe they were signing up for one year of service, when in fact, by default, they were charged each year. Given how widespread these interfaces are, and how sensitive the data held by DTC genetic testing companies is, it’s important to explicitly clarify that they are illegal, and expand the Attorney General’s authority to act.
California could become one of the first states to provide much-needed protections over the sensitive data collected by DTC genetic testing companies.
There have been several security breaches at these companies in recent years, including one involving genetic data at GEDMatch in July.
In a survey of DTC genetic testing companies, 71 percent reported that they could use consumer information internally for purposes other than providing the results to consumers, including to develop new products and services.
The California legislature stepped up to safeguard the personal data of its citizens. Gov. Newsom shouldn’t let tech companies torpedo this common-sense, bipartisan privacy bill due to fears that their own bad practices could come under attack.