Direct-to-consumer genetic testing (DTC-GT) has become a convenient method to help people to understand their genetic makeup. Owing in part to concerns regarding confidentiality, privacy, and secondary use of data, professional and government bodies created guidelines to promote transparency among these companies. Using a comprehensive and systematic approach, this study assessed DTC-GT company compliance with international transparency guidelines.
A framework analysis was performed on 30 DTC-GT health and/or ancestry websites identified using a US-based online search strategy during the summer of 2015. A codebook was developed from a synthesis of relevant guidelines from seven DTC-GT guideline documents and applied to each website.
Although most companies met guidelines related to transparency regarding security protocols, storage procedures, and third-party disclosures, few met guidelines regarding sharing risks from data disclosures. Additionally, few companies disclosed how long data would be kept for services or research. Use of data for research was frequently mentioned only in privacy policies and terms of service documents, and only two-thirds of companies required an additional consent to use consumer data for health-related research.
Our analysis shows that DTC-GT companies do not consistently meet international transparency guidelines related to confidentiality, privacy, and secondary use of data.
Genet Med advance online publication 22 September 2016
Direct-to-consumer genetic testing (DTC-GT) companies have been a feature of the personal genetics landscape for more than a decade.1 Offering consumers the opportunity to undergo genetic testing for a variety of purposes (e.g., to understand their ancestry and to understand their inherited risk for diseases), these companies and their services have been met with significant concern from researchers and physicians alike. Concerns with analytic and clinical validity, clinical utility, emotional harms to consumers, and inappropriate health-care decisions quickly became prominent.2,3,4 Over time, researchers also raised significant concerns about transparency related to confidentiality, privacy, and secondary use of data.5 Accordingly, many professional and government bodies began to issue broad guidelines for the ethical conduct of DTC-GT.6
Since this early period in the history of DTC-GT, the landscape has shifted somewhat in light of slow-moving policy and regulatory developments. With a few US states now requiring physician involvement in health-related genetic testing and the US Food and Drug Administration (FDA) taking a more active role in regulating the activities of these companies as medical devices,7 several companies appear to have left the market or changed their offerings.8 Most notably, many companies appear to have shifted from direct-to-consumer sales to direct-to-consumer advertising, in many ways mimicking the US practice of direct-to-consumer pharmaceutical advertising.9 It should be noted, however, that the recent FDA authorization of 23andMe’s DTC Bloom Syndrome test and intention to exempt autosomal recessive carrier screening tests from FDA premarket review will probably breathe new life into DTC sales.10
Although recent developments have mitigated some of the concerns mentioned above, those related to confidentiality, privacy, and secondary use of data remain critical. These risks are present not only in the actual provision of GT services purchased by consumers but also because companies have strong financial incentives to use or share collected data for health research.1 With the increase in next-generation whole-genome sequencing technology, risks related to re-identification, sharing of data without consent, and the inability to withdraw from research are more pressing than ever.11
The limited prior research regarding transparency practices among DTC-GT companies suggests a clear weakness in current corporate policies. A recent study of 86 unidentified DTC-GT company websites targeting Canadian consumers found that 67% provided information insufficient for consumers to determine how their data and sample would be treated.12 Previous work suggests that a majority of companies also fail to mention risks of genetic discrimination.13 More in-depth studies of a small number of DTC-GT companies suggest that companies may be failing to convey the risks of re-identification and failing to obtain proper consent for secondary use of data.5,14 Indeed, rather than having improved since the emergence of more detailed guidelines, Niemiec and Howard14 suggest that the ethical challenges associated with research by DTC-GT companies have instead been “amplified” in light of new sequencing technologies.
This study aimed to build on prior work with a comprehensive and systematic analysis of the extent to which DTC-GT companies are complying with international guidance on the transparent provision of information related to confidentiality, privacy, and secondary use of the genetic samples and data they collect. Failure in any of these areas would signal that consumers are unable to make fully informed decisions about GT services and signal a need for meaningful discussion about the sufficiency of current regulatory approaches. To achieve this aim, we synthesized relevant portions of guidance documents for DTC-GT services across multiple professional societies and public bodies into one unified coding tool reflecting best practices and then used this coding tool to perform a systematic framework analysis of confidentiality, privacy, and secondary-use procedures and policies among the top listed health and ancestry DTC-GT company websites appearing in a US-based Internet search.
Materials and Methods
Identification of DTC-GT companies
Using an online search strategy, we sought to identify DTC-GT websites that advertise genetic testing services to members of the US public. This broad DTC-GT company definition has been recognized and shared by prior researchers3,14 and includes both companies from which consumers can order tests online themselves and companies that require consumers to go through their health-care professionals to place an order. Given concerns about secondary data usage for research, we focused on companies that collect genetic data that could be useful in research. Thus, we included companies performing health-related testing (including nutrigenomic testing) and ancestry testing. Sites offering only paternity testing and prenatal testing were excluded. Additionally, websites promoting specific medical clinics rather than focusing on genetic testing services were excluded.
The search engine Google was used to perform the following search: (genetic OR genome OR DNA) AND (test OR testing OR screening) AND (home OR kit OR service) AND (disease OR health OR personal OR nutrition OR nutrigenomic OR ancestry). Each website returned by the search was reviewed (by J.R.) to determine whether it met the aforementioned inclusion criteria, with a target of identifying 30 websites. To replicate the search experience of a member of the public, Google advertising results (located directly above and adjacent to the search results) were also reviewed and included when relevant. Data collection continued from mid-July through mid-September 2015; 194 sites were reviewed before 30 relevant websites had been identified. When websites were linked to larger corporate websites, both were examined. Given the importance of verifying findings,15 each website was screen-captured and the name of each company is disclosed.
Coding and analysis
A codebook was developed and refined by all coauthors from a synthesis of the confidentiality, privacy, and transparency guidelines from seven DTC-GT position statement, policy, and recommendation documents authored by professional societies and public bodies. In addition to searching for relevant provisions in the updated versions of guidelines noted in the systematic review by Skirton et al.,6 two additional guidelines were added. Relevant provisions were found in guidelines from the following societies and bodies: the American College of Medical Genetics and Genomics,16 the American Society of Clinical Oncology,17 the American Society of Human Genetics,18 the European Academies Science Advisory Council,19 the European Society of Human Genetics,20 the Human Genetics Commission,21 and the Nuffield Council on Bioethics.22 See Table 1 for a summary of relevant guidelines from each document. These guidelines were transformed into a Microsoft Excel–based coding document into which relevant text from privacy policies (PP), terms of service (TOS), frequently asked questions, and any other descriptive text from websites could be pasted. Primary categories for data collection and coding included company disclosures related to the following:
1. Personal and professional risks from the disclosure of test results and collected data
2. Procedures and policies for the storage and destruction of genetic samples and data
3. Plans for samples and data in the event of company sale or bankruptcy
4. Security and confidentiality procedures and policies, including third-party disclosures
5. Plans and consent policies to use samples or data for research, including commercialization and rights to profit sharing
Readability statistics were executed for each TOS and PP (when available) using Microsoft Word 2013 to determine the Flesch-Kincaid Grade Level score. Additionally, each website was examined to determine whether the company provided health and/or ancestry services and whether physician involvement was required to place an order.
Two websites were chosen for initial double coding and discussion to refine the codebook. Then, all 30 sites were coded (by J.R.), concluding in September 2015. To address issues of subjectivity, one-third of the websites (n = 10) were double-coded (by L.L. or P.A.) and found to have good congruency.23 A framework analysis approach was then used for analysis,24 with the data from the coding document charted and summarized into a more refined “framework matrix” to allow for pattern recognition and a clear overview of trends. In conjunction with charting, all websites were also reexamined (by L.L. or P.A.) between December 2015 and February 2016 to ensure validity and to capture any updates made during that time. Any discrepancies or questions were adjudicated (between J.R., L.L., and P.A.) to reach a consensus. During this time period, one company (EasyDNA) removed health-related testing from their US website. However, because they continued to offer ancestry testing, the company remained in the sample.
Of the 30 DTC-GT websites included in our analyses, 12 were identified as offering genetic testing for health and/or nutrigenomic purposes, 15 were identified as offering genetic testing for ancestry, and 3 were found to include genetic testing for both health and ancestral purposes. The names of the companies and the types of testing they offer, in the order in which they appeared in the search results, are displayed in Supplementary Table S1 online. Twenty-four companies (80.0%) offered direct-to-consumer sales and five (16.7%) required physician involvement to place an order. One DTC-GT company was determined to have an unclear policy due to discrepancies between its two public websites. To assess the extent to which DTC-GT companies adhere to professional guidelines regarding confidentiality, privacy, and secondary use of data, we conducted a systematic framework analysis of the company websites. All but one of the companies examined had some form of PP or TOS page, with the average Flesch-Kincaid Grade Level score of these materials being 13.9. For clarity, we split the findings into the following categories: (i) compliance with guidelines related to the provision of customer-commissioned GT and (ii) compliance with guidelines related to secondary use of samples and data. The results for each included company are provided in Supplementary Table S1 online.
Both the European Society of Human Genetics and the American Society of Clinical Oncology recommended that companies communicate risks of potential disclosure to third parties such as insurers or employers (Table 1). Of the 30 companies we analyzed, 6 (20%) discussed specific risks related to disclosure to third parties of results from purchased services (Figure 1). Companies that discussed such risks typically mentioned limitations in protections provided by the Genetic Information Nondiscrimination Act of 2008 (GINA).
Almost all of the seven societies recommended that security and confidentiality procedures be explained to customers (Table 1). Twenty-eight of the 30 companies (93.3%) provided at least some language regarding consumer confidentiality, including procedures for de-identifying data and samples, or references to the Health Insurance Portability and Accountability Act (HIPAA). Seventeen companies (56.7%) described their procedures for storage of biological samples, and 21 companies (70.0%) described their procedures for storage of genetic data. The descriptions were highly variable; some companies included detailed descriptions of how data are accessed, secured, and stored, whereas others simply mentioned where the data are stored (e.g., “data are stored at our facility in Houston, TX”). The results in Figure 1 reflect both types of responses. Although the ways in which data are stored and protected were well addressed, only four companies (13.3%) provided concrete specifics regarding how long data would be stored by the company. Fourteen (46.7%) promised that data would eventually be destroyed or could be destroyed upon request. Several other companies were coded as partial for storage time and destruction because they mentioned that data and samples “may” be destroyed or did not give specific timeframes.
Four of the seven societies recommended that companies provide a list of all third parties that may have access to data or samples (Table 1). Twenty-eight companies (93.3%) provided, at minimum, a blanket statement indicating that data and/or samples may or may not be shared with third parties. The level of detail was extremely variable and a minority of these companies provided what appeared to be a fully enumerated list of third parties to which they may disclose data or samples. However, companies commonly disclosed sharing with law enforcement. Twenty-five of the 30 companies (83.3%) specifically mentioned that they may be compelled to disclose data to legal authorities without the customer’s consent.
Although four of the seven societies included clear language that companies should explain the fate of data and/or samples if the company were to be sold or were to go bankrupt (Table 1), only 13 (43.3%) of the DTC-GT companies we examined explicitly discussed the fate of genetic data in the event of these occurrences. Two companies (6.7%) partially addressed how biological samples would be handled in the event of a bankruptcy or change in ownership.
Secondary usage of consumer data for research
The DTC-GT companies we examined disclosed plans to use collected data for research primarily in their TOS and PP sections. Of the 30 companies, 4 (13.3%) explicitly stated that they would not use data for research or any secondary purpose (Figure 1). Nine companies (30.0%) mentioned their intention to conduct health-related research in their TOS/PP. Only one company also mentioned their health-related research plans on their patient-oriented website. A second company mentioned research plans only on their main corporate website rather than on their patient-focused site. Twelve companies (40.0%) disclosed in their TOS or PP that they used data for nonhealth research (such as ancestry) or unspecified research, with three companies also mentioning these plans on their main website. This left eight companies that did not mention secondary usage of the data anywhere on their websites.
Given the sensitivity and profitability of health-related research, we considered additional questions specific to the companies stating use of genetic data for this purpose. Despite the clear and specific recommendations to seek additional informed consent for secondary usage of collected data (Table 1), only six of the nine companies (66.7%) stating an intention to use data for health-related research mentioned some form of additional consent, and several of these were coded as partial consent because they required consent only for certain types of research or waived consent requirements with IRB approval. Two of the three companies that do not require any additional consent specified an opt-out policy for research. Additionally, the specific purpose of health-related research was disclosed by only two companies. Five of these nine companies (55.6%) articulated a policy regarding withdrawing from health-related research, which in some instances included notices that full withdrawal was not possible and in one instance that “once given, consent cannot be revoked.”
Although three societies recommended that DTC-GT companies disclose the period of time for storing genetic data, no company addressed the issue of how long data would be stored for use in research of any type. Although it is possible that any general provisions on data storage also apply to data used in research, the absence of specific provisions may imply that the companies who use the data for research purposes will store the genetic data indefinitely (unless the customer requests that it be deleted).
Finally, the European Society of Human Genetics recommends that DTC-GT companies include information on whether the research may lead to commercialization or patents and explain the customer’s right to commercial benefits (Table 1). Four of the nine companies (44.4%) that perform health-related research included information on whether their health-related research may lead to commercialization or patents (Figure 1). All four addressed whether customers would have rights to commercial benefits; in each case, it was explicitly stated that customers have no such rights.
Although there is clear variation between companies, our analysis demonstrates that DTC-GT company customers across the board continue to face a challenging task if they attempt to determine exactly how long their samples and data will be kept and what their ultimate fates will be. The majority of companies examined did have PPs or TOS documents, which is an improvement from an earlier study that found that only two-thirds of DTC-GT companies had posted privacy policies.1 However, compliance with international guidelines on the provision of information related to confidentiality, privacy, and secondary use of data is, in many instances, poor. The impossibility of ensuring absolute confidentiality of uniquely identifiable human genetic information makes it essential that consumers be given a full understanding of what they are agreeing to before purchasing genetic testing services.11
Companies should be given credit for the consistent provision of information regarding security protocols, storage procedures, and third-party disclosures. However, there are significant weaknesses that must be addressed. Singleton et al.13 stressed that a lack of transparency regarding the risks and benefits of DTC-GT represents a violation of the ethical principle of informed choice. Our findings suggest that this particular violation continues with regard to articulating privacy risks. For example, companies frequently mentioned disclosure to insurance companies, but in most instances they failed to mention that GINA does not cover genetic discrimination by life, disability, and long-term care insurance providers.25
Limited transparency also spans across several additional areas. Although some companies stated that consumers retain ownership of their genetic materials, the fate of data derived from those materials was not regularly shared with customers. Only half of the companies mentioned that genetic data would eventually be, or could be requested to be, destroyed. Even fewer mentioned how long they would store data. Only two-thirds of companies disclosing health-related research plans stated that they required an additional consent to use consumer data for this purpose, and none mentioned how long data would be kept for use in new research efforts. This failure to collect additional consent for research represents a clear example of a violation of recommendations and a continued blurring of the lines between consumers and research subjects.5
Further, only a small minority of companies mentioned their plans to conduct research on their main website, which is problematic because a recent study suggested that only 64% of Canadian DTC-GT customers read privacy policies.12 Transparency of research plans is a particular concern for the companies that cast themselves primarily as ancestry-focused but engage in health-related or unspecified research. Even when consumers do read these documents, it is not a given that they fully understand the materials because the average readability score represented a grade level equivalent to almost 2 years of college education. Although this is a slight improvement from the grade 15 reading level identified by Lachance et al. in 2010,26 the US National Library of Medicine recommends that health materials be written at a seventh- to eighth-grade reading level.27
More broadly, the lack of compliance with current guidelines raises questions about the sufficiency of a voluntary approach as the sector continues to expand. Many of the concerns identified in our study were first documented years ago,1,5,13 yet there have been only modest developments toward improvements in transparency about privacy risks, the fate of data, and secondary use of data over the past decade. Niemiec and Howard14 came to a similar conclusion in their qualitative analysis of four whole-genome sequencing companies. Although companies have an incentive to promote more transparency in order to build public trust in genetic research,1 there are also clear disincentives to the provision of accessible and comprehensive information.26 Prior research indicates that consumer interest in DTC-GT decreases with the provision of additional risk information28 and that privacy concerns and beliefs that data will be used for research are more common among those who have considered purchasing services but decided against it.12 Data are also clearly financially valuable when used for health-related research,1,29 which may create incentives for opt-out arrangements.
There has been some movement to regulate DTC-GT, but recent regulatory efforts have focused on a different set of concerns than those addressed here. US state and federal efforts to involve physicians and genetic counselors in the genetic testing process, ensure clinical validity, and ensure the sharing of results in an understandable and actionable manner,3,8,10 although extremely valuable in their own right, leave concerns about privacy, confidentiality, and secondary use of data unaddressed. We note that two of the three companies that failed to require additional consent for research did require physician involvement in ordering services. There is also a risk that recent FDA involvement with DTC-GT will create the perception that DTC-GT is now government-sanctioned, thus resulting in more consumer interest in testing. This may have benefits for consumers seeking health and ancestry information, as well as for those who would benefit from eventual research discoveries. It may also lead consumers to lose control of their genetic data and expose them and their families to risks that they are not made fully aware of.
As DTC-GT becomes more common, the risk of insurance discrimination not prohibited under GINA (such as life, disability, and long-term care insurance) becomes increasingly pressing. As Taylor et al.30 noted in their analysis of DTC Alzheimer testing and long-term care insurance, “from a pure risk-adjustment standpoint, using a genetic marker is no different from charging smokers higher premiums for life insurance.” Use of data for research, even when relying on de-identification, is also a concern because advancements in genomic technology have made complete withdrawal from research almost impossible and have given genetic samples an inherent risk of re-identification.11,31,32 This is not to say that secondary use of data for research is inappropriate, but rather that explicit consent that takes into account these realities is essential. Several novel means of obtaining consent for research and outlining potential harms have been outlined in the literature and should be explored by DTC-GT companies.11,31,33
This study had several limitations. First, we only examined information publicly available online in a specific period of time. Although this accurately reflects what consumers would see in late 2015 when deciding whether they wanted to place an order, it is possible that more detailed information would be provided when an order is placed or that website content has changed since that time. Second, our study considers only the stated policies of the companies without consideration of the extent to which companies exceed or fail to comply with these stated minimums in practice. Because our focus was primarily on transparency, we also did not engage in in-depth analysis of the appropriateness of the specific procedures that are disclosed. Future research should engage with nuances such as the appropriate length of time for storing samples and the politics of not sharing commercial benefits. Finally, this study was not intended to highlight any specific corporations as bad actors, but rather to address concerns in the field as a whole.
This analysis of 30 DTC-GT companies identified both strengths and weaknesses in several areas where international guidelines have recommended transparency. The weaknesses pose a concern not only for consumers but also for the genetic research community because poor practices may jeopardize public trust in genetic research.5,14 Although self-regulation would probably be preferable for all parties owing to lower costs and the importance of flexible standards,15 calls for lobbying to establish policy interventions may be justified if transparency practices do not improve with continued growth in the industry.6,26 That said, major DTC-GT companies such as 23andMe and Ancestry may have strong incentives to push the field toward self-regulatory initiatives to prevent both government action on these issues and eventual negative public relations incidents. Additionally, the relatively strong compliance with some disclosure guideline topics and by some of the companies examined signals that meeting self-imposed guidelines would be far from an impossibility if companies chose to participate in such an effort. Although self-regulation in other fields has, at times, been problematic, guidelines for successful efforts have been developed.34 A self-regulatory initiative by DTC-GT companies that strives to be transparent, sets meaningful codes of conduct with input from the scientific community, and builds in accountability and objective oversight would make a significant contribution to protecting both consumers and corporate interests. Future research should consider the desired content and viability of such an initiative.
The authors declare no conflict of interest. No external funding was received to support this research. L.I.L. has received compensation from the University of Wisconsin–Milwaukee. She received compensation in 2015 from Texifter for hourly work. J.R.R. has received compensation from the University of Wisconsin–Milwaukee. P.L.A. has received compensation from the University of Wisconsin–Milwaukee.