On Wednesday, DNA-testing kit company 23andMe, announced a new partnership with drug giant GlaxoSmithKline (GSK). GSK gets exclusive access to 23andMe’s troves of customer data — which it plans to use to develop a whole host of new drugs — and 23andMe gets a $300 million dollar investment. The company was quick to clarify that 23andMe customers had the option to opt-in or out of sharing their genetic information for research purposes, stating that “As always, customers choose whether or not to participate in research. Customers can choose to opt-in or opt-out at any time.” But a look at the company’s policies reveals that things aren’t that simple. It’s the same confusing mess of provisions every company uses to gloss over the rights people are signing away to their own personal information. But unlike most privacy policies, the information at stake isn’t something as unimportant as your midnight browsing habits or Facebook likes — it’s DNA.
In short, most — if not all — of the information 23andMe has on its users has probably been shared with someone that isn’t 23andMe itself, and money might have even changed hands. Which is all perfectly within the company’s rights to do, since they agreed to it (probably blindly) when they signed up.
“What happens if you do NOT consent to 23andMe Research?” reads one section of the company’s infuriatingly contradictory Privacy Statement. “If you choose not to complete a Consent Document or any additional agreement with 23andMe, your Personal Information will not be used for 23andMe Research. However, your Genetic Information and Self-Reported Information may still be used by us and shared with our third party service providers as outlined in this Privacy Statement.” (Emphasis ours.)
This statement is in and of itself confusing, mostly because there seems to be no clear consensus on the meaning of words used to describe all of the various types of information 23andMe collects from its customers. For example, “personal information,” is broadly defined as “information that can be used to identify you, either alone or in combination with other information,” however it is also used as an umbrella term for a variety of other forms of information, including but not limited to “genetic information” and “self-reported information,” which are defined as “information regarding your genotypes (i.e. the As, Ts, Cs, and Gs at particular locations in your genome), generated through processing of your saliva by 23andMe or by its contractors, successors, or assignees; or otherwise processed by and/or contributed to 23andMe;” and “information you provide directly to us, including your disease conditions, other health-related information, personal traits, ethnicity, family history, and other information that you enter into surveys, forms, or features while signed in to your 23andMe account,” respectively.
In other words, yes, you can choose to opt-out or not give consent for your “personal” information to be shared with 23andMe’s Research program, which it describes vaguely as a “large pool of customer data for analyses aimed at making scientific discoveries.” But that won’t stop the company from sharing any of the genetic information they derived from processing your spit, or any of the biographical, familial, or medical information you provided when setting up your account with the laundry list of third parties it specifies as “service providers.” These include marketers, advertising networks, the feds (if they ask), and other companies under “common ownership or control of 23andMe,” like subsidiaries or parent companies. 23andMe confirmed to The Outline that research collaborators like GSK are excluded from this list, stating that only aggregate data from a pool of explicit 23andMe Research opt-ins would be available, however, those that do consent to the Research program lose the ability to get their genetic information back from those it was shared with after the fact, even if they delete their account.
There’s also a whole separate clause dedicated to hammering in 23andMe’s right to share any and all aggregate information about its customers, with third parties of shapes and sizes, a right it asserts it’s entitled to since aggregated data technically “does not identify any particular individual or disclose any particular individual’s data.” While anonymized aggregate datasets may sound innocuous enough, they aren’t, as the primary use of such information — for an advertiser or data broker, at least — isn’t tied to an individual’s particular name or identifiers, but rather comes from its predictive power as a whole. The datasets maintained by companies like 23andMe — which has over 5 million customers — are large enough to conceivably be used to train algorithms to target particular subgroups for advertising or other purposes.
Companies are still within their rights to bury these sorts of compounding clauses behind a headache-inducing wall of text. The European Union’s landmark General Data Protection Regulation has forced companies to give people options, like for tracking cookies when visiting a site (if you’re a European user, that is), but the terms and conditions binding the long term use of users’ data remain as esoteric and ironclad as ever, especially for Americans and other non-EU citizens who aren’t allotted those basic data rights as outlined by GDPR.
Even if the whole world was to adopt stringent data protection laws tomorrow, we’ve been agreeing to these sorts of predatory privacy policies for decades now. Our information is already out there, in the hands of data brokers and companies like Facebook, and has been for a while. The issue is no longer taking away companies’ access to our data; they already have it. The question is how we will ever get it back.