[BreachExchange] Consumer Genetic Testing: Beginning to Assess Privacy Practices

Destry Winant destry at riskbasedsecurity.com
Thu Jun 1 23:59:36 EDT 2017


https://fpf.org/2017/05/31/consumer-genetic-testing-beginning-assess-privacy-practices/

Genetic testing is becoming more widely available to consumers; such
testing can be an exciting new opportunity to help individuals flesh out
family histories, discover cultural connections, and learn about their
personal backgrounds.  The availability of low-cost genetic sequencing and
analysis has led to numerous businesses offering a variety of services,
including some that provide detailed health and wellness reports that
explain how genetics can influence risks for certain diseases.  The
enthusiastic public response demonstrates that there is great demand for
this knowledge.

But, as with so many new technologies, this new data analysis also raises
privacy questions.  DNA can be immensely revealing. And by its nature, DNA
includes information about an individual’s close relatives – not just data
about the person tested.  The broad US law protecting health privacy,
HIPAA, only protects health information when handled by specific types of
entities, such as health care providers or health insurers.  If your doctor
orders a genetic test, all the providers involved are bound by HIPAA
requirements.  But if you order a consumer genetic test on your own, those
restrictions are not applicable.

To ensure that genetic information isn’t misused, Congress acted, providing
protections in some areas.  The Genetic Information Nondiscrimination Act
of 2008 <https://www.eeoc.gov/laws/statutes/gina.cfm> (GINA) prohibits the
use of genetic information to make health insurance and employment
decisions.  GINA was a landmark when it passed, but it does not provide
comprehensive protections.  For example, GINA does not apply to decisions
about schools, mortgage lending, or housing. And it excludes other forms of
insurance like life insurance, long-term care, and disability insurance,
although some states do provide some additional protections in these areas.

Given the gaps in legal protection, it is particularly important that
companies offering genetic testing to consumers provide rock-solid, legally
enforceable commitments to consumers that ensure their data won't be used
to harm them.  And consumers need to look for commitments by companies not
to share genetic information without explicit permission, the ability to
delete their information, and promises to only use the data for the
expected purposes.  FPF has begun discussions with a number of consumer
genetics companies and hopes to share best practices guidance in the
upcoming months.

But before we begin, there are some useful lessons that FPF can share from
our work in other sectors.  It's useful to understand some of the language
that is common to the legal construction of policies and terms of service,
as well as the underlying protections provided by federal and state consumer
protection laws.

   1. *Companies do not own your data when they claim a perpetual license
   to use your information.* When you provide a company with data – whether
   that data is DNA, user comments, profile pictures, or other content that
   the company needs to hold and use to provide services – the company will
   often declare that it has a perpetual, royalty-free, worldwide license to
   use your information.  Corporate intellectual property lawyers insist on
   this language to give the company the right to use the data on an ongoing
   basis, subject to the restrictions the company places on itself – such
   restrictions can include commitments to only use data for the services
   described in the company's policies, and users' right to demand deletion
   of the data.  Search the phrase "perpetual license," and you will find it
   in the policies of almost every online service that allows the submission
   of user content.  This does not mean the company owns your data and can
   use it for any purpose it pleases – companies typically cannot make a book
   out of your private photos or publish your DNA.  But several times a year,
   someone reads "perpetual license" and sounds an alarm that is picked up by
   the media.  The fact that reporters' own publications have the same
   language in their online policies is typically not considered.  Often, a
   company will respond by making a cosmetic amendment to its terms,
   explaining that indeed it does not own consumers' data.  This story is
   the Groundhog Day story of privacy.  In 2008, Google's terms were debated
   <https://gawker.com/5044902/the-5-most-laughable-terms-of-service-on-the-net>.
   In 2011, Dropbox was critiqued.  In 2012, Twitter and Facebook
   <http://www.nyccounsel.com/business-blogs-websites/who-owns-photos-and-videos-posted-on-facebook-or-twitter/>
   came under scrutiny.  In 2015, it was Microsoft
   <http://cohornlaw.com/what-attorneys-and-their-clients-need-to-know-about-windows-10-and-microsofts-new-privacy-policies/>.
   Last week, AncestryDNA was the latest company to encounter this flap and
   accordingly updated its terms to explain that it had never asserted legal
   ownership of consumers' data.  Companies can get ahead of this issue by
   using clear terms from the outset.  Smart consumers and critics should
   recognize this legal language by now and appreciate that it does not grant
   a company "ownership rights to user data."  Look for the limitations on
   what a company can and cannot actually do with the data, and for your
   rights to opt in or out.
   2. *All bets are not off when a company is sold.* The Federal Trade
   Commission (FTC) has repeatedly made clear that it will hold a successor
   company responsible to use data only in ways compatible with the original
   privacy policy.  Back in the ToySmart case
   <https://www.ftc.gov/enforcement/cases-proceedings/x000075/toysmartcom-llc-toysmartcom-inc>,
   where sensitive children's data was involved, the FTC required that
   ToySmart's buyer abide by the terms of the ToySmart privacy statement.  If
   the buyer wanted to make changes to that policy, it could not change how
   the information previously collected by ToySmart was used, unless it
   provided notice to consumers *and* obtained their affirmative consent
   ("opt-in") to the new uses.  The FTC will surely hold companies that
   collect and process DNA to this standard.
   3. *Policies cannot be changed at any time.* The FTC has been clear that
   material changes to consumer privacy policies can't be made without first
   providing prominent notice to consumers and providing them with choices
   before data is used in any manner inconsistent with the terms they were
   initially provided.  So if a company holds sensitive data, it should not
   claim that it may change its policy at any time and immediately apply the
   new terms to data it previously collected.  If the change is material, a
   company may not apply it retroactively without consumers' express,
   affirmative consent.

These are just some of the baseline issues that are worth understanding
before beginning to think through the important commitments genetics
companies can make to promote trust and responsible data use in this
emerging industry.  Stay tuned for that effort!