Since the launch of its DNA testing service in 2007, genomics giant 23andMe has convinced more than 5 million people to fill a plastic tube with half a teaspoon of saliva. In return for all that spit (and some cash too), customers get insights into their biological inheritance, from the superficial—do you have dry earwax or wet?—to mutations associated with disease. What 23andMe gets is an ever-expanding supply of valuable behavioral, health, and genetic information from the 80 percent of its customers who consent to having their data used for research.
So last week’s announcement that one of the world’s biggest drugmakers, GlaxoSmithKline, is gaining exclusive rights to mine 23andMe’s customer data for drug targets should come as no surprise. (Neither should GSK’s $300 million investment in the company). 23andMe has been sharing insights gleaned from consented customer data with GSK and at least six other pharmaceutical and biotechnology firms for the past three and a half years. And offering access to customer information in the service of science has been 23andMe’s business plan all along, as WIRED noted when it first began covering the company more than a decade ago.
But some customers were still surprised and angry, unaware of what they had already signed (and spat) away. GSK will receive the same kind of data pharma partners have generally received—summary level statistics that 23andMe scientists gather from analyses on de-identified, aggregate customer information—though it will have four years of exclusive rights to run analyses to discover new drug targets. Supporting this kind of translational work is why some customers signed up in the first place. But it’s clear the days of blind trust in the optimistic altruism of technology companies are coming to a close.
“I think we’re just operating now in a much more untrusting environment,” says Megan Allyse, a health policy researcher at the Mayo Clinic who studies emerging genetic technologies. “It’s no longer enough for companies to promise to make people healthy through the power of big data.” Between the fall of blood-testing unicorn Theranos and Facebook’s role in the 2016 election attacks, “I think everything from here on out will be subject to much higher levels of public scrutiny,” Allyse says.
23andMe maintains that transparency is a core tenet of the company. “I think a really important distinction to make is that 23andMe operates under an independent ethical review board that oversees all of our research,” says Emily Drabant Conley, 23andMe’s vice president of business development, who oversaw the announcement of the GSK deal. “The guidelines we follow are essentially the same as what other research institutions follow.” So they should apply to any of the analyses GSK might want to run on 23andMe data, like a PheWAS, which connects constellations of symptoms and conditions across many people with a single genetic mutation they all share.
Yet they’re not identical. Researchers point out that medical and academic institutions will often assign someone to walk through consent documents with potential study participants, to make sure they understand all the risks and benefits. With 23andMe, that process is distilled into a number of screens and boxes to click through.
“If you read the documents carefully, all the information is there,” says Kayte Spector-Bagdady, a lawyer and bioethics researcher at the University of Michigan who has reviewed 23andMe’s customer policies. “They really do disclose it all. The challenge is that people don’t read it.”
To register a DNA kit on 23andMe, customers are required to accept the company’s privacy policy and terms and conditions, which together disclose what data 23andMe collects, how it’s protected, and how it can be used and shared. Then customers are given the option to participate in 23andMe research. A lengthy document explains what that entails, and if they click a green box at the bottom saying “I DO GIVE CONSENT,” then the majority of their data—their genetic profile plus any information they enter into surveys or authorize 23andMe to import—can be used for research in de-identified and aggregated form.
It’s a lot of fine print that looks like a lot of other fine print people on the internet click through every day—to browse, buy, watch, and listen online. “They’re so used to sharing data that they may not realize it’s just going in the front end and out the backend,” says Spector-Bagdady.
23andMe customers can withdraw consent at any time, but it may take up to 30 days for their requests to go into effect. And any data shared prior to that date can’t be clawed back from any third parties that might be using it. Deleting your data entirely is even harder—nearly impossible, as Bloomberg reporter Kristen Brown reported, because federal laws require clinical laboratories to keep de-identified DNA test results on file for a minimum of 10 years.
It’s also worth pointing out that 23andMe can, in theory, unilaterally change those terms and conditions and privacy policies at any time, says Katherine Drabiak, a legal expert in health law and research ethics at the University of South Florida. As a commercial enterprise, it’s not bound by the same obligations as medical professionals. 23andMe doesn’t have to take an oath to act in the interest of consumers or to promote their well being.
There’s a tension between…