SALT LAKE CITY — Utah lawmakers are considering a bill that would require companies such as 23andMe and Ancestry to disclose what they’re going to do with people’s personal data.
Senate Bill 227, sponsored by Curtis Bramble of Provo, states that direct-to-consumer genetic testing companies must also get a customer’s consent before any of that customer’s data is shared outside the company.
Rich Engelhardt, the Director of Government Affairs for Ancestry, said he supports the bill. 23andMe also supports the bill.
Sen. Bramble said he had to make several revisions to the final bill.
“We had several concerns that were raised by various – from higher ed to public safety, etc. Those have all been resolved with this substitute,” Bramble said.
The bill has passed unanimously and is up for a second reading in the Utah Senate next week.
23andMe has released the following questions and answers about its support for S.B. 227:
Why does 23andMe support/not support the Genetic Information Privacy Act?
We support the Genetic Information Privacy Act and continue to welcome legislation that provides transparency and control to consumers over their genetic data. We are proud of the work we have done as a founding member of the Coalition for Genetic Data Protection, as well as our work with the Future of Privacy Forum, a consumer privacy advocacy group, and others in the industry to develop best practices in privacy for consumer genetics companies.
What privacy protections are in place to assure customers that their genetic data is safe?
Choice and transparency are the two cornerstones of our privacy approach. Our customers have control — they are in the driver’s seat when it comes to their data. 23andMe is a mission-driven company founded to empower people by giving them access to their genetic information.
Part of empowering our customers is giving them choices throughout the customer experience, such as the choice about whether or not they want to participate in research or find new genetic relatives. We also support our customers by allowing them to easily update their choices at any time.
For our research program, customers have to explicitly opt in to participate, and we employ an independent external ethics board to review our studies and consent process. The data we analyze is de-identified — that is, it does not include personally identifiable information such as name or email — and results that are shared are aggregated datasets so that individuals cannot reasonably be re-identified. Customers can also separately choose to participate in research with individual-level data sharing. And of course, customers can decide to opt out of research at any time.
Our information security management system, which protects 23andMe systems, has been certified under ISO 27001, ISO 27701, and ISO 27018. 23andMe is the first direct-to-consumer genetic testing company to be assessed against all three standards.
Personal, identifiable customer information (such as name and email) and genetic information are stored separately in segmented databases.
Do customers have the choice of opting into research conducted on behalf of academic, nonprofit, and industry organizations?
Our customers have the opportunity to separately participate in our research program. They must explicitly opt in to participate, and participation is entirely voluntary. Customers can withdraw their research consent at any time. Our research program is overseen by a third-party Institutional Review Board (IRB), which ensures we comply with all legal and ethical guidelines in our research, including in our consent process. Our Research Consent and Privacy Statement are published online for everyone to read.
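The data-handling claims in the Q&A above (identifying information kept in a store separate from genetic data, research consent that can be withdrawn, and research output released only as aggregates so individuals cannot reasonably be re-identified) describe a general pseudonymisation pattern. The example below is an added illustration written for this page; it is not 23andMe’s code and says nothing about how that company actually implements these controls. The random participant token as the only link between the two stores, the minimum cell size of 5, the variant name and the twelve sample participants are all assumptions constructed for the demonstration.

```python
"""Illustration (not 23andMe's code) of pseudonymous separation of identity
data from genetic data, consent-gated research queries, and small-cell
suppression of aggregate results. All names, thresholds and data are assumed."""
import secrets
from collections import Counter
from dataclasses import dataclass, field

MIN_CELL_SIZE = 5          # assumed suppression threshold, not a figure from the page
VARIANT = "rs_demo_1"      # hypothetical variant identifier


@dataclass
class IdentityStore:
    """Holds name, email and consent flag, keyed by a random participant token."""
    _rows: dict = field(default_factory=dict)

    def enroll(self, name: str, email: str) -> str:
        # A random token, never a hash of name/email: a hash would let anyone
        # holding the email re-derive the key into the genotype store.
        token = secrets.token_hex(16)
        self._rows[token] = {"name": name, "email": email, "research_consent": False}
        return token

    def set_research_consent(self, token: str, consent: bool) -> None:
        self._rows[token]["research_consent"] = bool(consent)

    def consented_tokens(self) -> set:
        return {t for t, r in self._rows.items() if r["research_consent"]}


@dataclass
class GenotypeStore:
    """Holds genotype calls keyed by the same token; it never sees name or email."""
    _rows: dict = field(default_factory=dict)

    def store(self, token: str, genotypes: dict) -> None:
        self._rows[token] = dict(genotypes)

    def aggregate(self, variant: str, tokens: set) -> dict:
        """Count genotype values at one variant over the given tokens.
        Cells smaller than MIN_CELL_SIZE are dropped so that a rare genotype
        cannot single out one participant."""
        counts = Counter(
            self._rows[t][variant]
            for t in tokens
            if t in self._rows and variant in self._rows[t]
        )
        return {g: n for g, n in counts.items() if n >= MIN_CELL_SIZE}


def research_counts(identity: IdentityStore, genotypes: GenotypeStore, variant: str) -> dict:
    """Research sees aggregates over currently consented participants only."""
    return genotypes.aggregate(variant, identity.consented_tokens())


def build_demo():
    """Constructed sample data: 12 participants, one variant, two never opt in."""
    identity, genotypes = IdentityStore(), GenotypeStore()
    calls = ["AA"] * 7 + ["AG"] * 3 + ["GG"] * 2
    tokens = []
    for i, call in enumerate(calls):
        t = identity.enroll(f"Participant {i}", f"p{i}@example.invalid")
        genotypes.store(t, {VARIANT: call})
        identity.set_research_consent(t, i not in (0, 11))
        tokens.append(t)
    return identity, genotypes, tokens


def demo() -> tuple:
    """Returns (counts before withdrawal, counts after two AA carriers withdraw)."""
    identity, genotypes, tokens = build_demo()
    before = research_counts(identity, genotypes, VARIANT)   # {"AA": 6}; AG=3, GG=1 suppressed
    for t in tokens[1:3]:
        identity.set_research_consent(t, False)              # withdrawal takes effect immediately
    after = research_counts(identity, genotypes, VARIANT)    # AA drops to 4 and is suppressed too
    return before, after


if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the prose does not: the linking token must be random rather than derived from the identifying fields, otherwise the separation is cosmetic; and a consent flag only protects people if every research read path consults it at query time, which is why `research_counts` takes the consented set from the identity store rather than caching it.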