Two weeks ago I interviewed Katherine Drabiak, JD, a health law professor at the University of South Florida College of Public Health, about an article she wrote, “Caveat Emptor: How the Intersection of Big Data and Consumer Genomics Exponentially Increases Informational Privacy Risks,” published in Health Matrix: Journal of Law-Medicine, which discusses the 23andMe consent and privacy policies of which consumers should be aware.

LISTEN to the podcast: 23andMe: USF professor warns of privacy risks

I was soon contacted by a representative from the company who said that there were numerous inaccuracies and mistakes in the podcast and wanted to correct the record. I agreed to post their statement below:

A podcast featuring Katherine Drabiak regarding privacy and 23andMe included numerous misstatements of 23andMe’s policies, as well as sweeping comments about how we conduct research and handle our customers’ data.

Unfortunately 23andMe was not contacted to clarify these misstatements before. We regularly make our privacy officer and researchers available to answer these types of questions. Our policies are also readily available on our website.

Here are a few of the most inaccurate statements that we wish to correct:

  • 23andMe does not operate outside the scope of U.S. federal law. We are regulated by both state and federal agencies. 23andMe is also the first and only direct-to-consumer genetic testing company to have reports authorized by the FDA. That authorization came on the heels of a multi-year regulatory process overseen by the FDA, and we continue to work with federal agencies to get additional reports to consumers. All of our testing is done in CLIA certified labs, and an outside Institutional Review Board oversees our research.
  • 23andMe does not, and never has, given data to marketers, insurance companies, employers or the government. We do not use customer data for research without a customer’s specific consent. In addition, contrary to what Ms. Drabiak said, under GINA it is illegal to discriminate against someone for employment or health insurance based on their genetics. 23andMe continues to advocate for protections against genetic discrimination both in the US and worldwide.
  • 23andMe created a unique research model that allows customers to participate in research if they choose. Customers are asked if they wish to consent to research, but do not forfeit any of their experience if they choose not to. 
  • 23andMe’s research is overseen by an independent IRB, a third-party board that ensures we adhere to federal research protocols. For customers who opt in to our research experience, all data is aggregated and de-identified, unless customers explicitly and separately agree to share their individual-level data. Customers can opt out at any time. 23andMe also consistently publishes its research in peer-reviewed journals and shares our findings with customers, allowing them to see for themselves how their data are being used for research.
  • Although 23andMe, like most online companies, uses “cookies” to learn more about potential customers, how this information is used is also easily found on our website. That data is unrelated to our research data. We do not “know where you work” or your “GPS coordinates,” as Ms. Drabiak erroneously stated.
  • 23andMe has never turned over customer data to any government agency. Like any U.S. company we are subject to federal law and would have to abide by a legal court order or subpoena to turn over records, but with more than 2 million customers we’ve received only four requests in the last decade. 23andMe has successfully resisted each one of these requests. We have an online transparency report where we update customers about these requests. For many reasons, the data used by 23andMe is not useful for law enforcement. You can read more about this on our blog.