Study: DNA Test Agreements Disregard Consumer Privacy

Most borrow the boilerplate used in standard "clickwrap" e-commerce contracts, but few prevent a customer's data from being sold—or the terms of the contract from being amended without notice.

3 min read

Study: DNA Test Agreements Disregard Consumer Privacy
Photo-Illustration: iStockphoto

human os icon

Some personal genomics companies rely on so-called “clickwrap” contracts—agreements to which consumers could one day regret having clicked “Agree.”

Anyone today who spends time in the digital world also enters into contracts in the digital world. And while many consumers today just click through so-called “clickwrap” contracts without reading them, one new study suggests that they take greater caution when clicking “Agree” to the legal terms underpinning, say, a personal DNA test. 

The new study also leaves the door open for consumer advocates to begin pushing toward stronger consumer standards in personal genome contracts, starting with questioning the very logic of the clickwrap model in the personal genome industry. It’s one thing, after all, to breeze through a lengthy contract when the worst-case scenario is the possible dissemination of, say, your history of iTunes purchases or the contents of your Amazon shopping cart.

It’s quite another to blithely risk losing control of parts or the whole of your own genome sequence—arguably the one string of personal data that is both the core of a person’s identity, and a nugget of information that could never be changed if it were compromised.

Andelka Phillips, a doctoral (D.Phil.) candidate at the University of Oxford law school in the U.K., recently completed her thesis, which looked at the practices of some 228 personal genetics companies around the world. For detailed analysis and comparison of their personal genomics contracts, she zeroed in on the 71 companies that sold health-related genomics services and made the whole of their consumer contracts available for public perusal.

Phillips says she was struck by how much they resembled standard clickwrap contracts for conventional tech companies on the Internet.

“They’ve inherited this model which they didn’t really adapt,” Phillips says of the genomics company contracts her study considered. “Because no one has really been policing the terms, often companies include clauses that give them additional advantage that doesn’t really relate to the purpose of the contract…From what I’ve seen, a lot of people are still not reading these things in the way they should be.”

For instance, she discovered that less than half of the documents contained any contractual language about the privacy protections the companies have in place. Indeed, probably because of the standard clickwrap contract’s Web-based origins, she found that much of these contracts’ privacy assurances concerned browser cookies and Web metadata—with less emphasis on the more pressing matter of keeping private a consumer’s genome.

Phillips found that 48 percent of the contracts discussed disclosure of personal and genetic data to third parties, while just 28 percent precluded the company from selling a customer’s data.  Only 10 percent of the documents explicitly stated that the company would destroy a customer’s physical sample after sequencing or communicating test results.

Meanwhile, clickwrap contracts for genomics have also inherited a provision that Phillips says favors the company over the consumer. Of the contracts studied, 72 percent reserved the company’s right to change the contract after the consumer clicked Agree; 39 percent of the documents said the companies could do this at any time, and 23 percent said they could make these changes without notice. On the other side of the coin, only 6 percent of the agreements obligated the companies to notify consumers by e-mail of any contractual changes.

By contrast, Phillips says, companies could enact a few simple changes to their contracts that would go a long way towards restoring some balance back to the consumer.

“If we’re going to use these kinds of contracts, they need to be a lot shorter,” she says of the often lengthy clickwrap agreements. “And it could be more interactive. They could have things that allow people to opt out and opt in to services. And while that might not be perfect either, it would at least give a little bit of control back to the consumer.”

Traditional tech company clickwrap agreements have grown like weeds to the point that today, Amazon and Apple’s iTunes contracts are longer than Hamlet and Macbeth, respectively. The latter has even inspired an extended graphic novelization. And while courts have often validated clickwrap contracts, Phillips says the sanctity of a genomics consumer’s data raises the stakes.

“I think things can be improved,” she says.

This is a relatively new industry. And e-commerce more generally, in the scheme of things, is relatively new. … It might just be that we really need to police some of these terms and think about how to improve some of these contracts. My feeling is some of these documents overall shouldn’t be treated as valid contracts. Because I don’t think people are necessarily validly agreeing to the contract.

“The person has to be giving their free and informed consent,” she says. “There shouldn’t be any undue influence or coercion. And I think, at present, sometimes people don’t have enough information to be making informed decisions about this.”

The Conversation (0)