Monday, June 15, 2009

Reading about Consents, Risks, and Privacy - Now the Fun Starts

I remember how excited I was when the test kit arrived in the mail. It felt so new millennium. Ordering the test online was in fact easier than buying an airline ticket - and compared to many fares, even less expensive! I was also lucky that the Utah Department of Health officials were not overly zealous like those from New York and California. I was still allowed the choice to investigate my biology on my own terms. But 23andMe made sure I read several pages of Consent, Risk, and Privacy policies before the order could be completed.

The Consent and Waiver section

“23andMe's service is not a test or kit designed to diagnose disease or medical conditions, and it is not intended to be medical advice.” This is probably the most important statement to be aware of. In other words, don’t make your own diagnosis, and don’t print your report and expect your doctor to review the entire thing with you. Another declaration includes “… accessing your genetic information through 23andMe does not translate into a personal prediction”. As you read further you learn that other disease factors are environmental and not genetic, that our understanding of genetically influenced disease may be incomplete, and that gene/disease associations are based on populations and not individuals.

The Risks section

This section presented statements about risks I might be exposed to by using the service.

“You may learn information about yourself that you do not anticipate.” Isn’t this true for any medical information we get as part of receiving healthcare services? Besides, I’ve already heard some interesting positive stories from what others have learned from their genetic test. For some reason I don’t have any fears of what I might learn, so no worries for me here.

“The laboratory process may result in errors.” Errors? In healthcare? With our advanced technology? That never happens. (Just joking). Again, not worried.

“You should not change your health behaviors on the basis of this information.” I’m male, so I’m genetically predisposed to difficulty with changing behavior. Add to that the fact that I’m single. I think I need to get a wife first to ‘encourage’ me change. For men with wives, don’t show them your test results. (To anticipate questions as to why I’m single - I do have the commitment gene, just not the lucky in love gene.)

“Genetic research is not comprehensive and future scientific research may change the interpretation of your DNA.” This simply means we do not have all the answers yet. Everybody should understand this. Actually, this just means job security (which today is worth its weight in gold).

“Genetic data you share with others could be used against your interests.” One option of the service is to share your results with other 23andMe customers. This is done by one person sending a share request to another, and the receiving person accepting or rejecting the offer. Obviously, I‘ve already decided to be all-in on the sharing business. Besides, I agree with an article that appeared in the London Times titled “Our genetic code should be no big secret ".

“23andMe Sponsored Research: We will analyze your genetic and other voluntarily contributed personal information as part of our scientific research with the purpose of advancing the field of genetics and human health.” I think many service customers will see this as a bonus. We want to volunteer, as it makes us feel we are part of something greater than ourselves.

And finally, “Collaborative Research will be de-indentified”. The collaborative research with this blog will be completely identified of course. We have to keep it interesting.

The Privacy section

This section informs the customer about the choices they have related to their private data.
• Participation in activities and services that involve personal information beyond initial account and Genetic Information is voluntary and permission-based.
• It is entirely within your discretion to provide information or answer survey questions.
• At your request we will delete your account and personal information linked to your account from our systems.

My first thought was I don’t need any more protection than this. I guess I will find out if that’s true or not. I have to admit though that I read all of this privacy stuff because I knew Dr. Williams would ask me if I did.

So after reviewing and contemplating the consequences, I opened the box, spit in the tube, and sent it off. A more detailed description of this step will be in the next blog. My DNA would not come back in the mail, but would be converted into electronic bits and travel over the Internet. What a futuristic voyage.

Perspective from a medical geneticist

Caveat Emptor!!

I have a confession to make. I don’t read all the end user agreements that come with my software and computers. For all I know representatives from a software company could show up at my door informing me that I agreed to pick grapes in Sonoma. Bill Gates may have a lien on my spleen!! My approach to the ubiquitous end user agreement is best summed up in the words of Blanche DuBois, “Whoever you are, I have always depended on the kindness of strangers.” I can only hope it turns out better for me than Blanche.

Seriously, the problem of the end user agreement is not a trivial one. Many view them as contracts of adhesion—essentially a take it or leave it agreement where the purchaser has no leverage with which to negotiate with the seller. So how does this relate to direct-to-consumer genetic tests? In order to purchase the service the user must agree to certain things. In the case of 23andMe the purchaser must agree to both consent and waiver and terms of service. I certainly don’t have the background to determine whether these documents meet the criteria to be called contracts of adhesion, but there are some points I think worth considering, particularly given the concern that the public has expressed about privacy of medical and genetic information.

General issues

I reviewed three documents from 23andMe; the privacy statement, the consent and waiver and the terms of service. These documents were respectively 8, 6 and 13 pages long, the last printing in 9 pt. type. I imported the first two into Word and ran the readability statistics package. The ease of reading was 31.6 and 34.4 (target being in the 60-70 range) and grade level was nearly 14. Medicare requires that its patient materials have a readability grade level of 5, and most health educators recommend nothing higher than 8th grade reading level for patient-directed material. This raises the question of how well the materials are understood by the reader (recognizing that in many if not most cases, the documents aren’t even read). As I sit here in my glass house heaving rocks the reader should know that the ease of readability of this post is 41.6 with a grade level of 13.4.

Potential contradictions

In the privacy statement, 23andMe states that, “We will not release your personal information to any outside company without your explicit consent.” Given my experience with HIPAA, medical records and research, I would interpret that to mean that I will be asked to give my consent for this information to be released each time. However, that explicit consent seems to reside in the terms of service which states in clause 9: “…you acknowledge and agree that 23andMe is free to preserve and disclose content to non-profit or commercial partner organizations conducting scientific research…” Finally in the research section of the consent and waiver it states, “We will analyze your genetic and other voluntarily contributed personal information as part of our scientific research with the purpose of advancing the field of genetics and human health.” As best as I can determine, by sending in your saliva you are giving explicit consent to contribute your DNA results to any and all research approved by 23andMe. If you add any information to your profile such as a health condition, age, weight, ethnicity, survey result etc. you have now given explicit consent for that to be added to the data available for release. This consent extends indefinitely unless you close your account at which time your information is removed from their database, however regarding any information already sent to outside collaborators “…we cannot guarantee that it will be destroyed upon request.” (Consent and waiver—Collaborative Research)

Saliva sample

In the privacy document under Genetic Information it states, “…DNA and saliva samples are destroyed after the laboratory completes its work…” However, in the terms of use in clause 17 it states, “Your saliva, once submitted to and analyzed by us, becomes our property.” (this is repeated in clause 18). The destruction of the sample is not referenced at all in the terms of service. As I understand it, the privacy statement has no legal standing—only the consent and waiver and terms of service.

Promises, promises

So what is really warrantied by 23andMe? From clause 3 of the terms of service (the omissions are not intended to disrupt the context): “…genetic information you receive…cannot be relied upon at this point for diagnostic purposes…Genetic discoveries…have not, for the most part been clinically validated…and the technology…has also not yet been validated for clinical utility.”; “…our testing service is not licensed by the relevant state and federal authorities for genetic testing conducted for health and disease-related purposes. Reliance on any information provided by 23andMe, 23andMe employees, others appearing on our website at the invitation of 23andMe, or other visitors to our website is solely at your own risk.” (Emphasis added) From clause 19 (Disclaimer of Warranties, which by the way is all capitalized which is known to reduce readability, so I eliminated them in this post): “…23andMe makes no warranty that…the service will be…unfailingly secure, or error-free…results …of the service will be accurate or reliable…any errors in the software will be corrected…23andMe specifically disclaims any liability with regard to any actions resulting from your participation in the service.”

Felons beware

23andMe in both its privacy statement and terms of use notes that it will disclose your information “…pursuant to judicial or other government subpoenas, warrants, or orders.” (insert your Bill Clinton joke here) This has been a concern for creators of DNA databases and in fairness there are no standards to guide anyone with regards to requests from law enforcement seeking to match a DNA specimen obtained at a crime scene to a DNA database.

What’s new with you?

We all know that genetic knowledge changes rapidly. Will you be able to take advantage of this new knowledge—given that you may have contributed to generation of this knowledge through the 23andMe research program? According to clause 13 of the terms of service the answer is: “You acknowledge that 23andMe may offer different or additional technologies to collect genetic data in the future and that your purchase of our Service today does not entitle you to any different or additional technologies for collection of your genetic data without fee, and you will have to pay additional fees in order to have your genetic data collected on any future or additional technologies.

Bottom line

Having now read these documents, I would certainly encourage anyone wanting to purchase the service to read them carefully and seek help for understanding what they say if necessary. I should also note that while I am “picking” on 23andMe in this post, it’s only because they were the service Grant purchased. All direct-to-consumer testing companies have similar end user agreements that deserve scrutiny. Now if you’ll excuse me I have to run home to read all my software agreements!!

Read the next post - Research 2.0 - For the genetic extrovert in all some of us


  1. Marc, the analogy to software end user agreements is strong but there are arguable distinctions. The end user and provider basically need different protections for the transfer of genetic results vs. software programs. Both parties take some different risks, benefits, and legal ramifications out of the agreement. Also, genetic tests are just increasing in popularity and thus do not have as large a body of regulatory or case law to be governed by (software law is still growing). Further reading from a google search...

    Grant, thank you for sharing all of this. You are doing a great job at creating suspense. Wish you luck, no genes necessary.

  2. Marc,
    I have to admit I found the last post entertaining. And it's uncanny how you knew, because Bill Gates actually holds the paper on my left lung! I traded it for a version of Vista that works.

    But from the standpoint of what I'm most interested in as a potential consumer, I also have to admit that I felt like privacy and disclosure issues, important as they are, sort of put the horse sideways to the cart. Particularly in light of the kind of debate that's shaping up on the national healthcare front, I'm hoping to learn more that takes me farther into the subjects that were coming up on the previous string. I'm not sure what the exact intended audience for your project is, but it seems to me that direct to consumer testing is sort of a ground zero point for examining the intersection between medicine and commerce, and the question of utility seems like a crucial one to answer in order to think about that. I'd love to see more about that as you go along.

  3. Glad to hear you put up your left lung and stuck Gates with your lingula while holding on to your right middle lobe. Vista is clearly a 2 lobe operating system (neither of them cerebral). I must admit to some discomfort regarding the question of our intended audience. There are two reasons for this: First, having minimally explored the blog space as a reader and never as a blogger, I remain for the most part ignorant about who inhabits this space and more importantly why they are there in the first place? More fundamentally being egocentric, historically my writing has for the most part been targeted toward an audience of one—me! If there is anything that separates me from the multitude of other self-indulgent bloggers (an unfair characterization to be sure) it is that others seem to be interested and in some cases entertained by what I write. An unsatisfying answer to be sure. A less philosophical response is that as Grant, Janet and I were having conversations about the testing, we seemed to identify themes that we thought could have some interest for others, and that’s where the blog idea emerged. I can’t say that we ever intentionally considered the audience question. I’ll ask Grant to provide his thoughts as well. I appreciate your input and apologize in advance that the next post on research issues will probably not get to your core area of interest. For better or worse, we’ve reflected a chronologic approach to the DTC testing in the first three posts. Now that we’re receiving feedback (and defining our audience on the fly), we will attempt to be more responsive going forward. Thanks for being patient with our tentative first steps.

  4. Marc,

    I too have no idea who your actual target audience is, and however flattering I am to myself in my self-aggrandizing moments, I would be hard-pressed in anyone's world to make the case that it was just ME! :) I have great respect for anyone who gathers the kick to put together anything as ambitious as this project, and regardless of my small nitpicks, I will gladly follow your future posts as you continue to define your path through it all. Best of luck.