Ancestry, 23andMe, and the acquisition of your genetic data

In April 2018, the world of commercial DNA testing was permanently rocked. Police used GEDmatch, an open database where people upload their DNA results from companies like Ancestry and 23andMe, to solve the decades-old Golden State Killer case. While the public was captivated by the detective novel characteristics of the discovery, advocates foresaw darker implications for the privacy of genetic information.

Following the success of the case, law enforcement began trawling genetic databases for matches to suspects, and at least one consumer testing company changed its privacy rules to allow it. Observing this shift, UC Davis law professor Elizabeth Joh tweeted, “First rule of data: once you hand it over, you lose control of it. You have no idea how the terms of service will change for your ‘recreational’ DNA sample.”

Genetic testing has been plagued by a low roar of privacy concerns since it gained popularity in the 2010s, but this week, Blackstone’s $4.7 billion purchase of Ancestry dramatically turned up the volume. Blackstone is a private equity firm and the largest real estate owner in the world. While Blackstone says it will keep Ancestry the way it is, it remains to be seen exactly how Blackstone will leverage Ancestry’s database of millions of genetic profiles.

As Alan Butler, interim executive director and general counsel for the Electronic Privacy Information Center, told CBS News, “The big concern when there is a big deal like this is that investors might be interested in that data for other reasons, and not in the ways that consumers intended when they gave over that information."

Sharing genetic data can be risky. The DNA that you hand over to genetic testing firms, after all, is a fingerprint that only corresponds to you. Unlike facial recognition software, which can be flouted by masks or visual modifications, a person’s DNA fingerprint cannot be altered. Data leaks, whether from a doctor’s office, public database, or private company, are always possible.

But private genetic testing companies like Ancestry and 23andMe, recognizable for their playful commercials of people finding their ancestors and “meeting their genes,” introduce an additional layer of risk, because they don’t exclusively hold on to the genetic data they collect. They sell it. The companies’ business models are premised on two streams of revenue: the upfront $99 that consumers pay to spit in a tube and receive a genetic profile, and the more lucrative selling of anonymized data sets to pharmaceutical companies and researchers.

“Meet your genes” 23andMe ad; screencap from YouTube

The second stream of revenue, selling to interested pharmaceutical companies, doesn’t get cute commercials, but it is the bedrock of the company. Ancestry and 23andMe don’t even do their own genetic testing. 23andMe has contracts with LabCorp, while Ancestry uses Quest Diagnostics for its DNA testing and LabCorp’s physician network for its AncestryHealth service. 23andMe and Ancestry are essentially data analysis and storage warehouses, holding information harvested from consumers’ spit.

If you’ve ever read interviews with 23andMe executives, this won’t come as a surprise. In a 2019 interview with Forbes, 23andMe’s chief scientist Richard Scheller noted that “I thought it was genius actually, that people were paying us to build the database. People want their data to be used and to help scientific discoveries.” In 2013, 23andMe board member Patrick Chung told Fast Company that “[t]he long game here is not to make money selling kits, although the kits are essential to get the base level data. Once you have the data, [the company] does actually become the Google of personalized health care.”

The datasets that 23andMe and Ancestry compile are unique and lucrative. They hold the largest datasets of certain genetic profiles—for example, people who have tested positive for a gene associated with Alzheimer’s—available to researchers anywhere in the world. This is exciting for pharmaceutical companies looking for research subjects. In 2018, 23andMe and pharma giant GlaxoSmithKline entered a partnership wherein GSK invested $300 million in 23andMe, and the two agreed to split the profits and costs of new drug discovery equally.

As the only two major players in the game, 23andMe and Ancestry have reaped the benefits of a growing consumer genetic test market (despite a slight slowdown this year). In 2015, MIT Technology Review estimated 1.5 million people had taken tests, split nearly equally between Ancestry and 23andMe. By 2019, 14 million had used Ancestry’s service and 9 million had used 23andMe’s, for a total of 23 million tests (26 million, if you count services outside the Ancestry/23andMe duopoly). Their datasets grow and become more nuanced with every spit test they receive.

Privacy advocates are so concerned with this mass sharing of data because DNA (especially as science and computing power gets better) is the key to some potentially dangerous information, including a person’s predisposition to certain diseases. Although there is a law, the Genetic Information Nondiscrimination Act (GINA), that forbids insurers and employers from discriminating on the basis of genetic information, it’s difficult to enforce. Attorney Jeffrey Taren, whose firm litigated one of the first GINA cases, told Fast Company that “Your genetic test results should still be guarded as closely as possible. It cannot be used in any way by an employer, but believe me it’s not going to be ignored if it comes across their desks.”

23andMe and Ancestry offer relatively straightforward privacy statements, telling customers that their genetic information will only be shared with third parties if the customer consents to be part of anonymized research up front. But the recent Blackstone acquisition of Ancestry throws reassuring privacy statements into question. Blackstone presumably sees financial opportunities in this large pile of patient data, and privacy statements are always subject to change.

Ancestry ad; screencap from YouTube

Ancestry and 23andMe’s privacy policies are essentially the same; the two companies, running away with the market, don’t compete on privacy. Consumers have few options with where to send their data anyway. It’s unclear how this will play out: on one hand, consumer pressure may force these companies to hold a strict line on how they sell data. On the other hand, Ancestry and 23andMe’s business models are fairly opaque. Once a consumer’s data is in the system, they have to explicitly seek to exclude it from further research, a process many people might not know about. Furthermore, there’s no guarantee that, as in the case of Blackstone and Ancestry, another corporation less committed to privacy won’t acquire the company and its DNA.

The market is especially noncompetitive for racial minorities. Consumer DNA testing firms use genetic reference groups to determine the ancestry of a particular person, so the accuracy of the results are reliant on network effects. In other words, ancestry determinations are partially dependent on how many people of different racial and ethnic categories have already used that service and been included as part of a specific reference group. Because racial minorities comprise a relatively small proportion of Americans, Black and Hispanic Americans have struggled to get accurate test results, even when using 23andMe and Ancestry. Some smaller DNA testing companies have tests only accurate in white people.

When all of the data is concentrated in one of two companies, there are fewer choices for consumers, and less pressure on the companies to keep their (voluntary) privacy commitments. It also means that when Blackstone decides to buy one of the two, Blackstone is, with a single purchase, acquiring a large percentage of the consumer genetic data available in the market. What they do with it, and how that changes Ancestry’s data sales, remains to be seen.

Thanks for reading! Let me know your thoughts in the comments or by responding to this email.