DNA Test Kits, Law Enforcement and TOS

23andme just issued a report that indicates that it has received 4 requests for  customer information from law enforcement agencies and the FBI.  The company was able to fend off those requests.  Given that the company has over a million customers, that’s not a large number, but the implications are chilling.  As Jeremy Telman and I argue in a forthcoming article, the personal data collected by private companies may be used by the government in ways that may surprise us (and, in some cases, deprive of us basic constitutional rights….)  23andme extracts its customers consent by including the following in its TOS:

“Further, you acknowledge and agree that 23andMe is free to preserve and disclose any and all Personal Information to law enforcement agencies or others if required to do so by law or in the good faith belief that such preservation or disclosure is reasonably necessary to: (a) comply with legal process (such as a judicial proceeding, court order, or government inquiry) or obligations that 23andMe may owe pursuant to ethical and other professional rules, laws, and regulations; (b) enforce the 23andMe TOS; (c) respond to claims that any content violates the rights of third parties; or (d) protect the rights, property, or personal safety of 23andMe, its employees, its users, its clients, and the public. In such event we will notify you through the contact information you have provided to us in advance, unless doing so would violate the law or a court order.”

Nevermind that this provision is not one that most customers would have bothered to read, hidden as it is behind a hyperlink and buried in the text.  You can read more about the potential use of DNA test kits by law enforcement agencies here and here. 

But wait – there’s more!  As I was scrolling through 23andme’s terms, I found another provision that potentially affects even more customers:

“Genetic Information you share with others could be used against your interests. You should be careful about sharing your Genetic Information with others. Currently, very few businesses or insurance companies request genetic information, but this could change in the future. While the Genetic Information Nondiscrimination Act was signed into law in the United States in 2008, its protection against discrimination by employers and health insurance companies for employment and coverage issues has not been clearly established. In addition, GINA does not cover life or disability insurance providers. Some, but not all, states and other jurisdictions have laws that protect individuals with regard to their Genetic Information. You may want to consult a lawyer to understand the extent of legal protection of your Genetic Information before you share it with anybody.

Furthermore, Genetic Information that you choose to share with your physician or other health care provider may become part of your medical record and through that route be accessible to other health care providers and/or insurance companies in the future. Genetic Information that you share with family, friends or employers may be used against your interests. Even if you share Genetic Information that has no or limited meaning today, that information could have greater meaning in the future as new discoveries are made. If you are asked by an insurance company whether you have learned Genetic Information about health conditions and you do not disclose this to them, this may be considered to be fraud.”

This is information that might be very useful to a potential customer.  So why is this buried way down in the TOS?  Maybe because it might make potential customers think twice about purchasing the kit?  (Ya think?)  Back in the good old days, companies posted potential dangers relating to the use of their products and services where you could see them.  We used to call them notices and they had to be conspicuous.  Now they bury them in the fine print and call them “contracts.”