California bill would prevent genetic-testing firms from using surreptitiously obtained DNA

by Jessica Shugart, San Jose Mercury News

If you want to keep your DNA to yourself, be sure not to leave any stray hairs, Q-tips or underwear lying around. There are genetic testing companies out there willing to reveal your most intimate biological secrets to anybody — without your knowledge or permission.

And under California law, such genetic snooping is perfectly legal.

Now, legislators in Sacramento are considering a bill to change that. Senate Bill 222, which faces a key hearing Thursday, would require a donor’s consent to collect, analyze or share genetic information. While the legislation might seem like a slam-dunk in the ever-evolving battle between technology and privacy, it’s generating opposition from unlikely quarters: major research universities such as Stanford and the University of California, which argue that providing those protections will create unnecessary red tape and costs.

"We have privacy laws in place to protect health and financial information," said the bill’s author, Alex Padilla, D-Pacoima. "But arguably the most personal information about us — our own genetic profile — isn’t protected."

Most Californians are probably familiar with genetic testing companies such as 23AndMe that will screen customers’ DNA for their predisposition to cancer, diabetes, Parkinson’s, Alzheimer’s and a host of other diseases. But less known is that a growing number of firms are also offering paternity testing — with or without a person’s knowledge — as well as "infidelity testing," in which an allegedly unfaithful partner’s underwear is secretly screened for genetic traces.

Padilla cites Elk Grove-based EasyDNA, which makes no attempt on its website to discourage customers from secretly sending in someone else’s genetic material under its "discreet DNA samples" program.

"Sometimes it is not possible to directly obtain samples from the person who needs to be tested," says the website. "In this case, discreet samples can be submitted instead. Samples that can be used include strands of hair, blood, clothing, cigarette butts and other items that may contain traces of DNA."

EasyDNA representatives did not return repeated phone calls.

Mountain View-based 23AndMe says it has an extensive privacy policy in place — and that the company doesn’t do paternity or infidelity testing.

"We require that the person who’s submitting the sample is the person who has legal authorization or consent on behalf of the person they’re providing samples for," said 23AndMe spokeswoman Catherine Afarian.

But given that all of 23AndMe’s consent forms are filled in online, what’s to stop a person from sending in someone else’s DNA without their consent?

For one thing, Afarian said, it would require a whole lot of saliva.

[Photo: A device checks the quality of a sample of DNA at the Mayo Clinic in Rochester, Minn., 2006. (AP Photo, Christina Paolucci)]

"We require eight milliliters of spit, which is actually quite a lot of spit," she said. "It usually takes people at least five to 10 minutes to gather that amount, so it really minimizes the ability for anyone to nefariously collect someone else’s saliva."

At least 30 other states have laws in place providing safeguards against the collection or sharing of genetic information, although the laws differ on the types of genetic information they protect. Some states protect the privacy of only health-related genetic information, while others treat all DNA as private property. But "California, where a lot of this industry and innovation is taking place, doesn’t have those protections," Padilla said.

The protections that Californians now have over their genetic information are embedded within the health care system. The federal Health Insurance Portability and Accountability Act — better known as HIPAA — protects the genetic information of patients along with their personal health information. Similar state-level protections are also in place.

But Padilla argues that the laws don’t protect Californians against privacy threats posed by companies outside of the health care setting.

An MIT graduate with a degree in mechanical engineering, Padilla says the bill is not aimed at institutions that perform vital research.

His first attempt to pass similar legislation died last year in the Appropriations Committee. The new version of the bill — which narrowly passed the Senate Judiciary Committee and faces an Appropriations Committee hearing Thursday — includes a specific exemption for institutions that already comply with health care privacy laws such as HIPAA. It also allows for the use of genetic information that has been stripped of information that links the DNA back to its source.

But UC asserts that these exceptions don’t go far enough and that SB222 could slow the progress of research and clinical trials. In particular, the university is concerned that written consent will need to be obtained from thousands of people who previously donated samples now being used in research and clinical trials — a process they claim could cost millions of dollars for extra administrative work. It would also "put the state’s biomedical industry at a distinct economic disadvantage," UC legislative director Angela M. Gilliard wrote to the Senate Judiciary Committee.

Privacy advocates, however, argue that protection of Californians’ genetic profiles must be a priority.

"Americans very much want medicine to incorporate research into genetics," said Michael Risher, a staff attorney with the ACLU, which has not taken a position on the bill. But "at the same time they want to make sure that information about their genetic makeup is not misused."