Last week, 23andMe, the direct-to-consumer genetic testing service, announced its strategic license agreement with Almirall, a leading global pharmaceutical company, for the rights to a bispecific monoclonal antibody designed to treat Il-36 cytokines in autoimmune and inflammatory diseases. The antibody was discovered by 23andMe’s Therapeutics team, using the genetic information from more than 8 million personal testing kits from customers who consented to use of their data for genetic research. While the finances surrounding this particular license agreement are currently unknown, 23andMe’s $300M deal with GlaxoSmithKline in 2018 for a four-year drug research and development partnership gives us some idea of the potential profit from this joint venture.

Putting aside the obvious health and research benefits from such a massive data pool, the use of millions of consumer saliva samples naturally raises the ethics question of who should be profiting from what is arguably your most intimate and valuable data – your DNA. Despite the lucrative partnerships with big pharma, consumers who provide their genetic blueprint to testing services aren’t getting a piece of pie. A review of the Terms of Service for 23andMe, for instance, along with those from other industry giants like and FamilyTreeDNA, reveals that consenting users waive all potential claims to a share of the profits arising from the research or commercial products that may be developed.[1]

A larger issue, however, relates to the privacy and data security concerns with regard to these large databases of genetic data. In addition to finding out that you have a fourth cousin living just down the road or that your Italian grandmother is anything but, your DNA may also be used to identify you specifically, more so than your name or even your SSN. And depending on who has access to these databases – be it big pharma, insurance companies, hackers, law enforcement, or otherwise – even if the data is de-aggregated or de-identified, because your genetic makeup is a direct personal ID, there is always the potential for your identity and health data to be compromised or used against you. For instance, California’s notorious Golden State Killer was caught and arrested in 2018 after investigators matched a DNA sample from the crime scene to the results of a genetic testing kit uploaded to a public genealogy website by a relative of his. Notably, the Contra Costa County District Attorney’s office was able to obtain that genetic matching without any subpoena, warrant, or similar criminal legal process, which raises additional privacy and security concerns. And last December, the Pentagon issued a memo advising members of the military not to use consumer DNA kits, citing security risks.

Consumers seem to be getting wind of these privacy concerns, as evidenced by declining sales of genetic testing kits and genealogy service providers, including 23andMe, struggling to stay afloat.

[1] This arrangement tends to evoke an ethical inquiry similar to that surrounding Henrietta Lacks, who received no compensation for her bodily cells taken post-mortem (and without her consent) and which have been used for decades in the development of countless vaccines, medical research, and drug formulations.