A Conversation About Privacy Protections at 23andMe

Editor’s note: Today is “Data Privacy Day” so we thought it was a good time for a chat with Jacquie Haggarty, who among other roles, is 23andMe’s Privacy Officer.

Jacquie joined 23andMe in 2015 and serves as the company’s Vice President, Deputy General Counsel, and Privacy Officer. 

Prior to her work at 23andMe, Jacquie served as Senior Commercial Counsel at Genomic Health, where she focused on global legal and health care compliance. She spent the first six years of her legal career at Latham & Watkins LLP, working directly with a diverse portfolio of public and private companies on securities, employment, and general commercial litigation. 

Jacquie earned her J.D. from Georgetown University Law Center, her Masters in Public Policy from Harvard Kennedy School, and her B.A. from U.C. Berkeley.

We sat down with Jacquie to hear her perspective on privacy and data protection within the consumer genetics industry.

 

Portrait of Jacquie Haggarty
Q: How do you see your role as the Privacy Officer for 23andMe? 

Privacy is complex in practice, but my focus is simple — to ensure the privacy of our customers’ data and support customers’ choice and access throughout their experience as they explore their DNA. That involves working across the company to educate on our privacy commitments to our customers, to support the design and build of systems, policies, and processes that maintain and strengthen data protection, and to foster the development of content that provides transparency. As Privacy Officer, it’s important to me that we are being clear with our customers about our data practices and then doing what we say. 

So on top of making sure that we adhere to our own strict privacy policies, my job is also to ensure 23andMe adheres to what is an extremely complex set — and growing set — of local, federal, and international privacy laws, such as the European Union General Data Protection Regulation (GDPR), and the California Consumer Privacy Act of 2018 or “CCPA” which was recently amended and expanded by the California Privacy Rights Act of 2020 (CPRA) ). 

Beyond that, as 23andMe’s Privacy Officer, my job is to educate and inform people about what we do to protect customers’ data. I remind people that customer choice and consent is core to our service and the customer experience — what you learn from your DNA with 23andMe and with whom it may be shared is up to you. And I let people know that 23andMe does not share our customer data with public databases. We don’t share it with employers, or insurance companies, and we have never provided customer information to law enforcement. 

I also am continuing our work with the Future of Privacy Forum through which we collaborated with other genetic testing companies to develop the consumer genetic testing industry privacy best practices. 23andMe is also a member of the Coalition for Genetic Data Protection (CGDP) where we work to advance legislation and policies that support the privacy and security of individual genetic data so that all genetic testing companies will be held to the same high standards for protecting customers’ data. 

 

Q: What should customers know about how 23andMe approaches the privacy of customer data?

Customers should know that choice and transparency are the two cornerstones of our privacy approach to what we do. 

Our customers have control — they are in the driver’s seat when it comes to their data. 23andMe is a mission-driven company founded to empower people by giving them access to their genetic information. Part of empowering our customers is giving them a choice, such as the choice about whether they want to view certain sensitive health reports and the choice about whether they want to share any of their information. We do not make assumptions about the way our customers want to share their information when we build features; customers choose with whom they share their information and whether they want to participate in various features, such as DNA Relatives which allows customers who opt-in to participate to find genetic relatives in our database who have also opted into DNA Relatives. 

Giving customers choice also means allowing them to change their minds. At 23andMe, customers can simply revoke their consent to participate in research or opt-out of participation in any feature at any time.

We listen to customers and work closely with our Customer Care team to make sure we address privacy topics and concerns most important to them. Meaningful choice requires transparency and we work hard to make information accessible, including presenting information in ways that are easy to understand.  

We give our customers the choice to participate in our research, and we communicate with our customers about the published studies where their data was used, if they chose to participate. We want our research participants to know how they are helping fuel scientific discoveries in this new genomic age. I know as a customer myself who is participating in research, being able to see that I have contributed to published discoveries on topics as varied as knee pain, depression, and Parkinson’s disease is immensely gratifying.

Q: What are some of the most common misconceptions about 23andMe’s approach to privacy?

The three biggest misconceptions are around law enforcement, selling data, and how our research works. 

First, 23andMe does not allow law enforcement to access its database, nor does it voluntarily cooperate with any law enforcement investigation. We require all law enforcement inquiries to follow a valid legal process, such as a court order or search warrant and are prepared to exhaust available legal remedies to protect customer privacy. 

We are committed to transparency in our interaction with law enforcement, which led us in 2015 to be the first direct-to-consumer genetic testing company to publish a Transparency Report. This report details the number of requests we receive from law enforcement, and the number of times we have produced customer information to law enforcement without the customer’s prior, explicit consent – to date, we have never provided customer information to law enforcement. 

Second, 23andMe does not sell customer’s personal information. We do not share customer data with any third party without the customer’s consent. And, we do not share customer information with insurance companies or employers.

Finally, our Research program is no exception — customers have to separately opt-in to participate in Research. Research is at the core of our mission as a company and it has been from the start. 23andMe’s pioneering research model engages people and invites them to participate online, from anywhere. Traditional research was often limited to physical, onsite recruitment with limited numbers of participants. About 80 percent of our customers choose to participate in our Research program, many tell us they want to accelerate new insights into disease. 

Our Research program is overseen by an independent institutional review board or “IRB” — this is an ethics review board that ensures 23andMe is meeting ethical and legal obligations for research and consent. We are also transparent about our research collaborations, sharing our projects and their findings via email, blog posts, and press releases when published. 

23andMe does sometimes collaborate on research with third parties. In doing so, we only analyze data from customers who have consented to participate in Research. The data we analyze is de-identified — that is, it does not include personally identifiable information such as name or email — and results that are shared are aggregated datasets so that individuals cannot reasonably be re-identified. Customers can also separately choose to participate in Research with individual-level data sharing. And of course, customers can decide to opt-out at any time from any research. 

Q: Why do you like working at 23andMe? 

I’m disruptive — I love challenging the status quo — and I love working for a company that is focused on disrupting healthcare by empowering customers with their own data. For over five years, I’ve been inspired by our customers’ life-changing stories, inspired by our research efforts based on a pioneering, crowdsourced model. I’m hopeful that our efforts will lead to novel therapeutics that address unmet medical needs. It’s incredibly meaningful to be able to work in an ecosystem built on empowering today’s customers, today’s research participants – each as individuals – to be able to be a part of a collective that can turn healthcare on its head and accelerate drug discovery to help tomorrow’s patients. It’s an opportunity that is as unique as your DNA.