One recent trend that makes privacy professionals very nervous is the “what’s my DNA say about me” fad. You swab your cheek, mail it off to a lab, and presto: you learn that you’re 99% Irish/Scottish and 1% Pacific Islander with a high chance of getting appendicitis. Obviously, unlocking the mysteries of our ancestry is an alluring concept, and moving beyond the simple “family tree” model presents exciting possibilities for understanding who we are. The added benefit is that we can identify potential risks related to our health. In fact, bespoke medical treatment based on genetic factors has become big business, as has matching your DNA to an optimal diet.

This is, of course, the part where we get into why genetic testing from a box is riven with risk, and that handing your most sensitive, revelatory, immutable personal data to a company with opaque privacy practices is a dangerous prospect, and that you should be very cautious about what the end product is. So, you know…that.
“Yes, yes,” you might say, “those companies don’t have a strong background or pedigree – but look, the Mayo Clinic has started to offer genetic testing! Surely — surely — so trusted an institution as the Mayo Clinic would understand that data privacy hucksterism is beneath its dignity. Right? You guys?”

Down the Privacy Policy Rabbit Hole
Understanding the Mayo Clinic’s genetic testing plan requires a bit of investigation into their privacy practices, which means understanding privacy policies generally.
Reading privacy policies is a difficult business, largely because it’s designed to be a difficult business. Writing them is no easy task either, but if you’re approaching the project from the perspective of making them understandable, it’s actually much harder, because when you’re simply using legalese to make operations opaque, you can copy and paste what every other confusing policy or terms of service says.
In our view, there are two primary kinds of “bad” practices when it comes to privacy policies. For an example of the first practice, look at just a small portion of the LA Times privacy policy:
We may automatically collect certain information about the computer or devices (including mobile devices) you use to access the Services. For example, we may collect and analyze information such as (a) IP addresses, geolocation information (as described in the next section below), unique device identifiers including mobile advertising identifiers and other information about your mobile phone or other mobile device(s), browser types, browser language, operating system, the state or country from which you accessed the Services; and (b) information related to the ways in which you interact with the Services, such as: referring and exit pages and URLs, platform type, clicked items, interaction with advertisements, domain names, landing pages, pages and content viewed and the order of those pages, the amount of time spent on particular pages, mouse hover including location and time spent on each area of the page, the date and time you used the Services, the frequency of your use of the Services, error logs, and other similar information. As described further below, we may use third-party analytics providers and technologies, including cookies and similar tools, to assist in collecting and analyzing this information.
It’s fine, I know you didn’t read it. Why would you? It’s 1) dense, 2) written in techy/legal terms, and 3) overly long. This is what we call an “Information Overload Model,” where the site gives you so much information that you can’t process it all and so don’t understand what’s being said. It’s like hiding in plain sight.
The second kind of bad practice makes an appearance, frankly, in virtually all privacy policies. Here’s a sample from Vanguard’s:
We may combine the information collected on our website or through our mobile application with information collected from or about you in other contexts. This may include information collected online, such as through our email exchanges with you, or from offline sources, such as information that we collect when you establish your account with us or call customer service. We will treat such combined information in accordance with this policy. If you do not wish to provide information to Vanguard, we may be unable to provide certain products or services to you.
This was shorter, so maybe you read it, but if so, did you come away with any understanding of what Vanguard actually does? Of course not! It’s so utterly couched in qualified terms (“we may do X with data which may include Y”) that you can’t be at all sure what they’re talking about. We call this the “Equivocation Model,” where what the policy expresses is so vague that it lets you know that something is going on, but you really don’t know what it is.
Taking this to its logical conclusion, when a privacy policy adopts both the Information Overload Model and the Equivocation Model, it’s often because the company is 1) tracking/profiling you, 2) selling/sharing your data with third parties in an undisclosed data partnership, and 3) creating data products based off of the information it collects. A bad privacy policy doesn’t necessarily mean that the company is bad, but it definitely means that they’re not being as transparent as they should about how they use your data.

Mayo’s Genetic Testing
That brings us back to Mayo’s “GeneGuide,” which promises to do many of the same things that other genetic testing programs do – identify genetic traits, highlight potential risk factors, and look into heredity and family background. And, as mentioned, it’s the Mayo Clinic, so there’s more than a patina of trust involved here: the institution is universally well-regarded, and considered one of the best hospital systems in the world. It has the kind of brand recognition and brand respect that most businesses could only dream of having — a point we’ll return to later.
The issue here is not with the testing itself: we have no reason to suspect the program is anything other than exactly what it says and, relying on the reputation we just mentioned, we expect that it will be carried out properly. The point of our discussion is an examination of what Mayo says it will do with your data, and why, an examination we hope will shed some light on just how carefully you have to parse privacy policies to understand them.
So, let’s say you want to find out how your data will be used. You’ll need to know what documents to read and how to find them. How complicated can that be? As it turns out, it takes finding, and then reading, four fairly involved documents. Don’t worry: we did it for you.

Document One – Terms of Service for Mayo Websites
The first document governing your encounter is the Mayo Clinic Terms of Service for its websites. To be clear, this isn’t for any specific website, it’s just the policy that applies to every internet property Mayo controls. Interestingly, it’s dated February 6, 2015, which makes it older than Apple Music and Periscope. In Internet years, that’s ancient. It’s also definitely not GDPR or CCPA compliant, and so, one wonders, how much attention has gone into privacy practices in the past four years.
The Terms themselves are awash in the “by using this site you agree to everything below” approach to disclosures that calls itself “Notice and Consent” but is emphatically more of a take-it-or-leave-it character. For instance, by visiting the site, you “agree” to:
- Indemnify Mayo against all claims by third parties for any actions you take on the site;
- Waive any claim that information, including health information, on the Mayo website was incorrect, and;
- Submit to the jurisdiction of another state, depending upon whether you obtained services from Mayo.
Even assuming that you find a way to bring a claim against Mayo for an action arising out of your use of their site, the Terms limit your remedy to….stop using the site. No, we’re not making this up. (“YOUR SOLE AND EXCLUSIVE REMEDY FOR DISSATISFACTION WITH THE SERVICE IS TO STOP USING THE SERVICE”).

Document Two – Mayo Websites Privacy Policy
This one is a little more recent, bearing the now-familiar May 25, 2018 effective date, which means that they were obviously thinking about GDPR. That’s a good sign. And, overall, this policy is substantially more direct about what Mayo does with the data it collects about you and its approach to privacy. The problem is that the more direct story isn’t a particularly good one.
Most glaringly, they come right out to say:
We may share the information we collect about you with third parties who we have engaged to help us provide the services. In each case, we will ensure that these third parties have agreed to safeguard your data.
If you ignore the “we may share” language and replace it with the more accurate “we absolutely will share,” this statement at least makes clear what’s going on. Any and all information Mayo obtains through its websites can go to a third party — other than restricted personal health information protected by HIPAA, explained in yet another document you have to read to understand what happens to your personal data.
There are some other traditional privacy policy shenanigans, too. For instance, they don’t honor “do not track” requests, and Mayo will share data with third parties that identifies individual data subjects if they’ve consented to being identified. That latter point might be fine if accompanied by an explanation of how and when such consent is given: for some companies, simply using their website is taken as a blanket consent to disclosure of any and all data. You simply can’t know if it isn’t disclosed, and there’s no explanation here about how to find out more.

Document Three – General and Specific Privacy Policy
Next, you’ll have to read Mayo’s overall privacy policy to understand what happens to your data — but only after you’ve finished the terms and conditions for the genetic testing and the informed consent for the program, which we aren’t even counting in our little survey here.
This is not a privacy policy as much as a privacy practice document – it sets out what actually happens with the data Mayo collects, as opposed to the more generalized “here is what happens on our website” policies we’re used to. In a sense, it is much closer to what people would expect to read when they search for privacy policies (which almost never happens).
The general policy sets out many of the standard HIPAA requirements for privacy and uses of personal health information (PHI). It also explains how Mayo uses, or restricts its uses, of PHI. For instance, Mayo warrants that it won’t use personal health data for marketing purposes without express written consent, and sets out, in some detail, many of the purposes for which PHI is used. The details are fairly substantial here, and it’s much easier to understand exactly what is going on.
That is, with one exception. Mayo says that it “does not sell or rent our patients’ names or addresses to any organization outside of Mayo Clinic.” That may sound reassuring, but remember that not every data partnership involves sharing data for money: the first valuation bucket of data assets to trade is the “zero-dollar” bucket, where information is exchanged, without charge, for benefits. So unless you hear the magic words “we don’t transfer or otherwise share your data,” you should be very wary.

Document Four – Program Specific Privacy Policy
At last, you come to GeneGuide’s specific privacy policies with respect to the program. It is a brief document, given the kind of sensitive data involved in genetic testing, and simply added on to the terms and conditions for using the program at all. In fact, it largely points back to Document Three, the privacy policy for how PHI can be used.
The closest this document comes to a meaningful disclosure is the statement that Mayo “may share the information you provide to us and that we collect about you, in aggregate, de-identified basis, with third parties we have engaged for research to improve our products and services or for other business purposes.” That’s a red flag, because “aggregate, de-identified basis” can mean almost anything, as multiple reports on the weakness of “pseudonymized data” show. We’ve made this point many times: if it was easy to de-identify data, it’s just as easy to re-identify it.
More important, though, is the contrast between this document and the general privacy policy. Why are there not more details? Why are the exact uses of this highly sensitive data not clearly spelled out and, in our time-crunched culture, why is it necessary to click through to a second policy to get more detail?

The Problem with Privacy in a Policy
The answer is, unfortunately, that this is simply how we’ve come to think of privacy online: a never-ending series of links, unclear policies, and some combination of the Information Overload and Equivocation Models. Mayo’s policies aren’t morally evil — in fact, they’re more honest and straightforward than many others we’ve seen. But the policies are still confusing, disconnected, disaggregated, and almost impossible to decipher without a JD.
Are we saying that you should never do genetic testing? Of course not. We know virtually nothing about how the tests themselves are run, and certainly can’t give you any insight into what’s done to reach conclusions about health risks or family background. That’s kind of our point, though: without a meaningful background, or at least meaningful data to examine, you can’t just make decisions that have long-term consequences and assume everything will be fine.
In the end, this crisis of privacy has many causes, but one of them is certainly the reduction of privacy to a concept that can be, and often is, simply a fig leaf in the form of a vague privacy policy. As long as consumers, business partners, and regulators accept that privacy can be “handled” by obfuscating what a company does in a series of documents that no one (no one) reads, we can’t be surprised when privacy rights erode or personal data is abused.
These privacy policies always start the same way: “We take your privacy seriously.” In many cases, that’s demonstrably untrue. But how can we blame a company for not taking our privacy seriously when we don’t either?
