Behind at-home DNA testing companies sharing genetic data with third parties

It's estimated more than 12 million Americans have sent their DNA to be analyzed by companies like 23andMe and AncestryDNA. The data is then sometimes shared with or sold to third parties for use in medical research. Recently, 23andMe announced GlaxoSmithKline invested $300 million in their company for a "four-year collaboration" where the pharmaceutical company would use 23andMe's data to develop drugs. 

"Using it for research – I'm all excited if Harvard University is going to study and learn about a disease. But a pharmaceutical company, it's a very different story," said CBS News medical contributor Dr. David Agus, director of USC Norris Westside Cancer Center. One concern, he said, is that "this is a select group of patients who can afford to do it. So do we want drug development only done on the 'haves' and not on the whole population?"

Both DNA companies say data isn't used without consent. "Customers can choose to opt-in or opt-out at any time," 23andMe said in a statement on its website. An AncestryDNA spokesperson told CBS News, "Customers must explicitly opt-in to participate in scientific research & can revoke permission at any time."

An editorial in Thursday's New England Journal of Medicine called for more oversight in the industry, saying: "Our current regulatory approach to privacy in direct-to-consumer (DTC) genealogic testing has permitted the creation of a Wild West environment."  

Law enforcement has used public DNA databases to identify criminal suspects as well, like the alleged "Golden State Killer."

"What the police did was, they took DNA evidence from the scene and they sent it in to one of these companies," Agus said. (Police in that case reportedly used a site called GEDMatch.) "And then they said, 'Who is he related to?' And then they went to those relatives and they figured out who he was. And so what's amazing is that, you can send in DNA, I could take DNA from that coffee cup and send it in and learn about Norah [O'Donnell]. And so what does that imply?"

While it's fun for some people to learn more about their heritage or discover distant relatives, Agus said the opt-in and privacy agreement is very long.

"Can you imagine? Is there anybody in history that's ever read all this stuff?" Agus said, flipping through a stack of printouts of the agreement. "I tried to read it in the green room and I was asleep by page two. And so while there is privacy, and described here, it's very hard to understand or even read."