Spotify Wants Your DNA?

Remember when Ancestry and Spotify announced a partnership back in September of last year? Us neither. So for those who weren’t paying attention, the two launched a service available for members of Ancestry.com who have used the AncestryDNA test kit. The new feature allows AncestryDNA users to use their DNA results from the test kits to generate Spotify playlists based on the heritage gleaned from the results of the DNA test kits. It’s been a little while since the launch of the service and we’re not sure exactly how many users are taking advantage of it. But considering how the U.S. is on the cusp of major social media privacy policy change, it makes sense to question how two powerful companies plan to treat your sensitive, personal information. While this may sound like a simple, benign feature to offer to users, there is clear pause about what data Ancestry plans to share with Spotify.

 

“That’s because we are firmly in the era where your DNA is seen as a commodity and Ancestry has a license to that commodity.”

 

First off, let’s be clear that Ancestry representatives have tried to assuage privacy concerns, saying explicitly that DNA info is not currently shared with Spotify and that Spotify does not have access to DNA info, according to BuzzFeed News. But, that does not mean that Ancestry doesn’t have the right to share that DNA information with Spotify.

If you have, or are considering using the new feature, it’s worth revisiting the terms & conditions of Ancestry.com. That’s because we are firmly in the era where your DNA is seen as a commodity and Ancestry has a license to that commodity. Theoretically, DNA services like Ancestry and 23andMe could outright own the data from the test kit someone has submitted to them. This becomes even more alarming when these companies start to do business with those such as Spotify that likely have no clear policies on how to treat the potential access to DNA data. But let’s take a closer look at Ancestry’s privacy policies to see what exactly they are allowed to do.

It’s been well documented that as Ancestry’s DNA service has grown, it has struggled to inform users about what it’s allowed to do with DNA data and how much control users have over the data. In fact, Ancestry has had to issue multiple statements to clarify that users own their raw DNA data, and that they merely grant a license to Ancestry to use the data for specific purposes. Those purposes include (1) sending the sample submitted by users to be tested by an approved third party  (with no identifying information) (2) analyzing the DNA data and providing results to users (3) using aggregated information (stripped of identifiable info) for research purposes, and several other reasonable internal purposes. However, Ancestry makes it clear, or at least attempts to make clear, that they will seek out users express consent before providing DNA info to third parties...with exceptions though. This is where the Spotify part becomes relevant.

 
Ancestry

Ancestry

“But, that does not mean that Ancestry doesn’t have the right to share that DNA information with Spotify.”

 

From Ancestry.com’s Privacy Policy:

“Ancestry does not share your individual Personal Information (including your Genetic Information) with third-parties without your additional consent other than as described in this Privacy Statement. In particular, we will not share your Genetic Information with insurance companies, employers, or third-party marketers without your express consent. The circumstances described below explain when sharing might occur:

Service Providers. We use other companies to help us provide the Services to you. As a result, these partner companies will have some of your information in their systems. Our partners are subject to contractual obligations governing data security and confidentiality consistent with this Privacy Statement and applicable laws.

These processing partners include our:

  • Laboratory partners;

  • DNA test shipping providers;

  • Payment processors;

  • Cloud services infrastructure providers;

  • Biological sample storage facilities;

  • Vendors that assist us in marketing; analytics, and fraud prevention; and,

  • Some Member Services functions.

If Spotify is viewed as a partner/vendor providing “Member Services functions” by Ancestry, then Ancestry would not need to ask permission from users to share their DNA info with Spotify. Meaning users would just have to wonder and hope that the “contractual privacy and confidentiality obligations” are up to par to keep companies such as Spotify from running amuck and going rouge with the newly shared DNA info.

Now to be fair, users are not actually linking their AncestryDNA results to their Spotify accounts. But it is worth noting that you must sign into your Ancestry.com account before being able to access the feature that allows you to input your top 5 regions from your results. Then the playlist is generated and launches in Spotify. So while their is not explicit sharing of DNA results with Spotify, there is a clear importance to the connection of having users log into their Ancestry accounts before being able to access the Spotify feature. And thus, it makes sense to question what information is being shared with Spotify unbeknownst to users and what safeguards the two companies are taking to make sure that this feature does not operate as a backdoor into user accounts for the theft of DNA info.

All of this only matters if you have a good sense of how valuable your DNA is to companies. Some of the more nefarious purposes that DNA info could be used for include health insurance exclusion, employment discrimination, identity theft, and my personal sci-fi favorite: cloning. So yes, you should care about how Ancestry and Spotify plan to use and protect your DNA information. If not for you, for your future cloned self.


Tyrone ScottComment