SINCE THE LAUNCH of its DNA testing service in 2007, genomics giant 23andMe has convinced more than 5 millionpeople to fill a plastic tube with half a teaspoon of saliva. In return for all that spit (and some cash too), customers get insights into their biological inheritance, from the superficial—do you have dry earwax or wet?—to mutations associated with disease. What 23andMe gets is an ever-expanding supply of valuable behavioral, health, and genetic information from the 80 percent of its customers who consent to having their data used for research.

So last week’s announcement that one of the world’s biggest drugmakers, GlaxoSmithKline, is gaining exclusive rights to mine 23andMe’s customer data for drug targets should come as no surprise. (Neither should GSK’s $300 million investment in the company). 23andMe has been sharing insights gleaned from consented customer data with GSK and at least six other pharmaceutical and biotechnology firms for the past three and a half years. And offering access to customer information in the service of science has been 23andMe’s business plan all along, as WIRED noted when it first began covering the company more than a decade ago.

But some customers were still surprised and angry, unaware of what they had already signed (and spat) away. GSK will receive the same kind of data pharma partners have generally received—summary level statistics that 23andMe scientists gather from analyses on de-identified, aggregate customer information—though it will have four years of exclusive rights to run analyses to discover new drug targets. Supporting this kind of translational work is why some customers signed up in the first place. But it’s clear the days of blind trust in the optimistic altruism of technology companies are coming to a close.

“I think we’re just operating now in a much more untrusting environment,” says Megan Allyse, a health policy researcher at the Mayo Clinic who studies emerging genetic technologies. “It’s no longer enough for companies to promise to make people healthy through the power of big data.” Between the fall of blood-testing unicorn Theranos and Facebook’s role in the 2016 election attacks, “I think everything from here on out will be subject to much higher levels of public scrutiny,” Allyse says.

23andMe maintains that transparency is a core tenet of the company. “I think a really important distinction to make is that 23andMe operates under an independent ethical review board that oversees all of our research,” says Emily Drabant Conley, 23andMe’s vice president of business development, who oversaw the announcement of the GSK deal. “The guidelines we follow are essentially the same as what other research institutions follow.” So they should apply to any of the analyses GSK might want to run on 23andMe data, like a PheWAS, which connects constellations of symptoms and conditions across many people with a single genetic mutation they all share.

Yet they’re not identical. Researchers point out that medical and academic institutions will often assign someone to walk through consent documents with potential study participants, to make sure they understand all the risks and benefits. With 23andMe, that process is distilled into a number of screens and boxes to click through.

“If you read the documents carefully, all the information is there,” says Kayte Spector-Bagdady, a lawyer and bioethics researcher at the University of Michigan who has reviewed 23andMe’s customer policies. “They really do disclose it all. The challenge is that people don’t read it.”

To register a DNA kit on 23andMe, customers are required to accept the company’s privacy policy and terms and conditions, which together disclose what data 23andMe collects, how it’s protected, and how it can be used and shared. Then customers are given the option to participate in 23andMe research. A lengthy document explains what that entails, and if they click a green box at the bottom saying “I DO GIVE CONSENT,” then the majority of their data—their genetic profile plus any information they enter into surveys or authorize 23andMe to import—can be used for research in de-identified and aggregated form.

It’s a lot of fine print that looks like a lot of other fine print people on the internet click through every day—to browse, buy, watch, and listen online. “They’re so used to sharing data that they may not realize it’s just going in the front end and out the backend,” says Spector-Bagdady.

23andMe customers can withdraw consent at any time, but it may take up to 30 days for their requests to go into effect. And any data shared prior to that date can’t be clawed back from any third parties that might be using it. Deleting your data entirely is even harder—nearly impossible, as Bloomberg reporter Kristen Brown reported, because federal laws require clinical laboratories to keep de-identified DNA test results on file for a minimum of 10 years.

It’s also worth pointing out that 23andMe can, in theory, unilaterally change those terms and conditions and privacy policies at any time, says Katherine Drabiak, a legal expert in health law and research ethics at the University of South Florida. As a commercial enterprise, it’s not bound by the same obligations as medical professionals. 23andMe doesn’t have to take an oath to act in the interest of consumers or to promote their well being.

There’s a tension between the way 23andMe portrays itself as a health company, and simultaneously wants to be treated like every other tech company that makes its money from big data, says Allyse. “You can’t have it both ways. That’s why we have HIPAA, it’s why we have all these regulations that say health information is privileged information that can’t be commodified.”

But 23andMe, with its hybrid model, has been commodifying health and genetic data for years as it wades further into the field of drug discovery. In 2015, Forbes reported that the company had inked its first pharmaceutical company deal with Genentech, for $10 million up front, and up to $50 million if its data turned out to be useful for developing Parkinson’s treatments. Pfizer signed a data-sharing agreement of its own shortly after. That was back when 23andMe had data from only 650,000 consented individuals in its proprietary database. Its critics were unsure of the value of that information, self-reported as it was (and still is). But as the database has grown to the millions, differences in how customers interpret survey questions matter less and less to the company’s potential research partners, according to Spector-Bagdady.

“The hypothesis of this company was to circumvent medical records and just self-report,” Wojcicki told a room full researchers at an event on 23andMe’s campus in May. “Anyone can go get genomes. What’s really hard is phenotypic data.”

To get that kind of health and behavioral information, 23andMe is continually pushing surveys out to its customers. A few questions here, a few questions there; it’s kind of like going on a first date every time you log on. And people love talking about themselves. “We specialize in capturing phenotypic data on people longitudinally—on average 300 data points on each customer,” Wojcicki said. “That’s the most valuable by far.”

GSK’s $300 million investment, which 23andMe says is separate from the research collaboration, gives a good sense of just how valuable. Besides publicly disclosed deals with Genentech and Pfizer, 23andMe has also partnered with Lundbeck, Janssen, Biogen, and Alynlam Pharmaceuticals to share genetic analyses run on deidentified customer data. According to Drabant Conley, those prior collaborations will continue unchanged. But for the next four years—five if GSK decides it wants to extend the deal—23andMe won’t be entering into any new partnerships focused on drug target discovery.

The GSK collaboration also offers 23andMe an opportunity to more seriously test its theory that its data will deliver cures faster than the traditional medical research model. In 2015 the company hired Richard Scheller, a pharmaceutical industry veteran, to spin out an in-house therapeutics division based in South San Francisco. Since then, the group has identified 10 drug targets from 23andMe customer data, all of which are in various stages of pre-clinical development. Now, with the papers signed, 23andMe will work with GSK to decide which of the 10 they will jointly move toward human trials.

Even as it is adding an additional revenue stream in drug development, 23andMe’s future success is still dependent on growing its database with customers willing to participate in research. And that will mean staying in the public’s good graces. On Tuesday, a number of genetic testing companies, including 23andMe, pledged to protect customer privacy under a new set of voluntary guidelines they drafted in collaboration with Washington, DC-based nonprofit, Future of Privacy Forum. However, the new best practices won’t impact any of 23andMe’s medical research because there are no restrictions on the use or release of de-identified data.

“It’s largely a meaningless gesture,” says Allyse. “But the fact is that they felt they needed to make the gesture.”