23andMe faces an uncertain future — so does your genetic data 

Financial and security chaos at the once-pioneering genetic testing firm has intensified concerns about user data. Here’s how to take action.
© 2024 TechCrunch. All rights reserved. For personal use only.

DNA and genetic testing firm 23andMe is in turmoil following a data breach last year and its ongoing financial decline. The once-pioneering giant now faces an uncertain future amid efforts to take the company private, intensifying concerns about what might happen to the genetic data of 23andMe’s some 15 million customers.

Best known for its saliva-based test kits that offer a glimpse into a person’s genetic ancestry, 23andMe has seen its value plummet more than 99% from its $6 billion peak since going public in early 2021, after failing to turn a profit.

That lack of profit was attributed to waning consumer interest in 23andMe’s use-once test kits and lackluster growth of its subscription services. The company was also floored by a huge months-long data breach that saw hackers steal the ancestry data of almost 7 million users throughout 2023. The company agreed in September to pay $30 million to settle a lawsuit related to the breach. 

Less than a week later, 23andMe founder and CEO Anne Wojcicki said she was “considering third-party takeover proposals” for the company. Wojcicki quickly walked back the statement, instead saying she planned to take the company private. But the damage was done, and all of the company’s independent board members resigned with immediate effect.

Where does that leave millions of people’s genetic data?

As evidenced by last year’s data breach, which saw hackers steal information such as users’ genetic predisposition and ancestry reports, 23andMe collects a ton of information on its users.

If you’re one of the many millions who have shipped your saliva to 23andMe to learn about your ancestry, you may have assumed that this data will remain private under law, such as the Health Insurance Portability and Accountability Act. HIPAA, as it’s known, sets the standards for protecting sensitive health information from being disclosed without a person’s knowledge or consent.

However, 23andMe is not a company covered under HIPAA. As such, 23andMe is largely bound only by its own privacy policies, which it can change at any time.

Andy Kill, a spokesperson for 23andMe, told TechCrunch that the company believes this is a “more appropriate and transparent model for the data we handle, rather than the HIPAA model employed by the traditional healthcare industry.” 

A lack of federal regulation and a cluttered mess of state privacy laws ultimately means that if 23andMe faces a sale, the data of millions of Americans is also on the table. The company’s privacy policy says that its customers’ personal information “may be accessed, sold or transferred” as part of a bankruptcy, merger, acquisition, reorganization, or sale.

The fact that customer data is a saleable asset has also been made clear by Wojcicki, who reportedly told investors that 23andMe will no longer pursue its cost-intensive drug development programs and will instead focus on marketing its vast database of customer data to pharmaceutical companies and researchers.

23andMe maintains that its data privacy policies would not change in the event of a sale. These policies state that the company will never share users’ information with insurance companies, or with law enforcement without a warrant. The latter have increasingly turned to third-party DNA companies for genetic information, but 23andMe has so far resisted all U.S. law enforcement requests for such data, according to its long-running transparency report.

Potential buyers of 23andMe may have entirely different ideas about how to use the company’s potentially valuable trove of DNA data. Privacy advocates at the digital rights group Electronic Frontier Foundation have already urged 23andMe to resist a sale to any company with ties to law enforcement, warning that customers’ genetics data could be used by police to indiscriminately search for evidence of crimes.

“Our own commitment to apply the terms of our privacy policy to the personal information of our customers in the event of a sale or transfer is clear: the 23andMe Terms of Service and Privacy Statement would remain in place unless and until customers are presented with, and agree to, new terms and statements — and only after receiving appropriate notice of any new terms, under applicable data protection laws,” Kill told TechCrunch. 

While 23andMe appears to be resisting a sale to a third-party company for now, Wojcicki’s recanted comments have already sounded alarm bells among privacy advocates, who are urging 23andMe customers to take action now to protect their data from being sold by requesting that 23andMe delete their data.

Meredith Whittaker, the president of end-to-end encrypted messaging app Signal, said in a post on X: “It’s not just you. If anyone in your family gave their DNA to [23andMe], for all of your sakes, close your/their account now.”

Eva Galperin, the director of cybersecurity at the EFF, also warned users to take action. “If you have a 23andMe account, today is a good day to login and request the deletion of your data,” said Galperin in a post on X.

Requesting the deletion of your data on 23andMe is relatively easy. 

Log in to your 23andMe account and navigate to Settings > Account Information > Delete Your Account. 23andMe will prompt you to confirm your decision, warning that deleting your account is permanent and irreversible.

There is an important caveat. As noted in 23andMe’s privacy policy, account deletion is “subject to retention requirements and certain exceptions,” which means the company may hold on to some of your data for an unspecified amount of time. 

For example, 23andMe will retain your genetic information, date of birth, and gender “as required for compliance” and will retain limited data related to your deletion request, “including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements.”

Similarly, if you’ve already agreed to 23andMe sharing your data for research purposes, you can reverse that consent, but there’s no way for you to delete that information. Kill tells TechCrunch that around 80% of 23andMe customers — roughly 12 million people — consent to participate in its research program. 

 

