23andME…And YOU

What a popular genetic testing company’s bankruptcy means for your privacy

By Shant Karnikian

You place an order. A few days later, an attractive, colorful, user-friendly kit arrives. You spit in a tube, register a little information online, send the package back, and… presto! In a few weeks, you have access to a genetic report that can tell you all kinds of interesting and useful things about your ancestry, health, and traits.

Direct-to-consumer (DTC) genetic test kits can help you trace your genealogy, understand your ethnic makeup and family origins, and discover long-lost relatives or historical figures with whom you share a lineage. They can also tell you where you got your darling dimples or red hair, what diseases or health conditions you might be at risk for, and which genetic conditions you may be a carrier for.

Numerous companies currently offer such services: MyHeritage DNA, AncestryDNA, and Family Tree DNA, to name a few. More than 15 million people have used 23andMe, a California-based biotech firm founded in 2006 that provides DTC genetic test kits and several types of report packages.

Although DTC tests have certain limitations—they’re not as reliable or comprehensive as those provided by a healthcare provider—they can be fascinating and beneficial. For example, although this type of test can’t diagnose a disease, knowing that you have a predisposition to, say, lactose intolerance or significant weight gain can help you take better charge of your health and relevant lifestyle choices. DTC is accessible, affordable, and non-invasive.

“Welcome to you,” 23andMe’s saliva test kit says.

Your access to all this information, of course, relies on the testing company having your data. When engaging 23andMe services, customers encounter various consent agreements regarding what the company can do with it. Account settings and preferences let users opt in or out of participation in data sharing and research, for example. DNA data, for obvious reasons, is among the most sensitive forms of personal data—your unique biological blueprint. And, in today’s digitally-driven economy, data is widely viewed as one of the most valuable assets—including in bankruptcy proceedings.

In March, 23andMe, once valued at over $6 billion, filed for Chapter 11 bankruptcy after several years of financial difficulty and has announced its intention to sell.

In a press release, 23andMe said the company is seeking court authorization to begin the sale process and that it “plans to conduct an auction to maximize the value of its assets.”

This raises very serious concerns about the management and safety of millions of customers’ genetic data.

Exposed genetic data carries a wide range of risks and privacy concerns, such as:

Identification. Although 23andMe has sought to reassure customers that “all genetic data it shares with researchers is stripped of identifying information, such as names and birth dates,” according to NPR, studies have shown that it is possible to re-identify anonymized genetic data.

Discrimination. While the Genetic Information Nondiscrimination Act (GINA), a federal law, prohibits discrimination based on genetic information, concerns remain that insurers or employers could use genetic data to deny coverage, raise premiums, or impact hiring decisions.

Family privacy. Your genetic data is unique to you, but it connects you to your relatives and ancestry. Revealing family relationships has potentially wide-ranging implications; for example, individuals could be linked to family members who committed crimes.

Potential misuse in criminal investigations. 23andMe’s privacy rules state that they turn over data to law enforcement only with a “valid subpoena, search warrant or court order.” Still, experts caution that, currently, there are few restrictions on how law enforcement can use genetic data obtained from commercial databases.

Consumer profiling. AI tools could be used to profile consumers based on genetic information, predicting buying behavior to create targeted advertising.

Unwanted/upsetting information. A data breach could reveal, to an individual or family, health information that they did not wish to know, such as a predisposition to certain cancers or Alzheimer’s disease.

“We are committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction,” 23andMe said in its statement. “Any buyer will be required to comply with applicable law with respect to the treatment of customer data.”

However, as the AP reported, “experts note that laws have limits — for instance, the U.S. has no federal privacy law and only about 20 states do.”

California’s Genetic Information Privacy Act (GIPA) and the California Consumer Privacy Act (CCPA) provide some additional protections, including the consumer’s right to request data deletion. However, enforcement may be challenging once data is transferred to a new owner. Further, security could be compromised during the upheaval of bankruptcy and sales. “Job cuts could leave fewer employees to protect customers’ data against hackers,” the AP said. Indeed, 23andMe found itself in legal trouble in 2023 due to a data breach that exposed the personal genetic information of close to 7 million customers. A class action lawsuit was settled for $30 million, and last November, the company laid off 40% of its employees.

Some science/technology pundits have argued that genetic data is not inherently more sensitive than other kinds of personal information, such as medical records, which are not only potentially easier to misuse but also easier for hackers to get their hands on.

However, the concerns are serious enough that California Attorney General Rob Bonta quickly issued an urgent consumer alert, providing an 8-step guide to deleting your personal genetic data from 23andMe.

Basic steps you can take to protect your genetic data and privacy:

  • Download your data from 23andMe. Before you delete your account, log in and download a copy of your profile or any data you wish to save.
  • Permanently delete your data and account. Once you’ve downloaded any data you want to keep, delete your entire 23andMe account. The 23andMe website provides instructions for account deletion.
  • Ask 23andMe to destroy your biological sample. If you previously asked the company to preserve your saliva sample, you can request that it be destroyed.
  • Withdraw consent. If you previously granted permission for your genetic data to be shared with third parties and/or used in research initiatives, adjust the preferences in your account settings.
  • Stay informed. Follow this evolving story, including 23andMe’s official communications, to understand ongoing developments and implications.

It’s important for 23andMe users to realize that some of their data may already have been shared and used, and is therefore past the point of retrieval or deletion. Even customers who trusted 23andMe may not trust a new owner when the company is sold to the highest bidder.

Our firm is committed to protecting consumer rights, which includes privacy rights. We have a proven track record of standing up to big businesses that engage in fraud or unfair practices to gain an advantage over competitors. This includes protecting the public from false or misleading advertising in situations like “bait and switch” advertising tactics, warranty misrepresentation, defective products, forced arbitration clauses, and identity theft. Class action lawsuits can provide recourse for consumers whose rights have been violated by companies that engage in abusive business practices.