DNA and genetic testing company 23andMe is in disarray following a 2023 data breach and its continued financial decline. The once-pioneering giant faces an uncertain future as bankruptcy looms over the company, raising concern about what will happen to the genetic data of around 15 million 23andMe customers.
Best known for its saliva-based test kits that offer a glimpse into a person's genetic ancestry, 23andMe has plummeted more than 99% from its $6 billion peak since going public in early 2021, having failed to turn a profit.
That lack of profit was attributed to stagnant growth in its subscription services and waning consumer interest in 23andMe's test kits. The company was also floored by a massive, months-long data breach that saw hackers steal ancestry data from around 7 million users throughout 2023. The company agreed to pay $30 million in September to settle a lawsuit related to the breach.
Less than a week later, 23andMe founder and CEO Anne Wojcicki said she was “considering a third-party acquisition proposal” for the company. Wojcicki immediately walked back the statement and said she intended to take the company private instead. However, the damage was done, and all of the company's independent board members immediately resigned.
After filing for bankruptcy protection in March 2024, the company's assets, including its vast bank of DNA data, will be sold through a court-supervised sale. Wojcicki has also resigned from the company.
Where does that leave the genetic data of millions of people?
23andMe is primarily bound by its own rules
23andMe collects a great deal of information about its users, as evidenced by the 2023 data breach in which hackers accessed information such as users' genetic predispositions and ancestry reports.
If you're one of the millions who shipped your saliva to 23andMe to learn about your ancestors, you might have assumed that this data remains private under the law, including the Health Insurance Portability and Accountability Act. HIPAA, as it is known, sets standards for protecting sensitive health information from disclosure without a person's knowledge or consent.
However, 23andMe is not a company covered by HIPAA. 23andMe is therefore primarily bound by its own privacy policy, which can be changed at any time.
23andMe spokesman Andy Kill told TechCrunch that the company believes it is “a more appropriate and transparent model of the data we process, rather than the HIPAA model adopted in the traditional healthcare industry.”
The lack of federal regulation and the patchwork of state privacy laws mean that if 23andMe is ultimately sold, the data of millions of Americans will also be on the table. The company's privacy policy states that customers' personal information may be “accessed, sold or transferred” as part of a bankruptcy, merger, acquisition, reorganization or sale.
Wojcicki herself has indicated that customer data is a saleable asset. She reportedly told investors that 23andMe would no longer pursue its cost-intensive drug development program and would instead focus on marketing its vast database of drug data.
23andMe claims that its data privacy policy will not change in the event of a sale. That policy says the company never shares user information with insurance companies, or with law enforcement without a warrant. The latter is increasingly turning to third-party DNA companies for genetic information, but 23andMe has so far resisted all U.S. law enforcement requests for such data, according to its long-running transparency report.
Potential buyers of 23andMe may have completely different ideas about how to use its potentially valuable trove of DNA data. Privacy advocates at the digital rights group Electronic Frontier Foundation have asked 23andMe to resist a sale to businesses with law enforcement ties, warning that customers' genetic data could be used by police to indiscriminately search for evidence of crimes.
“Our own commitment to applying the terms of our Privacy Policy to your personal information in the case of a sale or transfer is clear. The 23andMe Terms of Service and Privacy Statement will only remain until the customer has been presented with, and agreed to, the new terms and statement, and has received appropriate notice of the new terms and conditions under applicable data protection laws.”
Proactively deleting your account
With 23andMe currently facing bankruptcy, we are calling on 23andMe customers to take action to protect their data.
California Attorney General Rob Bonta said in a statement, issued after 23andMe filed for bankruptcy, that state residents have the right to request the deletion of their genetic data under state law.
In an X post, Meredith Whittaker, president of the end-to-end encrypted messaging app Signal, said: “[23andMe] For all your sakes, close your account now.”
Eva Galperin, director of cybersecurity at the EFF, also warned users to take action. “If you have a 23andMe account, today is a good day to log in and request that you delete your data,” Galperin said in an X post.
Requesting data deletion in 23andMe is relatively easy.
Log in to your 23andMe account and go to [Settings] > [Account Information] > Delete your account. 23andMe warns you that account deletion is permanent and irreversible, and asks you to confirm your decision.
There are important caveats. As noted in 23andMe's Privacy Policy, deletion of an account is “subject to retention requirements and certain exceptions.” This means that the company can retain some of your data for an unspecified period of time.
For example, 23andMe retains genetic information, date of birth, and gender “necessary for compliance,” as well as limited data related to deletion requests.
Similarly, if you have already agreed to share your data for research purposes, you can withdraw that consent, but there is no way to delete that information. Kill tells TechCrunch that about 80% of 23andMe's customers (approximately 12 million) have agreed to participate in the research program.
This story was first published on October 19, 2024 and has been updated since.