DNA and genetic testing company 23andMe is in turmoil following last year's data breach and continued financial deterioration. The once pioneering giant now faces an uncertain future amid efforts to go private, amid growing concerns about what will happen to the genetic data of 23andMe's roughly 15 million customers. There is.
23andMe, best known for its saliva-based test kits that offer a glimpse into a person's genetic ancestry, has failed to turn a profit and has been valued at $6 billion since going public in early 2021. It has plunged more than 99% since its peak.
This profit shortfall can be attributed to waning consumer interest in 23andMe's one-time test kits and slower growth in its subscription services. The company also suffered a massive data breach that spanned several months throughout 2023, with hackers stealing the ancestry data of approximately 7 million users. In September, the company agreed to pay $30 million to settle a lawsuit related to the infringement.
Less than a week later, 23andMe founder and CEO Anne Wojcicki said the company was “considering third-party acquisition offers” for the company. Mr. Wojcicki quickly retracted his statement and said instead that he intended to take the company private. However, the damage was so great that all of the company's independent directors immediately resigned.
Where will the genetic data of millions of people remain?
23andMe is largely bound by its own rules
23andMe collects vast amounts of information about its users, as evidenced by last year's data breach in which hackers stole information such as users' genetic predispositions and ancestry reports.
If you're one of the millions of people who sent saliva to 23andMe to learn about your ancestors, this data is kept private under laws like the Health Insurance Portability and Accountability Act. You might think that it will stay that way. HIPAA, as it is known, sets standards to protect sensitive health information from disclosure without an individual's knowledge or consent.
However, 23andMe is not a HIPAA covered company. As such, 23andMe is primarily bound only by its own privacy policy, which may change at any time.
23andMe spokesperson Andy Kill told TechCrunch that the company believes this is “a model that is more appropriate and transparent for the data we handle than the HIPAA model used in the traditional healthcare industry.” He said he believed it.
A lack of federal regulation and a mess of state privacy laws ultimately means that if 23andMe faces a sale, the data of millions of Americans will also be on the table. The company's privacy policy states that customers' personal information “may be accessed, sold, or transferred” as part of a bankruptcy, merger, acquisition, reorganization, or sale.
The fact that customer data is a salable asset is also highlighted by Wojcicki. Wojcicki said he told investors that 23andMe will no longer pursue costly drug development programs and will instead focus on selling its vast database of customer data to pharmaceutical companies and pharmaceutical companies. It is. researchers.
23andMe claims that its data privacy policy will not change in the event of a sale. These policies state that the company will never share your information with insurance companies or law enforcement without a warrant. Although the latter increasingly rely on third-party DNA companies for genetic information, 23andMe has so far failed to comply with all U.S. law enforcement requests for such data, according to a longstanding transparency report. is resisting.
Potential buyers of 23andMe may have very different ideas about how to utilize the company's potentially valuable treasure trove of DNA data. Privacy advocates from digital rights group the Electronic Frontier Foundation have already called on 23andMe to resist sales to companies with ties to law enforcement, saying customers' genetic data could be used indiscriminately by law enforcement as evidence of crimes. It warns that it may be used to search for people.
“Our own commitment to applying the terms of our Privacy Policy to our customers' personal information in the event of a sale or transfer is clear. 23andMe's Terms of Service and Privacy Statement provide our customers with the following information: Unless and until provided, you must agree to the new terms and statements, subject to applicable data protection laws, but only after receiving appropriate notice. ,” Kill told TechCrunch.
Proactively delete your account
While 23andMe appears to have resisted the sale to a third-party company for now, Wojcicki's retracted comments have already set off alarms among privacy advocates, with 23andMe customers asking 23andMe to delete their data. We urge you to take action now to prevent your data from being sold. their data.
Meredith Whitaker, president of end-to-end encrypted messaging app Signal, said in a post on X: If someone in your family has donated their DNA [23andMe]As a precaution, please close your account now. ”
Eva Galperin, EFF's director of cyber security, also warned users to take action. “If you have a 23andMe account, today is a good day to log in and request data deletion,” Galperin said in a post on X.
Requesting data deletion on 23andMe is relatively simple.
Log in to your 23andMe account and[設定]>[アカウント情報]>[アカウントの削除]Move to. 23andMe will ask you to confirm your decision and warn you that account deletion is permanent and irreversible.
There is an important caveat. As stated in 23andMe's privacy policy, account deletion is “subject to retention requirements and certain exceptions,” so the company may retain some of your data for an unspecified period of time. .
For example, 23andMe retains your genetic information, date of birth, and gender “as necessary for compliance” and in connection with deletion requests “including, but not limited to, email address, account deletion request ID, and the content of communications.” We retain limited data. In connection with inquiries, complaints and legal agreements. ”
Similarly, if you have already consented to 23andMe sharing your data for research purposes, you can revoke that consent, but there is no way to delete that information. Kill told TechCrunch that about 80% of 23andMe customers, or about 12 million people, have agreed to participate in the company's research programs.