23andMe's Future & Your Genetic Data: What You Need to Know
23andMe's Current Challenges and Future Outlook
23andMe, a company specializing in DNA analysis and genetic testing, is currently navigating a period of significant difficulty. This follows a substantial data breach in 2023 and a continuing downturn in the company’s financial performance.
Financial Struggles and Data Breach
The company, once a leader in the direct-to-consumer genetic testing market, is now facing a precarious situation with potential bankruptcy. This raises serious questions regarding the security and future of the genetic information held for approximately 15 million customers.
23andMe initially gained prominence through its direct-to-consumer saliva-based testing kits, which provide insights into an individual’s genetic heritage. However, the company’s valuation has decreased by over 99% from its peak of $6 billion, achieved shortly after its public offering in early 2021, due to a consistent inability to generate profits.
This lack of profitability can be linked to diminishing consumer demand for the one-time use test kits and slow expansion of its subscription-based services. Furthermore, a prolonged data breach throughout 2023, impacting nearly 7 million users, significantly harmed the company’s reputation.
Leadership Changes and Bankruptcy Filing
In September, 23andMe reached an agreement to pay $30 million to resolve a lawsuit stemming from the data breach. Shortly thereafter, Anne Wojcicki, the founder and CEO, indicated the possibility of exploring acquisition offers.
Wojcicki subsequently retracted this statement, announcing plans to take the company private. However, this move prompted the immediate resignation of all independent members of the board of directors.
Following a filing for bankruptcy protection in March 2024, the company’s assets, including its extensive DNA databases, will be liquidated through a court-approved process. Anne Wojcicki also stepped down from her role as CEO.
Implications for Genetic Data
The central concern now revolves around the fate of the genetic data entrusted to 23andMe by millions of individuals.
The potential sale of these assets raises questions about data privacy and security.
- What safeguards will be in place to protect sensitive genetic information?
- Who will have access to this data?
- How will the privacy preferences of customers be honored?
23andMe’s Data Protection: Primarily Self-Regulated
The 2023 data breach experienced by 23andMe, involving the compromise of user genetic predispositions and ancestry details, highlights the substantial amount of information the company collects.
Many of the millions who have submitted DNA samples to 23andMe for ancestry analysis might assume their data is legally protected, perhaps under the Health Insurance Portability and Accountability Act (HIPAA). This act establishes standards for safeguarding sensitive health information and preventing unauthorized disclosure.
However, 23andMe does not fall under the purview of HIPAA regulations. Consequently, the company is primarily governed by its own privacy policies, which are subject to change at its discretion.
According to a statement given to TechCrunch by 23andMe spokesperson Andy Kill, the company views its current approach as a “more appropriate and transparent model” for handling data, contrasting it with the HIPAA framework utilized by traditional healthcare providers.
The absence of comprehensive federal regulation, coupled with a complex landscape of varying state privacy laws, creates a situation where the data of millions of Americans could be vulnerable in the event of a 23andMe sale.
The company’s privacy policy explicitly states that customer personal information “may be accessed, sold or transferred” during processes like bankruptcy, mergers, acquisitions, or sales.
Wojcicki has reportedly indicated to investors that 23andMe will shift its focus away from expensive drug development and towards leveraging its extensive customer data for marketing purposes to pharmaceutical companies and research institutions, further emphasizing the data’s commercial value.
23andMe asserts that its data privacy policies would remain consistent even if the company were sold. These policies guarantee that user information will not be shared with insurance providers or law enforcement agencies without a valid warrant. The company has consistently resisted U.S. law enforcement requests for genetic data, as documented in its transparency reports.
However, prospective buyers of 23andMe might have differing perspectives on how to utilize the company’s valuable DNA data. The Electronic Frontier Foundation, a digital rights advocacy group, has urged 23andMe to avoid a sale to any entity connected to law enforcement, citing concerns that customer genetic data could be misused for broad, indiscriminate crime investigations.
Kill reiterated to TechCrunch that 23andMe is committed to upholding its privacy policy’s terms in the event of a sale or transfer. He stated that the Terms of Service and Privacy Statement would remain in effect unless customers are presented with, and consent to, new terms, following proper notification as required by applicable data protection laws.
Taking Action: Account Deletion at 23andMe
With 23andMe currently navigating bankruptcy proceedings, concerns are rising regarding the potential sale of customer data. Individuals are now being advised to proactively safeguard their personal information.
California Attorney General Rob Bonta issued a statement following 23andMe’s bankruptcy filing, asserting that residents of California possess the legal right to request the removal of their genetic data, as stipulated by state legislation.
Meredith Whittaker, President of Signal, the encrypted messaging application, emphasized the importance of this action in a recent post on X. She stated that account closure is advisable not only for individual users but also for their family members who may have submitted DNA to 23andMe.
Eva Galperin, Cybersecurity Director at the EFF, echoed this sentiment, recommending that users promptly initiate data deletion requests. She conveyed this advice through a post on X, highlighting the urgency of the situation.
How to Delete Your 23andMe Account
The process of requesting data deletion from 23andMe is straightforward.
Begin by logging into your 23andMe account. Then, navigate to Settings, followed by Account Information, and finally select Delete Your Account. The platform will then ask you to confirm your choice, clearly stating that account deletion is a permanent and irreversible action.
However, it’s crucial to understand a significant limitation. As outlined in 23andMe’s privacy policy, account deletion is not absolute and is “subject to retention requirements and certain exceptions.” This means the company may retain certain data for an indefinite period.
For instance, 23andMe will preserve your genetic information, birthdate, and gender “as required for compliance.” Additionally, limited data pertaining to your deletion request, such as your email address and request identifier, will also be retained, alongside any related communications or legal agreements.
Furthermore, if you previously consented to 23andMe utilizing your data for research initiatives, you can withdraw that consent. However, complete deletion of the data already shared for research purposes is not possible. According to reports, approximately 80% of 23andMe’s customer base—around 12 million individuals—have opted into the research program.
Originally published on October 19, 2024, with subsequent updates.
Related Posts
Coupang CEO Resigns After Data Breach | South Korea
Petco Vetco Data Breach: Customer Information Exposed
FTC Upholds Ban on Stalkerware Founder Scott Zuckerman
Google Details Chrome Security for Agentic Features
Petco Data Breach: SSNs, Driver's Licenses Exposed
