Genetic testing company 23andMe filed for bankruptcy in the United States, raising concerns about the fate of highly sensitive genetic data from its 15 million customers. The company, best known for its at-home DNA testing kits, has stated that it will continue to operate and will not change the way it protects consumer data while in bankruptcy court. Despite these reassurances, the potential sale of the company to another firm has left many customers worried about the future of their genetic information.
1. Understanding the Implications of 23andMe’s Bankruptcy
The bankruptcy announcement has alarmed data privacy experts. The Attorneys General of California and New York each issued rare “consumer alerts,” urging 23andMe customers to delete their data from the site. Co-founder Anne Wojcicki stepped down as CEO and is attempting to buy the company back. If she succeeds, the company’s data policies may remain intact. However, if another firm purchases 23andMe, the privacy policy and data usage agreements could change significantly. This uncertainty has led many customers to consider deleting their data to avoid potential misuse.
Founded in 2006, 23andMe pioneered inexpensive, direct-to-consumer genetic testing. Customers could simply send in a saliva sample and receive a report about their family tree, demographics, and even their risk for certain hereditary health conditions. The company also attempted to help develop new medical treatments, both in partnership with pharmaceutical companies and independently. However, these efforts proved costly, leading to financial difficulties. This year, a data breach exposed the personal data of some 7 million users. This scandal, combined with financial blunders and dwindling demand for genetic tests, ultimately led to the company’s bankruptcy.
2. What Could Happen to Your Genetic Data?
The current 23andMe policy states that the company will not voluntarily share customers’ personal information with public databases, insurance companies, employers, or law enforcement unless there is a valid court order, subpoena, or search warrant. However, this policy could change if a new company acquires 23andMe. A group that buys the information from 23andMe could use it to set life and disability insurance policies or may have more lenient policies around sharing data with law enforcement.
The 23andMe privacy statement explicitly states: “If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your personal information may be accessed, sold, or transferred as part of that transaction.” Customers will be made aware of any new terms with “appropriate advance notice,” and the current privacy policy will apply until then. Given this, individuals who decide to keep their accounts should carefully review the privacy policy and understand the fine print. Despite three international security certifications, hackers previously accessed the personal data of millions of 23andMe users, indicating that future breaches are possible.
3. How to Protect or Delete Your Genetic Data
The most reliable way to ensure your genetic information doesn’t pass from 23andMe to a different company is to delete it before the company is sold. Here are the steps to delete your data:
- Log into your 23andMe account.
- Navigate to Settings.
- Scroll to 23andMe Data at the bottom of the page and click View.
- If you wish to obtain a copy of your genetic data, select the option to download it to your device.
- Scroll to Delete Data and click Permanently Delete Data.
- You will receive an email from 23andMe. Follow the link in the email to verify your deletion request.
Once you hit the confirmation button, the deletion process will begin immediately and cannot be reversed, so it is recommended that you download a copy of your information beforehand to create a personal archive. You can download data reports directly, but must submit a request to download your genetic information in its raw form. Store the downloaded information in a secure location: protect the file with a password and avoid keeping it on a shared computer or hard drive.
4. Revoking Consent for Future Research
Users who previously consented to having their genetic data used for medical research can email 23andMe to revoke their consent for future research. According to 23andMe, more than 80% of users allow the company to use de-identified data for medical research. The company has made at least 30 deals with pharmaceutical and biotech companies, giving them access to information stripped of personal details. If you previously agreed to store your saliva sample and DNA, you can update your authorization in the “preferences” portion of your account. Revoking consent to let 23andMe and third-party researchers use your genetic data for research can be done on the account settings page under “Research and Product Consents.”
Deleting your account will automatically opt you out of research and discard your sample. It is crucial to take these steps if you are concerned about the potential misuse of your genetic data.
5. Rights to Genetic Data Privacy
Most medical information is protected under the Health Insurance Portability and Accountability Act (HIPAA). However, HIPAA rules don’t apply to 23andMe because people interact with the company as customers rather than as patients. People in the U.S. benefit from the Genetic Information Nondiscrimination Act (GINA), a law prohibiting employers and health insurance companies from discriminating based on genetic information. However, GINA doesn’t protect individuals from discrimination in disability, long-term care, or life insurance.
California has the strongest genetic data privacy protections in the U.S. A 2018 law allows California residents to have their data deleted by companies that collect it. The Genetic Information Privacy Act gives Californians the right to delete their account, have their biological samples destroyed, and revoke consent for the use or sharing of their genetic data. Additional genetic privacy laws exist in several states, including Texas, Washington, Arizona, and Connecticut. In California and Virginia, residents can file a complaint with their attorneys general if they think their rights have been infringed.
What This Means and Final Thoughts
Genetic testing company 23andMe has filed for bankruptcy in the United States, sparking concerns over the security and privacy of sensitive genetic data belonging to its 15 million customers. Recognized for its at-home DNA testing kits, the company has assured users that it will maintain its operations and uphold its data protection practices while navigating bankruptcy proceedings. Despite these assurances, the possibility of the company being sold to another entity has caused unease among customers, who are anxious about the future management of their genetic information. The uncertainty surrounding the fate of their personal genetic data has heightened anxiety, as customers wonder if the new ownership will honor the same level of security and privacy previously guaranteed by 23andMe. Users have invested not just money but trust in the company, and the potential change in ownership raises significant questions about data protection and privacy policies moving forward.