DNA and genetic testing agency 23andMe is in turmoil following a 2023 information breach and its ongoing monetary decline. The once-pioneering large now faces an unsure future as chapter looms over the corporate, intensifying considerations about what may occur to the genetic information of 23andMe’s some 15 million prospects.
Greatest identified for its saliva-based check kits that supply a glimpse into an individual’s genetic ancestry, 23andMe has seen its worth plummet greater than 99% from its $6 billion peak since going public in early 2021 after failing to show a revenue.
That lack of revenue was attributed to waning shopper curiosity in 23andMe’s use-once check kits and lackluster development of its subscription companies. The corporate was additionally floored by an enormous months-long information breach that noticed hackers steal the ancestry information of just about 7 million customers all through 2023. The corporate agreed in September to pay $30 million to settle a lawsuit associated to the breach.
Lower than every week later, 23andMe founder and CEO Anne Wojcicki mentioned she was “contemplating third-party takeover proposals” for the corporate. Wojcicki rapidly walked again the assertion, as an alternative saying she planned to take the company private. However the harm was performed, and the entire firm’s unbiased board members resigned with rapid impact.
After submitting for chapter safety in March 2024, the corporate’s belongings — together with huge banks of DNA information — will likely be offered by way of a court-supervised sale. Wojcicki additionally resigned from the corporate.
The place does that go away tens of millions of individuals’s genetic information?
23andMe certain largely by its personal guidelines
As evidenced by its 2023 information breach, which noticed hackers steal data equivalent to customers’ genetic predisposition and ancestry studies, 23andMe collects a ton of data on its customers.
For those who’re one of many many tens of millions which have shipped your saliva to 23andMe to find out about your ancestry, you will have assumed that this information will stay non-public underneath legislation, such because the Well being Insurance coverage Portability and Accountability Act. HIPAA, because it’s identified, units the requirements for shielding delicate well being data from being disclosed with out a particular person’s data or consent.
Nonetheless, 23andMe isn’t an organization coated underneath HIPAA. As such, 23andMe is basically certain solely by its personal privateness insurance policies, which it could change at any time.
Andy Kill, a spokesperson for 23andMe, instructed TechCrunch that the corporate believes it is a “extra acceptable and clear mannequin for the information we deal with, fairly than the HIPAA mannequin employed by the normal healthcare business.”
A scarcity of federal regulation and a cluttered mess of state privateness legal guidelines finally signifies that if 23andMe faces a sale, the information of tens of millions of People can be on the desk. The corporate’s privateness coverage says that its prospects’ private data “could also be accessed, offered or transferred” as a part of a chapter, merger, acquisition, reorganization, or sale.
The truth that buyer information is a saleable asset has additionally been made clear by Wojcicki, who reportedly told investors that 23andMe will now not pursue its cost-intensive drug improvement packages and can as an alternative deal with advertising its huge database of buyer information to pharmaceutical firms and researchers.
23andMe maintains that its information privateness insurance policies wouldn’t change within the occasion of a sale. These insurance policies state that the corporate won’t ever share customers’ data with insurance coverage firms, or with legislation enforcement with out a warrant. The latter have more and more turned to third-party DNA firms for genetic data, however 23andMe has to date resisted all U.S. legislation enforcement requests for such information, in accordance to its long-running transparency report.
Potential consumers of 23andMe could have fully completely different concepts about methods to use the corporate’s probably precious trove of DNA information. Privateness advocates on the digital rights group Digital Frontier Basis have already urged 23andMe to resist a sale to any firm with ties to legislation enforcement, warning that prospects’ genetics information could possibly be utilized by police to indiscriminately seek for proof of crimes.
“Our personal dedication to use the phrases of our privateness coverage to the private data of our prospects within the occasion of a sale or switch is obvious: the 23andMe Phrases of Service and Privateness Assertion would stay in place except and till prospects are introduced with, and comply with, new phrases and statements — and solely after receiving acceptable discover of any new phrases, underneath relevant information safety legal guidelines,” Kill instructed TechCrunch.
Proactively deleting your account
Now as 23andMe faces chapter, there are requires 23andMe prospects to take motion now to guard their information from being offered.
California’s lawyer common Rob Bonta mentioned in an announcement after 23andMe filed for chapter that state residents have a proper to demand the deletion of their genetic data underneath state legislation.
Meredith Whittaker, the president of end-to-end encrypted messaging app Sign, mentioned in a post on X: “It’s not simply you. If anybody in your loved ones gave their DNA to [23andMe], for your whole sakes, shut your/their account now.”
Eva Galperin, the director of cybersecurity on the EFF, additionally warned customers to take motion. “You probably have a 23andMe account, right this moment is an efficient day to login and request the deletion of your information,” mentioned Galperin in a post on X.
Requesting the deletion of your information on 23andMe is comparatively straightforward.
Log in to your 23andMe account and navigate to Settings > Account Data > Delete Your Account. 23andMe will immediate you to verify your determination, warning that deleting your account is everlasting and irreversible.
There is a crucial caveat. As famous in 23andMe’s privateness coverage, account deletion is “topic to retention necessities and sure exceptions,” which implies the corporate could maintain on to a few of your information for an unspecified period of time.
For instance, 23andMe will retain your genetic data, date of delivery, and gender “as required for compliance” and can retain restricted information associated to your deletion request, “together with however not restricted to, your electronic mail handle, account deletion request identifier, communications associated to inquiries or complaints and authorized agreements.”
Equally, in case you’ve already agreed to 23andMe sharing your information for analysis functions, you possibly can reverse that consent, however there’s no method so that you can delete that data. Kill tells TechCrunch that round 80% of 23andMe prospects — roughly 12 million folks — consent to take part in its analysis program.
First revealed on October 19, 2024 and up to date since.