DNA and genetic testing company 23andMe is in turmoil following a 2023 data breach and its ongoing financial decline. The once-pioneering giant now faces an uncertain future as bankruptcy looms over the company, intensifying concerns about what might happen to the genetic data of 23andMe’s some 15 million customers.
Best known for its saliva-based test kits that offer a glimpse into a person’s genetic ancestry, 23andMe has seen its value plummet more than 99% from its $6 billion peak since going public in early 2021 after failing to turn a profit.
That lack of profit was attributed to waning customer interest in 23andMe’s use-once test kits and lackluster growth of its subscription services. The company was also floored by a huge months-long data breach that saw hackers steal the ancestry data of almost 7 million users throughout 2023. The company agreed in September to pay $30 million to settle a lawsuit related to the breach.
Less than a week later, 23andMe founder and CEO Anne Wojcicki said she was “contemplating third-party takeover proposals” for the company. Wojcicki quickly walked back the statement, instead saying she planned to take the company private. But the damage was done, and all of the company’s independent board members resigned with immediate effect.
After filing for bankruptcy protection in March 2024, the company’s assets, including vast banks of DNA data, will be sold through a court-supervised sale. Wojcicki also resigned from the company.
Where does that leave millions of people’s genetic data?
23andMe bound largely by its own rules
As evidenced by its 2023 data breach, which saw hackers steal information such as users’ genetic predisposition and ancestry reports, 23andMe collects a ton of information on its users.
If you’re one of the many millions who have shipped your saliva to 23andMe to learn about your ancestry, you may have assumed that this data will remain private under law, such as the Health Insurance Portability and Accountability Act. HIPAA, as it’s known, sets the standards for protecting sensitive health information from being disclosed without a person’s knowledge or consent.
However, 23andMe is not a company covered under HIPAA. As such, 23andMe is largely bound only by its own privacy policies, which it can change at any time.
Andy Kill, a spokesperson for 23andMe, told TechCrunch that the company believes this is a “extra acceptable and clear mannequin for the information we deal with, fairly than the HIPAA mannequin employed by the standard healthcare business.”
A lack of federal regulation and a cluttered mess of state privacy laws ultimately means that if 23andMe faces a sale, the data of millions of Americans is also on the table. The company’s privacy policy says that its customers’ personal information “could also be accessed, bought or transferred” as part of a bankruptcy, merger, acquisition, reorganization, or sale.
The fact that customer data is a saleable asset has also been made clear by Wojcicki, who reportedly told investors that 23andMe will no longer pursue its cost-intensive drug development programs and will instead focus on marketing its vast database of customer data to pharmaceutical companies and researchers.
23andMe maintains that its data privacy policies would not change in the event of a sale. These policies state that the company will never share users’ information with insurance companies, or with law enforcement without a warrant. The latter have increasingly turned to third-party DNA companies for genetic information, but 23andMe has so far resisted all U.S. law enforcement requests for such data, according to its long-running transparency report.
Potential buyers of 23andMe may have entirely different ideas about how to use the company’s potentially invaluable trove of DNA data. Privacy advocates at the digital rights group Electronic Frontier Foundation have already urged 23andMe to resist a sale to any company with ties to law enforcement, warning that customers’ genetic data could be used by police to indiscriminately search for evidence of crimes.
“Our personal dedication to use the phrases of our privateness coverage to the non-public data of our prospects within the occasion of a sale or switch is evident: the 23andMe Terms of Service and Privacy Statement would stay in place except and till prospects are offered with, and comply with, new phrases and statements — and solely after receiving acceptable discover of any new phrases, beneath relevant knowledge safety legal guidelines,” Kill told TechCrunch.
Proactively deleting your account
Now, as 23andMe faces bankruptcy, there are calls for 23andMe customers to take action to protect their data from being sold.
California’s attorney general Rob Bonta said in a statement after 23andMe filed for bankruptcy that state residents have a right to demand the deletion of their genetic data under state law.
Meredith Whittaker, the president of end-to-end encrypted messaging app Signal, said in a post on X: “It’s not simply you. If anybody in your loved ones gave their DNA to [23andMe], for your entire sakes, shut your/their account now.”
Eva Galperin, the director of cybersecurity at the EFF, also warned users to take action. “If you might have a 23andMe account, in the present day is an effective day to login and request the deletion of your knowledge,” said Galperin in a post on X.
Requesting the deletion of your data on 23andMe is relatively easy.
Log in to your 23andMe account and navigate to Settings > Account Information > Delete Your Account. 23andMe will prompt you to confirm your decision, warning that deleting your account is permanent and irreversible.
There is an important caveat. As noted in 23andMe’s privacy policy, account deletion is “topic to retention necessities and sure exceptions,” which means the company may hold on to some of your data for an unspecified amount of time.
For example, 23andMe will retain your genetic information, date of birth, and gender “as required for compliance” and will retain limited data related to your deletion request, “together with however not restricted to, your e-mail deal with, account deletion request identifier, communications associated to inquiries or complaints and authorized agreements.”
Similarly, if you’ve already agreed to 23andMe sharing your data for research purposes, you can reverse that consent, but there’s no way for you to delete that information. Kill tells TechCrunch that around 80% of 23andMe customers, roughly 12 million people, consent to participate in its research program.
First published on October 19, 2024 and updated since.