DNA and genetic testing agency 23andMe is in turmoil following a 2023 data breach and its ongoing monetary decline. The once-pioneering big now faces an unsure future as chapter looms over the corporate, intensifying considerations about what would possibly occur to the genetic information of 23andMe’s some 15 million clients.
Finest identified for its saliva-based take a look at kits that provide a glimpse into an individual’s genetic ancestry, 23andMe has seen its worth plummet greater than 99% from its $6 billion peak since going public in early 2021 after failing to show a revenue.
That lack of revenue was attributed to waning shopper curiosity in 23andMe’s use-once take a look at kits and lackluster progress of its subscription companies. The corporate was additionally floored by an enormous months-long data breach that noticed hackers steal the ancestry information of virtually 7 million customers all through 2023. The corporate agreed in September to pay $30 million to settle a lawsuit associated to the breach.
Lower than every week later, 23andMe founder and CEO Anne Wojcicki mentioned she was “contemplating third-party takeover proposals” for the corporate. Wojcicki shortly walked again the assertion, as a substitute saying she deliberate to take the corporate personal. However the injury was executed, and the entire firm’s unbiased board members resigned with rapid impact.
After submitting for chapter safety in March 2024, the corporate’s property — together with huge banks of DNA information — might be offered by a court-supervised sale. Wojcicki additionally resigned from the corporate.
The place does that depart hundreds of thousands of individuals’s genetic information?
23andMe sure largely by its personal guidelines
As evidenced by its 2023 data breach, which noticed hackers steal data equivalent to customers’ genetic predisposition and ancestry reviews, 23andMe collects a ton of knowledge on its customers.
When you’re one of many many hundreds of thousands which have shipped your saliva to 23andMe to study your ancestry, you could have assumed that this information will stay personal below regulation, such because the Well being Insurance coverage Portability and Accountability Act. HIPAA, because it’s identified, units the requirements for safeguarding delicate well being data from being disclosed and not using a individual’s information or consent.
Nevertheless, 23andMe isn’t an organization coated below HIPAA. As such, 23andMe is basically sure solely by its personal privateness insurance policies, which it will probably change at any time.
Andy Kill, a spokesperson for 23andMe, informed information.killnetswitch that the corporate believes this can be a “extra acceptable and clear mannequin for the information we deal with, moderately than the HIPAA mannequin employed by the normal healthcare trade.”
A scarcity of federal regulation and a cluttered mess of state privateness legal guidelines in the end signifies that if 23andMe faces a sale, the information of hundreds of thousands of People can be on the desk. The corporate’s privateness coverage says that its clients’ private data “could also be accessed, offered or transferred” as a part of a chapter, merger, acquisition, reorganization, or sale.
The truth that buyer information is a saleable asset has additionally been made clear by Wojcicki, who reportedly informed buyers that 23andMe will not pursue its cost-intensive drug growth packages and can as a substitute give attention to advertising and marketing its huge database of buyer information to pharmaceutical firms and researchers.
23andMe maintains that its information privateness insurance policies wouldn’t change within the occasion of a sale. These insurance policies state that the corporate won’t ever share customers’ data with insurance coverage firms, or with regulation enforcement and not using a warrant. The latter have more and more turned to third-party DNA firms for genetic data, however 23andMe has thus far resisted all U.S. regulation enforcement requests for such information, in line with its long-running transparency report.
Potential patrons of 23andMe could have solely completely different concepts about how one can use the corporate’s doubtlessly precious trove of DNA information. Privateness advocates on the digital rights group Digital Frontier Basis have already urged 23andMe to withstand a sale to any firm with ties to regulation enforcement, warning that clients’ genetics information could possibly be utilized by police to indiscriminately seek for proof of crimes.
“Our personal dedication to use the phrases of our privateness coverage to the non-public data of our clients within the occasion of a sale or switch is obvious: the 23andMe Phrases of Service and Privateness Assertion would stay in place except and till clients are introduced with, and comply with, new phrases and statements — and solely after receiving acceptable discover of any new phrases, below relevant information safety legal guidelines,” Kill informed information.killnetswitch.
Proactively deleting your account
Now as 23andMe faces chapter, there are requires 23andMe clients to take motion now to guard their information from being offered.
California’s legal professional basic Rob Bonta mentioned in a press release after 23andMe filed for chapter that state residents have a proper to demand the deletion of their genetic information below state regulation.
Meredith Whittaker, the president of end-to-end encrypted messaging app Sign, mentioned in a publish on X: “It’s not simply you. If anybody in your loved ones gave their DNA to [23andMe], for your whole sakes, shut your/their account now.”
Eva Galperin, the director of cybersecurity on the EFF, additionally warned customers to take motion. “When you have a 23andMe account, right now is an effective day to login and request the deletion of your information,” mentioned Galperin in a publish on X.
Requesting the deletion of your information on 23andMe is comparatively straightforward.
Log in to your 23andMe account and navigate to Settings > Account Data > Delete Your Account. 23andMe will immediate you to substantiate your determination, warning that deleting your account is everlasting and irreversible.
There is a crucial caveat. As famous in 23andMe’s privateness coverage, account deletion is “topic to retention necessities and sure exceptions,” which implies the corporate could maintain on to a few of your information for an unspecified period of time.
For instance, 23andMe will retain your genetic data, date of beginning, and gender “as required for compliance” and can retain restricted information associated to your deletion request, “together with however not restricted to, your e-mail handle, account deletion request identifier, communications associated to inquiries or complaints and authorized agreements.”
Equally, for those who’ve already agreed to 23andMe sharing your information for analysis functions, you’ll be able to reverse that consent, however there’s no means so that you can delete that data. Kill tells information.killnetswitch that round 80% of 23andMe clients — roughly 12 million individuals — consent to take part in its analysis program.
First printed on October 19, 2024 and up to date since.
