23andMe is not doing well. Its stock is on the verge of being delisted. It shut down its in-house drug-development unit last month, only the latest in several rounds of layoffs. Last week, the entire board of directors quit, save for Anne Wojcicki, a co-founder and the company’s CEO. Amid this downward spiral, Wojcicki has said she’ll consider selling 23andMe—which means the DNA of 23andMe’s 15 million customers would be up for sale, too.
23andMe’s trove of genetic data might be its most valuable asset. For about two decades now, since human-genome analysis became quick and common, the A’s, C’s, G’s, and T’s of DNA have allowed long-lost relatives to connect, revealed family secrets, and helped police catch serial killers. Some people’s genomes contain clues to what’s making them sick, or even, occasionally, how their disease should be treated. For most of us, though, consumer tests don’t have much to offer beyond a snapshot of our ancestors’ roots and confirmation of the traits we already know about. (Yes, 23andMe, my eyes are blue.) 23andMe is floundering in part because it hasn’t managed to prove the value of collecting all that sensitive, personal information. And potential buyers may have very different ideas about how to use the company’s DNA data to raise the company’s bottom line. This should concern anyone who has used the service.
DNA might contain health information, but unlike a doctor’s office, 23andMe is not bound by the health-privacy law HIPAA. And the company’s privacy policies make clear that in the event of a merger or an acquisition, customer information is a salable asset. 23andMe promises to ask its customers’ permission before using their data for research or targeted advertising, but that doesn’t mean the next boss will do the same. It says so right there in the fine print: The company reserves the right to update its policies at any time. A spokesperson acknowledged to me this week that the company can’t fully guarantee the sanctity of customer data, but said in a statement that “any scenario which impacts our customers’ data would need to be carefully considered. We take the privacy and trust of our customers very seriously, and would strive to maintain commitments outlined in our Privacy Statement.”
Certain parties might take an obvious interest in the secrets of Americans’ genomes. Insurers, for example, would probably like to know about any genetic predispositions that might make you more expensive to them. In the United States, a 2008 law called the Genetic Information Nondiscrimination Act protects against discrimination by employers and health insurers on the basis of genetic data, but gaps in it exempt providers of life, disability, and long-term-care insurance from such restrictions. That means that if you have, say, a genetic marker that can be correlated with a heart condition, a life insurer could find that out and legally deny you a policy—even if you never actually develop that condition. Law-enforcement agencies rely on DNA data to solve many difficult cases, and although 23andMe says it requires a warrant to share data, some other companies have granted broad access to police. You don’t have to commit a crime to be affected: Because we share large chunks of our genome with relatives, your DNA could be used to implicate a close family member or even a third cousin whom you’ve never met. Information about your ethnicity can also be sensitive, and that’s encoded in your genome, too. That’s all part of why, in 2020, the U.S. military advised its personnel against using consumer tests.
Spelling out all the potential consequences of an unknown party accessing your DNA is impossible, because scientists’ understanding of the genome is still evolving. Imagine drugmakers trolling your genome to find out what ailments you’re at risk for and then targeting you with ads for drugs to treat them. “There’s a lot of ways that this data might be misused or used in a way that the consumers couldn’t anticipate when they first bought 23andMe,” Suzanne Bernstein, counsel at the Electronic Privacy Information Center, told me. And unlike a password that can be changed after it leaks, once your DNA is out in the wild, it’s out there for good. Some states, such as California, give consumers additional genetic-privacy rights and might allow DNA data to be deleted ahead of a sale. The 23andMe spokesperson told me that “customers have the ability to download their data and delete their personal accounts.” Companies are also required to notify customers of any changes to terms of service and give them a chance to opt out, though typically such changes take effect automatically after a certain amount of time, whether or not you’ve read through the fine print. Consumers have assumed this risk without getting much in return. When the first draft of the human genome was unveiled, it was billed as a panacea, hiding within its code secrets that would help each and every one of us unlock a personalized health plan. But most diseases, it turns out, can’t be pinned on a single gene. And most people have a boring genome, free of red-flag mutations, which means DNA data just aren’t that useful to them—at least not in this form. And if a DNA test reveals elevated risk for a more common health condition, such as diabetes and heart disease, you probably already know the interventions: eating well, exercising often, getting a solid eight hours of sleep. (To an insurer, though, even a modicum of risk might make someone an unattractive candidate for coverage.) That’s likely a big part of why 23andMe’s sales have slipped. There are only so many people who want to know about their Swedish ancestry, and that, it turns out, is consumer DNA testing’s biggest sell.
Wojcicki has pulled 23andMe back from the brink before, after the Food and Drug Administration ordered the company to stop selling its health tests in 2013 until they could be proved safe and effective. In recent months, Wojcicki has explored a variety of options to save the company, including splitting it to separate the cash-burning drug business from the consumer side. Wojcicki has still expressed interest in trying to take the company private herself, but the board rejected her initial offer. 23andMe has until November 4 to raise its shares to at least $1, or be delisted. As that date approaches, a sale looks more and more likely—whether to Wojcicki or someone else.
The risk of DNA data being misused has existed since DNA tests first became available. When customers opt in to participate in drug-development research, third parties already get access to their de-identified DNA data, which can in some cases be linked back to people’s identities after all. Plus, 23andMe has failed to protect its customers’ information in the past—it just agreed to pay $30 million to settle a lawsuit resulting from an October 2023 data breach. But for nearly two decades, the company had an incentive to keep its customers’ data private: 23andMe is a consumer-facing business, and to sell kits, it also needed to win trust. Whoever buys the company’s data may not operate under the same constraints.
Every platform Every time
I should be able to copyright my DNA so they can’t use it without paying me royalties.
If Lays can bother potato farmers in africa about it I should be able to own an organism too (myself)
US government should buy them, not for the data, but the research and disease information. That was the most eye-opening thing about the results. Until I got results, my family had no idea that we carried the CF gene.
Some countries, like Finland, already started collecting their population’s DNA sequences of willing individuals for research purposes.
And as far as I’ve researched it is nowadays very hard to deny the finnish biobanks of access, storage and sharing of your collected samples. Which are used as a marketing leverage to honeypot healthcare investors and researchers to Finland from abroad by granting access. The sample data is “anonymized”. I would like to opt out, but it is made so hard that it is generally impossible. Nobody asked if this is okay to us or not. And we are talking about private data that was collected for national research.
The least the legislators could’ve done for the participiants would’ve been to make an effective way to opt out from the databases, and deny all personal collection in the future. No such general solution available.
Disgusting from privacy point of an individual. And alarming that your state does something like this.
which means the DNA of 23andMe’s 15 million customers would be up for sale, too.
Wild to me that this isn’t categorized as sensitive health data you aren’t allowed to sell.
HIPAA does categorize genetic information as protected health information: https://www.hhs.gov/hipaa/for-professionals/faq/354/does-hipaa-protect-genetic-information/index.html
That said… it wouldn’t surprise me if all of that data gets sold right before 23andMe tanks, the higher-ups take the cash and split, and there isn’t much left of a company to fine. Company tanks and that’s the end of it.
HIPAA only applies to Covered Entities. 23andMe does not meet the HHS definition of a Covered Entity.
https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
Disclaimer: I am not a lawyer.
I don’t know.
If a company is dissolved before lawsuits or charges are filed, the argument could be made that the entity in question no longer exists and the filings are invalid. Just like you can’t sue somebody who’s dead. It might not hold up in court but I wouldn’t put it past some very expensive lawyers to try it anyway because it might work.
This article says that “it depends.” There might be a period of time after a company dissolves that it can still be sued, namely, if the legal process to go about it wasn’t followed precisely. If there are no assets remaining sometimes the former owners can be sued. There is also the question of whether or not you’ll spend more on a lawsuit than you’ll get from the settlement.
I just realized something: Most of the time when talking about stuff like this, people seem to implicitly be talking about getting some money out of it (as punishment, maybe). Rarely do folks ever talk about suing for the express purpose of preventing the thing (in this case, selling customers’ genomic information to third parties) from ever happening.
This article talks about suing for undistributed assets. Suing to get your genomic data back and verifying that it’s been destroyed before it could be sold to anyone else is a possibility. It also talks about suing shareholders; if 23andMe is being delisted that seems like a legal gray area to be exploited: If a company is delisted are there still shareholders? Logically, yes (people hold worthless shares of stock in a company that doesn’t exist anymore) but legally? It might be state-dependent as this article suggests (per Favila v. Katten Muchin Rosenman LLP (2010) 188 Cal.App.4th 189, 213).
Maybe under a quiet title action to get the genomic data back?
I always wanted to check out my genome, but never did so because of shady companies like this.
Is there any genome sequencing service for consumers that actually respects your privacy? Especially for full genome sequencing.
This site walks you through how to take a DNA test anonymously. That’s as close as I’m aware of that you can get to privacy.
Same. I’d love to know any privacy-respecting companies…that is, if they even exist.
Well, Swiss has some companies and strict laws to handling of health data (including DNA). But i dunno if you can just send your sample via package.
I as well was curious, but it was clear to me that this was a bad idea from the get go. Long before I became truly privacy focused, it was still blatantly obvious this was a bad idea. It sucks that it was such a hot trend and terms written in a horrible, and dare I say predatory fashion.
I’ve had bots scouting for such a thing for a couple of years. So far, we haven’t found any that aren’t way sketchy. Your best bet might be to social engineer the folks at a cellular biology lab at a big college or something, get them to sequence your DNA, and have them copy the data onto a flash drive or something. Then the trick is finding somebody who can analyze the data and make sense of it all.
I think the safest bet would be to get a PhD in medical genetics and manually go through your data base pair by base pair
