
As 23andMe files for bankruptcy, what to know about protecting your data



With Sunday’s announcement by genetic testing firm 23andMe that it has filed for bankruptcy, customers of the site may be wondering what will happen to their data and what, if anything, they can or should do to protect it.

The company explained Sunday in a news release that it has entered a voluntary Chapter 11 restructuring and sale process, saying it intends to continue operations as normal, with no changes to how it stores, manages or protects customer data.

The company also addressed data concerns in an open letter to customers posted Sunday on its blog.

“We remain committed to our users’ privacy and to being transparent with our customers about how their data is managed,” it said. “Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.”

Hackers and bankruptcy leave personal info vulnerable

The company has been dealing with a wave of lawsuits after the personal data of about 7 million customers was accessed by hackers in 2023.

In an article published this month in the New England Journal of Medicine, three law professors expressed concerns that existing protections may not be enough and called on Congress to do more to shield consumer data from such corporate changes.

“If 23andMe goes bankrupt, these data will most likely be sold to the highest bidder, a successor company that customers might not want to entrust with their genetic data,” the authors wrote, describing the issue as “a structural problem in a legal system relying heavily on privacy policies to protect consumer data, while also treating those data as a valuable asset.”

The company's consumer agreements offer little comfort, the authors wrote, because the company reserves the right to transfer customer data in case of sale or bankruptcy, and customers can’t fully protect their data from being “accessed, sold or transferred as part of that transaction.”

Though the company’s privacy statement would cover personal information transferred to a new owner after the sale, "the new entity could simply change the terms of service, including the privacy statement, and people might agree to it without reading these lengthy documents," said Sara Gerke, associate professor of law at the University of Illinois Urbana-Champaign and lead author of the Journal of Medicine article. "Customers need to be proactive now and be aware of this issue until Congress intervenes to address this problem at the federal level."

Treated as 'customers,' not patients

The genetic and self-reported data, including saliva samples and questionnaires, held by such companies represent some of people’s most guarded information, including family history and health-related data.

But such companies aren’t covered under Health Insurance Portability and Accountability Act (HIPAA) requirements, the authors of the Journal of Medicine article said.

“From a legal standpoint, people therefore interact with the company as ‘consumers,’ not ‘patients,’” they wrote. Though the Genetic Information Nondiscrimination Act prevents discriminatory use of such information by employers and health insurers, it doesn’t cover uses by other parties, nor does it prevent companies like 23andMe from selling people’s data.

The U.S. lacks a comprehensive federal privacy law, unlike the European Union’s General Data Protection Regulation, created in 2018. Individual states such as California and Illinois have enacted their own privacy laws, but enforcement is limited to those states.

Customers can have their data deleted ...

On March 21, California Attorney General Rob Bonta issued a consumer alert to the state's 23andMe customers given the company’s financial distress, reminding them of their right to have their genetic data deleted.

“California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,” Bonta said. “Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.” 

According to 23andMe’s website, users can remove personal information by opting out of the 23andMe data section of account settings. The data is deleted once a user submits and confirms the request.

... but some data will remain available

It also says, however, that 23andMe is legally required to retain certain information.

"23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth and sex as required for compliance with applicable legal obligations … even if you chose to delete your account," the company's privacy statement says.

In a post on technology-focused 404 Media, Jason Koebler said the genetic data of millions of people is up for grabs.

“The filing shows how dangerous it is to provide your DNA directly to a large, for-profit commercial genetic database,” wrote Koebler, a co-founder of the site. “Once you give your genetic information to a company like 23andMe, there is no way to have any clue what is going to happen to that data, how it is going to be analyzed, how it is going to be monetized, how it is going to be protected from hackers, and who it is going to be shared with for profit.”

Mark Jensen, who chairs 23andMe’s board of directors, said in a statement that the company decided a court-supervised sale was “the best path forward to maximize the value of the business. … We believe in the value of our people and our assets and hope that this process allows our mission of helping people access, understand and benefit from the human genome to live on for the benefit of customers and patients.

“We will seek to find a partner who shares our commitment to customer data privacy and allows our mission of helping people access, understand and benefit from the human genome to live on.”

Contributing: Marley Malenfant

(This story has been updated to add new information.)