DNA and genetic testing company 23andMe is in turmoil following a data breach last year and its ongoing financial decline. The once-pioneering giant now faces an uncertain future amid efforts to take the company private, intensifying concerns about what might happen to the genetic data of 23andMe’s some 15 million customers.
Best known for its saliva-based test kits that offer a glimpse into a person’s genetic ancestry, 23andMe has seen its value plummet more than 99% from its $6 billion peak since going public in early 2021 after failing to turn a profit.
That lack of profit was attributed to waning customer interest in 23andMe’s use-once test kits and lackluster growth of its subscription services. The company was also floored by a huge months-long data breach that saw hackers steal the ancestry data of almost 7 million users throughout 2023. The company agreed in September to pay $30 million to settle a lawsuit related to the breach.
Less than a week later, 23andMe founder and CEO Anne Wojcicki said she was “considering third-party takeover proposals” for the company. Wojcicki quickly walked back the statement, instead saying she planned to take the company private. But the damage was done, and all of the company’s independent board members resigned with immediate effect.
Where does that leave millions of people’s genetic data?
23andMe bound largely by its own rules
As evidenced by last year’s data breach, which saw hackers steal information such as users’ genetic predisposition and ancestry reports, 23andMe collects a ton of data on its users.
If you’re one of the many millions that have shipped your saliva to 23andMe to learn about your ancestry, you may have assumed that this data will remain private under law, such as the Health Insurance Portability and Accountability Act. HIPAA, as it’s known, sets the standards for protecting sensitive health information from being disclosed without a person’s knowledge or consent.
However, 23andMe is not a company covered under HIPAA. As such, 23andMe is largely bound only by its own privacy policies, which it can change at any time.
Andy Kill, a spokesperson for 23andMe, told TechCrunch that the company believes this is a “more appropriate and transparent model for the data we handle, rather than the HIPAA model employed by the traditional healthcare industry.”
A lack of federal regulation and a cluttered mess of state privacy laws ultimately means that if 23andMe faces a sale, the data of millions of Americans will be on the table. The company’s privacy policy says that its customers’ personal information “may be accessed, sold or transferred” as part of a bankruptcy, merger, acquisition, reorganization, or sale.
The fact that customer data is a saleable asset has also been made clear by Wojcicki, who reportedly told investors that 23andMe will not pursue its cost-intensive drug development programs and will instead focus on marketing its vast database of customer data to pharmaceutical companies and researchers.
23andMe maintains that its data privacy policies would not change in the event of a sale. These policies state that the company will never share users’ information with insurance companies, or with law enforcement without a warrant. The latter have increasingly turned to third-party DNA companies for genetic information, but 23andMe has so far resisted all U.S. law enforcement requests for such data, according to its long-running transparency report.
Potential buyers of 23andMe may have entirely different ideas about how to use the company’s potentially valuable trove of DNA data. Privacy advocates at the digital rights group Electronic Frontier Foundation have already urged 23andMe to resist a sale to any company with ties to law enforcement, warning that customers’ genetics data could be used by police to indiscriminately search for evidence of crimes.
“Our own commitment to apply the terms of our privacy policy to the personal information of our customers in the event of a sale or transfer is clear: the 23andMe Terms of Service and Privacy Statement would remain in place unless and until customers are presented with, and agree to, new terms and statements — and only after receiving appropriate notice of any new terms, under applicable data protection laws,” Kill told TechCrunch.
Proactively deleting your account
While 23andMe appears to be resisting a sale to a third-party company for now, Wojcicki’s recanted comments have already sounded alarm bells among privacy advocates, who are urging 23andMe customers to take action now to protect their data from being sold by requesting that 23andMe deletes their data.
Meredith Whittaker, the president of end-to-end encrypted messaging app Signal, said in a post on X: “It’s not just you. If anyone in your family gave their DNA to [23andMe], for all of your sakes, close your/their account now.”
Eva Galperin, the director of cybersecurity at the EFF, also warned users to take action. “If you have a 23andMe account, today is a good day to login and request the deletion of your data,” said Galperin in a post on X.
Requesting the deletion of your data on 23andMe is relatively easy.
Log in to your 23andMe account and navigate to Settings > Account Information > Delete Your Account. 23andMe will prompt you to confirm your decision, warning that deleting your account is permanent and irreversible.
There is an important caveat. As noted in 23andMe’s privacy policy, account deletion is “subject to retention requirements and certain exceptions,” which means the company may hold on to some of your data for an unspecified amount of time.
For example, 23andMe will retain your genetic information, date of birth, and gender “as required for compliance” and will retain limited data related to your deletion request, “including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements.”
Similarly, if you’ve already agreed to 23andMe sharing your data for research purposes, you can reverse that consent, but there’s no way for you to delete that information. Kill tells TechCrunch that around 80% of 23andMe customers — roughly 12 million people — consent to participate in its research program.