DNA and genetic testing firm 23andMe is in disarray today after a data breach last year and the steady erosion of its finances. Once a pioneering giant, the company now stands at a crossroads with an uncertain future, as efforts to take it private heighten concerns over what might happen to the genetic data of 23andMe's some 15 million customers.
The company is perhaps best known for its saliva-based test kits, which give consumers a peek into their genetic ancestry. Since going public in early 2021, 23andMe's value has plummeted more than 99% from its peak of $6 billion after the company failed to turn a profit.
That lack of profit was attributed to waning consumer interest in 23andMe's use-once test kits and lacklustre growth in its subscription services. The company was also floored by a huge, months-long data breach that saw hackers steal the ancestry data of nearly 7 million users throughout 2023. The company agreed in September to pay $30 million to settle a lawsuit related to the breach.
Just over a week on from that move, 23andMe founder and CEO Anne Wojcicki said she was "considering third-party takeover proposals" for the company. Within hours, Wojcicki clarified that she instead planned to take the company private. By then the earlier statement had already sunk in, and all of the company's independent board members resigned with immediate effect.
Where does that leave millions of people's genetic data?
23andMe largely bound by its own rules
23andMe collects a great deal of information from its users, as shown by last year's data breach, in which hackers made off with people's genetic predisposition and ancestry reports.
If you're one of the hundreds of millions who have sent their spit to 23andMe in order to understand their family history, you probably believed that this information would stay confidential under laws such as the Health Insurance Portability and Accountability Act. HIPAA outlines the rules for keeping sensitive health care information confidential, so that it cannot be disclosed without a person's consent or knowledge.
However, 23andMe is not a HIPAA-covered entity, so it is generally limited only by its own policies, which it can change whenever it wants.
Andy Kill, a spokesman for 23andMe, wrote in an email to TechCrunch that the company believes that this is a "more appropriate and transparent model for the data we handle, rather than the HIPAA model employed by the traditional healthcare industry".
The lack of federal regulation, plus a cluttered mess of state privacy laws, ultimately means that if 23andMe faces a sale, the data of millions of Americans is also up for grabs. The company's privacy policy says that the personal information of its customers "may be accessed, sold or transferred" as part of a bankruptcy, merger, acquisition, reorganization, or sale.
Little more needs to be said now that Wojcicki has made this public in a report distributed to investors, stating that 23andMe will no longer seek funding for its expense-laden drug development programs and will instead market its gargantuan database of customer data to pharmaceutical companies and researchers.
23andMe asserts that its data privacy policies do not change with ownership. The company's policies explain that it will never disclose information to insurance companies, nor to law enforcement agencies without a warrant. Law enforcement agencies have increasingly started requesting genetic information from third-party DNA companies, though 23andMe has so far rejected all U.S. law enforcement requests, according to the company's long-running transparency report.
Owners of 23andMe may have very different ideas about how the company's potential goldmine of DNA data should be used. Already, privacy advocates at the digital rights group Electronic Frontier Foundation have urged 23andMe to resist a sale to any company with ties to law enforcement, warning that customers' genetic data could be used by police to indiscriminately search for evidence of crimes.
"It appears it is the 23andMe Terms of Service and Privacy Statement that would apply to the personal information of the customers unless and until customers are presented with, and agree to, new terms and statements — and only after receiving appropriate notice of any new terms, under applicable data protection laws," Kill told TechCrunch.
Proactively delete your account
While 23andMe may be holding off on a sale to a third-party company for now, Wojcicki's retracted statements have already set off alarms in the privacy advocacy community, whose members are calling on 23andMe customers to take action themselves and ask 23andMe to delete their data so that it cannot be sold.
Meredith Whittaker, president of the end-to-end encrypted messaging app Signal, tweeted on X: "It's not just you. If anyone in your family gave their DNA to [23andMe], for all of your sakes, close your/their account now."
In fact, the director of cybersecurity at EFF, Eva Galperin, warned people to take the step immediately. "If you have a 23andMe account, today is a good day to login and request the deletion of your data," she said in a post on X.
It is relatively easy to request deletion of your data on 23andMe.
Log in to your 23andMe account and go to Settings > Account Information > Delete Your Account. 23andMe will then ask you to confirm that you want your account deleted permanently and irreversibly.
An important caveat: 23andMe's privacy policy states that deletion is "subject to retention requirements and certain exceptions," meaning the company may hold on to some of your data for an unknown period of time.
For example, 23andMe will retain your genetic information, date of birth, and gender "as required for compliance" and will retain limited data related to your deletion request, "including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements."
Similarly, if you have already agreed to the company sharing your data for research purposes, you can reverse that consent, but there is no way to delete that information. Kill told TechCrunch that about 80% of 23andMe customers - around 12 million people - opt in to participate in its research program.