The DNA testing company 23andMe is on the brink of financial collapse. What is going to happen to their genetic database of 15 million customers?
As of 2021, the marketplace reported 90 million direct-to-consumer sales of DNA testing kits sold by over two dozen companies.
“Having to rely on a private company's terms of service or bottom line to protect that kind of information is troubling,” says Vera Eidelman, attorney with the American Civil Liberties Union. She adds that the data could be transferred, sold off, or mined by the government or law enforcement.
On the 23andMe user interface, customers appear to have a right to delete their data. But this is largely illusory.
According to their privacy policy, "If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction," "and this Privacy Statement will apply to your Personal Information as transferred to the new entity."
The company also reserves the right to “retain Personal Information for as long as necessary.” Any account deletions are "subject to retention requirements and certain exceptions."
With no federal omnibus privacy law, it could come down to a patchwork of state laws on genetic data. On its face, federal HIPAA protection does not extend to direct-to-consumer companies like 23andMe. It is more likely that the Federal Trade Commission Act could be pressed into service for its prohibitions against unfair or deceptive trade practices.
New York is one of 16 states with a thorough genetic privacy law. New York State Civil Rights Law Sect. 79-l states no genetic testing shall be performed without signed informed consent, and subsection (2)(d) states, “Any further disclosure of genetic test results to persons or organizations not named on the informed consent shall require the further informed consent of the subject of the test.”
23andMe says it obtained this consent, compliant with all state laws, when users first signed up.
23andMe says it is already sharing its massive DNA research database with pharmaceutical giant GlaxoSmithKline (GSK). But the company says its agreement with GSK provides that the data shared has been anonymized.
DNA testing companies including Ancestry and 23andMe are regularly subpoenaed by law enforcement. 23andMe says they do not allow law enforcement to mine their genetic data. This could change if ownership changes hands.
The plans for 23andMe have been in chaos. Formed in 2006, 23andMe never turned a profit, largely because customers came for the initial testing, but few bought a larger subscription for additional services. The company went public in 2021 but was soon hit with a massive data breach.
Stock values are down 99%. The company says it may file for bankruptcy or find a new buyer. The CEO offered, then withdrew her offer, to buy back all of its shares herself, take the company private once again, and then effectuate a sale to a third party. The entire 23andMe Board of Directors resigned en masse in October.
https://www.npr.org/2024/10/03/g-s1-25795/23andme-data-genetic-dna-privacy