What Users Need to Know About Privacy and Data After 23andMe's Bankruptcy Filing

In a shocking turn of events, 23andMe, one of the first companies to provide direct-to-consumer genetic testing kits, has filed for bankruptcy under Chapter 11 of the United States Bankruptcy Code. The company, which was founded in 2006 and has sold over 12 million DNA kits since its inception, has secured $35 million in financing to restructure its finances and operations under court supervision.

Despite the bankruptcy filing, 23andMe has stated that it will continue operating and maintaining customer access to their accounts, reports, and data. However, this raises concerns about what happens to customers' personal and genetic information, particularly in light of the company's past challenges and controversies.

A Brief History of 23andMe's Challenges

In 2023, hackers exploited old passwords to gain access to the personal information of 6.9 million people, resulting in a data breach that exposed family trees, birth years, and geographic locations. Although no genetic data was compromised, the breach highlighted the vulnerabilities of interconnected data.

In addition to the breach, 23andMe has faced financial struggles since 2021, including a significant reduction in workforce and the resignation of its independent directors in response to CEO Anne Wojcicki's decision to take the company private. Wojcicki has since stepped down as CEO.

Concerns About Data Privacy

The possibility of new ownership raises concerns about how sensitive genetic information will be handled in the future. 23andMe's privacy policies state that if the company is involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, customer data may be accessed, sold, or transferred as part of that transaction.

This means that 23andMe could potentially sell customer information to ensure competitive bids during the bankruptcy process. The company's privacy policies also allow for licensing agreements with pharmaceutical companies, which would enable them to use customer information for research purposes.

Regulatory Frameworks and Protections

The extent to which customers should be concerned about their genetic data depends on where they are located. In the European Union and United Kingdom, customers have additional protections under the General Data Protection Regulation (GDPR). In Canada, customers have some protection under the Personal Information Protection and Electronic Documents Act (PIPEDA), although this may still be limited by legal or contractual agreements.

In the U.S., the situation is more complicated due to the lack of a harmonized legal approach to consumer privacy. Some states have enacted laws to better protect consumer privacy, such as California's Consumer Privacy Act and the Illinois Genetic Information Privacy Act. However, federal legislation like HIPAA does not apply to 23andMe because it is not classified as a healthcare agency.

What Customers Can Do

Given the uncertainties surrounding 23andMe's future and the potential for changes in its privacy policies, concerned customers should err on the side of caution and delete their accounts. It is also essential to withdraw consent and request the deletion of both individual-level and de-identified data from the database.

A Call for Regulatory Action

The anxiety and concern surrounding 23andMe's future highlight the need for a harmonized and effective framework to regulate consumer privacy. As legal scholars Sara Gerke, Melissa B. Jacoby, and I. Glenn Cohen noted in their recent research article, "a legal system that relies heavily on privacy statements to protect customer data leaves customers vulnerable to unexpected uses of their data, with limited remedies."

Without clear regulations, consumers are forced to rely on the word of companies, which can be unreliable. With genetic data at stake, it is imperative that policymakers take action to protect consumer privacy in the face of uncertainty.

Delete Your Account and Protect Yourself

If you're concerned about 23andMe's future and the potential risks associated with your genetic data, consider deleting your account and requesting the deletion of both individual-level and de-identified data from the database. By taking proactive measures, you can protect yourself from potential risks.