23andMe Bankruptcy Leaves Troves of Genetic Data at Risk


The direct-to-consumer genetic testing company 23andMe has filed for bankruptcy. This means that the fate of its assets—including the genetic information of some 15 million users and, by inference, their blood relatives—is up in the air. Legal experts, including California’s attorney general Rob Bonta, are urging consumers to delete their information from the site to protect it from potential misuse.

“23andMe sits on this massive amount of data” that is extremely sensitive, says Sara Gerke, a professor at the University of Illinois College of Law, who focuses on health and privacy law. The case highlights the need for federal laws to ensure people’s genetic privacy, Gerke adds, because right now “it literally comes down to where you are living, whether you have proper rights over what’s going to happen to your data.”

What’s Protecting Your Genetic Data?




The privacy policy of 23andMe allows for the sale of data in the event of bankruptcy, but it also allows customers to delete their accounts, along with their information. The policy also says, however, that the company may nonetheless retain some information “for compliance with applicable legal obligations,” potentially including one’s date of birth, sex and some genetic information.

“We remain committed to our users’ privacy and to being transparent with our customers about how their data is managed,” the company said in an open letter to its users.

At least 13 states require companies to obtain consent from users before transferring their genetic data in the event of an acquisition, according to the Electronic Frontier Foundation. And in 19 states, companies must delete users’ data upon their request.

“In many states, nothing is going to kick in” to protect users, Gerke says. “That means it goes back to the privacy statement.”

What Happens Next?

If 23andMe is sold, the buyer would initially be required to comply with the original privacy policy, which limits how customers’ data can be shared. But it could then make changes to the policy.

“If individuals are not reading what is in [the new privacy policy],” Gerke warns, “then they might have just sold away their data.”

Those changes could potentially be quite substantial, Gerke says. For example, 23andMe currently says it won’t share data with insurance companies. A buyer could update the policy to allow for the sale or sharing of data, for example, with life, long-term care or disability insurance companies, she explains. (The new owner could not share the data with health insurers, however, because this would violate a federal nondiscrimination law called the Genetic Information Nondiscrimination Act, or GINA.)

If 23andMe is not sold to another company, its assets could be sold off to repay creditors. “The biggest asset that they have is all of this information,” says Mark Rothstein, a bioethicist at the University of Louisville.

For now, “there are no changes to the way [23andMe stores, manages or protects] customer data,” according to a press release that announced the bankruptcy.

The Bigger Ethical Questions

The fate of 23andMe’s data may also impact the blood relatives of its customers. “Not only [does your DNA sample] have information about you but also about your close relatives,” Rothstein says.

This is a long-standing bioethical question regarding genetic testing, but “it is an even more problematic question now, if this data might get into hands that we don’t want it in,” Gerke says.

Even a relatively small repository of genetic data can be used to infer information about a large swath of the population. A 2018 study of the genealogy platform MyHeritage found that from a dataset of 1.28 million individuals, an estimated 60 percent of the U.S. population of northern European descent could expect to have a third-cousin or closer match. And 23andMe reports around 15 million users worldwide.

Law enforcement routinely uses these genetic information databases to look for potential suspects. In 2018 the “Golden State killer” was identified by law enforcement officials after they used the genetic repository GEDmatch to find third-cousin connections to crime-scene DNA, and many similar cases have followed. The researchers in the 2018 study determined that a genetic database that covered only 2 percent of a population would have a third-cousin match for almost any given person in that population.

What Can We Do?

“The U.S. is an outlier internationally for not having a federal law that protects privacy, including genetic privacy,” Rothstein says. The country’s health privacy protections rest on one law, the Health Insurance Portability and Accountability Act (HIPAA), which applies to health insurers and health care providers but not to direct-to-consumer companies such as 23andMe, whose users are designated as “consumers” and not “patients.”

“HIPAA’s scope is too narrow,” Gerke says, because it “was developed at a time where we were thinking about traditional health care systems,” not today’s expanded landscape of health-related providers and services. She urges lawmakers to expand HIPAA or GINA or to pass a new law that could safeguard the privacy of people across the country.

“We are going to potentially see other cases with similarly massive amounts of data in the future,” Gerke says. “We do need to start to think, as a society…, about how much control individuals should get over their data—that if they don’t want this…, they could say no.”


