Privacy Daily is a service of Warren Communications News.
'Wake-Up Call' for Legislators

23andMe Bankruptcy Poses Severe Privacy Risks for Genetic Data, Experts Say

The bankruptcy of biotechnology company 23andMe is raising privacy concerns about the future of customers' sensitive genetic data. Democratic and Republican state AGs and the U.K. Information Commissioner's Office said they're monitoring the situation.


When changes occur within a company, whether a merger, acquisition or bankruptcy, ownership of consumer personal data is altered and poses privacy concerns and risks, especially in cases of immutable genetic data, privacy experts said Sunday, after 23andMe filed for bankruptcy. The company said a sale is the best way to maximize business value.

“So much of our personal information and what happens to it -- how it's collected, used, processed, retained -- is governed by policies or Terms of Service set by companies that can be changed unilaterally by these companies,” said Sara Geoghegan, senior counsel at the Electronic Privacy Information Center. “This genetic information is a valuable asset that is going to be sold off in a bankruptcy proceeding where it will be owned and accessed by a new entity, an outcome that most customers could not have expected when they gave their swab to 23andMe.”

Genetic information is uniquely sensitive because it cannot be changed, said Geoghegan: It can reveal immutable sensitive health characteristics about a person and even their family members, or at least reveal who their family members are.

“These customers have no way of knowing who will buy the company,” she said. “This means they don't know who will have access to their genetic information and what motives the buyer will have for accessing the genetic information of over 15 million people. We don't know what the new policies will be that control the use and retention of this genetic information, and what safeguards, if any, will be employed to protect their genetic data under a new owner.”

Similarly, Electronic Frontier Foundation Staff Attorney F. Mario Trujillo, in an email, said, “23andMe selling off a giant trove of our most sensitive data through bankruptcy is a horrible idea that should be avoided at all costs.” Trujillo added, “At minimum, the company has a responsibility to its customers to make it as easy as possible for people to delete all their data before anything like this happens. 23andMe should give every user a real choice to say 'no' to a data transfer.”

“This news should be a wake-up call for lawmakers, who must work to pass stronger comprehensive privacy protections in general and genetic privacy protections in particular,” said Trujillo. “While many of the state-based genetic privacy laws are a good start, they generally lack a private right of action and only protect a slice of the U.S. population.”

Andrew Crawford, senior counsel for the Center for Democracy and Technology's Privacy & Data Project, agreed. "This is just another case of where consumer privacy is taking a backseat to other interests, including the sale of that consumer's data," he said. "People might not appreciate that sensitive data, like their genetic data, isn't always [as] protected as they'd like it to be, and it could potentially be shared and used and even sold in ways they don't know about, and in ways they don't want. And that's due to the fact that we don't have a comprehensive federal privacy law here in the United States."

Crawford added, "The rules that govern how that data is going to be used, how it's going to be collected, how it's potentially going to be shared, how it might be sold in a bankruptcy" depend on "what that company says in its terms and its privacy policies." Crawford acknowledged, "Unfortunately, those policies can be really long" and "difficult to digest." As a result, people often "don't read them, and may have consented to data practices that they aren't necessarily comfortable with."

The Health Insurance Portability and Accountability Act (HIPAA) doesn't apply to 23andMe, though bankruptcy laws offer some protection for customers, said Glenn Cohen, faculty director of the Petrie-Flom Center at Harvard Law School, in a Harvard Gazette article Thursday. "One thing we want to highlight is that when most people have given their genetic information, they’ve never thought about this."

HIPAA is "a bit out of date compared to our peer countries in Europe," Cohen said. A solution "would be to have more general data privacy protection that would cover all personal data, including genetic data, and that would apply in bankruptcy cases as well."

There are data protections for bankruptcies, noted John Verdi, senior vice president-policy at Future of Privacy Forum. Companies are "typically prohibited" from transferring sensitive consumer data they've promised not to share, or if the buying company would handle data in ways that violate the original company's privacy policies, he said in a statement. Additionally, 23andMe and any potential purchaser must follow state laws granting consumers the right to delete that data, he added.

“In the age of AI, your DNA data can be used now or in the future in ways that could cause you and your family members profound harm,” Transparency Coalition said in a blog post Monday. “The most obvious concern is the misuse of your DNA by health insurers, who could refuse you or your family members coverage based on markers in your data.”

Regulators Watching

The Connecticut attorney general's office has been investigating 23andMe since October 2023, when a data breach exposed the personal information of almost seven million people, according to a press release Monday. Since that breach, 23andMe said it has faced more than 50 class actions and lawsuits from around 35,000 claimants, according to its bankruptcy filing.

“23andMe collected incredibly sensitive genetic data from millions of Americans, and their inability to protect that data irreparably harmed their business,” said Connecticut AG William Tong (D). “Regardless of this bankruptcy filing, they need to honor their promises to protect consumer privacy and the security of the data they maintain… We are watching this bankruptcy filing closely and expect to be actively engaged to ensure sensitive records are protected and 23andMe is held accountable.”

On Friday, California Attorney General Rob Bonta (D) issued a consumer alert to 23andMe customers about how they can protect their sensitive information. “California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,” said Bonta. “Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company” via the California Consumer Protection Act and the Genetic Information Privacy Act.

Indiana AG Todd Rokita (R) on Monday suggested state residents consider deleting their 23andMe accounts. “This is a company that holds very sensitive information pertaining to the individuals who use its services,” he said. “This data could be considered an asset to be sold or transferred as part of any potential bankruptcy proceeding. The best way for Hoosiers to protect their information is to delete their accounts now.”

In the U.K., the ICO has also been investigating the biotech company since the data breach. In a LinkedIn post Monday about the bankruptcy, the U.K. privacy regulator said it's "monitoring the situation closely and [is] in contact with the company."

23andMe said in its Monday announcement that it “intends to continue operating its business in the ordinary course throughout the sale process. There are no changes to the way the Company stores, manages, or protects customer data.”

Yet Geoghegan said “people deserve more than pinky promises by a company which, as shown here, can be changed unilaterally at any point, to protect their most sensitive information.”

Crawford agreed. "It's just another unfortunate example of how the notice and consent regime that we currently operate under just doesn't really work very well to protect consumers and give them the agency over their data."