Analysis
Concern over Potential 23andMe Data Sale Highlights Weaknesses of State Privacy Laws
May 2, 2025

While the United States’ lack of a comprehensive federal privacy law allows privacy harms to continue threatening Americans daily, 23andMe’s recent bankruptcy shines a spotlight on the problem.
The direct-to-consumer genetic testing company has more than 15 million customers, so a massive amount of highly sensitive information—now 23andMe’s most valuable asset—will be sold off to the highest bidder. After a federal judge gave permission for the company to sell its sensitive customer data, millions of customers have no control over who their information is sold to. While research shows that most Americans believe—incorrectly—that the personal health information they give to health apps and websites is protected by the federal Health Insurance Portability and Accountability Act (HIPAA), the law does not apply to 23andMe’s handling of consumer genetic information.
Some concerned customers who have attempted to delete their genetic data have reported an inability to access their 23andMe accounts. Even those who have successfully deleted their accounts have expressed fear that their data has not been fully purged from the company’s records and could still end up in the hands of an unknown buyer—in fact, the company’s own privacy policy acknowledges that even after a customer deletes an account, 23andMe will retain some personal data.
Amid these uncertainties, leaders of the House Energy and Commerce Committee sent a letter to 23andMe asking for information about how the company handles customers’ sensitive data. In the letter, the Congressmen expressed their “great concern about the safety of Americans’ most sensitive personal information” because of the “lack of a federal comprehensive data privacy and security law.”
Over the past several years, states have been working to fill the federal gap in privacy legislation with state comprehensive privacy laws. Nineteen states have passed comprehensive laws so far, but unfortunately, most of these laws do little to protect the sensitive information of 23andMe’s customers in this situation.
A breakdown of the problem:
- State privacy laws give consumers the right to request that a company delete their personal data, but this puts the onus on consumers to protect their privacy.
- It is also not clear that customers requesting that 23andMe delete their information or attempting to delete their own data or accounts are succeeding in truly removing their personal information from the company’s assets.
- With the exception of California’s, no comprehensive state privacy law gives 23andMe customers the ability to protect their highly sensitive genetic data from being sold to the highest bidder.
- State privacy laws all have an exemption in their definitions of “sale” that excludes the transfer of data during a bankruptcy proceeding, which renders consumers’ right to opt out of data sales useless for a sale, like 23andMe’s, that results from bankruptcy. (California amended its privacy law last year to remove this exemption and clarify that consumers can opt out of the sale of their data even in the context of a bankruptcy proceeding.) Health-specific privacy laws, such as Washington’s My Health My Data Act and Nevada’s Consumer Health Data Privacy Law, contain the same problematic exemption in their definitions of “sale,” meaning even the sectoral laws meant to address health data do not protect 23andMe customers.
- Most state privacy laws require companies to obtain consent from consumers before processing—which includes disclosing—their sensitive data. However, this requirement further highlights how ineffective consent frameworks are at protecting consumer privacy; because “processing” also includes actions like collecting and storing data, 23andMe customers likely consented to this processing when signing up for the service or making their accounts without realizing the scope of what they were consenting to.
- Additionally, most of these laws only categorize genetic data as “sensitive data” if that genetic data is used to identify a consumer, meaning the immutable DNA consumers provided to the company may not even be considered sensitive data.
How can policymakers protect consumers’ sensitive data during mergers and sales?
Policymakers seeking to protect the privacy of their constituents can learn from these regulatory gaps to go further and meaningfully protect privacy.
EPIC and Consumer Reports recently released a model state privacy bill (the State Data Privacy Act) that includes meaningful data minimization requirements and heightened protections for sensitive data that would protect 23andMe customers as the company continues through bankruptcy proceedings. The model bill uses the Connecticut Data Privacy Act as its base text but closes many of the loopholes that prevent it and similar laws from meaningfully protecting consumers’ personal data.
The State Data Privacy Act specifically addresses the issues that 23andMe’s bankruptcy has brought to light. The bill removes the exemption for data transfers during a bankruptcy proceeding from the “sale” definition and bans the sale of sensitive data. This means that 23andMe customers’ genetic data may not be sold, even during a merger or bankruptcy proceeding. Additionally, the State Data Privacy Act requires companies seeking to transfer any personal data (even non-sensitive data) during a bankruptcy proceeding to provide consumers with a notice describing who the data will be transferred to and giving them a reasonable opportunity to withdraw any previously provided consent and to request deletion of their personal data before any transfer takes place.
In addition to these protections, the State Data Privacy Act would likely prevent situations like 23andMe using customers’ highly sensitive genetic data in unexpected ways, such as a sale, from arising in the first place, because the bill relies on data minimization as its core protection. Under the model bill, sensitive data can only be processed if it is strictly necessary to provide or maintain a product or service requested by the consumer. The sale of customers’ genetic information during a bankruptcy proceeding is not strictly necessary for the service the consumer requested: genetic testing. Thus, 23andMe could not process consumers’ genetic information to do anything other than the genetic testing consumers requested.
State lawmakers should test their bill language against cases like the 23andMe sale to ensure that any privacy legislation actually protects their constituents’ personal data in similar situations. The State Data Privacy Act provides a model that does.