Analysis

Somebody Spilled the Genes: 23andMe’s Downturn Highlights Insufficient Privacy and Data Security Safeguards for Consumer Genetic Data

December 5, 2024 | by Suzanne Bernstein (EPIC Counsel), Abigail Kunkler (EPIC Law Fellow), and Matthew Contursi (EPIC Fall Semester Clerk)

23andMe is facing an uncertain future. The direct-to-consumer genetic testing company has lost 98% of its value and recently laid off nearly 40% of its workforce. On top of the massive 2023 data breach that compromised at least 6 million users' genetic data and resulted in a $30 million settlement, all of the company's independent directors resigned in protest of a plan to take the company private. The company continues to report year-over-year losses, and its stock has dropped below $1 per share. As 23andMe likely heads towards bankruptcy or sale, many consumers are understandably concerned: what will happen to their genetic data?

23andMe offers two primary services: consumer-facing genetic testing and business-facing data sales. On its consumer-facing side, anyone can purchase a testing kit, spit in a tube, and receive information about themselves ranging from their genetic ancestry to select health conditions. On its business-facing side, 23andMe acts as a private biobank and database of organized genetic information. This was 23andMe's intended business model from the start: as Wired noted in 2007, 23andMe's goal was to amass "a treasure trove of data. . . [to] drive further research." 23andMe has since sold access to its genetic datasets to Genentech and other pharmaceutical companies.

I. Consumer Privacy Risks for Direct-to-Consumer Genetic Testing

Direct-to-consumer (DTC) genetic testing companies, including 23andMe, collect and retain sensitive health data, including genetic data, without much regulatory oversight. While many consumers are likely aware of the Health Insurance Portability and Accountability Act (HIPAA) from a visit to the doctor's office or an interaction with their insurance company, most are unaware of HIPAA's narrow scope. HIPAA applies only to "covered entities" (health care providers, health plans, and health care clearinghouses) and to the business associates that handle health information on their behalf. A DTC genetic testing company that sells kits directly to the public is generally none of these, so 23andMe is not generally subject to HIPAA.

Consumers are rightfully concerned about how a 23andMe bankruptcy or sale would impact them and their privacy. The more sensitive data is, the more valuable it is in the hands of malicious actors. Genetic data is uniquely sensitive, revealing immutable characteristics about an individual. It can also reveal intimate health information about a person, and secondary uses for genetic data continue to evolve.

A similar situation occurred in 2008 with Pay By Touch, a company offering fingerprint-based payment and banking services. Pay By Touch prompted security concerns when it went belly up and sold off customers' fingerprint data in its bankruptcy proceedings. The Illinois state legislature responded swiftly. Recognizing the danger of losing control of one's sensitive and immutable data, both the state Senate and House passed the Biometric Information Privacy Act (BIPA) unanimously. BIPA remains one of the most effective privacy laws in the country, due in large part to its private right of action enabling individuals to sue businesses that misuse or mishandle their biometric data.

Today, companies offering DTC genetic testing to consumers seem poised to repeat history. Like Pay By Touch, DTC genetic testing companies collect and store sensitive, immutable information about individuals. And, like biometric information, the genetic information held by DTC genetic testing companies can be used or misused to uncover or expose deeply personal attributes about a person and cause them significant harm.

DTC genetic testing companies are not generally held to specific regulatory standards for safeguarding customer genetic data, nor are they expressly required to limit sharing of that data in most circumstances. If one of these companies enters bankruptcy, consumers' genetic information may come under the control of a data broker. Data brokers engage in commercial surveillance practices that fuel their ability to create and market extremely detailed consumer profiles and analytics. Each time the information changes hands, it is copied into another organization's systems with its own security posture, so the risk of a data breach or unauthorized access grows with every transfer. Genetic information is uniquely sensitive because it is unchangeable. Traditional remedies for limiting the damage of compromised information, such as changing important passwords, are not an option. And because data brokers are largely unregulated, consumers may not even know their information has been used to profile them or sold to another party.

When a data broker adds immutable information like genetic data into a consumer's profile, it also raises the likelihood of discrimination and opportunity loss across every area of that person's life. This includes a person's ability to get life, long-term care, and disability insurance. Although the U.S. enacted the Genetic Information Nondiscrimination Act (GINA) in 2008, GINA covers health insurance only; insurers in these other lines of business may deny coverage or unreasonably hike prices based on genetic risk factors that they require the consumer to disclose.

Concerns over genetic discrimination in the workplace are widespread as well. In fact, workplace protections, along with insurance, motivated the initial push for federal genetic discrimination protections. While GINA prohibits employers from using genetic information in employment decisions (at least as long as a condition has not produced symptoms), it can be hard to tell if an employer has made a determination based on genetics or other medical or health information.

Unlike the employment and insurance contexts, law enforcement use of commercially available genetic data has no explicit federal legal restrictions. Law enforcement can access and use commercially available genetic information for criminal and other investigations. Forensic genetic genealogy, the investigative method by which law enforcement compares crime scene DNA to consumer genetic profiles, also pulls in the data of a person’s family members. This not only subverts the privacy expectations of family members (who cannot change or avoid their relations), but is also a potentially unconstitutional warrantless search.

Commercial uses of genetic data may also impact a person in ways that are not readily obvious, such as housing determinations. For example, it may be used to limit someone with a genetic predisposition to a condition like Alzheimer’s from purchasing, renting, or obtaining financing for property or limit their options for residential communities in their old age. Genetic data could impact education, as well: some claim that genetic data can predict a person’s talents or capabilities, increasing the risk of discrimination if these predictions are inaccurate.

As a result of these various risks to privacy and autonomy, the unregulated sale and acquisition of genetic information from DTC genetic testing companies can chill people’s willingness to seek necessary medical or emergency help and erode public trust in medical and legal institutions. The fear of genetic discrimination is also harming advances in medical research, as people avoid signing up for research studies.  

Genetic information can be critical to developing incredible, life-saving advances in medicine and medical technology. But the largely unregulated commercial collection and use of genetic data also reduces a person's control over their personal information and identity, and it impacts their freedom and access to critical goods and services. Establishing thoughtful data protection and security safeguards for genetic data in commercial settings can protect privacy and autonomy without slowing important scientific innovation.

II. Fractured Regulatory Landscape and Unclear Privacy Protections for 23andMe Consumers

23andMe customers are rightly concerned about the privacy of their health and genetic data. When a consumer purchasing a 23andMe kit agrees to its terms and conditions, they are nominally agreeing to the company's Privacy Statement. Not only is an average consumer unlikely to read or understand these lengthy disclosures, but 23andMe's privacy promises to consumers are relatively toothless. The Privacy Statement (which is difficult to find on 23andMe's website) concludes by warning that "we make changes to this Privacy Statement from time to time." In the event of a change of ownership or bankruptcy, "Personal Information may be accessed, sold, or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity." Because the Privacy Statement is subject to change at any time, and because the new owner inherits the same power to change it, it is difficult or impossible to guarantee that any privacy protections for personal information will carry forward through a change of ownership or bankruptcy. For example, when Meta (then Facebook) acquired WhatsApp, the popular messaging app promised consumers that it would maintain the same heightened privacy protections. However, just two years later, WhatsApp changed its terms of service and started sharing phone numbers and consumer analytics with Facebook.

So then what protections do consumers have if 23andMe strays from or changes its Privacy Statement? What if the company is sold or declares bankruptcy? The flimsiness of 23andMe's privacy promises underscores how sparse U.S. legal protections are against the commercial misuse of genetic data.

Although the U.S. does not have a comprehensive federal privacy law, there are three federal laws which explicitly protect the privacy of genetic data in certain contexts. HIPAA protects patients' health information, which includes genetic information, in a medical environment like a hospital or in the hands of an insurance company. The Genetic Information Nondiscrimination Act (GINA) amended HIPAA to ensure that genetic information cannot be used by health insurers to make certain decisions about benefits, coverage, or premiums. GINA's other impact is in the employment context, where it prohibits employers from using genetic information in hiring or requesting genetic information as a condition of employment. Finally, the Affordable Care Act prohibits health insurers from refusing coverage to people with genetic diseases as pre-existing conditions. None of these laws governs how 23andMe itself collects, stores, or shares its consumers' genetic data.

While Congress has considered bills like the American Genetic Privacy Act of 2023, it has not taken meaningful action to provide safeguards for genetic data outside of the HIPAA context. The Federal Trade Commission (FTC) has used its consumer protection authority to bring enforcement actions against direct-to-consumer genetic testing companies Vitagene and CRI Genetics in recent years. The consent order with Vitagene resulted from the FTC’s five-count complaint alleging that Vitagene misrepresented the company’s data security and privacy practices involving consumers’ genetic information and retroactively revised material privacy policies without providing direct notice to consumers. Still, the FTC’s authority to regulate DTC genetic testing companies is generally limited to unfair and deceptive data practices, and individuals cannot bring their own lawsuits against offending companies under the FTC Act.

In the absence of more robust federal protections, the extent to which consumers' genetic data is protected varies by state. There is a patchwork of state comprehensive privacy laws, state laws concerning consumer health data, and state laws regulating genetic data specifically. Nineteen states have enacted comprehensive data privacy laws, most of which include heightened protections for categories of sensitive data that typically include health data. There has also been momentum at the state level to enact privacy laws specifically safeguarding consumer health data. In addition to Washington State's landmark My Health My Data Act, Nevada and Connecticut have also passed health data privacy laws. Ten states have enacted genetic privacy laws that regulate direct-to-consumer genetic testing.

In the event of a 23andMe bankruptcy, merger, or acquisition, it is not always clear which state-level privacy protections (if a consumer is fortunate enough to live in a state that has enacted an applicable privacy law) would outlive such a restructuring. Some states are facing this uncertainty head on. Just this fall, California Governor Gavin Newsom signed AB 1824 into law, amending the California Privacy Rights Act to require that existing consumer rights to opt out of the sale or sharing of data extend to data transferred in the context of bankruptcy, merger, or acquisition.

The durability of state-level consumer genetic and health privacy safeguards will soon be tested if 23andMe changes ownership. In the meantime, 23andMe consumers can request that the company delete their data and accounts. Consumers can also download their raw genetic data before doing so. But the extent to which 23andMe will still retain some consumer data after a request to delete an account is unclear. A recent MIT Technology Review article detailing how consumers can delete their 23andMe data explained that 23andMe may still "hang onto some of your genetic information, plus your date of birth and sex – alongside data linked to your account deletion request, including your email address and deletion request identifier."

The privacy and data security concerns raised by the potential downfall of 23andMe should encourage state and federal legislators to act now to safeguard the privacy of consumer genetic data, and health data generally. Industry self-regulation, easily changeable privacy policies, and an uneven patchwork of existing laws are insufficient to protect highly sensitive, immutable genetic data.
