With genetic testing company 23andMe filing for Chapter 11 bankruptcy protection and courting bidders, the DNA data of millions of users is up for sale.
A Silicon Valley stalwart since 2006, 23andMe has steadily amassed a database of people’s fundamental genetic information under the promise of helping them understand their disposition to diseases and potentially connect with relatives.
But the company’s bankruptcy filing Sunday means information is set to be sold, causing massive worry among privacy experts and advocates.
“Folks have absolutely no say in where their data is going to go,” said Tazin Kahn, CEO of the nonprofit Cyber Collective, which advocates for privacy rights and cybersecurity for marginalized people.
“How can we be so sure that the downstream impact of whoever purchases this data will not be catastrophic?” she said.
California Attorney General Rob Bonta warned people in a statement Friday that their data could be sold. In the statement, Bonta offered users instructions on how to delete genetic data from 23andMe, how to instruct the company to delete their test samples and how to revoke permission for their data to be used in third-party research studies.
DNA data is extraordinarily sensitive.
Its primary use at 23andMe — mapping out a person’s potential predisposed genetic conditions — produces data that many people would prefer to keep private. In some criminal cases, genetic testing data has been subpoenaed by police and used to help criminal investigations against people’s relatives.
Security experts caution that if a bad actor can gain access to a person’s biometric data like DNA information, there’s no real remedy: Unlike passwords or even addresses or Social Security numbers, people cannot change their DNA.
A spokesperson for 23andMe said in an emailed statement that there will be no change to how the company stores customers’ data and that it plans to follow all relevant U.S. laws.
But Andrew Crawford, an attorney at the nonprofit Center for Democracy and Technology, said genetic data lawfully acquired and held by a tech company has almost no federal regulation to begin with.
Not only does the United States not have a meaningful general digital privacy law, he said, but Americans’ medical data faces less legal scrutiny if it’s held by a tech company rather than by a medical professional.
The Health Insurance Portability and Accountability Act (HIPAA), which regulates some ways in which health data can be shared and stored in the United States, largely applies only “when that data is held by your doctor, your insurance company, folks kind of associated with the provision of health care,” Crawford said.
“HIPAA protections don’t typically attach to entities that have IOT [internet of things] devices like fitness trackers and in many cases the genetic testing companies like 23andMe,” he said.
There is precedent for 23andMe’s losing control of users’ data.
In 2023, a hacker gained access to the data of what the company later admitted were around 6.9 million people, almost half of its user base at the time.
That led to posts on a dark web hacker forum, confirmed by NBC News as at least partially authentic, that shared a database that named and identified people with Ashkenazi Jewish heritage. The company subsequently said in a statement that protecting users’ data remained “a top priority” and vowed to continue investing in protecting its systems and data.
Emily Tucker, the executive director of Georgetown Law’s Center on Privacy & Technology, said the sale of 23andMe should be a wake-up call for Americans about how easily their personal information can be bought and sold without their input.
“People must understand that, when they give their DNA to a corporation, they are putting their genetic privacy at the mercy of that company’s internal data policies and practices, which the company can change at any time,” Tucker said in an emailed statement.
“This involves significant risks not only for the individual who submits their DNA, but for everyone to whom they are biologically related,” she said.