By definition, there is nothing more personal than someone’s unique genetic code — the chemical combination that makes a person who they are. So when California Attorney General Rob Bonta warned residents this past week that the looming bankruptcy of genetic testing and analysis company 23andMe could put the biological data of some 14 million users at risk, his consumer rights alert struck a particularly sensitive nerve. Here, it seems, is the nightmare scenario about which many privacy experts had long warned.
Given California’s “robust privacy laws,” residents should “consider invoking their rights” to demand 23andMe “delete their data and destroy any samples of genetic material held by the company,” Bonta said in a press release. The company, meanwhile, claimed in an open letter that its Chapter 11 bankruptcy filing does not “change how we store, manage, or protect customer data.” Crucially, 23andMe said, any future buyers will be “required to comply with applicable law with respect to the treatment of customer data.” Even so, data security specialists remain concerned about what could potentially happen — and who might have future access — to 23andMe’s genetic treasure trove.
‘Several fronts’ of concerns
Beyond the company’s assertion that any potential buyers would be legally bound to “observe applicable privacy laws,” 23andMe has also attempted to assuage user fears by claiming “any customer data it shares with other parties is anonymous and can’t be traced to individual users,” said CBS News. Still, concerns about 23andMe’s ability to protect its customers’ genetic data have “swirled in recent years,” said CNBC, particularly after “hackers accessed the information of nearly 7 million customers” in late 2023. That hack, which “appeared to target Jewish and Chinese customers,” was followed by a drop in earnings “attributed to fewer test kits being ordered,” The New York Times said.
Privacy experts are “watching the company’s challenges with concern on several fronts,” said Geoffrey Fowler at The Washington Post. Not only is safeguarding against hacks like the one in 2023 “hard for any company to do under bankruptcy proceedings,” but new ownership of 23andMe could choose to use your data for “new purposes” not included in the original user agreement. If that happens, “it would be on you to keep on top of the changes.”
What protections are available to users?
Many customers may have assumed their private genetic data is legally protected by laws such as the Health Insurance Portability and Accountability Act, commonly known as HIPAA, which “creates rules about what can be shared under what context,” said I. Glenn Cohen, Harvard Law School professor and health law expert, to the Harvard Gazette. But since 23andMe is a direct-to-consumer business and not a medical provider, the law treats those clients “essentially as a consumer, not as the patient.” Bankruptcy laws, on the other hand, offer “some protections, but they’re not perfect.” Broadly, there is a “lack of federal regulation and a cluttered mess of state privacy laws” under which 23andMe’s user data is protected (or not), said TechCrunch.
Ultimately, 23andMe’s bankruptcy represents “one of the biggest threats to Americans’ personal data in decades,” said Sen. Ron Wyden (D-Ore.) on Bluesky. “I strongly urge you to delete your data to protect it from whoever the new buyer might be.”