23andMe is not doing well. Its stock is on the verge of being delisted. It shut down its in-house drug-development unit last month, only the latest in several rounds of layoffs. Last week, the entire board of directors quit, save for Anne Wojcicki, a co-founder and the company’s CEO. Amid this downward spiral, Wojcicki has said she’ll consider selling 23andMe—which means the DNA of 23andMe’s 15 million customers would be up for sale, too.
23andMe’s trove of genetic data might be its most valuable asset. For about two decades now, since human-genome analysis became quick and common, the A’s, C’s, G’s, and T’s of DNA have allowed long-lost relatives to connect, revealed family secrets, and helped police catch serial killers. Some people’s genomes contain clues to what’s making them sick, or even, occasionally, how their disease should be treated. For most of us, though, consumer tests don’t have much to offer beyond a snapshot of our ancestors’ roots and confirmation of the traits we already know about. (Yes, 23andMe, my eyes are blue.) 23andMe is floundering in part because it hasn’t managed to prove the value of collecting all that sensitive, personal information. And potential buyers may have very different ideas about how to use the company’s DNA data to raise the company’s bottom line. This should concern anyone who has used the service.
DNA might contain health information, but unlike a doctor’s office, 23andMe is not bound by the health-privacy law HIPAA. And the company’s privacy policies make clear that in the event of a merger or an acquisition, customer information is a salable asset. 23andMe promises to ask its customers’ permission before using their data for research or targeted advertising, but that doesn’t mean the next boss will do the same. It says so right there in the fine print: The company reserves the right to update its policies at any time. A spokesperson acknowledged to me this week that the company can’t fully guarantee the sanctity of customer data, but said in a statement that “any scenario which impacts our customers’ data would need to be carefully considered. We take the privacy and trust of our customers very seriously, and would strive to maintain commitments outlined in our Privacy Statement.”
Certain parties might take an obvious interest in the secrets of Americans’ genomes. Insurers, for example, would probably like to know about any genetic predispositions that might make you more expensive to them. In the United States, a 2008 law called the Genetic Information Nondiscrimination Act protects against discrimination by employers and health insurers on the basis of genetic data, but gaps in it exempt providers of life, disability, and long-term-care insurance from such restrictions. That means that if you have, say, a genetic marker that can be correlated with a heart condition, a life insurer could find that out and legally deny you a policy—even if you never actually develop that condition. Law-enforcement agencies rely on DNA data to solve many difficult cases, and although 23andMe says it requires a warrant to share data, some other companies have granted broad access to police. You don’t have to commit a crime to be affected: Because we share large chunks of our genome with relatives, your DNA could be used to implicate a close family member or even a third cousin whom you’ve never met. Information about your ethnicity can also be sensitive, and that’s encoded in your genome, too. That’s all part of why, in 2020, the U.S. military advised its personnel against using consumer tests.
Spelling out all the potential consequences of an unknown party accessing your DNA is impossible, because scientists’ understanding of the genome is still evolving. Imagine drugmakers trolling your genome to find out what ailments you’re at risk for and then targeting you with ads for drugs to treat them. “There’s a lot of ways that this data might be misused or used in a way that the consumers couldn’t anticipate when they first bought 23andMe,” Suzanne Bernstein, counsel at the Electronic Privacy Information Center, told me. And unlike a password that can be changed after it leaks, once your DNA is out in the wild, it’s out there for good. Some states, such as California, give consumers additional genetic-privacy rights and might allow DNA data to be deleted ahead of a sale. The 23andMe spokesperson told me that “customers have the ability to download their data and delete their personal accounts.” Companies are also required to notify customers of any changes to terms of service and give them a chance to opt out, though typically such changes take effect automatically after a certain amount of time, whether or not you’ve read through the fine print. Consumers have assumed this risk without getting much in return. When the first draft of the human genome was unveiled, it was billed as a panacea, hiding within its code secrets that would help each and every one of us unlock a personalized health plan. But most diseases, it turns out, can’t be pinned on a single gene. And most people have a boring genome, free of red-flag mutations, which means DNA data just aren’t that useful to them—at least not in this form. And if a DNA test reveals elevated risk for a more common health condition, such as diabetes and heart disease, you probably already know the interventions: eating well, exercising often, getting a solid eight hours of sleep. (To an insurer, though, even a modicum of risk might make someone an unattractive candidate for coverage.) That’s likely a big part of why 23andMe’s sales have slipped. There are only so many people who want to know about their Swedish ancestry, and that, it turns out, is consumer DNA testing’s biggest sell.
Wojcicki has pulled 23andMe back from the brink before, after the Food and Drug Administration ordered the company to stop selling its health tests in 2013 until they could be proved safe and effective. In recent months, Wojcicki has explored a variety of options to save the company, including splitting it to separate the cash-burning drug business from the consumer side. Wojcicki has still expressed interest in trying to take the company private herself, but the board rejected her initial offer. 23andMe has until November 4 to raise its shares to at least $1, or be delisted. As that date approaches, a sale looks more and more likely—whether to Wojcicki or someone else.
The risk of DNA data being misused has existed since DNA tests first became available. When customers opt in to participate in drug-development research, third parties already get access to their de-identified DNA data, which can in some cases be linked back to people’s identities after all. Plus, 23andMe has failed to protect its customers’ information in the past—it just agreed to pay $30 million to settle a lawsuit resulting from an October 2023 data breach. But for nearly two decades, the company had an incentive to keep its customers’ data private: 23andMe is a consumer-facing business, and to sell kits, it also needed to win trust. Whoever buys the company’s data may not operate under the same constraints.
Great. Now how do I get them to delete my data and account?
That’s funny, you paid to give them your data. They get to keep it now, that’s what you agreed to.
Not funny, it’s fucked up is what it is. Don’t blame consumers for a companies shady tactics.
Consumers are fully to blame, though. Thats basically like selling your entire web browser history to a company so they can tell you what your personality is. Like, did people actually think these companies weren’t gonna sell this data sooner or later? State of capitalism.
What a bunch of libertarian bullshit. Every layman can’t be expected to be an expert on literally everything so as to make sure they don’t buy or consume a product that will hurt or damage them in some way, or do business with a corporation that will screw them over. This is literally the reason government exists.
You do not have to be an expert to know you shouldn’t willingly give a non-medical company your entire genetic map. This is common sense, but perhaps not for people like you who thinks the gov exists solely to protect citizens. Also very confused how my take is “libertarian bs”? I swear more than half the people using this website are truly insufferable.
People like me? I would never do such a thing. That doesn’t mean I’m going to blame people who did, for the actions of avaricious capitalists.
It’s really easy to not be a scumbag.
And for the people that their doctors reccomended it to them? It’s their fault for trusting their medical provider? No. You should hold these corporations accountable for their shitty behavior. I guess people should stop buying oil & gas because that is killing the very planet they walk on. Oh wait! They can’t without an alternative that the government could easily provide! The company didn’t need to do shitty things in the first place. Fuck capitalism and fuck companies.
If you trusted the literal definition of you to an American company, after two centuries of American companies proving no capitalist entity can be trusted, you fully deserve everything that happens as a result. And I do mean everything. If a random state actor clones you after purchasing a license for your DNA, and replaced you with that replicant, you deserve it. You agreed to those terms.
I mean, if I could be cloned, that’d be great? I’d love to have clones. Immortality, baby!
You my friend are an idiot. I already said this above but what about the people who trusted their medical provider who reccomended this service to them to find a proper diagnosis? They should just get fucked for trusting a professional in the field. We fucking rely on companies to a fault. It’s ass. we could you know blame the company for the shitty actions of collecting this data rather than the average ignorant consumers. That’s like blaming the person who told you your significant other is cheating on you for ruining your marriage, or even blaming yourself. It’s asinine.
I’m sorry they were dumb enough to trust that this time, a company would totally not do the worst thing possible, after decades on decades of every single company doing the worst thing possible, including the company employing their doctor.
That’s a truly awful take. Especially for people who have since learned to be more mindful about their data. We need solidarity to fight corporations, not punitive treatment.