- A Genetic Goldmine at Risk
23andMe’s repository of 15 million DNA profiles, amassed over nearly two decades, is now a potential prize in its bankruptcy sale—a treasure trove that could be exploited by buyers ranging from pharmaceutical giants to data brokers, with little federal oversight to constrain them. - The Illusion of Protection
Unlike medical records shielded by HIPAA, 23andMe’s data operates under its own malleable privacy policies, leaving users vulnerable to shifts in ownership and purpose. State laws offer a patchwork of defenses, but gaps remain wide and treacherous. - Power in Your Hands—For Now
California’s Attorney General Rob Bonta has sounded the alarm, urging residents to leverage the Genetic Information Privacy Act (GIPA) and California Consumer Privacy Act (CCPA) to demand deletion of their genetic data before it’s too late. Yet, even this lifeline comes with hidden catches.
Founded in 2006 by Anne Wojcicki, Linda Avey, and Paul Cusenza, 23andMe burst onto the scene with a tantalizing pitch: spit in a tube, uncover your roots, and glimpse your genetic destiny. By 2021, buoyed by a merger with a Richard Branson-backed SPAC, the company’s valuation soared to $6 billion, fueled by a boom in ancestry testing kits. Wojcicki, however, harbored loftier ambitions. She envisioned transforming 23andMe into a biotech juggernaut, leveraging its vast genetic database to pioneer drug development and personalize healthcare. “We’re not just a testing service,” she once declared. “We’re building a future where genetic insights drive medical breakthroughs.”
That future never materialized. Demand for one-and-done DNA kits waned, and a 2023 data breach exposed the personal information of nearly 7 million users—half its customer base—over five months.
At the heart of this unraveling lies a data trove unlike any other: 15 million genetic profiles, each a unique map of identity and vulnerability. For customers, the allure of discovering distant cousins or inherited traits came with an unspoken trade-off—surrendering control over their most indelible data.
The assumption that DNA data enjoys robust protection is a comforting myth. The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, safeguards health information held by providers and insurers—but not direct-to-consumer companies like 23andMe.
This exclusion leaves genetic data in a regulatory no-man’s-land, governed solely by corporate policies. 23andMe’s privacy statement, for instance, warns that personal information “may be accessed, sold or transferred” during bankruptcy or acquisitions—a clause now looming large.
Federal law offers little recourse. While the company insists any buyer must comply with “applicable law,” experts argue that such laws are toothless when it comes to consumer genetics.
State laws provide some bulwarks. California’s GIPA and CCPA empower residents to demand data deletion, while Montana’s 2023 genetic privacy law requires explicit consent for transfers, naming the buyer. Over a dozen states, including Alabama, Arizona, and Wyoming, have similar measures, with Wyoming offering a rare private right of action for enforcement. Yet, this patchwork approach leaves millions outside these jurisdictions exposed, and even in protected states, compliance hinges on 23andMe’s willingness—or ability—to honor requests amid bankruptcy chaos.
The ethical implications of 23andMe’s predicament are staggering. If sold, its genetic database could fuel pharmaceutical research, targeted advertising, or even darker ends—think foreign entities or data brokers hungry for biometric gold. Privacy advocates warn that unlike passwords or credit card numbers, DNA is immutable. You can’t change your genetic code. Once it’s out there, it’s out there forever.
California Attorney General Rob Bonta isn’t waiting for the gavel to fall. In a March 21 consumer alert, he urged 23andMe users to act swiftly, citing GIPA and CCPA rights to delete genetic data and destroy saliva samples. “Given 23andMe’s reported financial distress,” Bonta said, “I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples.”
The process is simple: log in, navigate to Settings, and select “Permanently Delete Data,” confirming via email. Users can also revoke research consents under “Research and Product Consents” and adjust sample storage preferences.
But there’s a hitch. 23andMe’s policy admits that “certain exceptions” and “retention requirements” may preserve some data—genetic profiles, birth dates, even email addresses—for legal compliance. For those who shared data with researchers, full erasure is elusive. This opacity has sparked outrage among privacy advocates, who argue it undermines user autonomy.
23andMe’s collapse isn’t just a corporate failure—it’s a referendum on the unregulated frontier of consumer genetics.
For a deeper dive into this unfolding saga, join me on Patreon.
