Shelly Simana
(Photo: Caitlin Cunningham)

23andMe, and who else?

The bankruptcy of the genetic testing firm has implications for consumers' private information, says Boston College Law's Shelly Simana

The bankruptcy of direct-to-consumer genetic testing firm 23andMe, named as Invention of the Year in 2008 by Time magazine, is a cautionary tale, says Boston College Law Assistant Professor Shelly Simana, not only for business-related reasons, but in its implications for consumers' private information.

The publicly traded retail DNA analysis service, valued as high as $5.8 billion, filed for Chapter 11 on March 23, spurring consumer advocates to implore the company's 15 million customers to delete their personal data and prevent access by a prospective or the eventual buyer.

23andMe's saliva-based testing not only can aid in tracing one's ancestry but also uncover genetic predispositions ranging from diabetes to some cancers. "But while this information can assist customers with their health-related decisions," noted Simana, "it also raises significant privacy concerns, particularly as the company confronts a potential sale."

"When customers initially registered for 23andMe, they consented to terms that allowed the company to use their data for research and development and to share de-identified, aggregate information with third parties," explained Simana, who studies the ethical and legal issues in genetics, reproduction, and biotechnology. "Deleting your account doesn't retroactively undo those uses. Once data have been incorporated into research or shared externally, there's no meaningful way to retrieve or erase it. Moreover, 23andMe's policies make clear that in the event of a bankruptcy or asset sale, user data may still be transferred."

23andMe (whose name is derived from the 23 chromosome pairs, one set from each parent) has assured customers that data privacy will be a priority, but skeptics point to other legal measures, such as a court-appointed, independent consumer privacy ombudsman (CPO) as a means to achieve additional accountability.

"Appointing a CPO would be a valuable step," said Simana. "A CPO can provide independent oversight of any data-related transactions, ensuring they align with 23andMe's stated privacy commitments and broader legal obligations. This role becomes especially important given that 23andMe's privacy policy allows for unilateral changes at any time, leaving consumers vulnerable in the absence of additional safeguards."

"That said, it's important to acknowledge the potential tension: Meaningful privacy oversight might require limiting how certain data can be transferred or used, which could conflict with the company's financial goals. Still, from a consumer protection standpoint, the added accountability is well worth it."

Simana noted that in the absence of a CPO, customers aren't powerless: they can still make their privacy concerns heard through public advocacy.

"Joining forces with consumer rights organizations can amplify their voices. Customers can also submit complaints or concerns directly to regulators like the Federal Trade Commission or state attorneys general, who may intervene or provide oversight."


Although 23andMe is free to take the highest bid when its assets are up for sale, it's unclear whether the top buyer would be required to possess or prove that it has the necessary privacy protection capabilities and cybersecurity sophistication to guard the genetic information. This would likely pose a serious conflict in the selling process, pitting privacy laws that require due diligence when sharing personal information with a third party versus a tendering proceeding and selection that do not, said Simana.

"The bidding process can create a conflict between financial recovery and data protection. Bankruptcy law prioritizes maximizing value for creditors, which often means selling assets, including personal data, to the highest bidder. While 23andMe claims that any buyer will be required to honor its existing privacy policies, those policies are subject to change, and a new owner may revise them post-sale. That creates a significant risk: Users' data could end up under a very different, potentially weaker, privacy regime than the one they originally agreed to."

Customers who have privacy concerns should consider deleting their data, said Simana, but "expunging your 23andMe account doesn't necessarily erase everything. Information that has already been de-identified and aggregated may still be retained, and some data may be held for legal or regulatory compliance."

"That's why it's not enough to delete your digital records; you should also ask for any remaining biological samples to be destroyed. Taking that extra step can help limit future use or unintended access to your genetic material."

"High-quality digital hygiene begins with regularly reviewing your data permissions and deleting any information you no longer want stored," said Simana.

"Don't just rely on in-app settings: Ask companies to confirm both the deletion of your digital files and the destruction of any biological samples, if applicable. Stay alert to privacy policy changes, especially after mergers or acquisitions, when terms may quietly shift. Avoid uploading your genetic data to third-party platforms, which often lack the same privacy safeguards as the original testing company, and if you're uncomfortable with research or data-sharing practices, revisit your consent settings and opt out where possible. Good digital hygiene isn't a one-time fix; it requires ongoing attention."
