With genetic testing company 23andMe filing for bankruptcy in order to facilitate a sale, millions of customers may be wondering if their genetic data and personal information are now at risk.
“A new company could potentially use the data in different ways,” University of Iowa law professor and genetic privacy expert Anya Prince told CTVNews.ca. “That’s where the concerns are.”
In a press release and letter to customers on Sunday, 23andMe attempted to downplay potential privacy concerns related to the bankruptcy filing.
“Through the sale process, 23andMe will look to secure a partner who shares in its commitment to customer data privacy,” the company said in an open letter to customers. “Our users’ privacy and data are important considerations in any transaction, and we remain committed to our users’ privacy and to being transparent with our customers about how their data is managed.”
23andMe’s privacy policy, for example, says that genetic data is not shared with employers, insurance companies or law enforcement – unless required by a valid legal process, such as a warrant.
“All sounds great, but the privacy policy also says that it can be changed at any time,” Prince explained.
Founded in 2006, 23andMe claims to have more than 15 million customers worldwide. The business was centred around at-home DNA testing kits that use saliva samples to provide genetic insights about health risks and ancestry. The California-based company went public in 2021, but never made a profit.
23andMe previously agreed to pay US$30 million to settle a lawsuit after hackers accessed the personal data of nearly seven million customers and posted their information for sale on the dark web.
Should you delete your 23andMe account?
Katie Hammond is an associate professor of law at Toronto Metropolitan University who researches medical technology-related issues like genetic testing.
“Even if the company wants the data to be protected, once the data moves into the hands of another company, the original owners of 23andMe won’t really have a huge say in what happens to the data any longer,” Hammond told CTVNews.ca. “A company that takes over may not have good data security, in which case there could be a possibility of a breach, or it could also potentially do different things with the data, such as share it, which will put consumers at risk.”
Echoing those concerns, California’s attorney general has even issued a consumer alert that includes step-by-step instructions on how to delete your 23andMe data and account.
“Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company,” California Attorney General Rob Bonta said in a news release.
Customers also have the option of opting out of allowing the company to share their data for research. Although data that has previously been shared or sold for medical research is not supposed to contain personal information, such data cannot be retroactively deleted.
“Deleting your account might not completely get rid of all of your genetic information that’s out there in the world,” Prince said. “It just might not have your name attached to it anymore.”
Yann Joly is a lawyer, professor and the director of McGill University’s Centre of Genomics and Policy. Joly, who researches genetic testing, says while the risk is small, he would still recommend closing 23andMe accounts and deleting personal data.
“The most likely buyer would be a pharmaceutical or biotech company looking to use the data for research,” Joly told CTVNews.ca. “However, it seems unlikely that the next owner will provide (customers) any services or benefits, so why take any chances, and leave personal data in the hands of an unknown party?”
With files from CNN