Genetic testing company 23andMe has filed for Chapter 11 bankruptcy protection, raising serious concerns about the future of user data stored within its vast genetic database. Since its founding in 2006, 23andMe has become a Silicon Valley stalwart, amassing a trove of genetic data from millions of users. Initially promising to help people understand their genetic predispositions to diseases and connect with distant relatives, the company’s bankruptcy filing has now put its data up for sale, causing an outcry among privacy experts and advocates.
23andMe’s business model has always revolved around collecting and analyzing users’ DNA. By submitting a saliva sample, individuals could gain access to detailed information about their genetic health, potential hereditary conditions, and even find connections to biological relatives. However, with this convenience comes a profound concern: the privacy and security of the DNA data entrusted to the company. The implications of the sale of this data are now at the forefront of debate, with critics arguing that users are being left with little say in what happens to their most sensitive personal information.
Tazin Khan, CEO of the nonprofit Cyber Collective, highlighted the stark reality: “Folks have absolutely no say in where their data is going to go.” The nonprofit advocates for privacy rights, and Khan raises an essential question about the lack of control users have once their data is sold off to the highest bidder. “How can we be so sure that the downstream impact of whoever purchases this data will not be catastrophic?” she asks.
California Attorney General Rob Bonta issued a warning to consumers last week, urging users to consider deleting their genetic data from the company’s systems. Bonta outlined steps for revoking consent for third-party research and deleting DNA samples from the company’s storage.
Genetic data is incredibly sensitive because it contains information that is, in many cases, irreplaceable. Unlike passwords or other personal identifiers, people cannot change their DNA once it’s exposed or compromised. This makes it particularly attractive—and dangerous—if it falls into the wrong hands. Genetic testing data has been subpoenaed in criminal investigations, with law enforcement using it to build family trees to identify suspects or locate missing persons. This precedent underscores the potential risks to individuals if their genetic data is accessed by unauthorized or malicious actors.
Andrew Crawford, an attorney at the Center for Democracy and Technology, pointed out that there is little federal regulation protecting genetic data when held by tech companies like 23andMe. “There’s no meaningful digital privacy law in the U.S., and HIPAA protections only apply when data is held by health professionals, not by tech companies,” Crawford said. This leaves many people in the dark about how their genetic information may be shared, sold, or even exploited without their informed consent.
The potential sale of 23andMe’s data should serve as a wake-up call for individuals who may have casually submitted their DNA for analysis without fully understanding the consequences. Emily Tucker, the executive director of Georgetown Law’s Center on Privacy & Technology, stressed the importance of acknowledging the risks involved in giving DNA to a corporation. “When you give your DNA to a corporation, you are putting your genetic privacy at the mercy of that company’s internal data policies and practices, which the company can change at any time,” Tucker said.
The bankruptcy of 23andMe opens the door for new conversations about the regulation and protection of genetic data. With no federal law protecting consumers’ genetic privacy when it comes to tech companies, lawmakers and privacy advocates will likely face increased pressure to address this issue head-on.
READ NEXT: Jack The Ripper’s Identity Revealed After DNA Breakthrough: Report
