Your DNA is now a corporate asset
If you are one of the 15 million people who sent their DNA samples to 23andMe, your entire genetic code might end up in the hands of a third-party data broker or some other buyer.
Your data is 23andMe’s greatest corporate asset, and now that the genetic testing company has filed for bankruptcy, it could be sold. The fundamentals of your personhood—your family tree, your heritage, and all the details of your DNA—are now on the open market and could be owned by someone else.
In this week's newsletter, we explore the data privacy implications of 23andMe's bankruptcy filing, what it means for consumers, specific steps you can take today, and the implications for the future of data privacy.
// The fall of 23andMe
Last month, 23andMe filed for bankruptcy. The company had been struggling for some time. Due to many factors, including its failure to turn a profit and a 2023 data breach that affected seven million users and led to a $30 million settlement, the company’s value has declined more than 99% from its $6 billion peak valuation after going public in 2021.
The company stated it “intends to continue operating its business in the ordinary course throughout the sale process.” Today, its website still sells its saliva test kits, but this might be the worst time to give the company your data.
An article in the New York Times ran with the alarmist headline: 23andMe Just Filed for Bankruptcy. You Should Delete Your Data Now.
// Your DNA is a corporate asset
In its Chapter 11 bankruptcy filing documents, 23andMe indicated it intends to sell all of its assets, including what is considered its core asset—the genetic data it accumulated from more than 15 million customers.
The company’s privacy policy reads: “If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.”
Ginny Fahs, director of product R&D for Consumer Reports’ Innovation Lab, wrote in a blog post last year, “The DNA data could be used to discern your relatives and ancestry, unearth family secrets, and reveal clues about diseases you have or could be predisposed to. If the data makes its way to certain insurers, they may deny you coverage or charge you more for life, disability, or long-term care insurance because of your genetics.” For now, we’re unsure who this buyer might be and how they might use the data.
Genetic testing companies are not governed by existing health data laws, such as the Health Insurance Portability and Accountability Act (HIPAA).
- Signed into law in 1996, HIPAA protects sensitive health information from being disclosed without a person’s knowledge or consent—you’ve probably signed a HIPAA release form at your doctor’s office.
- 23andMe is not covered under HIPAA. Instead, how it protects, shares, or sells your genetic data is dictated by the company’s privacy policy, which could change at any time (including when that data is sold to a different company with a different approach to privacy).
- In an open letter last month, 23andMe emphasized that, “Your data remains protected. The Chapter 11 filing does not change how we store, manage, or protect customer data. Our users’ privacy and data are important considerations in any transaction, and we remain committed to our users’ privacy and to being transparent with our customers about how their data is managed. Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.”
The risk extends beyond 23andMe customers. Because DNA is passed down through families, information on relatives of 23andMe customers might be exposed, even if those relatives never personally provided DNA data to the company.
The possible sale of data has garnered the attention of California Attorney General Rob Bonta, who issued a rare “consumer alert”: “I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company,” he said.
// How to delete your data
If you have provided your genetic data to 23andMe, or you are a relative of someone who has, you can take steps to protect yourself and your family by removing your data in just a few minutes. Here are the steps:
- Log into your 23andMe account.
- Go to your Profile, then tap Settings.
- Scroll to the “23andMe Data” section at the bottom of the page and click View.
- If you want to download your data, select what you want.
- Scroll to the “Delete Data” section and click Permanently Delete Data.
- Confirm your request: You’ll receive an email from 23andMe. Click the link in the email to confirm.
The company still might retain “limited” data about you. Per its privacy policy, “your account deletion is subject to retention requirements and certain exceptions.”
// What comes next
The fact that our most personal data is a liquidatable corporate asset, unregulated by the nation’s existing HIPAA laws, is, according to Frank McCourt, Founder of Project Liberty, “a five-alarm fire for anyone who wants to control their destiny in this digital world.”
Americans agree. Research conducted by Project Liberty Institute last year found that two-thirds of Americans say they have little or no control over the personal data collected by social media platforms or online companies.
In a post about 23andMe on the Project Liberty website, McCourt wrote, “It's tragic and immoral that such precious extensions of ourselves are traded without recourse and for practically nothing, massively exploited in centralized platforms, and treated as collateral damage by those companies after they go belly up.”
The example of 23andMe is emblematic of the state of data privacy today. Our data isn’t controlled or owned by us. But what does a way forward look like? What gives us hope? We see three opportunities:
- Migrate. You can migrate to platforms with better data protection and control. Consumers want greater control over their data, and platforms are taking notice—from data-privacy-focused social media platforms like Bluesky to new genetics/health data platforms like Soar AI, founded by Ancestry.com Co-founder Paul Allen. Soar AI offers a secure family health and genetic platform that allows people to control and safeguard the privacy of their health and genetic data. It will integrate the Frequency blockchain and Decentralized Social Networking Protocol (DSNP), ensuring members' data is protected.
- Mobilize. You can push for data protection policies at the federal and state levels. There is no federal data privacy policy in the U.S. (and last year, the American Privacy Rights Act (APRA) stalled in Congress), but some states like Utah are taking steps to ensure that users can decide what they do with their data. As we wrote about last week, Utah passed the Digital Choice Act, the first law in the nation that gives users the ability to own, control, and manage their social media data.
- Minimize. You can shift your relationship to data altogether by avoiding its collection in the first place. Meredith Whittaker, President of the messaging app Signal, has argued that the real issue isn’t who owns our data but that it exists at all. True privacy isn’t about managing or reclaiming data—it’s about ensuring it was never collected in the first place. “We need to rethink what data is and de-naturalize this idea of data as an organic off-gas of ourselves that has been captured in a jar by these companies. A lot of data is methodologically shoddy answers to questions that help sell ads and not actually an organic production of who we are,” she said at the World Economic Forum in Davos earlier this year.
As McCourt said, “The 23andMe case is a sign of more to come if nothing changes. We cannot let this become the norm. Instead, we must take action, join together, and choose platforms that put us back in charge.”