Jillian Bloom – On March 23, 23andMe announced that it had initiated Chapter 11 bankruptcy proceedings and proposed a court-supervised auction scheduled for May 14. As these proceedings unfold and test the efficacy of today’s fragmented data privacy protections, customers are reminded of the troubling truth: the fate of their genetic data ultimately lies in the hands of 23andMe’s future buyer.
In 2006, 23andMe revolutionized genetic testing. As the first company to offer direct-to-consumer DNA tests, millions of customers eagerly shared saliva samples, hoping to get a glimpse into their ancestry or to uncover health risks buried deep within their genetic makeup. However, in light of its bankruptcy filing, all of 23andMe’s assets—including the highly sensitive, unique genetic data of over 15 million customers—are now up for grabs.
23andMe was a pioneer in the personal genomics industry, paving the way for many companies that have since followed suit. Late 2023, however, marked the beginning of the end for 23andMe when a data breach caused irreparable harm to its business and enormous anxiety for its customers. This breach resulted in the unauthorized access of over 7 million customers’ genetic data. Since then, 23andMe has been unable to rehabilitate its stock price or reputation. Thus, 23andMe’s bankruptcy declaration is not necessarily surprising. Nonetheless, the sale justifiably invokes questions and concerns, as it must navigate the fragmented system of data protections currently in place.
Although 23andMe has pledged to uphold its privacy commitments and promised that any buyer will be subject to strict data compliance requirements, the ultimate data use decisions will rest with the buyer once the sale is complete and court oversight ends. While one would hope that any new owner will proceed in a manner that ensures privacy protections, this remains to be seen.
23andMe’s sale announcement prompted a frenzied response, leading to several state attorney generals advising 23andMe customers to delete their genetic information and revoke all data consents. These warnings may be partly rooted in the erosion of trust following the breach. However, the state of concern underscores a deeper issue: the lack of robust, or even sufficient, protections governing genetic data and its transfer.
At the federal level, data privacy laws fail to adequately cover data derived from direct-to-consumer genetic testing companies like 23andMe. The Health Insurance Portability and Accountability Act (HIPAA) provides privacy protections for medical information, but only applies to certain entities, such as healthcare providers and health plans. 23andMe’s genetic testing provides services directly to customers, rather than through healthcare providers. Resultingly, 23andMe falls outside HIPAA’s scope. The Genetic Information Nondiscrimination Act (GINA) prohibits health insurers and employers from discriminating based on genetic data, but it does not address how genetic data should be stored, secured, or transferred. Therefore, like with HIPAA, GINA’s narrowly tailored scope excludes 23andMe from its protections.
Absent a comprehensive federal framework, data privacy protections are governed by state laws. The result is a patchwork of protections with no universal oversight. This is troublesome considering the varying degrees of data protection from state to state. Many states, like California, Illinois, and Virginia, have consent requirements for the transmission of genetic information, providing their residents with certain rights over their personal data. However, many other states have no such requirements, leaving personal data vulnerable to uninformed and unauthorized uses and transmissions.
Although bankruptcy proceedings customarily involve the sale of customer data, the unique value and individuality of genetic data make the stakes of 23andMe’s sale especially high, warranting special consideration and treatment. As these proceedings unfold, policymakers, regulators, and consumers alike will be watching closely, assessing whether today’s legal framework is equipped to safeguard the most intimate data a person can possess: their DNA.
