23andMe faces an uncertain future: its genetic data too


DNA and genetic testing company 23andMe is in crisis following a data breach last year and its continued financial decline. The once-pioneering giant now faces an uncertain future amid efforts to take the company private, intensifying concerns about what could happen to the genetic data of 23andMe's roughly 15 million customers.

Best known for its saliva-based testing kits that offer a glimpse into a person's genetic ancestry, 23andMe has seen its value fall more than 99% from its peak of $6 billion since going public in early 2021. after not making a profit.

That lack of profit was attributed to declining consumer interest in 23andMe's single-use test kits and lackluster growth in its subscription services. The company was also blindsided by a massive, months-long data breach in which hackers stole the ancestry data of nearly 7 million users throughout 2023. It agreed in September to pay $30 million to resolve a breach. claim related to non-compliance.

Less than a week later, 23andMe founder and CEO Anne Wojcicki said she was “considering third-party acquisition proposals” for the company. Wojcicki quickly retracted the statement and instead said she planned to privatize the company. But the damage had already been done and all independent members of the company's board of directors resigned with immediate effect.

Where does that leave the genetic data of millions of people?

23andMe is largely subject to its own rules

As evidenced by last year's data breach, in which hackers stole information like users' genetic predisposition and ancestry reports, 23andMe collects a ton of information about its users.

If you are one of the many millions who have submitted your saliva to 23andMe to learn about your ancestry, you may have assumed that this data would remain private under the law, such as the Health Insurance Portability and Accountability Act. HIPAA, as it is known, sets standards for protecting confidential health information from disclosure without a person's knowledge or consent.

However, 23andMe is not a HIPAA-covered company. As such, 23andMe is largely subject only to its own privacy policies, which it may change at any time.

Andy Kill, a spokesperson for 23andMe, told TechCrunch that the company believes this is a “more appropriate and transparent model for the data we handle, rather than the HIPAA model employed by the traditional healthcare industry.”

The lack of federal regulation and a mess of state privacy laws ultimately mean that if 23andMe faces a sale, the data of millions of Americans will also be on the table. The company's privacy policy says that its customers' private information “may be accessed, sold or transferred” as part of a bankruptcy, merger, acquisition, reorganization or sale.

The fact that customer data is a salable asset has also been made clear by Wojcicki, who reportedly told investors that 23andMe will no longer continue its expensive drug development programs and will instead focus on commercializing its extensive database of customer data between pharmaceutical companies and researchers.

23andMe maintains that its data privacy policies would not change in the event of a sale. These policies state that the company will never share user information with insurance companies or law enforcement without a court order. The latter have increasingly turned to third-party DNA companies for genetic information, but 23andMe has so far resisted all requests for such data from US authorities, according to its long-running transparency report.

Potential buyers of 23andMe may have completely different ideas about how to use the company's potentially valuable trove of DNA data. Privacy advocates from the digital rights group Digital Frontier Basis have already urged 23andMe to resist a sale to any company with ties to law enforcement, warning that police could use customers' genetic data to indiscriminately search for evidence. of crimes.

“Our own commitment to applying the terms of our privacy policy to our customers' private information in the event of a sale or transfer is clear: 23andMe's Terms of Service and Privacy Statement would remain in effect unless and until to customers, and accept new terms and disclosures, and only after receiving appropriate notice of the new terms, in accordance with applicable data protection laws,” Kill told TechCrunch.

Proactively delete your account

While 23andMe appears to resist a sale to an outside company for now, Wojcicki's retracted comments have already raised alarm bells among privacy advocates, who are urging 23andMe customers to take steps now to protect their data from the sale requesting that 23andMe remove them. your data.

Meredith Whittaker, president of end-to-end encrypted messaging app Sign, said in a post on X: “It's not just you. If someone in your family gave their DNA to [23andMe]For everyone's sake, close your account now.”

Eva Galperin, head of cybersecurity at the EFF, also warned users to take action. “If you have a 23andMe account, today is a good day to log in and request deletion of your data,” Galperin said in a post on X.

Requesting deletion of your data on 23andMe is relatively easy.

Sign in to your 23andMe account and navigate to Settings > Account information > Delete your account. 23andMe will ask you to confirm your decision and warn you that deleting your account is permanent and irreversible.

There is an important caveat. As stated in 23andMe's privacy policy, deleting an account is “subject to retention requirements and certain exceptions,” meaning the company may retain some of your data for an unspecified period of time.

For example, 23andMe will retain your genetic information, date of birth, and gender “as necessary for compliance” and will retain limited data related to your deletion request, “including, but not limited to, your email address, deletion request identifier accounts, communications related to queries or complaints and legal agreements.”

Comparably, if you have already agreed to let 23andMe share your data for research purposes, you can reverse that consent, but there is no way to delete that information. Kill tells TechCrunch that about 80% of 23andMe's customers (approximately 12 million people) agree to participate in its research program.



2st">Source link

Leave a Comment