Amid mounting challenges, 23andMe, a prominent US genetic testing firm, has sought bankruptcy protection to pave the way for a potential sale, a move that champions individual privacy in an era of escalating data concerns.
Late Sunday, the company announced it had voluntarily entered Chapter 11 proceedings in the US Bankruptcy Court for the Eastern District of Missouri, aiming to โfacilitate a sale process to maximize the value of its business.โ This strategic shift coincides with the resignation of its co-founder and CEO, Anne Wojcicki, who stepped down to spearhead an independent bid to acquire the company after facing repeated rejections from its board.
Wojcicki, who launched 23andMe in 2006 alongside Linda Avey and Paul Cusenza, has encountered significant hurdles in her vision to transform the company into a drug development powerhouse. Her ambition faltered as revenues plummeted, driven by a wave of customers โ out of a total of 15 million โ rushing to erase their DNA records from the companyโs systems post-breach.
23andMeโs vast repository of user data, amassed through years of saliva-based ancestry testing, lies at the mercy of its own self-imposed guidelines rather than robust federal oversight.
The companyโs 2023 data breach, which exposed sensitive details like genetic predispositions and ancestry reports for nearly 7 million users, underscored the sheer volume of personal information it holds. For the millions who entrusted their DNA to 23andMe, the assumption might have been that such intimate data enjoys the ironclad protections of the Health Insurance Portability and Accountability Act (HIPAA), a law designed to shield sensitive health information from unauthorized disclosure. Yet, 23andMe operates outside HIPAAโs reach, leaving it tethered only to its own privacy policies โ rules it can rewrite at will.
This regulatory gap casts a long shadow over the companyโs future, especially as it teeters on the brink of a sale following its bankruptcy filing. A patchwork of inconsistent state privacy laws, coupled with the absence of a cohesive federal framework, means that the genetic profiles of 15 million Americans could be up for grabs.
According to 23andMeโs privacy policy, customersโ personal information โmay be accessed, sold or transferredโ in scenarios like bankruptcy, mergers, or acquisitions. While the company insists its data practices will remain unchanged post-sale โ pledging never to share user information with insurance providers or law enforcement without a warrant โ privacy advocates should remain skeptical. Notably, 23andMeโs transparency report highlights its defiance against US law enforcement requests for DNA data, a stance that has held firm thus far.
Still, the prospect of new ownership raises alarm bells. Potential buyers might eye 23andMeโs treasure trove of genetic material as a lucrative asset to exploit in ways the current management has resisted.
In theory, 23andMe needs user approval to transfer data during an acquisition, but users could withhold it. Over a dozen states, including Montana, have enacted genetic privacy laws requiring explicit consent โ Montanaโs 2023 law, for instance, mandates standalone consent naming the buyer. Comparable rules apply in states like Alabama, Arizona, California, and others, with Wyoming uniquely offering a private right of action for consumers to enforce their rights in court.
With the companyโs fate hanging in the balance, advocates are urging users to act swiftly to shield their data from an uncertain future.
California Attorney General Rob Bonta has championed this cause, asserting in a statement after the bankruptcy announcement that state residents can legally demand the erasure of their genetic records.
Deleting a 23andMe account is straightforward: users can log in, head to Settings, select Account Information, and choose Delete Your Account, confirming the irreversible step after a prompt.
However, the process comes with a catch. The companyโs privacy policy notes that deletion is โsubject to retention requirements and certain exceptions,โ meaning some data โ like genetic profiles, birth dates, gender, and even email addresses tied to deletion requests โ may linger for unspecified periods to meet compliance obligations.
Likewise, for those who previously consented to research use of their data, retracting that permission is possible, but erasing the information entirely is not.
