23andMe: What Recent Challenges Mean for Users' Data Privacy
U.S. Laws & Regulations

23andMe’s Struggles: What Recent Challenges Mean for Users’ Data Privacy

Known for its innovative approach to personalized genetic information, 23andMe, once a prominent player in the field of direct-to-consumer genetic testing, is currently facing significant legal and financial hurdles. After gaining popularity for its accessible DNA testing kits and promises of personalized genetic insights, the company has encountered both privacy concerns and operational difficulties. A recent data breach and financial pressures have raised questions about the complexities of managing sensitive genetic data responsibly.  

In a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe. Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads. Whether the incident stemmed from cybersecurity gaps at the company or from users reusing passwords that had already been exposed elsewhere, it brings to light the concern about privacy in relation to biometric data.

23andMe’s $30 Million Data Breach Settlement  

One of the most significant issues confronting 23andMe is a high-profile data breach, which exposed millions of users’ sensitive genetic information. The breach was followed by a lawsuit, which the company recently settled for $30 million. The settlement, while providing some closure, underscores serious privacy and security concerns for 23andMe’s customers. 

  • The Breach Incident: In late 2023, 23andMe disclosed a security breach that exposed data belonging to millions of users. The breach raised red flags about how the company manages and secures personal genetic information. Sensitive information, such as ancestry details, was leaked, leaving users vulnerable to potential misuse or identity exploitation. 
  • Settlement Terms and Impact: As part of the settlement, 23andMe has agreed to improve its security practices to better protect user data, while paying out $30 million to affected customers. The settlement amount may seem substantial, but many privacy advocates argue that it does not adequately address the depth of the breach or the potential long-term consequences of compromised genetic data. 
  • Lingering Concerns: While the lawsuit’s settlement may bring some relief, the breach has left lingering concerns about the company’s commitment to privacy. Genetic information is uniquely sensitive; unlike a password, it cannot simply be changed once exposed. The risks of misuse are particularly high, and users might feel uneasy about the safety of their data in 23andMe’s hands. 

Financial Instability and the Threat of Bankruptcy

Alongside its legal troubles, 23andMe is grappling with financial instability, and there is speculation about a potential bankruptcy. A report by Science Alert in September 2024 suggested that 23andMe may soon face bankruptcy as it struggles to stay financially viable. The implications of this are considerable, especially for customers who have entrusted their genetic information to the company.

Reasons Behind Financial Hardship: 
  • Costly Settlements and Legal Fees: The $30 million settlement is just one of the company’s financial burdens, as legal fees and other obligations have stretched resources. 
  • Decreasing Consumer Trust: Following the data breach, consumer confidence in 23andMe has taken a hit. Users are increasingly cautious about sharing genetic information, leading to reduced demand for the company’s services. 
  • Competitive Market Pressures: The market for direct-to-consumer genetic testing has become saturated, and competitors are continually emerging with new features, making it difficult for 23andMe to maintain its competitive edge.    

Bankruptcy’s Potential Implications for Users:
  • Data Management in Bankruptcy: In the event of bankruptcy, 23andMe’s assets, including its vast genetic database, could be sold or transferred. This raises critical questions about data privacy, as new ownership may not honor the same privacy commitments. 
  • User Data at Risk: Genetic information has become a valuable commodity, and some analysts fear that 23andMe’s database could be auctioned off to the highest bidder in bankruptcy proceedings. This scenario could expose users’ data to third-party companies with unknown motives or limited interest in preserving data privacy. 

What This Means for User Data Privacy

The ongoing troubles at 23andMe highlight the inherent vulnerabilities in handling sensitive data like DNA information. As the company navigates financial uncertainty and public scrutiny, users are left wondering about the future of their data. Below, we explore potential concerns and what they mean for user privacy, especially if the company is sold. 

  • Data Security Enhancements: Following the data breach settlement, 23andMe is expected to implement improved security measures to protect user data. However, with financial difficulties looming, maintaining and funding these enhancements could be challenging, potentially affecting the effectiveness of any new security measures.
  • Ownership Transfer and User Consent: When users submit DNA samples to companies like 23andMe, they typically agree to terms of service based on the company’s privacy policies at that time. However, in a sale or bankruptcy scenario, the new ownership might not be bound by the original policies or commitments, introducing uncertainty about who truly controls the data.
    • Shifting Privacy Commitments: New ownership might seek to revise or reinterpret the terms under which the data was initially collected, potentially allowing data to be used in ways that the original company had not considered or promised. 
    • Consent Gaps: Users may have limited control or visibility into the new terms and may not even be notified if their data is transferred, leaving them without an opportunity to consent or opt out.
  • Potential for Data Commercialization: 
    • Sale of Genetic Data as an Asset: In the event of bankruptcy or acquisition, genetic data could be treated as a valuable asset in the sale. The company’s extensive database of genetic information has significant commercial value, as it contains highly detailed insights into users’ health, ancestry, and potential genetic predispositions. A buyer interested in research, marketing, or insurance might find this data extremely useful, but such uses could run counter to users’ expectations of privacy. 
    • Use in Unintended Research or Marketing: Buyers from sectors like pharmaceuticals, health insurers, or marketers could use genetic data for targeted research or customer segmentation without users’ knowledge. This means that genetic information could end up informing targeted drug ads or even insurance premium calculations based on genetic predispositions, raising ethical concerns around user autonomy and fairness.
  • New Owner’s Business Model: If 23andMe’s assets are sold to a company with a different business model, such as a research institution, biotech firm, or insurance provider, the handling and application of data could shift substantially. Unlike 23andMe, which primarily focused on consumer insights, a new company might leverage genetic data for purposes that were not originally disclosed to users. For instance: 
    • Integration with Medical Records: A medical or biotech company might combine genetic data with other health data to create profiles for research or health predictions. While this could lead to medical advancements, it also poses risks of privacy breaches and potential discrimination. 
    • Targeted Health Interventions and Insurance Risks: Genetic data has implications for life, health, and disability insurance. If this information is accessible to insurers, they could make coverage decisions based on genetic risks, impacting users’ access to affordable insurance options. Such uses of genetic data without explicit consent are legally and ethically questionable, potentially violating users’ rights to data privacy and control.
  • Potential Data Exposure to Foreign Entities: If acquired by a foreign company, especially one operating in countries with less stringent data protection laws, 23andMe’s data could be subject to different legal standards. This means users’ genetic information might be handled in ways inconsistent with U.S. privacy expectations and laws, complicating regulatory oversight and legal recourse for affected users.
  • Increased Vulnerability to Data Breaches: A sale could introduce additional security risks, especially during the data transition process. Data migrations are complex and can expose sensitive information if not managed carefully. Furthermore, if a new owner does not prioritize cybersecurity to the same extent, the data might be at greater risk of unauthorized access or additional breaches.
  • Difficulty for Users to Erase Data: Although users can request data deletion with some companies, an acquisition may complicate this process. New ownership might impose different rules or limitations on data deletion requests, making it difficult for users to completely remove their information from the database. This can be especially concerning for users who no longer wish to participate due to privacy concerns but find themselves unable to ensure their data is fully removed.
  • Challenges in Monitoring and Enforcing Privacy Rights: With ownership transferred to a new entity, users might face barriers in monitoring how their data is used or enforcing their privacy rights. Users may find it challenging to keep track of who currently has access to their data and whether the new entity is adhering to agreed-upon terms. Regulatory frameworks around data privacy in genetic testing are evolving but may not fully address these scenarios, leaving users in a vulnerable position.

Protecting Personal Data in the Age of Genetic Testing

The situation at 23andMe serves as a cautionary tale for both consumers and companies in the genetic testing industry. Users should remain vigilant about their data privacy and take steps to safeguard their personal information. 

  • Informed Consent: Before using genetic testing services, users should read and understand the company’s privacy policy, particularly regarding how data might be handled if the company changes ownership. 
  • Privacy-Focused Alternatives: Some newer companies emphasize data privacy and offer encrypted services or allow users to control data sharing preferences. Consumers concerned about privacy may want to consider these options. 
  • Monitoring Legal and Policy Changes: As privacy regulations evolve, new laws may help protect genetic data. Being aware of these changes can help users make informed decisions about their data. 

23andMe’s current troubles underscore the complexities and risks involved in the handling of sensitive genetic data. For consumers, the potential bankruptcy and data breach raise concerns about data privacy, ownership, and the future use of their genetic information. As more people turn to genetic testing for insights into health and ancestry, companies and regulators alike must prioritize robust security measures and transparent policies. For now, consumers should exercise caution and consider their options carefully, recognizing that DNA data is both uniquely valuable and uniquely vulnerable. The future of 23andMe remains uncertain, but the lessons from its challenges are clear: data privacy and ethical practices are paramount in the rapidly evolving world of genetic technology. 


Author

Dan Clarke
President, Truyo
November 7, 2024
