23andMe (andMyGeneticData)
After a massive data breach impacting almost 7 million users in October 2023, the DNA testing company 23andMe has been struggling to recover. Last month, they filed for bankruptcy. This means the company (and all its data) is up for sale.
Even before the breach, 23andMe struggled to become profitable. Now that their reputation has taken a hit, the company’s most/only valuable component is the genetic information they’ve collected from millions of users.
A new owner would inherit the current privacy policy and terms. But they would be free to change these terms going forward. These changes are typically buried in a boring-sounding “we’ve updated our privacy policy” email - the kind many of us have been conditioned to immediately delete without reading.
Genetic information would be attractive to a range of entities. Here are a few hypothetical uses:
- Retail giants like Amazon could use this for “personalized” upcharges. Users predisposed to certain health conditions or diseases may see an increase in prices¹ on products related to management or treatment.
- Data brokers could consolidate genetic information with other personal data they’ve already collected, allowing anyone willing to pay (including government agencies, journalists, militant advocacy groups, etc.) to purchase lists like “home addresses of people with ancestry in [country]”.
- So-called “grandparent scams”, in which an attacker contacts a grandparent pretending to be a grandchild in distress and urgently in need of money, are already widespread. The ability to purchase a database of genetic information/familial connections would supercharge this type of scam.
Is any of this legal? For the most part, yes. (Apart from the scams, but scammers aren’t famous for strict adherence to the law.) In the United States, the Genetic Information Nondiscrimination Act of 2008 prevents health insurers from using genetic information to deny coverage or set premiums, and prevents employers from using it in employment decisions. But uses outside of these contexts are fair game. And as consumer protection agencies in the U.S. get de-fanged and dismantled, there’s no guarantee the law will be enforced.
So what do we do?
If you’ve used the service and want to limit how your information is shared, NPR has an easy-to-follow guide to deleting your 23andMe data. If you want to delete your data, do so sooner rather than later: once the company is acquired, the new owner may decide to remove this option.
If you have blood relatives who have used 23andMe (even if you haven’t), you may want to consult with them as well. Because of the nature of DNA, your relatives’ data could still come back to haunt you.
¹ We implicitly assume everyone is shown the same price because that’s the practice in brick-and-mortar stores; most people wouldn’t know they’re being charged differently unless they manually compared the same product listings with other users.