Alan North
Genetic testing company 23andMe, once a Silicon Valley darling valued at $6 billion, filed for Chapter 11 bankruptcy protection late Sunday as it prepares for a sale of the business. CEO Anne Wojcicki, who cofounded the company in 2006, has also stepped down after months of failed attempts to take the firm private.
As uncertainty about the company’s future reaches its peak, all eyes are on the trove of deeply personal—and potentially valuable—genetic data that 23andMe holds. Privacy advocates have long warned that the risk of entrusting genetic data to any institution is twofold—the organization could fail to protect it, but it could also hand over customer data to a new entity that they may not trust and didn’t choose.
California attorney general Rob Bonta reminded consumers in an alert on Friday that Californians have a legal right to ask that an organization delete their data. 23andMe customers in other states and countries largely do not have the same protections, though there is also a right to deletion for health data in Washington state’s My Health My Data Act and the European Union’s General Data Protection Regulation. Regardless of residency, all 23andMe customers should consider downloading anything they want to keep from the service and should then attempt to delete their information.
“This situation really brings home the point that there is still no national health privacy law in the US protecting your rights unless you live in California or Washington,” says Andrea Downing, an independent security researcher and cofounder of the patient-led digital rights nonprofit The Light Collective. “Meanwhile, we continue to evolve our understanding of how genetic information has value, but also has unique vulnerability.”
John Verdi, senior vice president of policy at the Future of Privacy Forum, says 23andMe’s new owner could revise the company’s privacy policies for new customers and new data collection, but the data it has already collected from current customers is subject to existing terms. “The company has legal obligations regarding information collected under the current policies,” he says.
Still, researchers emphasize that in practice, such a large transition will create real data exposure that is outside of 23andMe customers’ control. “In my opinion, these privacy policies—especially in the context of acquisitions in the venture capital and private equity space—aren’t worth the paper they’re printed on,” says longtime security researcher and data privacy advocate Kenn White. “For regular people out there who use these services, you’re pretty much on your own. My advice is to request your data get deleted as soon as possible”
To delete your genetic data through 23andMe’s website, log in and then go to Settings in your profile. Scroll to 23andMe Data and then click View. At this point, you can choose to download a copy of your genetic information. Then scroll to Delete Data and click Permanently Delete Data. Once you initiate the process, you’ll receive an email from 23andMe to confirm. Click the link in the email to complete the deletion process. Additionally, you can direct 23andMe to destroy the biological sample it used to extract your DNA data if you previously authorized the company to keep it. Go to Settings and then Preferences.
