
If you were ever told or ever thought that giving your genetic data to a company like 23andMe is a bad idea, the company's recent bankruptcy filing is one of the main reasons why. Now, the more than 15 million people who have willfully given their DNA to 23andMe are at the mercy of whoever buys the data.
“Folks have absolutely no say in where their data is going to go,” Tazin Khan, CEO of the nonprofit Cyber Collective, which advocates for privacy rights and cybersecurity for marginalized people, told NBC News. “How can we be so sure that the downstream impact of whoever purchases this data will not be catastrophic?”
Short answer? You can’t. And it didn’t start with 23andMe filing for bankruptcy last week. It was a concern well before that.
According to court documents obtained by 404 Media, hackers obtained personal data on around seven million 23andMe customers in October 2023. Among that data was “health-related information based upon the user’s genetics.”
It’s not just the people who gave 23andMe their DNA who could be affected, either. Close family members of the company’s customers, who may have had no interest in having their genetic information made public, are now also at risk.
“The DNA data could be used to discern your relatives and ancestry, unearth family secrets, and reveal clues about diseases you have or could be predisposed to. If the data makes its way to certain insurers, they may deny you coverage or charge you more for life, disability, or long-term care insurance because of your genetics,” Ginny Fahs, director of product R&D for Consumer Reports’ Innovation Lab, told the Washington Post.
Late last week, California Attorney General Rob Bonta issued a consumer alert to customers of 23andMe reminding them that they have the “right to direct the deletion of their genetic data under the Genetic Information Privacy Act (GIPA) and California Consumer Privacy Act (CCPA).”
In the alert, Bonta explains how to delete genetic data from 23andMe, how to make sure 23andMe destroys your test sample, and how to revoke permission for your genetic data to be used for research.
23andMe stated in a letter to its customers over the weekend, “Your data remains protected. The Chapter 11 filing does not change how we store, manage, or protect customer data. Our users’ privacy and data are important considerations in any transaction, and we remain committed to our users’ privacy and to being transparent with our customers about how their data is managed.”
The company also dubiously claimed that whoever purchases the genetic data will have to “comply with applicable law with respect to the treatment of customer data.” However, as Andrew Crawford, an attorney at the nonprofit Center for Democracy and Technology, told NBC News, genetic data lawfully acquired and held by a tech company is subject to almost no federal regulation.
“People must understand that, when they give their DNA to a corporation, they are putting their genetic privacy at the mercy of that company’s internal data policies and practices, which the company can change at any time,” Emily Tucker, the executive director of Georgetown Law’s Center on Privacy & Technology, said in an emailed statement to NBC News. “This involves significant risks not only for the individual who submits their DNA, but for everyone to whom they are biologically related.”