23andMe is on the brink. What happens to all its DNA data?
Last month, Chenedy Wiles finally got around to it.
The 27-year-old traveling nurse spit into a tube and mailed it to 23andMe, where the genetic testing company’s lab examined her DNA and generated a glimpse of her ancestry.
“One of the reasons I decided to get the test is that as an African American, it’s very common for our heritage to get lost,” said Wiles, who lives in Chicago.
Once her results arrived in the mail, it revealed that she was nearly 40% Nigerian. “Which was exciting and cool to see,” she said, “because I always thought I had cousins who were from West Africa.”
After that, 23andMe contacted her regularly about signing up for add-on services, or to have relatives take the test, but she wasn’t interested.
The one-and-done nature of Wiles’ experience is indicative of a core business problem with the once high-flying biotech company that is now teetering on the brink of collapse. Wiles and many of 23andMe’s 15 million other customers never returned. They paid once for a saliva kit, then moved on.
Shares of 23andMe are now worth pennies. The company’s valuation has plummeted 99% from its $6 billion peak shortly after the company went public in 2021.
As 23andMe struggles for survival, customers like Wiles have one pressing question: What is the company’s plan for all the data it has collected since it was founded in 2006?
“I absolutely think this needs to be clarified,” Wiles said. “The company has undergone so many changes and so much turmoil that they need to figure out what they’re doing as a company. But when it comes to my genetic data, I really want to know what they plan on doing.”
What will 23andMe do with the DNA data of 15 million customers?
Andy Kill, a spokesperson for 23andMe, would not comment on what the company might do with its trove of genetic data beyond general pronouncements about its commitment to privacy. “For our customers, our focus continues to be on transparency and choice over how they want their data to be managed,” he said.
When signing up for the service, about 80% of 23andMe’s customers have opted in to having their genetic data analyzed for medical research. “This rate has held steady for many years,” Kill added.
The company has an agreement with pharmaceutical giant GlaxoSmithKline, or GSK, that allows the drugmaker to tap the tech company’s customer data to develop new treatments for disease.
Anya Prince, a law professor at the University of Iowa's College of Law who focuses on genetic privacy, said those worried about their sensitive DNA information may not realize just how few federal protections exist.
For instance, the Health Insurance Portability and Accountability Act, also known as HIPAA, does not apply to 23andMe since it is a company outside of the health care realm.
“HIPAA does not protect data that’s held by direct-to-consumer companies like 23andMe,” she said.
Although DNA data has no federal safeguards, some states, like California and Florida, do give consumers rights over their genetic information.
“If customers are really worried, they could ask for their samples to be withdrawn from these databases under those laws,” said Prince.
According to the company, all of its genetic data is anonymized, meaning there is no way for GSK, or any other third party, to connect the sample to a real person. That, however, could make it nearly impossible for a customer to renege on their decision to allow researchers to access their DNA data.
“I couldn't go to GSK and say, ‘Hey, my sample was given to you — I want that taken out — if it was anonymized, right? Because they're not going to re-identify it just to pull it out of the database,” Prince said.
23andme says it will not let law enforcement search its database
Vera Eidelman, a staff attorney with the American Civil Liberties Union who specializes in privacy and technology policy, said the patchwork of state laws governing DNA data makes the generic data of millions potentially vulnerable to being sold off, or even mined by law enforcement.
“Having to rely on a private company's terms of service or bottom line to protect that kind of information is troubling — particularly given the level of interest we've seen from government actors in accessing such information during criminal investigations,” Eidelman said.
She points to how investigators used a genealogy website to identify the man known as the Golden State Killer, and how police homed in on an Idaho murder suspect by turning to similar databases of genetic profiles.
“This has happened without people's knowledge, much less their express consent,” Eidelman said.
Neither case relied on 23andMe, and spokesperson Kill said the company does not allow law enforcement to search its database.
The company has, however, received subpoenas to access its genetic information.
According to 23andMe’s transparency report, authorities have sought genetic data on 15 individuals since 2015, but the company has resisted the requests and never produced data for investigators.
“We treat law enforcement inquiries, such as a valid subpoena or court order, with the utmost seriousness. We use all legal measures to resist any and all requests in order to protect our customers’ privacy,” Kill said.
Board resigns after split with CEO Wojcicki
Two recent developments have added even more fuel to privacy concerns: Last year, the company was hit with a major data breach that it said affected 6.9 million customer accounts, including about 14,000 who had their passwords stolen.
And earlier this month, 23andMe’s board of directors and the company’s CEO had a dramatic falling-out. After Chief Executive Anne Wojcicki proposed a plan to purchase all of the company’s outstanding shares herself and take the company private, the board pushed back, and, eventually, resigned en masse.
In a public letter to Wojcicki, the board members said while they still back the company’s mission, they cannot support Wojcicki. They wrote that they had been waiting months for her to detail a plan for the company’s future, but it has yet to arrive, which “leads us to believe no such proposal is forthcoming.”
In a September filing to financial regulators, Wojcicki wrote: “I remain committed to our customers’ privacy and pledge,” meaning the company's rules requiring consent for DNA to be used for research would remain in place, as well as allowing customers to delete their data. Wojcicki added that she is no longer considering offers to buy the company after previously saying she was.
Some analysts predict that 23andMe could go out of business by next year, barring a bankruptcy proceeding that could potentially restructure the company.
And for customers like Wiles, the wait is a little unnerving. She opted out of allowing her data to be studied. “Something about that causes me a bit of pause,” she said.
But given the company’s rickety status, she said, “I hope my genetic data isn’t misused in some way. I do wonder what exactly they intend to do with it all."