What happens to your data if 23andMe collapses?

Health law policy expert says biotech firm’s uncertain future shows need for protections of personal, genetic info
A recent paper published in the New England Journal of Medicine calls for regulations to protect customers’ personal and genetic data in light of biotech company 23andMe’s uncertain future.
The genetic genealogy firm, launched in 2007, became wildly popular, with millions of customers sending in saliva samples for analysis to learn about their ancestry and genetic makeup.
The company was valued at $6 billion, or $17.65 a share, shortly after going public in 2021. It has since fallen to about $48 million, or $1.78 per share, after a 2023 data breach and resignation of some board members. The firm said in January that it’s exploring “strategic alternatives,” including a sale of the company or assets, restructuring, or business combination, among other options.
In this edited conversation, I. Glenn Cohen, one of the paper’s authors and faculty director of the Petrie-Flom Center at Harvard Law School, explains the legal landscape surrounding genetic data, the reasons for more consumer protection laws, and the steps for consumers to protect their personal and genetic data.

If 23andMe were to file for bankruptcy protection, what might happen with the genetic data of 14 million people the company holds?
As 23andMe faces significant financial distress and might be purchased directly or go bankrupt and its assets sold, all of the genetic and health information provided by people is a valuable asset to the company. Many people have used services like 23andMe, Ancestry.com, and others, which are direct-to-consumer genetic testing companies, to answer questions about their ancestry or their genetic code.
But in the course of answering these questions for themselves, they’ve also contributed to these huge genetic databases. Our concern is that they may end up in the hands of somebody other than 23andMe, in a way that many people who have given their information to 23andMe never contemplated and might object to.
What are the possible case scenarios, and what are your concerns?
One is about data security. We saw that 23andMe itself was subject to a massive data breach in 2023, and if the company that takes over the data lacks good data security, there’s a possibility of breach.
Interestingly, once upon a time, the Pentagon told military personnel not to use these at-home DNA kits because it was concerned about national security. A more quotidian concern is that your genetic information might become available to others, and it’s possible you could become reidentified.
To give you an example from a study several years ago, a number of researchers used genetic data to try to identify, through what’s called genome-wide association studies (GWAS) technology and approach, what parts of the genome were associated with being gay. Many people who had given their genetic information were understandably upset at the idea this could be a possible use of their information.
So, while customers have made the decision to share with 23andMe, from whom they get a lot of benefit, they really have very little say about what will happen should the company be taken over or should the company go bankrupt, and its assets sold.
“I would love to see a space where people can get the information they want without feeling as though that information might put them at risk.”
Do federal health privacy regulations offer privacy protections to consumers?
The Health Insurance Portability and Accountability Act (HIPAA) is the law that, among other things, when you speak to your doctor, creates rules about what can be shared under what context.
The problem is that HIPAA’s definition of covered entities and business associates means that when you have provided information, including your genetic data, not to a hospital system, not to a physician, but to a direct-to-consumer company like 23andMe, you are not covered by HIPAA. You are treated by the law essentially as a consumer, not as the patient.
Now, there are other federal laws that cover you a little bit. The Genetic Information Nondiscrimination Act prevents health insurers, but also employers, from using genetic information in a way that is discriminatory. So that kind of law still will apply, but health privacy laws at the federal level won’t directly apply when you are dealing with a private company like 23andMe.
What about the privacy protections 23andMe offers to consumers?
We should say at the front end that it asks its consumers for consent to use their data for research purposes. There is the option not to consent, although roughly 80 percent of the consumers have given consent.
The consumer agreements have a privacy statement that says all U.S. customers have certain rights, such as a right to opt out of the storage of saliva samples and the right to request the deletion of their account. It also says that it doesn’t share individual-level information, on diseases or genotypes, or de-identified information voluntarily with insurance companies, employers, public databases, or law enforcement agencies without a subpoena.
But the company shares personal information with service providers and contractors for sample analysis, marketing, and analytics. Also, the privacy statement reserves the company’s right to transfer customers’ personal information in the event of a sale or bankruptcy, and customers can’t protect their data from being accessed, sold, or transferred as part of that transaction.
Can bankruptcy laws offer some safeguards to 23andMe consumers?
One of the paper’s co-authors, Melissa Jacoby, is a bankruptcy law scholar. My specialty is health law, but I’ll do my best to explain. Many companies that have held sensitive information have filed for bankruptcy, and in the course of that bankruptcy they’ve sold consumer data to a third party.
Bankruptcy law offers some protections. Bankruptcy itself is a public process. There’s attention from the public, and sometimes regulators, like the [Federal Trade Commission] or state attorneys general, can get involved in cases and can seek to enter the bankruptcy proceedings. A federal court oversees a bankruptcy, and the U.S. Trustee Program, an agency within the Department of Justice, can sometimes get involved as well.
In some instances, bankruptcy law had required a consumer privacy ombudsperson to investigate a sale and determine whether it’s in keeping with the bankrupt company’s privacy statements, as well as the law.
These are some protections, but they’re not perfect. One thing we want to highlight is that when most people have given their genetic information, they’ve never thought about this, and we just want people to pay attention to it.
What are your policy recommendations to protect consumers’ personal and genetic data?
The U.S. has a federal health privacy law that’s a bit out of date compared to our peer countries in Europe. One solution to this problem would be to have more general data privacy protection that would cover all personal data, including genetic data, and that would apply in bankruptcy cases as well.
There have been many attempts to get Congress to comprehensively update federal privacy law, including health privacy laws. They haven’t really succeeded. So, we’re not holding our breath.
A more targeted approach might be thinking about expanding the scope of the HIPAA law to cover companies like 23andMe, or potentially expanding what the Genetic Information Nondiscrimination Act covers, in terms of discrimination and genetic information. New regulations could also address instances when you have the overlap of a company that has genetic information and goes bankrupt. That’s what we’d like to see. Whether it will happen, I’m not sure.
What could consumers do in the meantime?
Going forward, I would think about these things as you decide whether the kind of information you are going to get from a direct-to-consumer company like 23andMe is worth the risks.
Also, when you are given the right to choose not to consent to sharing of data, I think that’s worth thinking about. And if this is something that worries you, this might be a time to go in and delete that information in your account, even though it’s not a perfect solve.
There are a lot of reasons why people are curious about their ancestry or genetic information. My hope is that this experience might also cause companies to be more privacy sensitive. I would love to see a space where people can have their cake and eat it too, to get the information they want without feeling as though that information might put them at risk if there’s a bankruptcy and the like.