The genetic testing firm 23andMe, once celebrated in Silicon Valley and valued at $6 billion, sought Chapter 11 bankruptcy protection late Sunday, paving the way for a potential sale of the business. Co-founder and CEO Anne Wojcicki has also resigned following a series of unsuccessful attempts to transition the company to private ownership.
With uncertainty surrounding the company’s future reaching a peak, attention is now focused on the extensive and sensitive genetic data that 23andMe possesses. Privacy advocates have long cautioned about the dual risks involved in sharing genetic information with any organization—the potential failure to safeguard that data, as well as the possibility of transferring customer information to a new entity that individuals may not trust or select.
California Attorney General Rob Bonta reminded consumers in a notification on Friday that residents of California have the legal right to request the deletion of their data from organizations. However, customers of 23andMe in other regions may not enjoy the same level of protection, although some rights to deletion do exist under Washington state’s My Health My Data Act and the European Union’s General Data Protection Regulation. Regardless of where they live, all customers of 23andMe should consider downloading any information they wish to retain and then seek to erase their data.
“This situation really underscores the reality that there is currently no national health privacy law in the United States protecting your rights unless you’re in California or Washington,” states Andrea Downing, an independent security researcher and cofounder of the patient-led digital rights nonprofit The Light Collective. “Meanwhile, our understanding of the value of genetic information continues to evolve, along with the recognition of its unique vulnerabilities.”
John Verdi, senior vice president of policy at the Future of Privacy Forum, notes that the new owner of 23andMe may choose to alter the company’s privacy policies for future customers and new data collection, but any data previously gathered from current customers is governed by existing terms. “The company has legal responsibilities concerning the information obtained under the current policies,” he explains.
Nevertheless, researchers point out that such a substantial transition will inevitably lead to real data exposure that customers of 23andMe will be powerless to control. “In my view, these privacy policies—especially in the context of acquisitions within the venture capital and private equity sectors—are essentially meaningless,” asserts long-time security researcher and data privacy advocate Kenn White. “For everyday users of these services, you’re largely on your own. My recommendation is to request the deletion of your data as swiftly as possible.”
To remove your genetic data from 23andMe, log into your account and navigate to Settings in your profile. Scroll to 23andMe Data, then click View. Here, you can choose to download a copy of your genetic information. After that, scroll to Delete Data and click Permanently Delete Data. Once you initiate the process, you will receive an email from 23andMe to confirm your action. Click the link in the email to finalize the deletion process. Additionally, you can instruct 23andMe to dispose of the biological sample used for your DNA extraction if you had previously allowed the company to retain it. This can be done by going to Settings and then Preferences.