23andMe, a genetic-testing and ancestry-tracing company, collects the most personal kind of data from its customers: their DNA.
Now, after a data breach in late 2023 and a full board resignation, the company faces an uncertain future, and many customers believe the genetic information they once willingly handed over could be vulnerable. CEO Anne Wojcicki has also previously said she’d consider a potential takeover of the company, which has raised concerns among customers about what would happen to their data in the event of a sale.
Wojcicki later clarified that she is not considering third-party takeover proposals, and that she intends to take the company private.
“Anne also expressed her strong commitment to customer privacy, and pledged to maintain our current privacy policy, including following the intended completion of the acquisition she is pursuing,” 23andMe said in a statement to CBS MoneyWatch.
In a social media post on X earlier this month, Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), suggested that 23andMe account holders take steps to delete data held by the company.
“If you have a 23andme account, today is a good day to log in and request the deletion of your data,” she wrote.
Other cybersecurity experts stress that users’ data is no more vulnerable today, in the midst of the company’s turmoil, but say that all 23andMe customers should review its privacy policies and consider how and with whom they want to share their data.
Is my data safe?
Galperin and other cybersecurity experts are recommending that account holders take steps to protect their data, including by deleting their 23andMe accounts.
“A lot of people are focused now because of concern over a potential change in ownership,” University of Iowa law professor and genetic privacy expert Anya Prince told CBS MoneyWatch. “But the data is no more vulnerable today than it was for however 23andMe has been going on.”
In addition to sharing their data with 23andMe, customers have always had the ability to consent to 23andMe sharing their de-identified genetic information with third parties, for a variety of purposes, including to advance medical research. “It could, however, potentially be identifiable because genetic data is so unique. So there are vulnerabilities, but they’re not necessarily unique to where 23andMe is right now,” Prince added.
What can someone do with my genetic data?
One’s genetic information reveals a lot about their family’s and their own health. “So if someone had access to that information, and they could identify you, they could learn something about your health,” Prince said.
Conceivably, a drugmaker could better tailor its advertising to individuals, for example.
“It might be innocuous, as in you’d be marketed products for diabetes if you have a predisposition. It could be annoying but not harmful,” she explained.
23andMe said that roughly 80% of its customers consent to participate in the company’s research program, which it said has generated more than 270 peer-reviewed publications uncovering new genetic insights into disease.
“Some people aren’t happy about the sharing that’s happening. They don’t want their information to go to companies in order for them to advance their research because they might say, ‘I paid 23andMe for genetic testing and they’re making money, and drug companies are making money off my data.’ That might feel like a personal affront,” Prince said.
Can I delete my data?
An individual account holder can request a deletion of their genetic information under the terms of 23andMe’s privacy policy.
“You have the ability to download data and delete your account if you’re no longer interested,” Prince explained.
If you’ve already agreed to the company sharing your data in a de-identified manner for research purposes, however, you can reverse that consent, but cannot retract data that’s already been shared. “You can’t find it at whatever pharmaceutical companies it’s already been shared with, because it doesn’t have a person’s name attached to it. So there’s nothing to be done there,” Prince said.
The process for deleting one’s data from 23andMe’s database is automated and straightforward.
“If, at any time, you are no longer interested in participating in our Services, you may delete your 23andMe account directly within your Account Settings,” the company states on its website.
That requires you to log in to your account and submit a request. The company then emails you a data deletion request confirmation, which you must verify. The deletion process then begins.
Jason Kelley, activism director at EFF, urges people to “think very carefully about how much data they are giving away when they use a service like this.”
He noted that few people, if any, within his own organization have used the ancestry-tracing service.
“In general, sharing data like this with any third party is something people should take seriously,” he said. “For a long time, people have not known what information they were giving away and how it was used and people becoming more aware of how their information can be used or it can be dangerous if there is a data breach.”
The company’s stock, which in 2021 traded for more than $16, closed Monday at 29 cents.