Image by Matt Winkelmeyer/Getty Images for WIRED25
Biotech company 23andMe was once hailed as one of the most successful businesses selling DNA analysis services to anybody who could afford one of its saliva test kits.
But 18 years after it was founded, the company is on the brink of bankruptcy. To date, 23andMe has yet to turn a profit, despite 14 million people taking its at-home tests.
The company’s valuation was a lofty $6 billion shortly after going public in 2021. Since then, its valuation has plummeted a staggering 99 percent.
The venture was also hit with a massive data breach last year, affecting 6.9 million customer accounts.
Then last month, the company’s entire board resigned on the same day, publicly rebuking CEO Anne Wojcicki.
Now that 23andMe is teetering on the edge, it’s raising glaring questions. Perhaps first and foremost: if it were to go under, what would happen to all of that extremely personal DNA data?
In a piece for The Conversation, University of Melbourne senior law lecturer Megan Prictor explored the possibly disastrous implications of 23andMe going bust.
For one, 23andMe is surprisingly open about its willingness to share private customer DNA data with service providers.
“If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction,” the company notes in its privacy statement, “and this Privacy Statement will apply to your Personal Information as transferred to the new entity.”
In other words, your DNA information could easily be passed on to an entirely separate company, a terrifying prospect for many trying to safeguard their privacy online.
As University of Iowa law professor Anya Prince explained in a recent interview with NPR, federal protections like the Health Insurance Portability and Accountability Act (HIPAA) do not apply.
“HIPAA does not protect data that’s held by direct-to-consumer companies like 23andMe,” she said.
In a statement to The Conversation, a spokesperson reassured that Wojcicki is “not open to considering third-party takeover proposals.” If the company were to change hands, the privacy agreement would “remain in place unless and until customers are presented with, and agree to, new terms and statements.”
Worse yet, for 23andMe’s existing customers, simply deleting the data may not even be on the table. The company reserves the right to “retain Personal Information for as long as necessary,” per its privacy statement. Account deletions are also “subject to retention requirements and certain exceptions.”
“Buying a DNA test online might feel fun and rewarding and it’s certainly been marketed that way,” Prictor concludes in her piece. “There are plenty of good news stories about how getting those test results has helped people to connect with lost family or understand more about their health risks.”
“People just need to buy tests with their eyes open about what this might mean,” she added, especially considering the many “legal conditions attached.”
Other legal scholars tend to agree.
“Having to rely on a private company’s terms of service or bottom line to protect that kind of information is troubling — particularly given the level of interest we’ve seen from government actors in accessing such information during criminal investigations,” American Civil Liberties Union staff attorney Vera Eidelman told NPR.
Wojcicki remains steadfast despite facing a major financial crisis.
“I remain committed to our customers’ privacy and pledge,” she said in a September filing with the Securities and Exchange Commission, announcing that she was considering taking 23andMe private.
But how long the DNA company can stay afloat remains anybody’s guess.
More on 23andMe: Every Member of 23andMe’s Board Except the CEO Just Resigned in Disgust