23andMe Users’ Genetic Data is at Risk, State AGs Warn

WASHINGTON, D.C. – The fate of more than 15 million customers’ genetic data remains in limbo after popular DNA testing company 23andMe filed for bankruptcy in March. The data is up for sale, stoking fears about how it might be used and prompting attorneys general from more than a dozen states to warn 23andMe users: Delete your data.

“Your genetic data is your most personal, confidential data, and you should be able to protect who has access to it,” North Carolina Attorney General Jeff Jackson, a Democrat, said in a March statement.

“You have the power to delete your data now — please act quickly.”

Dr. Adam Brown, a Washington, D.C.-based emergency physician and the founder of a health care strategy firm, deleted his information on 23andMe as soon as he learned of the bankruptcy filing, he told Stateline.

For him, the bankruptcy raises a vital question that federal and state laws don’t fully address: What happens to your genetic data when the company holding it collapses?

Federal protections are flimsy. States have beefed up their genetic privacy laws in recent years, but many experts say they don’t go far enough.

23andMe has said the bankruptcy will not change how it stores, manages or protects its trove of sensitive customer information. In a news release issued shortly after the bankruptcy announcement, the company said any potential buyers would have to agree to comply with 23andMe’s consumer privacy policy and all applicable laws. When contacted by Stateline, the company declined to comment beyond what it has published in news releases and information it posted for customers on its website.

But once the data is in the hands of another company, that company could change its privacy policy at any time, experts noted.

“Once you get to the point of bankruptcy court, there may not be those same guarantees or the same ethos a new company may have around privacy protections for consumers,” Brown said.

“I want people to understand there actually are not a lot of data privacy protections for consumers, especially for these direct-to-customer-type businesses.”

HIPAA doesn’t help

Companies such as 23andMe offer their users potentially game-changing revelations about their health and ancestry. The process is simple: Mail in a saliva sample and the company uses it to build an individual genetic profile that can reveal not only a person’s family connections, but also health insights such as their risk of developing a disease like cancer or Alzheimer’s.

This valuable personal data underpins a direct-to-customer genetic testing market that was valued at $1.93 billion globally in 2023 and is expected to grow, according to market research firm Grand View Research.

23andMe was an industry giant until its stock price plummeted following a massive 2023 data breach that affected the accounts of nearly 7 million customers. Then came the $30 million class-action lawsuit settlement.

The company declared bankruptcy in late March of this year, and announced it’s up for sale.

A flurry of alerts from state attorneys general around the country soon followed. AGs from states including Alabama, Arizona, California, Kentucky, New Hampshire, North Carolina and Texas issued similar press releases that recommended customers ask the company to delete their genetic profile and destroy the saliva sample used to create it.

“We have robust state privacy laws that include data deletion rights, and I would encourage any Texan concerned about their data to exercise the right to have their data securely deleted,” Texas Attorney General Ken Paxton, a Republican, said in an April statement.

The fear is that a new 23andMe owner could choose to use or share sensitive personal genetic data in ways the company’s current privacy policy doesn’t allow. There’s worry it could be used, for example, to inflate people’s life insurance premiums or expose them to employment discrimination.

And there aren’t many guardrails to prevent that from happening.

HIPAA, the Health Insurance Portability and Accountability Act, doesn’t apply to companies like 23andMe. The landmark federal law protects patients’ sensitive health information when it’s handled by doctors, hospitals and health insurers. But direct-to-customer companies such as 23andMe or Ancestry aren’t considered health care providers, and their non-invasive saliva collection kit isn’t considered a medical test.

The main federal law that protects people from discrimination based on their genetic information is nearly 20 years old. The Genetic Information Nondiscrimination Act (GINA) was passed in 2008, long before the rise of at-home testing kits. It applies to employers and health insurers, but not to life insurance companies, mortgage lenders and other non-health entities. And it doesn’t explicitly protect epigenetic information, which is information about the way a person’s genes — and by extension, health — are affected by outside factors such as smoking, disease or stress.

What states are doing

In the past five years, at least 14 states have passed laws regulating direct-to-consumer genetic testing offered by companies like Ancestry and 23andMe. There’s variation, but generally the laws require companies to get customers’ express consent before using or sharing their data, and allow customers to request their genetic data be deleted and biological samples destroyed.

It’s a good start, but doesn’t go far enough, said Anya Prince, a University of Iowa law professor whose research focuses on health and genetic privacy.

Many of those state efforts were built around a model law developed by the Coalition for Genetic Data Protection, an industry group with two member companies: 23andMe and Ancestry.

As DNA testing kits exploded in popularity and attracted increased scrutiny from lawmakers, the coalition pushed to influence legislation and set industry standards. The privacy protections in the laws mirror what 23andMe and Ancestry were already doing with their own privacy policies, experts say.

“They do have some really sensible privacy protections,” said Prince. “It’s great that people can delete their genetic data, and it’s great that law enforcement needs a warrant to access it. But if a privacy advocate had written a model law, there would be the potential for more and broader protections.”

For example, she said, many of the state laws address privacy requirements just for direct-to-consumer DNA testing companies. If 23andMe’s data is bought by, say, a pharmaceutical company, those state laws no longer apply.

The coalition now appears to be inactive, its website defunct.

Since 2020, more than a dozen states have passed some version of a genetic information privacy law, including Alabama, Arizona, California, Florida, Kentucky, Maryland, Montana, Nebraska, South Dakota, Tennessee, Texas, Utah, Virginia and Wyoming, based on a Stateline analysis. This year, the Indiana legislature passed a bill that’s now headed to the governor’s desk. Bills have been introduced this year in other states, including West Virginia.

Prince said state laws rely too heavily on consumers to self-manage their data privacy. They’re expected to understand a company’s policy, when studies have shown the public often doesn’t read privacy notices nor fully understand how companies use their data. Further, many state laws don’t address how third parties, such as law enforcement, can access and use consumer genetic data.

It’s also not always clear how the laws will be enforced, or who’s responsible for oversight.

“In general, I think there’s a disconnect between how people think their privacy is protected and how it’s actually protected,” she said.

But a few states have enacted laws that are more robust. California, for example, has a genetic information privacy law, but also has a general data protection law, as well as a state version of the federal GINA law that extends genetic anti-discrimination protections into areas including housing, education and licensing.

Florida has beefed up its DNA privacy laws in recent years, making it a felony to use or sell an individual’s DNA without informed consent, punishable by up to 15 years in prison and up to a $10,000 fine. Florida was also the first state to prohibit life, disability and long-term care insurance companies from using genetic information to determine coverage.

How to delete your 23andMe data

1. Log in to your 23andMe account on 23andme.com.
2. Under your profile, click “Settings.”
3. Scroll to the “23andMe Data” section.
4. Click the “View” button.
5. If you want a copy of your genetic data, choose the option to download it to your device before proceeding.
6. Scroll to the “Delete Data” section.
7. Click “Permanently Delete Data.”
8. Check your email for a confirmation email from 23andMe, then follow the link in the email to confirm your deletion request.

If you previously opted to have your saliva sample and DNA stored by 23andMe but want to change that preference, you can do so from your account settings page, under “Preferences.”

If you previously consented to 23andMe and third-party researchers using your genetic data and sample for research purposes, you can withdraw that consent from your account settings page, under the “Research and Product Consents” section.

If you have concerns, you can contact your state attorney general’s office. Find yours at www.naag.org/find-my-ag/.

Source: Office of the Attorney General for the District of Columbia

Stateline reporter Anna Claire Vollers can be reached at avollers@stateline.org.

Stateline is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501(c)(3) public charity. Stateline maintains editorial independence. Contact Editor Scott S. Greenberger for questions: info@stateline.org.
