Remember That DNA You Gave 23andMe? | The company is in trouble, and anyone who has spit into one of the company’s test tubes should be concerned

https://www.theatlantic.com/health/archive/2024/09/23andme-dna-data-privacy-sale/680057/

7 Comments

  1. Some of the grim details:

    >Amid this downward spiral, Wojcicki has said she’ll consider selling 23andMe—which means the DNA of 23andMe’s 15 million customers would be up for sale, too.
    >
    >23andMe’s trove of genetic data might be its most valuable asset. For about two decades now, since human-genome analysis became quick and common, the A’s, C’s, G’s, and T’s of DNA have allowed long-lost relatives to connect, revealed family secrets, and helped police catch serial killers. Some people’s genomes contain clues to what’s making them sick, or even, occasionally, how their disease should be treated. For most of us, though, consumer tests don’t have much to offer beyond a snapshot of our ancestors’ roots and confirmation of the traits we already know about. (Yes, 23andMe, my eyes are blue.) 23andMe is floundering in part because it hasn’t managed to prove the value of collecting all that sensitive, personal information. And potential buyers may have very different ideas about how to use the company’s DNA data to raise the company’s bottom line. This should concern anyone who has used the service.
    >
    >DNA might contain health information, but unlike a doctor’s office, 23andMe is not bound by the health-privacy law HIPAA. And the company’s privacy policies make clear that in the event of a merger or an acquisition, customer information is a salable asset. 23andMe promises to ask its customers’ permission before using their data for research or targeted advertising, but that doesn’t mean the next boss will do the same. It says so right there in the fine print: The company reserves the right to update its policies at any time. A spokesperson acknowledged to me this week that the company can’t fully guarantee the sanctity of customer data, but said in a statement that “any scenario which impacts our customer’s data would need to be carefully considered. We take the privacy and trust of our customers very seriously, and would strive to maintain commitments outlined in our Privacy Statement.”
    >
    >…
    >
    >Spelling out all the potential consequences of an unknown party accessing your DNA is impossible, because scientists’ understanding of the genome is still evolving. Imagine drugmakers trolling your genome to find out what ailments you’re at risk for and then targeting you with ads for drugs to treat them. “There’s a lot of ways that this data might be misused or used in a way that the consumers couldn’t anticipate when they first bought 23andMe,” Suzanne Bernstein, counsel at the Electronic Privacy Information Center, told me. And unlike a password that can be changed after it leaks, once your DNA is out in the wild, it’s out there for good.
    >
    >…
    >
    >The risk of DNA data being misused has existed since DNA tests first became available. When customers opt in to participate in drug-development research, third parties already get access to their de-identified DNA data, which can in some cases be linked back to people’s identities after all. Plus, 23andMe has failed to protect its customers’ information in the past—it just agreed to pay $30 million to settle a lawsuit resulting from an October 2023 data breach. But for nearly two decades, the company had an incentive to keep its customers’ data private: 23andMe is a consumer-facing business, and to sell kits, it also needed to win trust. Whoever buys the company’s data may not operate under the same constraints.

    Leaving the details of how organizations manage sensitive data up to each of them is likely a bad idea, as we’ve been seeing in recent years. It’s long past time that there were mandatory standards for all companies who collect sensitive data, along with significant punishment for those who are found in violation. This kind of protection or coverage should go with the person and their data, and the responsibilities and penalties should apply to any who might purchase or otherwise use the data.

  2. Atheist_Simon_Haddad on

    >and anyone who has spit into one of the company’s test tubes should be concerned

    also their close relatives

  3. I was sent a free kit because they were testing people with my specific illness. I’m so glad I had second thoughts about sending my genetic material to a company. I tossed the kit in a dumpster.

  4. Big fucking deal. Get whatever you want from my ounce of spit. We should be more concerned about the morons out there trusting in the pharmaceutical industry and even our healthcare system. These people are here for money. Stop eating Doritos and drinking Mountain Dew. The real criminals are the food companies.