State AGs Warn: 23andMe Users’ Genetic Privacy Under Threat

The fate of over 15 million customers’ genetic data is uncertain following 23andMe’s bankruptcy filing in March. This troubling development has drawn attention from attorneys general across multiple states, urging users to delete their genetic information now to avoid potential misuse.

“Your genetic data is your most personal, confidential data, and you should protect who has access to it,” North Carolina Attorney General Jeff Jackson stated in March. He advised customers to act swiftly and remove their data.

Concerned individuals, like Dr. Adam Brown, an emergency physician in Washington, D.C., have already deleted their information in response to this uncertainty. He raised a critical issue: What actually happens to genetic data when the company holding it declares bankruptcy?

Federal protections regarding genetic data are minimal. While individual states have enacted stronger laws in recent years, many experts believe these measures are insufficient. Although 23andMe claimed that bankruptcy would not affect its data management practices, concerns remain about how new ownership may alter privacy policies.

“Once you reach bankruptcy court, there may not be the same guarantees about privacy protections for consumers,” Brown cautioned. “Data privacy safeguards are weak, especially for direct-to-consumer businesses.”

Companies like 23andMe offer users insights into their health and ancestry based on genetic testing, valued at $1.93 billion globally. However, the company’s reputation declined significantly after a data breach in 2023 exposed nearly 7 million customer accounts, followed by a $30 million class-action lawsuit settlement, leading to its bankruptcy.

State attorneys general from Alabama, Arizona, California, and several others quickly encouraged users to request the deletion of their genetic profiles and the destruction of associated saliva samples. “Texans should exercise their right to have their data securely deleted,” emphasized Texas Attorney General Ken Paxton.

The possibility that a new owner could exploit or share sensitive genetic information remains a concern. Data misuse could lead to inflated life insurance premiums or discrimination in employment.

HIPAA, the federal law designed to protect health information, does not extend to companies like 23andMe. Their non-invasive methods do not classify as medical tests, leaving a regulatory gap. Existing protections under the Genetic Information Nondiscrimination Act (GINA), passed in 2008, also fail to cover all relevant entities, such as life insurance companies.

In the past five years, at least 14 states have established laws regulating direct-to-consumer genetic testing. Generally, these laws require companies to obtain explicit consent before utilizing or sharing customer data and allow for data deletion requests. However, experts like Anya Prince suggest these laws don’t go far enough.

Many state regulations were modeled after guidelines promoted by the Coalition for Genetic Data Protection, which includes companies like 23andMe. Despite some sensible privacy provisions, Prince argues for broader protections, especially for instances when data is transferred to other organizations.

Since 2020, numerous states have passed genetic information privacy laws, including states like Florida and California, which have enacted more robust protections. California’s laws extend beyond genetic data, incorporating anti-discrimination measures across various sectors, while Florida has strict penalties for unauthorized use or sale of DNA.

The situation highlights a significant disconnect between public perception and actual data privacy protections. As laws continue to evolve, the need for clear and strong regulations is evident, especially in the context of genetic data security.