23andMe is not doing well. Its stock is on the verge of being delisted. It shut down its in-house drug-development unit last month, only the latest in several rounds of layoffs. Last week, the entire board of directors quit, save for Anne Wojcicki, a co-founder and the company’s CEO. Amid this downward spiral, Wojcicki has said she’ll consider selling 23andMe—which means the DNA of 23andMe’s 15 million customers would be up for sale, too.
23andMe’s trove of genetic data might be its most valuable asset. For about two decades now, since human-genome analysis became quick and common, the A’s, C’s, G’s, and T’s of DNA have allowed long-lost relatives to connect, revealed family secrets, and helped police catch serial killers. Some people’s genomes contain clues to what’s making them sick, or even, occasionally, how their disease should be treated. For most of us, though, consumer tests don’t have much to offer beyond a snapshot of our ancestors’ roots and confirmation of the traits we already know about. (Yes, 23andMe, my eyes are blue.) 23andMe is floundering in part because it hasn’t managed to prove the value of collecting all that sensitive, personal information. And potential buyers may have very different ideas about how to use the company’s DNA data to raise the company’s bottom line. This should concern anyone who has used the service.
DNA might contain health information, but unlike a doctor’s office, 23andMe is not bound by the health-privacy law HIPAA. And the company’s privacy policies make clear that in the event of a merger or an acquisition, customer information is a salable asset. 23andMe promises to ask its customers’ permission before using their data for research or targeted advertising, but that doesn’t mean the next boss will do the same. It says so right there in the fine print: The company reserves the right to update its policies at any time. A spokesperson acknowledged to me this week that the company can’t fully guarantee the sanctity of customer data, but said in a statement that “any scenario which impacts our customers’ data would need to be carefully considered. We take the privacy and trust of our customers very seriously, and would strive to maintain commitments outlined in our Privacy Statement.”
Certain parties might take an obvious interest in the secrets of Americans’ genomes. Insurers, for example, would probably like to know about any genetic predispositions that might make you more expensive to them. In the United States, a 2008 law called the Genetic Information Nondiscrimination Act protects against discrimination by employers and health insurers on the basis of genetic data, but gaps in it exempt providers of life, disability, and long-term-care insurance from such restrictions. That means that if you have, say, a genetic marker that can be correlated with a heart condition, a life insurer could find that out and legally deny you a policy—even if you never actually develop that condition. Law-enforcement agencies rely on DNA data to solve many difficult cases, and although 23andMe says it requires a warrant to share data, some other companies have granted broad access to police. You don’t have to commit a crime to be affected: Because we share large chunks of our genome with relatives, your DNA could be used to implicate a close family member or even a third cousin whom you’ve never met. Information about your ethnicity can also be sensitive, and that’s encoded in your genome, too. That’s all part of why, in 2020, the U.S. military advised its personnel against using consumer tests.
Spelling out all the potential consequences of an unknown party accessing your DNA is impossible, because scientists’ understanding of the genome is still evolving. Imagine drugmakers trolling your genome to find out what ailments you’re at risk for and then targeting you with ads for drugs to treat them. “There’s a lot of ways that this data might be misused or used in a way that the consumers couldn’t anticipate when they first bought 23andMe,” Suzanne Bernstein, counsel at the Electronic Privacy Information Center, told me. And unlike a password that can be changed after it leaks, once your DNA is out in the wild, it’s out there for good. Some states, such as California, give consumers additional genetic-privacy rights and might allow DNA data to be deleted ahead of a sale. The 23andMe spokesperson told me that “customers have the ability to download their data and delete their personal accounts.” Companies are also required to notify customers of any changes to terms of service and give them a chance to opt out, though typically such changes take effect automatically after a certain amount of time, whether or not you’ve read through the fine print. Consumers have assumed this risk without getting much in return. When the first draft of the human genome was unveiled, it was billed as a panacea, hiding within its code secrets that would help each and every one of us unlock a personalized health plan. But most diseases, it turns out, can’t be pinned on a single gene. And most people have a boring genome, free of red-flag mutations, which means DNA data just aren’t that useful to them—at least not in this form. And if a DNA test reveals elevated risk for a more common health condition, such as diabetes and heart disease, you probably already know the interventions: eating well, exercising often, getting a solid eight hours of sleep. (To an insurer, though, even a modicum of risk might make someone an unattractive candidate for coverage.) That’s likely a big part of why 23andMe’s sales have slipped. There are only so many people who want to know about their Swedish ancestry, and that, it turns out, is consumer DNA testing’s biggest sell.
Wojcicki has pulled 23andMe back from the brink before, after the Food and Drug Administration ordered the company to stop selling its health tests in 2013 until they could be proved safe and effective. In recent months, Wojcicki has explored a variety of options to save the company, including splitting it to separate the cash-burning drug business from the consumer side. Wojcicki has still expressed interest in trying to take the company private herself, but the board rejected her initial offer. 23andMe has until November 4 to raise its shares to at least $1, or be delisted. As that date approaches, a sale looks more and more likely—whether to Wojcicki or someone else.
The risk of DNA data being misused has existed since DNA tests first became available. When customers opt in to participate in drug-development research, third parties already get access to their de-identified DNA data, which can in some cases be linked back to people’s identities after all. Plus, 23andMe has failed to protect its customers’ information in the past—it just agreed to pay $30 million to settle a lawsuit resulting from an October 2023 data breach. But for nearly two decades, the company had an incentive to keep its customers’ data private: 23andMe is a consumer-facing business, and to sell kits, it also needed to win trust. Whoever buys the company’s data may not operate under the same constraints.
SCP-3008