23andMe, a company specializing in genetic testing and tracing ancestry, gathers highly personal data from its customers: their DNA. Following a data breach in late 2023 and the resignation of the entire board, the company’s future is uncertain, leading many customers to worry about the security of the genetic information they willingly provided. CEO Anne Wojcicki had previously mentioned the possibility of a company takeover, raising concerns among customers about the fate of their data if a sale were to occur.
Wojcicki later clarified that she is not considering third-party takeover proposals and intends to take the company private. In a statement to CBS MoneyWatch, 23andMe conveyed Anne’s strong commitment to customer privacy and her pledge to maintain the current privacy policy, even after the acquisition she is pursuing is completed.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF), urged 23andMe account holders to take action to delete their data in a recent social media post. Additional cybersecurity experts emphasize that the vulnerability of users’ data remains unchanged amidst the company’s turmoil. They advise all 23andMe customers to review the privacy policies and carefully consider how and with whom they wish to share their data.
Galperin and other cybersecurity experts recommend that account holders take steps to protect their data, including deleting their 23andMe accounts. “Many people are concerned about a potential change in ownership, but the data is no more vulnerable today than it has been throughout 23andMe’s existence,” said Anya Prince, a genetic privacy expert and law professor at the University of Iowa.
In addition to sharing their data with 23andMe, customers have always had the option to consent to the company sharing their de-identified genetic information with third parties for various purposes, including advancing medical research. Prince added that while there are vulnerabilities, they are not necessarily unique to 23andMe’s current situation.
One’s genetic information can reveal significant details about their family’s and their own health. Prince explained that if someone gained access to this information and could identify the individual, they could learn about their health.
In theory, a pharmaceutical company could use this information to customize its advertising for individuals. 23andMe indicated that approximately 80% of its customers consent to participating in the company’s research program, which has resulted in over 270 peer-reviewed publications revealing new genetic insights into diseases. “Some individuals are unhappy about the data sharing. They do not want their information to be used by companies to advance research, especially when they paid 23andMe for genetic testing and feel that companies and drug companies are profiting from their data. This may feel like a personal violation,” said Prince.
As per 23andMe’s privacy policy, an individual account holder has the option to request the deletion of their genetic information. Prince explained that users have the capability to download their data and close their account if they lose interest. If consent was previously given for the company to share data for research purposes in a de-identified manner, it can be reversed, but data that has already been shared cannot be retracted.
The process for removing data from 23andMe’s database is automated and simple. The company states on its website that if a user is no longer interested in participating in their services, they may delete their 23andMe account directly within their Account Settings. This involves logging into the account and submitting a deletion request, which is then confirmed via email before the deletion process commences.
Jason Kelley, activism director at EFF, advises individuals to consider the amount of data they share when using such services. He mentioned that very few people within his organization have used the ancestry-tracing service. Kelley emphasized the importance of taking data sharing seriously, as many individuals were previously unaware of how their information was used and the potential risks associated with data breaches.
The company’s stock, which was valued at over $16 in 2021, closed at 29 cents on Monday.
