23andMe Holding Co.’s financial troubles should worry customers who submitted DNA samples for testing using a direct to consumer (DTC) DNA testing kit.
23andMe has reportedly failed to earn a profit since going public, is aggressively burning through cash, faces dozens of class actions arising from a single data breach in October 2023, and is exploring selling or splitting up the company following rounds of layoffs. Trading at less than a dollar per share on the NASDAQ, 23andMe is at risk of being delisted from the exchange.
23andMe’s 14 million customers and those using the services of companies offering similar DTC DNA testing kits, such as those offered by AncestryDNA, CircleDNA, GenoPalate, and MyHeritage should be concerned not only about the salability of their samples and data, but also how that information is used by testing companies.
DTC testing kits have come a long way in recent years and offer an inexpensive way to explore one’s origins, build a family tree, and learn if you might have a genetic marker that makes you more likely to suffer from a disease or condition in the future. However, such tests do not conclusively diagnose any condition or disease or guarantee that the testing results shall belong exclusively to the consumer.
Although consumers have become accustomed to sharing certain personal information in exchange for online services or the use of applications, there is no data more personal than someone’s DNA.
Limited Federal Protections for Genetic Information
Most consumers would be surprised to learn that the Health Insurance Portability and Accountability Act (HIPAA) does not cover DTC testing since genetic testing companies are not considered health care providers. Consequently, DTC customers do not enjoy the same safeguards as health information protected under HIPAA.
While genetic information generated by a testing company is covered by the Genetic Information Nondiscrimination Act (GINA), GINA only makes it illegal to discriminate against employees or applicants because of genetic information and prohibits the use of genetic information in making employment decisions. GINA does not protect against the dissemination of genetic information.
Individual Company Privacy and Use Policies
The use of genetic information is generally subject to the each testing company’s specific privacy policies, which policies can change. Customers are often asked to consent to their genetic information being used for research purposes, but it is unclear with whom such information is shared and whether it is aggregated in a fashion that no single consumer can be identified from the data.
The testing companies often share data with third parties and boiler plate language contained in their contractual or privacy provisions may amount to consumer consent.
Most testing companies will not share data with law enforcement or in a court proceeding with being served with appropriate process in the form a warrant or subpoena. However, again, each testing company may have its own distinct policies.
Given that the use of DTC DNA testing kits is typically one and done, the business model for genetic testing is a poor one since there are few repeat customers. Companies like 23andMe have struggled to develop a core business that generates working capital. Its most valuable asset is likely the data compiled from its 14 million customers.
Customers should be very concerned that even if 23andMe and its competitors are presently circumspect in how genetic information is used that can change at any time.
FTC Interest in the DTC Market
The Federal Trade Commission has taken an active interest in the business of genetic testing and communicated concerns about how data is secured, how customer accounts are protected from hacking, and whether genetic testing companies are misleading the public in promoting their services. A summary of FTC concerns can be found here : https://www.ftc.gov/business-guidance/blog/2024/01/dna-privacy-privacy-dna.
Closing a 23andMe Account
Given 23andMe’s precarious financial condition, security experts recommend that customers to immediately request the destruction of their samples and deletion of their data. PC Magazine recently published an article explaining how to close an account with 23andMe, which can be found here: https://www.pcmag.com/news/23andme-trouble-sparks-calls-for-users-to-delete-their-dna-data-heres-how.
Customers are encouraged to review the terms of thire testing kits and the policies of their chosen testing company as relating to the disposition of their DNA sample, security of their account and data, sharing of the data with third-parties for research and any other purposes, and whether the data can be sold.