Friday

July 18th, 2025

Heads-Up

23andMe is out of bankruptcy. You should still delete your DNA


By Geoffrey A. Fowler The Washington Post

Published July 18, 2025

Nearly 2 million people protected their privacy by deleting their DNA from 23andMe after it declared bankruptcy in March. Now it's back with the same person in charge - and I still don't trust it.

Nor do the attorneys general of California, North Carolina, Maryland and Connecticut, who each told me they still recommend people delete their accounts. There are ways to do it even if you have forgotten your log-in information (go to 23andme.customercare.com). Tell family members, too.

Here's why: Bankruptcy made 23andMe the poster child for America's lax privacy protections - and it hasn't substantially changed its ways. As of this week, genetic data from the more than 10 million remaining 23andMe customers has been formally sold to an organization called TTAM Research Institute for $305 million. That nonprofit is run by the person who co-founded and ran 23andMe, Anne Wojcicki.

In a recent email to customers, the new 23andMe said it "will be operating with the same employees and privacy protocols that have protected your data." Never mind that Wojcicki and her privacy protocols are what put your DNA at risk in the first place.

I do not doubt she is committed to genetic research - she self-financed 23andMe's takeover by her nonprofit. But being affiliated with Wojcicki alone doesn't make TTAM a good steward of your DNA.

"We are changing 23andMe's privacy practices - to add to and enhance them," Wojcicki said in an email response to my questions. (She declined an interview.) "We are giving additional notice, have put further restrictions on use of data, and have agreed to an independent privacy advisory board."

The company is legally obligated to maintain and honor 23andMe's existing privacy policies, user consents and data protection measures. And as part of a settlement with states, TTAM also agreed to provide annual privacy reports to state regulators and set up a privacy board.

But it hasn't agreed to take the fundamental step of asking for permission to acquire existing customers' genetic information. And it's leaving the door open to selling people's genes to the highest bidder again in the future.

"I wouldn't say that this sale erases the previous concerns that consumers and Congresspeople and regulators had about data privacy," said Sara Geoghegan, a senior counsel at the Electronic Privacy Information Center. "This wasn't a company with an immaculate record."

America's most well-known health-privacy law, HIPAA, doesn't protect customers of 23andMe's genetics service because it's not a health care provider or insurance company.

The biggest concession the states extracted: locking down the right for people in states without privacy laws to continue to delete their accounts.

"That may be the best way to protect it," said North Carolina Attorney General Jeff Jackson in a statement. "I'd encourage anyone who sent their data to 23andMe to delete it as soon as they can and keep their most personal, confidential data private."

It matters because 23andMe holds arguably "the most sensitive collections of data about identified people ever sought to be discharged in bankruptcy," wrote Neil M. Richards, the Washington University professor who served as privacy ombudsman for the bankruptcy court. Genes can't be changed. They can be used to discriminate. They reveal information about relatives and future generations who never gave their permission. And they become more valuable - and potentially more dangerous - as science advances.

That alone should make most people uncomfortable. But let's get into specifics about four privacy concerns I have with the new 23andMe.

1) They aren't asking permission

Existing 23andMe customers have the right to delete their data or opt out of TTAM's research. But the new company is not asking for opt-in permission before it takes ownership of their DNA.

"No action is required by you," the company wrote in its email to customers. In other words: If you don't say or do anything, it receives your information.

Why does that matter? Because people who handed over their DNA 15 years ago, often to learn about their genetic ancestry, never imagined it might be used in this way now.

Asking for new permission might significantly shrink the size (and value) of 23andMe's DNA database - but it would be the right thing to do given the rocky history. Richards, the court privacy ombudsman, pointed out that about a third of 23andMe customers haven't logged in for at least three years, so they may have no idea what is going on. Some 23andMe users never even clicked "agree" on a legal agreement that allowed their data to be sold like this; the word "bankruptcy" wasn't added to the company's privacy policy until 2022.

And then there is an unknown number of deceased users who most certainly can't consent, but whose DNA still has an impact on their living genetic relatives.

"For me, this is an institution I don't know, so I would delete the data," said Justin Brookman, director of technology policy for Consumer Reports, which advocates for consumer rights. "I would go further and say the law shouldn't allow them to get it in the first place."

Indeed, both California and Virginia have argued that their existing genetic privacy laws don't allow 23andMe to receive the information without getting permission from every single person. Virginia has an ongoing lawsuit over the issue, and the California attorney general's office told me it "will continue to fight to protect and vindicate the rights" of consumers.

Wojcicki said the reason TTAM isn't seeking permission is that it involves "the risk of someone missing an email and having their personal data, information and account permanently deleted without their explicit direction."

2) They can sell your DNA again in the future

The main reason people rightly were creeped out by 23andMe's bankruptcy is that DNA data was being sold to the highest bidder. That could happen all over again.

There is nothing in 23andMe's bankruptcy agreement or privacy statement to prevent TTAM from selling or transferring DNA to some other organization in the future.

Wojcicki said the company did agree to some limits on a future sale. Any new buyer needs to be based in the U.S. and adopt TTAM's privacy policies. It didn't specifically agree to get user consent for a future purchase, but it has to follow state laws.

3) They haven't shown they can keep your data safe

In 2023, 23andMe suffered a data breach that impacted some 7 million customers and set trust in its business on a downward spiral. So what plans and resources does this new nonprofit have to secure people's DNA?

"TTAM has dedicated additional resources," Wojcicki said. As part of its agreement with states, 23andMe agreed to implement some security measures including an incident response plan, technical cybersecurity controls and annual security assessments by outsiders.

That's all a good thing. But the truth is, 23andMe's financial struggles could make it hard to run a robust cybersecurity program.

4) There are other ways to contribute to DNA research

It's understandable that some people may want to be part of medical research involving DNA.

But Arthur Caplan, a professor of bioethics at the New York University Grossman School of Medicine, told me he has long been skeptical of 23andMe's business model of selling people genetic heritage reports and then using their DNA for research. "I didn't think the DNA should go in, don't like it there, and still would recommend taking it out," he said.

If you still really want to be a part of genetic research, Caplan pointed me to a program called All of Us (joinallofus.org) run by the National Institutes of Health. It's trying to build a diverse database of more than 1 million people to learn about why some get sick or stay healthy.

In response, Wojcicki said government security and privacy isn't necessarily better.

It's true that nothing is free from hacking risk. But All of Us uses robust technical and legal measures to protect the data, including de-identifying the genetic data. It also has certificates of confidentiality from the U.S. government to protect against legal demands for information.
