The 23andMe Bankruptcy: Privacy Considerations and a Call to Action (Part 2)

After Part 1 of this series was published, 23andMe dropped its bid for an independent customer data representative and agreed to the appointment of a privacy ombudsman.

According to the agreement, which was presented to the bankruptcy court during a hearing on April 29, the privacy ombudsman will investigate and report to the court on the security program of the buyer, the potential costs and benefits of the sale to customers, and whether the sale is consistent with 23andMe’s privacy policies and applicable laws. The privacy ombudsman also will identify for the court any changes to the transaction that would mitigate potential privacy losses and other costs to customers.

One detail that should pique the interest of the privacy ombudsman, as well as the FTC, is the buyer’s position on investigative genetic genealogy. This technique involves uploading an unknown perpetrator’s DNA file to a commercial genetic genealogy database for genetic relative identification. Using proprietary algorithms, the database identifies the perpetrator’s (often distant) genetic relatives among customers, and these relative-match results and other public information are used to construct a family tree that includes the unknown perpetrator. Finally, suspect leads are identified based on relationship and case information, and the leads are investigated using traditional police methods.

Since 2018, investigative genetic genealogy has helped solve hundreds of homicide and sexual assault cases. It also has helped identify hundreds of unidentified human remains and exonerate several people convicted of crimes they didn’t commit.

From the beginning, however, this technique has been plagued by misconceptions. One misconception concerns where it’s practiced. Investigative genetic genealogy is currently limited to commercial databases that accept customer uploads of DNA files that were developed by third parties—typically, another direct-to-consumer genetics company. Databases that accept DNA file uploads include the GEDmatch and FamilyTreeDNA databases, which allow investigative genetic genealogy consistent with customer permissions, as well as the MyHeritage database, which does not allow investigative genetic genealogy but nevertheless has been used for this purpose by law enforcement.

Unlike these databases, the 23andMe database doesn’t accept any uploads of DNA files. Rather, the only way to participate in the 23andMe database is by purchasing genetic testing directly from the company. So far, this requirement has shielded 23andMe from investigative genetic genealogy, consistent with the company’s ban on forensic uses of its products and services. Since 2015, 23andMe also has published a “Transparency Report” stating that it has never provided customer information in response to a request from law enforcement.

Nevertheless, some outlets have suggested—incorrectly—that the 23andMe database is currently an active site for investigative genetic genealogy and even was used to help identify the “Golden State Killer.” This misinformation obscures existing privacy-promoting features of 23andMe’s business that the privacy ombudsman can and should consider in their investigation and recommendations to the court. Similarly, the FTC can and should scrutinize the proposed sale for departures from these features.

After the sale is complete, the buyer can change its privacy policies and data practices. However, any changes will be subject to federal and state consumer protection and data privacy laws. For example, the FTC can take legal action if the buyer makes material changes but does not provide customers sufficient notice or uses inadequate consent procedures.      

Ultimately, news of 23andMe’s impending sale — while not entirely unexpected — has injected uncertainty into a dynamic consumer space that has been marked by controversy. Customers who doubt they will benefit from continued engagement with 23andMe or its successor and prefer peace of mind can delete their data. This option is available in each customer’s account settings; many online articles include step-by-step instructions explaining how to act on it. Although some customers had trouble deleting their data soon after the bankruptcy announcement, according to court filings, 23andMe has committed additional resources to manage increased traffic and resolve issues.

But customers who choose to delete should know that the decision is permanent. 23andMe’s customer care page explains that once a customer’s data is deleted, that action cannot be “canceled, undone, withdrawn, or reversed.” For this reason, genetic genealogists recommend that customers electing to part ways with 23andMe should first download their data and reports if they believe they might want this information in the future. Customers who previously consented for their data to be used in research also are reminded that their deleted data will not be used in future research but cannot be removed from ongoing or completed studies.

Another option for customers is to postpone a decision to delete until they have more information. This wait-and-see approach might be appropriate for those whose concerns hinge on who, exactly, buys the company’s data. For example, if the only or highest qualified bidder is Anne Wojcicki, the cofounder and former CEO of 23andMe who resigned to bid on the company, this news might be concerning to customers who do not trust her leadership or intentions. Conversely, it might be reassuring to other customers if she pledges to provide the same products and services that they value under the same privacy terms with which they are comfortable. These products and services can be useful to serious genealogy researchers and individuals investigating specific mysteries in their family trees, who often participate in multiple commercial genetic genealogy databases to increase their chances of learning useful information. These customers might be inclined to put off a decision until they know more about the buyer and terms of sale, especially given that they will need to pay for retesting if they delete now and later come to regret it. 

Each customer will make a decision about their data that is most consistent with their values, preferences, goals, and assessment of risks and benefits. Their decision also will be shaped by the information available to them. Accurate, thorough, and sober reporting on the 23andMe bankruptcy in the days and weeks to come will help customers make informed choices about their data. It also will help to ensure that public dialogues about broader questions of digital data privacy and policy are clear-eyed and constructive. Before 23andMe filed for bankruptcy, scholars already were giving thoughtful attention to legal gaps that expose customer data to serious risks when those data are sold or transferred. The 23andMe bankruptcy could be the stimulus needed to finally close them.


About the authors

Christi Guerrini, JD, MPH, is Associate Professor in the Center for Medical Ethics and Health Policy at Baylor College of Medicine.

Amy McGuire, JD, PhD, is the Leon Jaworski Professor of Biomedical Ethics and Director of the Center for Medical Ethics and Health Policy at Baylor College of Medicine.

Any opinions, conclusions, and recommendations expressed in this article are those of the authors and do not represent the views of Baylor College of Medicine.