Biotech company 23andMe was once hailed as one of the most successful businesses selling DNA analysis services to anybody who could afford one of its saliva test kits.
But 18 years after it was founded, the company is on the brink of bankruptcy. To date, 23andMe has yet to turn a profit, despite 14 million people taking its at-home tests.
The company’s valuation was a lofty $6 billion shortly after going public in 2021. Since then, its valuation has plummeted a staggering 99 percent.
The venture was also hit with a massive data breach last year, affecting 6.9 million customer accounts.
Then last month, the company’s entire board resigned on the same day, publicly rebuking CEO Anne Wojcicki.
Now that 23andMe is teetering on the edge, it’s raising glaring questions. Perhaps first and foremost: if it were to go under, what would happen to all of that extremely personal DNA data?
In a piece for The Conversation, University of Melbourne senior law lecturer Megan Prictor explored the possibly disastrous implications of 23andMe going bust.
For one, 23andMe is surprisingly open about its willingness to share private customer DNA data with service providers.
“If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction,” the company notes in its privacy statement, “and this Privacy Statement will apply to your Personal Information as transferred to the new entity.”
In other words, your DNA information could easily be passed on to an entirely separate company, a terrifying prospect for many trying to safeguard their privacy online.
As University of Iowa law professor Anya Prince explained in a recent interview with NPR, federal protections like the Health Insurance Portability and Accountability Act (HIPAA) do not apply.
“HIPAA does not protect data that’s held by direct-to-consumer companies like 23andMe,” she said.
In a statement to The Conversation, a spokesperson reassured that Wojcicki is “not open to considering third-party takeover proposals.” If the company were to change hands, the privacy agreement would “remain in place unless and until customers are presented with, and agree to, new terms and statements.”
Worse yet, for 23andMe’s existing customers, simply deleting the data may not even be on the table. The company reserves the right to “retain Personal Information for as long as necessary,” per its privacy statement. Account deletions are also “subject to retention requirements and certain exceptions.”