What are some important things we should understand about 23andMe and the genetic information it holds?
When they got started, 23andMe did not have very strong privacy policies, but they changed those over time and now they’re pretty good. But that might not matter today, because those policies could change with a new buyer.
It’s especially important to know that 23andMe might have more than just your genetic information. Many customers have allowed them to keep the saliva samples they sent in. So if you checked that box, and now you want them to delete all your data, you’ll have to ask them separately to destroy your saliva sample.
Also, in recent years, 23andMe was marketed as an ancestry site in TV ads, but the early vision for 23andMe was about building disease communities. They brought people together to understand their shared experience with multiple sclerosis, heart disease, or asthma, for example. Those online forums were incredibly valuable to some people, but that means 23andMe has your data if you’ve been talking about what testing you’ve received and what your diagnosis is and what treatments you’ve tried.
In this fire sale that could be coming, people could buy all these things.
What are some things a new owner might do with 23andMe’s data and genetic material?
That’s a great question, because there’s a nebulous fear of your private information being in bad hands, and there are possibilities for that. But there are also possibilities for using this private information for things that most people would probably be OK with. If someone is using the information for further drug development, and it turns out there’s a miracle cure for your condition, you probably would say, “Yes, please do use my information that way.”
The problem here is that you might not be given that option to say yes or no. And it seems just as possible that a life insurance company, for example, could buy the data and use the information to deny certain people life insurance. There’s no rule about who’s going to buy this and how they might choose to use it.
Unlike a hospital or a doctor’s office, 23andMe is not covered by the federal Health Insurance Portability and Accountability Act (HIPAA), which safeguards the privacy of personal medical information. What does that mean in this situation?
It means you don’t have the protection of federal law on the data you sent off to 23andMe. It’s only protected by their privacy policy.
23andMe asks its customers about using their data for research by asking them to check a box if they want to opt out, and reportedly about 80% of customers do not choose to opt out. Should customers have paid more attention to that opt-out option?
I think most people don’t check that box because they’re actually OK with their personal data being used for medical research, as long as it’s used for a legitimate purpose. In surveys, most people are interested in having their data used for research on disorders that they have or that could help their child or their families, as long as their privacy is protected.
The problem is that there are no ironclad protections on this. So, you wonder what happens if 23andMe goes bankrupt and their privacy policies no longer apply under a new owner. Maybe the new owner is even required to send you an email and say they’re changing their privacy policy. But a lot of people will not even see that email. It’ll go straight to their spam folder, or it’ll be in legalese and they won't read it.
A 23andMe saliva collection kit.
If 23andMe’s assets do get sold off as part of the bankruptcy process, are there any legal safeguards for customers?
Generally, they have the right to sell the assets to the highest bidder, but the bankruptcy judge can put limits on this. There have been prior cases where a consumer privacy ombudsperson is assigned to a bankruptcy case to oversee the sales and the conditions of those sales, and to make sure that the privacy of the people whose data are included in the sale is being protected.
This independent arbiter might look at potential deals and say yes or no, or “You can do that deal, but it needs these protections to be in place.”
You talked about types of research that could be done with 23andMe data that many people would likely support. But couldn’t that information be put to less popular research purposes as well? There was a lot of controversy over a 2019 study published in Science, in part using 23andMe data on thousands of people, to explore the role played by genetics in same-sex sexual behavior.
That’s an important nuance. Even though most people will say, “Yes, it’s OK to use my data for legitimate medical research,” there is something in that word “legitimate.” There are people who would say, “You can use my data for that project, but I would not be comfortable with you using my data for this other project.”
Where this most often comes up is in studies involving what’s called “identity based genetic risk.” For example, the “God gene”: Is there a gene that makes people more likely to be religious or more atheistic?
There also are studies that are very controversial about connections between ethnic background and the risk of, say, breast cancer. I might be OK with research on something I or my family has, but I might not be comfortable with labeling everyone of my ethnicity as being at high risk for a disease.
What sorts of laws or regulations do you think we need in this space to better protect people who make use of these services?
I think we need something like HIPAA that would cover sensitive personal information in online spaces. That’s complicated, because people give up sensitive personal information all the time on Facebook or Instagram.
Does legitimate medical research suffer if there’s a firewall between companies like this and the ability to do large studies based on their data?
I don’t think it will harm medical research to get informed consent and to ensure that there is an oversight process for how you use these data.
We do this in health care a lot – it’s called secondary uses of medical information. We can comb through our data from patient care, looking for signals of what works and what doesn’t work. But there are intense privacy protections to make sure individual patient data don’t get released to the researchers, that the data are scrubbed clean of individual identifiers. There are committees that oversee that kind of work to protect privacy. That’s how it ought to be done with data in private hands.
So, given all this, if a patient came to you seeking advice on whether to send off genetic information to a private company, what would you say?
My advice would be to wait for a company that’s covered under a law like HIPAA. Now, you might wind up paying more, because the business model is that they charge less for DNA testing than it costs to do the genetic sequencing, so they’re losing money on every test in hopes of acquiring your genetic data that they can then sell. But it would be safer for patients if a health care system provided services like this under HIPAA protection, even if it costs more.
You should also delete your data with 23andMe, including asking them to destroy your physical saliva sample.
