Legal expert on how 23andMe’s financial struggles could impact customer data

Anya Prince discusses whether people's genetic data is safe.

By ABC NEWS
November 19, 2024, 6:04 AM

Law professor Anya Prince discussed with ABC News how 23andMe's recent layoffs and its drug development division closure could impact customers' genetic data.

Last week, 23andMe announced it would lay off about 200 employees, or 40% of its workforce. The company struggled with issues such as a board resignation and a class-action settlement from a data breach.

The company has sold more than 12 million DNA kits since its founding in 2006. However, its financial struggles are raising concerns about the security of customer information.

Prince discussed the risks consumers face when dealing with companies similar to 23andMe.

ABC NEWS: Genetic testing and ancestry company 23andMe announced this week that it is laying off around 40% of its workforce and closing its drug development arm. The company has sold more than 12 million of its DNA kits since its founding in 2006, and its financial struggles are raising some concerns for many about the security of customers' information.

So we're going to turn to law professor Anya Prince, who specializes in issues concerning health and genetic privacy, for some answers. Professor, it's good to have you with us. Thanks so much. What risk do you think people have who shared their data with 23andMe or similar services like it in a case like this?

ANYA PRINCE: Yeah. So, the question is really whether or not the data would be used in a way that people aren't comfortable with. And so that could be 23andMe becoming bankrupt or selling the company and then maybe selling it to a pharmaceutical company, selling information to a pharmaceutical company or something like that, where individuals might not be comfortable with how their data is used.

ABC NEWS: And I haven't done this, but I'm sure you sign something when you get that kit that people are going to be looking at the fine print. Now, we reached out to 23andMe about some of these concerns and they said this to us: "We have strong customer privacy protection in place. 23andMe does not share customer data with third parties without customers' consent. And our research program is opt-in, requiring customers to go through a separate informed consent process before joining."

They also said the company is subject to state and federal consumer privacy and genetic privacy laws, which you're familiar with. In your view, do you think these safeguards are sufficient?

PRINCE: Yeah. So again, I think it goes to what people are comfortable with. 23andMe is right presumably, they don't share information without people's consent, but that consent is those privacy policies that we click "Yes" to without fully reading. And so people might not realize how broadly the information can be shared.

And the privacy policy itself says that in the case of sale or bankruptcy, the consumer data goes with the new company. And furthermore, the privacy policy says that it can be changed at any time. And so there's a chance that consumers are comfortable with how 23andMe is currently using their data, but that they might not be comfortable with how a new company would slightly alter the privacy policy.

And unfortunately, the U.S. doesn't have a broad privacy, I'm sorry, broad data privacy law. And therefore, companies like 23andMe are really able to share our data much more broadly than some people realize.

ABC NEWS: So then before we go, just a quick tip. What can consumers do to safeguard their information? It's a very broad question because as you, as you point out, every other day we're getting a notice from some company or some credit card saying here's three years of protection monitoring because we had a data breach. But what, if anything, can we as consumers do to safeguard our information?

PRINCE: Yeah. I think one thing is to just know that health information in our country is not as protected as most people think, unfortunately. So our main health law, HIPAA, only applies within the health care setting, not to our health information when it's held by companies like this.

So people really need to be careful and only share data that they're interested in, are comfortable with that data being shared further. If you've already shared data and you say, 'well, I didn't realize that,' there are steps that can be taken. So for example, 23andMe privacy policy does state that you can request to delete your account and they would delete the account and automatically opt you out of future research.

ABC NEWS: Good to know. All right, Professor Anya Prince, thanks so much for taking the time to talk to us.

PRINCE: Thanks. My pleasure.