If you’re one of the 15 million people who’ve used 23andMe’s genetic services over the past 19 years, do you want the company now to be able to sell your data?
Such a possibility is on the table in the wake of the company’s bankruptcy proceedings. Illinois, along with 26 other states and the District of Columbia, has asked the courts to prevent it.
As the lawsuit spells out, 23andMe has quite a bit of “immutable” — meaning unchanging — personal data. For anyone unfamiliar with how it worked, 23andMe sold kits to customers who wanted a variety of genetic testing services, from tracing their ancestry to identifying predispositions to health issues.
This isn’t just about your email address. It’s your genome — your most personal and unchangeable data — along with family-tree information that can reveal details about relatives too. Genetic data from similar consumer databases has been used to help solve crimes, such as the Golden State Killer case. While that case involved GEDmatch, not 23andMe, it illustrates the extreme sensitivity of this kind of information.
The use of personal data for profit is part of life these days — social media companies leverage your data to sell ads, loyalty programs share your purchase history with advertisers, and many of the “free” apps people enjoy regularly share GPS location.
If you use one of those apps, you can delete it or stop sharing your information. But you can’t change your DNA.
According to the states’ lawsuit, many 23andMe customers who signed up before 2022 never explicitly agreed to the sale of their data. Changing terms after the fact, the suit alleges, is misleading and undermines consumer trust.
23andMe, on the other hand, contends that the data sale is legal under bankruptcy law, that users have already agreed to the company’s privacy policies, and that even if the company does sell this asset, former customers will receive the same level of protection. But without specific legal safeguards and enforcement mechanisms, that’s a promise that may prove difficult to uphold.
Of course, there’s always the option not to share your DNA, the safest bet by a mile. Many people have rightly been skeptical about companies having access to this most sensitive information, in spite of the titillating information they offer to provide in exchange.
Still, millions trusted 23andMe with their sensitive data, believing they could explore their roots or health risks without being turned into a commodity. According to news reports, about 2 million people have requested data deletion from 23andMe in just the past two months, signaling widespread alarm over how that data might be used.
That public concern is exactly why strong legal protections matter. Privacy laws in states like Illinois, Texas and New York also generally require specific consent before sharing genetic or health information. Illinois has long been a leader in privacy legislation, and its Biometric Information Privacy Act forbids the sale or exploitation of biometric data.
Thank goodness for that.
For our part, we’re glad to see Illinois and neighboring Wisconsin among the states standing up for consumers, who have a right to control how their most intimate biological information is used. The Wall Street Journal reported late Friday that a nonprofit controlled by 23andMe co-founder Anne Wojcicki is set to buy the company, although that would need court approval. Regardless of who ends up controlling 23andMe, the need for vigilance surrounding data privacy remains.
Our bottom line is that our DNA is more than just data, it’s our identity, and it deserves protection.
Submit a letter, of no more than 400 words, to the editor here or email letters@chicagotribune.com.