21st CENTURY QUESTIONS: Who Owns Your DNA Now?

23andMe’s vast repository of user data, amassed through years of saliva-based ancestry testing, lies at the mercy of its own self-imposed guidelines rather than robust federal oversight.

The company’s 2023 data breach, which exposed sensitive details like genetic predispositions and ancestry reports for nearly 7 million users, underscored the sheer volume of personal information it holds. For the millions who entrusted their DNA to 23andMe, the assumption might have been that such intimate data enjoys the ironclad protections of the Health Insurance Portability and Accountability Act (HIPAA), a law designed to shield sensitive health information from unauthorized disclosure. Yet, 23andMe operates outside HIPAA’s reach, leaving it tethered only to its own privacy policies — rules it can rewrite at will.

This regulatory gap casts a long shadow over the company’s future, especially as it teeters on the brink of a sale following its bankruptcy filing. A patchwork of inconsistent state privacy laws, coupled with the absence of a cohesive federal framework, means that the genetic profiles of 15 million Americans could be up for grabs.
