Since it was founded nearly two decades ago, 23andMe has grown into one of the largest biotechnology companies in the world. Millions of people have used its simple genetic testing service, which involves ordering a saliva test, spitting into a tube, and sending it back to the company for a detailed DNA analysis.
But now the company is on the brink of bankruptcy. This has raised concerns about what will happen to the troves of genetic data it has in its possession.
The company's chief executive, Anne Wojcicki, has said she is committed to customer privacy and will "maintain our current privacy policy".
But what can customers of 23andMe themselves do to make sure their highly personal genetic data is protected? And should we be concerned about other companies that also collect our DNA?
[...] 23andMe has had a rapid downfall after the 2021 high of its public listing.
Its value has dropped more than 97%. In 2023, it suffered a major data breach affecting almost seven million users and settled a class action lawsuit for US$30 million.
Last month its seven independent directors resigned amid news the original founder is planning to take the company private once more. The company has never made a profit and is reportedly on the verge of bankruptcy.
What this might mean for its vast stores of genetic data is unclear.
(Score: 3, Insightful) by Unixnut on Monday October 28, @02:54PM (3 children)
You don't have to be paranoid to assume they will screw over everyone to make as much as they can. After all 23andMe has obviously failed as a company, it has never turned a profit. All the "value" left in the business that you could extract can be broken down into two things:
1. Physical assets (leases on commercial buildings, office and IT equipment, etc...)
2. Intellectual assets (i.e. intellectual property, patents, customer information, etc...)
The owners of the company, having failed at turning a profit, will now seek to extract as much value as they can from the carcass. Paradoxically, had the company made a profit and was being sold then I would expect them to take great pains to not screw over their customer base for extra money, simply because that is a fast way to ruin a profitable business.
It brings an interesting point though. If you agree to a privacy policy with a company who then goes defunct and sells the data to another company, is that new company required to follow the privacy policy that was agreed with an entity that no longer exists?
Normally all agreements are void when a company goes bankrupt, so in my mind the answer is "no". However when it comes to sensitive personal data that is impossible to change (i.e. biometric/DNA data) this seems like a massive legal loophole.
As an example, if I were a hypothetical Dr.Evil and I wanted to acquire everyone's data for some nefarious purpose, I could not just ask them all to submit the data to "Dr.Evil Corp". Instead I would make some shell company that shows a nice friendly face and I get people to voluntarily submit their data in return for some service. As the goal is to collect the data it is in my specific interest that the shell company never make a profit. Once I have enough data I pull the plug on the non-profitable shell, it goes bust (and nobody is surprised it went bust, in fact people wonder how it went so long without making a profit) and I can buy up the already collected data in bulk for my nefarious purpose, sometimes even at a discount to equivalent cost of acquiring it.
(Score: 4, Informative) by Ox0000 on Monday October 28, @03:12PM
Have you actually met an MBA before?
That depends on how the sale happens: are they buying the assets or the business? If they are buying the assets, then the sale of those assets is what is subject to the privacy policy and the agreement you had with the company. Typically, the ToS say something to the effect of "we can sell this information", and in the case of 23andme, I believe this was their explicit business model. If the business gets sold with the intention of continuing business as the same entity (bankruptcy does not mean that the entity no longer exists, it just means that it is given protection in order to restructure itself which if successful could mean that business continues) then the agreements that were in place before, continue to be in place because there is continuity of entities on the business side and your side.
Now when a business goes 'out of business' and liquidates, then it's a case of the first one: sell everything, for anything! What I've frequently seen in practice is that your Privacy Policy and ToS become meaningless because what are you going to do? Sue a non-existing/liquidating entity post-factum after your data has already been pilfered and copied and consumed by the buying party? These agreements become worthless because they also typically contain a clause that says "we can unilaterally change this at our whim", which they do just before they sell this stuff on and send you a nice e-mail saying "We're selling your stuff 30 days from today and have changed the ToS to reflect our ability to do that, if you don't want this, first stop using the site for 90 days starting today to inform us you don't want this happening".
(Score: 2) by JoeMerchant on Monday October 28, @04:20PM
>is that new company required to follow the privacy policy that was agreed with an entity that no longer exists?
Absolutely.
Deed restrictions run with the land, when you buy a home from a seller who agreed to a deed restriction, you are agreeing to the same deed restriction.
In practice? In practice bottom feeders who go around buying out bankrupt entities are going to liquidate whatever they can for whatever they can get and abscond with the profits to whatever jurisdiction won't prosecute them for their illegal profits - what's their incentive otherwise?
🌻🌻 [google.com]
(Score: 2) by VLM on Tuesday October 29, @12:15PM
I think we're kind of talking past each other. Aside from TOS issues, there are various laws.
Back "in the old days" before those laws existed or were as enforced or as much attention was paid to 23andme, under a much less restrictive legal environment, they couldn't make money.
Now things are more restrictive and they can't make money.
The paranoid part is thinking if they roll back in time and go vaguely felony gangster they'll make money so they'll "have to" break the law and go gangster and post all our G's C's A's and T's in order on 4chan, although nobody can figure out how that would make them money, AND back in the wild west days it did indeed make them no money. So they'll "have to" release our private data or have it stolen just because or something, I don't understand the reasoning.
We seem to agree (I think?) that the most likely privacy breach is some construction crew contractor removes all the hard drives as scrap, sells them on ebay not knowing or caring what's on the drives, someone gets data. Data that you can't actually make money with, but a privacy violation nonetheless.