
GRC Complications for 23andMe

The profound implications of 23AndMe’s bankruptcy.


The news that troubled DNA testing company 23andMe has filed for Chapter 11 bankruptcy protection, while it searches for a buyer for the business and its assets, has profound privacy implications. 

The company’s entire board of independent directors resigned in October last year, after rejecting the CEO’s offer to take the company private. The company had also suffered a breach in which hackers stole the personal data of 6.9 million 23andMe customers, about half its customer base. The data, which was offered for sale on a hacking forum, included names, birthdates, locations, DNA details, and relationships to other users on the platform.

23andMe gathers some of the most sensitive PII an individual can share: a map of their DNA, which in turn can indicate their predisposition to specific health conditions.

California Attorney General Rob Bonta is just the most high-profile advocate urging 23andMe customers to delete their data from the platform, using their rights under California’s Genetic Information Privacy Act (GIPA) and the California Consumer Privacy Act (CCPA); he has gone as far as providing explicit step-by-step instructions on how to request deletion. Users of 23andMe are not protected by HIPAA because 23andMe is not a HIPAA covered entity: even though its users receive a quasi-medical service, they are customers rather than patients of a healthcare provider.

Not only is 23andMe storing highly sensitive data, its processing of that data is complex: based on similarities in DNA, it surfaces relationships between users who may not have been aware of each other. Over 80% of 23andMe customers also consent to take part in 23andMe’s research programs, which involves sharing customer data with third-party service providers and contractors. However, the company has repeatedly stated that it does not share data with public databases, insurance companies, employers, or law enforcement (unless it receives a valid court order, subpoena, or search warrant).

The company’s end-user privacy agreement specifically covers what happens in the event of a bankruptcy and/or sale of assets, stating that the privacy statement will still apply and will transfer to the new owner. An article published in the New England Journal of Medicine earlier this year cautioned that while the privacy commitments would transfer, the new entity could “create new terms of service”.

23andMe now faces a potential tsunami of consumers exercising their data subject request (DSR) rights to understand what data the California-based firm holds on them and to request deletion of that data. Without automated processes in place, 23andMe could buckle under the pressure of complying with those requests. Not only is the data extremely sensitive, connections have been made between users (a vector that was apparently exploited by the hackers), and for the over 80% of customers who agreed to take part in research, that data now also exists on third-party systems.

While 23andMe is clearly an extreme example, Ethyca works with some of the most privacy-focused organizations in the world, where personal data flows through complex, interconnected systems. Responding to DSRs in these environments is far from trivial and is not just a case of deleting a record: every system, processor and contractor holding a copy of the data has to be identified and actioned. Our privacy-as-code approach gives our customers deep insight into where personal data resides and allows us to support companies in the event of an incident that drives a very high volume of deletion requests.
