Californians have the right to direct the company to delete their genetic data
OAKLAND — California Attorney General Rob Bonta today issued a consumer alert to customers of 23andMe, a genetic testing and information company. The California-based company has publicly reported that it is in financial distress and stated in securities filings that there is substantial doubt about its ability to continue as a going concern. Due to the trove of sensitive consumer data 23andMe has amassed, Attorney General Bonta reminds Californians of their right to direct the deletion of their genetic data under the Genetic Information Privacy Act (GIPA) and California Consumer Protection Act (CCPA). Californians who want to invoke these rights can do so by going to 23andMe’s website.
“California has robust privacy laws that allow
17 Comments
timewizard
"Why would you spit into a tube then mail it to the internet?"
— Bill Burr
hayst4ck
It's worth pointing out that this is a pro-corporate attack by the US/california government against citizens who have their data in 23andme. This is one more item of clear evidence that it is not the citizens government, but corporations government. This is also why democrats lose. They can't even wrangle corporate power in their own stronghold states.
Politicians have the responsibility of creating legislation to protect citizens, but by abandoning that responsibility and creating an "opt-out" system, those without knowledge or who aren't paying active attention lose, and companies win. The company loses almost nothing if a handful of people opt out, and only a handful of people at most will opt out, so corporations win, the politicians continue to have the support of corporations so they win, and citizens who have things being done with their data, that they absolutely would not consent to, lose.
*edit: If you did 23andMe for health information or ancestry purposes, would you consent to that data being sold to an insurance company who might raise your rates, or in a crazy world, to a background check company that would inform a potential employer of any medical conditions that might be relevant to your stability as a worker?
Of course not. You would absolutely not consent to that.
This policy of warning people to delete their data instead of stopping action that no informed citizen would consent to not only doesn't scale, but it is an abandonment of responsibility in order to retain corporate support (such as donations to run a campaign).
ronnier
> The California-based company has publicly reported that it is in financial distress and stated in securities filings that there is substantial doubt about its ability to continue as a going concern
This is one reason I use signal over other texting apps — I don't want my private messages sitting in a database waiting to be sold during a fire sale when the company goes under. Also why I try to locally host my apps such as security cameras, password manager, home automation, storage, wiki, among others
Guvante
If 23andme has an agreement with its consumers on how it will handle the data it should not matter whether they are bought that agreement should be maintained in perpetuity unless those consumers actively choose to change their agreement.
After all we wouldn't talk about Dropbox being sold resulting in ransacking of your personal data why is that in the conversation with 23andme?
(I am not being critical of the AG here but instead pointing out how lax consumer protections have gotten that we even need to have this be a talking point)
pmags
I work in population genomics (non-human organisms), and myself participated in an early near-whole genome genotyping study back when microarrays were still the predominant technology (academic NOT commercial).
But for nearly 20 years I've been telling my extended family NOT to participate in any large scale genotyping with 23 and Me or similar commercial companies where they retain rights to your data, anticipating that something like the current scenario would likely play out.
Somehow, 23 and Me genotyping became the "gift du jour" for Xmas some years back — I never personally understood that or why someone would want to turn over so much data to a commercial entity.
This is not to say that large scale sequence information is not appropriate for *some people*. But if that's something you need, make every effort to make sure you own your own data.
levocardia
So, what rich billionaire wants to buy the company, anonymize the data, then release it open-source? Would be a genuine boon to biohackers everywhere, privacy be damned.
arjie
The practice of how this does damage isn't clear to me. But I'm going to test this in the very skin-in-the-game sense. My genome (sequenced by Nebula Genomics) is available to anyone who would like it. I have raw FASTQ files which you will have to pay a nominal fee to access.
Once upon a time, a friend and I decided we should launch a site where people can submit their genomes and health information so that broad population scale studies can be done. I did submit my stuff to All Of Us and so on, but I think the fact that you need to be special-cased to access the data is probably a loss.
So I think it's time to revisit this whole thing. Perhaps I should make VCFs available instead. They're much smaller and may be more accessible for people. In any case, if you want my FASTQs, just email me.
IncreasePosts
23andme stock is down 99.12% from 5 years ago. Sheesh. What happened? Is it just not a viable business model or was it extremely mismanaged?
999900000999
[flagged]
fnord77
Bonta himself is about to be indicted by the feds in relation to the Duong family/Sheng Thao corruption probe.
slevis
It would be imo worse if the information just gets lost once 23andMe shuts down. Make genome and health information open access.
steelframe
Whenever I start feeling smug about how cagey I've been about data brokers in the past, I remind myself that enough of my relatives have handed over their DNA to operations like 23andMe so as to render my efforts futile.
Animats
The problem, not stated, is that a bankruptcy can wipe out the obligations of a company to its customers. This includes privacy obligations.[1] Especially if the assets are sold to a company outside California or outside the US.
[1] https://harvardlawreview.org/print/vol-138/data-privacy-in-b…
ripped_britches
Why is it his prerogative to suggest this? Doesn’t he have better things to do?
huitzitziltzin
The fact that 23andme is at risk as a going concern tells you what you need to know about the potential of monetizing large amounts of generic data. It turns out you can’t get much value from it. If you could, they would have.
And no I don’t think all of that DNA data would be valuable to the likes of a large health insurer like Humana or Aetna either.
The medical records you are imagining an insurer can link to genetic data are worth even less than these DNA sequences turned out to be worth.
Sincerely,
A former health economist who has worked both with tens of millions of inpatient discharge records, and (separately) a detailed survey which is complemented by genetic data.
quantified
After you go through the steps to request deletion and physical destruction of the sample, you still need to trust them, a dying concern with the desire to monetize anything remaining, to actually carry it out.
scoofy
If only we had any actual privacy laws in the United States.
I hate that I'm having my samples destroyed and removed from research. It feels wrong. But the idea that some company can quietly change the privacy terms on me is unacceptable. I would happily share my genetic data with researchers if I knew that the privacy agreement we had was irrevocable.