23andMe: a case study in the sensitivity of health data

The 23andMe company offered DNA tests for recreational purposes. It’s in a particularly delicate situation, and its data is in danger of being sold to the highest bidder. In this article, I explain the risks involved and the likely scenarios.

You’ve probably never heard of it, and yet you should. The American company 23andMe is on the verge of bankruptcy and owns the genetic data of 15 million people. Before long, this data will be out in the wild and sold to the highest bidder without the people concerned being able to do anything about it. This was stipulated in the terms and conditions of sale. A textbook case of data privacy.

23andMe: a company specializing in DNA testing for the general public

23andMe specializes in DNA testing for the general public. It is likely to go bankrupt in a few days.

23andMe has faced a fall in its stock market value and internal upheaval. All its directors have resigned, employees have left, and the company may be sold. This would include selling the genetic information of its 15 million customers. According to the terms of use of their services, there is nothing to prevent this.

This data represents one of the world’s largest sets of people’s DNA and raises significant concerns about the security and use of sensitive medical data (see also our article on consumer perceptions of data types). Unlike traditional medical records, the American HIPAA law does not protect this genetic information, and a change of ownership could alter the company’s commitment to confidentiality. Moreover, it is explicitly stated that 23andMe reserves the right to update its privacy policy at any time. Therefore, the risks for users are heightened, even though any change should logically lead the company to ask for its customers’ consent. But out of every 100 people who receive an email informing them of a change in the terms of service, how many will do anything about it?

DNA testing: a $2.5 billion market by 2028

In 2022, the market for consumer genetic testing was estimated at $1.1 billion and is expected to reach $2.5 billion by 2028. These tests are easy to perform and allow you to understand your ethnic origins. Therefore, they are “recreational” tests requiring you to send some genetic material for analysis.

The company 23andMe was one of the leaders in this sector, with 12 million tests performed. Prices for this type of test have become very affordable, and it will cost you just over €100 and a little of your saliva to access a complete genetic profile.

What accounts for the success of DNA testing?

The success of these tests can be attributed as much to affordability as to a healthy dose of marketing. It is remarkable to analyze the extent to which the marketing discourse of companies selling this type of kit has been based on “gamification.”

To see for yourself, look at the design of these companies’ websites and the functionalities offered on their mobile applications. Let’s take a look at 23andMe (see screenshots below):

  • Access to results via a mobile application
  • Tangy colors
  • Fun features

Everything is done to break with convention and move away from the austere world of medicine. For example, gamification enables two customers to compare their genetic heritages on their app (leftmost screen below).

Screenshots from the 23andMe website. The mobile application to consult results offers “gamified” functionalities

What are the implications for data privacy?

The 23andMe case naturally raises several questions. Seen from Europe, where data privacy regulations are particularly strict, these questions are even more numerous.

First, 23andMe was fined $30m for inadequate protection of customer data. Secondly, as I wrote in my preamble, the general terms and conditions of sale are quite broad and give the company a great deal of latitude:

  • it can change the terms of the contract at any time
  • it can transfer ownership of the data to a third party in the event of resale

Of course, the conditions also specify that customers can close their accounts and delete their data. But honestly, do you know many consumers who exercise their rights? Consumer laxity is the breeding ground for bad practices when protecting confidential data.

Consumer laxity is the breeding ground for bad data protection practices.

The chances are that this data will end up in the wild, especially in a country where protection rules are very slim (except in California, where a law strictly regulates genetic data).

And yet, in addition to revealing our ethnic origins, DNA data can also tell us about a natural predisposition to disease. And when we talk about disease, we’re talking about risk. So, this data would be a godsend for insurers. Fortunately, a law prevents them from using it in the United States. And in Europe, the right to be forgotten concerning insurance is beginning to be well established. In France, the February 2022 law known as the “Loi Lemoine” reduced the right to be forgotten to 5 years for people who have had cancer or hepatitis C. The insurance sector is, therefore, quite strict.

However, this data could be acquired by other players in unregulated sectors, who would have free rein to cross-reference it and experiment outside any legal framework. Primarily, I am thinking of pharmaceutical companies, for whom these genomic profiles would amount to a giant market research study. These 15 million profiles could be used to create population segments based on potential health problems and, who knows, target them with distinct marketing actions.

The possibilities are immense, and the repercussions go beyond the United States. I certainly hope this doesn’t happen.

