By Anna Claire Vollers, Stateline.org

The destiny of greater than 15 million prospects’ genetic information stays in limbo after widespread DNA testing firm 23andMe filed for chapter in March. The information is up on the market, stoking fears about the way it is perhaps used and prompting attorneys normal from greater than a dozen states to warn 23andMe customers: Delete your information.

“Your genetic data is your most personal, confidential data, and you should be able to protect who has access to it,” North Carolina Lawyer Basic Jeff Jackson, a Democrat, mentioned in a March assertion.

“You have the power to delete your data now — please act quickly.”

Dr. Adam Brown, a Washington, D.C.-based emergency doctor and the founding father of a well being care technique agency, deleted his data on 23andMe as quickly as he realized of the chapter submitting, he advised Stateline.

For him, the chapter begs an important query that federal and state legal guidelines don’t totally handle: What occurs to your genetic information when the corporate holding it collapses?

Federal protections are flimsy. States have beefed up their genetic privateness legal guidelines in recent times, however many specialists say they don’t go far sufficient.

However as soon as the information is within the palms of one other firm, that firm might change its privateness coverage at any time, specialists famous.

“Once you get to the point of bankruptcy court, there may not be those same guarantees or the same ethos a new company may have around privacy protections for consumers,” Brown mentioned.

“I want people to understand there actually are not a lot of data privacy protections for consumers, especially for these direct-to-customer-type businesses.”

HIPAA doesn’t assist

Corporations equivalent to 23andMe supply their customers probably game-changing revelations about their well being and ancestry. The method is easy: Mail in a saliva pattern and the corporate makes use of it to construct a person genetic profile that may reveal not solely an individual’s household connections, but in addition well being insights equivalent to their danger of creating a illness like most cancers or Alzheimer’s.

This priceless private information underpins a direct-to-customer genetic testing market that was valued at $1.93 billion globally in 2023 and is predicted to develop, in line with market analysis agency Grand View Analysis.

23andMe was an trade large till its inventory value plummeted following a large 2023 information breach that affected the accounts of almost 7 million prospects. Then got here the $30 million class-action lawsuit settlement.

The corporate declared chapter in late March of this yr, and introduced it’s up on the market.

A flurry of alerts from state attorneys normal across the nation quickly adopted. AGs from states together with Alabama, Arizona, California, Kentucky, New Hampshire, North Carolina and Texas issued comparable press releases that beneficial prospects ask the corporate to delete their genetic profile and destroy the saliva pattern used to create it.

“We have robust state privacy laws that include data deletion rights, and I would encourage any Texan concerned about their data to exercise the right to have their data securely deleted,” Texas Lawyer Basic Ken Paxton, a Republican, mentioned in an April assertion.

The concern is {that a} new 23andMe proprietor might select to make use of or share delicate private genetic information in methods the corporate’s present privateness coverage doesn’t permit. There’s fear it may very well be used, for instance, to inflate folks’s life insurance coverage premiums or expose them to employment discrimination.

And there aren’t many guardrails to forestall that from taking place.

HIPAA, the Well being Insurance coverage Portability and Accountability Act, doesn’t apply to corporations like 23andMe. The landmark federal legislation protects sufferers’ delicate well being data when it’s dealt with by docs, hospitals and well being insurers. However direct-to-customer corporations equivalent to 23andMe or Ancestry aren’t thought of well being care suppliers, and their non-invasive saliva assortment package isn’t thought of a medical take a look at.

The primary federal legislation that protects folks from discrimination based mostly on their genetic data is sort of 20 years previous. The Genetic Data Nondiscrimination Act (GINA) was handed in 2008, lengthy earlier than the rise of at-home testing kits. It applies to employers and well being insurers, however to not life insurance coverage corporations, mortgage lenders and different non-health entities. And it doesn’t explicitly shield epigenetic data, which is details about the way in which an individual’s genes — and by extension, well being — are affected by exterior elements equivalent to smoking, illness or stress.

What states are doing

Up to now 5 years, at the very least 14 states have handed legal guidelines regulating direct-to-consumer genetic testing supplied by corporations like Ancestry and 23andMe. There’s variation, however usually the legal guidelines require corporations to get prospects’ specific consent earlier than utilizing or sharing their information, and permit prospects to request their genetic information be deleted and organic samples destroyed.

It’s a great begin, however doesn’t go far sufficient, mentioned Anya Prince, a College of Iowa legislation professor whose analysis focuses on well being and genetic privateness.

Lots of these state efforts had been constructed round a mannequin legislation developed by the Coalition for Genetic Knowledge Safety, an trade group with two member corporations: 23andMe and Ancestry.

As DNA testing kits exploded in reputation and attracted elevated scrutiny from lawmakers, the coalition pushed to affect laws and set trade requirements. The privateness protections within the legal guidelines mirror what 23andMe and Ancestry had been already doing with their very own privateness insurance policies, specialists say.

“They do have some really sensible privacy protections,” mentioned Prince. “It’s great that people can delete their genetic data, and it’s great that law enforcement needs a warrant to access it. But if a privacy advocate had written a model law, there would be the potential for more and broader protections.”

For instance, she mentioned, most of the state legal guidelines handle privateness necessities only for direct-to-consumer DNA testing corporations. If 23andMe’s information is purchased by, say, a pharmaceutical firm, these state legal guidelines now not apply.

The coalition now seems to be inactive, its web site defunct.

Since 2020, greater than a dozen states have handed some model of a genetic data privateness legislation, together with Alabama, Arizona, California, Florida, Kentucky, Maryland, Montana, Nebraska, South Dakota, Tennessee, Texas, Utah, Virginia and Wyoming, based mostly on a Stateline evaluation. This yr, the Indiana legislature handed a invoice that’s now headed to the governor’s desk. Payments have been launched this yr in different states, together with West Virginia.

Prince mentioned state legal guidelines rely too closely on shoppers to self-manage their information privateness. They’re anticipated to grasp an organization’s coverage, when research have proven the general public typically doesn’t learn privateness notices nor totally perceive how corporations use their information. Additional, many state legal guidelines don’t handle how third events, equivalent to legislation enforcement, can entry and use shopper genetic information.

It’s additionally not all the time clear how the legal guidelines can be enforced, or who’s chargeable for oversight.

“In general, I think there’s a disconnect between how people think their privacy is protected and how it’s actually protected,” she mentioned.

However just a few states have enacted legal guidelines which might be extra strong. California, for instance, has a genetic data privateness legislation, but in addition has a normal information safety legislation, in addition to a state model of the federal GINA legislation that extends genetic anti-discrimination protections into areas together with housing, training and licensing.

Florida has beefed up its DNA privateness legal guidelines in recent times, making the utilizing or promoting of a person’s DNA with out knowledgeable consent a felony punishable by as much as 15 years in jail and as much as a $10,000 wonderful. Florida was additionally the primary state to ban life, incapacity and long-term care insurance coverage corporations from utilizing genetic data to find out protection.

Learn how to delete your 23andMe information

Log in to your 23andMe account on 23andme.com.
Below your profile, click on “Settings.”
Scroll to the “23andMe Data” part.
Click on the “View” button.
If you’d like a replica of your genetic information, select the choice to obtain it to your machine earlier than continuing.
Scroll to the “Delete Data” part.
Click on “Permanently Delete Data.”
Verify your electronic mail for a affirmation electronic mail from 23andMe, then comply with the hyperlink within the electronic mail to verify your deletion request.
In the event you beforehand opted to have your saliva pattern and DNA saved by 23andMe however need to change that desire, you are able to do so out of your account settings web page, below “Preferences.”

In the event you beforehand consented to 23andMe and third-party researchers utilizing your genetic information and pattern for analysis functions, you may withdraw that consent out of your account settings web page, below the “Research and Product Contents” part.

When you have issues, you may contact your state lawyer normal’s workplace. Discover yours at www.naag.org/find-my-ag/.

Supply: Workplace of the Lawyer Basic for the District of Columbia

Initially Printed: Might 6, 2025 at 5:23 PM EDT