23andMe’s struggles are a sign that direct-to-consumer DNA testing needs stronger oversight



23andMe, a major company providing direct-to-consumer genetic testing, has been struggling financially since late 2023. In September 2024, the company’s stock hit a rock-bottom of US$0.30, down 96 per cent from its peak share price of US$17.65 in 2021.

Since its founding in 2006, 23andMe has sold more than 12 million testing kits globally and attracted high-profile customers, including Snoop Dogg, Oprah Winfrey and Warren Buffett. While some companies like Ancestry and myHeritage just focus on tracing the ancestry and ethnicity of their customers, 23andMe also provides health-related testing and reports.

In September 2024, seven of the company’s eight board members resigned, stating it was “clear that we differ on the strategic direction for the company going forward,” leaving CEO Anne Wojcicki its sole board member. Two months later, in November, 23andMe announced plans to cut 40 per cent of its workforce — approximately 200 jobs — and discontinue its therapeutics division to stay afloat.

These developments raise questions about how 23andMe’s future might affect customers’ genetic information, and they revive age-old concerns about the need for stricter privacy laws and regulations over the use and commercialization of genetic information.

A pile of black-and-white photographs and yellowed documents seen on a table
23andMe is one of the most popular direct-to-consumer genetic testing companies, along with Ancestry and myHeritage.
(Shutterstock)

Issues and controversies

23andMe’s current troubles may have been caused by various issues and controversies over its 18-year lifespan, including a data breach that began in April 2023 but was only reported in October of that year.

A hacker accessed personally identifiable information belonging to around 6.9 million users. While 23andMe stated this didn’t include DNA records, customers’ family trees, birth years and geographic locations were compromised. While these may not be as sensitive as genetic information, they can still be used to build detailed profiles of individuals.






Some users felt that more could have been done to protect their data. A group of Canadian customers are suing 23andMe over the breach. A separate lawsuit filed in the United States has resulted in a US$30 million settlement.

The breach has also prompted investigations by international regulators. In June 2024, Canada’s Office of the Privacy Commissioner and the United Kingdom’s Information Commissioner’s Office launched a joint investigation into the breach. Their findings have yet to be released.

This breach is only one example of the growing concerns around data security in the expanding field of direct-to-consumer genetic testing.

Genetic information

Genetic information receives some legal protection in many jurisdictions, including Canada and the United States.

In Canada, the Personal Information Protection and Electronic Documents Act regulates how organizations collect, use or disclose any personal information, including genetic data, while conducting commercial activities.

Additionally, the Genetic Non-Discrimination Act prohibits companies from collecting, using or disclosing genetic test results without written and voluntary consent. Similar restrictions also exist in the U.S. under the Genetic Information Nondiscrimination Act of 2008.






These restrictions are not absolute, but they limit 23andMe’s ability to transfer, sell or release their users’ genetic information in Canada and the U.S. However, their effectiveness in protecting customers’ privacy depends on how specific terms such as “personal information” and “genetic information” are interpreted, as well as what constitutes a “legitimate purpose” that would permit disclosure.

Even with these protections in place, individuals remain anxious, with some describing “feeling naked and exposed at a next level” in light of 23andMe’s struggles. This has led some experts to urge customers to withdraw their consent and/or delete their accounts as an additional precaution.

Data privacy and information exploitation

The recent controversies surrounding 23andMe, including its financial struggles and concerns over data security, have reignited calls from customers, scholars and members of the public for stricter regulations over genetic information and the companies that handle it.

While some restrictions exist, genetic information doesn’t receive the same level of protection as health records do. Unlike other personal information, genetic information is permanent, individually unique yet shared with others, offers deep insights into a person’s biology, and cannot be retracted once shared. This makes genetic data particularly vulnerable to misuse.

A tube and set of instructions for collecting saliva sit on top of an open cardboard box
A 23andMe DNA testing kit.
(Shutterstock)

There also needs to be better regulation of the accuracy and reliability of results provided by genetic testing companies. One of the most troubling examples of this is 23andMe’s testing for the BRCA1 and BRCA2 genetic mutations, which have been linked to higher risks of breast and ovarian cancer.

Early diagnosis of these mutations ensures treatments are more effective, but 23andMe’s test for these mutations has been shown to be highly inaccurate. A 2019 study found that nearly 90 per cent of participants who carried a BRCA mutation would have been missed by 23andMe’s test.

The issue is compounded by the fact that companies like 23andMe, while often partnering with certified clinics and laboratories, are themselves not certified or “regulated [as a] health services provider.” While this is clarified in the fine print of their terms of service, their marketing often leads users to think otherwise.

A call for stricter regulations

Beyond the accuracy of tests, there is increasing concern that the business model of companies like 23andMe may not be in the best interests of their customers.

Some critics argue these companies’ tests are “mechanism[s] meant to be a front end for a massive information-gathering operation against an unwitting public.”

Companies like 23andMe require users to opt in to have their data used in licensing agreements with other businesses. Just last year, 23andMe was paid $20 million to let pharmaceutical company GSK “conduct drug target discovery and other research using the 23andMe database.” Additionally, in the case of a merger or acquisition, 23andMe’s repository of customer information could be sold as a valuable asset.

These instances highlight the need for stricter limits and controls for direct-to-consumer genetic testing companies more generally. Without tighter oversight, consumers may continue to face risks regarding the accuracy of their test results and the security of their personal data.

As the field of direct-to-consumer genetic testing expands in an ever-digital world, it is critical that laws and regulations evolve to protect the safety and well-being of customers.
