23andMe’s Business Strategy Highlights the Need for More Data Privacy Laws

Nov 18, 2021 | Blog

23andMe rose to success by selling at-home DNA tests ultimately purchased by more than 11 million individuals. By some estimates, 1 in 5 Americans have handed over their DNA to 23andMe or companies like it.[1] But while many of these individuals may believe that 23andMe is only using their DNA to provide them with their ancestry or health information, they may have actually signed up for much more than they originally anticipated.

During the set-up process, 23andMe prompts individuals to provide consent so that the company can use their DNA to participate in “genetic research.”[2] 23andMe hopes to use this information to study the relationship between ancestry, traits, and certain diseases. While these goals may seem admirable to some, it’s likely that many individuals were not aware they agreed their DNA could be used for these purposes because they failed to read the Terms and Conditions or fully understand exactly what they signed up for. In fact, according to Deloitte, a whopping 91% of people consent to terms and conditions without reading them.[3]

In the case of 23andMe, for the individuals who agreed to participate in genetic research without reading the terms, their DNA is now being used to develop pharmaceutical products. 23andMe has partnered with a traditional drug maker to develop pharmaceuticals based on its findings from individuals’ DNA and to develop its own pharmaceutical product, complete with clinical trials, by the end of 2022.[4] Would individuals feel comfortable knowing that their DNA was used to develop a new cancer treatment? Even if they did, would they feel slighted knowing a company has profited off their DNA without providing them compensation? According to 23andMe, it doesn’t matter because you checked a box you may not have read or understood.

23andMe’s new business venture is just one example of the widespread effects of allowing large companies access to highly personal information, especially information related to health. There are hundreds of health-related apps and wearable devices that collect intricate health data about individuals, and information about what they do with it isn’t always readily available or is buried within terms and legal jargon.

When a company fails to disclose its data collection practices, or even worse lies about them, there are certain avenues to deter these practices, whether through litigation or a government enforcement action. For instance, the Federal Trade Commission recently reached a settlement with Flo Health, Inc., the company behind the popular period-tracking app Flo, for sharing its users’ health-related information after promising such information would be kept private.

But the same isn’t always true when that information is buried on a company’s website or when a consumer fails to read what exactly they’re consenting to, despite the heavy consequences. While there is some regulation for health information, such as the Health Insurance Portability and Accountability Act of 1996, the act went into effect decades before some health apps, devices, and services were created and doesn’t cover certain companies like 23andMe.

While there has been a push in recent years to pass laws to govern how companies disclose their use of consumers’ health data collected from wearable devices, apps, and services like 23andMe, such as the SMARTWATCH Data Act, introduced by Senators Bill Cassidy and Jacky Rosen,[5] and the Protecting Personal Health Data Act,[6] by Senators Amy Klobuchar and Lisa Murkowski, neither has been passed. Until there is a national law requiring clear disclosures to, and affirmative consent from, consumers, companies will continue to have free rein over certain health data.


[1] Kristen V. Brown, All Those 23andMe Spit Tests Were Part of a Bigger Plan, Bloomberg Businessweek (Nov. 4, 2021, 5:00 AM EDT), https://www.bloomberg.com/news/features/2021-11-04/23andme-to-use-dna-tests-to-make-cancer-drugs.

[2] 23andMe Webpage, Becoming part of something bigger, https://www.23andme.com/research/.

[3] David Medine and Gayatri Murthy, Nobody Reads Privacy Policies: Why We Need to Go Beyond Consent to Ensure Data Privacy, Next Billion (Dec. 16, 2019), https://nextbillion.net/beyond-consent-for-data-privacy/.

[4] All Those 23andMe Spit Tests Were Part of a Bigger Plan, https://www.bloomberg.com/news/features/2021-11-04/23andme-to-use-dna-tests-to-make-cancer-drugs.

[5] Eric Wicklund, Congress Eyes Privacy Protections for Data on mHealth Wearables, mHealth Intelligence (Nov. 15, 2019), https://mhealthintelligence.com/news/congress-eyes-privacy-protections-for-data-on-mhealth-wearables.

[6] News Release, Klobuchar, Murkowski Introduce Legislation to Protect Consumers’ Private Health Data (Feb. 2, 2021), https://www.klobuchar.senate.gov/public/index.cfm/2021/2/klobuchar-murkowski-introduce-legislation-to-protect-consumers-private-health-data.