This article was published by Bloomberg Law. https://news.bloomberglaw.com/us-law-week/23andme-bankruptcy-puts-spotlight-on-genetic-privacy-compliance
23andMe has filed for Chapter 11 bankruptcy, and a major factor contributing to its downfall was growing public concern over genetic data privacy. These concerns intensified after a massive security breach that compromised the genetic information of millions. The bankruptcy and the data breach together call attention to concerns around genetic data privacy and misuse.
This bankruptcy also raises critical questions: What are the key takeaways for businesses that collect and use genetic data—from direct-to-consumer genetic testing companies to health-care providers, insurers, AI developers, and research organizations? Why should the Trump administration urgently intervene with stronger regulations?
Risks
Consumers’ concerns over their genetic data stem from its uniqueness. “Genetic data” refers to any information about a consumer’s genetic characteristics, including raw DNA sequence data, genotypic and phenotypic information derived from DNA analysis, and self-reported health information. Unlike other personal data, genetic data is permanent and intimate. It contains unchanging information about health susceptibilities, familial connections, and biological attributes. In the event of a data breach, you can change a password or obtain a new credit card, but you can’t revise your genetic data.
The 23andMe 2023 data breach heightened public concerns over genetic data privacy. First, misuse of genetic data may lead to discrimination. For example, life insurers may charge higher premiums or deny coverage to individuals with a proven genetic risk. Employers may use genetic testing to avoid hiring workers with genetically predisposed illnesses in order to reduce potential health-care costs and absences.
Second, breaches of genetic data may result in sophisticated synthetic identity fraud, where criminals exploit genetic information to create false identities or impersonate relatives for financial gain.
Third, national security risks are a significant concern. If hostile foreign governments obtain Americans’ genetic and medical data, they could develop biological weapons targeting the population or food supply, and gain significant strategic and economic power over the US.
Even de-identified genetic data, which is often considered safe, may pose risks. With the emergence of large genomic databases, de-identified genetic data for research and business purposes can be linked to individuals using genomic software and public information, creating a significant re-identification risk.
Existing Legal Framework
Both federal and state governments have passed a series of anti-discrimination and privacy laws to mitigate these issues. At the federal level, the Genetic Information Nondiscrimination Act protects Americans from genetic discrimination in two key areas: health insurance and employment. Title I prohibits health insurers from using genetic information for coverage, premium, or eligibility decisions, excluding long-term care, life, and disability insurance. Title II, enforced by the Equal Employment Opportunity Commission, prevents employers from using genetic information in employment decisions, with exceptions for the US military and small employers.
GINA works alongside the Health Insurance Portability and Accountability Act and the Affordable Care Act to prevent genetic discrimination in health insurance. HIPAA classifies genetic information as protected health information, and the ACA mandates “guaranteed issue,” preventing insurers from denying coverage based on pre-existing genetic conditions. The Americans with Disabilities Act was used to challenge genetic testing, notably in a 2001 EEOC lawsuit against BNSF Railroad for secretly testing employees for a genetic condition, which was ultimately settled.
The Federal Trade Commission also plays a role in penalizing deceptive or unfair practices involving biometric or genetic information. This includes false claims, misleading collection or use practices, and failing to address foreseeable risks such as data security breaches or discriminatory outcomes. However, the FTC’s enforcement powers are reactive, rather than proactive.
While federal law provides baseline protections against discrimination, state laws often go further. California’s Genetic Information Nondiscrimination Act extends protections to housing, mortgage lending, education, and public accommodations. Other states such as Arizona, Utah, Kentucky, Maryland, and Wyoming have enacted laws requiring some combination of clear privacy policies, informed consent for data use, robust data security, user control over data access and deletion, and restrictions on sharing data with insurers or employers.
Most states with broad privacy laws classify genetic data as sensitive information, imposing stricter regulations on companies handling it. Maryland further restricts genetic data through data minimization and a ban on its sale. States such as Washington, Nevada, and Connecticut have passed specific consumer health data privacy laws that extend protections to genetic information by requiring opt-in consent and restricting its sharing or sale.
This patchwork of state laws creates a complex and often confusing compliance landscape for businesses operating across state lines.
Compliance Strategies
To address these risks, and to comply with the complex legal framework, the following compliance strategies are recommended.
- Publish clear privacy notices outlining the company’s data practices. The notice should include the purposes for which genetic data is processed, with whom data will be shared, data retention periods, and instructions on how to delete the data.
- Inform consumers about their rights under applicable laws, and set up a process for consumers to access their genetic data, delete their accounts, and request the destruction of biological samples.
- Establish a robust consent management mechanism to obtain explicit consent from individuals before collecting, processing, or sharing genetic data. Consent should be specific to each purpose, such as research or marketing, and users should be allowed to revoke consent at any time.
- Implement an industry-standard data security system to prevent potential data breaches. Regularly review security practices and conduct audits to ensure compliance with state and federal laws.
- Conduct data protection assessments to evaluate risks associated with processing genetic data and implement measures to mitigate those risks.
While federal laws, such as HIPAA and GINA, protect the public against genetic discrimination, they don’t fully address consumer genetic privacy or national security risks. New federal genetic privacy legislation should standardize protection of genetic data, such as consent requirements, data minimization, and restrictions on data resale.
The 23andMe bankruptcy is a wake-up call. Businesses need to prioritize consumers’ genetic privacy not only for survival but also to maintain public trust, while the federal government must establish a consistent, nationwide regulatory framework to protect national interests.