Delete Your Data: The Case for Better Consumer Protection
The popular DNA testing company 23andMe filed for bankruptcy recently. This comes after demand for their at-home DNA kits tanked following a significant data breach in 2023.
Their decision to continue operations during Chapter 11 proceedings suggests that they hope to maintain business as usual, even as they restructure. With $277 million in assets and $214 million in debt, they will be seeking a buyer, meaning your data could be up for grabs to the highest bidder.
In January, I introduced HB 1521 on Consumer Genetic Testing. Passed by the Indiana House and Senate and signed by Gov. Braun, this bill aims to protect Hoosiers’ privacy when using one of these genetic testing kits, which are most commonly utilized by companies such as 23andMe and Ancestry.com.
HB 1521 ensures that consumers are provided with explicit disclosures regarding the company’s privacy policies, requires specific and unambiguous consent on how the data can be used, and provides protections for the data processing and destruction of the DNA if desired. Moreover, once the DNA has been offered, consumers can request that it be destroyed.
Lastly, the bill grants the Attorney General the authority to seek an injunction to restrain any violation of the bill and impose a civil penalty of $7,500 per violation.
Almost one in five Americans has undergone genetic testing to learn more about their family history, genealogy, and health, as these kits are easy to use and affordable. These kits can also reveal potential underlying genetic conditions that can significantly impact an individual’s life. This information would typically be protected under HIPAA regulations as personal health information.
Companies like 23andMe, which provide this service, have access to some of the most personal information a person possesses, including their genetic makeup at the most basic level.
So, imagine submitting a genetic test, learning about your ancestry and other interesting facts, and then unexpectedly being kicked off an employer’s insurance after they purchase a data package from a genetic testing facility and find out you carry the genetic marker for a high-risk form of cancer. Or worse, you are denied a promotion because you have a genetic marker for being at high risk for heart disease.
Among other things, HB 1521 requires:
Informed Consent: Require informed consent for collecting, storing, and sharing genetic information. Individuals should be fully aware of what information is being collected, how it will be used, and with whom it will be shared.
Access and Control: Ensure individuals have the right to access their genetic information and have the ability to control who can access it. This includes the right to request the deletion or correction of inaccurate information.
Research Protections: Balance individual privacy with scientific research. Establish guidelines for using genetic information in research, ensuring that personal identifiers are removed whenever possible to protect individual privacy.
Non-Discrimination: Prohibit discrimination based on genetic information. This includes protections against genetic discrimination in employment, education, healthcare, and insurance coverage.
No one could have predicted these outcomes when home genetic tests became popular. However, in light of this breach of public trust, we must take steps to protect consumers and their data. Currently, consumers can delete their data from 23andMe by following these steps.
About a dozen states have addressed this issue and passed similar laws. Indiana will hopefully join that short list. Congress has not addressed the problem; therefore, states can take a leading role in protecting individuals’ data and privacy when using commercial DNA services.
For Hoosiers, House Bill 1521 protects individual health information privacy, prohibits discrimination using already-released data, and returns our private information to our control where it belongs.
