JUANA SUMMERS, HOST:
By now, millions of Americans have spit into a tube and sent it to 23andMe for a detailed DNA analysis. But the California biotech company struggled for years to overcome the fact that many of them were one-and-done customers. Now 23andMe is filing for bankruptcy, with the goal of finding a buyer, and that has raised questions about what could happen to the sensitive information of its more than 15 million users. John Verdi is senior vice president for policy at the Future of Privacy Forum, and he joins me now to talk about all of it. Welcome.
JOHN VERDI: Thanks so much for having me.
SUMMERS: So John, if you could just start by laying out exactly what this bankruptcy filing means for users - what kinds of laws protect the types of data that we're talking about here?
VERDI: Well, there are some state laws. There are some federal laws that protect the data, but what it really comes down to is that those laws typically focus on the uses and not parties. There's no obligation that 23andMe delete the data before, you know, selling the company. And that means that this information in past bankruptcies, involving other sorts of data, personal information has been transferred to successor entities, and some folks are worried about that. Some folks are not worried about that, but that's the reality from where it is in the United States these days in terms of regulation.
SUMMERS: The company is trying to find a buyer, and in a press release about the bankruptcy filing, the company says they are, quote, "committed to continuing to safeguard customer data and being transparent about the management of user data going forward." I have to tell you as someone, full disclosure, who has used 23andMe, I was a little concerned. So I'd love to know, in your view, how big of a risk is there of a user's genetic information ending up in someone else's hands.
VERDI: Well, given the statements, I think it's pretty clear that genetic information is going to end up in another entity's hands unless individuals delete their information, and that's something that they can do on the 23andMe website. 23andMe does provide the ability for folks to go ahead and delete their genetic profile, which is the data that was generated from the sample that you submitted. They also have the ability to go ahead and ensure that the company has destroyed the underlying biological sample. And that's typically more relevant for folks who have submitted the test more recently, but it's an important distinction between the data and the actual physical sample that the company did collect.
SUMMERS: What types of protections exist in the event that a buyer does purchase 23andMe? Could a different company do whatever they want to with that data at that point?
VERDI: A new company can definitely not do whatever they want to at that point. The successor entity would be bound by the original privacy promises and the terms and conditions that 23andMe made. And what that means is that if 23andMe could legally use the information for research, for example, today, then the successor entity could use that for research in the future. But if 23andMe promised not to, say, engage in targeted advertising with third parties using that genetic data, then the successor entity would likewise not be allowed to engage in that sort of activity.
SUMMERS: Say someone listening to our conversation, they've sent in their genetic sample. They're now worried about where that data could end up, what it could be used for. What would you say to them?
VERDI: I'd say, if you're one of those one-and-done users who hasn't really engaged with 23andMe since they sent in their sample and got their test results and learned a little bit about their heritage or their health, those folks might want to think seriously about either deleting the data or rethinking whether or not they are comfortable with an entity that is not 23andMe - which is somebody who they trusted, who they'd sent their information to - whether they're comfortable with another entity who's kind of unknown at this time, collecting, using that data in a way that is consistent with 23andMe's practices, but they're a different entity, right? They don't necessarily have that trust relationship today because that successor entity is, by definition, unknown.
SUMMERS: That's John Verdi. He's senior vice president for policy at the Future of Privacy Forum. Thanks so much for joining us.
VERDI: Thank you.
SUMMERS: And if you're looking to delete your data, npr.org has a helpful step-by-step guide.
(SOUNDBITE OF MUSIC)
Transcript provided by NPR, Copyright NPR.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.