In the rapidly evolving landscape of recreational genetic testing, companies like 23andMe have amassed some of the largest repositories of consumer DNA data worldwide. While this explosion of personal genetic information holds immense promise for advancing personalized medicine and public health research, it simultaneously raises pressing concerns about privacy, ownership, and the fate of such sensitive data when these companies face financial collapse. A recent paper co-authored by Sara Gerke, Richard W. & Marie L. Corman Scholar at the University of Illinois College of Law, delves into this precarious intersection of bankruptcy, genetic information, and privacy, shedding light on vulnerabilities inherent in current regulatory frameworks.
When a recreational genetic testing company goes bankrupt, the destiny of its vast trove of genetic data becomes uncertain. Unlike traditional patient data governed under the Health Insurance Portability and Accountability Act (HIPAA), direct-to-consumer (DTC) genetic data often falls outside stringent privacy protections, instead treated as a business asset subject to sale or transfer. Gerke emphasizes that this data, amassed from millions of individuals who submitted saliva samples and personal health information, is likely sold to successor firms during bankruptcy proceedings. Such transactions occur without explicit ongoing consent from the original data providers, effectively transferring intimate genetic blueprints to unknown entities, which might wield this information in unanticipated or unwanted ways.
The legal tapestry protecting genetic data in the United States remains fragmented and inadequate to address these complexities. While laws like the Genetic Information Nondiscrimination Act (GINA) prevent misuse of genetic information in employment and health insurance contexts, they do not extend to other domains such as life insurance or long-term care policies. More crucially, GINA and HIPAA provide limited protection against genetic data commercialization via DTC companies. Consumers often unknowingly relinquish control over their genomic information upon submitting samples, unaware of potential future financial transactions involving their data if the company fails financially.
From a technological perspective, companies like 23andMe function as custodians of massive datasets comprising DNA sequences coupled with self-reported health and lifestyle information. The integration of big data analytics, machine learning algorithms, and artificial intelligence within these repositories enables unprecedented insights into human genetics. However, this same technological capability exacerbates privacy risks. Without robust legal safeguards, the commodification of such data not only threatens individual privacy but also risks eroding public trust in genomic science and healthcare innovation.
The narrow scope of HIPAA is another significant barrier to effective genetic data protection. Conceived during an era focused on traditional clinical settings, HIPAA’s privacy rule predominantly governs protected health information in healthcare delivery contexts, excluding data collected by third-party consumer tech companies. Consequently, DTC genetic testing results and associated personal data rarely qualify as protected health information, leaving consumers’ genetic fingerprints vulnerable to potential misuse or transfer during corporate restructuring or liquidation. This legal gap signals a wider systemic problem in the U.S. approach to healthcare data privacy.
Gerke warns that the problem extends beyond genetics. Fitness trackers, health monitoring apps, and other digital wellness platforms collect sensitive personal health data under similarly lax regulations. As these devices become ubiquitous, the aggregation of diverse data streams—from genomic profiles to biometric metrics—compounds privacy risks. The potential for bankruptcy-driven data sales or unexpected corporate mergers introduces new vectors of exposure for consumers, often without clear recourse or informed consent.
The absence of a comprehensive federal privacy law in the United States further exacerbates these challenges. Unlike the European Union’s General Data Protection Regulation (GDPR), which enshrines broad rights for individuals over their personal data—including the right to access, correct, and delete information—no equivalent nationwide statute exists in the U.S. to regulate how genetic or other sensitive information is collected, stored, or sold by DTC companies. The EU’s GDPR mandates that companies processing genetic data must adhere to strict transparency and accountability standards, granting individuals meaningful control over their sensitive information.
Some U.S. states have enacted stricter privacy laws, but this patchwork creates compliance challenges and inconsistent protections. For example, Illinois’ Genetic Information Privacy Act (GIPA) stands out for its stringent requirements, demanding explicit written consent before DTC genetic data can be shared with third parties such as insurance companies. However, such state-level protections are geographically limited and do not specify data fate during corporate bankruptcies. The lack of uniformity undermines trust and complicates governance for companies operating nationally.
Legally, the reliance on privacy policies as the primary mechanism for protecting genetic data is insufficient. These policies often emphasize company discretion rather than enforceable consumer rights and can be unilaterally changed without consumers’ explicit approval. In bankruptcy scenarios, these policies provide no safeguard against the sale or transfer of databases containing millions of individual records. Gerke calls this reliance on corporate good faith “a structural problem” within the U.S. legal system, exposing an urgent need for statutory intervention.
Proposals to amend existing laws or enact new federal privacy protections are gaining momentum among scholars and policymakers in light of high-profile cases like the rumored bankruptcy of 23andMe. Expanding the scope of HIPAA and GINA to encompass genetic data collected outside clinical settings, along with enacting data protection regulations modeled after the GDPR, could offer robust safeguards. Such reforms would empower consumers with rights to control their data, enforce transparency obligations on companies, and establish mechanisms to address data ownership in bankruptcy cases.
The ethical implications of genetic data commodification and resale are profound. Genetic information is inherently personal and immutable. Its misuse could lead to discrimination, stigmatization, or unauthorized profiling. Additionally, once data enters secondary markets—often opaque and unregulated—tracking its use or securing deletion rights becomes nearly impossible. Ensuring the integrity of genetic privacy is thus not merely a legal or financial concern, but a cornerstone of individual autonomy and dignity in the genomic age.
Ultimately, consumers must approach recreational genetic testing with heightened awareness of potential privacy trade-offs. Transparency from companies about data retention, ownership rights, and contingency plans during insolvency events is critical. Until comprehensive privacy laws emerge, individuals should consider the long-term implications of surrendering genetic data to entities whose corporate futures are uncertain. Gerke acknowledges that while legislative change is ideal, informed consumer vigilance remains an important line of defense.
The paper, published in the New England Journal of Medicine, serves as a clarion call for policymakers, researchers, and industry stakeholders to confront the fragility and risks embedded in the current management of genetic data. As big data continues to redefine healthcare and consumer technology boundaries, establishing clear, enforceable, and ethically grounded data privacy standards is imperative—not only to protect individuals but also to sustain the transformative potential of genomic science in society.
Subject of Research: People
Article Title: Bankruptcy, genetic information, and privacy — Selling personal information
News Publication Date: 1-Mar-2025
Web References: http://dx.doi.org/10.1056/NEJMp2415835
References: Gerke, S., Jacoby, M.B., & Cohen, I.G. (2025). Bankruptcy, genetic information, and privacy — Selling personal information. New England Journal of Medicine.
Image Credits: Photo by Fred Zwicky
Keywords: Genetic privacy
