The genetic testing company 23andMe will go public through a partnership with a firm backed by the billionaire Richard Branson, in a deal that has raised fresh privacy questions about the information of millions of customers.
Launched in 2006, 23andMe sells tests to determine consumers’ genetic ancestry and risk of developing certain illnesses, using saliva samples sent in by mail.
Privacy advocates and researchers have long raised concerns about a for-profit company owning the genetic data of millions of people, fears that have only intensified with news of the partnership.
“The question in all situations like this is where the data is going and why these different companies and investors have a financial interest in your genetic data,” said Jennifer King, a privacy specialist at the Stanford Institute for Human-Centered Artificial Intelligence who has studied 23andMe.
23andMe and Branson’s company will team up through a special purpose acquisition company (Spac), also known as a blank-check company. Such firms are created by investors with the sole purpose of raising capital as an alternative to the traditional IPO process, in which capital is raised before a company goes public. The acquisition is expected to close in the second quarter, after which the company will begin trading on the New York stock exchange under the ticker symbol ME.
Branson and Anne Wojcicki, the 23andMe CEO and co-founder, each donated $25m to the $250m Spac fund. The merger valued the company – with its 10 million-customer genome database – at $3.5bn, including debt. According to a spokesperson, 23andMe shareholders are retaining 81% ownership of the combined company and its research program will continue to be overseen by an independent institutional review board.
In a presentation by the Virgin Acquisition Group announcing the deal, the firm said research and health treatments offered by 23andMe represented the largest long-term value to its investors. The group cited the “vast proprietary dataset” of DNA that would allow Virgin to “unlock revenue streams across digital health, therapeutics, and more”.
The presentation also noted that products like a subscription service with health insights could be the future of 23andMe.
That shift from ancestry testing to health tests at 23andMe has been under way for a while. Wojcicki told the Wall Street Journal last week that the core ancestry testing line of their product had weakened in recent years. “There is absolutely that slowdown,” she told the newspaper regarding 23andMe’s shift into the health market. “We have always seen health as a much bigger opportunity.”
The company has also shared user data with GlaxoSmithKline for use in developing drugs. In 2018, 23andMe was investigated by the FTC for its privacy practices, but the inquiry was closed in 2019 after the FTC found 23andMe followed best practices for data privacy.
A spokesperson from 23andMe told the Guardian all its DNA samples were processed in the US and it did not share customer data with any third parties “without the separate, explicit consent of the customer”. Customers could opt to have their DNA sample destroyed or stored at the 23andMe lab, and they could close their accounts at any time.
“No customer data is shared with Virgin or anyone else as part of the proposed transaction,” the spokesperson said.
23andMe claims user data is only shared outside the company through opt-in agreements (80% of users opt in to research) and says data is only shared when anonymized and in aggregate, unless customers separately agree to have their anonymized data shared individually. The company’s privacy statement notes that in the event of a merger, customer data “would remain subject to the promises made in any pre-existing privacy statement”.
The explosion in access to DNA testing has had a number of unintended privacy effects, including outing family secrets, uniting the children of previously anonymous sperm donors, and solving decades-old cold cases. Some DNA companies have reportedly shared data with the FBI. Pentagon leadership has encouraged military personnel not to take 23andMe tests due to privacy concerns. By the nature of DNA, a user who takes a test also shares insights into their ancestors and children.
Even if 23andMe does prioritize consumer privacy, the risk of others accessing the data in a security breach could be catastrophic, said Greg Touhill, a professor of cybersecurity at Carnegie Mellon University’s Heinz College.
Incidents at other DNA companies show this risk is not theoretical: in 2019 a breach of one genetics website exposed the DNA data of more than 1 million people.
“The cybersecurity implications regarding the safeguarding of this data are huge,” said Touhill. “If your computer is hacked, you can change your passwords. You can’t change your DNA.”
23andMe takes a number of intensive security measures to keep data secure, its spokesperson said. Its information management system has been certified under three different independent security standards and all data is encrypted in transit. The company also stores personal, identifiable customer information (such as name and email) separately from DNA data.
This article was amended on 10 February 2021. A earlier version misstated the status of the FTC investigation, which concluded in 2019.