SALT LAKE CITY (ABC4) -- The genetic testing company 23andMe recently filed for bankruptcy and announced it was looking to sell "substantially all of its assets." Here's what experts say that could mean for Utahns.
"Utah's protections for genetic information are more robust than what is available at the federal level," Clark Asay, Associate Dean and professor of law at BYU Law School, told ABC4.com. "Utah law includes both the Utah Consumer Privacy Act and the Genetic Information Privacy Act."
The Utah Consumer Privacy Act (UCPA) and the Genetic Information Privacy Act (GIPA) give Utahns the right to rescind a company's access to their genetic data, request the destruction of their genetic sample, and delete their account, according to the Utah Department of Consumer Protection (DCP).
"If you previously submitted a test sample to 23andMe and wish to ensure that it is no longer stored or used, you have the right to make this request," the DCP explained in a consumer advisory.
It's also possible to delete your 23andMe account directly through your account settings on the company's website. The DCP says 23andMe should automatically discard your sample and opt you out of any research after your account is deleted.
What could the sale of 23andMe mean for my data?
"Under Utah law, you have a right to control your personal data -- like the kind that 23andMe has," Utah Attorney General Derek Brown said.
In a press release, 23andMe said there will be "no changes to the way the Company stores, manages, or protects customer data" throughout the sale process. However, experts warn that there are risks with the collection of personal data.
Sameer Patil is an associate professor at the University of Utah's Kahlert School of Computing. He told ABC4.com that it is unclear who may buy 23andMe next, which means it is also unclear what may happen with people's data stored by the company.
"Perhaps you trusted 23andMe, and you shared the data with 23andMe -- that same level of trust, whether that's warranted with the next buyer, you don't know that because you don't even know who that next buyer is going to be," Patil explained.
He also said the new buyer's privacy policies and data handling policies may not offer the same protections as 23andMe's policies.
"The whole manner in which this data is stored, shared, used, sold, handled could be completely different from how it is now," Patil said. "The big point here is, because there's no guarantee who the next buyer is going to be, you have no idea of evaluating that until you know who the next buyer is going to be."
How do I delete my genetic data from 23andMe?
"This is a new frontier in terms of bankruptcies," Brown said. "This time, the assets are the most sensitive, confidential types of information you can have, which is your genetic fingerprint. And so, it's critical that people understand that, and are aware of their rights as it pertains to this issue."
The Utah Attorney General's Office and the DCP have provided steps you can take to remove your information from the company's databases. The steps to delete your data (as provided in the consumer advisory) are as follows:
- "Sign in to your 23andMe account at www.23andme.com.
- "Navigate to your profile’s 'Settings' section.
- "Scroll down to the '23andMe Data' section at the bottom of the page.
- "Click 'View' next to the '23andMe Data' heading.
- "If you would like to keep a copy of your genetic data, download your data before continuing.
- "Locate the delete data option.
- "Select 'Permanently Delete Data'.
- "Check your email for a confirmation link and follow it to complete the deletion process."
It is also possible to change your settings to opt out of allowing 23andMe to store your saliva sample and DNA through the "Preferences" on your 23andMe account page. You can also withdraw consent to have your genetic information be used by third-party researchers under "Research and Product Consents," the DPC said.
Asay warned that the company may have "already secured consent for transferring data to third parties as part of their standard business practices." That means that it's possible your information or sample has already been shared -- but you can still delete your account and samples to keep it from happening after the company is sold.
"As long as 23andMe is complying with their own privacy policies and with the law, they're obligated to delete that information," Patil said. "As long as that happens before any sale, merger, acquisition even takes place, then you don't even have to worry about who the new buyer is going to be because your data no longer exists for it to be transferred or sold."
Does HIPAA apply to genetic data?
No, genetic data is not protected by the Health Insurance Portability and Accountability Act (HIPAA).
Patil said genetic information is not considered health information or a healthcare record. He also said 23andMe is not considered a healthcare provider, so HIPAA doesn't apply. Asay confirmed that HIPAA does not cover genetic data.
"HIPAA applies to entities that transmit 'protected health information' in standard HHS formats (i.e., basically entities that take payment in the form of insurance or government benefits)," Asay told ABC4.com.
Asay explained that, while Utah has UCPA and GIPA, private citizens cannot enforce those laws -- they have to be enforced by the state attorney general.
Additionally, the DCP said that the UCPA gives Utahns the right to opt out of allowing companies to sell their data, and the right to obtain a copy of the data you may have previously provided. More information about rights under the UCPA and GIPA is available on the DPC's website.
The Associated Press, Renisha Mall, and Matthew Drachman contributed to this report.