Please enable JavaScript to view this website.

23andMe(and Almirall and GlaxoSmithKline and now Virgin Group Too?)

In February 2021, 23andMe announced its intention of going public via a special purpose acquisition (SPAC) IPO backed by Richard Branson, Founder of Virgin Group.1 The deal currently values 23andMe at $3.5 billion dollars, and Wojcicki and Branson each invested $25 million of their own money as part of the $250 million fund formed to take the company public.2 Through the deal with VG Acquisition Corp, 23andMe will receive $759 million from a range of investors including Branson, Wojcicki, funds managed by Fidelity Management & Research Co, Altimeter Capital, Casdin Capital and Foresite Capital.3

Anne Wojcicki founded her company, 23andMe, in 2006.4 Although 23andMe originally started as a company specializing in selling genetic tests that would reveal a client’s genetic predispositions for various traits using only a vial of saliva, the company pivoted into drug development using their vast collection of customer genetic data.5 The company currently has an estimated 10-million customers and states that over 80% of its customers have agreed share their genetic information for medical research.6

In 2018, 23andMe signed an agreement to collaborate with London-based pharma company GlaxoSmithKline (GSK).7 Using 23andMe’s genetic data of over 5-million customers and GSK’s scientific medical knowledge and commercialization expertise, the companies hoped to make major progress in developing cures and treatment for various diseases.8 Just 3 years later, 23andMe developed and licensed an antibody used to treat inflammatory diseases to Spanish drug maker Almirall SA.9. This licensing agreement gives Almirall the right to develop and commercialize 23andMe’s antibody.10 Although the development of new drugs and cures is positive, 23andMe’s partnerships with major pharmaceutical companies including Almirall, GlaxoSmithKline and its new venture with Virgin Acquisition Group do raise some data privacy concerns. 23andMe was investigated by the Federal Trade Commission regarding its privacy practices in 2018, although the inquiry was closed later that same year upon a finding that 23andMe followed the best practices for data privacy.11 However, this does not mean that 23andMe customers have nothing to worry about.

Since the recent explosion in DNA testing, there have been a number of unforeseen effects on privacy such as the outing of family secrets, the leak of previously anonymous sperm donors, and the sharing of genetic information by DNA companies with the FBI.12 The Pentagon has gone so far as to encourage military personnel to avoid taking 23andMe tests due to these potential privacy concerns.13

Three of the largest privacy risks to consumers who opt to share their DNA information include: (1) susceptibility to hacking of their information; (2) lack of genetic protection from current laws; and (3) the risk that a company’s privacy statement may change.14

First, like any other industry, 23andMe faces significant cyber-security risks. Although 23andMe has yet to have a public breach, another competitor in the genome space, MyHeritage, suffered a breach in 2017 including the account details of over 92-million people.15 23andMe maintains that it shares data outside of the company only through customer opt in agreements and that the data is anonymized and aggregated unless the customer separately agreed to have their data shared individually.16 However, accordingly to Greg Touhill, a professor at Carnegie Mellon University, even if 23andMe is prioritizing consumer privacy, “the risk of others accessing the data in a security breach could be catastrophic.”17 Touhill additionally warns that  “if your computer is hacked, you can change your passwords… You can’t change your DNA.”18

Second, the current legal framework may not provide adequate protection for customers’ genetic information. The primary law concerning genetic privacy is the Genetic Information Nondiscrimination Act of 2008 (GINA) which prevents health insurers from engaging in genetic information discrimination and also prevents employers from using genetic information in employment decisions or requesting/requiring genetic information from employees or job applicants.19 However, GINA is one of the only laws in the field. The lack of genetic information protection is already becoming evident as genetic testing companies begin to increasingly receive requests from law enforcement and courts for genetic data.20 Although the use of private genetic information databases has proved particularly useful in solving cold cases such as that of the Golden State Killer, law enforcement’s ability to use an individual’s DNA poses a thorny legal issue.21  Maria Darnovsky, the executive director at the Center for Genetics and Society, comments that “when you provide your genetic information to a DNA testing company, you are also providing information about those related to you – including distant cousins…when your relatives, including distant ones whom you may not even know, provide their DNA, they are also providing genetic information about you.”  22 Although 23andMe states that it will stand with their customers, its website states that “under certain circumstances, personal information may be subject to disclosure pursuant to judicial or other government subpoenas, warrants or orders, or in coordination with regulatory authorities.”23

Lastly, there is a risk that the company’s privacy statement may change in response to major company events – as is happening now with 23andMe’s SPAC IPO. Jennifer King, director of consumer privacy at Stanford Law School’s center for Internet and Society, commented on the risk of trusting company privacy statements by saying that “there are no limits on what these companies can do; they just have to state it in their privacy policies, which they can change at any time (though you may have to consent to it again).”24 23andMe’s privacy statements facially protects customer information, even if it goes through a business transition.25 However, 23andMe’s new business with Virgin Acquisition Group does raise some eyebrows as 23andMe’s vast DNA database would be invaluable to many third parties permitted to access it.26 Ray Walsh, a digital privacy expert at ProPrivacy, comments that “it was inevitable that someone like Richard Branson would be interested in 23andMe, this merger only goes to show that the data being amassed has massive commercial value.”27

Although 23andMe currently allows users have their accounts erased at any time, by the time the users do so, it may be too late.28 Even if a user opts to have their account deleted, the data may be deleted from 23andMe’s servers, but it may not necessarily be recalled from all of the corporate entities 23andMe has partnered with such as Almirall, GlaxoSmithKline and now Virgin Acquisition Group, all of whom may have already accessed and saved the information.29

Additionally, as a new public company, 23andMe will have to deliver value to its shareholders to justify its existence and be under increased scrutiny from investors such as Branson.30 Like many other companies that go public, this increased scrutiny and decrease in independence may lead to changes to 23andMe’s privacy policy and business model that may cause consumers to be more wary of allowing large corporations to handle their genetic data in the future. Any further regulatory protection of consumer genetic data will not only have to take into account the rapidly changing landscape of genetic testing but also the pace at which companies like 23andMe are expanding via partnerships and IPOs at rates not previously seen.

  1. Kim Lyons, Genetic Testing Firm 23andMe is Going Public via a SPAC Backed by Richard Branson, The Verge (Feb. 4, 2021, 4:01 PM),

  2. Kim Lyons, Genetic Testing Firm 23andMe is Going Public via a SPAC Backed by Richard Branson, The Verge (Feb. 4, 2021, 4:01 PM),

  3. DNA-Testing Firm 23andMe to go Public Through Branson-Backed SPAC in a $3.5 Billion Deal, CNBC Disruptor 50 (Feb. 4, 2021, 8:15 AM),

  4. Erika Check Hayden, The Rise and Fall and Rise Again of 23andMe, Nature (May 24, 2020, 12:15 PM),

  5. Id. 

  6. Kim Lyons, Genetic Testing Firm 23andMe is Going Public via a SPAC Backed by Richard Branson, The Verge (Feb. 4, 2021, 4:01 PM),

  7. 23andMe Media Center, https://mediacenter.

  8. Id. 

  9. Kristen V Brown, 23andMe Licenses its own Drug Compound to Spanish Firm Almirall, Bloomberg (May 24, 2020, 1:05 PM), 

  10. Id. 

  11. Kari Paul, Fears Over DNA Privacy as 23andMe Plans to Go Public in Deal with Richard Branson, The Guardian (Feb. 9, 2021, 4:52 PM),

  12. Id. 

  13. Id. 

  14. Eric Rosenbaum, 5 Biggest Risks of Sharing Your DNA with Consumer Genetic-Testing Companies, CNBC Disruptor 50 (Jun. 16, 2018, 2:18 PM),

  15. Makena Kelly, MyHeritage Breach Leaks Millions of Account Details, The Verge (Jun. 5, 2018, 2:00 PM),

  16. Kari Paul, Fears Over DNA Privacy as 23andMe Plans to Go Public in Deal with Richard Branson, The Guardian (Feb. 9, 2021, 4:52 PM),

  17. Id. 

  18. Id. 

  19. Genetic Discrimination, National Human Genome Research Institute (Sept. 16, 2020),

  20. Eric Rosenbaum, 5 Biggest Risks of Sharing Your DNA with Consumer Genetic-Testing Companies, CNBC Disruptor 50 (Jun. 16, 2018, 2:18 PM),

  21. Id. 

  22. Id. 

  23. Id. 

  24. Id. 

  25. Id. 

  26. Id. 

  27. Id. 

  28. C. Ip, How Secure is DNA Testing, Engadget (Aug. 27, 2019),  

  29. Id. 

  30. J. Fingas, 23andMe is Going Public as it Pushes Further into Healthcare, Engadget (Feb. 4, 2021),