A Collective Vision for 23andMe
A Fork in the Road to Population Genomics
The Fall of a Pioneer
23andMe, once valued at $6 billion, now trades at a market cap of ~$90 million. The company that pioneered direct-to-consumer genetic testing finds itself at an existential crossroads: either find a sustainable business model or risk losing control of 15 million customers' most personal data.
This dramatic decline represents more than just another startup struggle—it raises fundamental questions about the future of personal genetic data in our increasingly data-driven and AI-infused world. When a company holds the genetic data of millions of people, its financial decisions become matters of public interest. This reality is forcing us to grapple with unprecedented questions about privacy, consent, and the proper handling of humankind’s most intimate data.
23andMe essentially popularized the consumer genetics category, convincing millions to spit in tubes with promises of ancestry insights and health discoveries. But like many platform businesses before it, 23andMe is learning that accumulating valuable data is different from monetizing it sustainably.
It's a fascinating case study of how technological capabilities can outpace business model innovation.The recent moves tell the story: laying off 40% of staff, discontinuing therapeutics development, and pivoting hard toward subscription services. CEO Anne Wojcicki maintains unwavering faith in the mission: "I believe in the company... But I believe it's essential for us to restructure."
The company expects these changes to yield annual cost savings exceeding $35 million. While still posting a Q2 FY2025 net loss of $59.1 million, the company has improved its efficiency by 21% year-over-year. As Wojcicki notes, "Market cap and reality of a company are always two different realities." This situation is particularly concerning because current regulations don't prevent 23andMe from selling or transferring this genetic data to third parties who might use it in ways customers never anticipated or approved.
What should happen to 23andMe? I posed this question to the healthcare and genomics communities. Your responses revealed fascinating potential futures for 23andMe and new visions for how we might approach the management of genomic data. Let's explore them:
1. Non-Profit Transformation
Several respondents, including Vineet Daniels, advocated for converting 23andMe into a non-profit focused on genomic research. The argument? It would "prioritize transparent operations, ethical data use and privacy" while enabling the merger of AI and genomic data for research purposes.
2. Privacy-First Revolution
A former Google Research medical sandbox developer proposed what might be the most technically sophisticated solution: DNA profiles should be hashed/encrypted with unlock keys returned to individual owners, managed through two-party authentication with open-source code. Victor Angel Mosti built on this concept, suggesting a data custodian model using "soul bound tokens" – allowing users to control and potentially profit from their genetic data's use in research.
3. Academic Integration
Dr. David Eisenberg proposed an interesting hybrid: a private acquisition with mandatory data de-identification, splitting into non-profit (academic access) and for-profit (commercial access) arms. Jeremy Friese specifically suggested Mayo Clinic's Center for Individualized Medicine as a potential steward.
4. Deletion
Dan Vorhaus offered what a thought-provoking perspective: maybe the outcome will be "a bit more anticlimactic, and just a bit sad: deletion." His argument? Our genes aren't as individually predictive as the initial hype suggested. Biobanks might balk at the effort required to integrate this data.
5. Public Good Partnerships
Some commentators focused on public-private partnerships. One respondent proposed sharing de-identified data with the Cancer Moonshot initiative to drive public health initiatives and develop new diagnostic and therapeutic strategies, offering a template for how private genetic databases can serve public health goals while maintaining privacy.
6. A Practical Three-Step Solution
Another respondent offered what might be the most implementable solution - allow the company to continue to operate, and give 23andMe customers three clear options:
1. Delete their data forever (with a potential legal release)
2. Keep their data with 23andMe under updated terms
3. Opt into research sharing with profit participation
This framework could offer a template for how genetic testing companies handle customer data going forward.
7. A Privacy-First Future
Perhaps the most contrarian suggestion came from Vera Mucaj: transform 23andMe into "the leading genomic data privacy company in the world." As she notes, "No one has learned more over the years about how important it is to win and keep trust in the genomics data space, and 23andMe can take those learnings and turn it into their superpower."
8. The Biobank Alternative
Many in the community, including Nikhil Krishnan, suggested transforming 23andMe into a biobank. This could solve multiple problems:
1. Preserve the research value of the dataset
2. Maintain the engaged user base
3. Remove commercial pressures that could compromise privacy
4. Create clearer governance structures
The engagement piece is crucial. As Nikhil notes, "23andMe customers generally seem to want to be engaged in their health and contribute to studies." This willingness to participate in research could be better leveraged in a biobank structure than under commercial pressures, “23andMe has an extremely active user base that fills out surveys all the time, and engagement is something biobanks struggle with.”
9. A Hybrid Future
Some respondents proposed more innovative structures. One compelling model would:
1. Transfer data to a non-profit trust
2. Create separate commercial and research arms
3. Give users control over their data's use
4. Share revenue from commercial applications with participants
This approach could preserve both research potential and commercial viability while better-protecting user interests.
10. The M&A Chess Board
Finally, several respondents mapped out potential strategic acquisitions that could reshape 23andMe's future. The most compelling targets?
First, Illumina. As one respondent noted, investors have long used Illumina's sequencer install base as a leading indicator for companies like 23andMe and Ancestry. The company has served as upstream infrastructure for consumer genetics – why not own the downstream too? An acquisition could create a full-stack genomics ecosystem, combining Illumina's sequencing technology with 23andMe's massive consumer database.
Then there's the clinical lab play: Quest or LabCorp could integrate consumer genetics with their existing diagnostic offerings, similar to Labcorp’s Invitae asset acquisition in August 2024, but with a direct-to-consumer twist. Or Tempus, which could leverage 23andMe's data to enhance its genomic testing capabilities for precision medicine and clinical trial applications.
A different respondent suggested Function Health as a buyer, noting that "longitudinal biomarker and health monitoring is more defensible as a subscription business model," highlighting a fundamental issue with 23andMe's current approach: "You can't even do a longitudinal study if the client only spits in a tube one time with no follow-up."
Transforming the 23andMe user experience from a one-time interaction to a platform with recurring engagement raises questions about managing consent for genomic reinterpretation—both within 23andMe itself and in the context of potential mergers and acquisitions.
In the next section, I explore the evolution of genetic data privacy, analyze case studies of M&A deals that could inform 23andMe's strategy, and share my personal perspective on the path forward.The Evolution of Genetic Data Privacy
The regulatory framework underpinning genetic data protection has evolved in distinct phases. The foundational legislation emerged in 2008 with the Genetic Information Nondiscrimination Act (GINA), which established precedent by classifying genetic information as a protected category requiring specific safeguards. Under GINA, health insurers cannot use genetic information to deny coverage, charge higher rates, or claim that a member has a preexisting condition. Similarly, employers cannot use genetic test results in hiring, firing, promotion, or other employment decisions.
However, GINA has notable gaps - particularly in disability, long-term care, and life insurance where genetic information can be used to deny coverage or adjust rates based on predispositions revealed through genetic testing. Additionally, HIPAA's scope is generally limited to health insurers and providers that work with insurance, leaving a major gap in health privacy regulation in the United States.
Imagine finding out from 23andMe that you carry a gene that increases your risk of Alzheimer's. Under GINA, a health insurer couldn't deny you coverage, but a long-term care insurer could use that information to decline your application or charge you significantly higher premiums. As a side note, I’m surprised more people do not get disability, long-term care, and life insurance before undergoing genetic testing…
The Federal Trade Commission has emerged as a crucial enforcer of genetic privacy, though it doesn't directly regulate genetic data. Instead, the FTC's authority stems from federal prohibitions on false and deceptive advertising, requiring companies to accurately describe their data use practices and obtain proper consent. The Commission actively warns companies against weakening privacy protections after acquisitions and has established clear guidance: any purchasing company must comply with the selling company's privacy policies unless consumers explicitly agree to different practices. This means any potential 23andMe acquirer would need to obtain affirmative opt-in consent from individuals before materially changing how their data is processed.
State-level legislation has introduced additional protective measures, with twenty states enacting comprehensive consumer privacy legislation. More specifically, states including Texas, California, Tennessee, Virginia, Maryland, Kentucky, Montana, Utah, and Wyoming have adopted privacy laws focused on direct-to-consumer genetic testing. These laws typically apply where HIPAA doesn't and impose strict user consent requirements. For example, Texas's 2023 law establishes that individuals have a property right in their biological samples and genetic testing results, requiring express consent for any disclosure.
Consider Texas's statutory language: "An individual has a property right in, and retains the right to exercise exclusive control over, the individual's biological sample that is provided to or used by a direct-to-consumer genetic testing company and the results of genetic testing or analysis conducted on the individual's DNA... The results of the genetic testing of an individual's DNA are confidential and may not be disclosed to another person without the individual's express consent."
This multi-jurisdictional framework for genetic data privacy and governance transforms seemingly straightforward privacy policy provisions into complex regulatory procedures. Any proposed data transfer, such as those in an M&A scenario, must navigate multiple oversight mechanisms including consumer privacy ombudsman review, state attorney general scrutiny, and FTC oversight. The result is a system where theoretical permission for data transfer exists within a highly constrained practical framework, requiring adherence to the most stringent requirements across multiple jurisdictions.
The Real-World Playbook
So how does this work in practice? Let's examine three deals that show us different approaches:
deCODE Genetics and Amgen
The first major test of genetic data protection in M&A came in 2012 when Amgen acquired deCODE Genetics for $415 million. The acquisition was particularly complex because deCODE's database wasn't just any collection of genetic information; instead, it contained genetic and medical data from approximately half of Iceland's adult population, along with extensive genealogical records and health questionnaire responses.
deCODE's approach to data protection proved innovative in several ways. The company had developed a sophisticated encryption and pseudonymization system that operated for over two decades under the approval of Iceland's Data Protection Authority. This system protected individual identities while preserving the data's research value - a technical solution that demonstrated how pharmaceutical companies could responsibly acquire and utilize genetic databases.
The deal structure itself set also important precedents. Amgen maintained deCODE's existing data protection policies and allowed it to operate as a separate entity, ensuring compliance with EU data protection regulations. Individual participants retained control over their data, and Amgen did not acquire direct access to individual-level information. Instead, the partnership focused on using aggregated data for drug discovery and later expanded into refining patient populations for clinical trials.
However, the transaction also raised important ethical questions about the commercialization of population-level genetic data. While the $415 million price tag reflected the database's value, the Icelandic volunteers who provided their DNA and health records received no direct financial benefit from the sale. This tension between scientific advancement, commercial interests, and participant benefit has since become a recurring theme in subsequent genetic data transactions.
23andMe and GSK
The 2018 partnership between GSK and 23andMe pushed the boundaries of genetic data sharing while establishing new standards for privacy protection. Rather than a full acquisition, this collaboration demonstrated how companies could monetize genetic information while maintaining robust privacy safeguards. The deal structure incorporated several innovative protections: GSK received access only to de-identified, summary-level data rather than individual records; 23andMe implemented a clear opt-in model for research participation; and they maintained strict separation between commercial and research uses.
Most impressively, 23andMe achieved 80% participation rates by building trust through transparency. The partnership's success in obtaining such high opt-in rates while maintaining privacy protections provided important lessons for future genetic data transactions. The commercial structure of the deal itself set important precedents. While GSK made upfront payments for data access, the agreement maintained 23andMe's control over the database and included provisions for downstream royalties. This approach demonstrated how genetic data partnerships could align commercial incentives with privacy protection, though questions remained about the broader ethical implications of monetizing consumer genetic data.
Ancestry.com and Blackstone
The 2020 acquisition of Ancestry.com by Blackstone for $4.7 billion was initially heralded as a model for privacy preservation in M&A, however, closer examination reveals both achievements and challenges.
Blackstone approached the privacy question with unprecedented explicit safeguards. The deal structure incorporated technical and legal barriers preventing Blackstone from accessing raw DNA data, and they maintained all existing privacy policies and consent requirements, demonstrating how acquirers could preserve privacy protections even during ownership transitions. These measures included continuing to honor GINA protections and maintaining existing user control mechanisms over data sharing.
However, the transaction also highlighted several structural challenges in genetic data protection. Ancestry's privacy policy, like many in the industry, contains provisions permitting data use for "scientific research" and "building new products and services." While Blackstone has publicly committed not to access or monetize the genetic data, these broad terms theoretically leave room for future changes in data utilization. Furthermore, the existing regulatory framework provides incomplete protection as HIPAA doesn't cover genetic testing companies, and GINA's scope remains limited to specific use cases in healthcare and employment.
The complexity of protecting genetic data becomes particularly apparent when examining the broader business context. Private equity ownership naturally comes with expectations of value creation, potentially creating tension between privacy preservation and commercial imperatives. This tension isn't unique to Blackstone, but it reflects a fundamental challenge in the consumer genetics industry: how to balance the commercial value of genetic databases with robust privacy protection.
Several structural solutions emerged from this transaction. First, the deal established clear technical and legal firewalls between the acquirer and sensitive data. Second, it demonstrated how existing privacy frameworks could be contractually reinforced during ownership transitions. Finally, it showed how commercial interests could be aligned with privacy protection through careful deal structuring.
Unsolved Questions
The complexity of protecting genetic data becomes even clearer when we look at how companies operate today. Take 23andMe - they operate under different rules for different parts of their business. Their telehealth services must comply with HIPAA, while their direct-to-consumer genetic testing services don't fall under HIPAA's scope. This regulatory patchwork has led many companies to implement voluntary privacy protections that exceed requirements, betting that stronger privacy protections are good for business.
While 23andMe's privacy policy technically permits personal information to be "accessed, sold or transferred" during corporate events like sales or bankruptcies, the reality is more complex. Under Section 363(b)(1) of the U.S. Bankruptcy Code, even conventional customer data transfers face intense scrutiny (just look at what happened when RadioShack tried to sell its customer database during bankruptcy). For genetic data, these challenges multiply exponentially.
Any company trying to transfer genetic data today must navigate consumer privacy ombudsman review, state attorney general scrutiny, FTC oversight, and varying state requirements. It's a system where legal permission to transfer data exists in theory but faces substantial practical limitations in execution.
So what have we learned from all this? First, successful genetic data transfers depend on viewing privacy protections as business assets rather than limitations. Companies that build robust privacy frameworks and explicit consent mechanisms often find these enhance their acquisition value. Second, technical solutions like encryption and anonymization are essential bridges between data utility and privacy protection. Finally, regulatory compliance should be viewed as a starting point, not an end goal, for building user trust.
The challenges aren't going away - genetic information creates unique risks during ownership transitions, especially when new stakeholders bring different priorities. But the industry has responded with innovative solutions: tiered access systems, sophisticated consent management platforms, and novel contractual structures that preserve privacy rights while enabling value creation. The future of genetic data protection will likely continue this trend of innovation within careful bounds.
The real question isn't whether we can protect genetic data in a commercial world - we've shown that we can. The question is how we'll continue to innovate while keeping these protections strong. Based on what we're seeing, I'm cautiously optimistic about the answer.
The De-identification Dilemma
One particularly thorny challenge is the concept of "de-identified" genetic data. While companies often promote de-identification as a privacy solution, genetic information poses unique re-identification risks. Traditional de-identification methods that work for standard medical records become less effective with genetic data for several reasons:
Genetic data is inherently identifying - even small segments of DNA can be unique to an individual
Family relationships can be inferred from genetic similarities, meaning one person's genetic data can reveal information about their relatives
As genetic databases grow larger and more sophisticated, the ability to cross-reference and re-identify individuals increases
Advances in computational methods and AI continue to enhance re-identification capabilities
This reality creates significant challenges for companies trying to monetize genetic databases while maintaining privacy promises. What counts as "de-identified" today might not remain so tomorrow as technology advances.
The Chilling Effects of Legal Uncertainty
The complex and evolving regulatory landscape around genetic data has created significant hesitation within the business community. Companies considering genetic data acquisitions or partnerships face a challenging calculus:
Operational Complexity: The need to comply with varying state requirements creates significant implementation challenges. A company must potentially maintain different data handling procedures for customers in Texas versus California versus Wyoming, multiplying compliance costs.
Future Regulatory Risk: The rapid evolution of genetic privacy laws makes long-term planning difficult. What's compliant today might not be tomorrow, and retrofitting data handling systems can be extremely expensive.
Reputational Stakes: The sensitivity of genetic data means that any privacy missteps can cause devastating reputational damage. Several potential acquirers have explicitly cited these risks as reasons for avoiding genetic data assets.
Consent Ambiguity: Legal uncertainty about what constitutes adequate consent creates ongoing liability concerns. For instance, if a company obtains consent for research use of genetic data, how broadly can that consent be interpreted? Can it cover new types of analysis that didn't exist when consent was given?
This uncertainty has already impacted business decisions in the sector. Several potential acquirers have cited regulatory complexity as a reason for avoiding genetic data assets, while others have implemented extremely conservative data handling practices that may limit innovation. Some companies have reported spending more on legal analysis of genetic data privacy requirements than on the technical infrastructure to handle the data itself.
The impact extends beyond just M&A activity. Companies are hesitant to develop new products or services using genetic data, even when those innovations could provide significant public benefit. The challenge lies in finding a balance between enabling valuable research and commercial applications while maintaining robust privacy protections in an uncertain regulatory environment.
A Note on Consent and Medical Practice
One final consideration that deserves attention is the increasingly blurry line between recreational genetic testing and medical practice. As genetic testing companies provide more health-related information, questions arise about when interpretation of genetic data crosses into medical practice. This has implications for both privacy and liability - medical advice typically requires stricter privacy protections and creates additional obligations for providers. As 23andMe and similar companies continue to expand their health-related offerings, clarity around these distinctions becomes increasingly important.
So what’s my view?
After analyzing the various proposals and examining 23andMe's current trajectory, I take a highly pragmatic stance. While many of the suggested alternatives present intriguing possibilities for reimagining genetic data management, we must ground our discussion in current market and regulatory realities.
First, 23andMe has every right to operate its business within the bounds of existing law. The company built its platform through legitimate means, obtaining consent from millions of customers who willingly shared their genetic information. While we can debate the optimal structure for genetic data management, we cannot discount the company's right to pursue a viable business model while maintaining compliance with regulatory frameworks.
However, this right comes with substantial responsibilities. Any potential M&A transaction involving 23andMe's genetic database must undergo rigorous multi-jurisdictional scrutiny and navigate a complex web of GINA protections, FTC oversight, and varying state-specific requirements. The precedents set by previous genetic data transactions, from deCODE to Ancestry, provide a framework for how to ensure proper handling of sensitive information during ownership transitions.
The market consistently overlooks a critical weakness in 23andMe's foundation: the inherent limitations of their genetic database itself. Despite the company's often-praised collection of genetic data, its use of Single Nucleotide Polymorphism (SNP)-based testing imposes fundamental constraints that limit the utility of the data in research and clinical settings. SNPs only capture isolated points of variation while missing vast stretches of potentially crucial genetic information - akin to trying to understand the plot of a story by reading every hundredth word. This limitation becomes particularly acute when considering that many clinically significant genetic features - from structural variations to rare mutations - cannot be detected through SNP analysis.
The implications for drug discovery are profound. Not only does SNP testing miss critical genetic elements like copy number variations and complex structural changes, but it also does not provide insight into gene expression or somatic mutations (changes that occur after birth)-elements that can reveal both disease mechanisms and drug responses. The gap between having a large database of partial genetic information and deriving actionable insights for drug development is far wider than commonly acknowledged.
Some might suggest that 23andMe could simply re-sequence their stored DNA samples to obtain more comprehensive genetic data. However, there would be several challenges to doing so:
1. Sample Viability: The preservation methods used for initial SNP genotyping are typically not optimized for long-term storage that would enable high-quality whole genome sequencing. DNA naturally degrades over time, and the initial preservation methods might have already compromised sample integrity.
2. Financial Reality: Given 23andMe's current cash position and ongoing losses, the company likely lacks the resources to make the substantial infrastructure investments needed to upgrade its genetic testing capabilities. The recent staff reductions and focus on cost savings suggest major technological investments are unlikely in the near term.
3. Legal Hurdles: 23andMe's original customer agreements might not include permission for genome/exome sequencing, meaning they'd potentially need to obtain new consent from customers even if they had viable samples.
Given these considerations, perhaps the most realistic path forward is to let 23andMe pursue its current commercial strategy until it either succeeds in building a sustainable business model or faces an inevitable sale/wind down.Conclusion (for now)
The coming months will be crucial. For now, the deletion instructions from my previous post remain relevant for those concerned about 23andMe’s management of their data. Can the company thread an increasingly narrow needle of building a sustainable business while maintaining the trust of millions who've shared their most personal information? As several respondents noted, the solution might lie not in choosing between commercial viability and public good, but in finding creative ways to serve both masters.
Thanks for reading,
Morgan
Huge thanks to Ross Friedberg of Goldsand Friedberg for his feedback and contributions to the piece.