23andMe: Losing at digital privacy

In the age of heightened digital privacy concerns, sharing genetic data with 23andMe may not be worth the risk.

Background and business model

23andMe is a direct-to-consumer (DTC) genetic testing company that uses at-home kits and mail delivery to collect biologic samples (saliva) in order to provide customized reports about consumers’ ancestry and genetic data (e.g., predispositions to specific health conditions). 23andMe uses digital technology to analyze biologic samples and compare customer data to the large 23andMe reference dataset of samples in order to identify and classify a customer’s ancestry and genetic markers.

23andMe disrupted the genetic testing industry by selling directly to consumers a lower-quality (a limited set of genetic information compared to traditional genetic testing), lower-cost product that provided relevant genetic information traditionally available only to doctors and medical professionals.

[Figure: How 23andMe works]

[Figure: Sample 23andMe health report]

Value creation and capture 

23andMe creates and captures value by 1) charging customers for at-home genetic testing kits with individualized reports, and 2) partnering with pharmaceutical companies to share customer data for drug development.[1]

1) Customer at-home genetic testing kits: 23andMe offers three versions of genetic testing kits for customers which range in the level of information provided. A customer can purchase 23andMe’s “Ancestry + Traits Service” for $99, the “Health + Ancestry Service” for $199, or the “VIP Health + Ancestry Service” for $499. All of the kits provide ancestry and traits information, while the health-specific kits provide health predisposition, carrier status, and wellness reports. The VIP kit provides priority lab processing, premium customer support, and a 1-on-1 ancestry results walkthrough.

2) Pharmaceutical partnerships: In 2018, 23andMe initiated an exclusive 4-year partnership with pharmaceutical giant GlaxoSmithKline (GSK) to share genetic information about 23andMe’s 5 million customers. GSK will use 23andMe’s large base of customer data and proprietary statistical analytics to inform drug discovery and development. As part of the partnership, GSK and 23andMe will share in the proceeds from any new drugs that are developed. Additionally, GSK made a $300M equity investment in 23andMe at the time of the partnership.[2]

Thus, 23andMe creates value for both customers and pharmaceutical companies, and it captures that value by charging customers for genetic testing kits and partnering with pharmaceutical companies to develop new drugs.


How 23andMe is “losing” at digital privacy

23andMe laid off 14% of its workforce in January 2020 due to a slowdown in sales of its genetic testing kits. 23andMe CEO Anne Wojcicki cited privacy concerns as a possible cause of the slowdown. She believes that customers are feeling anxious about sharing genetic data due to the publicity about Facebook and other technology companies sharing customer data without consent.[3]

I view 23andMe’s lagging sales as an indicator that it is a “loser” in the digital privacy realm since 1) 23andMe was not fully transparent with customers about its data sharing practices, and 2) 23andMe may put customers’ genetic information at risk.

1) 23andMe’s data sharing practices: When customers submit biologic samples to 23andMe for analysis, they can choose to consent to or withdraw from “23andMe Research”. By consenting to 23andMe Research, customers are agreeing to let 23andMe use their genetic and self-reported information for what 23andMe describes as “research purposes”. 23andMe indicates that this data will be de-identified (name, contact, and credit card information removed) and shared with 23andMe researchers, as well as “external research partners and in scientific publications”.[4]

While 23andMe frames this consent form around research and scientific development, it was not always clear to customers that their data would be used by pharmaceutical companies until 23andMe publicly partnered with GSK. Although this data is de-identified, the arrangement still causes many customers to reconsider sharing their genetic data with 23andMe. While customers may have felt comfortable sharing information for scientific research, they may not feel comfortable sharing their data with a for-profit company. Since 23andMe was not transparent about its intention to share data with pharmaceutical companies, customers cannot be certain that 23andMe will not, in the future, share data with other companies that customers are not comfortable with.

2) Genetic information at risk: While 23andMe has data security measures in place, it cannot be certain that a data breach will never occur. In fact, DNA testing service MyHeritage was attacked by hackers in June 2018, exposing 92 million of its accounts.[5] Hackers can hold genetic information for ransom or, even more concerningly, potentially sell it to health insurance companies to use in evaluating patient eligibility or individual insurance premiums (although this would be illegal under current regulations). If 23andMe’s genetic database is hacked, customers are at risk of losing very personal and individualized information that could harm their future.

Thus, in the age of heightened concerns about digital privacy, 23andMe’s genetic testing is not as compelling for customers since sharing genetic information with 23andMe means customers are sharing their DNA with any company 23andMe chooses to partner with, and customers’ personal genetic information may be at risk of being hacked.


Student comments on 23andMe: Losing at digital privacy

  1. Thanks for a great article! Another wrinkle to consider here is how the privacy rights extend across geographies and regulatory environments. I imagine that each country of operation has varying levels of privacy requirements and restrictions. Compliance can be costly for a company with already high variable costs such as 23andMe.

    Furthermore, the healthcare and genetic information nature of this offering subjects it to even more restrictive policies. While much of the value can come from unlocking the genetic information and data users provide, there may be direct tradeoffs and competing incentives for customer satisfaction with privacy standards, political regulation of similar products and companies, and VC or other investor incentives.

    Working in the healthcare space, I know how cumbersome it can be to overcome legal regulations intended to protect consumers. Together, legal challenges, lawsuits, compliance monitoring, and even lobbying may increase the company’s risk profile significantly in the years to come, independent of customers’ reactions to privacy issues.

  2. Wow, as a 23andMe user, I am really concerned! I wonder if sharing information with pharma companies would be negatively perceived by customers though. At the end of the day, the pharma company will (ideally) use the data to invent new medications and advance science. At the end of the day, these customers did provide consent.

  3. Hi Kendra – interesting perspective. Have you considered how the company may work to make this situation a competitive advantage? For example, could they position the increased data collection as a way to provide more tailored results and value to the customer?

    Furthermore, would it be possible to run a company such as 23andMe without collecting the additional data they purport to need? If yes, I wonder why they still collect the additional data for ‘research purposes’? Could they be monetizing this somehow?

  4. Thanks for an interesting read, Kendra. As Petra mentioned, I too am concerned as a 23andMe customer. I guess it’s ultimately on me for not reading “the fine print” when agreeing to submit something as important as my genetic information, but I agree that it was never clear to customers that our data would be used by pharmaceutical companies until 23andMe publicly partnered with GSK. Also, the claim that it will be de-identified is very difficult to prove and there are no guarantees to it. I wonder what the impact on revenues would have been if 23andMe had been more direct with consumers in terms of how they would use their genetic data.

