Hello all, and happy Thursday! 

In the privacy world, it’s easy to get caught up in all of the technologies and procedures and assessments and policies—meanwhile, we forget that a person (the data subject) is at the root of all that work. It’s not personal data unless there’s a person involved, after all. 

A great example: 23andMe is filing for bankruptcy, and all of that very personal genetic data it collected over the years is up for sale. Data doesn't get any more personal than that. 

The company’s privacy policy affirms that it will never share users’ information with insurance companies or law enforcement without a warrant. But will the buyer of that information hold the same standards? Even if they do, data misuse isn’t limited to just jacking up someone’s insurance premiums or investigating someone without probable cause. 

We also don't have to limit speculation to what a legal purchaser of this data might do; we know that 23andMe was hit with a data breach in 2023, exposing the data of 6.9 million people.  

The story underscores the importance of robust security, data minimization, and retention practices, as well as the importance of subject rights to ensure data subjects can control the destiny of their data—but it also shows just how much of a personal impact data privacy can have. 

Customers of 23andMe should exercise as much control over their data as their governing law allows. California Attorney General Rob Bonta offers some good advice on what to do if you used 23andMe’s services. 

Best, 

Arlo 


Highlights from Osano

In Case You Missed It...

Video: March’s Ask a Privacy Pro Series 

Check out what questions Osano’s privacy experts fielded in the last month in our latest Ask a Privacy Pro video! This month, we touch on Amazon’s My Health, My Data suit; whether you need a “reject all” button on your banner; and more. 


Blog: How Osano Does DSARs 

We’re subject to privacy laws too! That means we need to operationalize compliance, just like any other business. If you want to steal all our secrets and build an efficient subject rights request workflow at your organization, check out this blog. 


Upcoming Webinars and Events...

A Blueprint for Efficient SRRs: Mastering Your Subject Rights Workflow 

Whether you are swamped by a deluge of subject rights requests or just want more time to spend on strategic work, managing SRRs effectively is a highly sought-after goal—one that's seldom achieved. In this webinar, Osano’s Senior Product Manager Chris Simpson and Lead Implementation Manager Christie Roy will show you the best (and worst) approaches to handling your SRR workflow. 

Save your seat | Today!

The Privacy Pro Survival Summit 2: This Time It’s Personal 

In our second Privacy Pro Survival Summit, we’re putting the personal in personal data and showcasing a suite of thought leaders and experts from privacy, security, GRC, and related fields. Learn, connect with your peers, and maybe have a little fun along the way!

Save your seat | April 10th 

 


Top Privacy Stories of the Week

How To Delete Your 23andme Data After the Company Filed for Bankruptcy 

The genetic testing company 23andMe, best known for allowing people to trace their ancestry with an at-home kit, has been struggling financially for months. So when the California biotech firm announced in a statement this week that it had entered the federal bankruptcy process with the goal of finding a buyer, one question was raised for the more than 15 million users of the service: What's going to happen to my data? The company insists customers' information is protected. But if you would like to opt out entirely, California Attorney General Rob Bonta has released this eight-step guide to deleting your genetic data from 23andMe. 


Meet California’s Next Top Privacy Boss 

California’s Privacy Protection Agency has named Tom Kemp as its next executive director, putting the tech entrepreneur at the helm of the nation’s only dedicated privacy rights enforcement agency. Kemp, formerly CEO of cybersecurity company Centrify and a longtime policy adviser to lawmakers pushing state-level privacy laws, will be the CPPA’s second-ever leader after Ashkan Soltani departed as director in January. Kemp assumes control of the agency on April 1. 


Virginia Governor Vetoes Weak AI Legislation 

Virginia Gov. Glenn Youngkin vetoed H.B. 2094, a bill that sought to regulate high-risk AI use in significant decision contexts like housing, employment, and health care. While regulating the use of automated decision systems in these life-altering decisions is an urgent need, this Virginia bill had serious shortcomings that caused opposition from both industry and consumer groups. 


Florida Federal Court Puts Florida’s Security of Communications Act in Play in the Ongoing Wave of Website Privacy Class Actions 

A federal judge in Florida denied the dismissal of a website privacy claim brought under the Florida Security of Communications Act (FSCA). In doing so, the judge may have thrown the FSCA back into the mix of decades-old statutes that pose new dangers to consumer-facing websites, such as the California Invasion of Privacy Act (CIPA). 


ChatGPT Hit with Privacy Complaint Over Defamatory Hallucinations 

OpenAI is facing another privacy complaint in Europe over its viral AI chatbot’s tendency to hallucinate false information. Privacy rights advocacy group Noyb is supporting an individual in Norway who was horrified to find ChatGPT returning made-up information that claimed he’d been convicted for murdering two of his children and attempting to kill the third. Earlier privacy complaints about ChatGPT generating incorrect personal data have involved issues such as an incorrect birth date or biographical details that are wrong. One concern is that OpenAI does not offer a way for individuals to correct incorrect information the AI generates about them. Typically, OpenAI has offered to block responses for such prompts. But under the European Union’s General Data Protection Regulation (GDPR), Europeans have a suite of data access rights that include a right to rectification of personal data. 


Like what you hear from the Privacy Insider newsletter?

There's more to explore:

🎙️The Privacy Insider Podcast

We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.

📖 The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands

The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.

If you’re interested in working at Osano, check out our Careers page
