Recently, the news that Regeneron acquired 23andMe’s assets out of bankruptcy has reignited a familiar debate about data privacy, trust, and the responsibilities of both companies and consumers.
Market reaction has ranged from concern to outrage, revealing a persistent gap between what the law allows and what people expect, especially when it comes to something as personal as our DNA.
I remember, over a decade ago, considering whether to become a 23andMe customer.
Unlike most online services, this one gave me pause. The stakes felt higher: it was my genetic code 🧬, not just my email or shopping preferences. So, I did something unusual—I read the terms and conditions. Buried in the legalese, but present nonetheless, was a clause stating:
data could be sold to third parties, at least in aggregate
It wasn’t front and center, but it was there for anyone willing to look.
Most of us, of course, don’t read the fine print. We click “accept” and move on, trusting that the spirit of the law will protect us, even if the letter of the law says otherwise.
But is that a reasonable expectation?
When it comes to something as sensitive as our DNA, do we not have a responsibility to understand what we’re agreeing to? I chose not to become a customer, despite my interest in the product, because I wasn’t comfortable with the terms.
This brings us to a broader question: where does responsibility lie? Is it with the company, the regulator, or the individual? There’s a growing chorus arguing that data is a human right 🤔, and that companies should be held to a higher standard.
True self-sovereignty—something we all claim to value—requires us to take ownership of our decisions. Outsourcing that responsibility, whether to a corporation, a government, or even a well-meaning friend, is a choice in itself.
We live in a world where it’s easier than ever to express outrage, but harder than ever to take meaningful action.
When a company like 23andMe goes bankrupt, its assets—data included—don’t simply vanish. Someone will acquire them, and the law (and the market) will determine who that is. If we don’t like the outcome, what’s the alternative?
Should valuable assets be left to wither, or is there a better steward out there? If so, who? And if not, what does that say about our expectations?
Ultimately, we all have the power to shape the norms and laws that govern our society. We can choose products that align with our values, advocate for clearer terms, and demand better from both companies and regulators. But we must also recognize our own agency.
Choosing not to read the terms and conditions is, in itself, a decision
… with real consequences.
As we navigate the increasingly complex landscape of digital privacy, let’s move beyond outrage and toward informed, intentional action. The future of data stewardship depends not just on what companies do, but on the choices we all make—every time we click “accept.”
I have long thought that there is an untapped market for ‘high privacy’ products, and can see a freemium bifurcation with that. I.e. the cheap version of the product abuses your data to the liking of the company, or you can pay a premium for the same/similar product where your data is not monetized. But doing so also exposes what the seller doesn’t want you to know about what they are doing with your data and how valuable it is to them. Which is why, in a race to the bottom or where the profit motive dominates the economic model, we do need our institutions to intervene and update laws to match technology and business models. Absent that, we are all data cows to be milked or living off the grid with the Amish.
Btw - what is OPC doing with our data?!? Are you selling it to Big Coffee?