Scroll to top
© 2019,

23andMe, GlaxoSmithKline, and Our Rights to Own Our Personal Data

Author Richie Etwaru
Founder & CEO,

With excitement in her heart, Susan logged onto her 23andMe account. Just a few weeks earlier, like millions of other customers, Susan had spit into a tube and mailed it to the company headquarters in Mountain View, California. She wanted her DNA tested for two reasons. She was curious about her genetic ancestry (her mother had been adopted, and she didn’t know anything about her maternal grandparents), and she wanted to know if she was at risk for sickle cell anemia, which two of her cousins had. 

Being a savvy consumer, before she paid $139 for the combined health/ancestry test, Susan had read the 23andMe privacy statement on the company website. The privacy statement looked like a small book! (In fact, it’s over 8,000 words long.) She dutifully scanned it, but it seemed like the usual bewildering stuff you read on consent forms. 

She noticed this particular paragraph, but didn’t think much of it:

“Information we share with commonly owned entities: We may share some or all of your Personal Information with other companies under common ownership or control of 23andMe, which may include our subsidiaries, our corporate parent, or any other subsidiaries owned by our corporate parent in order to provide you better service and improve user experience.”

In addition, the privacy statement asserted that 23andMe customers “acquire no rights in any research or commercial products that may be developed by 23andMe or its collaborating partners.”

There were many more such bland assertions—and to Susan, all of this legalese seemed rather abstract. The company website said, “Your privacy is in our DNA,” which Susan thought sounded cute but sincere. She had agreed to the consent form, paid the fee, and sent her sample. 

Six weeks later, as Susan eagerly read her online genetic report, she learned that one quarter of her DNA came from Argentina, which must have been on her mother’s side. She also learned that she was at risk for sickle cell anemia. She made a note to call her doctor.

On that sunny afternoon, Susan wasn’t the only one who had access to her personal medical information. A big pharmaceutical company did too.


Susan’s Medical Data for Sale

On July 25, 2018, 23andMe and the pharmaceutical giant GlaxoSmithKline announced a mutual agreement to “leverage genetic insights for the development of novel medicines.” The effort is designed to build a “multi-year collaboration expected to identify novel drug targets, tackle new subsets of disease, and enable rapid progression of clinical programs.” 

Almost as a footnote in the gushy press release, it was noted that GSK is making an equity investment in 23andMe in the amount of $300 million. 

GSK is paying for personal medical information, and 23andMe is selling.

The response from patient privacy advocates has been swift. 

Peter Pitts, president of the Center for Medicine in the Public Interest, a non-partisan non-profit that aims to promote patient-centered health care, told TIME magazine, “If your data is going to be used for commercial purposes, you should be compensated for that.”

23andMe claims that customers can choose to “opt out” of having their medical records used for research, but the language in the privacy statement is sufficiently dense and vague that if Susan and the five million other 23andMe customers chose to do this, they would find themselves in a legal morass—GlaxoSmithKine can afford to pay the best lawyers in America to defend its interests.


Consumers Can Unite and Bargain Collectively

Susan is just one consumer. She can’t fight 23andMe and GSK herself. And it’s not just genetic and health data that’s for sale; the marketplace for many kinds of personal data, from her internet browsing history to what kind of car she drives, is measured in the billions of dollars. Every day, data brokers are buying and selling personal property in the form of personal data.

But there’s a way that Susan and millions of others can organize and assert their rights as owners of their data.

How can this be done?

First, we need to assert the rights of people to own and control their personal data. believes that our set of 30 human rights adopted by the United Nations in 1948 and bestowed to every human at birth needs to be expanded by one more: Human right #31, a decentralized human right declared as, “Everyone has the right to legal ownership of their inherent human data as property.” 

But even if we recognize that Susan owns her personal data, how can she assert her rights?

Emerging blockchain technology has the ability to allow millions of individuals, who as individuals have no power to negotiate with data brokers, to engage in collective negotiation. A blockchain ledger package can be created for each individual, and in that package can be included an assertion of personal ownership of the individual’s electronic medical records, an intention to “opt out” of such data-selling programs, and a stated price and set of conditions for “opting in.” 

If enough people join the blockchain ledger, and the custodian of the ledger acts as the representative of the group in confronting the buyers and sellers of personal data, then the imbalance that exists between the individual consumer and the large corporation can be tipped to be more equitable. The point is not to prohibit the sale of personal data, but to recognize it as a form of personal property that must be traded fairly and openly, and not taken without compensation. We have laws that address the taking of personal property by deception—for example, your auto mechanic cannot take your car, sell it, and then point to an obscure paragraph in the terms of service that allows him to sell your car to someone else. The same should be true for your personal data in all its forms.

This new application of blockchain technology is a way of redefining how we choose to agree on property and legal relationships. It levels the playing field and gives people like Susan the right to manage their personal data in the way they choose, not as a big corporation chooses.


Richie Etwaru is an American business executive, author, global keynote speaker, adjunct professor and patent holder who specializes in the next era of commerce termed “Trusted Commerce”.

He has held C-level roles at Fortune 500 companies for two decades, and serves as advisor to venture capitalists, startups, governments, academia, and large organizations on transitioning to Trust Companies.

Richie’s book Blockchain Trust Companies, Every Company is at Risk of Being Disrupted by a Trusted Version of Itself (2017) is used by universities, consulting organizations, and governments, and his TEDx talk Blockchain Massively Simplified has been viewed almost 1 million times.

We are

Watch and share video. Join the movement via #My31

We are