25 March 2025

23andMe Files For Bankruptcy, Raising Concerns Over Genetic Data Privacy

California Attorney General urges residents to delete their accounts as company faces scrutiny about data security and future ownership.

In a concerning turn of events, DNA testing company 23andMe has filed for bankruptcy as of March 23, 2025, an action that has raised significant concerns regarding the privacy and security of the genetic data of over 15 million users. This development comes against a backdrop of increasing scrutiny over how consumer health data, particularly genetic information, is handled by companies offering direct-to-consumer testing services.

The bankruptcy filing aims to facilitate the sale of the company, which has faced ongoing financial distress, including the resignation of its board of directors last year. In its public communication, 23andMe assured customers that this filing would not alter its methods of data protection and emphasized that privacy considerations would be a top priority during any future sale. However, this raises a critical question: what happens to consumer data during a company acquisition?

Sara Gerke, an associate law professor at the University of Illinois Urbana-Champaign, noted, "We're getting into an era where we have more entities sitting on these big datasets." This increasing presence of data-saturated companies amplifies the risks associated with personal health information being inadequately protected, especially in the absence of robust federal regulations governing genetic data usage.

California Attorney General Rob Bonta, in a proactive measure, advised 23andMe users on March 21, 2025, to exercise their rights under state privacy laws. Bonta encouraged Californians to delete their accounts and request the destruction of their genetic material, citing the importance of taking control over their personal data amid the uncertainty surrounding the company's future. "California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data," he stated.

The implications of the bankruptcy extend far beyond just financial troubles. With the rise of companies like 23andMe and the widespread adoption of genetic testing, concerns have grown over the potential for data misuse. According to 23andMe's own privacy policy, certain genetic information must be retained to comply with legal obligations, even if users opt to delete their accounts. This includes retention of genetic information, date of birth, and sex. This retention policy raises alarms about the actual control consumers have over their genetic data.

Echoing these concerns, privacy and civil liberties experts have consistently warned against the use of such ancestry and DNA testing services. They highlight the scant federal privacy regulations that limit how companies can utilize consumer information. One such expert, Andrew Crawford from the Center for Democracy and Technology, pointed out that privacy policies are often lengthy and laden with legal jargon, complicating consumers' understanding of what their rights are concerning their data.

Adding to the precariousness of 23andMe's situation is the legacy of a massive data breach from 2023, in which the company suffered a cyberattack that compromised the information of approximately 7 million users. In this incident, hackers attempted to sell the data of individuals with specific ethnic backgrounds on a dark web forum, raising further questions about security protocols and data handling practices. Following this breach, 23andMe has faced not only internal organizational challenges but also more than 50 lawsuits alleging failure to promptly notify users about the breach. The company has also recently attracted the attention of regulatory bodies outside the U.S., including an impending fine from the UK Information Commissioner's Office amounting to £4.59 million.

For the millions of people who have already shared their DNA with 23andMe, the question remains: how can they safeguard their genetic privacy? Experts recommend deleting accounts as the best avenue for consumers to protect their privacy. Yet, even in doing so, users must navigate the complexities of 23andMe's policies. According to the company's policy, even if users delete their accounts, retained information could persist due to legal retention requirements.

"You've got to be careful where you put your data," noted Lisa Pierce Reisz, an attorney at Epstein Becker Green. While companies like 23andMe may promise to delete data, the inherent risks tied to genetic information's permanence in various records remain constant.

This situation underscores a broader issue: the lack of federal protections for customer data shared with companies like 23andMe, as existing laws such as HIPAA exclude much consumer data from their purview. With lawmakers proposing bipartisan data privacy legislation, the future remains uncertain. For now, consumers are encouraged to take proactive steps to protect their data, as 23andMe navigates its financial and operational challenges.

The take-home message here is clear: once personal data is handed over to a company, control over that data can diminish sharply. Users should remain vigilant and informed regarding privacy policies and their rights over the data they choose to share.