23andMe, a pioneer in direct-to-consumer genetic testing, has filed for Chapter 11 bankruptcy as of March 23, 2025, sparking widespread concern about the future of customer data privacy. Founded in 2006, the company has sold over 12 million DNA kits, with notable customers including celebrities like Oprah Winfrey and Warren Buffett. Despite the bankruptcy filing, 23andMe has secured $35 million in financing to restructure its operations and has assured customers that it will continue to operate, maintaining access to their accounts and genetic reports.
The bankruptcy filing comes after a series of financial troubles that have plagued the company since 2021, including a significant workforce reduction of 40% in 2024 and the resignation of all independent directors following CEO Anne Wojcicki's decision to take the company private. In an open letter, 23andMe emphasized that it is not shutting down, but the implications of its financial restructuring raise critical questions about the handling of sensitive customer data.
Privacy experts are particularly concerned about the potential for "genetic discrimination" amid the company's financial upheaval. The privacy policy of 23andMe states, "If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold, or transferred as part of that transaction." This means that customer data, which includes personal details and genetic information, could be sold to new owners or used in ways that customers may not have consented to.
In October 2023, a significant data breach highlighted these concerns when a hacker stole the personal information of 6.9 million people, although no genetic data was compromised. The hacker, known as "Golem," targeted specific ethnic groups, offering to sell access to personal details and genetic ancestry results. Erman Ayday, a genomic data privacy expert at Case Western Reserve University, warned that such data leaks could lead to misuse in areas like forensic investigations or even blackmail, as genetic information can reveal family connections.
Furthermore, the genetic data stored by 23andMe contains critical insights into individuals' biological makeups and potential health risks. For instance, mutations in genes like BRCA1 and BRCA2 are known to increase the risk of breast and ovarian cancers. This raises the possibility that employers or insurance companies could use this information to discriminate against individuals based on their genetic predispositions.
In light of these risks, both California's Attorney General Rob Bonta and Ontario's Privacy Commissioner Patricia Kosseim have advised consumers to withdraw their consent and request the deletion of their data from 23andMe's databases. However, even after account deletion, some personal and genetic information may still be retained by the company and its partners.
Legal frameworks governing genetic data privacy vary significantly across regions. In the European Union, strict regulations prohibit insurance companies and employers from using genetic data to discriminate against individuals. Roisin Costello, an expert in EU law, emphasized that it is "impermissible as a matter of EU law" for such discrimination to occur. In contrast, U.S. laws are less comprehensive, with protections differing by state. While some states have enacted laws to safeguard consumer privacy, the lack of a unified federal approach leaves many consumers vulnerable.
As 23andMe navigates its bankruptcy proceedings, the future of its customer data remains uncertain. The potential for new ownership raises concerns about how personal information will be handled moving forward. The company has stated that any buyer will be required to comply with applicable laws regarding the treatment of customer data, but the specifics of these protections remain to be seen.
Given the complexities surrounding genetic data and privacy, experts argue that there is a pressing need for a harmonized legal framework to protect consumers. As legal scholars Sara Gerke, Melissa B. Jacoby, and I. Glenn Cohen noted, relying heavily on privacy statements to safeguard customer data leaves individuals vulnerable to unexpected uses of their information. With genetic data at stake, it is crucial for policymakers to take decisive action to protect consumer privacy in an increasingly digital world.
As 23andMe's bankruptcy unfolds, customers are left grappling with uncertainty regarding the future of their genetic information. The company's history of data breaches and the potential for genetic discrimination underscore the importance of robust privacy protections. Consumers are urged to remain vigilant about their data and consider withdrawing consent to mitigate risks associated with their genetic information.
The case of 23andMe serves as a stark reminder of the vulnerabilities inherent in sharing personal genetic data, highlighting the urgent need for comprehensive regulations to ensure that consumer privacy is upheld in the face of corporate restructuring and financial instability.
/tpg%2Fsources%2F476af673-42a0-4592-9b21-68ddd1ae879e.jpeg)
/tpg%2Fsources%2Fb1007aa9-c48b-4a86-9207-5060dbc8df60.jpeg)