23andMe’s Bankruptcy Raises Privacy Concerns About the Future of Genetic Data
On March 24, 2025, 23andMe, a prominent genetic testing company, filed for Chapter 11 bankruptcy in the United States. This move follows a significant decline in demand for its ancestry testing kits and a damaging data breach in 2023 that compromised the personal information of approximately 7 million customers. The bankruptcy filing raises substantial concerns regarding the future of the genetic data of over 15 million users worldwide, as it may be sold or transferred to a new company as part of the reorganization process.
Background on 23andMe’s Challenges
23andMe’s market capitalization peaked at nearly $6 billion in 2021, driven by a surge in DNA testing enthusiasm. However, interest in such services has waned, affecting both 23andMe and its competitors like AncestryDNA. The company has struggled with customer retention, as many users only purchase kits once, finding little incentive to continue using the service. The 2023 data breach further eroded customer trust, leading to a $30 million settlement in a related lawsuit.
Privacy Concerns and Risks
The primary concern for users is the potential sale or transfer of their genetic data to a new company. 23andMe’s privacy policy indicates that in the event of a bankruptcy, merger, acquisition, or sale of assets, personal information may be accessed, sold, or transferred as part of the transaction. This raises questions about how a new owner might use the data, potentially for purposes different from those originally agreed to by customers. Some of the most extreme of these scenarios could involve the use of genetic data to evaluate insurance coverage and costs, among a host of other possibilities. Updates to a change of privacy and related practices via the privacy policy and potentially the terms and conditions are a nuanced area, including as it relates to enforceability. Still, practices can change even though previous versions of an online agreement state otherwise, especially if proper notice and consent are sought. Courts analyze such updates with highly scenario-specific analyses that can differ from case to case.
There are also concerns about the security and strength of operations for a company that already had a breach and is now in dire straits. For example, could there be another breach due to the nature of the company’s position and potentially limited resources, low morale, or disgruntled employees?
All that said, 23andMe has published a letter that includes FAQs about the bankruptcy proceedings, aiming to provide clarity to customers.
Compliance with Bankruptcy and Privacy Laws
In the United States, the sale or transfer of personal data during bankruptcy is governed by a variety of laws, including Section 363(b)(1) of the Bankruptcy Code, which allows data sales if the company’s privacy policy permits it. However, if the policy does not authorize such sales, a consumer privacy ombudsman must be appointed to review the transaction. There are also relatively new state-specific data privacy laws, such as the California Consumer Privacy Act (CCPA), which further complicate these sales by imposing stricter requirements on how personal data can be sold or otherwise transferred. Further, there are genetics-specific privacy laws, such as state laws, as well as federal laws, such as the Genetic Information Nondiscrimination Act (GINA).
HIPAA and Genetic Data
Unlike health records generally protected by the Health Insurance Portability and Accountability Act (HIPAA), genetic data collected by companies like 23andMe is generally not covered by HIPAA. This means that users do not have the same level of protection for their genetic information as they do for medical records shared with healthcare providers, which are regulatorily referred to as “Covered Entities.”
Steps Customers Can Take
Customers of 23andMe who are concerned about their data can consider deleting their accounts. However, this may not entirely remove all associated genetic data, as some information might remain in anonymized form for research purposes, and other information might be retained for a period to comply with “compliance obligations.” Instructions on how to delete an account can be found in publications like The Verge.
Consumer Alerts and Regulatory Oversight
Attorney General Rob Bonta of California has issued a consumer alert regarding the potential risks associated with 23andMe’s bankruptcy, emphasizing the importance of understanding how personal data might be handled in such scenarios. Regulatory bodies and privacy advocates are closely monitoring the situation to ensure compliance with existing privacy laws and to protect consumer rights, including privacy rights relating to access and deletion requests, among others.
Going Forward
The bankruptcy of 23andMe highlights significant privacy risks and challenges in managing sensitive genetic data during corporate restructurings. As the company navigates its financial difficulties, it will be interesting to see how users deal with the potential implications of their personal information being in potential limbo and how regulatory bodies navigate, ensuring that any data transfers comply with applicable privacy laws.
