23andMe was a pioneer in the consumer genomics industry when it launched in 2006, the first company offering at-home DNA testing for ancestry and later adding a health information component. But after seeing its valuation fall from $6 billion USD in 2021 to only about $12 million in 2024, the company has recently entered Chapter 11 bankruptcy. That leaves consumers with very serious privacy concerns, as the idea of its collected data being sold off is floated, and many are scrambling to have it removed from the company’s database while it is still intact.
The company has already been in business selling consumer data to pharmaceutical and biotech industries for some time, and the data it holds would remain protected under relevant laws pertaining to sensitive health information. However, the new recipients would not necessarily have to offer consumers the ability to opt out once they take possession of the data. And it remains unclear which (or how many) hands the data would wind up in, raising additional security as well as privacy concerns.
Privacy concerns rampant among 23andMe’s 15 million customers
About 15 million people who have submitted their DNA samples to the company over its nearly two decades in business are most directly impacted by these privacy concerns. Customers of the service have typically been opted in by default to “sharing” of data with third parties, which has contributed to prior sales to at least 30 other companies such as UK-based pharmaceutical firm GlaxoSmithKline; it is hard to say exactly how many and which companies have partnered with 23andMe in this way, as most of its agreements are kept confidential.
Users have had to proactively opt out of these sales in their account settings, though the company retained the right to “share” data for 30 days after the request was initially made. Users can also request destruction of their genetic sample, something that happens automatically if they close their account and request that it be deleted. Many users who overlooked the opt-out process, or may have consciously opted in with the belief that their information was only being shared for potentially life-saving medical research, are now scrambling to protect themselves before the company officially closes its doors and their data moves beyond their reach.
23andMe hit its financial peak during the Covid-19 pandemic period, when it went public and initially reached a market valuation of $6 billion. A 2023 data breach involving the theft of some seven million customer records contributed to the company’s financial troubles, but was only an accelerant on a problem that had been building for years: with public investors came closer scrutiny of the company’s finances, and word spread that it had never actually been profitable. A failed bid by former CEO Anne Wojcicki to take the company private again in 2024 essentially put the final nail in its coffin.
The bankruptcy announcement has prompted public officials, including New York Attorney General Letitia James and California Attorney General Rob Bonta, to urge 23andMe customers to delete their personal data from the service while they are still able to.
Lawsuits anticipated as 23andMe winds down operations
Some legal observers and privacy experts anticipate a wave of lawsuits against 23andMe, but these would most likely be based on individual state laws; at the federal level there is little legal redress available to consumers. Despite how much a DNA sample and the resulting genetic profile reveal, few requirements attach to private companies when individuals hand the material over voluntarily. The usually stringent HIPAA rules for handling personal medical information do not apply, because consumer genomics firms are neither health care providers nor insurers. Eleven states have laws covering companies that handle genetic information in this way, but they mostly require that police requests for data be backed by a warrant and that users be given a means to request deletion of their stored data.
Piyush Pandey, CEO at Pathlock, provides an example of how one of these state laws applies to the situation for those with privacy concerns: “Customers can require 23andMe to delete all the information it holds on them because genetic data falls under the California Consumer Privacy Act (CCPA). The business can face legal and financial consequences if such requests are not fulfilled. If, after submitting a deletion request, a customer does not hear back within 45 calendar days – or continues to receive personalized ads related to their genetic tests – this may signal that their personal data has not been fully deleted and should be seen as a potential sign of non-compliance.”
23andMe has attempted to address privacy concerns by reassuring customers that it strips identifiers such as names and birth dates from the stored data. But it has also only said that it “hopes” to find a sales partner that “shares in its commitment to customer data privacy.”
The way the laws are currently structured, any data sold onward from 23andMe could end up in the hands of multiple companies. Those companies may choose not to allow customers to have their samples and records destroyed, at least for customers who are not protected by a state law. At minimum that creates a drastically elevated chance of hackers breaching one of these systems and making off with the data, as happened to about half of 23andMe’s customers just two years ago, on top of the privacy concerns inherent in having the data sold and traded around.
Gal Ringel, Co-Founder and CEO at Mine, summarizes the bigger questions that this situation raises: “When a company that’s built on personal data collapses, it forces the entire industry to confront an uncomfortable truth: user trust is fragile. Genetic data isn’t like passwords or credit cards – you can’t reset your DNA. People shared their most intimate information believing it would be protected not just during business-as-usual, but in worst-case scenarios. That kind of trust has to be earned continuously – and preserved even when the business model fails. The 23andMe case isn’t just about bankruptcy or leadership change. It’s about what happens when the value of data outlasts the company that collected it. Consumers are now asking questions companies should have asked themselves much earlier: Who owns this data? Who controls it during an acquisition? Can it be sold? Should it be? These aren’t theoretical concerns, they’re central to any business working with personal or sensitive data. This is a wake-up call for the tech world to take data stewardship seriously, before it’s too late. The industry needs to shift from reactive privacy measures to proactive data accountability. That starts with embedding privacy and data lifecycle planning into the foundation of every product and every company, not as a legal afterthought, but as part of the architecture. It’s no longer enough to promise data protection ‘while operations continue.’ Companies must plan for data handling in every scenario, including transitions like M&A, shutdowns, or restructuring. There should be clear, enforceable standards around what happens to user data when ownership changes – who retains control, how consent is preserved, and what rights users have in that process. Transparency shouldn’t depend on a press release after the fact. If your business is built on sensitive data, your responsibility to protect it should outlast the business itself. The real fix isn’t just better policies. It’s cultural: making data protection a strategic priority, not a compliance issue. That’s how we begin to rebuild trust – not just in one company, but in the tech industry as a whole.”
Darren Guccione, CEO and Co-Founder at Keeper Security, adds some suggestions for organizations that handle this type of data: “The protection of genetic data requires more than just encryption – it demands strict privacy, access controls and robust identity security. Organizations handling this type of incredibly sensitive data must implement a zero-trust approach with stringent internal controls, ensuring that access is tightly restricted to only those who absolutely need it. Privileged access management is essential to minimizing risk, preventing unauthorized access and limiting the potential damage of a breach. Companies should enforce strong authentication requirements, regularly audit access logs and restrict third-party integrations that could introduce vulnerabilities. Organizations storing any personally identifiable information, including attributes of users’ DNA, should meet recognized security certifications such as SOC 2 Type 1 and Type 2 and ISO 27001, 27017 and 27018. These certifications demonstrate that the company has established robust controls covering confidentiality, security, privacy, risk management practices and internal audits to safeguard sensitive data, processes and infrastructure. Regular monitoring and periodic audits are key to ensuring continued compliance. Organizations can implement automated tools and conduct periodic assessments to ensure suppliers are adhering to required standards and regulations. By maintaining recognized security certifications, organizations are upholding high standards of security and compliance, including adherence to international regulations. Consumers also need to be empowered with greater control over their data, including clear pathways for deletion and visibility into how their information is used. Due to uncertainty over the future of the business, and the data it holds, 23andMe customers should consider contacting the company to have their genetic information deleted. As an industry, we must push for stronger security and accountability to ensure all genetic data remains protected, regardless of corporate transitions or ownership changes.”