Home What 23andMe’s bankruptcy means for your personal data

What 23andMe’s bankruptcy means for your personal data

· March 24, 2025 · 0 Comment

Illustration: Lindsey Bailey/Axios

Genetic testing company 23andMe, widely known for its at-home DNA testing kit, filed for bankruptcy Sunday.

Why it matters: That financial distress has sparked a big question for some of the more than 15 million customers who have used the company’s services: What does a sale mean for the genetic data 23andMe stores?

  • The lack of a repeat incentive to keep testing DNA was part of the company’s downfall — but it also means that for many customers, they spit in a tube, received their results and moved on from their data.
  • Now, that data, experts have noted, is now effectively up for sale — though 23andMe stresses “any buyer will be required to comply with applicable law with respect to treatment of customer data.”

Driving the news: California Attorney General Rob Bonta urged Californians ahead of Sunday’s bankruptcy announcement to “consider invoking their rights” by directing the company to delete their data.

  • A Sunday open letter from the company notes that customers can still delete their data and account, which it says will “automatically opt you out of Research and discard your sample.”
  • The company’s bankruptcy filing is intended to facilitate its sale.

Here’s what 23andMe’s sale could mean for customer data:

How does 23andMe use customer data?

23andMe notes in its privacy statement that it shares customer data with service providers and contractors and, if customers choose to opt in, with its research program.

  • The company has said that over 80% of customers give their consent to participate in research and that the information used has been stripped of identifying information, like a user’s name, date of birth or address.
  • “23andMe Research” entails independent activities performed by the company or in joint projects with third parties, it states.

The company emphasizes that data will not be shared with public databases, insurance companies or law enforcement (without a subpoena, search warrant or valid court order).

Zoom in: Customers can opt in or out of having their biological sample stored.

  • If a customer opts in but later wants to revoke their consent, 23andMe says it will “securely discard your stored Samples within the legally applicable timeframe.”

Yes, but: If a user opts into research but later changes their mind, any research that’s already been performed or published can’t be reversed or revoked.

What happens to genetic data during a sale?

In the case of bankruptcy, mergers, acquisitions or other forms of reorganization, 23andMe says, personal information “may be accessed, sold or transferred.”

  • The company’s privacy policies would apply to personal information transferred to a new entity, according to a March article published in the New England Journal of Medicine.
  • But that new entity, the paper states, “could create new terms of service.”

Between the lines: The U.S. doesn’t have a comprehensive federal data privacy law, the article noted.

  • While the Health Insurance Portability and Accountability Act (HIPAA) protects patients’ health information in the U.S., people interacting with 23andMe aren’t covered by HIPAA, since they are “customers” rather than “patients,” the authors wrote.

What they’re saying: If the company that takes over 23andMe’s data “lacks good data security, there’s a possibility of breach,” I. Glenn Cohen, one of the paper’s authors and a health law expert at Harvard Law School, noted in an interview with The Harvard Gazette.

  • [W]hile customers have made the decision to share with 23andMe … they really have very little say about what will happen should the company be taken over or should the company go bankrupt, and its assets sold,” Cohen added.

How can I delete my 23andMe account and data?

Customers can delete their 23andMe account within their account settings, according to the company’s customer care page.

  • Scroll to the section titled “23andMe data” and select view. Users can download information they want to keep before permanently deleting their data. More comprehensive instructions are available here.
  • After doing so, the user will receive an email asking them to confirm their request to delete their account.
  • Some data will be retained to comply with the company’s legal obligations, 23andMe notes in its privacy statement.

Go deeper: 23andMe sees personal data on 6.9 million customers stolen by hackers

huy_kontum_dx_2025

Leave a Reply

Your email address will not be published. Required fields are marked *