Home As 23andMe files for bankruptcy, what to know about protecting your data

As 23andMe files for bankruptcy, what to know about protecting your data

· March 24, 2025 · 0 Comment

With Sunday’s announcement by genetic testing firm 23andMe that it has filed for bankruptcy, customers of the site may be wondering what will happen to their data and what, if anything, they can or should do to protect it.

The company explained Sunday in a press release that it has entered a voluntary Chapter 11 restructuring and sale process, saying it intends to continue operations as normal, with no changes to how it stores, manages or protects customer data.

The company also addressed data concerns in an open letter to customers posted Sunday on its blog.

“We remain committed to our users’ privacy and to being transparent with our customers about how their data is managed,” it said. “Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.”

In an article published earlier this month in the New England Journal of Medicine, three law professors expressed concerns that existing protections may not be enough, calling on Congress to do more to shield consumer data from such corporate changes.

“If 23andMe goes bankrupt, these data will most likely be sold to the highest bidder, a successor company that customers might not want to entrust with their genetic data,” the authors wrote, describing the issue as “a structural problem in a legal system relying heavily on privacy policies to protect consumer data, while also treating those data as a valuable asset.”

Privacy laws protect some data

The genetic and self-reported data, including saliva samples and questionnaires, held by such companies represent some of people’s most guarded information, including family history and health-related data.

But such companies aren’t covered under Health Insurance Portability and Accountability Act (HIPAA) requirements, the authors of the Journal article said.

“From a legal standpoint, people therefore interact with the company as ‘consumers,’ not ‘patients,’” they wrote. While the Genetic Information Nondiscrimination Act prevents discriminatory use of such information by employers and health insurers, it doesn’t cover uses by other parties, nor does it prevent companies like 23andMe from selling people’s data.

The U.S. lacks a comprehensive federal privacy law unlike the European Union’s General Data Protection Regulation, created in 2018. While individual states such as California and Illinois have enacted their own privacy laws, enforcement is limited to those states.

Customers can have their data deleted

On March 21, California Attorney General Rob Bonta issued a consumer alert to the state’s 23andMe customers given the company’s financial distress, reminding them of their right to have their genetic data deleted.

“California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,” Bonta said. “Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.” 

According to 23andMe’s website, users can remove personal information by opting out of the 23andMe data section of account settings. The data is deleted once a user submits and confirms the request.

But some data will remain available

However, 23andMe is legally required to retain certain information, it said.

“23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth and sex as required for compliance with applicable legal obligations … even if you chose to delete your account,” the company’s privacy statement says.

It’s not clear how existing data will be handled moving forward. The company’s consumer agreements offer little comfort, the authors wrote, as the company reserves the right to transfer customer data in the event of sale or bankruptcy, and customers can’t fully protect their data from being “accessed, sold or transferred as part of that transaction.”

While the company’s privacy statement would cover personal information transferred to a new owner after the sale, they said, the new entity could create new terms of service including new and complex privacy statements that customers might agree to without taking the time to digest.

Mark Jensen, who chairs 23andMe’s board of directors, said the company decided a court-supervised sale was “the best path forward to maximize the value of the business. … We believe in the value of our people and our assets and hope that this process allows our mission of helping people access, understand and benefit from the human genome to live on for the benefit of customers and patients.”

“We will seek to find a partner who shares our commitment to customer data privacy and allows our mission of helping people access, understand and benefit from the human genome to live on,” it said.

Trending News/multimedia reporter Marley Malenfant contributed to this story.

dailynews3s_dx_2025_huy

Leave a Reply

Your email address will not be published. Required fields are marked *