23andMe, one of the first companies to provide direct-to-consumer genetic testing kits, has filed for bankruptcy. Since its founding in 2006, it has sold over 12 million DNA kits, with high-profile users including Oprah Winfrey and Warren Buffett.
The company filed for Chapter 11 bankruptcy on March 23 under the United States Bankruptcy Code. This means 23andMe — now considered a debtor-in-possession — will start restructuring its finances and operations under court supervision.
Despite the bankruptcy filing, 23andMe said it’s not shutting down. Having secured US$35 million in financing for the restructure, 23andMe has stated in an open letter that it will continue operating. Customers still have full access to their accounts, reports and data.
News of the bankruptcy has reignited concerns about data privacy, particularly what happens to customers’ personal and genetic information. Considering 23andMe’s past challenges and controversies, these concerns are understandable.
In 2023, hackers exploited old passwords to gain access to the personal information of 6.9 million people. While 23andMe said no genetic data was compromised, information like family trees, birth years and geographic locations was. Some of the stolen data was later put up for sale on a hacking forum.
In addition to the breach and resulting legal suits, the company has been in financial trouble since 2021. In 2024, 23andMe laid off 40 per cent of its workforce and saw all its independent directors resign unanimously in response to CEO Anne Wojcicki’s decision to take the company private. Wojcicki has since stepped down.
Data as assets
A key concern now is what will happen to customer data during the bankruptcy process. The possibility of new ownership has some customers concerned about how their sensitive genetic information will be handled in the future.
23andMe’s privacy policies say the following:
“If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.”
This means 23andMe could technically sell customer information as part and parcel of the company to ensure competitive bids. This information includes both individual-level data, such as genotypes, diseases and traits, as well as de-identified data that doesn’t include names or addresses.
The company could also expand licensing agreements with pharmaceutical companies, which would allow them to use customer information for research. For instance, 23andMe’s “discovery collaboration” with GlaxoSmithKline allows consumer data to be used for research on novel drugs.
23andMe has stated customer data will remain protected during the bankruptcy process, since any buyer “will be required to comply with applicable law with respect to treatment of customer data.”
It is also important to note, however, that 23andMe may emerge successful from its restructuring. Filing for bankruptcy doesn’t mean a company will necessarily cease to operate. Many companies, including rental car company Hertz, General Motors and Red Lobster, all filed for Chapter 11 bankruptcy but eventually recovered and continued business operations. 23andMe could follow a similar path.
How privacy laws affect consumer data
In commercial spheres, an individual’s genetic information is treated the same as their personal information under privacy laws. The extent to which customers should be concerned also depends on where they are located.
For instance, the European Union and United Kingdom’s General Data Protection Regulation will provide additional protections to customers.
Customers in Canada have some protection under the Personal Information Protection and Electronic Documents Act (PIPEDA), as they are legally permitted to withdraw consent to the use of their personal information so long as they provide reasonable notice. However, this may still be limited by legal or contractual agreements.
In the U.S., however, the situation is much more complicated as there continues to be a lack of a harmonized legal approach to consumer privacy. Some U.S. states have enacted laws to better protect consumer privacy, like California’s Consumer Privacy Act and the Illinois Genetic Information Privacy Act.
However, U.S. federal legislation like the Health Insurance Portability and Accountability Act, better known as HIPAA, doesn’t apply because 23andMe isn’t classified as a health-care agency or an associate of a health-care organization.
What should consumers do?
There are numerous uncertainties surrounding the situation, like whether or not 23andMe will eventually cease to operate and who it might sell to. Additionally, regardless of whether or not 23andMe is sold, its privacy policies can change anytime.
In light of these uncertainties, concerned customers should err on the side of caution and delete their accounts. It is, however, important to note that 23andMe and its laboratory partners may still retain some consumers’ personal and genetic information, even after accounts are deleted.
Concerned customers should make sure to withdraw their consent and request the deletion of both their individual-level and de-identified data from the database. California’s Attorney General Rob Bonta and Ontario’s Privacy Commissioner Patricia Kosseim have also given this advice.
The anxiety and concern surrounding 23andMe’s future is an indicator that a harmonized and effective framework is needed to regulate consumer privacy.
As legal scholars Sara Gerke, Melissa B. Jacoby and I. Glenn Cohen aptly stated in their recent research article, “a legal system that relies heavily on privacy statements to protect customer data leaves customers vulnerable to unexpected uses of their data, with limited remedies.”
Without clear regulations, consumers are forced to rely on the word of companies. With genetic data at stake, it’s imperative that policymakers take action to protect consumer privacy in the face of uncertainty.