Struggling 23andMe May Soon Trade Your Most Private Information

Genetic Data Sells: What 23andMe's Bankruptcy Means for Your Personal Information

Struggling 23andMe May Soon Trade Your Most Private Information

When genetic testing giant 23andMe filed for bankruptcy in 2025, a storm of concerns erupted about the company's vast trove of personal information packed into their extensive genetic and health database. A U.S. judge permit the company to auction off its consumer data as part of the bankruptcy settlement.

As the furor swirled, the attorneys general from various states advised their citizens to expunge their genetic data pronto. California, for instance, encouraged its citizens to petition 23andMe to delete their data and incinerate their saliva samples. Michigan's attorney general voiced that "23andMe gathers and keeps some of humanity's most sensitive information: our genetic code."

When folks initially signed up for 23andMe, they accepted the terms and conditions and privacy notice that authorized the company to utilize their data for research and development as well as share their information in aggregated form with third parties. If consumers gave the nod for additional research, which the majority did, the company grants permission to share their individual data with these third parties too. 23andMe has also been clear that if it undergoes either a bankruptcy or asset sale, consumer information might be on the auction block.

Many customers were taken aback by these turn of events, expressing both surprise and concern. In the realm of bioethics and law, I've pondered direct-to-consumer genetic testing for nearly a decade. Examining the type of information 23andMe has amassed and how it could be used if sold or shared might help assuage consumers' worries.

What's 23andMe Up to?

When 23andMe debuted in 2007, it was one of the first direct-to-consumer genetic testing firms in the U.S. A substantial investment from Google and interest from other investors allowed it to prosper during a time when many other direct-to-consumer genetic startups folded like a house of cards.

The company's business model is rather straightforward: Customers purchase a genetic test kit online, spit in a tube they receive in the mail, mail it back, and access their results through an online portal. Over 15 million consumers snatched up 23andMe, and the majority consented to its research activities. At its zenith, the company was valued at $6 billion.

Although the market initially believed in the value of 23andMe's business model, its stock heeft been plummeting for years and now the company is deeply in debt to its creditors.

A decline in test kit sales after a 2023 hack, which compromised nearly 7 million people's data[1], and the company's inability to turn a profit from third-party data access are among the factors that contributed to its rapid downfall. Potential lack of interest in 23andMe data by private companies might stem from the fact that a significant portion of the information the company collects is self-reported, which is considered less reliable than information scribed by a doctor in a medical record.

What's In Your Data? (Warning: It's Worth More Than You Think)

"If you ain't paying, you're the product" might ring a bell. Well, 23andMe convinced its customers to be both the consumer and the product by offering DNA test kits to them while simultaneously amassing a mountain of valuable data.

But what kind of data did 23andMe amass beyond just genetic data derived from customers' spit?

Amazingly, around 85% of customers gave the green light to 23andMe research. This allowed their individual-level data to be used for studies. The company then gathered data from survey questions about their personal health and beyond, such as drinking habits and risk tolerance. This means that 23andMe has the genetic data of 15 million people, as well as almost a billion other data points associated with this genetic information. This makes the 23andMe dataset both ultra-private and incredibly valuable.

Pharmaceutical companies, like GlaxoSmithKline, seemed to agree. In 2018, 23andMe granted GlaxoSmithKline a license to use consented customer data for drug development[2]. When 23andMe went public in 2021, its $6 billion valuation reflected the promise of this business model.

But scholars, including me, have been raising warning flags for more than a decade about the dangers of allowing 23andMe to collect and use personal data. Many customers may not fully understand or feel comfortable with what they're getting themselves into.

Time to Worry: What Could Go Wrong?

In response to the current privacy concerns, 23andMe claims that there will be no alterations to how the data is stored and safeguarded during the bankruptcy process. But what exactly should customers be concerned about moving forward?

First and foremost, law enforcement could employ genetic information in either civil or criminal cases. In 2018, police turned to the genetic testing company GEDmatch to help identify the Golden State Killer[3]. They pretended to be potential customers looking for genealogy data and sent in an old crime scene blood spot. This allowed them to trace back to known suspects and their relatives who provided their genetic information as 23andMe customers. Although this was in violation of GEDmatch's own policies, the evidence was still successfully utilized in court.

Second, genetic information can potentially be utilized to discriminate against customers if it shows they have or are at an elevated risk of developing a genetic disease or disorder. While the Genetic Information Nondiscrimination Act (GINA) addresses certain facets of this concern, it does not protect against discrimination in long-term care or life insurance[3].

Most of the media attention revolves around genetic information because it is unique to only one person. But directors of direct-to-consumer genetic testing companies also hoard a gigantic amount of personal information gathered from the surveys customers complete. If this information is inadvertently or intentionally disclosed, it could potentially be used to manipulate folks in targeted advertising or to construct algorithms that take advantage of their vulnerabilities.

In Sarah Wynn-Williams' 2025 book "Careless People," she reported that Facebook used indications of customers' self-consciousness regarding their physical appearance, such as deleting a selfie, to promote beauty products[4]. If firms know such intimate details about a person, they could not only use it for targeted advertising, but also potentially manipulate them on social media or the internet in ways they do not realize.

I believe consumers are justified in feeling alarmed about how their genetic data might be misused. However, the survey data containing innumerable other personal information is at least as much, if not more, of a privacy predicament. This is particularly concerning if the data is pooled together with other information available on the internet, like a dating profile, to create a more comprehensive - and personal - picture of an individual. I am purging my own 23andMe data. In the future, I would also advise consumers to tread cautiously when gifting their personal information to the private sector without fully understanding the potential consequences.

Kayte Spector-Bagdady, Associate Professor of Obstetrics and Gynecology, University of Michigan. This article is republished from The Conversation under a Creative Commons license. Read the original article.*

Enrichment Data:

Overall:

The sale of 23andMe's consumer data during its bankruptcy proceedings raises several significant privacy concerns:

1. Data Theft and Breaches: There is concern that any new owner of the data may not have adequate data security measures in place, potentially leading to breaches similar to the one 23andMe experienced in 2023.[1][2] This could expose sensitive genetic, health, and personal information.
2. Reidentification and Unauthorized Use: The unique nature of genetic data means it can be used to reidentify individuals, even if anonymized. This raises concerns about how the data might be used beyond what consumers initially intended, such as in discrimination or law enforcement activities.[2][3]
3. Lack of HIPAA Protections: Because 23andMe is a direct-to-consumer company, it is not bound by the Health Insurance Portability and Accountability Act (HIPAA), which protects medical information shared between healthcare providers and insurers. This leaves consumers relying on company privacy policies and consumer protection laws like the Genetic Information Nondiscrimination Act (GINA)[2]
4. Transfer of Data Without Consent: While 23andMe has agreed to maintain its privacy policies for any buyer, there is still concern that data might be transferred in ways consumers did not anticipate, as the original consent agreements allow for data sharing under certain conditions[1][3]
5. Regulatory Oversight: The Federal Trade Commission (FTC) has emphasized that any buyer must adhere to existing privacy policies and applicable laws. However, this requires active regulatory enforcement to ensure compliance[1][5]
6. Lack of Transparency: The sale of 23andMe's consumer data raises questions about the transparency of its data sharing policies and how consumers can make informed decisions about their own data.
7. Legal Liability: If 23andMe's data should somehow contribute to a breach, a new owner or buyer may face legal consequences, potentially holding some responsibility for any resulting damages.
8. Misuse of Data: The misuse of genetic information has the potential for significant harm to individuals, including discrimination, privacy violations, and even identity theft.[2][4]

Mitigation Measures:

• Consumer Action: Consumers can delete their accounts and request the destruction of genetic samples. California's laws, like the California Consumer Privacy Act (CCPA) and the Genetic Information Privacy Act (GIPA), provide additional rights for Californians to control their data[4]
• Regulatory Alertness: State attorneys general and the FTC are actively monitoring the situation, urging consumers to be cautious about their data[1][4]
• Transparency and Clear Communication: 23andMe could work to improve its communication with customers regarding how data is shared and stored, including making data storage policies more easily accessible and understandable for all
• Privacy-Focused Business Model: The genetic testing industry might consider adopting a more privacy-focused business model, prioritizing customer privacy and consent when it comes to data access and sharing.
• Stronger Regulations: To address ongoing privacy concerns, regulators may need to enact stricter regulations to protect consumers' sensitive information, including greater oversight of data sharing practices and stricter penalties for non-compliance.

1. The sale of 23andMe's consumer data during its bankruptcy proceedings is causing concern, as the company's vast trove of genetic and health information may be used in ways that consumers did not intend.
2. California's attorney general has advised citizens to petition 23andMe to delete their data due to the sensitivity of the information, which includes both genetic code and self-reported personal health data.
3. When customers signed up for 23andMe, they accepted terms and conditions that permitted the company to utilize their data for research and development, as well as share their information with third parties. However, these terms may not fully address the potential misuse of genetic data.
4. In the future, consumers may need to be more cautious when gifting their personal information to companies like 23andMe, considering the potential consequences as illustrated by the company's bankruptcy proceedings.
5. Pharmaceutical companies, like GlaxoSmithKline, have shown interest in 23andMe's consumer data for drug development, demonstrating the value of such data and the potential for it to be used by third parties.
6. Concerns related to 23andMe's sale of consumer data include data breaches, reidentification and unauthorized use, lack of HIPAA protections, transfer of data without consent, regulatory oversight, lack of transparency, legal liability, and misuse of data.
7. Mitigation measures include consumer action, regulatory alertness, transparency and clear communication from 23andMe, a privacy-focused business model, and stronger regulations to protect consumers' sensitive information.

Read also: