23andMe Looks to Sell Genetic Data of 15 Million

Genetic testing company 23andMe has filed for Chapter 11 bankruptcy, raising urgent concerns over the privacy of more than 15 million customers' DNA data. The company announced plans to sell its assets (including users’ genetic data) through a competitive auction process, with CEO and co-founder Anne Wojcicki stepping down to enter the sales process as an “independent bidder”.

While 23andMe insists there will be no change to how it stores, manages, or protects customer data, regulators and privacy experts aren’t convinced. “Folks have absolutely no say in where their data is going to go,” said Tazin Khan, CEO of the nonprofit Cyber Collective, in a statement to NBC News.

The California Attorney General's office responded swiftly to the news, announcing a consumer alert that urged users to delete their genetic data, request the destruction of test samples, and revoke any research consent. The alert includes step-by-step instructions on how to permanently remove personal data from 23andMe's systems.

Mark Jensen, chair of 23andMe’s board, said the company remains “committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction.” However, many see this as insufficient.

“Genetic data is immutable and can reveal very personal details about you and your family members,” warned the Electronic Frontier Foundation. Because relatives often share genetic markers, even those who never used 23andMe may have their privacy compromised.

This isn't 23andMe's first data crisis. In 2023, a data breach exposed the records of 6.9 million users, leading to class-action lawsuits and a $30 million settlement. The company then quietly amended its Terms of Use to make lawsuits harder, sparking more criticism.

Unlike health data protected by HIPAA, 23andMe’s genetic records fall into a gray zone with minimal federal oversight. Andrew Crawford, an attorney at the Center for Democracy and Technology, explained that “HIPAA protections don’t typically attach to entities that have IOT devices like fitness trackers and in many cases the genetic testing companies like 23andMe.”