After filing for Chapter 11 bankruptcy protection, popular U.S. genetics testing company 23andMe is now seeking court authorization to sell “substantially all of its assets” — which may include the sensitive health and genetic data of its roughly 14 million customers.
Legal experts and some U.S. officials are advising customers to delete their accounts — but even this may not be enough to prevent some of their personal information from being sold, they said.
Jimmy Asci, a spokesperson for 23andMe, said over email that “there are no changes to the way the Company stores, manages, or protects customer data,” and that any buyer would have to comply with the “applicable law with respect to the treatment of customer data.”
Asci did not answer when asked to confirm whether the company intends to sell its customers’ health data.
These sensitive data are “one of 23andMe’s biggest assets — indeed likely its biggest asset,” noted I. Glenn Cohen, faculty director of the Petrie-Flom Center at Harvard Law School, who recently authored a paper examining the sale of genetic information by DNA testing companies.
“It (is) predictable then, upon bankruptcy, it will be an asset under sale,” he said.
What happens to my data if 23andMe goes under?
The company’s privacy policy explicitly states that, in the case of a bankruptcy or sale, “your Personal Information may be accessed, sold or transferred as part of that transaction.” 23andMe’s privacy policy will still apply to the personal data transferred to the new entity, it continued.
“We may also disclose Personal Information about you to our corporate affiliates to help operate our services and our affiliates’ services,” the document read.
But even though the company indicated that bidders would have to abide by its existing privacy statements, “once it acquires the data the new company could offer a different privacy statement with different rules of use that might be less protective of customer privacy,” Cohen noted.
Cohen also expressed concern that customers voluntarily shared their DNA information with a particular idea in mind for how that data will be used. “Those might be quite different with a new company,” he said.
In an open letter to its customers, the company affirmed that, through its sale process, it will “look to secure a partner who shares in its commitment to customer data privacy and will further its mission of helping people access, understand and benefit from the human genome.”
“Our users’ privacy and data are important considerations in any transaction, and we remain committed to our users’ privacy and to being transparent with our customers about how their data is managed,” it continued.
Can you delete your health data from 23andMe?
In its open letter, the company assured customers they still have the ability to delete their data and 23andMe account. But Sara Gerke, an associate professor of law at the University of Illinois and a co-author on Cohen’s paper, noted that reality may be more complicated.
It’s true you can still delete your 23andMe account. But that doesn’t mean the company will delete all its information on you, according to its privacy policy.
“23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations … even if you chose to delete your account,” the document read. Gerke said this retained information can then be sold or transferred to other entities.
Similarly, Gerke said about 80 per cent of 23andMe customers have opted into sharing their de-identified genetic information and self-reported information for research purposes. If a customer deletes their account, they will automatically be opted out of research and their sample destroyed, the privacy policy reads.
But if that information has already been included in a data set or published in research papers, the company will not be able to retract that information, she explained: “It’s already out there.”
All that said, Cohen and Gerke still advise customers to delete their 23andMe accounts if possible. It’s a sentiment echoed by Rob Bonta, the Attorney General of California where 23andMe is based.
“Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company,” he said in a consumer alert issued on Friday.
What protections exist for my data?
In its privacy policy, 23andMe asserts it will not share customers’ personal information with public databases, insurance companies or employers and law enforcement — “absent a valid court order, subpoena, or search warrant.”
A “transparency report” issued by the company suggested it received 11 requests for customer data from law enforcement between 2015 and Feb. 28, 2025, specifying 15 different users. No data was produced without “prior, explicit consent” from the individuals in question, the report read.
Customers also have the right to opt out of certain features, such as the storage of their genetic samples (like saliva) or receiving personalized recommendations based on their sensitive data.
However, the privacy policy notes the company will share customers’ personal information with “service providers” which can include entities involved with sample analysis, IT and cloud storage and marketing and analytics.
These protections only apply to 23andMe’s current privacy policy. Should one’s information get sold to a different company, it’s possible for that company to alter this privacy policy to offer fewer protections, Gerke and Cohen say.
23andMe and privacy breaches
Cohen said he is especially concerned about the fate of 23andMe’s accrued genetic data following its high-profile data breach in 2023. The incident resulted in the leaks of roughly 6.9 million customers’ personal information.
“I would worry about what the data security looks like for the company that buys the data and whether my data will be exposed,” Cohen said.
WIRED reported at the time that the leaked information included customers’ display names, sex, birth years and some details about their genetic ancestry results. But the company claimed the hack did not leak DNA records.
In September of 2024, 23andMe agreed to pay $30 million to settle a lawsuit following the breach. Two months later, it announced it will cut about 40 per cent of its workforce, about 200 jobs, amid dwindling demand for its services.
23andMe CEO steps down
Anne Wojcicki, who co-founded 23andMe nearly two decades ago, has stepped down as CEO, the company announced. She will still remain on the company’s board. Joe Selsavage, the company’s Chief Financial and Accounting Officer, will take on the role of interim CEO.
Her resignation came weeks after a board committee rejected a nonbinding acquisition proposal from Wojcicki, who had been trying to take the company private.
Wojcicki signalled she still intends to bid on 23andMe, writing on social media she resigned to be in the “best position to pursue the company as an independent bidder.”
“We fought for consumers to have direct access to their information and for them to have choice and transparency with respect to their personal data,” she said in the statement. “As I think about the future, I will continue to tirelessly advocate for customers to have choice and transparency with respect to their personal data, regardless of platform.”
With files from the Associated Press
