Who Owns Your DNA Now?

A personal genomics pioneer built on trust now faces the irony of selling the very data users thought they controlled.

Amid mounting challenges, 23andMe, a prominent US genetic testing firm, has sought bankruptcy protection to pave the way for a potential sale, a move that champions individual privacy in an era of escalating data concerns.

Late Sunday, the company announced it had voluntarily entered Chapter 11 proceedings in the US Bankruptcy Court for the Eastern District of Missouri, aiming to “facilitate a sale process to maximize the value of its business.” This strategic shift coincides with the resignation of its co-founder and CEO, Anne Wojcicki, who stepped down to spearhead an independent bid to acquire the company after facing repeated rejections from its board.

Wojcicki, who launched 23andMe in 2006 alongside Linda Avey and Paul Cusenza, has encountered significant hurdles in her vision to transform the company into a drug development powerhouse. Her ambition faltered as revenues plummeted, driven by a wave of customers — out of a total of 15 million — rushing to erase their DNA records from the company’s systems post-breach.

23andMe’s vast repository of user data, amassed through years of saliva-based ancestry testing, lies at the mercy of its own self-imposed guidelines rather than robust federal oversight.

The company’s 2023 data breach, which exposed sensitive details like genetic predispositions and ancestry reports for nearly 7 million users, underscored the sheer volume of personal information it holds. For the millions who entrusted their DNA to 23andMe, the assumption might have been that such intimate data enjoys the ironclad protections of the Health Insurance Portability and Accountability Act (HIPAA), a law designed to shield sensitive health information from unauthorized disclosure. Yet, 23andMe operates outside HIPAA’s reach, leaving it tethered only to its own privacy policies — rules it can rewrite at will.

This regulatory gap casts a long shadow over the company’s future, especially as it teeters on the brink of a sale following its bankruptcy filing. A patchwork of inconsistent state privacy laws, coupled with the absence of a cohesive federal framework, means that the genetic profiles of 15 million Americans could be up for grabs.

According to 23andMe’s privacy policy, customers’ personal information “may be accessed, sold or transferred” in scenarios like bankruptcy, mergers, or acquisitions. While the company insists its data practices will remain unchanged post-sale — pledging never to share user information with insurance providers or law enforcement without a warrant — privacy advocates should remain skeptical. Notably, 23andMe’s transparency report highlights its defiance against US law enforcement requests for DNA data, a stance that has held firm thus far.

Still, the prospect of new ownership raises alarm bells. Potential buyers might eye 23andMe’s treasure trove of genetic material as a lucrative asset to exploit in ways the current management has resisted.

In theory, 23andMe needs user approval to transfer data during an acquisition, but users could withhold it. Over a dozen states, including Montana, have enacted genetic privacy laws requiring explicit consent — Montana’s 2023 law, for instance, mandates standalone consent naming the buyer. Comparable rules apply in states like Alabama, Arizona, California, and others, with Wyoming uniquely offering a private right of action for consumers to enforce their rights in court.

With the company’s fate hanging in the balance, advocates are urging users to act swiftly to shield their data from an uncertain future.

California Attorney General Rob Bonta has championed this cause, asserting in a statement after the bankruptcy announcement that state residents can legally demand the erasure of their genetic records.

Deleting a 23andMe account is straightforward: users can log in, head to Settings, select Account Information, and choose Delete Your Account, confirming the irreversible step after a prompt.

However, the process comes with a catch. The company’s privacy policy notes that deletion is “subject to retention requirements and certain exceptions,” meaning some data — like genetic profiles, birth dates, gender, and even email addresses tied to deletion requests — may linger for unspecified periods to meet compliance obligations.

Likewise, for those who previously consented to research use of their data, retracting that permission is possible, but erasing the information entirely is not.
