
23andMe—and who else?

The bankruptcy of the genetic testing firm has implications for consumers' private information, says BC Law's Shelly Simana

The bankruptcy of direct-to-consumer genetic testing firm 23andMe—named as “Invention of the Year” in 2008 by Time magazine—is a cautionary tale, says Boston College Law Assistant Professor Shelly Simana, not only for business-related reasons, but in its implications for consumers’ private information.

The publicly traded retail DNA analysis service, valued as high as $5.8 billion, filed for Chapter 11 on March 23, spurring consumer advocates to implore the company’s 15 million customers to delete their personal data and prevent access by a prospective or eventual buyer.

23andMe’s saliva-based testing can not only aid in tracing one’s ancestry but also uncover genetic predispositions ranging from diabetes to some cancers. But while this information can assist customers with their health-related decisions, noted Simana, it also raises significant privacy concerns, particularly as the company confronts a potential sale.

“When customers initially registered for 23andMe, they consented to terms that allowed the company to use their data for research and development and to share de-identified, aggregate information with third parties,” explained Simana, who studies the ethical and legal issues in genetics, reproduction, and biotechnology. “Deleting your account doesn’t retroactively undo those uses. Once data have been incorporated into research or shared externally, there’s no meaningful way to retrieve or erase it. Moreover, 23andMe’s policies make clear that in the event of a bankruptcy or asset sale, user data may still be transferred.”

23andMe—whose name is derived from the 23 chromosome pairs, one set from each parent—has assured customers that data privacy will be a priority, but skeptics point to other legal measures, such as a court-appointed, independent consumer privacy ombudsman (CPO), as a means to achieve additional accountability.

“Appointing a CPO would be a valuable step,” said Simana. “A CPO can provide independent oversight of any data-related transactions, ensuring they align with 23andMe’s stated privacy commitments and broader legal obligations. This role becomes especially important given that 23andMe’s privacy policy allows for unilateral changes at any time—leaving consumers vulnerable in the absence of additional safeguards.

“That said, it’s important to acknowledge the potential tension: Meaningful privacy oversight might require limiting how certain data can be transferred or used, which could conflict with the company’s financial goals. Still, from a consumer protection standpoint, the added accountability is well worth it.”

Simana noted that in the absence of a CPO, customers aren’t powerless—they can still make their privacy concerns heard through public advocacy.

“Joining forces with consumer rights organizations can amplify their voices. Customers can also submit complaints or concerns directly to regulators like the Federal Trade Commission or state attorneys general, who may intervene or provide oversight.”

Although 23andMe is free to take the highest bid when its assets are up for sale, it’s unclear whether the top buyer would be required to possess, or prove that it has, the necessary privacy protection capabilities and cybersecurity sophistication to guard the genetic information. This would likely pose a serious conflict in the selling process, pitting privacy laws that require due diligence when sharing personal information with a third party against a tendering proceeding and selection that do not, said Simana.

“The bidding process can create a conflict between financial recovery and data protection. Bankruptcy law prioritizes maximizing value for creditors, which often means selling assets—including personal data—to the highest bidder. While 23andMe claims that any buyer will be required to honor its existing privacy policies, those policies are subject to change, and a new owner may revise them post-sale. That creates a significant risk: Users’ data could end up under a very different, potentially weaker, privacy regime than the one they originally agreed to.”

Customers who have privacy concerns should consider deleting their data, said Simana, but expunging your 23andMe account doesn’t necessarily erase everything. Information that has already been de-identified and aggregated may still be retained, and some data may be held for legal or regulatory compliance.

“That’s why it’s not enough to delete your digital records; you should also ask for any remaining biological samples to be destroyed. Taking that extra step can help limit future use or unintended access to your genetic material.”

High-quality digital hygiene begins with regularly reviewing your data permissions and deleting any information you no longer want stored, said Simana.

“Don’t just rely on in-app settings: Ask companies to confirm both the deletion of your digital files and the destruction of any biological samples, if applicable. Stay alert to privacy policy changes, especially after mergers or acquisitions, when terms may quietly shift. Avoid uploading your genetic data to third-party platforms, which often lack the same privacy safeguards as the original testing company, and if you’re uncomfortable with research or data-sharing practices, revisit your consent settings and opt out where possible. Good digital hygiene isn’t a one-time fix; it requires ongoing attention.”