23andMe filed for bankruptcy after a major data breach. Learn what happens to your DNA data and what legal protections may apply.
23andMe was once all the rage. Everyone wanted to uncover their genetic makeup, health predispositions, and family history. It was a popular and “unique” gift that helped fuel the company’s meteoric rise to a $6 billion valuation at its peak.
In 2021, I wrote a blog post raising red flags about the privacy risks associated with 23andMe’s at-home DNA kits (Lowey blog). One concern was how the company opted users into genetic research they may not have fully understood—research that 23andMe intended to use to develop pharmaceutical products for profit.
Those concerns were unfortunately validated.
A Massive Data Breach and Bankruptcy Filing
In October 2023, 23andMe experienced a massive data breach that exposed sensitive health and genetic information belonging to around 7 million customers. The fallout prompted numerous class action lawsuits.
In March 2025, the company filed for bankruptcy. The collapse wasn’t just financial—it marked a seismic shift in the public’s trust in consumer genetics.
Which brings us to the elephant in the room: What happens to your DNA data when the company no longer exists?
23andMe Has Created a Perfect Storm for Privacy Violations
According to CNBC, 23andMe has assured customers there will be “no changes” in how it stores, protects, or manages customer data during the sale process.
But this does little to ease consumer fears. Even before the breach, the company:
- Used genetic data to develop commercial pharmaceutical products
- Stored that data in systems that were ultimately breached, affecting millions
Passing that data to another company—likely one with the same profit motives—doesn’t protect consumers. And practically speaking, once 23andMe is defunct, it will have no meaningful control over what happens to its customers’ data.
What Can You Do?
California Attorney General Rob Bonta has issued an urgent alert advising 23andMe users to:
- Delete their data
- Revoke consent for research
- Destroy their saliva test sample
This guidance is supported by both the California Consumer Privacy Act (CCPA) and the Genetic Information Privacy Act (GIPA), which give consumers a right to deletion (AG Press Release).
But here’s the problem: even deletion may not be enough.
Why Deletion is Not a Complete Solution
23andMe may not have the ability to truly “delete” consumers’ data in all its forms.
This comes down to how companies handle and process data. When companies use data, some modify it from its initial form and may remove direct identifiers. This happens through either anonymization or pseudonymization.
- Anonymization involves stripping—i.e., completely removing—identifiers so the data can never be traced back to a person. Thus, where a data field may have included your actual name, anonymization would remove that field altogether.
- Pseudonymization involves replacing known identifiers typically with a string of numbers and letters. For instance, instead of “Jane Doe” it may say abc2833-oiaehei393. Pseudonymization does not make data truly deidentified, as it can typically be reversed, and companies may still know your true identity through data mapping (i.e., keeping a map that knows abc2833-oiaehei393 is Jane Doe).
Given these mechanisms, many companies lack the capability to track down each piece of pseudonymized or anonymized data in their own systems, especially once it has been handed off to third parties.
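To make the distinction concrete, here is an added example (not code from the original post, and not 23andMe's own system) showing why a deletion request is only satisfiable while the pseudonymization map still exists. The records, field names, and the `subject_id` token column are constructed for illustration; the point is that pseudonymized rows stay linkable to a person only through the map, and anonymized rows cannot be located for a specific person at all.

```python
"""Pseudonymization vs anonymization, and what each means for a deletion request."""
import secrets

# Constructed sample records (not real data): direct identifiers alongside the
# genetic payload that a research pipeline actually wants to keep.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "email": "jane@example.com", "genotype": "rs1234:AG"},
    {"name": "John Roe", "email": "john@example.com", "genotype": "rs1234:GG"},
    {"name": "Jane Doe", "email": "jane@example.com", "genotype": "rs9999:CT"},
]
DIRECT_IDENTIFIERS = ("name", "email")  # hypothetical field names for this example


def pseudonymize(records):
    """Replace direct identifiers with an opaque token and keep a token -> identity map.

    The same person always receives the same token, so their rows stay linkable
    to each other; the map is exactly what makes the process reversible.
    """
    mapping = {}      # token -> (name, email): the reversal key the text warns about
    by_identity = {}  # (name, email) -> token, so repeat records reuse one token
    out = []
    for rec in records:
        identity = tuple(rec[f] for f in DIRECT_IDENTIFIERS)
        token = by_identity.get(identity)
        if token is None:
            token = secrets.token_hex(8)  # e.g. "9f1c0a3b7e2d4c58", random per run
            by_identity[identity] = token
            mapping[token] = identity
        out.append({"subject_id": token,
                    **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, mapping


def anonymize(records):
    """Strip direct identifiers entirely; no map is kept, so nothing links rows to a person."""
    return [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            for rec in records]


def reidentify(pseudo_record, mapping):
    """Reverse pseudonymization. Works only while the map exists and contains the token."""
    name, email = mapping[pseudo_record["subject_id"]]
    return {"name": name, "email": email,
            **{k: v for k, v in pseudo_record.items() if k != "subject_id"}}


def delete_subject(pseudo_records, mapping, name, email):
    """Honour a deletion request for one person.

    Returns the number of rows removed. Returns 0 when the person cannot be
    located, which is what happens to a copy shipped downstream without the map.
    The list is modified in place; matching map entries are removed as well.
    """
    tokens = {t for t, ident in mapping.items() if ident == (name, email)}
    if not tokens:
        return 0
    before = len(pseudo_records)
    pseudo_records[:] = [r for r in pseudo_records if r["subject_id"] not in tokens]
    for t in tokens:
        del mapping[t]
    return before - len(pseudo_records)


if __name__ == "__main__":
    pseudo, mapping = pseudonymize(SAMPLE_RECORDS)
    print("pseudonymized:", pseudo)
    print("re-identified first row:", reidentify(pseudo[0], mapping))
    print("rows deleted with map:", delete_subject(pseudo, mapping, "Jane Doe", "jane@example.com"))
    copy_without_map, _ = pseudonymize(SAMPLE_RECORDS)
    print("rows deleted without map:", delete_subject(copy_without_map, {}, "Jane Doe", "jane@example.com"))
    print("anonymized:", anonymize(SAMPLE_RECORDS))
```

Run the file directly to see both outcomes: with the map in hand, Jane Doe's two rows are found and removed; a second copy of the same dataset handed to a third party without the map returns zero deletions because nothing in it identifies her, even though her genotype is still present.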
Why This Matters for 23andMe.
This raises serious questions when it comes to 23andMe. The company’s own documentation refers to research data as “de-identified” and stripped of “name and contact information.”
That leaves a key question unanswered:
- If data is anonymized or pseudonymized, do they actually have a way to locate it and ensure it’s no longer used or shared?
As the 23andMe bankruptcy process takes place, we might receive some clarity. If we don’t, it may be time for a regulator to step in and ensure users’ privacy is respected.
What Could Be Done?
Instead of placing responsibility on the consumer, there are other options regulators (or others) could take to ensure privacy is respected.
- Limit Which Data Can Be Sold & Require Consent
Only data that is clearly linked to a specific consumer should be considered a transferable asset in the pending bankruptcy.
Additionally, either 23andMe (before sale) or the purchasing entity (after sale) should be required to obtain affirmative, informed consent from each consumer to store or use this data going forward.
While this may make the “assets” (i.e., customer data) seemingly less valuable, trading in consumers’ own information that they may not know or intend to be shared is already alarming from a privacy perspective.
Consumers’ privacy should be a higher priority than selling off assets to the highest bidder.
- Mandate Deletion of Non-Consented Data
For all other data that cannot be traced back to consumers, 23andMe should be required to delete it if it was used for a commercial purpose. A new business entity that purchases 23andMe’s assets should not profit off data consumers never agreed to share with that entity.
Final Thoughts.
23andMe’s rise and fall highlights the dangers of commodifying human DNA. Consumers handed over their genetic data for health insights—but likely never imagined it would be used for profit, exposed in a breach, and then handed off in bankruptcy court.
At bottom: DNA is not just data. It’s also identity, and it deserves more legal protection than it currently has. Time will tell how this privacy headache unfolds.
Contact Us.
If you are concerned about your data privacy, we’re here to help. If you believe you have a privacy claim, contact us for a free consultation.