Everything You Need to Know About the 23andMe Bankruptcy and Your Privacy

On March 23rd, the genetic testing company 23andMe filed for Chapter 11 bankruptcy. This means that a lot of people’s genetic data is about to enter a legal grey zone. 

We recommend that if you are a 23andMe customer, you follow the California AG’s advice and delete your 23andMe account. 

Even if you are not a customer of 23andMe? You’re probably still affected by the bankruptcy of what was, until recently, one of the world’s largest biotech companies.

We’ve covered the data risks of using genetic testing companies like 23andMe before:

• A comparison of different DNA testing companies. 
• Genetic testing privacy policies and how to keep your personal data to yourself if you decide to get a genetic test.

So, here’s what you need to know if you’re worried about your data (or the data of someone close to you). 

What’s Happening to the Genetic Data You Gave to 23andMe?

It’ll probably be sold to a new owner. When you shared your DNA with 23andMe, you effectively gave it to them.

• Learn more: How companies like 23andMe use your data. 

Genetic data from over 15 million people worldwide is 23andMe’s core business asset. 

Just like what happens to any other business asset during bankruptcy, 23andMe’s cache of data is now highly likely to be sold to a new owner​ (as per 23andMe’s privacy policy). You don’t get any say in who this is. 

Experts warn that DNA information isn’t just another data point but a “blueprint” of your biological identity, and its sale could have “far-reaching consequences.”​

23andMe said that its bankruptcy won’t affect how customer data is stored, managed, or protected. 

It also said it would look for a buyer who would share its commitment to customer data privacy. But you have to take their word for it. 

Considering that in 2023, the company disclosed a data breach that impacted 6.9 million customers, that’s not too reassuring. 

Any buyer of 23andMe would need to initially comply with 23andMe’s current privacy policy, but they could change the terms eventually. 

According to Sara Gerke, a professor at the University of Illinois College of Law, whoever buys 23andMe’s data could make significant changes to how they protect it. 

A buyer could change the policy to allow for the sharing of genetic data with some types of insurers, like long-term care or disability insurance companies. Data is unlikely to be shared directly with health insurers since that would be a violation of the federal nondiscrimination law called the Genetic Information Nondiscrimination Act (GINA).

Plus, as some legal experts have pointed out, whoever buys 23andMe’s data could take away the option to opt out of sharing. Hence why you should opt out now (see how below). 

Isn’t My Genetic Data Anonymized? 

Yes, according to 23andMe, customers’ genetic data is anonymized and stored separately from your other data (e.g., name, address, etc.) 

However, speaking to Al Jazeera, Arthur Caplan, the head of the Division of Medical Ethics at the NYU Grossman School of Medicine, said: 

“Given the fact that DNA analysis is even better now than it was 10 years ago when all this collection started, they might be able to identify people.”

The Electronic Frontier Foundation also said that genetic data can’t be truly de-identified: 

“Even if separated from obvious identifiers like name, it is still forever linked to only one person in the world. And at least one study has shown that, when combined with data from GenBank, a National Institutes of Health genetic sequence database, data from some genealogical databases can result in the possibility of re-identification.”  

“This Doesn’t Affect Me” 

You don’t even have to be a customer of 23andMe to be impacted. You just have to be related to one.  

As Professor Carissa Veliz, author of Privacy is Power said in a BBC article:

“If you gave your data to 23andMe, you also gave the genetic data of your parents, your siblings, your children, and even distant kin who did not consent to that.” 

The same is true in reverse. 

Even if you take your privacy extremely seriously and wouldn’t dream of handing over your most sensitive data to a company like 23andMe, chances are, someone you know (parents, siblings, children, uncles, etc.) has done exactly that. 

By sharing their data with 23andMe, they’ve also inadvertently shared some of your data, too.  

Law enforcement can use these databases indirectly to identify suspects. Even if a suspect hasn’t submitted their own DNA, police might identify them through relatives who have shared their DNA. 

For example, the “Golden State Killer” was caught in 2018 when police used GEDmatch to link DNA from the crime scene to third cousins. 

That said, 23andMe does not provide law enforcement access to its database. 

In its transparency report, you can see that though authorities tried to get access to the genetic information of 15 people, the company did not produce this data. 

Regardless, non-customers whose DNA is revealed through someone else’s test have very limited recourse. For example, you can’t log in to delete data. 

Genetic Data Protection Laws 

“Isn’t my genetic data protected legally?” 

The answer is complicated. 

At the federal level:

• The Genetic Information Nondiscrimination Act applies to 23andMe genetic data, preventing insurers and employers from using genetic data to discriminate against you. 
• However, the Health Insurance Portability and Accountability Act – the law that most people would think of in relation to genetic data – is not relevant since it applies to healthcare and not direct-to-consumer companies such as 23andMe. 

However, at the state level, many states do have laws that cover genetic testing and data. 

For example, California’s Genetic Information Nondiscrimination Act prohibits genetic discrimination in employment, housing, mortgage lending, education, and public accommodations.

According to the Electronic Frontier Foundation, about a dozen US states have consumer data privacy laws that are specific to genetic privacy. Most of these require 23andMe to get consent from consumers before transferring data to someone else in an acquisition scenario. 

Other states have comprehensive privacy laws that give consumers rights to access and delete their data (though there are no protections in cases of mergers, acquisitions, or bankruptcies). 

What To Do Now 

You should probably delete your 23andMe account and/or warn those close to you to do the same. 

If you are a customer of 23andMe, here is exactly what we would advise you to do:

Download your 23andMe data

If you did a 23andMe test, you might as well keep the results by downloading your data. 

Here’s how:

1. Go to 23andMe and log into your account.
2. Click your username.
3. Click “Settings.”
4. Scroll to ‘23andMe Data’ and click “View.” 
5. Download the 23andMe data you want to keep. 

Delete Your 23andMe data and account

Despite what some people are saying, 23andMe is not preventing you from deleting your account. 

If the 23andMe site doesn’t work when you attempt to delete your account (previously, there was such a rush to delete 23andMe accounts that the site crashed), you can contact 23andMe customer support at customercare@23andme.com. 

Otherwise, to delete your 23andMe account, do the following: 

1. Log into your 23andMe account.
2. Click “Settings.”
3. Scroll down to ‘23andMe Data.’ 
4. Click “View.”
5. Scroll to ‘Delete Data.’
6. Click “Permanently Delete Data.”
7. Confirm your deletion request via email

After you delete your 23andMe account, your personal information won’t be used for future research (something that about 80% of 23andMe customers gave their consent for), and your genetic samples will be discarded (if you asked the company to store them previously). 

A big caveat 

Even if you delete your 23andMe account, the company may still retain some of your information. 

As per 23andMe’s privacy policy: 

“23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations … even if you chose to delete your account.” 

Remember to Opt Out of Genealogical Records Sites

Even if you’ve:

• Never taken a DNA test
• Deleted your 23andMe account 

Your information may still be available online in genealogy databases. 

It’s not your DNA, but it’s still your personal information, so take this time to delete yourself from these kinds of sites, too.

If you’re looking for directions, see our step-by-step guides:

• How to opt out of Ancestry.
• How to opt out of Family Tree Search.
• How to opt out of Rootsweb.
• How to opt out of Geni.
• How to opt out of Genealogy.com.
• How to opt out of Ancient Faces.
• How to opt out of FamilyTreeNow.
• How to opt out of Archives.com.

Or, you can subscribe to our data broker removal service to have our privacy experts opt you out of these (and other) sites on your behalf.