In 2006, 23andMe invited people to spit in a tube and discover themselves.
It was a simple promise: for $99, your DNA would reveal your ancestry, some genetic traits, even your health risks. The company became a Silicon Valley darling, once valued at $6 billion. Millions mailed in their saliva and waited anxiously for answers about their heritage.
But on Sunday, that once-rising biotech star has filed for bankruptcy.
As the company seeks a buyer under Chapter 11 protections, privacy experts and former customers are asking the same urgent question: what happens to 23andMe’s most valuable asset—your DNA?
Bankruptcy, Breaches, and a Changing Industry
The bankruptcy filing comes after years of turmoil. Demand for DNA testing has slowed. Customers, it turned out, didn’t need to trace their lineage more than once and there’s only a limited pool of potential customers interested in this kind of service. Genetic sequencing continued to become cheaper, but that only gets you so far. In 2021, the company went public. But by 2023, it was shedding employees and shutting down its drug discovery division.
Then came the data breach.
In December, hackers accessed the profiles of 6.9 million users. The leak included ancestry data, and in some cases, even details about relatives. 23andMe blamed users for weak passwords (and that justification didn’t bode well with anyone). A $30 million class-action settlement followed.
That breach wasn’t just a blow to trust—it underscored a truth privacy advocates had long warned about: genetic data is powerful, deeply personal, and uniquely vulnerable.
<!– Tag ID: zmescience_300x250_InContent_3
–>
“No national law protects your genetic data”
With the company now in limbo, legal experts say the U.S. offers little in the way of strong protections.
“That’s pretty much it on the federal level,” Anya Prince, a law professor at the University of Iowa who studies genetic privacy, told NPR. She’s referring to the Genetic Information Nondiscrimination Act, which bars employers and insurers from using genetic data against you. HIPAA—the health privacy law—doesn’t apply to direct-to-consumer companies like 23andMe.
States like California and Washington have passed stricter laws. But for the majority of the country—and the world—there is little stopping a new owner from rewriting the rules.
“Meanwhile, we continue to evolve our understanding of how genetic information has value, but also has unique vulnerability,” Andrea Downing, co-founder of The Light Collective, a digital rights nonprofit, told Wired.
23andMe has said any sale will consider customer privacy. It also stated that a new owner must follow “applicable law.” But that’s exactly what has people worried.
“In my opinion, these privacy policies—especially in the context of acquisitions in the venture capital and private equity space—aren’t worth the paper they’re printed on,” Kenn White, a data privacy advocate and longtime security researcher, told Wired.
Customers Caught in the Middle
For over 15 million people, 23andMe holds not just a string of genetic code, but the raw blueprint of their identity—and in many cases, that of their families too.
Customers gave their consent to the company under one set of terms. But a new owner could bring a new vision that my involve something different than 23andMe customers initially signed up for. That doesn’t mean that a new owner can do anything with your genetic data, but the legal landscape is so murky at the moment that a lot of scenarios could happen.
“The company has legal obligations regarding information collected under the current policies,” said John Verdi of the Future of Privacy Forum. However, enforcement in practice remains unclear, especially across jurisdictions.
And even before any takeover, 23andMe had already shared anonymized genetic data with partners like pharmaceutical giant GSK to develop new drugs.
“Everybody’s worried about what a new company can do with the data—and that is a concern—but frankly some of the things that people are worried about, 23andMe already can do or already does,” Prince noted.
What You Can Do Now
23andMe is still operational—for now. Users can still delete their data, request destruction of their biological samples, and change their research consent.
California Attorney General Rob Bonta has urged residents to act swiftly. “Consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material,” he said in a consumer alert.
To delete your data:
- Log into your 23andMe account
- Go to Settings → 23andMe Data → View
- Download your information if you wish
- Scroll to “Permanently Delete Data” and follow the prompts
You can also opt out of research participation in your account settings. If you choose to opt out, the company will stop using your data for future studies within 30 days.
“Take those actions,” Suzanne Bernstein of the Electronic Privacy Information Center told NPR. “And advocate to your state and federal representatives to pass strong consumer privacy laws. This is just the first example of a company like this with tremendous amounts of sensitive data being bought or sold.”
A New, Blurry Chapter
Anne Wojcicki, the company’s co-founder and until recently CEO, has stepped down—but says she hopes to buy the company herself. Her recent offer was rejected by the board.
In a letter posted on X, she wrote: “I believe in the mission. I believe in the power of genetics to transform lives.”
But the fate of 23andMe—and the genetic treasure chest it holds—now lies in the hands of the bankruptcy court and potential buyers.
Jennifer Wagner, a professor at Penn State, summed up the dilemma.
“If there is a new owner that comes out of the bankruptcy process, that new owner steps into the shoes of 23andMe and takes over those assets,” she said.
“They would still be bound by the complex web of contractual agreements… but I think it does give rise to some uncertainty in terms of whether or not a new player would have the same values.”
The genome, after all, doesn’t change. But the hands that hold it might.
