The 23andMe Bankruptcy: Uncertainty, Caution, and a Call to Action (Part 1)

Even with so many major headlines competing for attention last month, it was hard to miss the news that 23andMe had filed for bankruptcy. Media outlets called the filing a disaster for consumers and warned that 23andMe data are now up for grabs. Numerous state attorneys general urgently reminded customers of their data rights. Columnists for The New York Times and The Washington Post were more direct: They recommended that customers immediately delete their data.

The focus of concern has been the fate of 15 million DNA profiles. These are the genetic test results of 23andMe customers who purchased genetic testing from the company. But 23andMe’s vast data stores aren’t limited to individual genotypes. They also include customers’ biospecimens, ancestry and health-related reports, responses to research surveys, and other self-reported personal information.

In news articles, privacy and security experts have focused on the volume and sensitivity of this information and raised alarm bells about its sale in bankruptcy. There has been much speculation about who might be 23andMe’s buyer and what they might do with the data. Some media have described troubling scenarios involving nefarious actors.

Few reports include a detail that genetic genealogists know well: This is not the first time a direct-to-consumer genetics company, including all of its customer data, has changed hands. Far from it; 23andMe is one of the only major companies in this space that has not yet been sold.

This is not the first time a direct-to-consumer genetics company, including all of its customer data, has changed hands. Far from it; 23andMe is one of the only major companies in this space that has not yet been sold.

This brief but busy history includes the 2019 acquisition of GEDmatch, which maintains approximately 2 million DNA profiles, by Verogen, a forensic genomics firm. Verogen then was acquired in 2023 by QIAGEN, a Netherlands-based provider of technologies for molecular diagnostics, applied testing, and research. In 2020, Blackstone, a global investment firm, purchased Ancestry, the industry behemoth that maintains a database of over 27 million DNA profiles. The next year, FamilyTreeDNA and its parent company, Gene by Gene, merged with myDNA, an Australian personalized genomics company. Also in 2021, private equity firm Francisco Partners announced its acquisition of MyHeritage, which maintains a customer database of approximately 9 million DNA profiles.

Of course, 23andMe’s situation is different from those faced by its industry peers. Ownership of 23andMe’s assets will be decided in bankruptcy, which could encourage interest from entities in unrelated sectors or that lack experience managing large personal datasets. And as a self-described “genetic health and biopharmaceutical company,” 23andMe almost certainly holds more health information about customers than competitors focused on ancestry and family history services.

Yet, 23andMe customers are also in a different position than the customers of other acquired direct-to-consumer genetics companies. They have advance warning of the sale and therefore time, if they want it, to digest information about the buyer and terms of sale as this information becomes known. They also are able to delete their data before the deal is inked if what they learn worries them.

It appears that many customers already have done so. Some commentators have noted that a mass exodus could significantly reduce the company’s value.   

For those still on the fence, 23andMe has emphasized that its privacy policy remains in place and will be a condition of sale. FAQs issued with the bankruptcy announcement state 23andMe will continue business operations during the proceedings and that it will not change how it “stores, manages, or protects customer data.” The company separately explained that to constitute a qualified bid, potential buyers must agree to comply with its privacy policy and applicable laws.

The U.S. Federal Trade Commission (FTC), which is authorized to take legal action against companies that engage in unfair or deceptive practices, has made known its position that 23andMe must keep these promises. In a strongly worded letter to the U.S. Trustee Program that oversees bankruptcy cases, the FTC stated its expectation that 23andMe will be required to comply with its privacy statements, consistent with the Bankruptcy Code.

State attorneys general also have signaled they are closely watching the case for violations of state consumer protection and data privacy laws. By now, more than 25 state attorneys general, as well as the U.S. Trustee Program, have requested appointment of a privacy ombudsman to protect customer data in the transaction. Among other things, some argue that a privacy ombudsman is necessary to determine which of the company’s many amended privacy policies apply to specific customer data. 23andMe has countered with a proposal for an independent data customer representative to, among other things, identify privacy issues related to the sale and the buyer’s ability to securely store transferred data. More recently, the U.S. Department of Justice notified the court that a sale of the company’s data to a foreign entity could prompt national security review and could even be prohibited.

Compared to the initial bankruptcy announcement, these developments have received less attention, although they have the potential to meaningfully shape the privacy outcomes of the sale. Legal news services and lawyer publications explain how. Specifically, under the Bankruptcy Code, a privacy ombudsman can make recommendations to the court for mitigating potential privacy losses. Although not required to do so, the court can include these recommendations as conditions of sale.

Separately, the FTC can intervene to ensure that customer data are handled in ways consistent with 23andMe’s privacy promises—as it has done in the past. In one case involving extensive privacy promises made by a debtor, the FTC recommended that the buyer be in substantially the same lines of business as the debtor, agree to be bound by the debtor’s privacy policy, and obtain customers’ affirmative consent before making any material changes to the policy. The debtor eventually agreed to destroy most of the data and give customers the right to opt out of the sale of their remaining data. In a second case, the FTC asserted that, given a debtor’s explicit privacy representations, the debtor’s transfer of sensitive customer data to the new owner could violate federal law—even with the new owner representing that it would carry on the same business as the debtor. Acting on the FTC’s recommendation, the debtor agreed to delete the data.

It’s too early to know if the FTC will intervene in the 23andMe case. That it already has voiced its “interests and concerns” to the U.S. Trustee Program, including its expectation that 23andMe will be held to its privacy promises, is a good sign for customers. So, too, is the coordinated demand for a privacy ombudsman by numerous state attorneys general. For those interested in tracking these and other developments, the web page established by 23andMe’s claims and noticing agent identifies important dates and provides free access to court documents and audio files, which are regularly updated.

Part II of this series will address the bankruptcy implications of 23andMe’s position on law enforcement as well as options for customers and policymakers.

---

About the authors

Christi Guerrini, JD, MPH, is Associate Professor in the Center for Medical Ethics and Health Policy at Baylor College of Medicine.

Amy McGuire, JD, PhD, is the Leon Jaworski Professor of Biomedical Ethics and Director of the Center for Medical Ethics and Health Policy at Baylor College of Medicine.

Any opinions, conclusions, and recommendations expressed in this article are those of the authors and do not represent the views of Baylor College of Medicine.