By: Jacqueline Purmort-Labue

Following its reputation-damaging data breach in 2023 and subsequent reduced demand for testing kits, 23andMe filed for bankruptcy in late March of this year. The genetic testing company has consumers submit a saliva sample of their DNA to be analyzed for ancestry purposes, family traits, or potential health risks. The company initiated the voluntary Chapter 11 proceeding to maximize the business’s value for stakeholders through a court-supervised sale process. 

Is Your Genetic Data Being Auctioned to the Highest Bidder? 

23andMe Board Chair, Mark Jensen, stated that “data privacy will be an important consideration in any potential transaction.” In response to customer concern following the Chapter 22 filing, 23andMe released an open letter to customers, assuring users that “[a]ny buyer of 23andMe will be required to comply with our privacy policies and applicable law concerning the treatment of customer data.” Despite this, many consumers are understandably upset about their genetic information being sold to the highest bidder. In the best case scenario, users could be targeted with ads based on results from their genetic tests. However, in the worst case scenario, an employer or insurance company might find a user has a predisposition to develop early-onset Alzheimer’s, cancer, mental illness, or substance use disorder, and discriminate against the user based on that information. 

Legal Remedies For the Sale of Sensitive Data 

Those worried about their sensitive DNA information may not realize how few federal protections exist. The Health Insurance Portability and Accountability Act (HIPAA) seems like it would apply, but HIPAA’s definition of covered entities and business associates only includes healthcare providers, health insurance, and any business associate working with those companies, meaning data that’s held by direct-to-consumer companies like 23andMe is not protected. Under the law, users are treated as consumers, not patients. 

The Genetic Information Nondiscrimination Act (GINA) prevents health insurers, but also employers, from using genetic information in a discriminatory way. This federal law, passed in 2008, does not apply to life insurance companies, mortgage lenders, and other non-health entities. Additionally, GINA does not explicitly protect epigenetic information, which is information about the way a person’s genes are affected by external factors such as smoking, disease, or stress. 

Some states have passed a genetic information privacy law, including Alabama, Arizona, California, Florida, Kentucky, Maryland, Montana, Nebraska, South Dakota, Tennessee, Texas, Utah, Virginia, and Wyoming. Some states, like California and Texas, have taken consumer protection a step further. California Attorney General Rob Bonta issued a consumer alert to customers of 23andMe. He urged  Californians to consider invoking their rights under the Genetic Information Privacy Act (GIPA) and California Consumer Privacy Act (CCPA), and directing 23andMe to delete their data and destroy any remaining samples of genetic material. Similarly, Texas Attorney General Ken Paxton issued a statement, encouraging any Texan concerned about their data to exercise the right to have their data securely deleted. 

Bankruptcy law may provide some protections. Bankruptcy proceedings are an inherently public process and often draw scrutiny from the public. In some cases, regulators such as the Federal Trade Commission or state attorneys general may intervene and seek to participate in the proceedings. Bankruptcy cases are adjudicated in federal court and may require the appointment of a consumer privacy ombudsperson to review the proposed sale of assets. This ombudsperson assesses whether the proposed sale of assets aligns with the company’s existing privacy policies and applicable laws.

Looking to the Future

In response to pressure from many state attorneys general, 23andMe agreed in late April 2025 to allow a court-appointed overseer to safeguard customers’ genetic data during the bankruptcy proceeding. The ombudsman will also review any sale of 23andMe’s business or data during the company’s bankruptcy and report to the court any implications for customer data privacy. 

Experts believe existing law is insufficient or relies too heavily on consumers to self-manage their data privacy. Consumers are expected to read and understand companies’ privacy policies. However, studies have shown that the vast majority of consumers don’t read privacy notices or understand how companies use their data. 

The 23andMe bankruptcy case underscores the urgent need for stronger, comprehensive federal privacy protections for genetic data. While state-level efforts and the appointment of a privacy ombudsman offer some reassurance, they highlight the fragmented and reactive nature of current legal safeguards. As genetic testing becomes more widespread, policymakers must confront the gaps in federal law that leave consumers vulnerable, especially in high-stakes situations like asset sales. Until then, consumers are left to navigate a complex and opaque system on their own.

#GeneticData #Privacy #ConsumerProtection #WJLTA