The genetic testing company 23andMe, once a pioneer in at-home DNA testing, has filed for Chapter 11 bankruptcy, raising significant concerns about the fate of its extensive database of sensitive genetic information. With over 15 million users worldwide, the company’s financial collapse has left customers and privacy advocates questioning how their data will be handled during the sale of 23andMe’s assets.
The bankruptcy filing, made on March 23, 2025, aims to facilitate a court-supervised sale to maximize the value of the business. However, this process has heightened fears that genetic profiles—containing deeply personal and immutable information—could be sold to unknown buyers or misused. While 23andMe has assured customers that its privacy policies remain intact and that any buyer must comply with existing data protection laws, critics argue that these safeguards may not fully protect against the potential misuse of such sensitive data.
Adding to these concerns is the company’s troubled history with data security. In 2023, hackers breached nearly 7 million customer accounts, exposing personal and genetic information. This incident, coupled with the company’s financial struggles and declining consumer trust, has prompted attorneys general and privacy advocates to urge users to delete their data from the platform to avoid possible exploitation.
Despite reassurances from 23andMe that data privacy will be a priority in any transaction, experts warn that genetic information is uniquely vulnerable. Unlike other types of personal data, DNA cannot be changed or anonymized entirely, making it a valuable asset for medical research, insurance companies, and even marketing firms. Critics have also noted the lack of robust federal regulations governing the use of genetic data by private entities, further complicating the situation.
As bankruptcy proceedings continue, privacy advocates are calling for stronger oversight, including the appointment of an independent Consumer Privacy Ombudsman to ensure ethical handling of user data. However, 23andMe has reportedly resisted such measures, fueling further scepticism about its commitment to protecting customer information.
The bankruptcy proceedings of 23andMe have raised several significant privacy concerns, particularly regarding the handling and potential sale of the genetic data of its 15 million users.
1. Sale of Genetic Data as an Asset
- With 23andMe filing for Chapter 11 bankruptcy, its genetic database could be treated as a “distressed asset” and sold to the highest bidder during the restructuring process. This raises fears about who might acquire this sensitive information and for what purposes, especially since customers consented to share their DNA with 23andMe, not an unknown third party.
2. Risks of Genetic Discrimination
- Privacy experts warn that genetic data could be misused by entities such as health or life insurance companies to engage in “genetic discrimination,” potentially influencing insurance eligibility or premiums. Although 23andMe has stated that it will maintain its privacy policies during the bankruptcy process, critics argue that new ownership could alter these policies, leaving customers vulnerable.
3. Ambiguities in Privacy Policy
- According to 23andMe’s privacy policy, personal information, including genetic data, may be transferred or sold in the event of a merger, reorganization, or asset sale. While the company asserts that any buyer must comply with existing privacy terms, the policy also allows for future modifications, creating uncertainty about how data might be handled under new ownership.
4. Calls for Oversight and Consumer Action
- Privacy advocates and officials, including California Attorney General Rob Bonta and New York Attorney General Letitia James, have urged customers to delete their data to protect it from potential misuse. However, many users have reported difficulties in accessing their accounts to erase their information due to technical issues caused by a surge in deletion requests following the bankruptcy announcement.
5. History of Data Breaches
- Concerns are amplified by 23andMe’s history of data security issues. In 2023, a breach exposed personal information from nearly 7 million accounts over five months, though the company claims genetic data was not compromised. This incident has further eroded trust in the company’s ability to safeguard sensitive information during its financial turmoil.
6. Lack of Regulatory Safeguards
- The absence of robust federal regulations governing the use and transfer of genetic data complicates matters further. While some officials advocate for appointing a Consumer Privacy Ombudsman to oversee data handling during bankruptcy proceedings, 23andMe has resisted such measures.
As the company moves forward with its restructuring and potential sale of assets, these privacy concerns remain at the forefront for customers and regulators alike.
What are the legal protections for genetic data in bankruptcy proceedings in India?
The legal protections for genetic data in bankruptcy proceedings in India remain underdeveloped and fragmented under the current framework.
1. Genetic Data Under SPDI Rules
- The SPDI Rules (under the IT Act, 2000) classify “sensitive personal data” as including medical records, health conditions, and biometric information. While genetic data is not explicitly listed, genomic data in electronic form may fall under SPDI if linked to health or medical records. SPDI can only be transferred outside India with explicit user consent or for fulfilling a lawful contract. However, this does not address scenarios where genetic data is sold as an asset during bankruptcy.
2. Bankruptcy-Specific Risks
- Asset Sale Vulnerabilities: If a genetic testing company like 23andMe operated in India and filed for bankruptcy, its genetic database could be treated as a corporate asset. Indian law does not explicitly restrict the sale of genetic data during insolvency proceedings, unlike medical records protected under sector-specific laws.
- Insufficient Consent Mechanisms: While the DPDPA allows users to withdraw consent and request data deletion, bankruptcy proceedings could override these rights if courts prioritize creditor repayment over privacy protections. Users may face challenges asserting control once data is transferred to new owners.
3. International Comparisons Highlight Shortfalls
- No Equivalent to GDPR or GINA: Unlike the EU’s GDPR (which classifies genetic data as “special category” data) or the U.S. Genetic Information Nondiscrimination Act (GINA), India lacks targeted legislation to prevent genetic discrimination or misuse by insurers, employers, or third-party buyers.
- Limited Judicial Precedent: India has yet to test how courts would handle genetic data in bankruptcy cases, leaving uncertainty about balancing creditor rights with privacy concerns.
Recommendations and Conclusion
The 23andMe situation has thrown a spotlight on how vulnerable our most personal information can be. It makes sense that privacy pros are telling people to get ahead of the game and delete their genetic data from these testing sites, even if the tech sometimes makes that a headache. Plus, the fact that our genes connect us to our families needs to be legally recognized with relational privacy safeguards. Selling off our genetic blueprints in bankruptcy without our clear “yes” should absolutely be off the table. These aren’t just tweaks; they’re essential updates to give individuals real control over their genetic privacy and build some much-needed trust in these testing services. At the end of the day, the 23andMe breach is a stark reminder that as we learn more about ourselves through our genes, we’ve got to make sure the rules of the game keep up to protect that incredibly personal information.