23andMe Enters Bankruptcy: What It Means for Customer Data

California-based DNA testing company 23andMe has filed for Chapter 11 bankruptcy, aiming to restructure its operations and potentially sell its assets after years of financial struggles.

With nearly two decades in the business, the company has processed over 15 million saliva-based testing kits, offering insights into customers’ family origins and certain genetic predispositions.

Genetic information is among the most sensitive personal data a company can handle, often revealing details not just about an individual but also about their relatives.

“We are committed to continuing to safeguard customer data and being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction," said Mark Jensen, chair of 23andMe’s board of directors.

While the company has pledged to not change how it handles customer data, privacy experts are raising concerns about the sensitive genetic information 23andMe has accumulated over the years and how a sale might affect it.

Since the announcement, regulators in both the US and UK have reminded consumers that rigorous privacy laws still apply, no matter the status of 23andMe’s finances. Under laws like the Genetic Information Privacy Act (GIPA), the California Consumer Privacy Act (CCPA), and the UK’s GDPR, the company remains responsible for keeping data safe.

“California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,” Attorney General Bonta told consumers. “Given 23andMe’s reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.” 

The alert for California residents also includes the necessary steps users can take to either request the deletion of their genetic data or revoke permissions to use it in future research (should they have opted for this when signing up).

On the other side of the Atlantic, UK’s privacy watchdog also issued a statement regarding the company’s announcement.

"We are aware that 23andMe has filed for Chapter 11 bankruptcy in the US to facilitate a sale process. We are monitoring the situation closely and are in contact with the company," said ICO Deputy Commissioner Stephen Bonner. "As a matter of UK law, the protections and restrictions of the UK GDPR continue to apply and 23andMe remains under an obligation to protect the personal information of its customers."

Steps to Protect Your Privacy

If you’re concerned about your genetic or personal data, here are some key measures you can take:

Follow Official Guidelines

The California Attorney General has laid out detailed steps on how 23andMe users can request the permanent deletion of their data and destruction of any biological samples. You can also withdraw any consent previously given for research purposes by adjusting the settings in your 23andMe account.

Monitor Your Online Accounts

Even beyond genetic data, many of us have old or inactive online profiles. These accounts can become prime targets for hackers or can appear in data breaches without our awareness.

Stay Alert to Data Breaches

Breaches—like the one 23andMe reported—can expose personal and genetic information. Knowing immediately when a breach occurs can help you take action quickly, whether that means changing passwords, implementing multi-factor authentication, or revoking data-sharing permissions.

Whether you choose to keep or delete your genetic information from a DNA testing provider, staying on top of your overall digital footprint is vital. Bitdefender Digital Identity Protection (DIP) offers a way to monitor and guard your personal data across the internet with:

1. Real-Time Breach Notifications: DIP scans multiple online sources, quickly alerting you if your credentials or personal info appear in newly uncovered leaks.
2. Comprehensive Account Discovery: It reveals where your data is stored and which online accounts (forgotten or otherwise) still exist, giving you the chance to close unused profiles or tighten privacy settings.
3. Ongoing Identity Monitoring: DIP continuously checks for clues that someone might be exploiting your information, so you can act fast to reduce harm.