Alert: 23andMe bankruptcy and personal data

On 23 March 2025, popular genetic testing company 23andMe announced that it had filed for bankruptcy protection, and that the CEO and co-founder Anne Wojcicki had resigned with immediate effect. The company will be selling itself under court supervision. Their press release said that the company will continue to operate throughout the sale process and that there are no changes to the way the company stores, manages, or protects customer data.

On 24 March 2024, the UK’s Information Commissioner’s Office released a statement regarding the 23andMe data breach that was first reported in October 2023, stating that the ICO issued a notice of intent to fine 23andMe £4.59 million and a had issued a preliminary enforcement notice. The statement acknowledged the recent bankruptcy filing and noted that UK GDPR (the General Data Protection Regulation) continued to apply to 23andMe.

What happened in the data breach?

The 2023 data breach was the result of a cyberattack, which affected an estimated 7 million users. Wired reported that over 1 million users’ data was available for sale on hacker forum BreachForums, much of it targeting people of Ashkenazi Jewish heritage.

The timing of the ICO’s statement is particularly interesting as following 23andMe’s bankruptcy protection announcement, there has been a significant spike in public interest regarding the personal data that consumer genetics companies might hold (e.g. MyHeritage, or Ancestry.com).

How does 23andMe work?

23andMe usually works by first sending the consumer a kit by post, which the consumer will use to collect some of their own saliva and post back to the company. The company then extracts DNA from the saliva sample. The DNA can then be analysed. Customers could see information about not just their genealogy, but also about genetic predispositions to health-related concerns.

What is DNA data under GDPR?

An individual’s DNA analyses would be considered genetic data, which is one the special categories of personal data under GDPR. Other examples of genetic data are chromosomal analysis and RNA data. There are concerns that individuals can also be very casual in giving away their biometric data for things like facial recognition and fingerprint recognition to log into apps and devices or uploading facial landmarks for AI image generation. As a result biometric data concerns tend to be given a higher priority for enforcement by regulators.

Biometric data is a separate category from genetic data under GDPR but is also special category data. Common examples of biometric data are retina or iris analysis, fingerprint data, facial imaging data, and voice recognition data. Biometric data can even include behavioural analysis which can be linked back to an individual, for example via handwriting analysis, keystroke analysis, or eye tracking.

In a similar vein, health or medical data, which includes data like NHS numbers, medical history, or test results, are also considered special category data.

Special category data merit more protection under GDPR because use of this data is more likely to affect a person’s fundamental rights and freedoms, such as the right to bodily integrity and freedom from discrimination.

What will happen to the data?

There is currently much speculation about what might happen to 23andMe’s vast trove of genetic data and who will own it as 23andMe has proposed a 14 May 2025 auction of its assets.

It is not the first time that there has been a data auction in circumstances like this. In 2000 online toy retailer Toysmart had a plan to sell its customer data to help pay off its debts. The US Federal Trade Commission (FTC) intervened to block the sale. Whether a less interventionist FTC (which currently has its own issues with two FTC Commissioners commencing proceedings against the Trump Administration over their purported removal) intervenes here remains to be seen.

There is a possibility however that other regulators may step in to block or limit a sale. Already Attorney Generals in California, Connecticut, New York, New Hampshire, Virginia, Minnesota, Maine, Oregon, Florida, the District of Columbia and Massachusetts have said they are monitoring the situation. It is likely that GDPR regulators will take an interest too.

For users who are worried about where this data will go, it might be a good idea to try and erase as much personal data as possible from 23andMe. In fact, 2 days prior to the bankruptcy announcement, the California Attorney General issued a consumer alert reminding Californians of their right to direct the deletion of their genetic data under the Genetic Information Privacy Act, and the California Consumer Privacy Act.

Users in the UK and Europe have the right to have their personal data deleted “without undue delay” under GDPR. This is known as the right to erasure, or the right to be forgotten.

23andMe’s UK privacy page shows that they have an automated account deletion process. Users can delete their account via the Account Settings page. There have been reports of technical issues with this process but some users have said these issues have now been resolved. Once the request is confirmed, the personal data should no longer be used in research projects and stored genetic samples should also be discarded.

Under GDPR users also have the right of access, to see what personal data an organisation holds about them. The right is not absolute however and can be subject to various carve outs and exemptions. The main purpose of this right of access is to help individuals understand how and why an organisation is using their data, and to check that they are using the data lawfully.

This right is usually exercised by a Subject Access Request (SAR) though 23andMe allows users to access and download their personal data via their 23andMe account. However, extra cautious ex-users may want to make a SAR after they have deleted their account, just to check that all of their personal data has been deleted. In that case, without an account, the ex-user could potentially make their request by emailing the organisation directly, specifying the reason why they are making that request.

What protects an individual’s genetic and biometric data?

The main legislation protecting an individual’s personal data is GDPR which applies across the EU. In addition, the UK has retained GDPR into domestic law as the UK GDPR, which is complemented by the Data Protection Act 2018 (DPA 2018).

Data and cybersecurity are inextricably linked. Much of the EU’s new and upcoming technology and cybersecurity regulations also address the security of individuals’ personal data, particularly that of biometric data.

Under the EU AI Act most biometric identification or biometric categorisation AI systems (e.g.: using biometrics to analyse what ethnicity a person is) are categorised as either high risk or unacceptable risk. The outright prohibition on unacceptable risk AI systems started applying from 2 February 2025. AI medical devices, or AI systems used for medical devices are also categorised as high-risk. Recently Nvidia announced new partnerships to use their AI technologies in genomic research, clinic trials, patient monitoring, and healthcare administration. Healthcare is turning into a prominent AI industry, and it will involve significant amounts of special category data as discussed above. For more information on the EU AI Act please see: The EU Artificial Intelligence Act FAQs.

Popular wearable fitness devices may collect and process both biometric and health data. The EU Cyber Resilience Act addresses connected devices (also commonly known as the Internet of Things), which includes not just wearable tech, but also products such as smart fridges, app connected security cameras, and smart home software. Through this Act the European Commission wanted to address both the vulnerabilities and security of these products, and help consumers better understand these products. For more information on the EU Cyber Resilience Act, see: EU Cyber Resilience Act FAQs.

As consumers are increasingly interested in health and wellness (in December 2024 the FT predicted that the wellness industry will reach $7 trillion in 2025), with terms like “self-care” and “bio-hacking” becoming increasingly trending topics, it’s worth giving additional consideration to the data about our health and bodies that we give away to various apps, devices, and services, and keep in mind the right to be forgotten.

What should organisations using biometric or health data do?

Any organisation processing biometric or health data will need to develop a plan. It will want to consider:

1. Doing a Data Protection Impact Assessment (DPIA) and/or an AI Impact Assessment. For many applications processing this sort of data that will be mandatory but even where this is not mandatory it is often a good idea. In some cases, it will need to share the DPIA in advance with a regulator so make sure that the organisation can build in enough time to do this in the project plan or launch plan.
2. Doing due diligence on any partners or providers. The 23andMe experience shows that companies in this space are vulnerable to failure and start-ups in particular might not have the financial wherewithal to survive even one breach. A formal due diligence process, possibly including insurance against the company’s default, is likely to reduce risk.
3. Looking at their transparency obligations. Transparency is a key feature of both GDPR and the EU AI Act and most of the fines to date under GDPR have featured a lack of transparency. It is important to understand the technology the organisation will use, and to explain it in clear and simple terms to the people whose data it will be processing.
4. Look at the impact of data subject rights. Dealing with subject access requests and the right to be forgotten can be technically challenging if systems are not designed with these rights in mind. Organisations need to have a proper process in place for opt-outs too.
5. Look at data security. This case shows that regulators are concerned about the security of this type of data. Civil actions have also followed, and the level of damages may be higher than for other breaches – whilst it is relatively easy to change a bank account it is impossible to change one’s DNA! Even if an organisation tries and buys a cyberinsurance policy to cover the risk a good insurer is likely to ask questions about the security measures that the organisation deploying.

Further information:

The 23andMe press release can be found at: 23andMe Initiates Voluntary Chapter 11 Process to Maximize Stakeholder Value Through Court-Supervised Sale Process.

Wired report on the 2023 breach can be found at: 23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews.

Examples of recent coverage of similar concerns over genetic data include:

• “How to… delete your 23andMe data” from the MIT Technology Review, 25 March 2025 (How to… delete your 23andMe data | MIT Technology Review),
• “Why are users of 23andMe being urged to delete their data?” from the Al Jazeera, 26 March 2024 (Why are users of 23andMe being urged to delete their data? | Health News | Al Jazeera),
• “Here’s how to delete your personal data and genetic sample from 23andMe” from CBS News, 25 March 2025 (Here’s how to delete your personal data and genetic sample from 23andMe – CBS News),
• “Opt out: what to do with your 23andMe account after company filed bankruptcy” from the Guardian, 25 March 2025 (Opt out: what to do with your 23andMe account after company filed bankruptcy | Privacy | The Guardian).

See reporting of the auction date at: Bloomberg Law: DNA Data of 15 Million People Up for Sale After 23andMe Demise.

The full alert from the California Attorney General: State of California Department of Justice: Attorney General Bonta Urgently Issues Consumer Alert for 23andMe Customers.

The 23andMe UK privacy page: 23andMe: Requesting 23andMe Account Closure.

Nvidia’s news regarding their partnerships: NVIDIA Newsroom: NVIDIA Partners With Industry Leaders to Advance Genomics, Drug Discovery and Healthcare.

Financial Times articles on the wellness industry: FT: How wellness grew to become a multi-trillion-dollar market.