San Francisco-based 23andMe, which sells at-home DNA testing kits, has filed for bankruptcy in the US and is looking for a new buyer — heightening concerns about the personal data of millions of people.
23andMe experienced a major data breach in 2023, which exposed personal information like family trees, birth years, and geographic locations of approximately half of the company’s 15 million users.
Now, with the company sinking, 23andMe customers are considering deleting their accounts amid fears of another hack or changes to the company’s privacy controls under a new owner.
In the EU and the UK, 23andMe users are covered by versions of the GDPR. The Information Commissioner’s Office (ICO), Britain’s data privacy watchdog, stresses that despite the insolvency, customers remain protected by the same data privacy laws.
The 💜 of EU tech
The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!
“As a matter of UK law, the protections and restrictions of the UK GDPR continue to apply and 23andMe remains under an obligation to protect the personal information of its customers,” said Stephen Bonner, the ICO’s deputy commissioner.
However, the ICO has previously ruled that 23andMe may have violated its privacy rules.
The 23andMe track record
After the 2023 breach, the ICO and the Privacy Commissioner of Canada launched a joint investigation into 23andMe. Earlier this month, the ICO issued a notice of intent to fine the company £4.59mn ($5.93mn).
“Genetic information is among the most sensitive personal data that a person can entrust to a company[,] and organisations handling such data are required to uphold a very high standard of security and governance in accordance with [the law],” Bonner said in response to the bankruptcy filing.
In the US, meanwhile, the legal protections vary.
While users in the UK and EU have GDPR protections, data privacy laws in the US are less comprehensive and vary considerably from state to state.
23andMe claims that the company does not share the personal or medical information of any of its customers without consent. Yet with 23andMe’s track record, neither the company’s assurances nor legal protections may quell customers’ fears. During bankruptcy proceedings, the company may also have fewer resources at its disposal to fight off hackers. And under new ownership, things look even more uncertain.
According to 23andMe’s own privacy statement, if the company undergoes bankruptcy, merger, acquisition, reorganisation, or sale of assets, “your Personal Information may be accessed, sold or transferred as part of that transaction.”
How to delete your 23andMe data
Given the sensitivity of the data people have shared with 23andMe, the previous breach, and the company’s financial problems, customers may decide to just delete their data entirely. California Attorney General Rob Bonta has urged them to do just that.
“I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company,” Bonta said.
Users in Europe, meanwhile, have the “right to erasure,” which allows individuals to request that 23andMe deletes their personal data and destroys any medical samples in the company’s possession.
Here’s how to do it:
- Log in to your account and go to “Settings,” then scroll to “23andMe Data” and click “View.”
- From there, select “Delete Data,” confirm your request, and your data will be permanently removed. You can also download a copy of your genetic data before deleting it.
- To delete your test sample, go to “Settings,” then “Preferences,” where you can manage your options.
Europe’s tech regulations will come under the microscope at TNW Conference, Tickets for the event are now on sale. Use the code TNWXMEDIA2025 at the check-out to get 30% off the price tag.
Get the TNW newsletter
Get the most important tech news in your inbox each week.