DNA on the Auction Block: What 23andMe’s Bankruptcy Means for Your Privacy

By Devin Breitenberg

On March 23, 2025, 23andMe, the genetic testing giant that promised to unlock the secrets of your ancestry and health risks through a simple saliva sample, filed for Chapter 11 bankruptcy protection. With a customer base exceeding 15 million—each contributing a trove of DNA and personal data—the news has sent ripples of concern through privacy advocates and users alike. As the company prepares to auction off its assets under court supervision, a pressing question looms: If someone buys 23andMe, can they do whatever they want with that data, like sell it to third parties? The answer isn’t a simple yes or no. It’s a tangled web of legal constraints, corporate policies, and consumer vulnerabilities, revealing just how precarious the ownership of your genetic identity can be in a corporate collapse.

Bankruptcy 101: Selling the DNA Vault

Chapter 11 bankruptcy allows a company like 23andMe to reorganize its finances while continuing operations, often culminating in a sale of its assets to pay off creditors. In this case, those assets include one of the world’s largest private genetic databases—a goldmine of genomic and personal information. The company has already outlined plans to sell itself, with a bidding deadline set for around May 7, 2025. Potential buyers could include biotech firms hungry for research data, data brokers eyeing profit, or even ex-CEO Anne Wojcicki, who’s reportedly exploring a bid to take the company private. But what does this mean for the 15 million customers who trusted 23andMe with their spit?

The company’s privacy policy provides an initial glimpse: “If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction.” It adds a caveat that any buyer must adhere to the existing privacy statement, which might sound like a safeguard. Dig deeper, though, and the cracks appear. That same policy allows 23andMe to amend its terms at any time with mere notice to users—no new consent required. A buyer could inherit the current rules, then rewrite them to loosen restrictions, potentially opening the door to broader data sharing or sales, all while banking on users’ apathy toward updated fine print.

The Legal Landscape: A Patchwork of Protections

A new owner wouldn’t have carte blanche to treat your DNA like a commodity on the open market—laws do impose some limits. The federal Genetic Information Nondiscrimination Act (GINA) of 2008 is a key player, barring health insurers and employers from using genetic data to deny coverage or jobs. But GINA’s reach is narrow. It doesn’t apply to life, disability, or long-term care insurers, nor does it prevent sales to other third parties like marketers or data aggregators. Beyond GINA, the U.S. lacks a comprehensive federal data privacy law akin to Europe’s General Data Protection Regulation (GDPR), which mandates explicit consent and robust consumer rights. Instead, Americans rely on a fragmented quilt of state-level regulations.

Take California’s Genetic Information Privacy Act (GIPA), for example. It requires companies to get explicit consent before collecting, using, or disclosing genetic data and grants consumers the right to demand its deletion. Roughly 19 states have enacted similar laws, but they vary widely in scope and enforcement. Some kicked in only recently, while others explicitly allow data transfers during bankruptcy unless users revoke consent beforehand. 23andMe has publicly assured that “any buyer will be required to comply with applicable law with respect to treatment of customer data,” and there are “no changes” to its current data practices for now. Yet, this assurance feels flimsy when “applicable law” depends on where the buyer operates or how aggressively they test the boundaries.

Consider a hypothetical: A buyer based in a state with minimal genetic privacy laws could comply with the bare minimum, update the privacy policy to allow new uses, and proceed—leaving customers in stricter states like California reliant on uneven enforcement to fight back. Even in states with stronger protections, loopholes exist. Many laws don’t retroactively void prior consents, meaning if you agreed to 23andMe’s terms years ago, a buyer might argue they’re still valid unless you act now.

What Could a Buyer Actually Do?

To predict a buyer’s moves, look at 23andMe’s current playbook. The company has long shared anonymized, aggregated data with third parties—think pharmaceutical giants like GlaxoSmithKline—for research, but only if users opt in. It’s a lucrative model; GSK invested $300 million in 2018 for access to such data. Identifiable data, however, stays locked down, shared with insurers or law enforcement only under subpoena or court order. A new owner would likely step into this framework initially. But here’s where the risks multiply:

Anonymized Data Expansion: If you opted into research, a buyer could keep selling anonymized data to drug companies or broaden the pool of recipients—say, to academic institutions or AI firms—without needing new permission, as long as it fits the original consent’s scope.

Identifiable Data Plays: By revising the privacy policy, a buyer could introduce new opt-in prompts to share identifiable data with unexpected players—advertisers targeting you based on health risks, or insurers adjusting premiums. Most users, notorious for skimming terms-of-service updates, might miss the change and inadvertently agree.

Regulatory Oversight: The Federal Trade Commission (FTC) could intervene if a sale or data use smells like unfairness or deception. In the 2000 Toysmart bankruptcy, the FTC stepped in when the toy retailer tried to sell customer data after promising never to share it, restricting the sale to similar businesses honoring those pledges. 23andMe’s policy, by contrast, preemptively discloses potential transfers, weakening deception claims. Still, if a buyer buries DNA-sharing in dense legalese, the FTC might cry foul under its “unfairness” authority—a long shot, but not impossible.

Your Data, Your Choices—And the Clock’s Ticking

Consumers aren’t entirely at the mercy of this process, but vigilance is critical. 23andMe lets you delete your account and data via Settings > 23andMe Data > Delete Data. It’s not a perfect fix—data already shared for research can’t be recalled, and deleted samples might linger in backups until purged—but it could block your info from a future sale. Speed matters; once the bankruptcy court approves a buyer, your leverage dwindles. Historically, only about 2% of 23andMe’s users have deleted their data, per industry estimates, suggesting most may either trust the system or overlook the risk.

Revoking consent isn’t a one-and-done shield, either. If you opted into research years ago, that data might already be in third-party hands, anonymized but still tied to broad traits. And if a buyer acts fast post-sale—say, transferring data before deletion requests pile up—your window could close. For the proactive, downloading your raw genetic data before deleting (an option 23andMe offers) lets you retain control without leaving it in corporate limbo.

The Stakes: Privacy in a Post-23andMe World

The 23andMe saga lays bare a stark reality: Your genetic data, once handed over, exists in a gray zone where corporate intent, legal gaps, and consumer inertia collide. A buyer can’t do “whatever it wants” in the wildest sense—laws and policies tether their actions—but the restraints are loose enough to worry. The bankruptcy process will reveal the new owner’s identity and agenda. Will it be a research-driven firm honoring opt-ins, or a profit-chaser testing privacy’s edges? Wojcicki’s potential bid might signal continuity, but even she’d face pressure to monetize assets amid $1.2 billion in reported liabilities.

Beyond 23andMe, this moment reflects a broader tension in the genomic age. Companies pitch DNA testing as empowerment—know your roots, your risks—but the fine print hands them enduring power over your biological blueprint. As May 2025 nears, the auction’s outcome will set a precedent for how genetic data fares in corporate distress. For now, if you’ve ever mailed in a saliva tube, your DNA’s destiny hinges on the buyer’s choices—and yours. Deleting your data today might be the surest way to opt out of an uncertain future.

Devin Breitenberg is a legal consultant and senior counsel at Devin Law LLC and legal contributor  for Veritas Expositae.  You can reach her at devin.breitenberg@veritasexpositae.com