On March 23, 2025, genetic testing company 23andMe announced it filed for bankruptcy — sparking a firestorm of articles and online posts advising consumers to delete their personal data in order to protect it from ending up in a new, unknown owner's hands.
Major news outlets, including NPR, CNN and The Washington Post, published stories about this; the Post column's headline read "Delete your 23andMe data right now." The Post story said that "unless you take action, there is a risk your genetic information could end up in someone else's hands — and used in ways you had never considered." State attorneys general also issued alerts on social media and government websites calling on users to delete their private information.
Calls for users to delete their genetic information from 23andMe's databases actually began months earlier, prompted by signs of trouble at the company. However, some online voiced skepticism that 23andMe's process for users to delete their data would actually protect their information. "Until I see HOW they handle data deletion, it's not deleted," one Redditor said; an X user said deleting accounts "may or may not" protect privacy.
In the company's letter announcing its bankruptcy sale, it said customers "still have the ability to delete their data and 23andMe account" and "the filing does not change how we store, manage, or protect customer data."
However, privacy and data experts said it is impossible to verify whether the company's data deletion process is secure — meaning that simply requesting that the company delete your account and destroy DNA samples doesn't mean your information is 100% protected in the case of a sale. Still, experts recommend consumers request 23andMe delete their data using the company's processes, as it is the only method of protection available as of this writing.
The company's bankruptcy sale letter said 23andMe will "look to secure a partner who shares in its commitment to data privacy." 23andMe's privacy statement notes that if the company is "involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction."
23andMe did not respond to a request for comment as of this writing.
Possibility for human error, data hacks and leaks
Instructions for directing 23andMe to delete personal data are available on the company's website and in a consumer alert issued in March by California Attorney General Rob Bonta. Following these instructions is "harm reduction," said Albert Fox Cahn, an attorney and director of the privacy rights group Surveillance Technology Oversight Project.
"There's no reason not to do it, but it only gives me very modest peace of mind," Cahn said.
Privacy laws vary state by state — but Cahn said the company would be risking "serious litigation" if it deliberately kept people's data after a deletion request. What's more likely, he said, is an accidental situation, like data leaking during a transfer to another owner or deletion requests falling through the cracks. Mike Cobb, chief information officer and director of engineering at data recovery company DriveSavers, agreed.
"This type of sensitive data changing hands has a real chance of human error," Cobb said. He added that the only thing consumers can do at the moment, however, is trust that the company will delete their personal information when directed.
Cobb said there are certain controls companies can use to ensure a "very good chance" that sensitive data doesn't end up in the wrong hands, including audits conducted by independent entities, storing server information in-house and automating the deletion process, rather than having a human manually delete accounts.
23andMe did not respond to detailed questions about its privacy controls; the company does use a third-party auditor but it is unclear if it only audits its finances, not its privacy protections.
"We would hope that they have been responsible, and they continue to be responsible with the customer's very, very private information," Cobb said,
The company has already dealt with data leaks before; in 2023, hackers stole information users chose to share with their DNA matches, affecting millions of people. The hack appeared to target users with Ashkenazi Jewish and Chinese heritage; lawmakers raised concerns that it "could be used by foreign governments, hate groups, and other bad actors to discriminate and target minority groups." 23andMe's reported website crash could also exacerbate chances for human error, Cobb said.
Cobb and Cahn also warned that third parties may already have access to information voluntarily shared by consumers and the company.
"We already know that there's already been so much genetic data that's accessed — not just through 23andMe but through things like GEDmatch, which pulls on 23andMe and other DNA data sources," Cahn said, referencing a DNA comparison database used by consumers and law enforcement. "To some extent, the genetic horse is out the barn."
Who has 23andMe shared your data with?
In 23andMe's full privacy statement, the company said it shares personal information with service providers and contractors who help the company with order fulfillment, processing and analyzing samples, customer care support, cloud storage, marketing and analytics, and more.
Consumers may direct the company to share personal information with anyone, including third party services like social networks, applications and services like GEDmatch. 23andMe warns consumers that if they do choose to share information with a third party, they may use the information "differently than we do under this Privacy Statement."
23andMe also has an opt-in research program, in which customers may share genetic information with scientists, nonprofit organizations, pharmaceutical companies and more. While genetic data shared in this fashion is supposed to be shared without any identifying information, 23andMe's research consent page notes there is "a very small risk that someone could get access to your Personal Information (information that can be used to identify you) without your permission in the event of a privacy breach."
Even if the genetic data shared is stripped of "identifying information," as 23andMe said, according to Cahn, it is incredibly difficult to make a DNA profile truly anonymous. Cahn compared trying to anonymize DNA to supposedly anonymous GPS data — just taking someone's name off their location data, for example, does not hide the fact that the person is moving from their home address, work address and other places they frequent.
"There's not much folks can do if this data gets out. When you're dealing with a security breach, when you're dealing with a hacker, you can change your social security number, you can even change your name. You can't change your DNA," Cahn said. "Biometric data breaches pose a truly unique threat, because there isn't really a way to mitigate the harm."