23andMe’s bankruptcy announcement on March 23rd triggered urgent calls for customers to delete genetic information and other personally identifiable information from their accounts. California AG Bonta issued a press release on March 21st with the heading, “Californians have the right to direct the company to delete their genetic data” – a full two days prior. The press release provided detailed, step-by-step instructions for deleting genetic data and test samples, and revoking permission for genetic data to be used for research.
Following these steps is helpful. But it won’t guarantee a full purge of genetic information from 23andMe’s systems. The company’s privacy notice says it retains some genetic information to comply with legal obligations and standards. 23andMe may also hold PII and genetic information of people who do not have accounts and cannot avail themselves of AG Bonta’s detailed instructions. “My husband and I aren’t on it, but my mother is, a full sister is, a half-paternal sister, and a son and daughter, plus one of my nieces. Plus some other relatives on my mother’s side,” says Deb Nam-Krane, an Indie Novelist and Climate Organizer based in the US. “So the company could probably build a pretty good profile for me.”
Even if you don’t have an account, or if you follow AG Bonta’s advice and delete your account, some of your genetic data may soon be sold to an unknown buyer.
What’s All The Fuss?
The prospect of highly sensitive genetic, ancestry and account information being sold to an unknown buyer who may use it in ways customers had not anticipated causes anxiety for some. “Contact information can go stale over time: you can always change your password, your email, your phone number, or even your address,” writes Keith Porcaro in the MIT Technology Review. “But a bad actor who has your genetic data—whether a cybercriminal selling it to the highest bidder, a company building a profile of your future health risk, or a government trying to identify you—will have it tomorrow and the next day and all the days after that.”
Charles Outhier, a security professional based in the US, wonders whether a data broker could purchase the data and market it to insurance companies. He avoids these types of services due to privacy concerns, but he’s not sure about blood relatives.
Security concerns are also top of mind. 23andMe had already seen a drop in subscriptions after its October 2023 data breach. The hypothetical buyer’s security capabilities are unknown. Could there be another, more damaging breach?
I asked 23andMe if a foreign buyer could bid on the sale, potentially raising both national security and personal security risks. Bidders will have access to a data room to do their due diligence before they state their price. Even if their bid isn’t successful, this access could impact privacy if they are able to review customer data. 23andMe did not rule out the possibility of a foreign buyer, but explained the sale would be subject to applicable regulatory approvals, including a review by the US Committee on Foreign Investment.
Biden’s Executive Order 14117 titled, “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern” ordered the AG, Department of Homeland Security and other key officials to prevent the sale or transfer of bulk sensitive data to adversarial countries. It is unclear whether the current administration would consider itself bound by a Biden-era EO. Moreover, Signalgate has revealed Trump’s top brass do not routinely adhere to government security measures and may not appreciate the risks.
The court could appoint a Consumer Privacy Ombudsman to ensure privacy concerns are addressed in the bankruptcy proceedings. 23andMe has opposed a CPO appointment. The judge has not yet ruled on that issue, but the bankruptcy proceedings are moving forward. I wrote about this in detail here.
Deleting DNA Samples And Genetic Data Isn’t Easy. It’s Even Harder To Do At Speed And Scale.
23andMe’s IT systems saw a surge in traffic as people scrambled to delete their data, causing technical issues that frustrated their efforts, according to a March 26 BBC News report. The bankruptcy proceedings are on a tight schedule, and time is running out before the sale. 23andMe says fulfilling deletion requests takes 30 days. The deadline for bids is May 7th. The auction is May 14th. The hearing is set for June 17th.
“A sophisticated [privacy] program should have considered and had in place a mechanism to allow en masse deletion,” says Samantha Simms, a Digital Attorney, Strategist and Data Protection Officer Coach based in the Caribbean. “They should have been prescient enough to design the privacy program to allow for this type of risk.”
I spoke with Dr. Krystal Tsosie, an Indigenous Geneticist-Bioethicist and Assistant Professor at Arizona State University, about the practical challenges of processing deletion requests. “Does 23andMe have a mapping of you to that [saliva] specimen? Are there harmonized processes to ensure original consent is respected? How do you recall a sample and data shared with 200+ research groups?” She’s not convinced that a deletion request would be completely fulfilled.
23andMe May Not Delete All Your Data
Even when IT systems and deletion procedures run smoothly, legal loopholes may prevent your data from being fully deleted. Privacy lawyer and self-described “Privacy Cassandra” Carey Lening described her failed efforts to delete her data after learning of 23andMe’s financial woes in her “Privacy Disasters” blog. Lening, who is based in Ireland, compared the privacy notices from 2013, when she had provided her data, and 2019, when she had made her erasure request.
What she found alarmed her. 23andMe had added a section explaining that it or its contracted laboratory would retain some genetic information to comply with standards such as the Clinical Laboratory Improvement Amendments of 1988 (CLIA), which sets minimum retention periods for clinical and diagnostic labs, not direct-to-consumer genetic testing labs. Lening wrote to 23andMe searching for answers and a way to have that data deleted under the EU’s GDPR.
“For what it’s worth, 23andMe never provided any details on whether or not they had copies of my data, whether their laboratory maintained my samples or DNA records, or which laboratory processed that data. This may matter as part of any sale of 23andMe’s assets.”
The March 14, 2025 privacy notice retains that caveat. It states:
“23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth, and sex as required for compliance with applicable legal obligations, including the federal Clinical Laboratory Improvement Amendments of 1988 (CLIA), California Business and Professions Code Section 1265 and College of American Pathologists (CAP) accreditation requirements, even if you chose to delete your account. 23andMe will also retain limited information related to your account and data deletion request, including but not limited to, your email address, account deletion request identifier, communications related to inquiries or complaints and legal agreements for a limited period of time as required by law, contractual obligations, and/or as necessary for the establishment, exercise or defense of legal claims and for audit and compliance purposes.” [Emphasis added].
23andMe explained to me via email that they retain archival files to satisfy laws and standards such as CLIA, and that they securely store de-identified Genetic Information with a randomized identifier, but destroy the sample. “It is important to understand that the retained information is distinct from the genotyped data available within your account and is stripped from registration information. This data has not been processed by our interpretation software to produce your individual-level genotyped data (in your account).”
DNA Is Never Really Anonymous
Dr. Tsosie emphasized that de-identified data is treated differently from PII that is directly identifiable in research and consumer genetic testing contexts. “They have structured rules that disarticulate human consent and once data has become ‘de-identified’ it no longer requires further consent. This is insidious because you’re losing autonomy and agency over what happens to your data to satisfy the sharing terms globally of your data.” It’s not protected under HIPAA, and because it appears less risky, it may give people a false sense of security.
“Truly anonymizing DNA is not really possible,” says Simms. Both individual-level de-identified data and aggregated data can be linked back to identifiable individuals or communities if measures to prevent re-identification aren’t in place. Researchers were sounding the alarm about this in the 2010s when our digital technology was less advanced and there were fewer digital traces to enrich the datasets. With generative AI, drawing inferences and observing patterns is trivial. The “mosaic effect” that arises with the staggering volume of data points circulating online further aggravates the risk.
Dr. Tsosie told me that community privacy risks are a big concern for tribal communities. Because they tend to be smaller, distinct, and underrepresented in the data, it is easier to see patterns that appear to map genetic data to specific tribes. Indigeneity and tribal affiliation are not defined by DNA. Tribes have their own methods for determining tribal membership, as Tsosie explained in her TED Talk, “Our DNA Is Not Our Identity”. But a customer who has no relationship with a particular tribe and then comes to believe they may have some Cherokee ancestry may assume DNA results entitle them to speak on behalf of those communities or benefit from special programs without ever having participated in community life.
Community privacy and individual privacy may intersect where de-identified data shows traits associated with a distinct population, such as a rare disease biomarker. Add distinguishing features, such as above-average age or height, and that person can be singled out from within their community.
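The singling-out effect described above can be measured before a dataset is shared. The following is an added illustration, not part of the original reporting and not 23andMe's code: a k-anonymity check over constructed de-identified records, where the identifiers, attribute names and bands are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample data: every record carries only a randomized identifier,
# as in a "de-identified" release. Nothing here comes from a real dataset.
FIELDS = ("id", "community", "rare_marker", "age_band", "height_band")
ROWS = [
    ("k4d1", "A", False, "30-39", "average"),
    ("p9x2", "A", False, "30-39", "average"),
    ("m2c7", "A", False, "40-49", "average"),
    ("t8q5", "A", False, "40-49", "average"),
    ("b3n6", "B", False, "30-39", "average"),
    ("z1w8", "B", False, "30-39", "average"),
    ("h7r4", "B", True, "30-39", "average"),
    ("v5e9", "B", True, "30-39", "average"),
    ("x9j3", "B", True, "70-79", "tall"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]

# Attributes that are not identifiers on their own but narrow the crowd.
QUASI_IDENTIFIERS = ("community", "rare_marker", "age_band", "height_band")


def equivalence_classes(records, keys):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """Size of the smallest group; k == 1 means someone is unique."""
    return min(equivalence_classes(records, keys).values())


def singled_out(records, keys):
    """Randomized identifiers of records that are alone in their group."""
    classes = equivalence_classes(records, keys)
    return [r["id"] for r in records
            if classes[tuple(r[k] for k in keys)] == 1]


def k_as_attributes_accumulate(records, keys):
    """k after releasing the first 1, 2, ... n attributes together."""
    return [k_anonymity(records, keys[:n]) for n in range(1, len(keys) + 1)]


if __name__ == "__main__":
    print("k per added attribute:",
          k_as_attributes_accumulate(RECORDS, QUASI_IDENTIFIERS))
    print("unique records:", singled_out(RECORDS, QUASI_IDENTIFIERS))
```

A release gate built on this kind of check would withhold or coarsen attributes (wider age bands, dropping height) until no group falls below a chosen minimum size.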
If This Is So Risky, How Is It Legal?
The law often lags behind technology and public sentiment. This gives rise to the “lawful but awful” phenomenon. Porcaro offers a scathing rebuke: “All this is possible because American lawmakers have neglected to meaningfully engage with digital privacy for nearly a quarter-century. As a result, services are incentivized to make flimsy, deceptive promises that can be abandoned at a moment’s notice. And the burden falls on users to keep track of it all, or just give up.” To fix this, he proposes the sale be subject to individual opt-ins, rather than an opt-out model.
But laws are a floor, not a ceiling. “If we are relying on law when it comes to data, we’ve missed a step. We need to be thinking of this in terms of ethics. In terms of what is right for society,” says Simms. “It’s about data ethics. At what point is it okay for a CEO to make a bid for a company whose data they failed to protect in the first place?”
While consumers wait for lawmakers to catch up, they may want to think twice about sharing their most intimate data with companies that are incentivized to treat the data as mere assets to be sold to the highest bidder.