24-03-2025
As 23andMe files for bankruptcy, what to know about protecting your data in Michigan
San Francisco-based genetic testing firm 23andMe on Sunday announced that it has filed for bankruptcy, leaving customers wondering what will happen to their data and whether they can protect it — or even delete it.
The company explained Sunday in a press release that it has entered a voluntary Chapter 11 restructuring and sale process, saying it intends to continue operations as normal, with no changes to how it stores, manages or protects customer data.
The company also addressed data concerns in an open letter to customers posted Sunday on its blog.
'We remain committed to our users' privacy and to being transparent with our customers about how their data is managed,' the company said. 'Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.'
23andMe conducted ancestry DNR tests for customers, but MSU Extension notes DNA can be used for such things as paternity, genetic disease detection and other reasons.
The company has been dealing with a wave of lawsuits after the personal data of about 7 million customers was accessed by hackers in 2023, compromising data in nearly 6.9 million DNA Relatives and Family Tree profiles.
Leaked data included users' account information, location, ancestry reports, DNA matches, family names, profile pictures, birthdates and more.
The company's privacy statement covers personal information transferred to a new owner after the sale, but "the new entity could simply change the terms of service, including the privacy statement, and people might agree to it without reading these lengthy documents," said Sara Gerke, associate professor of law at the University of Illinois Urbana-Champaign and lead author of the Journal article. "Customers need to be proactive now and be aware of this issue until Congress intervenes to address this problem at the federal level."
The company's consumer agreements offer little comfort, the authors wrote, as the company reserves the right to transfer customer data in the event of sale or bankruptcy, and customers can't fully protect their data from being 'accessed, sold or transferred as part of that transaction.'
The genetic and self-reported data, including saliva samples and questionnaires, held by such companies represent some of people's most guarded information, including family history and health-related data.
But such companies aren't covered under Health Insurance Portability and Accountability Act requirements, the authors of the Journal article said.
'From a legal standpoint, people therefore interact with the company as 'consumers,' not 'patients,'' they wrote. While the Genetic Information Nondiscrimination Act prevents discriminatory use of such information by employers and health insurers, it doesn't cover uses by other parties, nor does it prevent companies like 23andMe from selling people's data.
On March 21, California Attorney General Rob Bonta issued a consumer alert to the state's 23andMe customers given the company's financial distress, reminding them of their right to have their genetic data deleted.
'California has robust privacy laws that allow consumers to take control and request that a company delete their genetic data,' Bonta said. 'Given 23andMe's reported financial distress, I remind Californians to consider invoking their rights and directing 23andMe to delete their data and destroy any samples of genetic material held by the company.'
23andme said it is "committed to continuing to safeguard customer dataand being transparent about the management of user data going forward, and data privacy will be an important consideration in any potential transaction.'
Bonta, who sent out a "consumer alertfor 23andme customers," outlined these steps to delete your genetic data from 23andme:
Log into your 23andMe account on its website.
Go to the 'Settings' section of your profile.
Scroll to a section labeled '23andMe Data' at the bottom of the page.
Click 'View' next to '23andMe Data'
Download your data: If you want a copy of your genetic data for personal storage, choose the option to download it to your device before proceeding.
Scroll to the 'Delete Data' section.
Click 'Permanently Delete Data.'
Confirm your request: You'll receive an email from 23andMe; follow the link in the email to confirm your deletion request.
The company said the data is deleted once a user submits and confirms the request.
According to the 23andme's website, while users can remove their personal information anytime by opting out of the 23andMe data section of account settings, the company is legally required to retain certain information.
"23andMe and/or our contracted genotyping laboratory will retain your Genetic Information, date of birth and sex as required for compliance with applicable legal obligations... even if you chose to delete your account," the company's privacy statement said.
"If you previously opted to have your saliva sample and DNA stored by 23andMe, but want to change that preference, you can do so from your account settings page, under 'Preferences," according to California's attorney general.
This article originally appeared on Lansing State Journal: 23andMe bankruptcy: Is customer genetic data safe in Michigan?
