
Immediate Recommendation

All customers of 23andMe and similar genetic testing companies, as well as individuals who have family members who are customers of these services, should:

  1. Download your genetic data immediately.
  2. Delete your data directly via the company’s website.
  3. Send a legally binding data deletion request.

Please continue reading to understand why this action is critical and how to proceed with data deletion. The potential for significant data misuse means we may not yet have witnessed the worst-case scenario.

Unforeseen Privacy Risks

23andMe, once a leading pioneer of direct-to-consumer genetic testing, recently shocked the industry by filing for bankruptcy. Founded in the mid-2000s, 23andMe soared in popularity, selling saliva-based DNA tests that unveiled customers’ ancestry breakdowns and potential health risks. Over 15 million people worldwide used 23andMe, drawn by the promise of connecting with relatives and discovering hidden parts of their family history. 

Yet this trove of genetic data also posed serious privacy risks. Customers entrusted 23andMe with not only their DNA but also their names, birthdates, geographic details, and often health survey data. Because genetic information is essentially impossible to change, a breach of this data can have lifelong consequences. Worse, 23andMe’s policies aren’t governed by strict health privacy laws like HIPAA in the United States; instead, the company’s privacy pledges rest mainly on its user agreements, which can change over time.

Another largely unrecognized privacy threat concerns relatives who never consented to testing. Genetic data is shared among family members, so by submitting their saliva, your relatives also reveal parts of your and your children’s genetic profile. Researchers have shown it takes only a relatively small database to identify the majority of individuals of European descent by cross-referencing DNA markers. That means even non-customers are indirectly exposed.

A History of Negligence

The company’s history of data breaches highlights how vulnerable this information can be. In late 2023, a credential-stuffing attack compromised about 6.9 million customers’ data, including partial ancestry details, personal demographics, and family connections. Raw DNA files weren’t publicly released, but the breach exposed extremely sensitive information. Attackers listed entire swaths of profiles for sale on the dark web—some grouped by ethnicity—raising concerns about discrimination, financial scams, or even identity theft. Most alarmingly, many people’s data was harvested simply because they appeared in someone else’s DNA Relatives match list.

Public confidence in 23andMe plummeted after this breach, and the company struggled to recover. With growth stagnating in the DNA test kit market—largely a one-time purchase—23andMe’s revenue began to stall. Its stock price, which had soared during an earlier IPO, tanked. Despite layoffs and an aborted attempt to pivot to drug development, 23andMe ultimately filed for Chapter 11 bankruptcy in March 2025. The company listed over 15 million genetic profiles in its database in its court filings—potentially one of its most valuable assets.

Now, 23andMe’s financial woes place user data at even greater risk. In bankruptcy sales, user data is viewed as an asset that can be transferred to new owners who might see commercial value in monetizing that information in various ways. The company’s terms of service explicitly state that genetic data may be transferred if 23andMe is sold or restructured—an unsettling reality for anyone who assumed their DNA would never leave the original custodians’ hands.

Take Action

The Attorney General of California has issued an urgent alert instructing 23andMe customers to delete their data and have their genetic samples destroyed. The alert contains step-by-step instructions on how to do this via the 23andMe website. You should follow these instructions now, even if you are not a California resident. In addition to the steps in the alert, we recommend sending 23andMe a legally binding data deletion request. Sending such a request will give you additional legal recourse if the company does not fully comply with your request. You can send 23andMe a data deletion request via the following link:

Broader Implications 

These events underscore a broader warning about consumer genomics. Similar companies such as AncestryDNA, MyHeritage, FamilyTreeDNA, and Living DNA also gather large volumes of deeply personal data from millions of users. Each business sets its own rules for data usage, retention, and sharing. If you share your genetic profile—on purpose or via a relative—truly securing that data can be complex. Law enforcement agencies have already leveraged some databases to identify crime suspects through distant relatives, stirring debate over genetic privacy rights. If you are a customer of any one of the companies listed above, please consider deleting your data as well. Here are the links:

In hindsight, 23andMe’s bankruptcy is a cautionary tale: It reminds us that genetic data is profoundly sensitive, and handing it over to a private company is a significant act of trust. If that company falters financially or is sold to a third party, your personal information might end up in unfamiliar hands. Above all, it is a reminder that we can never know up front where our personal information, once shared, will end up, what other data it will be joined with, or all the ways in which it can be used against our interests.

Do not delay—protect yourself by deleting your genetic data immediately via the company’s website and sending a formal data deletion request.

Yoav Aviram
