Introduction

23andMe Holding Co, a prominent biotechnology firm, has faced significant challenges leading to its filing for Chapter 11 bankruptcy protection in March 2025. The company’s struggles stem from declining consumer demand, difficulties in achieving sustainable profits, and a major data breach in 2023. This breach compromised sensitive customer information, resulting in a substantial lawsuit settlement and raising concerns from international regulatory bodies about data protection during the bankruptcy process.

Description

23andMe Holding Co, a biotechnology company that has served approximately 15 million customers since its launch in 2006 [8], filed for Chapter 11 bankruptcy protection in March 2025 due to declining consumer demand and ongoing struggles to achieve sustainable profits. This filing followed a significant data breach in 2023 that compromised the genetic data, health reports, and payment details of millions of customers [3] [5] [9], leading to a $30 million lawsuit settlement. The situation has raised serious concerns from the UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) regarding the handling of sensitive personal information during the bankruptcy proceedings and potential asset sales [2]. On May 1, 2025, both regulatory bodies issued a joint letter to the US trustee overseeing the bankruptcy [10], emphasizing the necessity for compliance with the UK General Data Protection Regulation (UK GDPR) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) [1] [2]. This emphasis is particularly pertinent given the previous data breach.

In response to these concerns [8] [11], the ICO and OPC initiated a joint investigation in June 2024 into 23andMe’s compliance with data protection laws [2], communicating provisional findings to the company, which has the opportunity to respond before final conclusions are drawn [2]. They have underscored the importance of safeguarding highly sensitive information to prevent unauthorized use or misuse, and they expect any potential buyer of 23andMe’s customer data to implement robust security measures against unauthorized access. The letter from the ICO and OPC highlighted that obligations under PIPEDA would remain applicable to personal information held by 23andMe, regardless of any changes in ownership.

On April 29, 2025, a bankruptcy judge appointed a court-approved Consumer Privacy Ombudsman to oversee the management of customer genetic information and security protocols throughout the bankruptcy process [10]. This decision, endorsed by US Bankruptcy Judge Brian Walsh [4] [6] [7] [9], aims to enhance customer protection compared to the previously proposed “data representative.” The ombudsman will assess whether any sale of genetic data complies with federal law and serves the interests of customers [4], reviewing 23andMe’s data handling practices and security policies [6], as well as any potential sale of the company or its data [6] [7] [9]. An initial budget of $300,000 has been allocated for the ombudsman’s activities, with provisions for additional funding as needed [11]. This settlement aims to address concerns regarding the company’s data security practices.

While 23andMe has stated that all potential buyers must adhere to its privacy policy and applicable laws [1], the ICO and OPC have raised concerns about a clause in the privacy policy that allows for changes over time, which could undermine commitments made by purchasers regarding data protection [1]. They reiterated their commitment to investigate and take action against any non-compliance with data privacy laws by 23andMe or any future purchaser [5]. Additionally, concerns have been raised regarding the impact of the bankruptcy on the $30 million class action settlement related to the data breach, with disputes over the settlement’s value now that the company is in bankruptcy [6].

John Edwards, the UK Information Commissioner [1] [2] [3] [5] [9] [10], emphasized the critical importance of protecting customers’ sensitive data during this process, while Philippe Dufresne, the Privacy Commissioner of Canada [1] [2] [3] [5] [9] [10], stressed the need for strict adherence to Canadian privacy laws, especially in light of previous data breaches affecting customer information [3]. The ICO and OPC intend to engage with the ombudsman to ensure that effective data protection measures are implemented throughout the bankruptcy proceedings, reinforcing their readiness to take action against any parties that fail to comply with data privacy regulations.

Legal experts have highlighted the lack of comprehensive federal data privacy laws to protect consumers’ genetic information, noting that existing regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), offer limited protections [8]. In light of these challenges, attorneys general across the country have advised customers who wish to prevent their data from being sold to deactivate their accounts [8]. In Washington State, the My Health My Data Act provides residents with rights regarding their genetic data, including the ability to request deletion and verify data sharing [8]. Concerns remain about how customer data may be used in the future, especially if it is acquired by data brokers or other entities without adequate safeguards in place [8].

Conclusion

The bankruptcy of 23andMe highlights significant challenges in balancing business viability with stringent data protection requirements. The involvement of international regulatory bodies underscores the global implications of data privacy breaches. The appointment of a Consumer Privacy Ombudsman and the ongoing investigations by the ICO and OPC aim to ensure robust data protection measures are in place. However, the situation also reveals gaps in existing federal data privacy laws, prompting calls for stronger legislative frameworks to safeguard sensitive genetic information. As the proceedings unfold, the focus remains on protecting consumer data and ensuring compliance with international privacy standards.

References

[1] https://www.infosecurity-magazine.com/news/uk-canadian-regulators-23andme/
[2] https://www.priv.gc.ca/en/opc-news/news-and-announcements/2025/let23andme250428/
[3] https://www.inkl.com/news/uk-user-data-must-be-protected-during-23andme-bankruptcy-watchdog-says
[4] https://www.livemint.com/companies/news/23andme-agrees-to-back-a-privacy-advocate-for-customer-dna-data-11745957626818.html
[5] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/05/ico-calls-for-protections-for-23andme-customer-data/
[6] https://www.claimsjournal.com/news/national/2025/04/30/330339.htm
[7] https://www.indexbox.io/blog/23andme-agrees-to-court-appointed-oversight-amid-bankruptcy/
[8] https://mynorthwest.com/local/tech-talk-data-23andme/4079727
[9] https://www.freevacy.com/news/reuters/us-court-appoints-genetic-data-ombudsman-during-23andme-bankruptcy/6346
[10] https://www.priv.gc.ca/en/opc-news/news-and-announcements/2025/nr-c250501uk/
[11] https://www.techi.com/23andme-genetic-data-security-bankruptcy-ombudsman/