A growing number of 23andMe users are distancing themselves from the once-popular genetic testing company, as mounting concerns over privacy, data security, and corporate accountability come to a head.
Since filing for bankruptcy protection in March, the company has seen an exodus of trust — and data. Nearly 1.9 million customers, or about 15% of its user base, have asked for their genetic information to be permanently deleted from the company’s servers. That revelation came directly from interim CEO Joseph Selsavage, who testified before the House Oversight Committee this week as lawmakers took a closer look at 23andMe’s recent bankruptcy auction and its broader implications for consumer privacy.
A Company on the Brink — And a Sale That’s Raising Eyebrows
At the heart of the controversy is a $256 million offer from pharmaceutical giant Regeneron, which won the court-supervised auction to acquire 23andMe in May. The deal includes access to the company’s enormous DNA database—containing the genetic information of millions of people who used the service to learn more about their ancestry and health risks.
Regeneron says it plans to use the data to accelerate drug development and has pledged to honor 23andMe’s existing privacy standards. But those reassurances haven’t done much to calm public or political fears. Lawmakers grilled Selsavage about how the company planned to handle consent and whether users’ sensitive health data would be protected in the hands of a new owner.
“It’s not just a business deal,” one lawmaker said during the hearing. “It’s about the trust of millions of Americans who thought they were in control of their own DNA.”
Legal Hurdles: States Push Back
Adding to 23andMe’s troubles, attorneys general from over two dozen states — including heavyweights like New York, Florida, and Pennsylvania — have filed lawsuits seeking to block the sale. They argue that selling user data without direct and renewed consent violates privacy laws and consumer protection standards.
Their stance is clear: just because users agreed to share their DNA with 23andMe under certain conditions, doesn’t mean that agreement extends to a future corporate owner. In the words of one attorney general, “People didn’t sign up to have their genetic data sold off like merchandise at a bankruptcy auction.”
The legal actions aim either to stop the transfer of data altogether or to force much stricter privacy protections should the sale go through.
A History of Breaches and Blame
Trust in 23andMe had already taken a serious hit before the bankruptcy news broke. In late 2023, the company suffered a major data breach that exposed the genetic and personal data of 6.9 million users — nearly half its entire customer base.
Instead of taking responsibility, the company pointed fingers at its users, blaming them for not using stronger passwords or enabling two-factor authentication. The public backlash was swift. Critics said the company failed to implement even basic cybersecurity measures and took far too long to detect the breach. That breach appears to have directly contributed to the growing number of users demanding their data be deleted altogether.
Regeneron’s Promises Aren’t Calming Critics
Even as Regeneron tries to assure lawmakers and the public that it won’t misuse the data, many privacy advocates remain skeptical. Genetic data is among the most personal information a person can share, and its misuse could have lifelong consequences.
Experts point out that incorporating this data into a pharmaceutical company’s research operations opens the door to ethical gray areas. Consent obtained under one set of business practices may not apply under another. And while Regeneron has said it will continue to honor the original privacy terms, critics worry that profit-driven research objectives could eventually override those promises.
“There’s a huge difference between giving your data to a consumer health platform and having it end up in a pharmaceutical company’s pipeline,” said one privacy analyst. “Even if the intentions are good, the incentives are different.”
A Larger Reckoning for the Industry
The unfolding saga of 23andMe is being watched closely across the biotech and consumer genetics industries. The case has become a high-profile test of how genetic data should be handled when companies collapse or change hands — and how much control users really have over the information they’ve already shared.
Lawmakers have already begun floating the idea of stronger federal oversight. Many argue that the rules around collecting, storing, and selling genetic data haven’t kept pace with the rapid growth of at-home DNA testing and bioinformatics. Some are calling for legislation that would require companies to get renewed, explicit consent from users any time data changes ownership or purpose.
“This can’t be a free-for-all,” one member of Congress said. “Genetic data isn’t just another digital footprint. It’s a blueprint of who we are.”
