Congress Critiques 23andMe on Privacy Practices and Sale of Genetic Data

During a recent Senate hearing titled “23 and You: The Privacy and National Security Implications of the 23andMe Bankruptcy,” executives from 23andMe addressed significant concerns regarding the privacy ramifications associated with the company’s impending sale and the management of related genetic data.

In May 2025, it was reported that 23andMe had reached an agreement to be acquired by the pharmaceutical organization Regeneron for $256 million, which also included the acquisition of the genetic data of its customer base. However, by early June, former CEO Anne Wojcicki placed a last-minute bid of $305 million, casting doubt on the Regeneron transaction and putting the company back on the market.

This bid was facilitated through the TTAM Research Institute, a newly established nonprofit medical research entity founded by Wojcicki.

In previous communications, we highlighted the importance for consumers to consider deleting their genetic data from 23andMe. The interim CEO, Joe Selsavage, disclosed at the hearing that since the March bankruptcy filing, 1.9 million out of the company’s 15 million customers have chosen to erase their data.

Committee chairman James Comer emphasized the critical nature of the situation, stating:

“It is imperative that 23andMe … ensure there is absolutely no legal or illegal way for foreign adversaries or anyone else to access or manipulate and abuse Americans’ genetic data to advance their nefarious agendas.”

The urgency surrounding this matter is heightened by 23andMe’s previous data handling practices, which have raised concerns, particularly in light of the forthcoming sale. The committee criticized the company for not implementing an “opt-in” framework for the potential transfer of customer genetic data in the sale and noted the difficulties consumers face in deleting their data—23andMe’s most valuable asset in the transaction.

Representative Suhas Subramanyam expressed:

“If there simply was a ‘delete my data’ page or button somewhere more prominent then I think it would be easier for a lot of people to feel that control.”

Throughout the hearing, both Selsavage and Wojcicki refrained from committing to the establishment of a customer opt-in mechanism that would require consumer consent prior to the sale and transfer of their data, despite numerous requests from committee members.

Concerns were raised beyond the potential exposure of genetic data to foreign entities; many feared that the sale could lead to targeted advertising based on individuals’ mental health conditions, increased insurance premiums, or limited access to credit.

23andMe assured the committee that any future buyer must commit to upholding the current privacy policy, ensuring that the case principles regarding user data protection remain intact.

According to 23andMe’s privacy statement, any new owner will be required to comply with existing data protection measures, which include prohibiting the provision of user data to insurers, employers, public databases, or law enforcement without proper legal orders.

Recommendations for Consumer Data Protection

Customers are encouraged to take proactive measures regarding their data on 23andMe by reviewing company policies, deleting data if they choose, and maintaining vigilance over the usage of their sensitive genetic information.

Individuals who have submitted samples to 23andMe have the following options for varying degrees of privacy:

1. Delete Genetic Data

• Log into your account and go to Settings.
• Locate the section titled 23andMe data and select View.
• Enter your date of birth for additional security verification.
• Indicate any personal data you wish to download (ensure you are on a personal, not public, computer). At the bottom of the page, select Permanently delete data.
• You will subsequently receive an email requesting confirmation of your deletion request, which will initiate the process to remove your data and access to your account.

2. Destroy Your Test Sample

If you had previously opted to store your saliva sample and DNA with 23andMe and wish to revoke that preference, this can be done through the account settings under “Preferences.”

3. Revoke Research Consent

If you had consented to 23andMe and associated researchers utilizing your genetic data for research purposes, you may withdraw consent via the account settings under Research and Product Consents.

Assessing Exposure from the 2023 Data Breach

It’s prudent to verify whether your data was compromised in the 2023 data breach. Customers are advised to utilize tools to assess any exposure resulting from this incident and take appropriate steps for additional protection.

Cybersecurity is paramount in today’s digital landscape. Safeguarding your and your family’s personal information is essential, utilizing available identity protection resources to mitigate risks associated with potential data breaches.