Genetic Data Lottery: Concerns Over 23andMe’s Financial Health and the Future of User Data

https://pixabay.com/illustrations/dna-heritage-genetics-biology-7094406/

In 2006, the genetic genealogy giant, 23andMe, was born. Their mission was to democratize genetics, providing customers with access to their genealogical and health information in a digestible way. The process is simple–users pay a fee, provide a saliva sample, and in a few weeks they receive a report that includes personalize information about their ancestry, inherited traits, and risks for certain diseases

Eventually 23andMe entered the drug development and licensing business using customers genetic information for pharmaceutical research. This research is done through profitable agreements with biotech companies that use 23andMe’s database to conduct their work. Somewhere along the way, the long game for the business became less about making money on DNA kits, and shifted to being the “Google of personalized healthcare.” 

However, as the company grew, so did concerns over what they were doing with user health data. But the company continuously stressed that their model was opt-in, meaning users must explicitly consent to the use of their information for research (notably, the company has an ~80% opt-in rate). Additionally, users may choose to opt-out at any time. Less transparent is a disclaimer in 23andMe’s Privacy Statement which says that personal information may be accessed, sold, or transferred if the company is involved in bankruptcy, mergers, acquisitions, reorganizations, or sale of assets. 

It’s this loophole that has caused a stir with the news of 23andMe’s burgeoning financial problems. At its peak, the company was worth $6 billion dollars. But the company’s business model, which relies on collecting information from one-time sales of genetic tests, and a 2023 data breach have decreased the value of the genealogy giant to less than $100 million as of January 2025. In 2024, it became apparent that the situation was dire when the entire board, save the founder and CEO, Anne Wojcicki, resigned and the company laid off 40% of its employees as a part of a restructuring plan.

These financial woes have piqued the interest of those in the data privacy world. Many are wondering what will happen to 23andMe’s most valuable asset: the genetic data of its 15 million users. While the current revenue model seemingly isn’t working, it isn’t hard to imagine that another party would be willing to pay a premium to get ahold of 23andMe’s consumer genetic database. Others have voiced concern over law enforcement gaining access to this information following the capture of the Golden State Killer using a similar genetic database.

Financial woes have piqued the interest of those in the data privacy world. Many are wondering what will happen to 23andMe’s most valuable asset: the genetic data of its 15 million users.

Consumers largely rely on the promises of companies like 23andMe when it comes to their privacy practices. This is because the current regulatory scheme surrounding health data is patchy at best. Federal laws like the Health Insurance Portability and Accountability Act (“HIPAA”) don’t touch companies like 23andMe because they are not considered covered entities under the law. Additionally, only 20 states have passed laws that would address misappropriation of user health data, and these tend to vary in their comprehensiveness and protection.

Past attempts at a comprehensive federal privacy regime have failed to make it to the finish line. Most recently the American Privacy Rights Act of 2024 (“APRA”) was introduced into the House of Representatives where it failed to go any further in the legislative process. Even though it was unsuccessful, there is reason to be optimistic about the bipartisan effort as a signal that these issues are on the Congressional radar. While 23andMe has continued to reiterate that user privacy is a top priority, there is cause for concern about how their priorities may change if the financial health of the company continues to decline. Notably, 23andMe hit the news again in January 2025 when it was reported that they were “exploring strategic alternatives,” including a sale of the company, sale of assets, or a restructuring after previously saying they would not consider a takeover. Legislators should take note of the potential risks posed by companies that gather health data from users and slip through the regulatory cracks. But with no comprehensive federal legislation on the horizon, 23andMe users should keep an eye on what the company’s next moves are and take appropriate action to protect their genetic data.

Kalee D. Nelson

Kalee attended NC State University for college, where she majored in Political Science with a concentration in Law and Justice. Kalee is a second-year law student, where she serves as a staff member on the North Carolina Journal of Law and Technology, a member of Women in Law, and a member of OutLaw.