ABSTRACT
In March 2025, 23andMe, the flagship direct-to-consumer (DTC) genetic testing company, filed for bankruptcy. Just like that, the genetic information of 15 million customers was up for sale to the highest bidder, creating a firestorm of reactions from the public, media, state attorneys general, and legislators warning of the dire outcomes that could arise from the sale of such sensitive data. The warnings seemed reasonable as federal law does little to protect consumers from the widespread sale and misuse of their genetic data.
Yet, in retrospect, the public concerns and media frenzy could potentially be seen as excessive given the outcome. The winning bidder in the 23andMe bankruptcy was TTAM. This new non-profit entity, owned by the cofounder and former CEO of 23andMe, has promised to retain the employees of the original entity and continue to offer the same genetic services. The end result of the bankruptcy is perhaps viewed by some as not so bad—customer data will end up under control of essentially the same company, with the same employees, the same service models, and a new (old) owner.
However, the bankruptcy saga has laid bare significant gaps in genetic privacy. This paper explores the recent history of 23andMe’s bankruptcy to look to the future of genetic privacy law and policy. 23andMe is by no means the first DTC company to change hands or put genetic data up for sale. It isn’t even the first genetic testing company to file for bankruptcy. It certainly won’t be the last company to seek to sell millions of genetic profiles. As the 23andMe bankruptcy highlights, the current, weak notice-and-choice model of genetic privacy is insufficient to protect the sensitive data of consumers.
It does not have to be this way. We cannot let the seemingly good outcome in this bankruptcy obscure underlying gaps in law and policy. The DTC industry has built itself relying on the trust of millions of customers, yet when it comes to the privacy of sensitive information, this ‘trust’ in the field is largely one-sided because companies do not have commensurate legal obligations that parallel customer expectations. Just as trust is all about relationships, so too is privacy. Just as privacy law can be strengthened through incorporation of trust principles, so too can genetic privacy be bolstered. The DTC industry should be regulated through a trust-based model where the obligations of the companies match the expectations and trust of their consumers. Under quasi-fiduciary duties imposed by a trust-based model, honesty, discretion, protection, and loyalty, companies would be required to be more trustworthy stewards of sensitive genetic data and specimens – a framework that would more robustly address concerns regarding the sale and sharing of genetic data, deletion rights, and the expectations of consumers.
Prince, Anya, Genes For Sale! (July 18, 2025), Emory Law Journal (Forthcoming); University of Iowa Legal Studies Research Paper No 2025-29.
Leave a Reply