WASHINGTON — Legal and security experts warned of potential privacy concerns for 23andMe customers arising from the looming sale of the struggling firm during a Senate Judiciary Committee hearing Wednesday morning. 

What You Need To Know

  • Legal and security experts warned of potential privacy concerns for 23andMe customers arising from the looming sale of the struggling firm during a Senate Judiciary Committee hearing Wednesday morning

  • Harvard Law School professor and bioethics expert I. Glenn Cohen called on the company to go back to customers and ask if they agreed to have their data transferred to another company as part of a sale, which 23andMe is seeking court approval to complete after filing for bankruptcy

  • Founded in 2006, the company is seeking court-approval to sell its assets, including the genetic data of more than 13 million customers, who had submitted their saliva to 23andMe for testing of genetic traits, ancestry and health risks

  • While 23andMe’s interim CEO said that the company was making bidders agree to comply with its consumer privacy policy and all applicable laws, Sen. Dick Durbin, D-Ill., pointed out that the protections would not necessarily apply if the company is sold again

“The main privacy protection for those customers is just a promise the company has made in its privacy statement not to share information voluntarily with insurance companies, employers or public databases or with law enforcement agencies without a valid subpoena, search warrant or court order,” Harvard Law School professor and bioethics expert I. Glenn Cohen testified. “But if you read more closely, the privacy statement provides much less protection than it appears to.”

Cohen called on the company to go back to customers and ask if they agreed to have their data transferred to another company as part of a sale, which 23andMe is seeking court approval to complete after filing for bankruptcy.

Joseph Selsavage, 23andMe’s interim CEO, said he would bring that suggestion back for review but contended that the company has the right to sell the data because customers signed off on it as part of the larger agreement when submitting their DNA. 

Founded in 2006, 23andMe is seeking court approval to sell its assets, including the genetic data of more than 13 million customers who had submitted their saliva to the company for testing of genetic traits, ancestry and health risks. The company also conducted health research and drug development with DNA of customers who granted separate consents.

“Protecting our consumers’ data and their privacy and their consent as part of this process is a large consideration,” Selsevage said in reply to Sen. Chuck Grassley, R-Iowa, who asked about if 23andMe's aim of protecting data was in tension with its goal of maximizing profits for creditors and shareholders. “It’s not just accepting the highest dollar amount for the assets.”

In March, 23andMe filed for Chapter 11 bankruptcy protection in the Eastern District of Missouri — a move that followed an announcement that it would lay off 40% of its workforce, or more than 200 employees, in November. Prior to that, the genetics of nearly 7 million customers were exposed in a 2023 data breach.

Regeneron Pharmaceuticals said last month it is seeking to buy the company for $256 million, but the court overseeing the bankruptcy proceedings reopened the sale after TTAM Research Institute, which was founded by 23andMe co-founder and former CEO Anne Wojcicki, placed a $305 million bid.

While Selsavage said that 23andMe was making would-be buyers agree to comply with the company's consumer privacy policy and all applicable laws, Sen. Dick Durbin, D-Ill., pointed out that the protections would not necessarily apply if 23andMe is sold again.

"There's little to guarantee that the next buyer or the one after that won't abuse that policy," Durbin said.  

On Monday, 27 states and Washington, D.C., filed a lawsuit seeking to block the sale of personal genetic data without customer consent. 

“The magnitude of the data in this proposed sale stretches far beyond the 23andMe consumers, impacting those who have no awareness of the sale as well as humans who do not even exist yet,” plaintiffs wrote.

Selsavage said that after the sale was announced, about 1.3 million of its estimated 15 million users requested that their data be deleted, leading to the site being swamped and the company needing to bring in more staff.

The interim CEO said throughout Wednesday’s hearing that customers could delete their 23andMe accounts and all of their data should submit a request.

The interim CEO said throughout Wednesday’s hearing that customers could delete their 23andMe accounts and should submit requests if they want their data deleted.

But Sen. Josh Hawley, R-Mo., concluded the Judiciary Committee proceeding by pointing to fine print that seemed to say otherwise. 

A staffer brought out a poster board with the text that read, “23andMe and/or our contracted genotyping laboratory will retain your Genetic information, date of birth, and sex as required for compliance with applicable legal obligations” and noted that this was even if customers chose to delete their accounts. 

Selsavage then admitted the company retained some information but not genetic data. 

“Nothing is worse than taking the personal identifiable information of American consumers and keeping it and lying to them about it while you make a huge profit off of it,” Hawley said.