Consumer Alert: Protecting Genetic Data Amid 23andMe's Financial Distress

In recent weeks, California Attorney General Rob Bonta has issued an urgent consumer alert to customers of 23andMe, a leading genetic testing and information company. The alert comes as 23andMe faces significant financial challenges, raising concerns about the security and privacy of the sensitive genetic data it holds for millions of customers. This article delves into the implications of 23andMe's financial situation, the rights of consumers under California law, and the steps individuals can take to protect their genetic data.

Background: 23andMe's Financial Situation

23andMe, a South San Francisco-based company, has been a pioneer in direct-to-consumer genetic testing since its launch in 2007. It allows users to submit saliva samples to learn about their ancestry and genetic makeup. However, the company has recently reported substantial doubt about its ability to continue operations due to financial distress15. This uncertainty has sparked concerns about what might happen to the vast amount of genetic data it holds if the company were to be sold, restructured, or file for bankruptcy4.

Consumer Rights Under California Law

California has robust privacy laws that empower consumers to control their personal data, including genetic information. The Genetic Information Privacy Act (GIPA) and the California Consumer Protection Act (CCPA) provide Californians with the right to request the deletion of their genetic data and biological samples from companies like 23andMe12. These laws are designed to protect sensitive consumer data and ensure that individuals have control over how their genetic information is used and stored.

Steps to Protect Genetic Data

Given the current situation, Attorney General Bonta is urging Californians to consider exercising their rights under these laws. Here are the steps consumers can take to protect their genetic data:

  1. Delete Genetic Data:
    • Log into your 23andMe account on their website.
    • Navigate to the “Settings” section of your profile.
    • Scroll to the “23andMe Data” section at the bottom of the page.
    • Click “View” next to “23andMe Data.”
    • Download your data if you wish to keep a copy.
    • Scroll to the “Delete Data” section and click “Permanently Delete Data.”
    • Confirm your request via an email link sent by 23andMe12.
  2. Destroy Biological Samples:
    • If you previously opted to have your saliva sample stored, you can change this preference in your account settings under “Preferences”12.
  3. Revoke Consent for Research Use:
    • If you consented to allow your genetic data to be used for research, you can withdraw this consent from the account settings page under “Research and Product Consents”12.

Concerns and Future Implications

The potential sale or bankruptcy of 23andMe raises significant concerns about data security and privacy. Genetic data is highly sensitive and valuable, making it a prime target for unauthorized access or misuse. If 23andMe's assets were to be sold, there is a risk that the new owner might not adhere to the same privacy standards, potentially leading to data breaches or unauthorized use of genetic information4.

Moreover, the use of genetic data for research purposes, while beneficial for scientific advancements, can also raise ethical concerns. For instance, genetic information could be used in ways that individuals did not initially consent to, such as identifying genetic markers for specific traits or conditions4.

Cyber Attacks on 23andMe and Implications of DNA Hacking

23andMe, a leading genetic testing company, has faced significant cybersecurity challenges, including a major data breach in 2023. This breach highlights the vulnerabilities of genetic data and the broader implications of DNA hacking on privacy and security.

Recent Cyber Attack on 23andMe

In October 2023, 23andMe confirmed a data breach affecting approximately 6.9 million users. The breach was attributed to a credential stuffing attack, where hackers used exposed credentials from other breaches to access 23andMe accounts. The compromised data included ancestry information and, in some cases, health-related genetic data128.

Key Details of the Breach:

  • Method of Attack: Credential stuffing, using exposed credentials from past breaches.
  • Data Compromised: Ancestry information, health-related genetic data, and personal details like names and locations.
  • Number Affected: Approximately 6.9 million users, primarily through the "DNA Relatives" feature.
  • Response: 23andMe implemented mandatory two-factor authentication and reset passwords for all users238.
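A defender's view of the attack method listed above, as an added example that is not from the original article or from 23andMe: credential stuffing tends to appear in login logs as one source trying many distinct accounts with a low success rate. The log format, thresholds, addresses and account names below are constructed assumptions. Real campaigns often spread attempts across many source addresses, so a per-source heuristic like this is only one signal.

```python
from collections import defaultdict

# Constructed sample login log (not real data): "timestamp source_ip account result"
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-10-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2023-10-01T10:00:03Z 203.0.113.7 carol@example.com OK
2023-10-01T10:00:04Z 203.0.113.7 dan@example.com FAIL
2023-10-01T10:00:05Z 203.0.113.7 eve@example.com FAIL
2023-10-01T10:00:06Z 203.0.113.7 frank@example.com FAIL
2023-10-01T10:03:10Z 198.51.100.20 grace@example.com FAIL
2023-10-01T10:03:25Z 198.51.100.20 grace@example.com OK
2023-10-01T10:05:00Z 198.51.100.21 heidi@example.com OK
"""

def parse(log):
    """Yield (source_ip, account, succeeded) for each well-formed line."""
    for line in log.strip().splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2], parts[3] == "OK"

def detect_stuffing(log, min_accounts=5, max_success_ratio=0.3):
    """Flag sources that try many distinct accounts and mostly fail.

    Returns {source_ip: sorted accounts that source logged in to}; those
    accounts are the candidates for forced password reset and 2FA enrollment.
    """
    tried, opened = defaultdict(set), defaultdict(set)
    attempts, successes = defaultdict(int), defaultdict(int)
    for ip, account, ok in parse(log):
        tried[ip].add(account)
        attempts[ip] += 1
        if ok:
            successes[ip] += 1
            opened[ip].add(account)
    flagged = {}
    for ip, accounts in tried.items():
        ratio = successes[ip] / attempts[ip]
        if len(accounts) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = sorted(opened[ip])
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

A user who mistypes a password once and then logs in (the 198.51.100.20 lines) is not flagged, because only one account is involved.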

Implications of DNA Hacking

DNA hacking and breaches like the one at 23andMe have profound implications for privacy and security:

  1. Privacy Concerns:
    • Genetic Data Sensitivity: Genetic data is highly personal and sensitive, revealing information about health risks, ancestry, and familial connections.
    • Interconnected Data Risks: Genetic data can be linked with other personal information to create detailed profiles, potentially leading to discrimination or identity theft69.
  2. Potential Misuse:
    • Insurance and Employment Discrimination: Genetic data could be used to deny insurance coverage or employment based on predispositions to certain conditions411.
    • Surveillance and Blackmail: Unauthorized access to genetic data could facilitate surveillance or blackmail, exploiting sensitive health information11.
  3. Security Measures:
    • Enhanced Protections: Companies should invest in robust security measures like advanced encryption and multi-factor authentication to protect genetic data11.
    • Regulatory Frameworks: Stricter regulations are needed to ensure companies handle genetic data securely and transparently11.

Future Directions

In response to these challenges, there is a growing need for:

  • Consumer Awareness: Individuals should be aware of the risks associated with genetic testing and take steps to protect their data, such as regularly reviewing privacy settings and using strong, unique passwords.
  • Technological Innovations: The use of technologies like blockchain could enhance data security by providing decentralized and transparent data storage solutions.
  • Regulatory Oversight: Governments and regulatory bodies must establish clear guidelines for the handling and protection of genetic data to prevent future breaches and ensure accountability.

By addressing these challenges, we can better safeguard genetic data and mitigate the risks associated with DNA hacking.

Conclusion

As 23andMe navigates its financial challenges, it is crucial for consumers to be aware of their rights and take proactive steps to protect their genetic data. California's robust privacy laws provide a framework for individuals to control their sensitive information, and Attorney General Bonta's consumer alert serves as a timely reminder of these protections. By understanding and exercising these rights, consumers can ensure that their genetic data remains secure and is used in accordance with their wishes.

Citations:

  1. https://oag.ca.gov/news/press-releases/attorney-general-bonta-urgently-issues-consumer-alert-23andme-customers
  2. https://oag.ca.gov/news/press-releases/attorney-general-bonta-urgently-issues-consumer-alert-23andme-customers
  3. https://abc7news.com/post/california-ag-rob-bonta-reminds-23andme-customers-delete-data/16065969/
  4. https://news.harvard.edu/gazette/story/2025/03/what-happens-to-your-genetic-data-if-23andme-collapses/
  5. https://www.sfchronicle.com/bayarea/article/ag-bonta-reminds-23andme-customers-right-delete-20234995.php
  6. https://transcend.io/blog/cpra-vs-ccpa
  7. https://twitter.com/MarshaCollier/status/1903506468332294491
  8. https://calmatters.digitaldemocracy.org/bills/ca_202320240sb1250
  9. https://legiscan.com/CA/text/SB26/id/3029649/California-2025-SB26-Introduced.html
  10. https://www.sacbee.com/news/politics-government/capitol-alert/article302597434.html
  11. https://news.ycombinator.com/item?id=43447421
  12. https://www.mintz.com/insights-center/viewpoints/2826/2021-10-19-californias-senate-bill-41-genetic-information-privacy
  13. https://www.gov.ca.gov/2024/12/30/new-in-2025-protecting-consumers/
  14. https://www.consumeraffairs.com/news/23andme-users-may-want-to-delete-data-as-company-faces-financial-trouble-032225.html
  15. https://legiscan.com/CA/text/SB1250/id/2930762
  16. https://library.nclc.org/article/new-consumer-law-rights-taking-effect-2025
  17. https://www.abc10.com/article/news/local/california/california-rob-bonta-23andme-genetic-dna/103-650ef24c-fa47-412e-bd4f-1400d9d76297
  18. https://www.hinshawlaw.com/newsroom-updates-cyber-bytes-privacy-law-essentials-california-gipa.html
  19. https://cppa.ca.gov/announcements/2024/20241217.html
  20. https://www.youtube.com/watch?v=CmHCyduhukM
  21. https://itss.ucsd.edu/news/Pages/New-State-Laws-Relating-To-Genetic-Data-Privacy-and-Security.aspx
