By Jeffery P. Drummond, Lee B. Hunt, and John M. Jackson

Since its 2006 founding, 23andMe’s (the “Company”) service of collecting, analyzing, and reporting customers’ genetic information has raised privacy concerns among many. Worsening those concerns, the Company filed for bankruptcy protection in a Missouri federal court in late March 2025. A statement posted to its website confirmed the Company’s intent to sell “substantially all of its assets” through the bankruptcy process,^[1] including the genetic profiles of approximately 15 million of its customers, which could potentially be among its most valuable.

A sale to the highest bidder of such a novel and personal asset raises a multitude of questions, the most obvious being, “What can I do if I am a 23andMe customer and don’t want my DNA profile sold?”

Attorneys General Weigh In

Since news of the bankruptcy and pending auction broke, a number of states’ attorneys general have been advising their citizens of the Company’s bankruptcy and the vulnerability of their genetic information. Universally, these attorneys general remind citizens of their ability to encourage or require deletion of their 23andMe data and account in a timely manner. Many states have laws regulating data collection, use, security, and disclosure by direct-to-consumer genetic testing companies and/or mandate consumers’ ability to access and delete data, including California’s Genetic Information Privacy Act (Cal. Civ. Code § 56.18-56.186 (2023)) and Virginia’s Genetic Data Privacy law (Va. Code Ann. § 59.1-593 (2021)). Texas is no different.

Texas’ “Direct-to-Consumer Genetic Testing Companies; Rights Regarding DNA” law provides consumers a property right in and the exclusive right of control over a biological sample they submit to genetic testing companies, and the results or analysis thereof. Tex. Bus. & Com. Code Ann. § 503A.003. Further, the results of genetic testing are confidential and may not be disclosed to another without the individual’s express consent. Id. Consistent with this property interest and right of control, companies like 23andMe are obligated to provide a process for consumers to access and delete their account, all genetic data, and their biological sample. Tex. Bus. & Com. Code Ann. § 503A.005(c).

Regarding the Company’s transfer of genetic data to a purchaser, Texas law requires that the Company seek “an individual’s separate express consent” before the transfer or disclosure of an individual’s genetic data to any person other than the company’s vendors and service providers or the use of genetic data for a purpose other than the primary purpose for which it was provided. Tex. Bus. & Com. Code Ann. § 503A.006(a)(1). This alone would seem to hinder the Company’s ability to transfer your data without seeking your approval first. After all, the purchaser of the Company’s 15M DNA profiles is probably not a “vendor or service provider.” However, it may not be this simple. The Company’s current terms of service authorize “23andMe, its contractors, successors, and assignees” to analyze your submitted sample and disclose the results to those you approve.^[2] Whether this constitutes the consent required under Texas law is unclear.

Taking Action to Protect Your Data

While the legal relationship between personal identifying information and privacy rights isn’t novel, the specifics of this case make it unique. Further, the attention it is garnering from state governments and citizens alike suggests that state judiciaries and legislatures may look to strengthen data privacy protections for consumers. But what can be done now to protect you if you’re a 23andMe customer and you don’t want your data transferred?

Just as many attorneys general, the attorneys of Jackson Walker urge our clients to understand their rights to control their personal genetic information. Should you wish to delete your account and genetic data and revoke your permissions, consider doing the following:

To Delete Your Data and Account

If you wish to permanently delete your Genetic Data from 23andMe:

1. Log into your 23andMe account on their website.
2. Go to the “Settings” section of your profile.
3. Scroll to a section labeled “23andMe Data” at the bottom of the page.
4. Click “View” next to “23andMe Data.”
5. Download your data: If you want a copy of your genetic data for personal storage, choose the option to download it to your device before proceeding.
6. Scroll to the “Delete Data” section.
7. Click “Permanently Delete Data.”

Additional information is available here: Requesting 23andMe Account Closure – 23andMe Customer Care

To Revoke Permissions

Customers who allowed the Company and third parties to use genetic data and samples for research may withdraw their consent for such use by visiting the account settings page under “Research and Product Consents.”

To Require Destruction of Your Test Sample

Customers who provided a saliva sample to 23andMe may have previously opted in to the Company storing their samples and DNA. You may revoke this by visiting the account settings page under “Preferences.”

Note that time may be of the essence. Some state laws provide a window by which a direct-to-consumer testing company must respond to your request. For example, Virginia law requires deletion within thirty days of the request. A request received less than thirty days before the sale might not be executed by the time the sale occurs. Further, as more consumers begin deleting their accounts, the value of the asset may begin to fall. That may encourage the Company to hold the auction as soon as legally permissible.

If you have questions or concerns about this or other matters of data privacy and protection, please contact Lee B. Hunt, Jeff Drummond, or John Jackson.

[1] https://investors.23andme.com/news-releases/news-release-details/23andme-initiates-voluntary-chapter-11-process-maximize; last visited 03/28/2025.

[2] https://www.23andme.com/legal/terms-of-service/full-version/; last visited 03/28/2025.

The opinions expressed are those of the authors and do not necessarily reflect the views of the firm, its clients, or any of its or their respective affiliates. This article is for informational purposes only and does not constitute legal advice. For questions, please contact a member of the Intellectual Property practice.

Meet Jeff

Jeffery P. Drummond represents hospitals, physicians, laboratories, surgery centers, and other healthcare providers in transactional and regulatory matters. He is best known for his experience in HIPAA and medical record privacy, as well as other data privacy and security issues. Since 2002, Jeff has written a weblog on HIPAA matters at HIPAABlog.blogspot.com, and he regularly tweets about HIPAA @JeffDrummond. In recognition of his practice, Jeff has been recognized among The Best Lawyers in America in the area of Healthcare Law since 2018 and has been ranked in Texas for Healthcare by Chambers USA: America’s Leading Lawyers for Business.

Meet Lee

Lee B. Hunt focuses his practice on intellectual property, entertainment law, alcoholic beverage law, internal investigations, and general commercial litigation in both state and federal courts. Lee has experience in a wide range of intellectual property matters, including copyright and trademark clearance, protection, registration, licensing, anti-counterfeiting and enforcement, infringement actions, trademark cancellations, oppositions, and appeals before the Trademark Trial and Appeal Board (TTAB) and in federal court. Additionally, Lee offers guidance on IP transactional and litigation issues related to domain names, publicity rights, branded entertainment, digital rights, marketing and advertising campaigns, and software.

Meet John

John M. Jackson has represented clients in patent litigation and complex commercial litigation matters in federal and state courts throughout the country, and in the International Trade Commission (ITC). He has represented clients in patent infringement lawsuits involving software, internet applications, consumer electronics, oil drilling technology, mechanical devices, chemical compositions, and business methods. In addition to his intellectual property practice, John co-chairs the Firm’s Cybersecurity Litigation Group and counsels clients concerning data privacy issues. He has earned certification as a Certified Information Privacy Professional (CIPP/US) and a Certified Information Privacy Manager through the International Association of Privacy Professionals.