California Attorney General Rob Bonta has reminded customers of struggling biotech firm 23andMe of their right to direct the deletion of their genetic data.
These rights fall under California’s Genetic Information Privacy Act (GIPA) and the California Consumer Protection Act (CCPA).
The public advisory, published on the State of California Department of Justice’s website on March 21, followed the California-based company's public report that it is in financial distress and doubt surrounding its ability to continue as a going concern.
Two days later, 23andMe announced that it had filed for Chapter 11 bankruptcy protection in the US to initiate the sale of its assets.
Mark Jensen, Chair and Member of the Special Committee of the Board of Directors, said in a statement: “After a thorough evaluation of strategic alternatives, we have determined that a court-supervised sale process is the best path forward to maximize the value of the business.”
On March 24, 2025, CEO and Co-Founder Anne Wojcicki announced on X she has resigned as CEO and intends to be an independent bidder for the firm’s ownership.
23andMe’s Data Breach, Board Shakeup and Major Restructuring
The announcement follows a series of significant setbacks for 23andMe. After its initial public offering (IPO) in 2021, which saw the company reach a valuation of up to $6bn, the company struggled to gain investor confidence, failing to turn a profit and saw its market capital steadily decline.
To address the situation, a board of independent directors was formed in March 2024. In July, Wojcicki submitted a proposal to take the company private again.
The offer was rejected and the seven directors resigned in September, 2024.
At the same time, in March 2024, the company agreed to pay a $30m settlement to the victims of a 2023 data breach while denying “any wrongdoing whatsoever.”
The data breach resulted in the exposure of genetic data for 6.9 million users, including 6.4 million in the US.
The firm also agreed to bolster its security in the wake of the incident, including mandatory multifactor authentication (MFA), protection against credential stuffing and annual audits.
At the end of 2024, the company announced the layoff of 40% of its 200-employee workforce as part of a restructuring effort.
Customers’ Right Over 23AndMe Data
In his advisory, Attorney General Bonta said California’s GIPA and the CCPA grants Californian customers of 23AndMe permission to:
- Delete their genetic data from 23andMe
- Revoke permission for their genetic data to be used for research
- Destroy their 23andMe test sample
According to Tilo Weigandt, COO and Co-founder of Vaultree, the user data handled by 23andMe is sensitive genetic and health-related information, which is considered special category data and receives the highest level of protection under the EU’s and UK’s General Data Protection Regulation (GDPR).
Like Attorney General Bonta, Weigandt believes 23andMe customers in the UK and the EU should:
- Review the privacy policy and past consents they gave to 23andMe
- Exercise their right to data erasure if they no longer wish for their data to be retained or transferred
- Monitor announcements from data protection agencies across the EU and the UK or any future communications regarding the sale or restructuring of 23andMe
Despite the ongoing uncertainty surrounding the firm, on March 24, 23andMe said that it “remains open for business, and there are no changes to the way we store, manage or protect customer data.”
The company is currently valued at approximately $48.56m.
Photo credits: JHVEPhoto/Victor Moussa/Shutterstock