23andMe’s 2023 Data Breach and Contradictions in Current Regulatory Frameworks

July 9, 2025

Author:

Eric Schaefer

In 2023, 23andMe experienced a data breach that exposed the genetic information of nearly seven million of its customers (DeGeurin, 2024). The breach severely damaged 23andMe’s reputation and contributed to the company filing for bankruptcy on March 23, 2025. The attackers specifically targeted data belonging to particular ethnic groups; individuals of Chinese and Ashkenazi Jewish heritage were among those singled out (Carballo et al., 2024). Customers who identify with one of these groups could be at risk of hate crimes if their genetic data is sold to an actor with ill intent. A further critical question is what happens to users’ data if 23andMe is sold to an outside party or undergoes a merger or acquisition, even when the user has already requested deletion. 23andMe is headquartered in Sunnyvale, California, so the State of California has jurisdiction over the company. I argue that California should enact a law explicitly preventing third parties from accessing users’ de-identified genetic data without their consent.

With respect to users’ genetic data, the California Consumer Privacy Act (CCPA) and the California Genetic Information Privacy Act (GIPA) give customers the right to have their identifiable genetic information deleted from 23andMe on request (California State Legislature, 2021). However, the federal Clinical Laboratory Improvement Amendments (CLIA) of 1988 limit this right by requiring laboratories to retain users’ de-identified genetic data for regulatory purposes. Under CLIA, 23andMe’s genotyping laboratories must keep an archive of users’ de-identified genetic information for a set retention period (typically two years) for compliance (Dubiniecki, 2025). So while California law ensures that identifiable genetic information can be deleted, no California legislation currently and explicitly prevents de-identified genetic data retained for regulatory purposes from being accessed by a third party.

I propose that California enact a state law requiring laboratories in the state to obtain a user’s consent before transferring de-identified genetic data to a third party or retaining it beyond the period that regulation requires. If no consent is given, the laboratory must destroy the user’s de-identified genetic data once the regulatory retention period ends. The biotech industry might resist this policy because it wants to use 23andMe users’ de-identified genetic information for research and profit, but the individuals whose data it is have privacy rights.

This policy would lower the risk that a user’s de-identified genetic data is exploited by a third party for financial gain. A potential trade-off is that it may narrow the pool of genetic data available to pharmaceutical and biotech companies for research and development, potentially slowing innovation. Even so, the proposed policy would be a meaningful step towards stronger data rights. In turn, that could encourage consumers to share information more willingly, knowing they will have a greater say over how companies can use it.

Sources

California State Legislature. (2021). Senate Bill No. 41: Privacy: genetic testing companies. Chapter 596. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202120220SB41

Carballo, R., et al. (2024, Jan 26). 23andMe breach targeted Jewish and Chinese customers, lawsuit says. The New York Times. https://www.nytimes.com/2024/01/26/business/23andme-hack-data.html

DeGeurin, M. (2024, Feb 15). Hackers got nearly 7 million people’s data from 23andMe. The firm blamed users in a very dumb move. The Guardian. https://www.theguardian.com/technology/2024/feb/15/23andme-hack-data-genetic-data-selling-response

Dubiniecki, A. (2025, Mar 31). Deleting your 23andMe account? Some data could still be sold. Forbes. https://www.forbes.com/sites/abigaildubiniecki/2025/03/31/deleting-your-23andme-account-some-data-could-still-be-sold/