As 23andMe navigates bankruptcy proceedings, the fate of 15 million users' genetic information hangs in the balance. In a March 31, 2025 letter, FTC Chairman Andrew Ferguson expressed concern and requested the court ensure any asset sale maintains the company's privacy commitments. The move raises a key question: what happens to sensitive genetic data (and promises to protect it) when its custodian goes bankrupt?
The Fallout from 23andMe’s Bankruptcy
23andMe’s bankruptcy follows years of financial instability, exacerbated by a 2023 data breach that exposed nearly seven million profiles. On March 24, California Attorney General Rob Bonta issued a consumer alert urging Californians to invoke their rights under the Genetic Information Privacy Act and California Consumer Privacy Act to delete their data and destroy stored biological samples. New York AG Letitia James echoed this warning. Following these announcements, the 23andMe website login portal went down as customers rushed to delete their data.
The FTC's Intervention
Ferguson's letter emphasizes that 23andMe's promises to safeguard user data—genetic profiles, health records, and biometric samples—must remain binding on any purchaser under Section 363(b)(1) of the Bankruptcy Code. This intervention reflects the FTC's continued efforts on genetic privacy protection, following settlements with CRI Genetics (2023), 1Health/Vitagene (2023), and Genelink (2014) over deceptive advertising and poor data security practices.
Risks of Genetic Data Misuse
Genetic information is among the most sensitive data a business may handle, and safeguards should be designed accordingly. Unlike passwords or credit cards, genetic data is immutable. Unauthorized collection or processing of genetic data could enable insurance or employment discrimination (e.g., denial of coverage based on predispositions), identity theft, targeted scams using personal health insights, or the sale of data to pharmaceutical firms or marketers.
Business Takeaways
The FTC’s letter establishes that bankruptcy courts must treat privacy promises as material covenants, not disposable assets. Ferguson draws on representations made by 23andMe, whether in its privacy statement, public statements, or consent forms, and urges the court to “protect users’ interests by ensuring that their data and personal information will be used consistent with 23andMe’s promises.” The message is clear: Businesses may be temporary, but privacy promises are forever. Companies handling sensitive data should carefully craft privacy commitments with an eye toward long-term sustainability, as these promises will bind both current operations and any future corporate transitions.