Congress Grills 23andMe Over Privacy Concerns and Genetic Data Sale

TL;DR

Congress recently scrutinized 23andMe over privacy concerns and the sale of genetic data in a Senate hearing. Key issues include data protection, customer consent mechanisms, and potential misuse of genetic information. Customers are advised to manage their data proactively and consider deleting it from 23andMe’s platform.

Main Content

In a recent Senate hearing titled “23 and You: The Privacy and National Security Implications of the 23andMe Bankruptcy,” 23andMe executives faced intense questioning about the privacy implications of the company’s sale and the handling of associated genetic data.

Background on 23andMe’s Sale

In May 2025, 23andMe agreed to sell itself to the pharmaceutical organization Regeneron for $256 million, a deal that included the acquisition of customers’ genetic data. However, in early June, former CEO Anne Wojcicki made a last-minute bid of $305 million through the TTAM Research Institute, a nonprofit she recently established. This move placed 23andMe back on the auction block¹.

Senate Hearing Highlights

Interim CEO Joe Selsavage reported that since the company’s March bankruptcy filing, 1.9 million of the 15 million customers have chosen to delete their data. Committee chairman James Comer emphasized the need to protect Americans’ genetic data from foreign adversaries and other malicious entities².

The committee criticized 23andMe for not adopting an “opt-in” framework for data transfer and for making it difficult for consumers to delete their data. US Representative Suhas Subramanyam suggested that a more prominent “delete my data” option would empower users³.

Privacy Concerns and Implications

Despite multiple requests from committee members, 23andMe executives declined to commit to an opt-in mechanism requiring consumer approval before data transfer. Concerns were raised about the potential misuse of genetic data, including targeted advertising, increased insurance premiums, and restricted access to credit⁴.

23andMe assured the committee that any new owner must uphold the existing privacy policy, which prohibits sharing user data with insurers, employers, public databases, or law enforcement without legal authorization⁵.

What Consumers Can Do to Protect Their Data

Customers are advised to actively manage their data on 23andMe by reviewing policies, deleting data if desired, and staying vigilant about how their genetic information is used. Here are the steps to protect your data:

1. Delete Your Genetic Data from 23andMe
   • Log into your account and navigate to Settings.
   • Under Settings, scroll to 23andMe data and select View.
   • Enter your date of birth for extra security.
   • Choose which personal data to download, then select Permanently delete data.
   • Confirm the deletion request via email.
2. Destroy Your 23andMe Test Sample
   • If you opted to have your saliva sample and DNA stored, you can change this preference under Preferences in your account settings.
3. Revoke Permission for Research Use
   • If you consented to research use, you can withdraw consent under Research and Product Consents in your account settings.

Check If You Were Affected by the 23andMe Data Breach

Customers are also advised to check if their data was exposed in the 2023 data breach. Use the free Digital Footprint Portal to scan for exposed data and take additional protective measures.

For further insights, check out the detailed report on the 23andMe Senate hearing.

References

1. Malwarebytes Labs (2025). “23andMe and its customers’ genetic data bought by a pharmaceutical org”. Malwarebytes. Retrieved 2025-06-11. ↩︎

2. The Guardian (2025). “23andMe CEO bid places company back on auction”. The Guardian. Retrieved 2025-06-11. ↩︎

3. Malwarebytes Labs (2025). “23andMe bankruptcy: How to delete your data and stay safe from the 2023 breach”. Malwarebytes. Retrieved 2025-06-11. ↩︎

4. Malwarebytes Labs (2024). “23andMe blames negligent breach victims, says it’s their own fault”. Malwarebytes. Retrieved 2025-06-11. ↩︎

5. 23andMe (n.d.). “Privacy Statement”. 23andMe. Retrieved 2025-06-11. ↩︎