Joyce A. Shelton, Ph.D.
Professor of Biology Emerita
Trinity International University
The direct to consumer genetic testing company 23andMe, has been in bankruptcy. On May19th of this year they announced that they have sold the company and all of its assets to Regeneron Pharmaceuticals for 256 million dollars. This sale means that Regeneron acquires 23andMe’s gigantic genetic databank garnered from approximately 15 million customers. Given the uniquely personal identifying information about themselves and family members that consumers share when they submit their genetic samples to companies like 23andMe, issues surrounding data security and privacy have long been a cause for alarm. Concerns skyrocketed in December 2023 when 23andMe had their database hacked and stolen personal data were published on the dark web. Late last year it became apparent that 23andMe was in serious financial straits, once again raising questions regarding the security and privacy of the massive amounts of personal data (both biometric and infometric) held by this company. In March 2025, 23andMe filed for bankruptcy and began seeking a buyer for the company’s most valuable asset, their giant collection of genetic information. In recent weeks, we at the Tennessee Center for Bioethics & Culture along with many other sources, including government officials and data privacy experts, recognized the dangers inherent in such a transaction and attempted to communicate the mounting urgency for consumers to remove their data as quickly as possible. Many did, but some did not or were not able to before the sale.
What does the acquisition by Regeneron mean for the data privacy of 23andMe’s customers? 23andMe’s main mission was to provide information to consumers about their personal ancestry and potential health problems. As part of their privacy agreement with their customers, it did not share personalized data with third parties. Anonymized data were shared for genetic research purposes only if the consumer explicitly consented. The mission of Regeneron Pharmaceuticals is different. They aren’t just doing research or providing information to consumers. They are in the business of developing new drugs and marketing them. The prevailing concern is this: neither those who provided their genetic profiles to 23andMe, nor their extended families, consented to the use of their data by this new company for these purposes.
In an attempt to reassure the 23andMe customer base, the FTC has advised that consistency with past privacy and security pledges to consumers should be part of the sale of the company and its assets. Both 23andMe and Regeneron have issued press releases regarding the acquisition that acknowledge data privacy as a concern. The CEO and president of Regeneron, George Yancopoulos states that “we have deep experience with large-scale data management, having worked with collaborators around the world to link de-identified DNA sequences from nearly three million consented participants to electronic health records, safely and securely enabling future medical advances.” With respect to honoring data privacy, the press release goes on to say, “Regeneron intends (italics mine) to ensure compliance with 23andMe’s consumer privacy policies and applicable laws with respect to the treatment of customer data.” While Regeneron’s stated good intentions are reassuring to an extent, their own press release goes on to explain that the word intend implies that they are under no obligation to continue this approach indefinitely. Thus, for now, we can only wait and see.
So, do 23andMe consumers have any recourse in light of remaining unresolved uncertainties in the aftermath of the genetic company’s sale? The good news is that there may be help and hope on the way. A bipartisan group of US congressional members has now acknowledged the need to better protect the genetic information of vulnerable American citizens. “Consumers should feel confident that any personal information shared with a public company isn’t up for grabs when that company files for bankruptcy,” said Senator Chuck Grassley. Senator Grassley (R-Iowa), Chair of the Senate Judiciary Committee, is joined by Senators John Cornyn (R-TX) and Amy Klobuchar (D-MN) in introducing a bill in the Senate Judiciary Committee, titled the Don’t Sell My DNA Act which would “amend the federal bankruptcy statute to specifically include protections for genetic information.” The proposed act “would impose restrictions on the use, sale, or lease of personally identifiable information that includes genetic data during bankruptcy proceedings. It specifies that “no use, sale, or lease shall be approved if the personally identifiable information consists, in whole or in part, of genetic information… unless all affected persons, including non-parties, have affirmatively consented in writing to such use.” According to Grassley, “This bill would fill gaps in current law to help safeguard consumers’ genetic information and ensure Americans’ DNA isn’t treated like any other financial asset.” Maybe it is time to contact these senators and thank them for their important efforts and encourage our own state senators to support this much needed bill on behalf of American consumers.