23andMe raked by Congress on privacy, sale of genetic data

In a Senate hearing adequately titled “23 and You: The Privacy and National Security Implications of the 23andMe Bankruptcy,” 23andMe executives addressed concerns about the privacy implications of the company’s sale and the handling of associated genetic data.

For those who missed the latest developments, in May 2025, we reported that 23andMe had agreed to sell itself to the pharmaceutical organization Regeneron for $256 million. In that agreed sale, Regeneron was also going to acquire the genetic data of 23andMe’s customers. But in early June, 23andMe’s former CEO Anne Wojcicki put forth a last-minute bid of $305 million, throwing Regeneron’s purchase into question, and placing 23andMe itself back on auction.

The bid was made through the TTAM Research Institute, a nonprofit medical research organization recently set up by Wojcicki.

We explained earlier how consumers could (and why they maybe should) delete their genetic data from 23andMe. Apparently, people listened. Interim CEO Joe Selsavage said at the hearing that since the company’s March bankruptcy filing, 1.9 million of the company’s 15 million customers have chosen to delete their data.

Committee chairman James Comer said in opening remarks:

“It is imperative that 23andMe … ensure there is absolutely no legal or illegal way for foreign adversaries or anyone else to access or manipulate and abuse Americans’ genetic data to advance their nefarious agendas.”

The urgency of the matter, undoubtedly enhanced by the way 23andMe has handled data sales and breaches in the past, lies in the impending sale of the company.

The committee criticized the company for failing to model the potential transfer of customers’ genetic data in the upcoming sale with an “opt-in” framework, and ruled that 23andMe made it too cumbersome for consumers to delete the data—23andMe’s biggest asset in the sale.

US Representative Suhas Subramanyam of Virginia said:

“If there simply was a ‘delete my data’ page or button somewhere more prominent then I think it would be easier for a lot of people to feel that control.”

During the hearing, interim CEO Selsavage and former CEO Wojcicki repeatedly declined to commit to establishing a customer opt-in mechanism, specifically one that would require consumers’ approval before their data could be sold and transferred to a new owner, despite multiple requests from committee members.

Beyond the threat of genetic data falling into foreign hands, many raised concerns that the sale could enable targeted advertising aimed at individuals with mental health conditions, drive up insurance premiums, or restrict access to credit.

23andMe assured the committee that regardless of who wins the auction, the company will not be sold to any entity unless it agrees to uphold the existing privacy policy.

23andMe’s privacy statement tells users that any new owner must adhere to its existing data protection guidelines, which include not providing user data to insurers, employers, public databases, or law enforcement without a court order, search warrant, or subpoena.

What can consumers do to protect their data?

Customers should actively manage their data on 23andMe by reviewing policies, deleting data if desired, and staying vigilant about how their sensitive genetic information is used.

People that have submitted samples to 23andMe have three different options, each providing a different level of privacy.

1. Delete your genetic data from 23andMe

For 23andMe customers who want to delete their data from 23andMe:

• Log into your account and navigate to Settings.
• Under Settings, scroll to the section titled 23andMe data. Select View.
• You will be asked to enter your date of birth for extra security.
• In the next section, you’ll be asked which, if there is any, personal data you’d like to download from the company (make sure you’re using a personal, not public, computer). Once you’re finished, scroll to the bottom and select Permanently delete data.
• You should then receive an email from 23andMe detailing its account deletion policy and requesting that you confirm your request. Once you confirm you’d like your data to be deleted, the deletion will begin automatically, and you’ll immediately lose access to your account.

2. Destroy your 23andMe test sample

If you previously opted to have your saliva sample and DNA stored by 23andMe, but want to change that preference, you can do so from your account settings page, under “Preferences.”

3. Revoke permission for your genetic data to be used for research

If you previously consented to 23andMe and third-party researchers using your genetic data and sample for research, you may withdraw consent from the account settings page, under Research and Product Consents.

Check if you were caught in the 23AndMe data breach

Additionally, you may want to check if your data was exposed in the 2023 data breach. We recommend that you run a scan using our free Digital Footprint Portal to see if your data was exposed in the breach, and then to take additional steps to protect yourself (we’ll walk you through those).

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.