Privacy, Consent, and National Security After the 23andMe Bankruptcy
The sale of 23andMe’s DNA database underscores the need to ban the transaction of Americans’ genetic data as a corporate asset.

Published by The Lawfare Institute
In March, 23andMe, once heralded as a revolutionary consumer genetics company, filed for Chapter 11 bankruptcy protection. Within weeks, pharmaceutical giant Regeneron Pharmaceuticals placed a bid to purchase the genetic database—containing profiles from over 15 million individuals—for over $250 million in a court-supervised auction. However, in a final twist, TTAM Research Institute (TTAM), a nonprofit owned by the former CEO of 23andMe, Anne Wojcicki, acquired 23andMe’s DNA database for $305 million. While TTAM has pledged to uphold privacy standards and comply with existing data protection laws, the sale has triggered urgent questions about what legal safeguards, if any, exist to protect Americans’ most intimate biological information.
This moment presents a crucial inflection point in data governance, one that demands a clear legal response. Existing privacy, bankruptcy, and bioethics frameworks are ill-equipped to handle the transfer of sensitive genetic data through bankruptcy courts, leaving individuals vulnerable to privacy invasions, discriminatory misuse, and national security risks. Policymakers should prohibit the commodification and sale of DNA data during bankruptcy proceedings, recognizing that genetic information is unique, immutable, and deeply personal. Otherwise, the 23andMe sale may set a dangerous precedent—treating DNA like any ordinary corporate asset and eroding public trust in genetic research and data stewardship.
Genetic Data as a Unique and Inherently Shared Category
Unlike traditional personally identifiable information (PII) such as names or Social Security numbers, genetic data is biologically immutable and inherently familial. A single individual’s DNA sequence reveals information not just about themselves but also about their biological relatives. In this way, the privacy implications of genetic data are relational: Sharing your genome means sharing parts of your parents’, your children’s, and your siblings’ genomes as well.
Moreover, even “de-identified” genetic data has been shown to be easily re-identifiable. Research has demonstrated that anonymized genomic information can often be linked back to individuals when combined with public databases or genealogical tools. The sensitivity and identifiability of this data means that once exposed, it cannot be revoked or changed.
This creates a significant legal challenge. U.S. data protection laws generally focus on individual consent and ownership. But DNA is not purely individual—it is unchangeable and communal. Unlike credit card numbers or email addresses, which can be changed if compromised, genetic data is permanent and biologically shared. Its exposure implicates entire family trees. U.S. laws have yet to fully grapple with this distinctiveness, leaving a gap in protections for this especially sensitive category of information.
Bankruptcy Law and the DNA Loophole
Under current bankruptcy law, most customer data is treated as an asset that may be transferred or sold. Section 363(b)(1)(B) of the Bankruptcy Code imposes some restrictions on the sale of PII, such as names, Social Security numbers, and financial account details. Specifically, if a debtor has a privacy policy that restricts the transfer of such information and the proposed sale would be inconsistent with that policy, the sale can proceed only if a consumer privacy ombudsman is appointed and the court determines that the sale does not violate consumer privacy interests. However, the statute does not explicitly include genetic information within its scope, creating ambiguity about how, or whether, DNA data should be protected in these transactions.
This gap has come under heightened scrutiny as lawmakers and state officials raise urgent concerns about the 23andMe sale. Last month, the U.S. House Committee on Oversight and Government Reform held a hearing titled “Securing Americans’ Genetic Information: Privacy and National Security Concerns Surrounding 23andMe’s Bankruptcy Sale.” Lawmakers from both parties grilled Wojcicki about the company’s past data breaches, its failure to provide clear deletion options to consumers, and the risk that adversarial foreign entities could gain access to Americans’ DNA data through the sale. That same day, 28 state attorneys general filed suit in federal bankruptcy court to block the transfer of genetic data without explicit customer consent, arguing that 23andMe lacked legal authority to treat biological samples and genotype data as freely transferable assets. The outrage over the 23andMe DNA data sale has resulted in bipartisan support for increased genetic data privacy protections, with several senators co-sponsoring the Don’t Sell My DNA Act.
The current bankruptcy framework, however, prioritizes efficiency and creditor recovery. It treats corporate assets, including customer data, as fungible. This approach allows for the swift and unencumbered transfer of data to new owners, which proponents argue is essential for preserving business value and ensuring predictable outcomes for investors and creditors. From this perspective, providing enhanced protection for data like genetic information would diminish its market value, complicate restructuring efforts, and potentially force liquidations, ultimately harming all parties involved.
This commercial expediency fails to account for the unique, immutable, and profoundly sensitive nature of genetic data, which transcends the definition of a typical corporate asset. Importantly, corporate assets are anything—tangible or intangible—that create value for the business whether now or in the future. Generally, this includes things like inventory, intellectual property, trademarks, and customer lists—resources that can be valued, sold, and replaced without lasting personal consequence. In contrast to traditional corporate assets, however, genetic data is permanent and links a person and their ancestors. It cannot be changed, revoked, or siloed to affect only one person. Treating such deeply personal data as a commodity ignores the ethical and legal implications of its misuse or exposure.
DNA data exposure carries severe and irreversible risks. Leaked genetic information can lead to discrimination in employment, insurance, and housing, despite legal protections like GINA (the Genetic Information Nondiscrimination Act) that have notable gaps. It can be exploited to reveal predispositions to medical conditions, mental health disorders, or substance use—all without the individual’s consent. In some cases, law enforcement or foreign actors could use this data to identify individuals or their relatives, raising surveillance and national security concerns. Because genetic data cannot be changed once exposed, these harms are permanent. Therefore, treating DNA as a mere commodity in bankruptcy proceedings represents a critical oversight, ignoring its ethical implications and the urgent need for tailored legal safeguards that prioritize human dignity and security over conventional asset liquidation.
In response to this regulatory oversight, a bipartisan coalition of senators introduced the Don’t Sell My DNA Act, which would add genetic information to the definition of PII under the Bankruptcy Code. The bill requires written notice and reaffirmative consent before any transfer of genetic data, and mandates deletion of data not subject to a sale. While the bill is a critical step forward, its introduction amid an ongoing bankruptcy underscores the reactive nature of current policy.
Without statutory protection, consumers are left reliant on the original company’s privacy policy. Those policies often contain boilerplate clauses allowing transfer of data during a sale or bankruptcy. In other words, a click-through agreement from a decade ago may now serve as legal justification for the transfer of your genetic blueprint to an entirely new entity. This raises issues of consent.
The Case for Re-consent
Informed consent is a cornerstone of data ethics and medical research. It requires not only disclosure of how data will be used but also that individuals understand and voluntarily agree to such uses. There is a long-standing debate over whether users actually understand what they are consenting to when signing service agreements.
In the context of 23andMe, users were asked to accept terms of service at the point of purchase. Those terms of service include sharing DNA data with third parties, including nonprofit foundations, academic institutions, or pharmaceutical companies, for users who opt in. The terms of service also include selling personal information following bankruptcy, merger, or acquisition.
But in the event of a fundamental change in company ownership and purpose, there are rarely mechanisms to revisit consent. Unlike research institutions governed by institutional review boards (IRBs), direct-to-consumer genetics companies operate with minimal oversight from regulatory bodies like the Food and Drug Administration that are tasked with regulating health products. In contrast, university research must comply with IRB standards such as ensuring that research involving human subjects meets ethical standards, minimizing risks, ascertaining that informed consent is truly voluntary, and protecting vulnerable populations. An IRB, for example, would typically require researchers to explain how genetic data will be secured or mandate that participants can withdraw from a study at any time. But these protections are often absent in commercial genetic testing contexts.
Calls for re-consent are not novel. Ethicists and data protection scholars have long warned that one-time agreements are insufficient to protect enduring, sensitive data. Simply put, users cannot foresee how their data might be used in the future or by a company they may not anticipate acquiring it. Given the limited nature of the average consumer’s understanding of service agreements, re-consent mechanisms should be triggered by material changes in data ownership such as corporate acquisition, data repurposing, or entry into new partnerships. Re-consent mechanisms recognize that circumstances change, trust erodes, and the goals of new data stewards may diverge sharply from the expectations users had when they first provided their genetic samples. Asking users to re-consent gives them the opportunity to affirm or revoke that trust—to say, plainly, “absolutely not,” if the new terms no longer align with their values or comfort level.
Some observers may argue that when customers agreed to 23andMe’s terms of service they gave explicit consent for the transfer of 23andMe user data. From this perspective, these terms are legally binding contracts that clearly outline how data will be handled, including provisions for data transfer during significant business events. This reduces the inquiry to a matter as simple as whether the user clicked “agree” to the user agreement. If yes, then there is a binding contract—full stop. In this view, any conversation about re-consent represents an attempt to unilaterally change the established rules of engagement, undermining contractual agreements and introducing an unpredictable element into business operations and asset valuations.
But this argument oversimplifies the concept of informed consent in the context of genetic data. An agreement with one company is simply insufficient to cover the possibility of perpetually transferring immutable biological information, because the context, actors, and purposes surrounding that data can fundamentally change. A user may have trusted 23andMe’s original mission, governance, or privacy safeguards, but that trust does not automatically extend to an unknown acquirer with different incentives or operational practices. Treating consent as a one-time checkbox ignores the evolving nature of data stewardship and undermines the autonomy of individuals whose genetic material is at stake.
As a society, the U.S. has deemed other forms of data worthy of additional safeguards due to their sensitive nature. For example, the U.S. imposes enhanced privacy around medical records, limits the transfer of student data under federal education laws, and regulates companies’ ability to collect data on children. These elevated standards reflect a broader ethical consensus: Not all data can be treated the same under the law. The transfer of DNA data—deeply personal, permanent, and familial—should be no exception, especially in defense of human dignity.
A National Security Risk in the Making
Beyond privacy and ethics, the sale of vast genetic databases poses serious national security concerns. The U.S. Department of Defense has previously warned service members against using direct-to-consumer genetic kits, citing the risk of surveillance, blackmail, and other operational threats. Adversarial nations or malicious actors could potentially access genetic databases to identify individuals with military ties, uncover their familial networks, or exploit genetic predispositions to medical or psychological conditions. Such data could be used for targeted misinformation campaigns, coercion, or even tailored biological threats. When this type of sensitive information is transferred without strict safeguards, it becomes a national defense vulnerability—not just a privacy issue.
In 2023, 23andMe experienced a massive data breach affecting nearly 7 million users, with hackers reportedly targeting individuals of Chinese and Ashkenazi Jewish descent. These users’ genetic data was exploited to target them maliciously. Better funded and more nefarious actors could potentially go even further, developing genetically tailored bioweapons to target any human population.
While the fundamental arguments for human dignity and robust individual privacy are ethically paramount, the pragmatic and often politically salient threat to national security may ultimately hold the greatest sway with lawmakers. Policymakers frequently respond more decisively to clear and present dangers to state interests than to abstract ethical principles. Sadly, that may even be the case when the discussion is the commodification of the human genome.
Consider the hypothetical: If Regeneron or TTAM were a Chinese-owned company, the decision to block the sale of 23andMe’s genetic database would likely be simple, swiftly framed as an undeniable national security imperative. Politically, lawmakers from both parties have shown a willingness to act quickly and decisively when foreign adversaries are involved, particularly China, due to growing bipartisan concern over surveillance and data exploitation. Legally, such a transaction would trigger a review by the Committee on Foreign Investment in the United States (CFIUS), which has the authority to scrutinize and block foreign acquisitions of U.S. companies if they pose a threat to national security. In recent years, CFIUS has increasingly focused on deals involving access to sensitive personal data, including health and genetic information. The current dilemma, involving a U.S.-based acquirer, is more complex precisely because it lacks this clear “foreign adversary” trigger, even though the underlying risks to Americans’ genetic privacy may be just as grave.
Indeed, congressional hearings have raised alarms about the possibility that hostile foreign actors could gain access to genetic databases either directly or through partnerships and investments. Regardless of whether the purchasers were domestic or foreign, two concerns present a sobering reality. First, the privacy implications and security concerns remain whether it is a foreign or domestic entity acquiring DNA data. And second, if a precedent is set allowing genetic data to be treated like any other asset in bankruptcy proceedings, it opens the door for future transfers to virtually any buyer, including foreign entities. To be sure, companies like 23andMe have long brokered access to genetic data, such as through their partnership with GSK, but the bankruptcy context is uniquely troubling because it removes meaningful consumer agency, bypasses re-consent, and permits sensitive data to change hands under financial duress with minimal oversight or transparency.
Setting a Dangerous Precedent
The 23andMe bankruptcy sale may become the first of many such transactions as the digital health sector consolidates and interest in the intersection of AI and health continues to grow. If DNA data is treated like any other corporate asset, future buyers could include data brokers, insurers, or surveillance technology companies. This would not only undermine consumer trust but also erode foundational bioethical principles that govern research and health data collection. It could deter individuals from participating in genetic testing or research altogether, chilling scientific progress. It risks widening disparities in health outcomes, as marginalized communities, already distrustful of the health industry, may be even less likely to engage. And it invites a marketplace in which deeply personal biological information is monetized without safeguards, accountability, or meaningful consent. It signals to the public that their most personal information—their genetic identity—is subject to market forces and private interests without adequate oversight.
In legal terms, the commodification of genetic data through bankruptcy proceedings reflects a structural misalignment: The United States’s commercial laws were not built to handle sensitive biometric and biological data. Treating DNA as property to be bought and sold like office furniture or software licenses reflects a deep failure to recognize the unique nature of the human genome.
Recommendations and Legal Reform
The Don’t Sell My DNA Act is a start to genetic privacy protection, ensuring that genetic data is classified as PII under the Bankruptcy Code. But this is only the beginning.
Congress should:
- Establish a federal data privacy law that includes heightened protections for genetic, biometric, and health-related data in the era of artificial intelligence.
- Create a general consumer right to delete, allowing individuals to request the permanent deletion of their personal data, including genetic, biometric, and health-related information, from both first-party companies and third-party data processors. This right should include enforceable timelines (e.g., 30 days to comply), require companies to confirm deletion, and authorize the Federal Trade Commission (FTC) and state attorneys general to investigate and penalize noncompliance through civil fines and injunctive relief.
- Require companies handling genetic data to undergo independent audits and ethics reviews conducted by qualified third-party organizations, such as certified data privacy auditors or accredited bioethics review boards. These entities should be approved or registered with a federal agency like the FTC or the Department of Health and Human Services to ensure consistency, accountability, and public trust.
- Establish a permanent consumer genetic data ombudsman for any bankruptcy or merger proceedings involving sensitive health data. In bankruptcy law, courts may appoint an ombudsman to evaluate and protect consumer privacy when personally identifiable information is being sold or transferred. A dedicated genetic data ombudsman would ensure that consumers’ genetic and health information receives heightened scrutiny and ethical oversight during financial restructurings, preventing harmful transfers and advocating for re-consent, deletion rights, and responsible data stewardship before any sale or merger is approved.
Federal regulators, including the FTC and the Department of Health and Human Services, must also clarify the applicability of existing consumer protection and medical privacy laws to genetic databases and push for standardized safeguards. The FTC has taken some action, such as bringing enforcement against companies that failed to adequately protect genetic data. However, these actions have been piecemeal and reactive, relying on general consumer protection authority rather than clear, enforceable rules specific to genetic information. Without comprehensive standards and proactive oversight, critical gaps remain in how genetic data is handled, transferred, and safeguarded, particularly in high-risk contexts like bankruptcy or corporate acquisition.
***
The acquisition of 23andMe by TTAM is not just another corporate transaction. It is a profound challenge to how we define and defend personal identity in the digital age. As data becomes central to global power, profit, and governance, our existing legal and ethical structures for protecting genetic information are woefully inadequate.
DNA is more than data. It’s the very code of life itself, a detailed record of our ancestry, a map of our medical vulnerabilities, and an intimate heritage passed down through generations. Allowing its transfer without meaningful consent, robust oversight, or sufficient protection means the U.S. ignores the hard-won wisdom of bioethics and the stark warnings of history. Congress now has an urgent window to enact vital protections before the damage becomes irreversible. The fundamental choice facing us is whether we will treat genetic data as a mere commodity to be traded, or as a foundational aspect of personhood that demands unparalleled legal and ethical safeguards.