23andMe is potentially selling more than just genetic data – the personal survey info it collected is just as much a privacy problem
- Written by Kayte Spector-Bagdady, Associate Professor of Obstetrics and Gynecology, University of Michigan
 
As soon as the genetic testing company 23andMe filed for bankruptcy[1] on March 23, 2025, concerns about what would happen to the personal information contained in its massive genetic and health information database were swift and widespread. A few days after, a U.S. judge ruled that the company could sell its consumer data[2] as part of the bankruptcy.
The attorneys general of several states warned their citizens to delete their genetic data. California urged its citizens[3] to request that 23andMe delete their data and destroy their spit samples. Michigan’s attorney general released a statement[4] warning that “23andMe collects and stores some of the most sensitive personal information, our genetic code.”
When customers originally signed up for 23andMe, they agreed to terms and conditions and a privacy notice[5] that allows the company to use their information for research and development as well as share their data, in aggregate, with third parties. If consumers consented to additional research, which the vast majority did, the company can additionally share their individual information with third parties. 23andMe has also been clear that if it is involved in a bankruptcy or sale of assets, consumer information might be sold or transferred[6].
While 23andMe has warned customers all along about everything that is currently happening, many are still surprised and concerned[7].
I’m a lawyer and bioethicist[8] who has been studying direct-to-consumer genetic testing for almost a decade. Understanding what information 23andMe has been collecting, and how it might be used if sold or shared, can help clarify concerns for consumers.
What is 23andMe?
In 2007, 23andMe, named after the 23 pairs of chromosomes[9] found in a human cell, was one of the first direct-to-consumer genetic testing companies[10] to open in the United States. It was backed by a large investment by Google, which quickly attracted the interest of other investors[11], allowing 23andMe to thrive when many other direct-to-consumer genetic companies went quickly out of business[12].
The direct-to-consumer business model is fairly straightforward: A consumer orders a genetic test kit online, spits into a tube that comes in the mail, returns it to the company and accesses their results in an online portal. Over 15 million consumers[13] bought 23andMe, and the vast majority consented to its research. At its peak, the company was valued at US$6 billion[14].
The fate of the trove of personal information 23andMe has gathered over the years has wide-ranging implications for consumers.
While the market initially believed in the value of 23andMe’s business model, its stock has been in decline for years[15], and the company owes hundreds of millions of dollars[16] to creditors.
Reasons for this rapid decline include a decrease in the sale of test kits after a 2023 hack of almost 7 million people’s data[17], as well as a failure to profit enough from providing data access to other private sector companies. Lack of private interest in 23andMe data may be related to the fact that much of the information the company collects is self-reported[18], which is often considered less reliable than information written down by a doctor in a medical record.
What kind of data does 23andMe collect?
While the saying goes “If you’re not paying, you’re the product,” 23andMe managed to convince its consumers to both pay for AND be the product. It did this by selling genetic testing kits to consumers as well as collecting a massive amount of their valuable data.
And 23andMe collected more than just genetic data generated from consumers’ spit. Eighty-five percent of customers[19] consented to 23andMe research[20], allowing their individual-level data to be used for studies. The company then collected information from survey questions[21] about their personal health and beyond, such as drinking habits[22] and risk tolerance[23].
This means that not only does 23andMe possess the genetic data of 15 million people[24], but it also possesses almost a billion additional data points associated with this genetic information. This makes the 23andMe dataset potentially very private – and very valuable.
At first, drug companies seemed to agree. For example, in 2018, 23andMe granted pharmaceutical company GlaxoSmithKline an exclusive license[25] to use consented customer data to develop new drugs. GlaxoSmithKline also made a $300 million equity investment in 23andMe. When 23andMe went public in 2021, its $6 billion valuation[26] reflected the promise of this business model.
But for over a decade, scholars, including me[27], have been warning that allowing 23andMe to collect and use personal data was not something that customers fully understood, or were actually comfortable with.
What should 23andMe customers worry about?
In response to current public concern about data privacy, 23andMe has stated that there will be no changes to how it stores and protects data[28] during its bankruptcy proceedings. But once that stage is through, what exactly should customers worry about?
First, law enforcement could use genetic information in civil or criminal cases. This happened in 2018, when police used the genetic testing company GEDmatch to help identify the Golden State Killer[29]. Police pretended they were customers looking for genealogy data and sent in an old crime scene blood spot[30]. This allowed them to connect to known suspects with blood relatives who had given their genetic information to the company as consumers. While this was in violation of GEDmatch’s own policies, the evidence was successfully used in court.
Second, genetic information could be used to discriminate against customers[31] if it shows that they have or are at high risk of developing a genetic disease or disorder. The federal Genetic Information Nondiscrimination Act[32] prohibits health insurers and employers from asking about genetic information or using it to discriminate in work or health insurance decisions. It does not, however, protect against discrimination in long-term care or life insurance.
Many of the warnings from the media and attorneys general are focused on genetic information because it is unique to only one person. But direct-to-consumer genetic testing companies also retain a massive amount of personal information from the surveys consumers are asked to complete. Much of this information could be embarrassing if it were inadvertently or intentionally revealed, such as a person’s intelligence[34].
In the 2025 book “Careless People[35],” former Meta executive Sarah Wynn-Williams reported that Facebook would use indications of self-consciousness about personal appearance, such as deleting a selfie, to promote beauty products. If companies know such intimate details about a person, those details could be used not only to sell products, but also potentially to manipulate that person over social media or the internet in ways they do not even realize. They could be used for targeted advertising or to build algorithms that exploit a person’s vulnerabilities.
I believe consumers are right to be worried about how their genetic data could be misused. But the survey data containing all sorts of other personal information are at least as much, if not more, of a privacy problem[36]. This is particularly concerning if the data is pooled together with other information[37] available on the internet, like a dating profile, to create a more detailed – and personal – picture of an individual.
I am deleting my own 23andMe data. In the future, I would also warn consumers against freely gifting the private sector with information about their fears, hopes, limitations and successes.
That information is valuable to more people than just you.
References
- [1] 23andMe filed for bankruptcy (apnews.com)
- [2] sell its consumer data (fortune.com)
- [3] urged its citizens (oag.ca.gov)
- [4] released a statement (www.michigan.gov)
- [5] terms and conditions and a privacy notice (doi.org)
- [6] might be sold or transferred (web.archive.org)
- [7] surprised and concerned (www.youtube.com)
- [8] lawyer and bioethicist (medschool.umich.edu)
- [9] 23 pairs of chromosomes (openstax.org)
- [10] first direct-to-consumer genetic testing companies (mediacenter.23andme.com)
- [11] interest of other investors (biz.chosun.com)
- [12] out of business (www.beckershospitalreview.com)
- [13] 15 million consumers (www.cnn.com)
- [14] valued at US$6 billion (www.wsj.com)
- [15] in decline for years (www.nytimes.com)
- [16] hundreds of millions of dollars (finance.yahoo.com)
- [17] 2023 hack of almost 7 million people’s data (www.theguardian.com)
- [18] collects is self-reported (www.the-scientist.com)
- [19] Eighty-five percent of customers (www.nytimes.com)
- [20] 23andMe research (www.23andme.com)
- [21] survey questions (customercare.23andme.com)
- [22] drinking habits (web.archive.org)
- [23] risk tolerance (web.archive.org)
- [24] genetic data of 15 million people (www.bloomberg.com)
- [25] GlaxoSmithKline an exclusive license (www.gsk.com)
- [26] $6 billion valuation (www.wsj.com)
- [27] including me (theconversation.com)
- [28] no changes to how it stores and protects data (foleyhoag.com)
- [29] identify the Golden State Killer (www.forbes.com)
- [30] old crime scene blood spot (www.npr.org)
- [31] discriminate against customers (doi.org)
- [32] Genetic Information Nondiscrimination Act (www.genome.gov)
- [33] Westend61/Getty Images (www.gettyimages.com)
- [34] a person’s intelligence (web.archive.org)
- [35] Careless People (us.macmillan.com)
- [36] privacy problem (theconversation.com)
- [37] pooled together with other information (doi.org)


