California’s top law enforcement official is challenging a federal judge’s decision greenlighting the sale of genetic testing giant 23andMe. State Attorney General Rob Bonta argues the approved transaction violates California’s stringent privacy protections. This high-stakes legal battle centers on the fate of millions of users’ deeply personal genetic information amidst 23andMe’s bankruptcy proceedings.
The company, a household name in direct-to-consumer DNA testing, sought Chapter 11 bankruptcy protection in March 2025. This strategic move aimed to facilitate a sale of its assets. A federal bankruptcy judge recently approved a $305 million bid for 23andMe’s genetic data and other holdings. The approved buyer is TTAM Research Institute. This entity is a nonprofit medical research group. It is led by 23andMe founder and former CEO Anne Wojcicki.
California’s Privacy Law Stance
Attorney General Bonta’s office stated emphatically on Monday that the sale terms “do not comply” with state law. Specifically, the state contends the sale runs afoul of the California Genetic Information Privacy Act (GIPA). GIPA is a landmark law in genetic data protection. It requires companies to secure explicit opt-in consent from customers. This consent is necessary before selling their genetic information to third parties.
A spokesperson for Bonta, Elissa Perez, expressed disappointment in the court’s decision. She stated the sale of “vast amounts of genetic data and biological samples” to TTAM or potentially other buyers violates GIPA. The Attorney General’s office had previously sought to block the sale in court. They had also urged California residents to “urgently” delete their genetic data.
The state has been involved in the bankruptcy case from the beginning. Perez affirmed California’s commitment to opposing actions inconsistent with state law. This applies to both the company and any future purchaser of sensitive personal data.
Multi-State Opposition Grows
California is not alone in its concerns. A broad coalition of states has also taken legal action. Twenty-seven states and the District of Columbia joined a lawsuit against 23andMe. This legal challenge was filed in the U.S. Bankruptcy Court for the Eastern District of Missouri. That court oversees 23andMe’s bankruptcy case.
The core of the multi-state argument is clear. They assert 23andMe cannot sell customer genetic data without obtaining “expressed, informed, affirmative consent.” This consent must come from each affected customer. The states are not against a sale in principle. However, they firmly believe explicit individual consent is non-negotiable for data transfer.
New York Attorney General Letitia James highlighted the critical nature of this data. She stated 23andMe cannot “auction millions of people’s personal genetic information without their consent.” Customers, she emphasized, “have a right to know what will be done with their information.” Pennsylvania Attorney General Dave Sunday joined the lawsuit. He noted customers did not expect their sensitive data to be sold to the highest bidder during bankruptcy.
The states contend that selling this data compilation is unprecedented. Genetic identity is highly sensitive and immutable. It can identify relatives across generations. It lives forever. It cannot be changed or replaced if misused.
The Judge’s Ruling and 23andMe’s Response
Despite the state objections, U.S. Bankruptcy Judge Brian C. Walsh approved the sale Friday. Judge Walsh dismissed the complaints from the five states still formally objecting (California, Kentucky, Tennessee, Texas, Utah). He ruled that GIPA’s opt-in requirements do not apply to TTAM’s purchase in this context.
In a detailed memo, Walsh argued that people’s genetic information would remain private. He stated that customers would “deal with the same business, the same employees, familiar leaders, and the same privacy policies.” From his perspective, there was “no need to impose obstacles.”
23andMe maintains that the sale is permissible. A spokesperson, Ann Sommerlath, said the transaction enforces “binding commitments” for the buyer. These commitments include “additional consumer protections and privacy safeguards.” Email notices will be sent when the sale closes. The company argues the sale aligns with its existing privacy policies and applicable law. They stated any potential buyer was required to adopt their policies and comply with the law. Customers, 23andMe claims, will retain the same rights and protections under the new owner.
TTAM Research Institute and another potential bidder, Regeneron Pharmaceuticals, have reportedly committed to abiding by 23andMe’s privacy policies. They stated they would continue to operate the company as before.
Why Genetic Data Privacy Matters Now
The legal challenges underscore critical concerns about genetic data privacy. Unlike traditional medical records protected by HIPAA, data from direct-to-consumer genetic testing companies often is not. These interactions are frequently viewed as commercial transactions. This distinction means genetic testing data lacks the same stringent federal privacy safeguards.
While GINA protects against genetic discrimination by employers and health insurers, it doesn’t regulate data sales by companies like 23andMe. Experts warn that even if a new owner initially adheres to the old privacy policy, they can often change the terms later. Customers might agree to updated terms without fully reviewing them.
The sensitivity of this data is amplified by its nature. It is unique, permanent, and reveals information about relatives. With over 15 million people in 23andMe’s database, the scale of the potential transfer is immense. This context is particularly concerning given the company experienced a data breach in 2023. That incident potentially affected 6.9 million users.
Federal lawmakers have also weighed in. During Congressional testimony earlier this month, some argued 23andMe should be responsible for getting affirmative consent before selling data to a new owner.
What Customers Can Do: Protecting Your Data
Amidst the uncertainty, Attorneys General have issued urgent warnings to customers. California AG Bonta and New York AG James have both encouraged users to take action. They emphasize consumers’ right to control their sensitive information.
One key action is requesting data deletion. California law specifically grants residents the right to request deletion of their genetic data. AG Bonta’s office provided instructions and urged Californians to consider this step. This includes directing 23andMe to delete data and destroy physical samples.
Here is how customers can typically request data deletion:
Log in to the 23andMe website account.
Navigate to “Settings.”
Find the “23andMe Data” section.
Select “View.”
Choose “Delete Data.”
Select “Permanently Delete Data.”
Confirm the request via a follow-up email.
Customers should note that deletion is permanent and irreversible. It removes most personal information and profile data. If a user participated in research, their data stops being used in future projects. Any stored physical sample will be discarded upon account deletion.
However, there’s a critical caveat. According to 23andMe’s privacy statement, certain data is retained for legal obligations. This includes “Genetic Information, date of birth and sex.” Customers also have the option to download a copy of their data before initiating deletion. Additionally, users who opted into the research program can withdraw consent via account settings under “Preferences.” They can also change sample storage preferences there.
The multi-state lawsuit specifically seeks a court ruling. They want the court to determine “whether and to what extent” 23andMe can transfer data without explicit consent.
Frequently Asked Questions
Why does California’s AG argue the 23andMe sale violates state law?
California Attorney General Rob Bonta contends the planned sale breaches the state’s Genetic Information Privacy Act (GIPA). This law requires companies to get explicit “opt-in” consent from customers. This consent is needed before* selling their genetic information to any third party. The AG’s office believes the terms of the bankruptcy sale transfer vast amounts of this sensitive data without fulfilling this requirement.
How can 23andMe customers request deletion of their genetic data?
Customers concerned about the sale can request their data be deleted. The process involves logging into the 23andMe website account. Navigate to the “Settings” section. Find “23andMe Data,” then select “View,” followed by “Delete Data,” and finally “Permanently Delete Data.” A confirmation via email is required to finalize the request. Note that deletion is generally permanent. Some basic genetic data and demographics might be retained for legal compliance.
Does selling genetic data during bankruptcy have special privacy risks?
Yes, experts and state officials highlight increased risks. Direct-to-consumer genetic data like 23andMe’s is often not protected by HIPAA standards, unlike medical records. In a bankruptcy sale, data can be transferred as an asset. While the buyer might initially follow existing policies, they can typically change them later. This poses a risk that sensitive, immutable genetic information could be used or shared in ways customers did not originally anticipate or consent to.
What Comes Next
The federal bankruptcy judge has approved the sale to TTAM Research Institute. The transaction is expected to close in the coming weeks. However, the legal challenge from California and other states continues. AG Bonta’s office is currently “evaluating next steps.” This suggests the potential for further legal action or intervention. The battle over the future and privacy of millions of genetic profiles is far from over. This case highlights the ongoing tension between corporate transactions, consumer privacy rights, and the unique sensitivity of genetic information.
