23andMe promised not to sell your genetic data without consent. When the company went bankrupt, your DNA became a corporate asset and was sold at auction to the winning bidder. The privacy policy had a loophole: if the company is sold, your data goes with it, consent or not. 15 million people's most intimate biological data changed hands in a bankruptcy sale. You agreed to let 23andMe use your DNA for 'research.' What actually happened: a pharmaceutical giant (GSK) put $300 million into 23andMe for access to its genetic database for commercial drug development. The drugs belong to the pharma company. You get nothing. Over 80% of users opted in, which suggests the consent form was designed to get a 'yes' rather than to truly inform you that your DNA would fuel a billion-dollar drug pipeline.
What they claim: 23andMe's service is about genetic testing and health reports from saliva samples — no location tracking or physical activity monitoring is needed.
What we found: The 23andMe Android app declares ACCESS_FINE_LOCATION (precise GPS), ACCESS_COARSE_LOCATION (approximate location), and ACTIVITY_RECOGNITION (whether you are walking, driving, or stationary) in its manifest. On Android 6 and later these are runtime permissions that the user must still grant, but the declaration is what an APK audit sees and it defines what the app is able to ask for. The app also bundles 4 third-party tracker SDKs: Google Analytics, Google Firebase Analytics, Mapbox (location/mapping), and New Relic. For a DNA testing service, location tracking and physical activity monitoring represent significant scope creep beyond the core service.
What they claim: 23andMe states de-identified data is shared with research partners, implying genetic data cannot be traced back to individuals.
What we found: The 2023 data breach showed that the DNA Relatives feature created interconnected profiles: compromising roughly 14,000 accounts by credential stuffing exposed the data of 6.9 million users, because each hijacked account could view the profiles of its genetic matches. Genetic data is inherently identifiable: even de-identified SNP data can be re-identified through relative matching, genealogy databases, and forensic genetic genealogy techniques. A 2018 study in Science (Erlich et al.) estimated that about 60% of searches for a US individual of European descent against a genealogy database of 1.28 million profiles would return a third-cousin or closer match, which is usually enough to identify the person once approximate age, sex, and place of residence are known.
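The "network effect" described above can be quantified: an attacker who takes over N accounts sees not only those N profiles but every profile shown in their relatives lists. The script below is an added example, not 23andMe's code or breach statistics. The relatives graph is generated synthetically, and the user count, matches per user, and opt-in rate are assumptions chosen for illustration.

```python
"""Estimate breach blast radius when hijacked accounts expose their DNA Relatives.

Added example, not 23andMe code. The graph is constructed synthetically; the
parameters passed in main() are assumptions for illustration, not breach data.
"""
import random


def build_relatives_graph(n_users, matches_per_user, opt_in_rate, seed=1):
    """Return (opted_in, matches).

    matches maps user id -> set of users shown in that user's relatives list.
    Only users who opted into relative matching appear in each other's lists,
    which mirrors the DNA Relatives opt-in described on the page.
    """
    rng = random.Random(seed)
    opted_in = {u for u in range(n_users) if rng.random() < opt_in_rate}
    matches = {u: set() for u in range(n_users)}
    pool = sorted(opted_in)
    for u in pool:
        for _ in range(matches_per_user):
            v = rng.choice(pool)
            if v != u:
                # Matching is symmetric: if u sees v, v sees u.
                matches[u].add(v)
                matches[v].add(u)
    return opted_in, matches


def exposed_by_takeover(compromised, matches):
    """Profiles readable by an attacker who can log in as each compromised account:
    the account itself plus every profile in its relatives list (one hop)."""
    exposed = set(compromised)
    for u in compromised:
        exposed |= matches[u]
    return exposed


def amplification(n_users, n_compromised, matches_per_user, opt_in_rate, seed=1):
    """Ratio of exposed profiles to directly compromised accounts."""
    _, matches = build_relatives_graph(n_users, matches_per_user, opt_in_rate, seed)
    rng = random.Random(seed + 1)
    compromised = set(rng.sample(range(n_users), n_compromised))
    exposed = exposed_by_takeover(compromised, matches)
    return len(exposed) / n_compromised


if __name__ == "__main__":
    # Assumed parameters: 100k users, 1k hijacked accounts, 20 matches each.
    for rate in (0.0, 0.25, 0.5, 0.8):
        print(f"opt-in {rate:.0%}: x{amplification(100_000, 1_000, 20, rate):.1f} exposure")
```

With opt-in at zero the ratio is exactly 1.0 (the attacker only sees the accounts they hold); as opt-in rises, exposure grows with the average relatives-list length. The reported breach ratio (6.9 million exposed from about 14,000 hijacked accounts, roughly 490x) is what happens when each list is long and most users opted in.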
What they claim: The 23andMe DNA kit is a passive saliva collection tube with no electronics.
What we found: The physical kit indeed has no radios or electronics, so the app is where the data collection happens. The companion app declares CAMERA access, ACTIVITY_RECOGNITION, fine and coarse LOCATION permissions, and the permissions that let it keep running when not in the foreground (FOREGROUND_SERVICE, RECEIVE_BOOT_COMPLETED, WAKE_LOCK). Its data collection capabilities far exceed what is needed to register a kit and view results. The platform can collect location data, physical activity patterns, and device usage patterns, creating a behavioral profile alongside your genetic profile.
What they claim: The 23andMe app collects limited technical data necessary for the DNA testing service.
What we found: The app requests CAMERA access (ostensibly for scanning the kit barcode at registration, but once granted it stays available until the user revokes it rather than being scoped to that step), declares the AD_ID permission (required on Android 13 and later to read the Google advertising identifier used for cross-app tracking), and embeds 4 third-party trackers including Mapbox (location mapping) and New Relic (application performance and usage telemetry). The Canada-UK investigation found 23andMe failed to implement adequate safeguards, yet the app actively collects behavioral data beyond the service scope. This creates a dual risk: inadequate protection of genetic data AND unnecessary collection of behavioral data.
What they claim: 23andMe privacy policy states genetic information will not be sold without explicit consent and that the company is prepared to use all legal measures to resist law enforcement requests.
What we found: When 23andMe filed for bankruptcy in March 2025, the genetic data of 15 million customers became a corporate asset in bankruptcy proceedings. The company was sold to TTAM Research Institute for $305 million, including all customer genetic data. State AGs in NY, CA, VA, and MA issued emergency alerts urging users to delete data. The privacy policy's own change-of-ownership clause permitted data transfer in acquisition scenarios.
What they claim: 23andMe promised to protect users' genetic data, with co-founder Anne Wojcicki stating she would "never sell customers' data."
What we found: 23andMe filed for Chapter 11 bankruptcy in March 2025. The company holds DNA data from approximately 15 million people. In bankruptcy, company assets, including customer databases, can be sold to the highest bidder. California Attorney General Rob Bonta issued a consumer alert urging 23andMe users to delete their data before the bankruptcy sale. The bankruptcy filing turns a privacy promise into an asset liquidation question: does "we won't sell your data" survive when the company itself is being sold? DNA data is permanent. Unlike a password, you cannot change your genome. Unlike financial data, genetic information identifies not just you but your biological relatives, people who never consented. Fifteen million people's permanent biological identity became an asset in a bankruptcy proceeding, and the company that promised to protect your DNA sold itself to whoever paid the most.
What they claim: 23andMe's privacy policy states genetic information will not be used for personalized or targeted marketing without explicit consent.
What we found: The app declares the AD_ID permission (advertising identifier) and embeds the Google Analytics and Google Firebase Analytics trackers. The policy claims genetic data won't be used for marketing, and we found no evidence that it is. But the presence of advertising infrastructure in the app means non-genetic behavioral data (browsing patterns, feature usage, location) can be, and likely is, used for targeted advertising and attribution. The Mapbox SDK adds location-based profiling capability.
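The permission and tracker findings above (location, activity recognition, camera, background-execution permissions, AD_ID, and the four SDKs) are the kind of thing you get by decoding an APK and inspecting its manifest and class list. The script below is an added example of that audit, not 23andMe's code or any tool's actual output. The manifest excerpt and class list are constructed to mirror the findings, and the tracker signatures and the "baseline" of permissions a saliva-kit app plausibly needs are illustrative assumptions, not an official list.

```python
"""Audit an Android app's declared permissions and bundled SDKs against a baseline.

Added example, not 23andMe's code. MANIFEST_XML and DEX_CLASSES are constructed
to mirror the findings on the page; TRACKER_SIGNATURES and BASELINE_PERMISSIONS
are illustrative assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed excerpt of a decoded AndroidManifest.xml (as apktool would emit).
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.dnaapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <application android:label="dnaapp"/>
</manifest>
"""

# Constructed class list, as you would get from dexdump or androguard on classes.dex.
DEX_CLASSES = [
    "com/example/dnaapp/MainActivity",
    "com/google/android/gms/analytics/Tracker",
    "com/google/firebase/analytics/FirebaseAnalytics",
    "com/mapbox/mapboxsdk/maps/MapView",
    "com/newrelic/agent/android/NewRelic",
    "okhttp3/OkHttpClient",
]

# Assumed package-prefix signatures identifying embedded analytics/tracking SDKs.
TRACKER_SIGNATURES = {
    "Google Analytics": "com/google/android/gms/analytics/",
    "Google Firebase Analytics": "com/google/firebase/analytics/",
    "Mapbox": "com/mapbox/",
    "New Relic": "com/newrelic/",
}

# Assumed baseline for a saliva-kit companion app: network plus a barcode scan.
BASELINE_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
}

# Runtime permissions that expose sensor or identity data.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACTIVITY_RECOGNITION",
    "android.permission.CAMERA",
    "com.google.android.gms.permission.AD_ID",
}

# Permissions that let the app keep executing when not in the foreground.
PERSISTENCE_PERMISSIONS = {
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.WAKE_LOCK",
}


def declared_permissions(manifest_xml):
    """Names of every <uses-permission> element in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def detect_trackers(class_names):
    """Tracker SDKs whose package prefix appears in the app's class list."""
    return {name for cls in class_names
            for name, prefix in TRACKER_SIGNATURES.items() if cls.startswith(prefix)}


def audit(manifest_xml, class_names, baseline=BASELINE_PERMISSIONS):
    """Sensitive permissions outside the baseline, persistence permissions, trackers."""
    perms = declared_permissions(manifest_xml)
    return {
        "out_of_scope_sensitive": sorted((perms & SENSITIVE_PERMISSIONS) - baseline),
        "persistence": sorted(perms & PERSISTENCE_PERMISSIONS),
        "trackers": sorted(detect_trackers(class_names)),
    }


if __name__ == "__main__":
    for key, values in audit(MANIFEST_XML, DEX_CLASSES).items():
        print(f"{key}: {', '.join(values) or 'none'}")
```

Two caveats when reading such output: a declared permission is not a granted one (on Android 6 and later the user must approve each runtime permission), and a matching class prefix proves an SDK is bundled, not that every feature of it is active. Both are still the right starting point, because the manifest and class list are what the app can do, which is what a privacy claim has to be measured against.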
What they claim: 23andMe's privacy policy promises users can request deletion of their data.
What we found: The GSK partnership involved sharing genetic data for commercial drug discovery from 2018 to 2023. Once de-identified data has been shared with pharmaceutical partners and incorporated into drug development pipelines, deleting it from the 23andMe database does not recall the copies already transmitted. During the 2025 bankruptcy proceedings, state AGs urged users to delete their data before the sale, but data already shared with GSK and other research partners over seven years cannot be recalled.
What they claim: 23andMe's privacy commitments are binding and protect users over the long term.
What we found: The $30 million class action settlement (finalized January 2026) amounts to approximately $4.35 per affected user (6.9 million users). The settlement includes 3 years of monitoring, but genetic data exposure is permanent: your DNA does not expire. The FTC sent a letter stating that any buyer must honor 23andMe's existing privacy commitments, but the business was sold to a new entity (TTAM Research Institute) that can change the privacy policy going forward. The bankrupt estate that remained after the sale was renamed ChromeCo, Inc.
What they claim: 23andMe collects only the data necessary for the service and implements appropriate safeguards to protect highly sensitive genetic information.
What we found: The Canada-UK joint investigation (PIPEDA Findings 2025-001) found 23andMe violated PIPEDA Principle 4.7 (safeguards) and the UK GDPR. The credential stuffing attack ran for five months (April to September 2023) before detection. 23andMe did not require two-factor authentication until November 2023, after the breach had exposed 6.9 million users' genetic and ancestry data. The UK ICO imposed a GBP 2.31 million penalty.
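A credential stuffing campaign that runs for five months is detectable from authentication logs alone, because its shape differs from both normal logins and brute force: one source tries many distinct usernames, one or two attempts each, with a high failure rate and an occasional success. The script below is an added example of that detection logic. It is not 23andMe's detection code (the page describes none), the log format and thresholds are assumptions, and the log lines are constructed.

```python
"""Flag credential-stuffing sources in authentication logs and list the accounts
they got into.

Added example, not 23andMe's detection logic. Log format "<ts> <src_ip> <user>
<OK|FAIL>", thresholds, and the sample lines are all assumptions/constructed.
"""
from collections import defaultdict

# Constructed sample: one stuffing source (198.51.100.7) trying many users once
# each, a user mistyping a password (203.0.113.5), and a single-account brute
# force (192.0.2.9) that is not stuffing.
SAMPLE_LOG = """\
2023-04-14T02:00:01Z 198.51.100.7 alice@example.com FAIL
2023-04-14T02:00:02Z 198.51.100.7 bob@example.com FAIL
2023-04-14T02:00:04Z 198.51.100.7 carol@example.com OK
2023-04-14T02:00:05Z 198.51.100.7 dave@example.com FAIL
2023-04-14T02:00:07Z 198.51.100.7 eve@example.com FAIL
2023-04-14T02:00:09Z 198.51.100.7 frank@example.com OK
2023-04-14T02:00:10Z 198.51.100.7 gina@example.com FAIL
2023-04-14T02:00:12Z 198.51.100.7 hank@example.com FAIL
2023-04-14T09:12:00Z 203.0.113.5 erin@example.com FAIL
2023-04-14T09:12:30Z 203.0.113.5 erin@example.com OK
2023-04-14T11:30:00Z 192.0.2.9 grace@example.com FAIL
2023-04-14T11:30:05Z 192.0.2.9 grace@example.com FAIL
2023-04-14T11:30:09Z 192.0.2.9 grace@example.com FAIL
2023-04-14T11:31:00Z 192.0.2.9 grace@example.com OK
"""


def parse(lines):
    """Yield (timestamp, ip, user, result) tuples from the assumed log format."""
    for line in lines.strip().splitlines():
        ts, ip, user, result = line.split()
        yield ts, ip, user, result


def detect_credential_stuffing(lines, min_distinct_users=5, min_fail_ratio=0.5,
                               max_attempts_per_user=2.0):
    """Per source IP: many distinct usernames, few tries each, mostly failing.

    Brute force (many tries, one user) and typos (one user, one retry) do not
    match this shape and are left alone.
    """
    by_ip = defaultdict(list)
    for _, ip, user, result in parse(lines):
        by_ip[ip].append((user, result))

    findings = {}
    for ip, attempts in by_ip.items():
        users = {u for u, _ in attempts}
        fails = sum(1 for _, r in attempts if r == "FAIL")
        attempts_per_user = len(attempts) / len(users)
        fail_ratio = fails / len(attempts)
        if (len(users) >= min_distinct_users
                and fail_ratio >= min_fail_ratio
                and attempts_per_user <= max_attempts_per_user):
            findings[ip] = {
                "distinct_users": len(users),
                "fail_ratio": round(fail_ratio, 2),
                "attempts_per_user": round(attempts_per_user, 2),
                # Successful logins from a stuffing source are the hijacked accounts.
                "compromised": sorted(u for u, r in attempts if r == "OK"),
            }
    return findings


def accounts_to_reset(findings):
    """Every account that authenticated from a flagged source: revoke sessions,
    force a password reset, and require 2FA enrollment."""
    return sorted({u for f in findings.values() for u in f["compromised"]})


if __name__ == "__main__":
    found = detect_credential_stuffing(SAMPLE_LOG)
    for ip, f in found.items():
        print(ip, f)
    print("reset:", accounts_to_reset(found))
```

In production the same logic runs per time window and per ASN or proxy pool rather than per single IP, since stuffing tools spread attempts across residential proxies; the distinct-users-to-attempts ratio is the signal that survives that spreading. The response side matters as much as detection: a confirmed hijacked account on a platform with a relatives feature has already exposed its matches, which is why session revocation and a forced 2FA enrollment, not just a password reset, belong in the playbook.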
What they claim: 23andMe promoted genetic testing with promises to protect users' DNA data.
What we found: In March 2025, roughly a year and a half after a 2023 data breach exposed 6.9 million users' genetic and ancestry data, 23andMe filed for bankruptcy. The bankruptcy raised alarm about what happens to DNA data when a company fails; California's Attorney General warned users to delete their data before the sale. Unlike passwords, you cannot change your DNA. The most intimate data possible, your genetic code, became an asset in bankruptcy proceedings, available to the highest bidder.
What they claim: 23andMe states it does not disclose genetic data to insurance companies or employers.
What we found: While GINA (the Genetic Information Nondiscrimination Act) prohibits health insurance and employment discrimination based on genetic information, it does not cover life insurance, disability insurance, or long-term care insurance. The 2023 breach exposed ancestry data and health-related profile information that could be exploited by these unprotected insurance sectors. The breached data included ethnicity estimates and maternal and paternal haplogroups, which can be used for discriminatory purposes outside GINA's coverage.
What they claim: 23andMe's privacy policy states data is shared only with research collaborators using de-identified, aggregate data, and that research participation is entirely optional.
What we found: GSK (GlaxoSmithKline) invested $300 million in 23andMe in 2018 in exchange for exclusive four-year access to 23andMe's genetic database for drug discovery. Over 80% of customers opted into research, a rate suggesting the consent flow was designed for maximum opt-in rather than informed consent. Under a 2023 amendment, GSK paid $20 million for a one-year data license under which any resulting drugs belong solely to GSK, with 23andMe receiving only royalties. Users who consented to 'research' may not have anticipated their DNA powering commercial pharmaceutical products worth billions.