A coalition of 27 states and the District of Columbia has taken legal action to prevent 23andMe from selling personal genetic data in its possession without customer consent.
The California-based biotechnology company filed for Chapter 11 bankruptcy on March 23 to facilitate the sale of its assets, sparking concerns over the handling of the sensitive genetic data it holds.
“This isn’t just data – it’s your DNA. It’s personal, permanent, and deeply private,” Oregon Attorney General Dan Rayfield said in the statement. “People did not submit their personal data to 23andMe thinking their genetic blueprint would later be sold off to the highest bidder.”
In their lawsuit, the states contended that 23andMe should obtain expressed consent from its customers before transferring or selling their data to another company.
“Virtually all of this ‘customer data’ is immutable. If stolen or misused, it cannot be changed or replaced,” they stated in the suit. “In other words, the magnitude of the data in this proposed sale stretches far beyond the 23andMe consumers, impacting those who have no awareness of the sale as well as human beings who do not even exist yet.”
Joining Rayfield in the suit are attorneys general from Arizona, Colorado, Connecticut, the District of Columbia, Florida, Illinois, Kansas, Kentucky, Louisiana, Maine, Michigan, Minnesota, Missouri, New Hampshire, New Mexico, New York, North Carolina, Oklahoma, Pennsylvania, South Carolina, South Dakota, Utah, Vermont, Virginia, Washington, West Virginia, and Wisconsin.
Responding to a media inquiry, 23AndMe pointed to interim CEO Joseph Selsavage’s remarks during Tuesday’s House Oversight Committee hearing, in which he affirmed the company’s commitment to customer data privacy.
These data encompassed users’ origin estimation, phenotype, health information, photos, and identification data. The company said at the time that it believed “threat actors” gained access to accounts where users recycled login credentials.







