Telehealth 6 min read

What Happens to Your DNA Data? Direct-to-Consumer Genetic Testing After 23andMe

A spit-in-a-tube DNA test gives a company your most permanent personal data. The 23andMe bankruptcy showed how fragile the protections really are, and what you can do about it.

Key Takeaways: What Happens to Your DNA Data? Direct-to-Consumer Genetic Testing After 23andMe

  • When a company enters Chapter 11 bankruptcy, its assets are identified and marked for sale, and customer data is one of those assets.
  • Here is the uncomfortable part for consumers.
  • What makes genetic data uniquely sensitive.

A home DNA test is a strange transaction. You pay a company to learn about your ancestry or health risks, and in return you hand over the single most permanent, most identifying piece of information you possess, a record that also implicates relatives who never consented to anything. For years that trade felt abstract. Then 23andMe, a pioneer of the industry holding genetic data on roughly fifteen million customers, filed for bankruptcy in 2025, and the abstract became very concrete.

This article is general information about consumer health technology, not informational context. Speak with a qualified professional about your own health.

Why the bankruptcy was a wake-up call

When a company enters Chapter 11 bankruptcy, its assets are identified and marked for sale, and customer data is one of those assets. That is what alarmed regulators and privacy experts about the 23andMe case: the genetic profiles of millions of people were potentially part of what could be sold. State attorneys general urged residents to delete their data, a bipartisan coalition moved to block any transfer without explicit consent, and a court-appointed privacy ombudsman was tasked with scrutinising the sale. The company maintained that any buyer would have to honour its existing privacy policy, and it was ultimately acquired by a non-profit led by its co-founder, which kept the policies largely intact, but the episode exposed how much can hinge on who happens to buy the data.

The gap in the law

Here is the uncomfortable part for consumers. In the United States there is no single federal law comprehensively protecting consumer genetic data. The familiar health privacy law, HIPAA, generally applies to healthcare providers and insurers, not to direct-to-consumer testing companies. A separate law, the Genetic Information Nondiscrimination Act, bars employers and health insurers from discriminating based on genetic information but does not broadly govern how a testing company collects, uses or sells your data. Some states have passed their own genetic privacy laws, but it is a patchwork, and many people’s protection depends largely on the company’s own privacy policy, a document that often permits transfer of data in a sale. We cover the broader version of this problem in the telehealth and health app privacy checklist.

What makes genetic data uniquely sensitive

Unlike a password or a card number, you cannot change your DNA after a breach, and it is not really yours alone, since it reveals information about your biological relatives too. It can carry implications for disease risk, and in the wrong hands raises concerns that range from discrimination to misuse. That permanence is why experts argue genetic data deserves stronger protection than ordinary personal information, and why a click-through consent agreed years ago sits uneasily as the main thing standing between your genome and a future owner you have never heard of.

What you can actually do

  1. Before testing, read the privacy policy specifically for what happens to your data in a sale, merger or bankruptcy, and whether it is shared with research or pharmaceutical partners.
  2. Decide consciously whether to opt in to research uses; these are often separate, revocable permissions.
  3. If you already tested and are concerned, you can usually request data deletion and destruction of your physical sample, and revoke research consent, through the account settings.
  4. Download your data and reports first if you want to keep them, because deletion is typically permanent and irreversible.
  5. Keep a record, such as a screenshot and any confirmation email, of deletion requests.

Deleting from a genetics company follows the same principle as leaving any health service: uninstalling an app or forgetting a login does not erase what the company holds. The account-level action is what matters, a point that applies equally to fitness and medical apps and to the insurer question explored in what insurers and employers can see from your wearable.

Should you avoid DNA tests entirely?

Not necessarily. These tests can be meaningful and even motivating, and for some people the health-risk information is genuinely useful. The point is to go in informed: understand that you are trusting a private company with immutable data, that the legal floor under that data is lower than most people assume, and that the company’s circumstances, not just its promises, can change. If those terms are acceptable to you, the choice is yours to make with open eyes. If they are not, that is a perfectly reasonable reason to skip the kit, and to push for stronger privacy laws, which is the longer-term fix experts across the field are calling for.

It is not just privacy, it is what else they do with it

Most people picture data privacy as the risk of a leak. With genetic testing there is a second, quieter dimension: what the company itself does with your DNA. Many direct-to-consumer firms invite customers to opt in to research, and have struck partnerships with pharmaceutical companies that use aggregated genetic data for drug discovery. None of that is inherently sinister, and some of it funds genuinely valuable science, but it means your sample can have a commercial life well beyond the ancestry report you paid for. Reading, and consciously choosing, the research-sharing options is as important as reading the privacy policy.

Clearing up a common fear

One worry deserves a careful, accurate answer: the idea that signing up to a DNA service hands your genome to law enforcement. The picture is more nuanced. The technique of identifying people through genetic relatives, sometimes called investigative genetic genealogy, generally operates on databases that accept uploaded DNA files from third parties. A service that does not accept such uploads, and that bans forensic use, is structurally more insulated from it. The practical lesson is not panic but specificity: read each company’s stated policy on law-enforcement requests and DNA uploads rather than assuming the worst or the best.

Geography changes your protection

Where you live materially affects how safe your genetic data is. In the European Union, data-protection rules manage genetic data as a special category and restrict sharing it with health insurers and employers. The United States, by contrast, leans on a patchwork of state laws plus narrow federal statutes, leaving more to the company’s own policy. If strong legal protection matters to you, it is worth knowing which regime actually governs the service you are using, rather than assuming a universal standard exists.

Sources and further reading