23andMe Goes Bankrupt
What will happen to all of that genetic data?
By Christina Catenacci, human writer
Apr 11, 2025

Key Points:
23andMe, a direct-to-consumer genetic testing company, has declared bankruptcy
There is significant concern about how customers’ genetic data will be protected: now and in the future
Consumers are urged to delete their data, and businesses are encouraged to learn from the data breach (review policies and procedures and ensure that there is compliance with the law)
What happened?
23andMe, the company that provided basic ancestry as well as health and ancestry services (with a touted 99 percent accuracy), has filed for bankruptcy in the United States. This entails filing under Chapter 11 of the United States Bankruptcy Code.
The direct-to-consumer genetic testing company was founded in 2006. It was the first company to offer autosomal testing by asking users to directly submit saliva samples that would be analyzed to produce charts of their background and lineage.
But the company experienced a serious data breach in 2023, where seven million customers were subject to unauthorized access of their genetic data. The ordeal took about five months to resolve, and it ruined the company’s reputation. What’s more, the affected customers launched a class action in the United States, which they ultimately settled with the company for $30 million.
At this point, the company has secured financing and will continue to operate during a sale process. The company has listed its assets and estimated liabilities to be between USD 100 million and 500 million. Although it is still operating while trying to find a buyer, the company recently laid off 40 percent of its workforce and has ended its therapeutics division.
What will happen to the genetic data involved in the 23andMe data breach?
We need to examine the full Privacy Statement (Statement). Last updated March 14, 2025, the Statement says that “At 23andMe, Privacy is in our DNA”.
The information that the company collects includes Individual-level Information (information about a single individual, such as their genotypes, diseases or other traits or characteristics) and De-identified Information (information that has been stripped of identifying data, such as name and contact information, so that an individual cannot reasonably be identified).
The types of personal information collected include registration information; genetic information; sample information; self-reported information; user content; and web-behaviour information. The company collects the information from the customer providing it directly, from service providers collecting it through cookies or analytics tools, from other third parties involving customers (such as someone gifting a testing kit), and from the company itself through the inferences it draws.
The company uses personal information in order to: provide their services; analyze and measure trends and usage of the services; communicate with customers; personalize, contextualize and market their services to customers; provide cross-context behavioural or targeted advertising; enhance the safety, integrity, and security of their services; enforce, investigate, and report conduct violating their Terms of Service or other policies; conduct surveys or polls, and obtain testimonials or stories; comply with their legal, licensing, and regulatory obligations; and conduct 23andMe Research, if customers choose to participate.
More precisely, the purpose of 23andMe Research is to make new discoveries about genetics and other factors behind diseases and traits. “23andMe Research” means research activities performed by 23andMe, either independently or jointly with third parties, and overseen by an independent ethics review board.
In terms of data sharing, the company shares with service providers, friends and family members if the customer so wishes, affiliates and commonly owned entities, and third parties related to law, harm, and the public interest. That said, the Statement clearly stipulates that the company does not share customer information with public databases, insurers, employers, or law enforcement absent a valid court order, subpoena, or search warrant.
With respect to security, the company states that it implements physical, technical, and administrative measures aimed at preventing unauthorized access to or disclosure of customers’ Personal Information. Moreover, it advises that “Please recognize that protecting your Personal Information is also your responsibility. Be mindful of keeping your password and other authentication information safe from third parties, and immediately notify 23andMe of any unauthorized use of your login credentials”.
In addition, the Statement clarifies that it retains personal information for as long as necessary to provide the services and fulfill transactions that are requested by customers.
Customers can also choose (or choose not to) store their sample; view health reports; share their information with genetic relatives or other users; receive personalized recommendations based on sensitive data categories; receive promotional communications; and participate in research.
It is clear that despite these points made in the Statement, there have been several criticisms of the company’s handling of personal data, particularly genetic data. For instance, it has been noted that the data breach took place because an attack exploited weak security practices: there was no multi-factor authentication feature; the DNA Relatives and Family Tree features disclosed unnecessary information by exposing data from other users, which amplified the breach’s impact; and users were reusing passwords across different services. According to Digital Defenders, there were things that the company should have done:
Use multi-factor authentication
Monitor for security events to stop attacks earlier
Impose rate limits on logins to slow down and frustrate attackers using automated tools
Have account lockout policies so accounts get locked after a set number of failed attempts
Have stronger password policies to reduce password reuse risks
Incorporate data minimization where less data is collected in the first place
Use the principle of least privilege so that users only have access to the data they need
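The first five items above (multi-factor authentication aside) are the controls that blunt a credential-stuffing campaign of the kind described later in this article: many recycled passwords tried against many accounts from automated tooling. As an added example that is not code from 23andMe or Digital Defenders, the following Python replays constructed login events through a guard that enforces per-account lockout after a set number of failures, a per-IP sliding-window rate limit, and a simple stuffing detector that alerts when one source address tries many distinct accounts. The thresholds, IP addresses and account names are all illustrative assumptions.

```python
"""Credential-stuffing defences replayed over constructed login events.
Added example, not 23andMe or Digital Defenders code; all thresholds and
sample data are illustrative assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: float          # seconds (constructed values below)
    ip: str            # source address of the attempt
    account: str       # account the attempt targets
    password_ok: bool  # result of the credential check, supplied by the caller


class LoginGuard:
    """Decides whether a login attempt may proceed and records stuffing alerts."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 window_seconds=60, max_per_ip=10, stuffing_accounts=8):
        self.max_failures = max_failures            # lock after N consecutive failures
        self.lockout_seconds = lockout_seconds      # how long the lock lasts
        self.window_seconds = window_seconds        # sliding window for per-IP limit
        self.max_per_ip = max_per_ip                # attempts per IP per window
        self.stuffing_accounts = stuffing_accounts  # distinct accounts per IP -> alert
        self.failures = defaultdict(int)            # account -> consecutive failures
        self.locked_until = {}                      # account -> unlock timestamp
        self.ip_attempts = defaultdict(deque)       # ip -> attempt timestamps in window
        self.ip_accounts = defaultdict(set)         # ip -> distinct accounts tried
        self.alerts = []                            # detection events for the SOC

    def evaluate(self, ev: LoginEvent) -> str:
        # 1. A locked account refuses even a correct password until the lock expires.
        if self.locked_until.get(ev.account, 0) > ev.ts:
            return "locked"

        # 2. Per-IP sliding-window rate limit: slows automation regardless of outcome.
        window = self.ip_attempts[ev.ip]
        while window and ev.ts - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_per_ip:
            return "rate_limited"
        window.append(ev.ts)

        # 3. Stuffing signal: one source trying many distinct accounts. Alert once,
        #    when the count first reaches the threshold.
        accounts = self.ip_accounts[ev.ip]
        accounts.add(ev.account)
        if len(accounts) == self.stuffing_accounts:
            self.alerts.append(f"credential_stuffing ip={ev.ip} accounts={len(accounts)}")

        # 4. Outcome handling with consecutive-failure lockout.
        if ev.password_ok:
            self.failures[ev.account] = 0
            return "allow"
        self.failures[ev.account] += 1
        if self.failures[ev.account] >= self.max_failures:
            self.locked_until[ev.account] = ev.ts + self.lockout_seconds
            self.failures[ev.account] = 0
            return "locked"
        return "denied"


def replay(guard: LoginGuard, events):
    """Run every event through the guard; returns (account, decision) pairs."""
    return [(ev.account, guard.evaluate(ev)) for ev in events]


# Constructed sample: an automated source spraying recycled passwords across 12
# accounts, a legitimate user who mistypes once, and a user whose 5 failures lock
# the account so that the correct password 10 seconds later is still refused.
SAMPLE_EVENTS = (
    [LoginEvent(1000 + i, "203.0.113.7", f"user{i:02d}", False) for i in range(12)]
    + [LoginEvent(1100, "198.51.100.5", "alice", False),
       LoginEvent(1105, "198.51.100.5", "alice", True)]
    + [LoginEvent(1200 + i, "192.0.2.9", "bob", False) for i in range(5)]
    + [LoginEvent(1215, "192.0.2.9", "bob", True),      # still inside the lockout
       LoginEvent(2105, "192.0.2.9", "bob", True)]      # lockout expired -> allowed
)


def run_sample():
    """Replay SAMPLE_EVENTS with default thresholds; returns (decisions, alerts)."""
    guard = LoginGuard()
    return replay(guard, SAMPLE_EVENTS), guard.alerts


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for account, decision in decisions:
        print(f"{account:8s} {decision}")
    print("alerts:", alerts)
```

Two design points are worth noting. The lockout check runs before the password check, so a correct password offered during the lockout is refused rather than quietly succeeding; that is what stops an attacker who finally hits the right recycled password. The per-IP limit deliberately counts attempts, not failures, because a stuffing run from a large password list produces mostly failures anyway and the limit should slow the tooling either way; in production this threshold needs care, since users behind a shared NAT address would also be affected.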
The class action settlement in the United States can help to compensate for any customer losses related to the data breach. However, it is currently not clear how the genetic information of customers will be handled by a new successor company (the company could be sold to a new company, which may want to make new terms and conditions).
What has happened in Canada?
On June 10, 2024, the privacy authorities for Canada and the United Kingdom (UK) launched a joint investigation into the data breach that was discovered in October 2023 at the global direct-to-consumer genetic testing company 23andMe.
On the Privacy Commissioner of Canada (OPC) website, the announcement stated that 23andMe is a custodian of highly sensitive personal information including genetic information which does not change over time. The data can reveal information about an individual and their family members, including about their health, ethnicity, and biological relationships. This makes public trust in these services essential. Presently, the OPC is still investigating the matter.
Both Canada (the OPC and provincial Commissioners) and the UK noted that the sensitive information needs to be protected:
“In the wrong hands, an individual’s genetic information could be misused for surveillance or discrimination,” said Commissioner Philippe Dufresne.
“Ensuring that personal information is adequately protected against attacks by malicious actors is an important focus for privacy authorities in Canada and around the world”.
Likewise, the Information Commissioner’s Office (ICO) in the UK announced the joint investigation with the OPC in June 2024. The goal is to examine:
the scope of information that was exposed by the breach and potential harms to affected people
whether 23andMe had adequate safeguards to protect the highly sensitive information within its control
whether the company provided adequate notification about the breach to the two regulators and affected people as required under Canadian and UK data protection laws
The ICO recently announced that in early March 2025, it issued 23andMe with provisional findings, a notice of intent to fine £4.59 million and a preliminary enforcement notice:
“We would stress these findings are provisional and, as with all preliminary findings, are subject to representations from 23andMe including in relation to affordability considerations. The ICO will carefully consider any representations made before taking a final decision.
We are aware that 23andMe has filed for Chapter 11 bankruptcy in the US to facilitate a sale process. We are monitoring the situation closely and are in contact with the company. As a matter of UK law, the protections and restrictions of the UK GDPR continue to apply and 23andMe remains under an obligation to protect the personal information of its customers.”
Given the settlement in this case in the United States, it will be interesting to see what takes place in Canada. It will be important to note that in Ontario, the Personal Health Information Protection Act states in section 4 that “personal health information” means identifying information about an individual in oral or recorded form, if the information relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family. It will be critical to see how the phrase “including information that consists of the health history of the individual’s family” is treated by the regulator—many family members are also caught in the 23andMe mess thanks to their relatives hastily giving up their genetic data. The ramifications are very serious when it comes to thinking about how employers and insurers may obtain and use this information in the future.
Correspondingly, in the federal sphere, the Personal Information Protection and Electronic Documents Act (PIPEDA) states in section 2 that “personal health information”, with respect to an individual, whether living or deceased, means information concerning the physical or mental health of the individual.
There could also be human rights provisions that are triggered regarding genetic discrimination. For instance, in Ontario, the Ontario Human Rights Commission has urged insurance companies to avoid using enumerated grounds of discrimination contained in the Human Rights Code and genetic testing information for measuring risk. It has also cautioned employers that they can only test job applicants with pre-employment medical exams if determining a person’s ability to perform essential job duties.
Furthermore, in the federal sphere, the Canadian Human Rights Act states in section 3 that genetic characteristics is one of the prohibited grounds of discrimination. Moreover, section 3(3) of the Act states the following:
“Where the ground of discrimination is refusal of a request to undergo a genetic test or to disclose, or authorize the disclosure of, the results of a genetic test, the discrimination shall be deemed to be on the ground of genetic characteristics”
And in order to protect workers from the “interview” that consists of requiring the taking of a genetic test (and potential consequent refusal to hire or promote), legislation in the federal sphere, namely the Canada Labour Code, has a considerably thoughtful section called Division XV.3: Genetic Testing. Essentially, every employee:
is entitled not to undergo or be required to undergo a genetic test
is entitled not to disclose or be required to disclose the results of a genetic test
Most importantly, employers are not allowed to dismiss, suspend, lay off, or demote an employee, impose a financial or other penalty on an employee, or refuse to pay an employee remuneration in respect of any period that the employee would, but for the exercise of the employee’s rights under this Division, have worked, or take any disciplinary action against or threaten to take any such action against an employee just because the employee refused a request by the employer to undergo a genetic test, refused to disclose the results of a genetic test, or on the basis of the results of a genetic test undergone by the employee.
Employees can make a complaint if their employers contravene these provisions.
These provisions were a result of the forward-thinking Genetic Non-Discrimination Act (a 2017 amendment) that made changes to the human rights and employment provisions in the federal legislation. In 2020, the Supreme Court of Canada confirmed in Reference re Genetic Non‑Discrimination Act, that the Genetic Non-Discrimination Act of 2017 was indeed constitutional despite jurisdictional concerns, and applied to everyone in Canada.
What the foregoing suggests is that both Ontario and the federal government have basic protections in place to protect employees and job applicants, as well as individuals who need to buy insurance. Just imagine a job applicant going to an interview with an employer: in the near future, will that employer ask the applicant for a sample such as a saliva test?
This all reminds me of a 1997 movie called Gattaca, which depicts a future society centred on eugenics. The main character, Vincent, was not conceived through genetic selection and was called an “invalid” (unlike his brother, Anton, who was a “valid”) and faced several instances of genetic discrimination, even though it was illegal. In fact, he found a way to live among the valids and achieve his lifetime goal of working in the spaceflight conglomerate Gattaca Aerospace Corporation. But he had to pose as a valid to do this, using donated hair, skin, blood, and urine samples of a valid who was in an accident and was paralyzed after being hit by a car.
In my view, Gattaca, which was set in the “not too distant future”, could happen in reality. Although there are currently protections in place in Canada, the strengths of the Canadian Human Rights Act and the Canada Labour Code should be duplicated all across Canada. Since both regimes are provincially regulated, the changes need to be reflected in both the human rights and the employment legislation of the provinces and territories.
What should consumers do?
Many 23andMe customers have been advised to delete their data and their accounts. It is clear that nothing has changed since the data breach—the company is still operating in the same manner when it comes to storing, managing, or protecting customer data.
The Ontario Information and Privacy Commissioner warned consumers in March 2025 about what will happen to their genetic data—she pointed out that there is a risk that the data privacy safeguards that customers initially signed on to may change. That is, when company ownership changes hands, the terms of engagement could as well.
Also, it is important to note that there is a class action in Canada, where the Supreme Court of British Columbia appointed a representative plaintiff and established the class membership criteria on December 20, 2023. In an interview with CBC, the representative plaintiff expressed regret that he had given up a significant amount of intimate data:
“You’re giving them everything. You’re basically giving them the raw code of yourself, if you will — you at your most finest essence”
How did the data breach happen? Hackers initially got into around 14,000 accounts by using old compromised passwords that customers had recycled from other accounts on other sites, and then used those accounts to access 5.5 million DNA Relatives profiles.
In a blog dated March 26, 2025, 23andMe states that it is required to comply with its privacy policy and the law with respect to the treatment of customer data. Also, it states that “Under Chapter 11, we intend to use the sale process to maximize the value of our business while continuing to operate”.
While the company tries to find a new buyer, customers are still able to go in and access their accounts, genetic reports, and any stored data. They can delete their data and accounts, which is recommended.
Additionally, the blog states the following:
“Through the sale process, 23andMe will look to secure a partner who shares in its commitment to customer data privacy and will further its mission of helping people access, understand and benefit from the human genome.
Any buyer will be required to comply with our privacy policy and with all applicable law with respect to treatment of customer data. Our users’ privacy and data are important considerations in any transaction, and we remain committed to our users’ privacy and to being transparent with our customers about how their data is managed.
You have choices. You can opt into and out of our research at any time by updating your consent status in your account settings. If you opt out, we will stop using your information for research going forward (we cannot affect studies that have already been completed) and will discontinue use of your data within 30 days”
What can businesses learn from 23andMe?
Canadian businesses are recommended to review their privacy policies and security safeguards in order to ensure that any data that is under their control is being properly protected. When it comes to commercial transactions that are covered by PIPEDA, there are specific obligations that businesses must meet if a data breach is discovered. Businesses must act quickly and make the necessary notifications to the Privacy Commissioner and affected individuals.
It is interesting that 23andMe is promising that the unknown buyer would have to comply with its privacy policy—as the Information and Privacy Commissioner pointed out, a new company can change the terms of engagement and thus the way in which it protects user privacy.
We may also soon find out the results of the OPC’s investigation of 23andMe. The report may contain additional information and learnings—we will keep you posted.