Dive Brief:
- 23andMe is facing questions from top Republicans on the House Energy and Commerce Committee over the privacy safeguards the bankrupt genetic testing company intends to implement in the event of a sale or transfer of customer data.
- In a Thursday letter, the lawmakers demanded a number of details, including a description of how representations made in the company’s privacy statement will be enforced if customer information is sold to a third party. The letter seeks responses by no later than May 1.
- “With the lack of a federal comprehensive data privacy and security law, we write to express our great concern about the safety of Americans' most sensitive personal information,” said the letter, which was signed by Committee Chairman Brett Guthrie, R-Ky., along with Reps. Gus Bilirakis of Florida, and Gary Palmer of Alabama, both Republicans who chair key subcommittees.
Dive Insight:
Sunnyvale, California-based 23andMe has sparked growing data privacy concerns after announcing last month that it initiated Chapter 11 bankruptcy protection and was seeking to sell “substantially all of its assets.”
According to 23andMe's privacy statement, the company may sell or transfer customers’ personal information in a bankruptcy proceeding, the House letter noted.
“Additionally, a judge recently ruled 23andMe has the right to sell the sensitive medical and genetic information of its 15 million customers, which is considered to be the company's most valuable asset,” said the letter to Joe Selsavage, who recently took on the position of interim CEO at 23andMe while continuing to serve as CFO. Anne Wojcicki, who previously served as CEO, resigned while staying on as a member of the board.
Rep. James Comer, R-Ky., chairman of the House Oversight and Government Reform Committee, is also investigating data privacy issues in the bankruptcy.
“To ensure the safety of Americans’ data, we request documents and information from you and your testimony at a hearing on May 6, 2025,” Comer said in an April 15 letter to Wojcicki.
Federal Trade Commission Chairman Andrew Ferguson weighed in late last month in a letter to Acting U.S. Trustee Jerry Jensen, saying 23andMe must honor its data privacy and security commitments in any sale or transfer of individuals’ personal data. The letter also stated that any purchaser should “expressly agree to be bound by and adhere to the terms of 23andMe’s privacy policies and applicable law, including as to any changes it subsequently makes to those policies.”
Meanwhile, attorneys general in a number of states have issued alerts urging 23andMe users to consider taking steps to protect their privacy, including deleting their personal information.
Guthrie and his Commerce Committee colleagues said they were concerned about the uncertainty surrounding what might happen in the event of a sale of customer data. They noted that data privacy obligations under the Health Insurance Portability and Accountability Act generally do not apply to direct-to-consumer companies, like 23andMe.
“Adding to our concerns, customers are experiencing issues accessing and deleting their data from their 23andMe accounts,” the lawmakers wrote.
In a Friday press release, 23andMe said it “takes its responsibility as a steward of customer data seriously.”
Among other steps, the company has “requested that potential bidders submit detailed descriptions of their intended use of any purchased customer data, outline the privacy programs and security controls they have in place or would implement, and disclose whether any modification of existing privacy policies would be requested — as any changes must be made in accordance with the terms of the Company’s privacy policies and applicable law,” the release said.
