Event Review: ELSI and the Sale of Genetic Data –The case of 23andMe

The September 2025 session of the ELSI Friday Forum, titled 'ELSI and the Sale of Genetic Data: The Case of 23andMe', tackled this question through the real-world example of the bankruptcy of one of the most prominent direct-to-consumer (DTC) genetic testing companies, 23andMe.

The ELSI Friday Forum series, funded by the US National Human Genome Research Institute, regularly brings together experts to dissect the ethical, legal, and social implications (ELSI) of genomics. This particular session, introduced by Professor Mildred Cho, co-director of the Center for ELSI Resources and Analysis, and moderated by Professor Anya Prince, featured two legal scholars: Professor Sara Gerke and Professor Neil Richards. Both offered complementary perspectives on how the 23andMe case reveals deep flaws in the governance of genetic data; flaws that, as the discussion made clear, are as urgent as they are complex.

As Professor Gerke outlined at the very beginning, 23andMe's financial troubles had been mounting for some time, with a major data breach in 2023 and a 70 percent stock price drop culminating in its March 2025 bankruptcy filing (see BioNews 1211 and 1283). The non-profit TTAM Research Institute ultimately acquired the company's assets, including an enormous database containing the genetic and personal data of more than 15 million customers, including family histories, self-reported health information, behavioural data, and even messages, some of which referred to relatives who had never given consent.

What made her account particularly compelling was the calm but unmistakable warning that accompanied it: these transfers are entirely legal. 23andMe's privacy policy explicitly allowed for the sale of user data in the event of bankruptcy, provided the new owner complied with 'applicable privacy laws.' Yet, as Professor Gerke reminded the audience, the USA has no overarching federal privacy law comparable to the EU's General Data Protection Regulation (GDPR).

Her explanation of the regulatory patchwork was one of the most illuminating, and frustrating, moments of the session. She highlighted how the US Health Insurance Portability and Accountability Act (HIPAA) only applies to specific 'covered entities' such as hospitals and health insurers, not to DTC genetic testing companies. Likewise, the Genetic Information Nondiscrimination Act protects individuals from genetic discrimination in employment and health insurance, but not in life, disability, or long-term care insurance.

With striking legal precision, Professor Gerke revealed the fragility of consumer protections most people assume exist. As she put it, Americans' privacy effectively depends on their postcode: states like California and Colorado have enacted stronger rules, while others have none. Her reference to the proposed Genomic Data Protection Act, which would grant individuals the right to delete their data and request destruction of their biological samples, offered a glimmer of hope. Still, the takeaway was sobering: for now, genetic data in the USA remains vulnerable to misuse, resale, and exploitation.

If Professor Gerke laid the groundwork, Professor Richards deepened the ethical stakes. His presentation, highly engaging for the legally minded audience, explored how bankruptcy law is designed to maximise the financial value of a company's assets, not to protect personal privacy or human dignity. The take-home message was quite unsettling: in the eyes of bankruptcy law, he explained, genetic data is an asset like any other, a commodity to be valued and sold.

By showcasing the bankruptcy of a toy company, Professor Richards effectively illustrated how, regardless of sensitivity, data is routinely monetised to repay creditors. Applied to genomic information, this logic gives rise to what he called a 'secondary market in genetic data', a chilling but accurate reality. This portion of the webinar was particularly thought-provoking: Professor Richards managed to translate a highly technical legal process into a vivid ethical problem that resonated beyond the legal community.

His discussion of 'orphaned data' was especially striking. What happens to the genetic information of people who have died, who cannot consent, withdraw, or even be aware of how their data is used? If privacy protections rely on individuals making informed choices, then, as Professor Richards argued, 'dead people can't opt out.' This underscored how ill-equipped existing systems are to address the moral dimensions of genomic information, data that represent our unique blueprint and that, unlike a password, cannot be changed or revoked.

Professor Richards' final message – that privacy policies and individual consent cannot compensate for the absence of strong federal protections – felt like a call to action. His framing of genetic privacy as a human rights issue elevated the discussion beyond legal analysis, lending it moral urgency.

The Q&A session added further layers of complexity. Asked about de-identification, both speakers noted that while anonymising data can protect privacy, it also creates a loophole: once de-identified, data often falls outside HIPAA's protections and can therefore be freely traded. Even worse, combining multiple datasets can often re-identify individuals, especially in small or vulnerable populations, offering insight into why de-identification cannot be the sole solution.

Questions about protecting marginalised and vulnerable communities, such as Indigenous or transgender people, prompted a return to the central theme: only universal, robust data protections can safeguard everyone, and end what Richards rightly described as the 'US data anarchy'. The speakers agreed that patchwork protections are not enough when the stakes involve identity, ancestry, and health.

Overall, this ELSI Friday Forum was among the most relevant and intellectually engaging sessions I've attended so far. The interplay between Professor Gerke's legal precision and Professor Richards' ethical framing made for a well-rounded and dynamic conversation. Both speakers communicated complex ideas with clarity, and the case-study approach, anchoring abstract legal concepts in the tangible example of 23andMe, proved highly effective, turning policy debate into a compelling narrative.

For professionals and lay audiences alike, the session served as both a wake-up call and a masterclass in bioethical reasoning. It highlighted how far genetic privacy law in the USA lags behind the technology it seeks to regulate, and why this gap demands urgent attention.

A powerful, insightful, and at times unsettling discussion, this Forum is highly recommended for anyone working in genomics, law, bioethics, or data governance. It left one lingering question that should concern us all: when companies fail, who protects the people behind the data?