Data Security: A Look at 23andMe's Legal Troubles

March 31, 2025
2023 was a bad year for 23andMe, a once beloved tech fad. A general decline of interest in its service, combined with a huge security breach that compromised the data of nearly 7 million users, produced a crisis the company has yet to recover from. In 2024, a class action lawsuit was filed against the company for failing to disclose that Jewish and Chinese users had been racially targeted in these cyberattacks. A settlement of 30 million dollars was reached, but 23andMe returned to the headlines in 2025 ahead of its plans to file for Chapter 11 bankruptcy. Unresolved concerns about the company’s data security dating from the 2023 breach have reemerged as the company prepares to be sold and potentially transfer its data to new ownership.
23andMe has a privacy policy expanding on its promise that “your privacy comes first.” Provisions include:
- "You can be assured that your genetic data will not be shared with employers, insurance companies, or public databases without your explicit consent.
- Since 2008, your individual data has never been released to law enforcement and will only be shared if required by a valid legal process.
- All your sensitive information is encrypted (at rest and in transit) and regular assessments are conducted to identify security vulnerabilities and threats.
- We have enabled app-based 2-step verification for your 23andMe account adding a second check beyond your password."
These provisions indicate that 23andMe will not intentionally distribute the data provided to them by its users without consent. When it comes to data breaches carried out by hostile actors and hackers, the company opts to quietly shift the blame onto the consumer.
In a blog post following the data breach, 23andMe explains the technique used by the hackers:
"In early October, we learned that a threat actor accessed a select number of individual 23andMe.com accounts through a process called credential stuffing. That is, usernames and passwords that were used on 23andMe.com were the same as those used on other websites that have been previously compromised or otherwise available."
Since 23andMe’s own systems were not breached, it is easy to say that the company could not do much more to protect its users’ data beyond sending out reminders to change compromised passwords and to enable “app-based 2-step verification.” The company was not ultimately penalized for this vulnerability in its security posture; the 2024 lawsuit was specifically about the failure to disclose the hackers’ racial targeting of users.
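The credential-stuffing pattern quoted above has a recognizable footprint on the server side even though no server-side flaw is exploited: a small number of source addresses attempt logins against many different usernames in a short window, and the occasional success among those attempts marks an account whose reused password was already known to the attacker. The following detector is an added example written for this post, not 23andMe's code or any statement of how its systems work; the log format, field names, thresholds and the sample log lines are all constructed for illustration.

```python
"""Flag credential-stuffing activity in authentication logs (added example).

Assumed, constructed log format (one login attempt per line):
    <ISO-8601 timestamp> ip=<source address> user=<username> result=OK|FAIL
A source address that tries MIN_DISTINCT_USERS or more different usernames
within WINDOW is treated as a stuffing source, and every account that logged
in successfully from such a source is reported as likely compromised.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one normal user (bob) who mistypes once, one
# address cycling through six accounts in ten seconds (one of which succeeds),
# one address with only two attempts, and a line that is not a login record.
SAMPLE_LOG = """\
2023-10-01T12:00:00Z ip=203.0.113.9 user=bob result=FAIL
2023-10-01T12:00:20Z ip=203.0.113.9 user=bob result=OK
2023-10-01T12:01:00Z ip=198.51.100.7 user=alice result=FAIL
2023-10-01T12:01:02Z ip=198.51.100.7 user=carol result=FAIL
2023-10-01T12:01:04Z ip=198.51.100.7 user=dave result=FAIL
2023-10-01T12:01:06Z ip=198.51.100.7 user=erin result=FAIL
2023-10-01T12:01:08Z ip=198.51.100.7 user=frank result=FAIL
2023-10-01T12:01:10Z ip=198.51.100.7 user=grace result=OK
2023-10-01T12:05:00Z ip=192.0.2.44 user=heidi result=FAIL
2023-10-01T12:05:30Z ip=192.0.2.44 user=ivan result=FAIL
this line is not a login record
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

WINDOW = timedelta(minutes=10)   # sliding window per source address (assumed)
MIN_DISTINCT_USERS = 5           # distinct usernames per window that count as stuffing (assumed)


def parse_line(line):
    """Return a dict for a well-formed login record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def detect_credential_stuffing(lines, window=WINDOW, min_distinct_users=MIN_DISTINCT_USERS):
    """Return (suspicious_ips, compromised_accounts).

    suspicious_ips maps each flagged source address to the largest number of
    distinct usernames it attempted inside any single window; compromised_accounts
    is the sorted list of usernames with a successful login from a flagged address.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])

    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((e["ts"], e["user"]))

    suspicious_ips = {}
    for ip, attempts in by_ip.items():
        # Slide a window starting at each attempt and count distinct usernames in it.
        peak = 0
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            peak = max(peak, len(users))
        if peak >= min_distinct_users:
            suspicious_ips[ip] = peak

    # A successful login from a stuffing source is the signal that a reused
    # password matched: that account needs a forced reset, not just a reminder.
    compromised = sorted(
        {e["user"] for e in events if e["result"] == "OK" and e["ip"] in suspicious_ips}
    )
    return suspicious_ips, compromised


if __name__ == "__main__":
    ips, accounts = detect_credential_stuffing(SAMPLE_LOG)
    print("stuffing sources:", ips)          # {'198.51.100.7': 6}
    print("likely compromised:", accounts)   # ['grace']
```

The detector keys on breadth (many usernames per source) rather than depth (many failures per username), which is what distinguishes stuffing from an ordinary brute-force attempt on one account, and it treats a success from a flagged source as the actionable finding. In a real deployment the thresholds would be tuned against the service's normal traffic, and accounts on the compromised list would have sessions revoked and a password reset enforced rather than merely being sent a reminder.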
One common discussion in data security concerns limits on data retention: a timeframe after which a data collector must delete the data it is holding. It is self-evident that the longer data sits on a server, the more likely it is to be breached and obtained by hostile actors. On the topic of data retention, Principles of the Law: Data Privacy (available in our collection) states:
"Scope of retention of personal data. A data controller may retain personal data only for legitimate purposes that are consistent with the scope and purposes of notice provided to the data subject. A data processor shall retain personal data only as justified by its contract with the data controller or the data processor that provided the personal data and when consistent with these Data Privacy Principles. (Sec. 10(a))"
So far, governments have not been able to enforce guidelines about when a data collector must delete data, so 23andMe is well within its rights to hold onto user data as long as it would like.
The EU took a step in the direction of general data protection legislation with the institution of the General Data Protection Regulation, or GDPR, in 2018. It includes an individual right to deletion of data, which states,
"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies [...]" (GDPR Art. 17, Sec. 1)
Since its implementation, 23andMe has complied with these regulations, as outlined on this page. But the responsibility is still on the consumer to request data deletion from the company. Without a more serious and holistic approach to security, breaches like the one in 2023 remain inevitable.
By Yanis Ait Kaci Azzou and Andrea Larios, Library Assistants
Bibliography:
Principles of the Law: Data Privacy, published by the American Law Institute, can be found in the Downtown Riverside collection under the call number KF 1262 .P75 2020. This resource may also be accessed at all our locations on Westlaw or LexisNexis.
New York Times Articles Referenced:
"23andMe Files for Bankruptcy Amid Concerns About Security of Customers’ Genetic Data"
"23andMe Breach Targeted Jewish and Chinese Customers, Lawsuit Says"
"Data Breach at 23andMe Affects 6.9 Million Profiles, Company Says"
(For access to the New York Times through our website, follow this webpage.)
23andMe Statements:
"Questions related to 23andMe's Chapter 11 Filing"
"Addressing Data Security Concerns – Action Plan"
General Data Protection Regulation Compliance
The class action lawsuit against 23andMe can be accessed on Westlaw.