23andMe Privacy Ombudsman Urges User Consent Pre-Data Sale (1)

The consumer privacy ombudsman tasked with analyzing the impact of 23andMe’s bankruptcy sale on individuals’ privacy has called for users’ consent before the sale of the company’s vast trove of genetic data receives court approval.

Neil M. Richards told the bankruptcy judge that he couldn’t “conclude with certainty” that the sale of millions of customers’ genetic data is consistent with 23andMe’s privacy policy and statements. He recommended that the company obtain “separate, affirmative consent” before selling user data to either Regeneron Pharmaceuticals Inc. or TTAM Research Institute, according to his report filed Wednesday in the US Bankruptcy Court for the Eastern District of Missouri.

“It would not be hyperbole to conclude that this is one of the most—if not the most—sensitive collections of data about identified people ever sought to be discharged in bankruptcy,” Richards wrote.

The report comes after months of growing concerns from international, federal, and state regulators over the impact of the sale on the privacy of millions of consumers. After investigating 23andMe and bidders’ security and privacy practices, the ombudsman said he couldn’t conclude that the sale wouldn’t violate non-bankruptcy laws, such as state privacy laws.

The ombudsman’s report is non-binding, leaving Judge Brian C. Walsh with the last word on terms of a sale.

23andMe’s Privacy Promises

The sale of 23andMe’s assets may ultimately violate its own privacy notice, Richards found, because it lacked any reference to the potential for a sale of data in bankruptcy before June 2022.

“Before June 8, 2022, no consumer—no matter how hard they looked—would have been able to find a statement in 23andMe’s Privacy Statement that a bankruptcy might result in the sale or transfer of their data,” the report said. “This is, again, in contrast to the many clear, bold, and large statements about the importance of privacy.”

While bankruptcy-related language has since been added, “it is neither easy nor intuitive” to find, the ombudsman wrote.

“It takes either four correct clicks among many through a complex interface to find and read the full relevant sentence, or three clicks and then scrolling through a dense document of 3,306 words to find the specific bankruptcy language,” Richards added, noting that it’s " highly unlikely” a “typical” customer understood what they were agreeing to when signing up to use the genetic testing provider’s services.

Regeneron Versus TTAM

To mitigate consumer harms, Richards recommended either 23andMe or the winning bidder obtain consent from consumers before using their genetic data. He also advised the winning bidder make additional data privacy and security commitments, such as demanding warrants from law enforcement before handing over data and making promises not to use data in a way “inconsistent” with customers’ best interests.

The ombudsman’s report also highlighted “unique challenges” that would arise depending on which company ends up purchasing 23andMe’s data trove.

Regeneron has never operated a direct-to-consumer genetic testing business and may not be prepared to handle data subject requests, Richards said. Meanwhile, many of the individuals associated with TTAM were also at 23andMe during its 2023 data breach. TTAM, founded by 23andMe’s former CEO Anne Wojcicki, is also organized as a nonprofit medical research organization, which would put it outside of the scope of some privacy laws, potentially creating an “accountability vacuum.”

The case is In re 23andMe Holding Co. , Bankr. E.D. Mo., No. 25-40976, report filed 6/11/25 .