Key points:
- 23andMe’s bankruptcy follows a major data breach that exposed sensitive genetic information.
- The incident spotlights growing legal, ethical, and national security concerns around genetic privacy.
- Experts urge stronger federal legislation and standardized compliance strategies for companies handling genetic data.
Direct-to-consumer genetic testing company 23andMe has filed for Chapter 11 bankruptcy, a move driven in part by a severe loss of consumer trust following a 2023 security breach that compromised the genetic data of millions. The incident has refocused attention on the urgent need for robust genetic privacy protections and consistent regulatory standards, especially as companies across industries—from health care to AI—leverage sensitive genomic data in increasingly complex ways.
The bankruptcy underscores the unique risks posed by genetic information, which, unlike other forms of personal data, is permanent, deeply intimate, and impossible to change once compromised. As Bloomberg Law reports, misuse of such data can lead to discrimination in insurance and employment, identity fraud, and even national security threats if foreign actors weaponize U.S. genetic data.
While federal laws like the Genetic Information Nondiscrimination Act (GINA), HIPAA, and the Affordable Care Act provide a baseline of protection, these laws leave major gaps. GINA, for example, bars genetic discrimination in health insurance and employment, but does not cover life or disability insurance. Enforcement is largely reactive and does not address the broader consumer privacy risks associated with widespread data sharing and resale.
States have tried to fill in the gaps with their own laws. California’s Genetic Information Nondiscrimination Act extends protections into housing and education, while states like Maryland and Washington have adopted strict rules around informed consent, data security, and bans on the sale of genetic data. But this patchwork of state laws creates a complex and often confusing compliance landscape for companies operating nationally.
To navigate these challenges, businesses handling genetic information should implement clear compliance strategies, including:
- Publishing detailed privacy notices about how genetic data is collected, used, stored, and shared.
- Providing consumer controls for accessing, deleting, or modifying their genetic data and accounts.
- Obtaining explicit, purpose-specific consent before using genetic data, with easy revocation options.
- Implementing strong technical and organizational safeguards for genetic data, and performing regular risk assessments and audits.
- Conducting data protection impact assessments to identify and mitigate emerging privacy and security risks.
Still, experts warn that industry compliance alone isn’t enough. The 23andMe fallout demonstrates that even de-identified data can be re-identified using public databases and genomic software, raising new risks for both individuals and national security. Advocates are calling for the Trump administration and Congress to prioritize comprehensive federal legislation that would impose consistent standards for consent, data minimization, breach notification, and restrictions on resale of genetic data.
“The 23andMe bankruptcy is a wake-up call,” the report concludes. Without urgent regulatory action and stronger compliance, companies risk not only legal consequences, but permanent reputational damage in an era of growing privacy expectations and geopolitical threats.