About a decade ago, DNA testing kits like 23andMe and Ancestry were at the height of their popularity, claiming to provide insights into health risks and family history.
By early 2019, more than 26 million consumers had submitted their DNA to four major commercial ancestry and health databases, according to MIT Technology Review—and by 2021, 23andMe reached a peak valuation of $6 billion after going public.
At the height of its popularity, the DNA companies promised not to share their customers’ genetic information with any third party without their consent.
Customers, however, could participate in research conducted on behalf of academic, nonprofit, and industry organizations.
But customers had to agree to take part in any academic studies.
“If customers don’t consent, none of their data is shared,” a 23andMe spokeswoman told CBNC in 2018.
But these promises came before companies such as 23andMe faced financial problems.
The California-based company, which sold customers on the idea of learning about their ancestry by mailing in saliva samples, filed for bankruptcy last year.
The company is selling the DNA profiles of more than 15 million people — including about 700,000 Canadians.
Privacy advocates worry that 23andMe customers’ DNA information could be sold without their consent.
So how ironclad are 23andMe’s privacy promises?
The Calgary Journal set out to fact-check the company’s claim.
Financial downturn and cyberattack
Following the height of their public success, 23andMe began to experience significant financial difficulties as the market for direct-to-consumer DNA testing kits declined, and their business models failed to hold the interest of those whose curiosity had been piqued after their first purchase.
In addition to a market decline, skepticism about the accuracy of the tests increased, as experts in genetics and bioethics have also cautioned against overinterpreting consumer genetic data—particularly when removed from a clinical setting.
In October 2023, news broke that 23andMe had been involved in a data breach that affected almost 7 million customers, with nearly 319,000 of those individuals in Canada.
During the 2023-2024 cyber attack, hackers gained access to a range of personal information. This included health reports, raw DNA data, ancestry reports, birth years, demographics and location details.
For users who used the “DNA Relatives” feature, the breach exposed profile information that allowed them to share details with genetic matches, including their relationships and geographic locations.
In response to the data breach, the Privacy Commissioner of Canada and the United Kingdom’s information commissioner launched a joint investigation into 23andMe’s privacy practices and compliance with Canada’s Personal Information Protection and Electronic Documents Act and the U.K.’s General Data Protection Regulation and Data Protection Act 2018.
What happened to customer data during bankruptcy?
As a result of the compounding challenges, 23andMe filed for Chapter 11 bankruptcy protection last March, heightening concerns about customer data security, the reliability of consumer genetic testing, and widespread claims that DNA testing companies might sell users’ genetic data to insurance companies.
In bankruptcy proceedings, a company’s assets — including customer data — may be sold as part of the restructuring process.
After filing for Chapter 11 bankruptcy, 23andMe insisted that its privacy policy and data-security practices would remain unchanged.
The Privacy Commissioner of Canada also maintained that personal information held by 23andMe would continue to be protected under the Personal Information Protection and Electronic Documents Act, regardless of any change in ownership.
Bankruptcy proceedings, however, are distinct from broader privacy obligations, raising separate questions about how personal data may be treated before, during, or after insolvency.
What do privacy laws actually protect?
In Canada, genetic information is protected from forced disclosure under the Genetic Non-Discrimination Act.
But, this does not prevent insurers from asking for an individual’s existing family medical history or using information about a pre-existing condition, even if that condition has a genetic basis.
In an interview with NPR, Anya Prince, a legal scholar with the University of Iowa College of Law, said that consumer DNA data in the U.S. is not protected under the Health Insurance Portability and Accountability Act.
“HIPAA,” said Prince, “does not protect data that’s held by direct-to-consumer companies like 23andMe,” because it operates outside of the health-care sector.
According to 23andMe’s research and consent document, participation is voluntary, and users can change their consent at any time.
These claims are, however, further complicated by the fact that after giving your consent to research, companies such as 23andMe will typically anonymize your genetic data.
A process that can make it nearly impossible for customers to later withdraw their samples from research databases, even if they change their minds.
It is also important to note that once customers agree to participate in research, the prohibitions of the Genetic Non-Discrimination Act do not apply to the individual conducting medical, pharmaceutical or scientific research.
Even where genetic laws exist, protections are limited and genetic data can affect not only the individual who consents, but also biological relatives who never agreed to testing.
The proposed Canadian class-action settlement
In December, a Canadian class-action settlement was reached for approximately $4.49 million (US$3.25 million) on behalf of Canadian residents whose personal information was compromised during the 23andMe data breach in 2023.
Sage Nematollahi, a lawyer at KNP Complex Litigation in Toronto and counsel to a class of Canadian consumers in the 23andMe Canadian Data Breach Class Action settlement, stressed that the cross-border insolvency process introduced additional legal complexity for Canadian claims.
“This case is the first Canadian class action that has been resolved and settled within a U.S. insolvency proceeding,” said Nematollahi in an interview with the Calgary Journal, adding that it was very possible that all the claims made by Canadians could have been “completely wiped out.”
“So we have a settlement that’s taken to the courts for approval, and I think we did a great job doing it, and we’re very proud of it,” said Nematollahi.
The settlement, which applies to users affected between May 1 and October 1, 2023, is set to receive final approval at a court hearing on February 17, 2026.
Eligible class members may be entitled to reimbursement of up to $2,500 for documented out-of-pocket expenses related to the breach.
23andMe is currently owned and operated by TTAM Research Institute, a nonprofit public benefit corporation based in California and led by 23andMe’s former CEO and Co-Founder, Anne Wojcicki.
In a 2025 statement published on the company’s website, co-founder Anne Wojcicki said that, core to her beliefs, “individuals should be empowered to have choice and transparency with respect to their genetic data,” adding that “the future of healthcare belongs to all of us.”
23andMe had also stated that its existing privacy policies, including the option for consumers to opt out of research, remain in place following the July 2025 sale of its assets— and that additional safeguards have been implemented to enhance data protection.
However, as privacy and legal experts warn, the extent of that protection ultimately depends on consent agreements, applicable privacy laws in a given jurisdiction and how genetic data is used after collection.
The Calgary Journal asked 23andMe to comment on this fact-checking report, but did not hear back by our deadline.
Read more of the Calgary Journal’s fact-checking reporting here.
Learn about our method and process for fact-checking here.
If you have an idea for a fact-check, contact us.