Don't Blame 23andMe for the Federal Government's Lack of Clear Data Privacy Rules

A lawsuit against genomics firm 23andMe is stirring a debate about what the proper role of government is in regulating how private companies use sensitive data.

In June, 27 states filed a lawsuit against 23andMe to block the sale of the company's customer data without their consent. The firm filed for Chapter 11 bankruptcy in March, and recently, Regeneron Pharmaceuticals (a biotechnology firm) announced that it would buy the company.

Data obtained from 23andMe can "identify and track those who are related to the 23andMe consumer—including future generations yet unborn," according to the lawsuit. The sheer magnitude of this genetic information, therefore, impacts those "who have no awareness of the sale as well as humans who do not even exist yet." The lawsuit alleges that with access to a user's DNA, the "customer's genome could remain in existence in corporate hands and subject to use (ranging from research to cloning) long after future generations of the 23andMe's consumer have passed away."

The plaintiffs argue that 23andMe customers "have inherent common law rights of ownership or control in their biological material" and that the company "lacks sufficient rights to control and transfer" these materials "absent the customer's express, informed, affirmative consent to the proposed sale/transfer." As such, "23andMe must honor its representations to consumers by requiring 'explicit consent' to the proposed sale based on its 'Privacy' webpage, which assures customers that their DNA and health insights, entrusted with 23andMe, will be protected."

Nicole Shekhovtsova, a technology policy analyst at Reason Foundation (the nonprofit that publishes this magazine), says that while the issue is a complex one, especially in considering the government's proper role in protecting the interests of private companies and consumers, the case highlights a larger problem: The U.S. doesn't have a federal framework to regulate how private companies can use or share sensitive data. "A national framework would give both companies and consumers clear, uniform rules—and prevent this kind of legal uncertainty," she explains.

"The regulatory gap is unfair not just to companies, but to consumers as well. It leaves users with unequal and inconsistent protections, where the rules depend on where they live and how a court interprets contractual language," she adds.

American genetic privacy laws began in the 1990s, starting with Oregon's 1995 Genetic Privacy Act and mostly focused on clinical settings such as hospitals and labs, not direct-to-consumer companies like 23andMe. Because of this, 23andMe was able to operate under its own internal policies and terms of service. As Shekhovtsova explains, it wasn't until the early 2020s that states started passing laws that directly regulated how consumers' genetic information could be collected, used, and transferred. California, for instance, modified its Consumer Privacy Act in 2023, which limited the "use and disclosure of sensitive personal information."

"By that time, 23andMe had already built a massive database under a different legal environment. Now there's a growing conflict between the company's original contractual model and newer state-level legal requirements—many of which impose stricter rules on consent, data transfers, and sample destruction," says Shekhovtsova. This has created "a legal mismatch" where companies that rely on "click-wrap contracts are now being judged under far more stringent, purpose-bound state statutes," she adds.

Still, the lawsuit may not be the most effective way to address the issue.

"Rather than establishing clear rules, or letting companies equip individuals with better tools to manage their privacy, this lawsuit imposes top-down restrictions," she says.

A better way forward would be to empower private entities to protect consumer data. 23andMe's website already allows users to voluntarily delete their data and request destruction of their biological samples, telling users, "If, at any time, you are no longer interested in participating in our Services, you may delete your 23andMe account directly within your Account Settings."

As the lawsuit navigates the legal system, the states that are suing 23andMe and the consumers who are concerned about their privacy could be better served in directing their ire at government agencies. "The FBI's Next Generation Identification system contains the fingerprints of more than 186 million criminal, civil, and military individuals," writes Reason's Ronald Bailey. "While fingerprints have to be collected onsite and compared using offsite databases, facial recognition cameras with real-time database matching can become ubiquitous, able to track you nearly everywhere you go in public. Your face may be your passport but it's also your snitch."