ICO calls for protections for 23andMe customer data
- Date: 1 May 2025
- Type: Statement
The UK Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada (OPC) have called for the protection of the sensitive personal data of 23andMe’s customers during and after the genetic testing company’s bankruptcy proceedings.
The regulators have written a joint letter to the U.S. Trustee, the body that oversees bankruptcy cases, administering them and litigating to enforce the bankruptcy laws.
The letter highlights the requirements under UK and Canadian law for both 23andMe and any potential buyer of either the company or its customers’ personal data to adhere to UK GDPR and PIPEDA (Canada's federal private-sector privacy law), whilst warning that they will take action if this data is not properly protected.
At a hearing on 29 April 2025, a US bankruptcy judge ordered the appointment of a Consumer Privacy Ombudsman to oversee the handling of 23andMe’s customers’ personal information during the bankruptcy proceedings. The ICO and OPC welcome this development and plan to engage with the ombudsman once their appointment has been finalised.
John Edwards, UK Information Commissioner, said:
“23andMe holds some of the most personal and highly sensitive information possible about its customers, including genetic data, health reports and self-reported health conditions. We have this week written to the U.S. Trustee to call for the protection of this sensitive data during and after the company’s bankruptcy.
“The UK public need to trust that the bankruptcy proceedings, and any potential sale of the company or its assets, will safeguard their personal data from unauthorised use or misuse. We are here to advocate on their behalf and we will not hesitate to take action against 23andMe or any potential purchaser should data protection legislation not be adhered to.”
Philippe Dufresne, Privacy Commissioner of Canada, said:
“23andMe holds the highly sensitive personal information, including DNA, of millions of customers. My Office is closely following the sale of 23andMe to ensure that any personal information relating to individuals located in Canada is handled in compliance with our federal private-sector privacy law. This is of the utmost importance given the significant concerns that Canadians may have about the protection of their personal information going forward, especially given that some of the data has previously been subject to a breach.”
Investigation
The ICO and OPC have been jointly investigating a 2023 data breach at 23andMe. In March 2025 the ICO issued its provisional findings, a Notice of Intent to impose a fine of £4.59m and a Preliminary Enforcement Notice. The ICO will carefully consider any representations from 23andMe before taking a final decision.
Questions and answers
What are your main concerns?
The ICO and OPC are concerned about the protection of the sensitive personal data of 23andMe's UK and Canadian customers during and after the bankruptcy proceedings. We want to prevent unauthorised use or misuse of consumers' personal data.
What specific types of personal data are the ICO and OPC worried about?
The ICO and OPC are particularly worried about the protection of highly sensitive information, including genetic data, health reports, and self-reported health conditions of 23andMe's customers.
What actions have the ICO and OPC taken in response to the 2023 data breach at 23andMe?
The ICO and OPC have been jointly investigating the 2023 data breach. In March 2025, the ICO issued provisional findings, a Notice of Intent to impose a fine of £4.59 million, and a Preliminary Enforcement Notice. We are currently considering representations from 23andMe before making a final decision.
What are the legal obligations of any potential buyer of 23andMe or its assets under UK law?
Any potential buyer of 23andMe must comply with UK GDPR, including the restrictions imposed on the use or disclosure of personal information for purposes other than those for which it was originally collected. Buyers must also implement strong security measures to protect the personal information they hold.
What measures are the ICO and OPC suggesting to ensure the protection of personal data during the bankruptcy proceedings?
The ICO and OPC have welcomed the appointment of a Consumer Privacy Ombudsman to oversee the protection of personal data during the bankruptcy proceedings. We also remind any potential buyer of 23andMe that they must adhere to data protection legislation.
How have the ICO and OPC communicated their concerns to the US Trustee?
The ICO and OPC have written a joint letter to the U.S. Trustee, expressing their concerns and outlining the privacy law requirements that apply to the personal information of 23andMe customers in the UK and Canada. They have also indicated their willingness to investigate and take appropriate action if there is evidence of any future non-compliance by a buyer of 23andMe and/or its customers' data.
Can 23andMe’s data be sold?
Yes, but any purchaser of their data must remain compliant with data protection legislation.
What are the potential consequences for 23andMe or any potential purchaser should they fail to comply with data protection laws?
The ICO and OPC have made it clear that they will not hesitate to investigate and take appropriate action against 23andMe or any potential purchaser who acquires 23andMe, should there be evidence of non-compliance with applicable data privacy laws.