The Collapse of 23andMe and the Crumbling Foundation of Consumer Genomics
With implications for forensic science*
It’s been a long unraveling, but now there’s little room left for optimism. The company that once promised to democratize genetics, to empower people through knowledge of their own DNA, is disintegrating before our eyes. 23andMe, once valued at six billion dollars, has filed for Chapter 11 bankruptcy. Its CEO and co-founder Anne Wojcicki is positioning herself to repurchase the company, its board has imploded, and its valuation has collapsed by more than 95%. But the more critical question isn’t what will happen to the corporate entity; rather, it’s what will happen to the 15 million genetic profiles sitting on its servers.
For those working in investigative genetic genealogy or who rely on large-scale consumer genomics for leads in forensic contexts, the demise of 23andMe is not just a business story. It’s a turning point. One that reveals the structural weaknesses of the consumer DNA market, the ethical ambiguities baked into its foundations, and the regulatory vacuum that has allowed some of the most intimate forms of personal data to be bought, sold, and leaked with minimal recourse.
The Fantasy and the Fallout
From the beginning, 23andMe pitched itself not just as a testing service, but as a new kind of company, one that blurred the lines between healthcare, self-knowledge, and entertainment. The early marketing revolved around empowerment: discover your ancestry, learn your disease risks, find unknown relatives. It was sleek, forward-looking, and pitched to a population newly interested in precision medicine and personal data. The price dropped rapidly, from $999 at launch to less than $100 by the mid-2010s, making the kits a holiday-season staple. By the close of 2024, over 15 million people had signed up.
But DNA doesn’t repeat like Netflix1. It’s a one-time experience. Unlike tech companies that sell subscriptions, targeted ads, or recurring services, 23andMe and its competitors could only sell each customer one real product: Themselves. After that, the business turned to subscription health updates and, more ambitiously, drug development using aggregated genetic data. Neither of these strategies panned out. The company spent hundreds of millions developing two immuno-oncology drugs and launched a telehealth service to little fanfare. Despite the vastness of its database, research revenue from partnerships like the one with GlaxoSmithKline began to decline. Most customers never opted into extended services. Moreover, most diseases can’t be blamed on a single gene and most people don’t carry mutations.2 The returns simply didn’t match the investment.
To make matters worse, the data that 23andMe collected, although vast, wasn’t especially valuable in medical terms. Self-reported health data from surveys is noisy and biased. Genome-wide SNP arrays can’t match the precision of whole-genome sequencing. The promise of big-data breakthroughs gave way to the reality that understanding polygenic traits and complex disease risk remains stubbornly elusive.
Yet all of this mishegoss, the financial collapse, the failed pharmaceutical pipeline, and the underwhelming customer engagement, obscures the deeper problem: What it means when 15 million people have submitted their genomic data to a company with no clear financial future and very few legal constraints on what can be done with that information.
What Privacy Really Means
The most damning critique of 23andMe is not that it failed to make money.4 It’s that it never had a workable answer to the ethical questions it posed simply by existing. Consumer DNA companies, unlike healthcare providers, are not covered by HIPAA. That means their obligations to protect genetic data exist primarily in the form of privacy policies, policies which, as many consumers fail to understand, can be rewritten at any time. In fact, 23andMe’s own privacy documentation explicitly states that, in the event of a merger or acquisition, customer data may be transferred as an asset: You have made yourself a commodity. It promises to notify customers of policy changes and give them the opportunity to opt out. But as with most online services, these changes go unnoticed by the vast majority.
“Once your DNA is out in the wild, it’s out there for good.”
After a 2023 breach that exposed data from nearly 7 million customers, targeting especially those with Ashkenazi Jewish or Chinese ancestry, the company settled a class-action lawsuit for $30 million. In its court filings, 23andMe emphasized its “extremely uncertain financial condition.” The language was meant to shield it from further litigation. It could just as easily describe the condition of the entire consumer genomics sector.
Those concerned about the consequences of the breach had good reason. The leaked data included not just ancestry information but profiles that could be linked to extended relatives. With enough cross-referenced data, even de-identified samples can be re-identified. As scholars have repeatedly shown, genomic data isn’t private simply because your name isn’t attached to it. It carries with it a web of familial connections, identity markers, and health predispositions. Once compromised, there’s no way to change it. Your genome is not a password.5
This is not merely a privacy problem. It’s a governance vacuum. And it has direct consequences for any domain that relies on genetic data, including forensic science*.
Implications for Investigative Genetic Genealogy
Since the identification of the Golden State Killer, investigative genetic genealogy has become one of the most powerful tools in the forensic arsenal. The strategy relies not on suspects having left their DNA at multiple crime scenes, but on their relatives having voluntarily uploaded their data to open or semi-open platforms such as GEDmatch or FamilyTreeDNA. Sometimes, those relatives don’t even know they’ve contributed. A single third cousin in a public database can be enough to triangulate a match.
Although 23andMe has, to date, declined law enforcement access without a warrant, and claims not to have shared data with police, the line between consumer platforms and forensic tools has thinned considerably. Several other companies have offered broad access. And given the financial pressure 23andMe faces, there is no guarantee that a new owner wouldn’t see value in cooperating with, or selling access to, investigative agencies.6
This raises a complex set of questions for IGG practitioners. What happens when genealogical data originally uploaded for personal curiosity becomes embedded in a criminal investigation? What obligations do we have to those who never consented to being part of the forensic dragnet, yet become implicated by association? Equally worrying is the potential loss of data access altogether. For all its flaws, 23andMe maintained an infrastructure that allowed researchers and customers to engage with its datasets. If the company shutters entirely or fragments under new ownership, the data may disappear into proprietary silos, no longer accessible even to those who contributed it.
For forensic genealogists, this poses both a practical and an ethical dilemma. The tools developed over the past decade have been powerful precisely because they were participatory. People chose to upload their data, share their family trees, contribute to research. But if the foundational companies crumble and the data is sold, siloed, or misused, the entire social contract that made IGG feasible begins to fall apart.
Regulatory Silence
There is no coherent federal framework in the United States for governing consumer DNA data. The Genetic Information Nondiscrimination Act (GINA) protects against certain forms of discrimination by health insurers and employers. But it does not restrict life insurers, disability carriers, or data brokers. It does not cover data breaches. And it does not meaningfully constrain what companies like 23andMe or any future acquirer can do with your genome.
Some states, like California and Florida, offer additional protections, including the right to delete genetic data. But enforcement is patchy. In practice, very few consumers fully understand what rights they have (or lack). And companies are not required to explain the implications of data use in terms most people can grasp. Moreover, even when users attempt to delete their data, the results may be limited. Anonymized datasets cannot easily be scrubbed of individual entries. Once incorporated into an aggregated genome-wide association study or drug development pipeline, the data is effectively permanent. The consumer’s ability to withdraw becomes symbolic at best.
The Ethical Legacy
What the fall of 23andMe lays bare is not just the fragility of its business model, but the inadequacy of the ethical foundations on which the consumer genomics industry was built. The promise was always more emotional than scientific. It offered people a sense of connection, insight, even destiny. In reality, the science was limited, the privacy protections thin, and the incentives skewed toward monetization.7
Worse, it relied on a kind of ethical sleight of hand. Customers were told they were in control of their data.8 They were given opt-in checkboxes, dropdown menus, and cheerful email reminders about surveys. But the asymmetry of knowledge was vast. Most had no way of understanding what they were really consenting to.9
In forensic science, we are often asked to navigate that same asymmetry, between what is technically legal and what is ethically defensible. The use of consumer DNA in criminal investigations may be lawful, but it must also be just. It must consider the rights of those who did not volunteer, the communities most likely to be surveilled, and the dangers of expanding forensic reach beyond democratic oversight.
After the Collapse
Whether 23andMe survives in any recognizable form is beside the point. The industry it helped to create is in crisis. Other companies may step in, but the public’s trust has been eroded, and the regulatory gaps are now too glaring to ignore.
For forensic professionals, this is a moment of reckoning. We must confront the downstream effects of relying on platforms that were never built for justice, only for profit. We must push for greater transparency, more stringent data protections, and public engagement about the risks and limits of genetic tools. Above all, we must resist the temptation to treat genetic information as just another forensic commodity. It is not. It is, in a very real sense, the most intimate form of evidence we will ever encounter.
And once it's in someone else’s hands, there's no getting it back.10
Nor does it jump over the credits and credit scenes to promote the next show you probably don’t want to watch because the algorithm is a bunch of dopey code that doesn’t really understand that, although you watched Love Actually once, it doesn’t mean you’re really, really into rom-coms, and that it should stop Jerry Maguire-ing me. Sorry. Pet peeve.
Although I’ve always said, screw lab safety—I want superpowers.
“Welcome to you” is so creepy-cringe, like ordering “Doppelgänger in a Box.”
[Me]: What did we get in the mail today, dear?
[Spouse]: You.
[Me]: *shudder*
Yet, still: Ouch.
There’s your t-shirt.
Remember those policies that can be re-written? Uh huh.
No, you’re not “12% Irish.” You share 12% of the genes of the people who submitted DNA from Ireland; it’s a reference population. The tests provide probabilistic insights into geographic ancestry, not a definitive lineage or racial classification. DNA tests can identify shared DNA segments with general geographic groups, but they don't reveal individual ancestry. DNA inheritance is not always predictable, and you might not inherit 50% of each parent's ancestral regions, especially with distant relatives. The accuracy of ancestry results is affected by the reference populations used by the testing companies. Different companies may use different reference populations, leading to variations in results. I could go on (trust me on that), but you get the point.
Hahahahaha-ahahahaha. Hahaha. *snif* Hehehe. Sigh.
NOBODY reads any of the “Terms and Conditions.” As John Oliver said, “If you want to do something evil, put it inside something boring. Apple could put the entire text of Mein Kampf inside the iTunes user agreement, and you'd just go agree, agree, agree - what? - agree, agree.”
Don’t spit in the tube. Wait—there’s your t-shirt!