Your 23andMe DNA Is Up for Sale: Here’s How to Protect It Before It’s Too Late

If you’ve ever submitted your DNA to 23andMe, now is the time to act. The company has filed for bankruptcy, and buried deep in their user agreement is a disturbing clause: they can sell your genetic data to whoever offers the highest bid. And that’s not a hypothetical—at one point, a major pharmaceutical company was the highest bidder for millions of profiles. Your DNA, including markers for disease risk, ancestry, and physical traits, could soon belong to corporations, insurers, or even foreign governments—all without your explicit consent.

Here’s the problem: HIPAA doesn’t apply. Genetic testing companies like 23andMe aren’t bound by the same privacy protections as your doctor’s office. That means your most intimate biological data—your blueprint—can be sold off with fewer restrictions than your medical records from a routine check-up. Imagine a world where insurers hike your rates based on a gene you didn’t know you had. Or a world where governments use inherited markers to surveil or discriminate. That world is a lot closer than you think.

But you still have a window to protect yourself. The good news? You can download your data and delete your account before it changes hands. This includes requesting that your physical DNA sample be destroyed. Here is a step-by-step guide:

To completely delete your data:

1. Return to settings: If you’re still on the data download page from the previous steps, you can skip to step three. Otherwise, click your username, then click “Settings.”
2. Navigate to data management: Scroll down to the bottom where it says “23andMe Data” and click “View.”
3. Initiate permanent deletion: Scroll down to the bottom of this page and click “Permanently Delete Data.” This will begin the irreversible process of removing all your genetic information from 23andMe’s systems.
4. Confirm via email: You should receive a message stating that 23andMe received your deletion request, but you need to confirm it by clicking a verification link sent to your email address. This two-step process is designed to prevent accidental deletions.
5. Complete the deletion process: Head to the email account associated with your 23andMe account to find the email titled “23andMe Delete Account Request.” Click the “Permanently Delete All Records” button at the bottom of the email. You will be taken to a confirmation page that states “Your data is being deleted.” You may need to log in again if you’ve logged out of your account.
6. Verify complete deletion: After completing these steps, you should receive a final confirmation email from 23andMe acknowledging that your data deletion request has been processed. Keep this email as documentation of your deletion request.
7. Follow up if necessary: If you don’t receive confirmation within a reasonable timeframe (typically 30 days), contact 23andMe customer service directly to ensure your deletion request was properly processed.

The implications of this go far beyond 23andMe. This moment is a wake-up call for every person who’s handed over their DNA to a private company. Even if you didn’t, a close relative might have—and your genetic data overlaps with theirs. Once it’s out there, it’s nearly impossible to reclaim.

The 23andMe bankruptcy shows us how vulnerable we really are when it comes to genetic privacy. So take control while you still can. Download your data. Delete your account. And demand that companies treat your DNA with the same respect as your identity—because that’s exactly what it is.

Concerned about how your team is handling security threats like this—and the dozens more we face every day? Let’s start the conversation. Reach out at events@sileo.com.