10 Questions Congress Has for 23andMe Amid Its Bankruptcy Sale

The House Committee on Energy and Commerce has a few questions for 23andMe.

Reps. Brett Guthrie, Gus M. Bilirakis, and Gary Palmer sent a letter to the biotech company’s interim CEO, Joe Selsavage, on April 17. The committee said it has launched an investigation into 23andMe’s decision to file for Chapter 11 bankruptcy and “the ramifications that process could have on the highly sensitive information of millions of Americans.”

“With the lack of a federal comprehensive data privacy and security law, we write to express our great concern about the safety of Americans’ most sensitive personal information,” the congressmen wrote.

23andMe initiated voluntary Chapter 11 proceedings in March after axing over 200 employees and shutting down its therapeutics division last November. The company weathered several storms in recent years, including when hackers accessed the personal data of almost 7 million users in 2023, resulting in a $30 million settlement agreement with affected individuals.

More recently, 23andMe shared details about the court-approved sale process, saying all potential buyers must comply with its privacy policy and any applicable laws.

A 23andMe representative referred BI to an April 18 press release that shared more details about the potential sale.

Among the stipulations, the company said potential bidders must provide “detailed descriptions of their intended use of any purchased customer data, outline the privacy programs and security controls they have in place or would implement, and disclose whether any modification of existing privacy policies would be requested — as any changes must be made in accordance with the terms of the Company’s privacy policies and applicable law.”

A representative for the House Committee on Energy and Commerce said 23andMe has a May 1 deadline to respond to the following questions.

1. If 23andMe were to sell the personal information of its customers either as a standalone asset or as part of a broader sale of the company, what post-sale data privacy and security protections would be in place for its customers’ personal information?
2. Please describe how the representations made in 23andMe’s privacy statement will continue to apply—and be enforced—if the personal information of 23andMe’s customers is sold to a third party. Please include in this response information about what, if anything, would hold a third-party buyer to 23andMe’s privacy statement or prevent it from subsequently using, transferring, or otherwise selling, such information in the future.
3. Does 23andMe plan to change its privacy statement at any time prior to selling any customers’ personal information? If so, please explain the change 23andMe plans to implement and when those changes will go into effect.
4. Does 23andMe intend to vet prospective buyers to which it may sell its customers’ personal information? If so, please detail the vetting process and whether it will include the prospective buyer’s history of implementing data security protections and compliance with sectoral, state, or any other data privacy and security laws. If not, please explain why.
5. Please detail the categories of customer information 23andMe has, and of that what 23andMe is considering selling.
6. Has 23andMe notified its customers of the company’s bankruptcy announcement? If so, please attach the customer notification. If not, please explain why.
7. Has 23andMe provided its customers with a guide for how to delete, or request to delete any information currently in 23andMe’s possession? If so, please provide a copy of that guide and specify when it was provided to customers. If not, please explain why, and explain whether 23andMe will contact each of its customers and provide an opportunity to delete their personal information prior to a potential sale of the company or personal information maintained by the company.
8. Please detail the number of requests 23andMe received from its customers to delete their personal information between when 23andMe filed for bankruptcy and the date of the response to this letter. Of those requests, please provide a breakdown of how many requests were made by customers through their 23andMe online accounts and how many were made via customer service calls because customers were unable to successfully delete their information through their online accounts. Of those requests, please detail the number of fulfilled requests.
9. Will 23andMe offer for sale any information in which a customer has requested the deletion of such information? If so, does 23andMe’s privacy policy consider selling information a legitimate purpose for retaining information past a customer’s request to delete their information?
10. Will 23andMe deidentify its customers’ personal information prior to selling it or the company? If so, please detail which information will be deidentified. If not, please explain why the company is electing not to deidentify information.