In a significant follow-up to the recent developments covered in our previous article, Lessons from the 23andMe Bankruptcy: Strategic Insights for Founders and VCs, 23andMe is now facing a substantial legal challenge involving multiple states. This litigation underscores the importance of rigorous data privacy practices, particularly in handling sensitive consumer information.
Overview of the Lawsuit
In June 2025, twenty-seven U.S. states collectively filed an adversary proceeding in the U.S. Bankruptcy Court for the Eastern District of Missouri against 23andMe Holding Co. and its subsidiary, 23andMe, Inc. The states seek a declaratory judgment regarding 23andMe’s rights to consumer genetic data and other related personal information, arguing that the company lacks the authority to sell or transfer this highly sensitive data without explicit informed consent from its customers.
Central Issues of the Complaint
The lawsuit raises significant concerns around consumer rights and data privacy, notably:
- Ownership and Control of Data: The states assert that customers inherently retain ownership or control over their biological materials and genetic data, including genotype, phenotype, and family information.
- Consent Requirements: The lawsuit emphasizes the necessity for explicit, informed, affirmative consumer consent before genetic data can be transferred or sold, citing consumer protection and genetic privacy statutes from multiple jurisdictions.
- Privacy Policy Representations: States allege that 23andMe explicitly promised in its earlier privacy policies that genetic data would not be sold without clear customer consent, creating an expectation of privacy and control among consumers.
Legal and Strategic Implications for Founders and VCs
For startup founders and venture capital investors, this lawsuit highlights several critical takeaways:
- Rigorous Consent Protocols: Ensure explicit, clear, and documented consent protocols when handling sensitive personal data, especially genetic or health-related information.
- Transparent Communication: Maintain transparency with consumers regarding how their data is used, clearly specifying rights retained by the company and rights retained by the consumer.
- Robust Privacy Policies: Privacy policies should clearly define how consumer data will be used and protected, and these policies must be strictly adhered to in practice to avoid legal repercussions.
- Compliance Across Jurisdictions: Understand and comply with varying state laws on genetic and data privacy, recognizing that data privacy is governed at both state and federal levels and subject to differing regulatory requirements.
Potential Outcomes and Market Impact
The outcome of this litigation could establish significant precedents regarding data ownership and privacy rights in the context of corporate restructuring and asset sales. Companies dealing in sensitive personal data may face increased scrutiny and potential limitations in similar transactions, directly impacting valuation, investment attractiveness, and operational flexibility.
Lessons Learned and Moving Forward
Founders and investors should proactively audit data privacy practices and contractual frameworks to ensure compliance and minimize litigation risk. Given the evolving nature of data privacy regulations and consumer expectations, regular reviews and updates of privacy policies and practices are essential.
Final Thoughts
This landmark case against 23andMe reinforces the importance of handling sensitive consumer data with the utmost diligence and transparency. For founders and investors navigating similar challenges, ensuring robust, compliant data privacy practices is not merely prudent—it’s imperative.
At Veritas Global, we specialize in guiding technology firms and investors through complex regulatory landscapes, including critical issues around data privacy compliance. To understand how these developments might impact your business and to ensure your data practices meet regulatory standards, schedule a consultation with our team today.
