Before the 23andMe even announced its plans to file for bankruptcy on March 23, 2025, California attorney general Rob Bonta issued a consumer alert encouraging residents of the state to direct the company to delete their data and destroy any samples of genetic material it holds. Since then, similar warnings have been issued by attorneys general in Massachusetts, Alabama and other states.
Bracewell’s Lucy Porter told Agenda that “[i]t’s the first time we’ve seen somebody come out and remind their residents that, ‘Hey, you have rights.'” Porter went on to explain, “I think part of what’s making people anxious is, because it’s a bankruptcy and not just a sale, they don’t know who the new owner is.”
Now, the bankruptcy and the crisis it triggered for the company mark a convergence point, Porter said: companies and consumers are fully realizing the power of their data and are grappling with its risks. Maximizing the value of data while minimizing risk from it means prioritizing what she calls “data maturity.”
Board directors should press management on understanding what kinds of data the company collects and what its value is, to the company itself as well as to its customers and other stakeholders, Porter said. They should also consider what would happen if, as happened at 23andMe, a large number of consumers were to act on their privacy rights at once and how they would maintain their customers’ trust if the company restructured.
“More people are aware of, ‘Maybe I don’t want folks to have my data.’ At the same time, especially with the rise of AI, companies are like, ‘Wait, I can use that data,'” Porter said. “It’s going to become more valuable, which makes it more risky.”
