As a member of the International Association of Privacy Professionals (IAPP), I am closely following the recent announcement that Regeneron Pharmaceuticals has agreed to acquire 23andMe for $256 million through a bankruptcy auction. This acquisition raises significant data privacy concerns, particularly given 23andMe’s vast repository of genetic data from over 15 million customers. Below, I outline the key aspects of this deal, its implications for sensitive data, and recommendations for ensuring compliance with privacy obligations.
Overview of the Acquisition
On May 19, 2025, Regeneron announced its intent to purchase substantially all of 23andMe’s assets, including its Personal Genome Service, Total Health, Research Services, and biobank of genetic samples, following 23andMe’s Chapter 11 bankruptcy filing in March 2025. The deal, subject to approval by the U.S. Bankruptcy Court for the Eastern District of Missouri on June 17, 2025, aims to bolster Regeneron’s genomics-driven drug discovery capabilities. However, the transfer of 23andMe’s genetic data—a highly sensitive asset—has reignited scrutiny over data privacy, especially in light of 23andMe’s 2023 data breach affecting nearly 7 million customers and ongoing congressional investigations into its data handling practices.
Data Privacy Concerns With Regeneron
Genetic data is among the most sensitive categories of personal information, as it reveals intimate details about an individual’s health, ancestry, and predisposition to diseases. The acquisition amplifies several privacy risks:
1. Consent and Transparency: 23andMe’s privacy policy allows customers to consent to data use for research, but many users may not fully understand the scope of data sharing, as evidenced by a 2017-2018 survey showing that over 40% of customers were unaware of data-sharing practices. In an IAPP CIPT study session, the presenter used 23andMe’s privacy notice as an example of a well-written layered notice that addressed concerns about the sensitive data the company collects. Regeneron has pledged to honor 23andMe’s existing privacy policies and comply with applicable laws, but any changes to these policies post-acquisition could alter the scope of data use without explicit customer re-consent. We would love for Regeneron to see our Adaptive Privacy Notice, which would take their compliance to another tier and fully satisfy any worries from regulators or data subjects.
2. Data Security: The 2023 data breach exposed the vulnerability of 23andMe’s systems, leading to a $30 million settlement. While Regeneron has committed to maintaining security controls, the integration of 23andMe’s data into its systems introduces new risks, particularly if cybersecurity measures are not robust.
3. Regulatory Gaps: Direct-to-consumer genetic testing companies like 23andMe are not covered by the Health Insurance Portability and Accountability Act (HIPAA), relying instead on a patchwork of state laws and self-regulatory commitments. The absence of a comprehensive federal data privacy law heightens the risk of inconsistent protections. Congressional concerns, voiced in April 2025 by the House Committee on Energy and Commerce, underscore the potential for sensitive data to be compromised during asset sales.
4. Third-Party Oversight: The bankruptcy court has appointed an independent Consumer Privacy Ombudsman to assess the deal’s privacy implications, with a report due by June 10, 2025. This oversight is a positive step but limited in scope, focusing on compliance with existing policies rather than proactive risk mitigation.
Implications for Stakeholders
For 23andMe customers, the acquisition raises questions about their continued control over their genetic data. Regeneron’s commitment to allow data deletion upon request is reassuring, but practical challenges, such as reported difficulties in deleting accounts, could undermine this promise. For Regeneron, the acquisition offers a strategic advantage in drug development but comes with heightened legal and reputational risks if privacy obligations are not met. Regulators and advocacy groups, including the Federal Trade Commission (FTC), have emphasized that any buyer must maintain 23andMe’s privacy commitments, signaling close scrutiny.
Recommendations for Privacy Compliance
As a member of the IAPP, I advocate for a privacy-by-design approach to ensure the ethical handling of 23andMe’s genetic data during and after the acquisition. Below are actionable recommendations for Regeneron and stakeholders:
Data Privacy Recommendations for Regeneron’s Acquisition of 23andMe
1. Strengthen Consent Mechanisms
Action: Implement clear, granular consent processes that explicitly outline how genetic data will be used for research, drug development, or third-party sharing.
Rationale: Ensures compliance with principles of transparency and user autonomy under frameworks like the General Data Protection Regulation (GDPR) for EU customers and state laws like the California Consumer Privacy Act (CCPA).
Implementation: Update 23andMe’s privacy policy to include Regeneron-specific use cases and notify all customers, offering an opt-in mechanism for new data uses.
2. Enhance Data Security
Action: Conduct a comprehensive cybersecurity audit of 23andMe’s data infrastructure before integration and adopt industry-leading encryption and access controls.
Rationale: Mitigates risks of breaches, aligning with FTC expectations and consumer trust requirements.
Implementation: Engage third-party cybersecurity experts to validate controls and establish ongoing monitoring.
3. Collaborate with the Privacy Ombudsman
Action: Work proactively with the court-appointed Consumer Privacy Ombudsman to address concerns and incorporate recommendations into the acquisition plan.
Rationale: Demonstrates good faith and strengthens court approval prospects.
Implementation: Provide full transparency on data flows and security measures during the ombudsman’s review.
4. Facilitate Data Deletion
Action: Streamline the process for customers to delete their genetic data, ensuring accessibility and responsiveness.
Rationale: Addresses congressional concerns about deletion difficulties and complies with privacy laws granting data subject rights.
Implementation: Develop an automated, user-friendly deletion portal and confirm deletions within legally mandated timeframes.
5. Advocate for Regulatory Clarity
Action: Engage with policymakers to support a federal data privacy law that includes genetic data protections.
Rationale: Reduces compliance complexity and enhances consumer trust across jurisdictions.
Implementation: Partner with IAPP and other industry groups to provide expertise on genetic data privacy.
6. Maintain Public Transparency
Action: Publish regular updates on data handling practices and privacy commitments post-acquisition.
Rationale: Builds trust and aligns with IAPP’s emphasis on accountability.
Implementation: Issue a public report within six months of acquisition closure detailing compliance with privacy policies.
Regeneron’s Next Step for Data Privacy Compliance With 23andMe’s Data
Regeneron’s acquisition of 23andMe presents a pivotal moment for genetic data privacy. While the deal promises advancements in genomics-driven medicine, it also underscores the fragility of consumer trust in the absence of robust privacy protections. By adopting the above recommendations, Regeneron can navigate legal and ethical challenges, align with IAPP’s mission to advance responsible data practices, and set a precedent for handling sensitive genetic data. The bankruptcy court’s oversight and the ombudsman’s report will be critical in ensuring these commitments are upheld, but proactive measures by Regeneron are essential to safeguard the privacy of 23andMe’s 15 million customers.
We welcome the opportunity to help Regeneron on this tricky path forward.