Public Citizen Urges California AG to Investigate Former 23andMe CEO’s Acquisition of Company’s DNA Database
By J.B. Branch
Attorney General Robert Bonta
Office of the Attorney General
1300 “I” Street
Sacramento, CA 95814-2919
July 10, 2025
Dear Attorney General Bonta,
I am writing to urge the California Attorney General’s Office to launch a robust and immediate investigation into the proposed activities of TTAM Research Institute (“TTAM”), a “non-profit” founded and controlled by 23andMe’s former CEO, Anne Wojcicki, and the acquisition and management of a huge trove of private, consumer information. In a bizarre bankruptcy auction, the founder of 23andMe has “bought back” the company’s vast genetic data trove through a purportedly non-profit vehicle. The California Attorney General’s Office possesses ample authority to delve into the privacy and consumer protection issues implicated by TTAM’s planned operations under its mandate to protect consumers via California’s Genetic Information Privacy Act (“GIPA”).
I. Background: DNA Data Ownership From 23andMe to TTAM Research Institute
The saga of 23andMe has taken a truly bewildering turn. After years of financial instability, compounded by a massive 2023 data breach that compromised nearly 7 million customer accounts, 23andMe filed for Chapter 11 bankruptcy in March 2025. This move immediately raised red flags regarding the fate of the intimate biological information of millions of individuals.
While pharmaceutical giant Regeneron Pharmaceuticals initially emerged as the winning bidder, the narrative swiftly pivoted. Anne Wojcicki, 23andMe’s co-founder and former CEO, orchestrated a bid through her newly formed entity, TTAM. TTAM’s $305 million bid ultimately prevailed over Regeneron’s $256 million offer. In a sale approved by the bankruptcy court, 23andMe transferred its DNA database to TTAM. It is this transfer that is problematic and at immediate issue as it violates GIPA.
II. The Transaction Fails to Provide Meaningful Reconsent (Cal. Civ. Code § 56.18)
TTAM’s acquisition of 23andMe’s DNA database appears to violate California’s Genetic Information Privacy Act (“GIPA”). GIPA is designed to safeguard the autonomy and privacy of consumers, particularly in the context of sensitive genetic information. The sale of such data to a new entity, one that consumers did not directly engage with and did not authorize to receive their genetic information, runs afoul of these statutory protections.
First and foremost, GIPA requires “separate and express consent” for each transfer or disclosure of genetic data. While it is true that 23andMe users agreed to service terms that contemplated the disclosure of their DNA data in the event of a merger, acquisition, or bankruptcy proceeding, that is irrelevant under GIPA. The spirit by which GIPA is written stands for the premise that consent is not a one-time transaction. On the contrary, GIPA demands that consent be reaffirmed to account for the evolving nature of businesses and their purposes, thereby providing consumer autonomy over their genetic material.
A user may have trusted 23andMe’s mission, but this trust cannot be said to extend to TTAM, whose incentives, operational practices, and overall objective are entirely unknown, regardless of whether TTAM claims to abide by the same privacy standards as 23andMe. Indeed, GIPA’s language accounts for this. The law states that, “express consent cannot be inferred from inaction” (emphasis added). In other words, 23andMe must show that consumers made an intentional decision to allow their sensitive information to be shared with TTAM. The process by which TTAM acquired 23andMe’s DNA database did not afford Californians the opportunity to opt out or consent, which is in direct violation of GIPA’s transfer requirements. Without this explicit authorization, the transfer fails to meet the threshold of informed, affirmative consumer re-consent contemplated under GIPA.
The sale of Californians’ genetic data without renewed consent undermines the rights GIPA was enacted to protect. It strips individuals of agency over their most personal and immutable information, their DNA, and hands control of that information to a new entity without their meaningful consent. This is not merely a technical violation of a statute. It is a breach of trust that violates the spirit – and, it appears, the letter – of GIPA. The law exists to empower consumers to control how their genetic data is used, not to facilitate its commodification in acquisitions.
In sum, the transfer of genetic data from 23andMe to TTAM, without affirmative authorization, appears to violate GIPA. It reflects a troubling trend of undermining consumer autonomy and commercializing deeply personal information without adequate safeguards.
III. Affirmative Steps the California Department of Justice Must Take
This situation demands decisive action from the California Department of Justice. We urge you to:
- Launch a Comprehensive Investigation: Immediately initiate a formal investigation into TTAM Research Institute’s acquisition of the genetic database and the consumer protection concerns related to data transfer, privacy, and re-consent.
- Mandate Affirmative Re-Consent for DNA Data Use: The Attorney General must continue to defend the underlying principle of GIPA, which establishes that in cases involving genetic data transfer, affirmative re-consent is required from California consumers whose data is held. “Click-through” agreements from years past are insufficient regardless of previously agreed-to terms when GIPA specifically requires re-consent for each DNA data transfer.
The California Department of Justice has the authority and responsibility to act. By doing so, it can affirm a powerful principle: that our genetic code is worthy of the utmost protection and that transactions involving genetic information are not exempt from legal scrutiny. Personally identifiable information as personal as our DNA is not merely a commodity to be shuffled around as property to any corporation—“nonprofit” or otherwise. GIPA’s re-consent requirement was no technicality. It was a moral and legal safeguard, recognizing that DNA is not just data but identity. We urge you to uphold the standard that, no matter the branding, transfers of sensitive data such as DNA require re-consent at each occurrence.
Respectfully submitted,
J.B. Branch
Technology Policy Advocate
Public Citizen
jbranch@citizen.org