California Attorney General Rob Bonta filed suit in Oakland against Chrome Holding Co., the company formerly known as 23andMe, alleging failures to safeguard customers’ sensitive information. The action, announced today, centers on data protection practices tied to genetic and personal profiles. The case could test how state privacy rules apply to consumer genetics firms and other companies handling intimate data.
The filing comes after a high-profile security incident last year involving user accounts connected to 23andMe. Investigators said attackers used stolen passwords from other sites to access profiles. The incident sparked concern over exposure of ancestry details and other personal information.
What the Lawsuit Says
“California Attorney General Rob Bonta today filed a lawsuit against Chrome Holding Co., formerly known as 23andMe, for failing to protect its customers’ sensitive personal information.”
According to the announcement, the state claims the company did not do enough to prevent unauthorized access to customer data. The complaint is expected to cite California’s privacy and consumer protection laws, arguing that a firm collecting genetic and personal records must apply strong safeguards and notify users promptly when risks arise.
While the legal filing was not immediately available in full, such cases often focus on security controls, password policies, multi-factor authentication, and data retention practices. The suit signals growing scrutiny of companies that encourage users to link family trees or share profile information with relatives.
Background on the Security Incident
In late 2023, user profiles linked to ancestry and relative-matching features appeared on illicit forums. Public updates from the company at the time said attackers relied on reused passwords obtained elsewhere, a tactic known as credential stuffing. The company said its core systems were not directly breached but that attackers accessed accounts where users had weak or duplicated logins.
The exposure fueled debate over whether consumer genetics services should limit profile visibility by default and require stronger authentication. Privacy advocates warned that even partial records—such as genealogical links or heritage data—can be sensitive when aggregated.
California’s Privacy and Security Standards
California has some of the toughest privacy laws in the country. The California Consumer Privacy Act and its amendment, the California Privacy Rights Act, require clear disclosures, reasonable security, and avenues for consumers to access and delete data. The state has also enforced rules on tracking and sale of personal information.
The Attorney General’s office has pursued enforcement actions in recent years, signaling that companies must align their practices with state standards. Cases typically examine whether firms took reasonable steps to protect data, whether they limited unnecessary collection, and how quickly they notified affected users.
- Reasonable security controls and authentication are central to compliance.
- Clear consumer choice and consent are required for sensitive data.
- Timely and accurate notices are expected after security incidents.
Company Perspective and Industry Impact
Chrome Holding Co. has previously emphasized account security features and urged customers to enable multi-factor authentication. The company’s public statements after last year’s incident pointed to industry-wide risks from password reuse. Consumer groups, however, have pressed for stronger defaults and stricter sharing rules for genetic data.
The case could influence practices across the direct-to-consumer genetics market. Firms may face pressure to adopt account lockouts, adaptive risk checks, and privacy-by-default settings for family matching. Vendors that store sensitive attributes—health, biometrics, or location—will be watching for signals on what regulators consider “reasonable” protections.
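Credential stuffing, as described in the incident background above, leaves a recognizable trace in authentication logs: one source trying many different usernames with a high failure rate, and the occasional success where a password was reused. The following Python is an added illustration, not code from the article or the company, showing how a defender could flag such sources and list the accounts whose successful logins came from them so they can be locked or forced through multi-factor authentication. The log format and every value in it are constructed for the example; the thresholds are assumptions to be tuned per deployment.

```python
from collections import defaultdict

# Constructed sample authentication log: "timestamp source_ip username outcome".
# The addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
2023-10-01T10:00:01 203.0.113.7 alice FAIL
2023-10-01T10:00:02 203.0.113.7 bob FAIL
2023-10-01T10:00:03 203.0.113.7 carol OK
2023-10-01T10:00:04 203.0.113.7 dave FAIL
2023-10-01T10:00:05 203.0.113.7 erin FAIL
2023-10-01T10:00:06 203.0.113.7 frank OK
2023-10-01T10:05:00 198.51.100.4 alice FAIL
2023-10-01T10:05:30 198.51.100.4 alice OK
"""

def parse_log(text):
    """Turn the constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"})
    return events

def flag_stuffing_sources(events, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that spray many distinct usernames and mostly fail.

    A normal user retrying one account (198.51.100.4 below) is not flagged;
    a source cycling through many accounts (203.0.113.7) is.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["users"].add(e["user"])
        stats["attempts"] += 1
        if not e["ok"]:
            stats["fails"] += 1
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["fails"] / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]),
                           "fail_ratio": round(ratio, 2)}
    return flagged

def accounts_to_review(events, flagged_ips):
    """Accounts successfully logged into from a flagged source: candidates
    for session revocation, a forced password reset and MFA enrollment."""
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged_ips})
```

Run over the sample, the first source is flagged (6 distinct users, 4 of 6 attempts failed) and carol and frank are returned for review; the retrying single user is left alone.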
What Consumers Should Know
Experts recommend enabling multi-factor authentication, using unique passphrases, and reviewing sharing settings on family and ancestry features. Consumers can also limit third-party data links and periodically download and delete data they no longer need.
Regulators argue that strong personal habits help, but the legal duty rests with companies to provide secure systems and default settings that reduce exposure.
What Comes Next
The lawsuit will proceed in state court, with early motions likely focused on which laws apply and how to measure harm. Discovery could reveal internal security reviews, incident timelines, and decisions about default privacy settings. Any settlement or judgment may include fines, independent assessments, and changes to product design.
For now, the action signals that state authorities plan to apply privacy law to genetic data with special care. Companies handling sensitive records should expect tighter oversight of authentication, data minimization, and user controls. Consumers should watch for updates on account protections and any steps they may need to take.
The outcome could shape how consumer genetics firms manage profiles, match relatives, and share information by default. It may also set a wider bar for handling sensitive data across industries that rely on personal records.
Deanna Ritchie is a managing editor at DevX. She has a degree in English Literature. She has written 2000+ articles on getting out of debt and mastering your finances. She has edited over 60,000 articles in her life. She has a passion for helping writers inspire others through their words. Deanna has also been an editor at Entrepreneur Magazine and ReadWrite.