
Will 23andMe sell your DNA data? Pennsylvania’s attorney general joins a lawsuit to prevent that.

Attorney General Dave Sunday has joined a lawsuit seeking to require 23andMe to obtain "expressed, informed, affirmative consent" from customers before their data is sold following its bankruptcy.

23andMe headquarters in Sunnyvale, Calif. (David Paul Morris / Bloomberg)

Pennsylvania Attorney General Dave Sunday has joined a lawsuit filed by 27 states and the District of Columbia to prevent 23andMe, a popular DNA testing company that helps determine ancestry information, from selling consumer data as part of its bankruptcy proceedings.

The lawsuit says the California-based genomics biotech company is proposing to sell an “unprecedented compilation of highly sensitive and immutable personal data: a human being’s permanent and everlasting genetic identity.”

The risk of a data transfer is too great, the complaint says, as DNA data are unique to an individual and can be used to identify relatives — past and future. And genomic data live forever, even after a person dies.

“If stolen or misused, it cannot be changed or replaced,” the complaint says.

The state attorneys general ask a federal judge in Missouri, where bankruptcy proceedings are underway, to issue a declaratory judgment to prevent the transfer of the data to any third party as part of a sale unless 23andMe receives “expressed, informed, affirmative consent” from customers.


“The millions of consumers — including many Pennsylvanians — who paid for these services certainly did not expect their sensitive data to one day be sold off to a highest bidder,” Sunday said in a statement.

A 23andMe spokesperson said in a statement that the sale of the data is permitted under bankruptcy law and the company’s privacy policies.

The company declared bankruptcy in March, which according to its website does not mean that it is going out of business. Instead, the company is looking for a buyer to continue its operations.

There are two remaining bidders committed to abiding by 23andMe privacy policies, the spokesperson said.

“We required any bidder to adopt our policies and comply with applicable law as a condition to participating in our sales process,” the 23andMe spokesperson said. “Customers will continue to have the same rights and protections in the hands of the winning bidder.”

The maker of the popular home DNA testing kits was founded in 2006 and in 2021 was worth $6 billion. The company’s value plummeted in recent years, and one of the current bids for purchase is for $256 million by Regeneron Pharmaceuticals, a New York-based drug developer.

A sale hearing for 23andMe is scheduled for Tuesday. The deadline for consumers to file a proof of claim in the bankruptcy case is July 14.


How do I delete my 23andMe data?

23andMe’s database has genetic data on more than 15 million people, according to the lawsuit.

In 2023, hackers breached the company’s data, potentially affecting 6.9 million people, a 23andMe spokesperson said at the time.

The ability to cross-reference large amounts of DNA data has led in recent years to people finding unknown relatives and uncovering biological parents, as well as solving decades-old crimes.

Sunday said in his statement that he encourages 23andMe customers to delete their data from the company’s database.

To do so, customers should go to the 23andMe Data section in their account settings, according to the company’s website. That allows customers to remove the majority of their personal information, though 23andMe says it is required to retain some data to comply with legal obligations.

Deleting your account will also permanently delete the data associated with all profiles within it.

After a request to delete your account is submitted, 23andMe will send you an email with its account-deletion policy that requests confirmation.

“Keep in mind, once you confirm your request to delete your Personal Information, it cannot be canceled, undone, withdrawn, or reversed,” the company’s website says.