23andMe, Inc. – €2,700,000 Fine (United Kingdom, 2025)

€2,700,000 | Information Commissioner's Office | 5 June 2025 | United Kingdom
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

23andMe, Inc. was fined £2,310,000 (about €2,700,000) after inadequate security measures allowed a cyberattack to compromise the personal data of more than 155,000 users in the UK. The case matters because it shows that a company holding especially sensitive data, such as DNA results, is expected to secure it to a correspondingly high standard, and that failing to do so can lead to a substantial penalty.

What happened

23andMe, Inc. failed to implement technical and organisational security measures adequate to the sensitivity of the data it processed. A cyberattack exploited that gap and resulted in a personal data breach.

Who was affected

155,592 UK-based users whose personal data was compromised in the breach.

What the authority found

The Information Commissioner's Office found that 23andMe did not take sufficient steps to secure personal data, in breach of the security requirements in Art. 5(1)(f) and Art. 32 GDPR.

Why this matters

This case shows that a controller processing highly sensitive data, such as genetic data, is expected to match its security measures to that sensitivity. It also confirms that a slow detection of the intrusion and inadequate reporting to the regulator both weigh against the controller when the fine is set, and that failing to protect sensitive user data can attract a significant penalty.

GDPR Articles Cited


Art. 32 GDPR
Art. 5(1)(f) GDPR

Source verified 5 March 2026 (verified correct)
Full Legal Summary

The UK data protection authority, the Information Commissioner's Office, imposed a fine of £2,310,000 (EUR 2,700,000) on 23andMe, Inc. The controller, a company offering DNA testing to private individuals, failed to implement sufficient technical and organisational measures to ensure data security, particularly given the sensitivity of the data it processed. As a result, a cyberattack led to a data breach affecting 155,592 UK-based users over a period of at least five months. The authority treated the controller's failure to detect the attack earlier and its failure to inform the authority adequately about the breach as aggravating factors.

Related Enforcement Actions (0)

No other enforcement actions found for 23andMe, Inc. in UK

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

5 June 2025

Authority

Information Commissioner's Office

Fine Amount

€2,700,000

Enforcement Tracker ID

ETid-2656

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. 23andMe, Inc. - United Kingdom (2025). Retrieved from cookiefines.eu
