The start of 23andMe Holding Co.'s closely watched bankruptcy proceedings offers customers a troubling reminder of their rights under US privacy laws: any future buyer of the trove of genetic data will largely have the last say on how they use it.
After the genetic testing firm filed for bankruptcy March 23, several state attorneys general advised residents to quickly ask 23andMe to delete their DNA-related information and withdraw their consent. 23andMe has proposed a May 14 auction to sell its assets, which include the genetic data of more than 15 million customers.
The company has pledgedto uphold the commitments of its privacy notice and maintains any buyer will be required to comply with privacy laws. Yet, while the legality of the sale of genetic data will be closely monitored during bankruptcy proceedings, potential purchasers will have discretion in deciding how they want to use the data.
That’s because the patchwork of state data privacy laws means protections vary heavily from state to state, and genetic testing offerings like 23andMe’s services largely fall outside the scope of federal health laws like the Health Insurance Portability and Accountability Act.
“The reality is it’s the Wild West,” said Collin R. Walke, leader of Hall Estill’s cybersecurity and data privacy practice.
That doesn’t mean whoever buys 23andMe’s assets won’t be scrutinized for how they handle a genetic data trove that includes ancestry reports, ancestors’ birth locations and family names, and geographic location, among other information.
“There is precedent for a federal agency like the FTC to take a closer look at the transfer of sensitive personal data in bankruptcy proceedings or in transactions generally,” said Duane C. Pozza, co-chair of Wiley Rein LLP’s privacy, cyber, and data governance practice and a former agency official.
Whether the FTC will choose to step in is unclear as its change in leadership and the Trump administration’s anti-regulatory tone may shift its enforcement priorities. An agency spokesperson declined to comment.
State Laws
Privacy requirements applying to a potential buyer of 23andMe data are both scattershot and dependent on 23andMe’s original privacy terms.
Individuals have little protection over their genetic data at the federal level once they’ve agreed to give it away, according to Sara Gerke, a law professor at University of Illinois Urbana-Champaign.
Existing federal privacy laws like HIPAA and GINA (Genetic Information Nondiscrimination Act) are focused on health care and don’t fully cover direct-to-consumer genetic testing companies like 23andMe, said Gerke, who recently collaborated on a paper on issues that could arise in a 23andMe bankruptcy.
In the absence of robust federal protections, individual data rights largely depend on state laws. But state-level protections vary significantly. Illinois, under its Genetic Information Privacy Act, explicitly requires written consent for the transfer of genetic data. Virginia’s genetic data privacy law requires genetic testing companies to obtain “express consent” about the collection, use, maintenance, or disclosure of genetic data. Many other states don’t have privacy requirements specific to genetic data—or comprehensive privacy laws.
The bankruptcy system offers some safeguards and oversight. Along with being a court-overseen process, a consumer privacy ombudsman can be appointed to ensure compliance with a debtor’s privacy policy—in this case, 23andMe’s—and any applicable laws.
“The California attorney general and any other attorney general can monitor what’s going on in the bankruptcy, and if they see anything happening that’s of concern, they can jump in, object to the sale,” said Laura Coordes, an Arizona State University professor of law who focuses on bankruptcy-related issues.
Whether they will “is a different question,” Coordes said.
And protections available in bankruptcy court aren’t foolproof. Ombudsmen can only offer recommendations to the court, and can’t issue any binding requirements. Their appointment is also optional if the sale appears to be consistent with a debtor’s privacy policy.
“A lot is going to depend on what that sale ultimately looks like,” Coordes said.
When Bankruptcy Oversight Ends
The bankruptcy court’s oversight of the sale of 23andMe’s genetic data will end when the sale is accomplished. Then regulators and the plaintiffs bar will likely take over and monitor a future buyer’s use of the data.
“Once that sale happens and that buyer has those assets, in theory at least, the buyer could change the privacy policy, and that’s where there isn’t going to be a bankruptcy court or any court looking over the buyer’s shoulder,” Coordes said.
She added, “It’s really down to the consumer to be aware.”
While buyers have some latitude to make changes to user agreements after a transfer of the company’s assets is completed—as long as it comports with laws— sensitive data carries some additional risk.
“Regulators will look closely” for material changes to the use of genetic data, Pozza said, including how purchasers will disclose new uses to consumers and seek to obtain consent, and issue enforcement actions if needed.
He pointed to a 2010 bankruptcy case involving a teen magazine, during which the FTC warned that the sale of information about its subscribers—including their age and sexual orientation—could run afoul of privacy statements made to original customers, potentially violating the FTC’s prohibition against unfair or deceptive acts or practices. It asked for the data to be deleted.
“A lot of this comes down to what privacy protections are available in the first place,” Coordes said.
She added, “it’s not the case that, a company files for bankruptcy and all the privacy protections go out the window, that’s not it at all. Instead, those privacy protections sort of set the baseline for how actions are scrutinized going forward—or not scrutinized.”
Which buyer throws their hat in the auction will also be closely watched—especially as sensitive data has been leveraged for many generative AI use cases, including the generation of deepfakes and other synthetic media.
There are “huge real world implications on who buys,” Walke noted. It “absolutely matters, especially in the age of AI.”
To contact the reporters on this story:
To contact the editor responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.