A bankruptcy judge’s signoff on 23andMe’s sale of genetic data exposes privacy law loopholes in a carefully structured deal and sets the stage for increased regulatory scrutiny.
Judge Brian C. Walsh of the US Bankruptcy Court for the Eastern District of Missouri on June 27 approved the 23andMe asset sale, dismissing concerns raised by a privacy ombudsman appointed by the court as well as objections from states to the transfer of data without explicit customer consent. The sale approval is poised to trigger heightened oversight from state regulators who have argued the transfer violates privacy laws.
The DNA testing firm’s March bankruptcy raised privacy concerns that were unusual for the court because of the sensitive nature of its data trove. It moved to sell its assets for $305 million to co-founder Anne Wojcicki and related nonprofit TTAM Research Institute via an equity transfer instead of a direct data transfer.
“Based on what was presented in court, it doesn’t seem like those privacy laws cover a change in ownership structure of the entity,” said Robert Lawless, a bankruptcy law professor at the University of Illinois Urbana-Champaign. “If outside of bankruptcy court, 23andMe just sold equity to somebody else, none of this would have applied.”
More than 30 states initially objected to the sale. Many resolved their concerns, but California, Kentucky, Tennessee, Texas, and Utah remain opposed.
California’s Department of Justice said Monday the sale approval “doesn’t comply” with its state law and that it’s “disappointed.” The agency is evaluating “next steps” to protect residents’ data.
“California has been a party to the 23andMe bankruptcy proceedings since day one,” the agency said. “We will continue to oppose any actions by the company and any purchaser of personal, sensitive data that are inconsistent with the requirements of California law.”
23andMe said it anticipates the sale will close around July 8.
Regulatory Scrutiny
States argued that data sales without a customer’s explicit consent is a violation of privacy rights.
A consumer privacy ombudsman also pushed for opt-in consent, saying he otherwise couldn’t conclude that the sale wouldn’t violate state privacy laws.
Some of the ombudsman’s recommendations “went beyond the bankruptcy courts’ limit,” Lawless said.
“The bankruptcy court is not there to impose all sorts of rules, but to allocate the property rights determined by nonbankruptcy law,” he said.
States could consider legal action, but an appeal of the sale order would be tough due to the benefit of bankruptcy protections.
Still, Lee Merreot, a privacy partner at the Beckage Firm, said there’s a “risk that California or another State Attorney General may file some action against TTAM for not getting that consent, whether it’s really explicitly required or not.”
The four other objecting states said their laws restrict genetic data transfers to any “person,” a term they said covers entities. California’s statute regulates transfers to a “third party.”
Walsh said those terms weren’t uniformly defined in the states’ statutes, and even if they were, they couldn’t be interpreted to require genetic-testing companies to obtain express consent for any possible transfer or disclosure.
A spokesperson in the Utah’s Attorney General Office said Monday that the approval “isn’t the result wanted” but it would “remain dedicated” to safeguarding residents’ privacy rights.
In addition to fighting the sale in court, states could put increased pressure on the buyer, said Jordan Cohen, a health-care partner at Akerman LLP.
“It looks like we’re getting close to the end of the story of whether the transaction is going to close, but definitely not in terms of the privacy-related aspects of this,” he said. “I imagine there’ll be some pretty rigorous oversight from state regulators over this.”
The Federal Trade Commission also warned earlier this year that the transfer had to follow applicable laws and 23andMe’s terms of use and public representations.
“The FTC may well seek to monitor compliance with prior privacy promises made to customers,” said Lisa Sotto, chair of Hunton Andrews Kurth LLP’s global privacy and cyber practice.
The FTC declined to comment.
Sale Structure
The proposed transaction involves transferring 23andMe assets, including genetic and other personally identifiable information, to a subsidiary referred to as Newco, which would then sell the assets to TTAM.
Walsh rejected arguments that Newco is a third party and ruled that, as a subsidiary, it doesn’t require separate customer consent.
“If we cut through the formalities, this transaction will result in Ms. Wojcicki’s repurchase of a business that she co-founded and ran for years,” Walsh wrote in the June 27 opinion. “And she will improve privacy practices while honoring customers’ rights to delete their accounts and data.”
The judge said 23andMe’s fallback option is to confirm a plan through Chapter 11, through which TTAM would become the company’s owner.
While that alternative could sidestep certain legal objections by avoiding customer data transfer, it would take longer and cost an additional $20 million without providing added privacy benefits, he wrote.
Privacy Commitments
TTAM committed to protect customers’ privacy, including by not sharing personal data with insurance companies, offering two years of identity-theft monitoring, and sending an additional email notice to customers about TTAM’s privacy practices.
23andMe notified customers on June 30 of the sale approval and TTAM’s privacy obligations. It also indicated that consumers would still be able to delete their accounts and data.
About 1.9 million customers deleted their accounts since the beginning of the bankruptcy proceedings, according to the order.
The nonprofit also committed to comply with laws, even if its status awarded it exemptions under several state privacy statutes.
What TTAM does with the data next will be closely watched—and serves as a warning to other companies with swaths of sensitive customer information.
TTAM didn’t immediately respond to a request for comment.
“It’s good reminder for companies who have sensitive data like this to be able to have clear and transparent privacy notices,” Merreot of the Beckage Firm said."So their users know that they’re collecting the sensitive data in the first place and why they’re using it, who they’re sharing it with.”
To contact the reporters on this story:
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.