Attorneys general from 27 states and the District of Columbia moved to appoint a consumer privacy ombudsman and security examiner in 23andMe Holding Co.'s bankruptcy, saying they’re concerned about the potential sale of sensitive data.
The personally identifiable and genetic data that the DNA testing company controls requires stringent safeguards, the attorneys general said in four separate requests filed Tuesday in the US Bankruptcy Court for the Eastern District of Missouri.
“Good intention will not protect this data,” they said in one of the Tuesday filings.
The company has faced heightened scrutiny from the Federal Trade Commission and several state attorneys general over its data and a proposed sale. 23andMe faced legal troubles related to a 2023 data breach in which a hack compromised information of about 7 million customers, including direct access to around 14,000 user accounts.
23andMe, which filed for bankruptcy in late March, previously said an ombudsman was unnecessary because the company has extensive privacy policies. Under bankruptcy law, companies can’t sell their consumers’ personally identifiable information unless the sale conforms to the firm’s privacy policies or until after an ombudsman is appointed.
The company recently asked the court to appoint an independent representative to assess the data security practices of potential buyers of its genetic database, which includes more than 15 million customers’ genetic and health data.
An independent ombudsman could address both consumer privacy concerns and “the security of the genomic and medical records as well as the physical human material that has been entrusted with the debtor,” the filing said.
“This is a watershed moment in bankruptcy—a moment when legal regulations have not kept pace with science, leaving millions of Americans dependent upon the protections and safeguards only this Court can enforce,” the attorneys general said.
23andMe has proposed a May 14 auction for the sale of its assets.
“The states are concerned not only about the protection of each and every consumer, but also every person who shares DNA with each consumer – along with their respective future generations,” the filing said.
The California attorney general noted in a Tuesday joinder that under its state privacy notice with the company, consumers have the right to opt out of the sale of their data, but 23andMe’s bidding procedures don’t account for that. The company has a “casual disregard” for its privacy notices for Washington, Colorado, Virginia, Utah and Connecticut residents as well, the filing said.
“Under Alaska law it is illegal—indeed, if done knowingly, a crime—for a person to transfer genetic data without the informed written consent of the person whose genes the data reflects,” the state said in a separate joinder.
The Justice Department’s bankruptcy watchdog, the US Trustee, and Texas also urged the court to appoint an independent ombudsman last week.
The company this week asked the court to block two Canadian class action suits over the data breach, saying the cases would disrupt its restructuring efforts and asset sale.
23andMe is represented by Paul Weiss Rifkind Wharton & Garrison LLP and Carmody MacDonald PC.
The case is 23andMe Holding Co., Bankr. E.D. Mo., No. 25-40976, motion 4/15/25.
To contact the reporter on this story:
To contact the editor responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
Learn About Bloomberg Law
AI-powered legal analytics, workflow tools and premium legal & business news.
Already a subscriber?
Log in to keep reading or access research tools.