31 March 2025

23andMe's Bankruptcy Doesn't Mean Genetic Data Will Be Improperly Disclosed

Foley Hoag LLP

Contributor


The chapter 11 bankruptcy cases of 23andMe Holding Co. and its affiliated debtors (collectively, "23andMe"), the company that provides direct-to-consumer genetic testing and ancestry services, have prompted a wave of panicked advisories from government officials and "experts" telling consumers to delete their personal information held by 23andMe. While the bankruptcy and proposed auction to sell 23andMe assets (including its customers' genetic information) bring some uncertainty, it is important to keep in mind the substantial safeguards consumers will have for their personal information based on the U.S. Bankruptcy Code and certain federal and state laws.

A Business Built on Consumer Data

Through its at-home saliva collection kits, 23andMe was an early leader in direct-to-consumer genetic testing that gave people access to information about their ancestry, genetic traits, and health risks through its Personal Genome Service offerings. According to its bankruptcy filings, the company developed one of the world's largest platforms for genetic research with data obtained from more than 15 million customers, which facilitated the development of new drugs through collaborations with universities, research institutions, and pharmaceutical companies. 23andMe also operates Lemonaid Health, a telehealth platform providing remote healthcare and pharmacy services, and one of the dozen 23andMe debtor entities in bankruptcy.

23andMe states that it collects a variety of personal information from its customers, primarily through its genetic testing services, including:

  • Genetic information (DNA data obtained from saliva samples);
  • Phenotypic information (data provided by consenting customers about their traits, conditions, diseases, and other observable characteristics through online surveys and questionnaires); and
  • Personally identifiable information (personal details such as name, contact information, and payment information).

23andMe uses genetic and phenotypic data for creating personalized reports, research and development, and healthcare services. In its privacy policy, 23andMe asserts that personal genetic information will not be shared with employers, insurance companies, or public databases without explicit user consent and that it maintained security measures, including encryption and regular assessments, to safeguard sensitive information. 23andMe also represents that its users have control over their data, with the ability to change consents and delete their data at any time. As part of the chapter 11 cases, 23andMe reaffirmed that the bankruptcy filings will not change how the company stores, manages, or protects customer data.

Despite reaching a nearly $6 billion valuation after going public in 2021, 23andMe never turned a profit. To make matters worse, it suffered a significant cyber security incident in 2023, resulting in a wave of class actions that later settled for $30 million and other lawsuits and regulatory actions.

23andMe Seeks to Operate Until a Sale of its Business

23andMe plans to continue operating the business during the bankruptcy cases, while pursuing one or more court-approved sales of its assets. 23andMe claims, in its Customer FAQs issued in conjunction with its bankruptcy filing, that it "will look to secure a partner who shares in its commitment to customer data privacy" and, in the meantime, will continue providing its services and managing customer data in the ordinary course.

Bankruptcy Code Protections for 23andMe Consumer Data

While 23andMe is in chapter 11, customers of 23andMe should know that consumer data will be subject to various protections. The Bankruptcy Code protects "personally identifiable information" ("PII"), defined as information provided by an individual to the debtor in connection with obtaining a product or service primarily for personal, family, or household purposes, such as names, physical or electronic addresses, phone numbers, social security numbers, credit card accounts, birth date, birth or adoption certificate number, place of birth, or any other information of an identified individual that, if disclosed, may result in the contact or identification of such individual physically or electronically.

The Bankruptcy Code also safeguards the sale of PII in 23andMe's chapter 11 cases, by requiring that the sale of PII be "consistent with" its privacy policy in effect on the filing date, or that a consumer privacy ombudsman be appointed to ensure that the interests of the consumers are protected. Just days into 23andMe's bankruptcy, the United States Trustee – the public watchdog of the bankruptcy system – recommended appointment of a consumer privacy ombudsman during the initial Bankruptcy Court hearing.

While 23andMe is likely not a "health care business" as defined under the Bankruptcy Code, and therefore not subject to the Code's record retention and destruction requirements, 23andMe can nevertheless seek court permission to establish similar procedures, as was established in the chapter 11 case of digital health company Pear Therapeutics.

Other Federal and State Laws Protecting 23andMe Customers

Because 23andMe provides direct-to-consumer genetic testing and is not a healthcare provider or insurer, federal privacy laws that regulate genetic information – such as the Health Insurance Portability and Accountability Act ("HIPAA") and the Genetic Information Nondiscrimination Act ("GINA") – do not apply. However, 23andMe and any purchaser of its assets must abide by various federal and state laws relating to the collection, storage, sharing, use, disclosure, processing, transferring, privacy, and security of genetic data and other identifiable personal information including:

  • The Federal Trade Commission Act, which prohibits unfair or deceptive practices that harm consumers, including the misuse of their genetic data;
  • The California Consumer Privacy Act as amended by the California Privacy Rights Act, which grants California consumers the right to access, delete, opt out of, correct, and limit the use of their personal information, including genetic data, and the California Genetic Information Privacy Act ("GIPA"), which gives California consumers the right to delete their genetic data and revoke their consent for its collection, use, and disclosure by genetic testing companies; and
  • At least 10 other state genetic privacy laws in states where 23andMe customers reside.

The Federal Trade Commission plays a crucial role in protecting consumer privacy, especially in cases involving the sale or transfer of personal information during bankruptcy cases. The FTC has a history of intervening in such cases to ensure that consumer data is handled in accordance with privacy policies made by the original data collectors.

For example, in the bankruptcy case of RadioShack, noting that RadioShack had made extensive privacy promises to consumers, including commitments not to sell their information, the FTC recommended specific sale conditions to protect consumer data collected by RadioShack. The FTC recommended that: the data should not be sold as a standalone asset but should be bundled with other assets; any buyer should be in a substantially similar line of business and agree to adhere to RadioShack's original privacy policies; and any buyer should provide notice and obtain affirmative consent from consumers before using the data in ways that differ materially from the original promises.

Similarly, the FTC intervened in the bankruptcy case of XY Magazine and its associated website, XY.com. The FTC highlighted that XY had made explicit privacy promises, assuring subscribers that their sensitive personal information would never be shared with third parties. The FTC warned that any sale or transfer of this data would violate these privacy promises and could constitute a possible violation of the prohibition against "unfair or deceptive acts or practices" under the FTC Act. The FTC suggested that the data should be destroyed to prevent any potential misuse – and it was later destroyed, pursuant to a settlement agreement in that case.

Finally, the FTC also enforces the Health Breach Notification Rule, which requires certain businesses to notify consumers, the FTC, and, in some cases, the media, if there is a breach of unsecured identifiable health information. Given that 23andMe does not come within the reach of HIPAA, the Health Breach Notification Rule is particularly significant if there is another breach involving the genetic and health-related data collected by the company.

Takeaways

23andMe's bankruptcy creates some uncertainty for customers who have provided their genetic and personal information to the company, particularly where that information can be sold if the sale is "consistent with" 23andMe's privacy policy or approved by the Bankruptcy Court following appointment of a privacy ombudsman. But this data is not simply up for grabs. The Bankruptcy Courts are well-equipped to handle asset sales involving PII, and additional protections – both at the federal and state level – create guardrails for how that data can be stored, transferred, and used. Other companies with genetic data should watch the 23andMe case closely, given that the sale of PII and patient data sets is not an uncommon occurrence outside the context of a bankruptcy case.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
