3 April 2025

Proposed 23andMe Bankruptcy Sale Raises Uncertainty Over Future Of Customer Information

Pryor Cashman LLP

Contributor

A premier, midsized law firm headquartered in New York City, Pryor Cashman boasts nearly 180 attorneys and offices in both Los Angeles and Miami. From every office, we are known for getting the job done right, and doing it with integrity, efficiency and élan.

On March 23, 2025, 23andMe, a well-known genetics and telehealth company, filed for Chapter 11 relief in the U.S. Bankruptcy Court for the Eastern District of Missouri. The company generates ancestry and health reports from genetic material derived from customer-provided saliva samples. Inflationary pressures, decline in demand, and increased competition were cited by the company as precipitating its bankruptcy. In addition, the company faced continued litigation and regulatory overhang due to a data breach in October 2023 that allegedly resulted in the disclosure of personal information, including names, profile photos, birth years and locations, family surnames, ethnicity estimates, external family tree links, and information related to mitochondrial DNA and Y-chromosome DNA, of nearly 7 million customers.

23andMe intends to use the Chapter 11 case to conduct a marketing and sale process that will result in the sale of substantially all of the company's assets, and the Bankruptcy Court has approved the company's proposal to select a stalking horse bid (i.e., a floor-setting bid that would remain subject to solicitation of further bids and an auction) by April 25, 2025, an auction on May 14, 2025, and a final hearing to approve the sale on June 17, 2025.

23andMe's Genetic and Consumer Health Data

Given 23andMe's popularity and potential sale to an unknown bidder, many customers, regulators, and privacy advocates expressed concern over the sale's impact on customers' sensitive genetic and consumer health data, which may be among the most valuable assets comprising the 23andMe bankruptcy estate.

Because 23andMe is not a healthcare provider or similar "covered entity" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the collection, storage, use, transfer, and sale of consumers' genetic information and health information are governed by a patchwork of state-level, non-uniform consumer privacy laws and 23andMe's policies pertaining to consumer data, namely its Privacy Statement and other related or subsidiary policies.

These state consumer privacy laws all seek to protect information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household, and often give heightened protection to genetic and consumer health data. For instance, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), which in many ways set the bar for consumer privacy law in the U.S., specifically protect consumers' "genetic data," "biometric information" about that person's "physiological, biological, or behavioral characteristics" including information about their DNA, and other personal information "collected and analyzed concerning a consumer's health" or "sex life or sexual orientation." The CCPA and CPRA impose stringent disclosure, consent, and maintenance obligations on the "data controller" who collects "personal information" or heightened "sensitive personal information" and afford consumers broad rights for managing their personal information or sensitive personal information, such as the right to request that the company delete that data. Notably, California Attorney General Rob Bonta urged consumers on March 21 to exercise their right to direct 23andMe to delete their genetic information, as soon as the company reported in securities filings that it was in financial distress and had substantial doubt about its ability to continue as a going concern. The Wall Street Journal reported that 23andMe's website crashed the day after the bankruptcy filing as customers flooded the site to delete their genetic information and user profiles. However, 23andMe customers who do not live in a state with a data privacy law that affords them a right of deletion may be left out in the cold unless 23andMe chooses to offer all customers this right, which remains to be seen.

Companies like 23andMe customarily maintain robust privacy policies or privacy statements that explain to consumers how they collect, use, store, and share personal information and, if applicable, sensitive personal information when consumers use their product or service. There is extensive debate over how a consumer may effectively consent to a company's data collection, use, storage, and sharing terms, though consumers, privacy advocates, and attorneys generally accept that the privacy policies are the definitive disclosure documents. Under 23andMe's Privacy Statement, customers consent to their personal information being used for reasonably expected purposes, such as 23andMe delivering and improving its products and services and serving targeted ads to its users, but also to 23andMe using de-identified genetic data for purposes of research and operating its now-shuttered therapeutics division and drug discovery program. 23andMe's Privacy Statement also states, "If [23andMe is] involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity," so a successor-in-interest to 23andMe's assets, namely its genetic and consumer health data, would also inherit all of the consumer consent previously provided to 23andMe.

Protecting Personal Information in Bankruptcy Sales

Section 363 of the Bankruptcy Code authorizes the sale of a bankrupt debtor's assets free and clear of claims and encumbrances, but specifically prohibits a sale involving "personally identifiable information" collected and used pursuant to the debtor's privacy policy unless the sale complies with the terms and conditions of the policy or the court, following the appointment and report of a "consumer privacy ombudsman," finds that there is no evidence that the sale violates applicable privacy laws.

A consumer privacy ombudsman is appointed under Section 332 of the Bankruptcy Code to provide an independent report to the bankruptcy court on, among other things, the debtor's collection and use of personal information and how the bankruptcy and sale affect the debtor's consumers. This is particularly common where a debtor seeks approval of a sale of assets that includes information that is subject to a privacy policy consented to by consumers as to the collection, storage, use, transfer, and sale of their personal information. A consumer privacy ombudsman is only required where the debtor seeks to modify or abrogate a privacy policy as part of a sale. However, bankruptcy courts retain the discretion to appoint a consumer privacy ombudsman even where the sale purports to comply with the debtor's privacy policy.1 The ombudsman's report is advisory only and is taken into account by the bankruptcy court in reviewing and approving the terms of the sale in light of the cost-benefit analysis for customers should the sale be approved and alternatives for mitigating the risk to consumers' personal information.

In the 23andMe case, the Office of the United States Trustee, a governmental unit under the Department of Justice that provides oversight in bankruptcies, has indicated that it may seek the appointment of a consumer privacy ombudsman, while the company has argued that the appointment is not necessary because 23andMe intends that the sale will conform with its existing Privacy Statement, consistent with its messaging to its customers. However, it remains unclear how 23andMe will have the leverage to definitively impose those restrictions and obligations on an eventual buyer and, therefore, convincingly make that guarantee to the Bankruptcy Court or its consumers at this stage. For example, it is possible that potential buyers will require that any sale modify 23andMe's existing Privacy Statement and/or related policies.

Ultimately, even if the Bankruptcy Code may not require a consumer privacy ombudsman, given the enormously sensitive nature of the main asset to be sold in the case—customers' genetic information and other personal information—it is possible that the Bankruptcy Court will appoint a consumer privacy ombudsman to provide oversight and advice to ensure that customers' personal information will remain protected.

Footnote

1 In re Celsius Network LLC, No. 22-10964, 2022 WL 14193879, at *7 (Bankr. S.D.N.Y. Oct. 24, 2022).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
