As 23andMe’s sale proceeds, the public must remain vigilant. Because once our most intimate information is up for sale, there may be no getting it back.
How to delete 23andMe data
23andMe has filed for bankruptcy. Here’s how you can delete your data.
Problem Solved
- Diane Lourdes Dick and Anya Prince are University of Iowa law professors.
- Lourdes Dick specializes in bankruptcy law; Prince specializes in genetic privacy law.
Did you spit in a tube for 23andMe? If so, your genetic data may soon be handed over to a new company — Regeneron.
Just four years ago, when 23andMe went public, the company was valued at $6 billion. Earlier this year, it filed for bankruptcy. While its business model — selling DNA tests to consumers, then turning around and monetizing that data — seemed full of promise, the company has struggled to turn a profit. Its most valuable remaining asset is the genetic and personal information of its customers. Regeneron is now poised to step in and purchase this customer datafor $256 million. The sale includes 23andMe’s customer-facing genomics service arm, as well as its health and research arm.
When the bankruptcy was first announced, the realization that these data could now be sold caused understandable alarm. At least eight state attorneys general urged consumers to delete their data, citing privacy concerns. These fears were understandable. Federal health privacy laws, like HIPAA, do not apply to companies like 23andMe. And, in the absence of a comprehensive federal privacy law, what happens to customer data is largely governed by the company’s own privacy policy.
That policy is clear: “if we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction.” Before the potential sale to Regeneron was announced, some consumers were uncomfortable with the prospect of a new, unknown owner gaining access to their DNA. Many took advantage of the option to log into their 23andMe account, download their results, and request that their account and biospecimen be deleted.
But with more than 15 million individuals in the database, many of whom signed up years ago, it’s likely that many failed to delete their data prior to the announcement. Thus, the genomics and personal information of most of the consumers will likely be handed over to Regeneron as part of the sale. The sale, however, is “court-mediated,” which means the bankruptcy system itself will carefully watch how this vast trove of sensitive genetic data is managed and will have the final say over whether the sale can proceed.
Bankruptcy courts are designed to sort out the financial affairs of struggling companies. Traditionally, that meant auctioning off tangible assets — real estate, inventory, equipment — to satisfy debts. But in today’s economy, intangible assets like data can be far more valuable. And genetic data is not just another marketing list. It’s immutable, uniquely identifying, and predictive — not only of an individual’s health risks, but potentially those of their family members as well.
When a company files for bankruptcy, all its assets become part of the “bankruptcy estate,” which can be sold off to maximize returns for creditors. Under Section 363 of the Bankruptcy Code, judges can approve such sales with minimal delay. Courts have routinely approved the sale of customer data in bankruptcy, provided certain protections are in place.
Still, courts don’t operate in a vacuum. While they generally prioritize maximizing value, they can also consider the risks to consumers — especially when it comes to deeply personal information. Courts have the discretion to reject a bidder whose proposed use of data is incompatible with the company’s privacy policy, or whose practices pose a threat to consumer trust. In this way, the “highest bidder wins” rule has limits.
In this case, the bankruptcy court appointed a neutral third party, called a privacy ombudsman, to consider consumers’ sensitive data. The appointment of the ombudsman was notable because it was not required by bankruptcy law. In cases where a company’s privacy policy is silent on bankruptcy-related data transfers, courts are required to appoint a “consumer privacy ombudsman” to evaluate the risks and advise the court. But because 23andMe’s privacy policy explicitly allows for data to be transferred in bankruptcy, the court could have skipped over this safeguard.
To offer further privacy protections, courts usually require buyers to honor the original privacy policy. Indeed, as part of the sale, Regeneron says it will comply with 23andMe’s existing privacy policies and plans to further lay out their privacy and security policies for the bankruptcy court. But here’s the catch: a new owner can often revise that policy, provided they give notice. Indeed, 23andMe’s current privacy policy says that it can be changed “from time to time.” So even if data is sold with protections in place, Regeneron would also take over the right to change those protections in the future.
What can be done to further protect consumers now?
23andMe’s sale to Regeneron is not yet a done deal. The privacy ombudsman is scheduled to report on the privacy aspects of the sale by mid-June — a short time before the bankruptcy court hearing on whether to approve the sale. Thus, there is still time for privacy advocates to ensure strong protections of consumer data. There’s precedent for public pressure influencing data sales. When RadioShack went bankrupt in 2015, it initially planned to sell its customer data without restriction. But after pushback from the Federal Trade Commission and state attorneys general, the terms of the sale were revised to limit how that data could be used.
Overall, the sale of 23andMe to a pharmaceutical company that has announced its desire to continue the customer genomics services while also respecting genetic privacy is probably a best-case scenario for this bankruptcy. However, 23andMe’s bankruptcy is by no means a one off. We need to confront larger legal gaps: both bankruptcy law and privacy law need to play catch-up to the reality that more and more companies are widely collecting consumers’ sensitive health and genetic data. Our bankruptcy system was never designed to safeguard personal privacy and, federally, sensitive health information outside the health care setting is not well protected. The assumption that all corporate assets are fair game for liquidation fails to account for the unique sensitivity of biometric and genetic data. Courts, regulators, and lawmakers must do more to align bankruptcy practices and privacy protections with modern data realities.
At a minimum, bankruptcy judges should, as the judge did in this case, consider appointing privacy ombudsmen even in cases where the law does not require it — especially when the asset at issue is a massive trove of health-related data. Regulators should proactively monitor the case and be prepared to intervene if the sale poses consumer risks. And Congress should move quickly to enact baseline privacy protections for biometric and genetic information — protections that don’t vanish the moment a company files for bankruptcy.
You might have thought that by mailing in a DNA sample to learn about your ancestry or health risks, you were engaging in a personal, one-time transaction. But genetic data doesn’t expire — and neither do its implications. As 23andMe’s sale proceeds, the public must remain vigilant. Because once our most intimate information is up for sale, there may be no getting it back.
Diane Lourdes Dick and Mother Prince are University of Iowa law professors. Lourdes Dick specializes in bankruptcy law; Prince specializes in genetic privacy law.
