23andMe, a pioneer in the DNA testing kit industry, announced that it has filed for Chapter 11 bankruptcy protection and recently asked to select an independent customer data representative regarding any sale of user data. Its bankruptcy raises issues about data privacy and what companies must do to protect that data for the benefit of their customers and to protect themselves from litigation or violations of US and international privacy laws.
When a company goes bankrupt, that does not mean the company, along with all of its assets, is dissolved and disappears. What it means, generally, is that the company’s assets are identified and marked for sale. Then, the company seeks a buyer and/or holds an auction. What does that mean for the roughly 15 million 23andMe customers and the data they’ve provided to 23andMe?
The data of those 15 million 23andMe customers is part of the sale.
For many 23andMe customers, the company holds two categories of sensitive information: the user-provided saliva sample and the detailed genetic profile created from it. According to 23andMe’s privacy notice, the data may be shared, accessed, sold, or transferred in the event of a bankruptcy. The possible sale of 23andMe assets has triggered concern by government officials, privacy advocates, and consumers due to the uncertainty the sale brings. A question for 23andMe and similarly situated companies is what steps they must—or, at least, should—take to assuage these concerns.
Is DNA Data Regulated by Law? It Depends
In an FAQ about the bankruptcy posted on its website, 23andMe states that a new owner will be required to abide by 23andMe’s privacy notice and “applicable law” governing the processing of consumer data. However, the applicable law likely imposes few restrictions.
The United States has no federal omnibus consumer data privacy law—such laws are either industry-specific or state-specific. As a result, there is a patchwork of state consumer data privacy laws attempting to govern this area. While almost half of US states currently have some form of privacy law, only some of those laws include genetic data in their definitions of “Sensitive Personal Information.” Some states have adopted laws specifically covering genetic privacy. At least 11 states have enacted laws giving consumers a say in how their genetic data is used. These privacy laws and genetic privacy laws primarily require transparency by the company and provide certain rights to consumers, such as the right to request that the companies delete their data. But these laws impose few restrictions on what companies can do with the data once it’s collected.
The federal, industry-specific law known as the Health Insurance Portability and Accountability Act of 1966 (HIPAA), and the Genetic Information Nondiscrimination Act (GINA), do not apply to the sale of 23andMe. HIPAA applies to certain healthcare providers that transact with health plans; it does not apply to entities that do not engage in these covered transactions, even if they meet the broad definition of “healthcare provider.” GINA bars employers and health insurers from discriminating against individuals due to genetic information but does not regulate the collection, use, and disclosure of genetic information generally.
In other countries, certain laws restrict access to medical information by health insurers and employers. The protective strength of those laws varies from country to country. For example, EU law dictates that genetic data cannot be shared with health insurers or employers. As with HIPAA, the EU law would likely not apply to 23andMe because 23andMe is not a covered medical provider.
As such, 23andMe, and similarly situated companies, have few legal obligations with which to comply when selling their business assets…but they may not be out of the woods just yet.
While there is no state, federal, or international law that currently applies to companies like 23andMe and that governs the sale of genetic data, that does not mean there won’t be. The sale of 23andMe has garnered much attention because the company holds highly sensitive personal data. Legislative proposals will likely follow in the wake of 23andMe’s sale, similar to what happened with the boom in generative AI like ChatGPT and the legislation that followed.
With the ever-changing landscape of federal and state privacy laws, it is important to periodically review and modify data management and retention policies and update privacy notices. Companies should also engage in a business life cycle analysis through a privacy lens. Developing data management policies in the event of the conclusion of a business is just as critical as developing such policies during the operation of the business. With the current state of privacy laws—both domestic and abroad—privacy compliance is not a checklist to be completed and forgotten. Companies conducting mergers, acquisitions, or bankruptcy proceedings that involve the transfer of personal information or other covered information should retain privacy counsel early on to identify potential issues and develop a sale strategy that ensures compliance with applicable laws and addresses consumer concerns.
We can help. If you would like to learn more about data privacy laws, please contact the author or any member of the Intellectual Property Group at McCarter & English.