
23andMe Bankruptcy: The Privacy Ombudsman’s Report

Hashed & Salted | A Privacy and Data Security Update

The court-appointed Consumer Privacy Ombudsman (CPO) in the 23andMe bankruptcy last month released a 200-plus-page report assessing the privacy implications of the proposed sale of 23andMe’s assets as part of its Chapter 11 bankruptcy proceedings, In Re 23andMe Holdings. At the time of release of the CPO’s report (CPO Report) on June 11, two bidders, Regeneron and TTAM Research Institute, were actively competing to acquire the assets.

What Are the Highlights?

The CPO was asked to opine on a series of questions. Below are highlights of the CPO’s opinions on the key questions:

1) Whether the proposed sale is consistent with 23andMe’s privacy policies

The CPO concluded that “it is highly unlikely that a typical 23andMe customer acting reasonably knew or understood what they were agreeing to in the Privacy Statement with respect to the sale of data in bankruptcy, particularly in the context of the many general promises of far greater salience regarding the importance of privacy.” To support this conclusion, the CPO flags the following facts: 1) Prior to June 2022, 23andMe’s privacy statement did not explicitly refer to the transfer of personal data in connection with a bankruptcy, 2) the Privacy Statement has been updated 22 different times since 2007, and 3) a meaningful number of 23andMe customers do not regularly log in to their accounts and may not have been made aware of the changes. The CPO also points to privacy promises made in consumer communications, which he views as promising a level of privacy that is not in line with the sale of data in the context of this bankruptcy.

The CPO Report notably provides no support for the position that the average consumer would find a disclosure in the context of a merger materially different from a disclosure in the context of a bankruptcy. The CPO Report also does not address whether a buyer that steps into the shoes of 23andMe and upholds its privacy practices and promises would be acting consistently with 23andMe’s privacy policies—a curious omission.

2) Whether the proposed sale would violate non-bankruptcy laws

The CPO found that he “cannot conclude that certain non-bankruptcy laws would not be violated if the Company and its data assets were sold as part of this current bankruptcy proceeding, unless the winning bidder obtained appropriate consent from the Company’s customers prior to obtaining their genetic data and other personal information.”

The CPO Report outlines various state genetic privacy laws; the Federal Trade Commission (FTC) Act and state unfair or deceptive practices (UDAP) laws; state comprehensive privacy laws; and state health data laws to support the CPO’s analysis, finding as follows:

  • A number of state genetic privacy laws prohibit the transfer or sale of genetic data without explicit consent. While some of the laws include an exemption for transfers to vendors or service providers, the ability to take advantage of that exception would depend on the structure of the corporate relationship. The CPO was not convinced that the buyer would ultimately act in this limited capacity.
  • Section 5 of the FTC Act and state UDAP laws could be implicated because the CPO has already concluded that the sale of assets would not be consistent with 23andMe’s privacy promises and could therefore be viewed as a deceptive or even unfair practice. Notably, none of the statements flagged by the CPO (e.g., “You can be assured that your genetic data will not be shared with employers, insurance companies, or public databases without your explicit consent”) conflict with the prospect of a sale in which a new company steps into the shoes of the existing company and honors those same promises.
  • The CPO concludes that it is less likely that state comprehensive privacy laws and state consumer health laws would be violated due to carve-outs for disclosures in connection with bankruptcy.

3) The costs and benefits of the sale

While the CPO Report acknowledges the potential benefits of the sale, which include the benefits of the genetic research being conducted with the data, it concludes that the potential costs outweigh the benefits in the absence of consent.

Where Do We Go From Here?

The CPO recommended multiple safeguards, including:

  • Affirmative consent from customers before transfer or use of their data
  • Data deletion for nonconsenting users, and posthumous account deletion mechanisms
  • Public commitments by the buyer to data loyalty and privacy best practices
  • Actual notice to all users before transfer
  • Active defense of law enforcement requests to access the data
  • Contractual and policy-based commitments by any purchaser to preserve or exceed 23andMe’s current protections

Our Take

The CPO Report largely reads as a conclusion searching for supporting facts. It is clear that the CPO is concerned that because the data at issue includes genetic information, which is inherently identifiable and incredibly sensitive and poses serious risks to consumers, the sale of that information in connection with bankruptcy poses a privacy risk that is not addressed by existing laws. While the conclusion that consumers must provide affirmative consent to this transfer “feels” right, it is out of line with the reality of business practices and the requirements of the law. It suggests that bankruptcy poses an inherently greater risk than a merger or acquisition. If 23andMe had decided to sell itself a year ago, this proceeding would have been avoided, and it is very possible that the Privacy Statement disclosures would have covered the transaction. (For more on the data privacy issues in the context of business transactions, see our article “23andMe Bankruptcy Sparks Data Privacy Concerns. Should It?”) The only issue potentially prompting the need for consent would have been whether the acquiring company is a service provider or a third party under the state genetic privacy laws. The CPO Report ultimately raises issues with the current state of privacy in the U.S., which continues to rely on notice and choice as its anchoring framework. There is little disagreement that the framework is due for a change, but until that happens, businesses shouldn’t be punished for complying with the laws as they currently exist.

What Should Companies Take Away From This?

A few points to consider as you look ahead to potential business transactions:

  • Audit historic privacy promises: Ensure that legacy privacy representations like “We don’t share your data” are qualified and not overstated in light of future business transactions.
  • Review privacy statement language: Ensure that all potential business transactions are clearly disclosed.
  • Consider the structure of business transactions: Where sensitive data is involved, understand the laws that apply and whether consent will be required prior to the transfer of data or whether the business relationships can be structured in a manner that doesn’t trigger consent requirements.
  • Plan for deceased or inactive users: Develop processes for posthumous deletion requests and managing dormant accounts with sensitive data.
  • Strengthen contractual safeguards: Build in commitments around data use restrictions, deletion protocols and government access in any asset purchase agreement.
  • Prepare for scrutiny: Expect attention from state attorneys general, the FTC and consumer advocates if sensitive personal data is part of a transaction.

As more states pass laws regulating health and genetic data (e.g., Washington’s My Health My Data Act, California’s GIPA, New York’s pending HIPA), companies should prepare now by taking inventory of any sensitive data, strengthening consent frameworks and planning for edge cases such as deceased users. Any future M&A or restructuring involving sensitive personal data should be privacy-informed from the start.