As 23andMe crumbles under bankruptcy, millions of Americans’ DNA data now hangs in the balance, raising alarms about what could happen to your genetic information. The Federal Trade Commission has stepped in with strong warnings about protecting consumer privacy as the company’s sensitive data assets face potential sale.
At a glance:
• 23andMe filed for bankruptcy protection on March 23 following weak demand and a massive data breach
• FTC Chairman Andrew Ferguson has issued a formal letter expressing concerns about the fate of customer data
• The company’s privacy policies allow for the potential sale of genetic data during bankruptcy proceedings
• Nearly 7 million customers had their personal information exposed in a 2023 data breach
• California’s Attorney General Rob Bonta recommends customers delete their genetic data to protect privacy
Government Agencies Sound Alarm on DNA Data Sale
The Federal Trade Commission has formally intervened in 23andMe’s bankruptcy proceedings with serious privacy concerns for millions of Americans. FTC Chairman Andrew Ferguson sent a letter to the Acting U.S. Bankruptcy Trustee highlighting the risks of genetic information being transferred to new owners who might not honor existing privacy agreements.
Millions of people’s DNA data could soon be accessed by…who knows who?
Ferguson stressed that promises made to consumers about privacy and data security must be upheld in any sale of the company’s assets. The FTC has a history of stepping into bankruptcy cases to protect consumer data, previously intervening in high-profile bankruptcies like RadioShack and XY Magazine. But this case is…quite different.
23andMe filed for Chapter 11 bankruptcy protection on March 23 after experiencing declining demand for its DNA testing kits. The company’s financial troubles were compounded by a devastating data breach in 2023 that exposed personal information of nearly 7 million customers over a five-month period.
Privacy Promises Must Be Kept Despite Bankruptcy
Chairman Ferguson directly addressed the privacy concerns in his communication with bankruptcy officials regarding the sensitive nature of genetic information. “Many Americans are concerned about the impact of a potential sale of their personal data, and I understand those concerns,” Ferguson said.
“Consumers should be able to trust that companies will keep their promises, including when it comes to handling of sensitive information,” Ferguson added.
The FTC’s position is that any new buyer must adhere to the same privacy protections promised to customers when they submitted their DNA samples.
23andMe’s own privacy statement indicates that protections should apply continuously to personal information, even during bankruptcy proceedings – but it’s hard to know how new buyers will treat these agreements in the event of a sale. Nonetheless, the company’s policy states: “If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.”
State Officials Recommend Deleting DNA Data
California Attorney General Rob Bonta has taken a more direct approach to protecting consumers amid the bankruptcy proceedings, explicitly advising 23andMe customers to delete their genetic data from the company’s databases to protect their privacy rights. Just incase.
The concerns stem from language in 23andMe’s privacy policies that could potentially allow for the sale of genetic data to new owners. While the company claims the bankruptcy will not impact how customer data is managed, privacy advocates remain skeptical about how strictly these commitments will be honored.
The FTC believes that consistent with Section 363(b)(1) of the Bankruptcy Code, privacy promises to consumers must be kept regardless of the company’s financial situation. Any bankruptcy-related sale involving users’ personal information and biological samples will remain subject to the representations the company made to users about both privacy and data security.
