The genetic data that 15 million people entrusted to 23andMe to learn more about their ancestry and health could soon be sold to the highest bidder as “distressed assets” in 23andMe bankruptcy proceedings. According to 23andMe’s March 26 open letter, the Chapter 11 filing doesn’t change how 23andMe stores and protects customer data during this process. The company will continue to operate, and customers can access and change their accounts as normal during this time.

But many customers are distressed about what will happen to their data after the sale, and who the ultimate buyer will be. Customers put their trust in 23andMe — not an unknown buyer with unclear intentions — when they shared DNA they can never change. A statement from 23andMe assures customers that data privacy will be an “important consideration” in any potential transaction. One way to do this is to appoint an independent consumer privacy ombudsman, but according to BNN Bloomberg, 23andMe has opposed a bankruptcy watchdog’s motion to appoint a CPO.

Joseph Sarachek, a bankruptcy lawyer and adjunct professor at NYU Stern School of Business, notes that while 23andMe was very good at amassing valuable data, its subscription model wasn’t profitable. He cites as evidence the ex-CEO’s offer to buy the company once valued at $3.4 billion for just under $11 million. “The market in distressed assets is pretty accurate.”

The eventual buyer could be a venture capitalist that wants to run the business more efficiently within a similar but more profitable model. More cynically it could be a “vulture capitalist” that sees the data merely as a valuable asset to monetize as it strips the company for parts. According to Sarachek, appointing a CPO would be antithetical to 23andMe’s goals to maximize value since the CPO can place limits on the sale to protect privacy. “The data drives the value of this,” says Sarachek. He tells me me a slew of deletion requests would directly impact 23andMe’s value.

This creates an apparent conflict of interest: 23andMe wants to maximize value but all the value lies in the very data customers want to delete. “This means the real value of this data comes from the fact that people have forgotten about it,” writes Keith Porcaro in his MIT Technology Review article, "How a bankruptcy judge can stop a genetic privacy disaster.”

MORE FOR YOU

Anonymous Hackers Expose Putin’s Secret Data—Publish Trump File

iOS 18.4.1 iPhone Update: Apple Urges Installation For All Users

Today’s NYT Mini Crossword Clues And Answers For Friday, April 18th

DNA is highly revealing and cannot be changed, so the stakes are very high. “If a bankruptcy court makes a mistake authorizing the sale of 23andMe’s user data, that mistake is likely permanent and irreparable.” Porcaro urges the court to appoint a CPO. He recommends mandatory opt-in consent from each customer to the sale of their data. Porcaro argues this will require the buyer to gain customer trust and align more closely to customers’ wishes.

While concerned customers can delete their data to exclude it from sale, this may not shield all of their genetic data from a new buyer, as I’ve explained here. Sarachek tells me that money for the sale would be withheld until any pending or incomplete deletion requests were resolved, so 23andMe is incentivized to act quickly. As privacy writer and attorney Carey Lening shows in her article, “Privacy Disasters: 23andMe, and You, and Our Genetic Data,” companies and customers often have differing views of what constitutes a “resolved” complaint. She is still waiting to find out if 23andMe and its partner labs still retain some of her genetic information.

How Does a Consumer Privacy Ombudsman Protect Privacy In Bankruptcy Proceedings?

Chapter 11 proceedings aim to maximize the company’s value to ensure creditors — those to whom 23andMe owes money — get paid from the proceeds of sale. 23andMe’s customers are not “creditors,” since privacy interests are not tangible assets. The only tangible privacy claims are the data breach class action settlement claims. Yet the plaintiffs and their lawyers may never see this money.

A CPO would have the knowledge, skill and specific function of representing consumer privacy interests in this case. Without one, the process would be guided by commercial considerations. The CPO would scrutinize the applicable privacy notice(s), assess potential privacy impacts, propose privacy-protective measures, convey individual privacy concerns and assess applicable privacy laws like the Federal Trade Commission Act, the California Consumer Privacy Act and the EU’s General Data Protection Regulation.

23andMe processes the data of people around the world and is subject to many privacy and data protection laws. The laws are complex, nuanced and varied. Privacy analyses are highly fact-specific and contextual. 23andMe’s privacy team may not have the resources to navigate these complexities in individual cases at scale and speed. In the throes of bankruptcy proceedings, any disputes around interpretation will have no viable umpire. By the time a domestic or foreign data protection authority is able to investigate and issue any order, the data may already be sold.

A CPO can propose privacy-preserving measures be applied to the sale, such as:

  • Requiring all customers to opt-in to the sale, such that silence or inaction would not result in sale and transfer of the data.
  • Requiring the buyer to agree to:
    • adhere to the privacy policy after the sale;
    • provide express opt-in or opt-out rights in the case of any material changes to the policy;
    • employ appropriate security measures to safeguard the data;
    • abide by all applicable laws, including international laws and state laws. As a Future of Privacy Forum report illustrates, in the U.S. alone there are numerous state genetic privacy laws to consider.

The company can oppose the CPO recommendations, and it is the judge who will ultimately decide which ones to order.

A CPO must be appointed no less than seven days before the hearing, but it’s only mandatory where the pre-bankruptcy privacy notice prohibits sale of the personal information. Since the March 14 privacy notice expressly stated data could be sold in case of bankruptcy and the buyer will be bound by 23andMe’s privacy policy, the company argues privacy is sufficiently protected. The bankruptcy watchdog argued this was insufficient, since consumers often fail to fully read or understand privacy policies.

To further complicate matters, not all customers are subject to the same privacy policy. The policy in force at the time the customer gave their data would apply, unless they’d consented to material changes of a later one. How will 23andMe and the ultimate buyer manage this added layer of complexity? Will the buyer even be aware of this?

The bankruptcy judge has not yet ruled on the appointment of a CPO, but he has approved the sale procedures, which stipulate that the buyer must comply with 23andMe’s privacy policy. It also provides a 21-day notice period for parties to object to the sale of personally identifiable information or genetic information.

Before the sale, potential bidders will be given access to a data room to conduct due diligence on the assets under binding confidentiality agreements. 23andMe can withhold certain sensitive data that could put them at a competitive disadvantage or expose them to regulatory scrutiny. The order does not explicitly call out personally identifiable or genetic information under that heading. It is unclear what measures, if any, 23andMe intends to take to minimize the privacy impacts of the due diligence process, or whether potential bidders will have access to identifiable, individual-level customer data for their review. If a CPO were appointed, they could propose privacy-protective measures and advise the court on how various privacy laws apply to this commercial transaction. Without that privacy expertise, ill-suited commercial law analyses will predominate.

How Can We Ensure The Buyer Can Protect The Data?

23andMe can select the highest or the best bid. It is unclear whether “best” includes assessing whether the buyer’s privacy and cybersecurity program are sophisticated and mature enough to manage and protect highly sensitive personally identifiable information and genetic information. Merely papering over privacy commitments does not translate into actual protection. Most privacy laws require companies to conduct some privacy and cybersecurity due diligence before sharing PII with a third party. The bid selection process does not.

The data is thus subject to less protection in this sale than it would be in the ordinary course of business. There is nothing — apart from voluntary compliance with applicable privacy laws and best practices — to compel 23andMe to ensure the buyer can actually live up to its contractual privacy commitments.

Commitments on paper offer cold comfort when so many breaches and violations are discovered after the harms are felt. The prospect of valuable yet sensitive genetic, ancestry and account information being sold to an unknown buyer with uncertain privacy practices or intentions causes anxiety for many. People worry that an insurance company might buy it and use the data to withhold coverage; or that it could be used for genetic profiling to discriminate against people based on health or demographic characteristics; or it might be shared with law enforcement for prosecutions.

“As a Black woman who never used 23andMe because of privacy concerns, I have to question to what extent has the U.S. government had access to that data," says Samantha Simms. The digital lawyer, data protection officer and coach is particularly worried about the high numbers of Black and Caribbean customers who turn to direct-to-consumer genetic testing to access ancestral information that a legacy of colonialism and chattel slavery has denied them. "RFK Jr. suggested that Black people needed less COVID vaccination than other racial groups. It can lead to an entire group of people being not treated on basis of a eugenicist theory.”

23andMe cautions that although it may not expressly seek to determine intersex conditions, they may become apparent in testing. In the wrong hands, could this information be used to prosecute or harass a customer under laws or policies that only recognize two biological sexes?

Dr. Krystal Tsosie, an Indigenous geneticist-bioethicist and assistant professor at Arizona State University, told me that consumer DNA testing can raise group privacy risks for small, identifiable communities, like Indigenous tribes. When organizations use Indigenous genetic data without the free, prior and informed tribal consent, it can undermine Indigenous Data Sovereignty and even territorial sovereignty claims, as the Havasupai blood scandal showed. 23andMe approached Indigenous communities to advise them that they were able to map and distinguish what they believed to be tribal affiliations from genetic data they had amassed. Indigenous tribes have their own processes for establishing tribal affiliation and asked the company not to proceed. 23andMe now only provides regional-level results and adds a caveat that DNA testing does not confirm tribal affiliation. Would the new buyer maintain this policy?

What Can Customers Do To Protect Their Data?

Sarachek says the buyer will be bound by existing contracts. Changing them en masse would be too complicated. Yet privacy notices can and do change with little notice. 23andMe assures customers that the new purchaser would need to obtain fresh consent before any material changes. For example, 23andMe’s privacy notice states that it will not voluntarily share customer data with insurance companies or law enforcement. If the buyer wished to start sharing with these entities, it would need to inform customers and seek fresh consent. Yet sometimes companies only update their notices after they get caught, as was the case with TikTok using voice recordings to create voice biometrics. By then it is too late.

“This is a terrible deal for users who just wanted to learn a little more about themselves or their ancestry,” laments Porcaro.

In the absence of a CPO appointment, is there anything customers and others who are concerned can do to ensure privacy concerns are represented in this proceeding?

Individual customers will not have standing, but there are some possible avenues:

  1. Delete your data: If you have an account, you can delete your data and your biospecimen and withdraw any consents to research participation. It will take approximately 30 days to process. This will not apply to research already conducted, but will apply going forward, according to 23andMe.
  2. Keep up with privacy policy updates: If you choose not to delete your account, be sure to read any privacy policy updates the eventual buyer sends you. It may contain very important information about material changes to their use of your data. Adjust your privacy preferences accordingly.
  3. Contact relatives: If you don’t have an account but your blood relatives do, consider asking them if they can delete their accounts to ensure some personally identifiable and genetic information associated with you is thereby deleted.
  4. Share your concerns with 23andMe: Customers can also contact 23andMe in writing to express their privacy concerns and ask the company to agree to the CPO appointment, especially with respect to the genetic information their privacy notice says they retain.
  5. You could contact the U.S. Trustee Region 13 to express your support for the motion to appoint a CPO and express your concerns with the short time period the bankruptcy court has agreed to.
  6. Contact officials: If you are in the U.S., you could contact your political representatives, the Federal Trade Commission, your attorney general (especially if your state has a genetic privacy law), and other data protection authority to express your concern and ask them to intervene. Senators like Ron Wyden have intervened in past, as has the FTC. The AGs are all included in mandatory notification for this bankruptcy proceeding.
  7. Contact data protection authorities: If you are outside the U.S., you could contact your DPA to express your concerns. The Global Privacy Assembly of DPAs have mechanisms for coordinating their enforcement activity. If they have jurisdiction over 23andMe, they can reach out to inquire further and if necessary initiate an investigation.
  8. Practice good digital hygiene going forward:
    1. Think twice before sharing PII that cannot be changed, like your biometric data (finger prints, voice prints, iris scans, DNA, etc.).
    2. Clean up your digital footprint, especially for any accounts that use the same email address you used for your 23andMe account. Our digital traces can be stitched together to paint a rich picture of who we are. Adding genetic information to that list can be extremely revealing and potentially dangerous in the wrong hands. Rupture those links where possible using a service like Kanary Copilot or DeleteMe.
    3. Make digital hygiene a part of your lifestyle: You can create a plan using the Consumer Reports Security Planner or EFF’s Surveillance Self-Defense Toolkits.

It’s not just your privacy at stake when you share genetic information. The actions you take can affect those related to you or who are in similar identifiably demographic groups as you. Until privacy laws catch up and are enforced, privacy protection rests largely on individual shoulders.