23andMe’s Bankruptcy Puts 15 Million Users’ DNA Info on Auction Block

Millions of Americans who sent their saliva to 23andMe in hopes of finding lost relatives or identifying health risks buried in their DNA now face the prospect of seeing their genetic information sold to the highest bidder as part of the company's bankruptcy. This sets up a test of existing legal safeguards around privacy and safety, raising concerns about how customers' personal data will be protected.

A Crowdsourced Platform for Genetic Research

23andMe has proposed a May 14 auction for the sale of its assets, which include the genetic data of more than 15 million customers. Founded in 2006, 23andMe said in court papers that the data represents "one of the world's largest crowdsourced platforms for genetic research." This highlights an aspect of corporate restructuring that receives relatively little notice from the general public until moments like this: customer data is a valuable asset that often changes hands in Chapter 11. Other examples include patient information from bankrupt hospitals or nursing homes, as well as customer data from failed retail chains.

A Valuable Asset, but with a Price Tag

The prospect of key genetic information being sold feeds into long-simmering unease around privacy and safety in the industry. Existing bankruptcy law contains measures to protect sensitive information of failed companies like 23andMe, but concerns persist about how this data will be handled. A 2023 data breach compromised the information of roughly seven million 23andMe customers, fueling worries about what this means for their personal information and that of their families.

What Does 23andMe Say?

A 23andMe spokeswoman said in an email that customers can delete data within their account and don't need to contact customer care to do so. In a note to customers, the company stated that the bankruptcy filing doesn't change how they store or protect personal data and any buyer will be required to comply with applicable laws regarding treatment of such information. "Our users' privacy and data are important considerations in any transaction, and we remain committed to our users' privacy and to being transparent with our customers about how their data is managed," the company said.

Consumer Alerts Issued

California and Connecticut's top law enforcement officers issued consumer alerts on Monday, providing instructions on how 23andMe customers can delete their genetic information. Some customers took to social media to express concern about the company's website and application being slower than usual as users sought to delete their data.

A Test of Existing Safeguards

"We are watching this bankruptcy filing closely and expect to be actively engaged to ensure sensitive records are protected and 23andMe is held accountable," said Connecticut Attorney General William Tong in a statement. The auction highlights the tension between a company's obligation in bankruptcy to sell its assets for as much as possible, while ensuring that customers' privacy isn't jeopardized.

The Role of Consumer Privacy Ombudsmen

Congress in 2005 added protections to the bankruptcy code that permit the US Department of Justice to seek appointment of a consumer privacy ombudsman who provides independent oversight of customers' privacy interests during a Chapter 11 sale. Such ombudsmen are "explicitly charged by the bankruptcy code with responsibility to protect personal identifiable info" and should object to any sale or transfer of customer data that doesn't include the best possible safeguards, including opt-out provisions like those provided in California.

The Auction Process

23andMe has filed customary motions seeking court approval to run a sale process for its assets and tap as much as $35 million in Chapter 11 financing. The company listed $277.4 million in assets and $214.7 million in liabilities in court papers. The case is 23andMe Holding Co., 25-40976, U.S. Bankruptcy Court Eastern District of Missouri (St. Louis).

Conclusion

The sale of 23andMe's assets raises concerns about the protection of customers' genetic data and privacy. As the company navigates this complex process, it is crucial that existing safeguards are tested and that customers' rights are upheld. The outcome of this auction will have far-reaching implications for the industry and consumers alike, highlighting the need for greater transparency and accountability in the handling of sensitive customer data.