On March 23, 2025, 23andMe Holding Co. (“23andMe”) filed for bankruptcy in the Eastern District of Missouri, potentially setting in motion the sale of genetic data collected from more than 15 million people. This has led to news outlets and state Attorneys General encouraging consumers to delete their 23andMe data before it is sold as part of the bankruptcy process.
The key question for many observers seems to be: Can 23andMe really sell genetic data through bankruptcy? The answer is: probably yes. If you’d like to know why, continue reading.
Bankruptcy & Customer Data 101:
Chapter 11 bankruptcy provides a business with a mechanism to reorganize the company while selling certain assets, or selling the company to new ownership, to help satisfy the company’s debts. Customer data is one asset that can be sold as part of this process. Generally speaking, § 363(b)of the Bankruptcy Code looks to the company’s privacy policy to determine if the company can sell or lease personal information it holds. If the privacy policy in effect at the time of the company’s bankruptcy declaration tells consumers their data may be sold via bankruptcy proceedings, then in principle, bankruptcy law permits the data to be sold – subject to any restrictions of applicable non-bankruptcy law (discussed in further sections below).
Section 363(b) was introduced in 2005 to codify the results of the In re Toysmart.com case, in which the Federal Trade Commission (FTC) intervened to contest Toysmart.com’s sale of customer data as part of its bankruptcy. The FTC objected to this sale because Toysmart.com’s privacy policy had represented to consumers that their data would never be sold. The FTC thus initially took the position that a sale would be a deceptive practice under Section 5 of the FTC Act. Section 363(b) codifies the FTC’s focus on the promises contained in the debtor’s privacy policy from the Toysmart.com case in determining whether bankruptcy law permits consumer data to be sold.
If the privacy policy is not clear whether the company may sell customer data (including if prior versions or other statements to consumers contained promises not to sell data), the bankruptcy court can appoint a Consumer Privacy Ombudsman to review the proposed data sale and make recommendations. If appointed, the Ombudsman’s job is two-fold. First, he or she provides guidance to the court on the facts, circumstances, and conditions of the sale of personally identifiable information (PII) at issue while considering the debtor’s privacy policy, any gains or losses of privacy to the consumer, potential cost to consumers if the sale is approved, and potential alternatives to mitigate privacy losses. Second, the Ombudsman may advise the court on whether the sale would violate applicable non-bankruptcy law. On the basis of this review, the Ombudsman recommends whether the sale should occur and if so, whether conditions should be added to the sale. Conditions can include, e.g., (a) the buyer should be in materially the same line of business as the seller, (b) the buyer should agree to comply with the seller’s privacy policy, or (c) the buyer will notify consumers of any materially new uses or disclosures of their personal information and give them an opportunity to opt-out.
In the 23andMe case, the US Trustee’s office has argued that an Ombudsman is necessary to protect privacy rights of consumers. However, 23andMe argued against such an appointment because 23andMe and the eventual buyer would abide by its Privacy Policy and comply with applicable law.
The 23andMe Privacy Policy states that 23andMe may sell or transfer consumer personal information in the event of a bankruptcy. During registration, the consumer assents to the Privacy Policy and 23andMe Terms of Service by checking a box indicating the consumer’s agreement to the terms which are both hyperlinked in the text. Though courts can be inconsistent when it comes to enforcing online contracts between consumers and large companies, bankruptcy courts often look more closely at the content of the privacy policy, not at the method it was presented to the consumer, to determine if it permits the sale.
What About Privacy Law?
Since selling data in bankruptcy is not just subject to the Bankruptcy Code, but also to applicable non-bankruptcy laws, some observers have asked whether privacy statutes would prevent or restrict 23andMe’s ability to sell genetic data. But privacy laws may not apply to much data involved in this bankruptcy filing.
On the federal side, HIPAA may not apply to much of the genetic data collected from consumers. 23andMe likely did not act as a HIPAA covered entity or business associate with respect to many of the consumers who sent in samples for genetic testing. 23andMe does appear to have a telehealth subsidiary (Lemonaid Health) that likely is covered by HIPAA, but even then, HIPAA permits covered entities to transfer protected health information, such as genetic information, in the event of a reorganization as part of the covered entity’s “healthcare operations.” The federal Genetic Information Privacy Act (“GINA”) will not apply unless the genetic information is used in a discriminatory fashion, such as to deny employment
State comprehensive consumer privacy laws, like California’s CCPA, and state health privacy laws, like Washington’s My Health My Data Act, generally regulate “genetic information” as a type of “sensitive information” and provide consumers certain rights in their data, such as the right to delete. However, the majority of these laws also exempt from their definition of a “data sale” those transfers of data that occur in bankruptcy proceedings. This means the business can transfer the genetic information during bankruptcy without triggering the normally-applicable rules for “data sales” – like notice and opt-out rights – as long as the purchaser assumes the data under the same terms as the seller’s privacy policy. If the buyer plans to make new uses or disclosures of the customer data, this can take the bankruptcy data sale out of the exemptions offered by state privacy laws, requiring consideration of whether consumers should receive notice of the sale and an opportunity to opt-out.
Any other Non-Bankruptcy Law Relevant to the 23andMe Case?
Federal and state unfair trade practices laws also apply in the bankruptcy context. Data cannot be sold to buyers in ways that would render the sale, or the ensuing uses or disclosures of data, unfair or deceptive to consumers.
In the 23andMe case, the Federal Trade Commission (FTC) has already weighed in. FTC Chairman Andrew Ferguson published a letter he sent to the 23andMe bankruptcy court. He sees the FTC Act – which prohibits unfair or deceptive trade practices that harm consumers – as impacted by the potential sale of 23andMe data. Chairman Ferguson’s letter walks through all promises to consumers made by 23andMe and its subsidiaries. Importantly, the FTC reads 23andMe’s privacy policy as promising to consumers that the protections it contains “shall apply continuously to their personal information, even if the data is sold or transferred in a bankruptcy proceeding.” For this reason, Chairman Ferguson argues to the bankruptcy court that “any purchaser should expressly agree to be bound by and adhere to the terms of 23andMe’s privacy policies and applicable law, including as to any changes it subsequently makes to those policies.”
Do any other Laws say Consumers have to Consent in Advance to a Sale of Genetic Data?
Apart from consent requirements that may result from unfair and deceptive trade practices statutes, some states have passed statutes specifically relating to genetic testing. However, the majority of laws related to obtaining informed consent to perform genetic testing on samples apply to health care providers. Still, several states, including New York, Oregon, and Virginia, have adopted genetic privacy laws that require genetic testing companies to obtain specific express consent before disclosing genetic samples and/or genetic information to third parties. It seems to be an open question whether a purchaser of 23andMe via bankruptcy proceedings would qualify as a disclosure to a “third party” within the meaning of these statutes.
What Does This Mean for Companies?
Privacy policies that expressly contemplate data sales in bankruptcy, as presented via enforceable methods of assent to customer-facing agreements, are essential if your company has large amounts of data – particularly sensitive data – and potentially is looking to sell.
Prospective buyers should prioritize privacy and security diligence when considering purchasing a company that collects, transfers, stores, or maintains large quantities of more sensitive data.
Genetic testing companies in particular should review state genetic testing laws for consent requirements that may go above and beyond other privacy laws and regulations.
