[co-author: Stephanie Kozol]*
Several state attorneys general (AGs) and the Federal Trade Commission (FTC) have begun scrutinizing ancestry tracking company 23andMe following its recent announcement that it has filed for Chapter 11 bankruptcy. As part of these efforts, the AGs have issued alerts on ways consumers can exercise their rights under state privacy laws, and the FTC has issued letters stressing potential risks to U.S. bankruptcy trustees. 23andMe, which was founded in 2006, has collected DNA and associated genetic material on seven million American customers to provide information related to those customers’ ancestry.
State AGs have historically treated matters involving genetic, health-related, and biometric data with heightened attention, given the highly personal nature of such data and the privacy considerations it raises. Given that 23andMe holds the genetic data of millions of customers, it is unsurprising that state AGs have taken notice of its troubles, especially as bankruptcy will likely affect company leadership and staffing levels, which in turn could impact the integrity of the company’s internal systems. Indeed, the company’s CEO announced her resignation from the position on March 24. Further complicating the AGs’ overall view is the company’s 2023 data breach involving customer personal information, which is still under investigation by the states, and the company’s recent assertion to the bankruptcy court that it does not require a “privacy ombudsman” to oversee personal data as it goes through the bankruptcy process.
Over the past few days, several state AGs, including those of California, Connecticut, and Virginia, have issued consumer alerts encouraging consumers to take action concerning their stored data. Generally, the warnings cite those states’ comprehensive consumer privacy laws and recommend that consumers request that the company delete their data and destroy their genetic material, and that they revoke any prior consent to use such data that they granted to the company.
Nineteen states to date have enacted comprehensive state privacy laws that apply to organizations controlling or processing the personal information of consumers, including genetic and health-related data. The laws universally grant consumers the right to access, correct, and delete such information, and to opt out of the sale and use of the data for targeted advertising and profiling. Most of the comprehensive laws also contain cybersecurity components that mandate businesses implement “reasonable” data security measures, supervise their vendors and service providers through specific contractual provisions, minimize the amount of personal information they collect, and conduct data protection assessments for potentially high-risk data processing. Every law also requires businesses to disclose their privacy practices to consumers, and most require affirmative consent to process “sensitive” personal information, which includes child-related, health care, religious, or political data, among other types. Violations of these laws can result in monetary penalties and injunctive relief.
As this case progresses, state AGs will undoubtedly examine the company’s past cybersecurity measures and privacy policies and procedures not only pursuant to the above privacy laws, but also to state consumer protection laws that prohibit misrepresentation as to how the company has handled such data. Indeed, over the past year, the AGs have sharpened their resources to focus on privacy, with many devoting entire units solely to privacy enforcement.
Additionally, on March 31, the FTC expressed significant privacy and security concerns regarding the potential sale of sensitive consumer information in the 23andMe bankruptcy case. FTC Chairman Andrew Ferguson emphasized that 23andMe must honor its privacy commitments to users, including safeguarding genetic data, even in bankruptcy proceedings. Ferguson’s letter to the acting U.S. trustee for Missouri and other states stressed that any sale of 23andMe’s data must adhere to the company’s privacy policies and applicable laws. This announcement follows 23andMe’s plan to auction its vast genetic data to repay creditors, which has alarmed consumers and prompted many to cancel their accounts. The FTC’s stance underscores the importance of maintaining data protection promises, especially in light of the 2023 data breach. The agency’s scrutiny of data handling in bankruptcy cases is not new, as seen in its 2015 intervention in bankruptcy proceedings involving RadioShack.
The 23andMe situation provides a cautionary tale for companies handling consumer personal information, especially genetic and health-related data. Companies that control or process such data should verify that they are engaging in defensible privacy and cybersecurity practices in accordance with the applicable state privacy and consumer protection laws and pertinent federal regulations, and should consult competent outside counsel accordingly. Companies must ensure that, at a minimum, they maintain fundamental privacy measures, such as a readily available privacy policy, conspicuous notice of privacy rights, an easily accessible opt-out process on their websites, and consistent fulfillment of consumer opt-out requests. Failure to do so comes with significant risk.
*Senior Government Relations Manager