Federal Trade Commission Chairman Andrew Ferguson on Monday said genetic testing company 23andMe, which recently initiated a bankruptcy proceeding, must honor its data privacy and security commitments in any sale or transfer of individuals' personal data.
23andMe promises a number of protections for user data in a privacy statement posted on its website. The company has indicated since its bankruptcy filing that it will continue to honor its privacy representations in the process of securing a purchaser, Ferguson noted in a letter to Acting U.S. Trustee Jerry Jensen.
“The FTC believes that, consistent with Section 363(b)(1) of the Bankruptcy Code, these types of promises to consumers must be kept,” he said.
Sunnyvale, California-based 23andMe announced on March 23 that it initiated Chapter 11 bankruptcy protection and was seeking authorization from the U.S. Bankruptcy Court for the Eastern District of Missouri to begin a process to sell “substantially all of its assets.”
The company also announced new leadership, tapping CFO Joe Selsavage to take on the added role of interim CEO after co-founder Anne Wojcicki resigned as chief executive while staying on the board.
The company filed for bankruptcy after financial challenges over the past few years and a massive data breach in 2023.
“23andMe is a perfect example of how impossible it can be for corporate reputations to recover from a serious data breach,” Ron De Jesus, field chief privacy officer at San Francisco, California-based data privacy startup Transcend, said in an email.
Attorneys general in a number of states, including New York, California, Virginia and Massachusetts, have issued alerts urging 23andMe users to consider taking steps to protect their privacy, including deleting their personal information.
In his Monday letter, Ferguson said he was writing to express “the FTC’s interests and concerns relating to the potential sale or transfer of millions of American consumers’ sensitive personal information.”
“As you may know, 23andMe collects and holds sensitive, immutable, identifiable personal information about millions of American consumers who have used the Company’s genetic testing and telehealth services,” he said, adding that such information includes genetic data, biological DNA samples, health records, and ancestry and genealogy details.
The letter states that any purchaser should “expressly agree to be bound by and adhere to the terms of 23andMe’s privacy policies and applicable law, including as to any changes it subsequently makes to those policies.”
Ferguson’s letter is a “forceful reminder” that privacy promises need to be followed to avoid violating FTC Act prohibitions against deceptive trade practices, according to Lisa Sotto, chair of the global privacy and cybersecurity practice group at law firm Hunton Andrews Kurth.
“While the letter falls short of threatening an enforcement action, it is a clear indication that the FTC is focusing a watchful eye on this matter,” she said in an email.
The issue of data privacy protection in bankruptcy proceedings is not new. The FTC’s focus on the issue dates back as early as 2000, when the agency sued Toysmart, a failed internet retailer of children’s toys, to prevent the company from selling consumer data after a bankruptcy filing, Sotto said. The parties ultimately reached a settlement allowing the data to be sold to a “qualified buyer,” with the requirement that such entity agree to abide by the terms of Toysmart’s privacy statement.
In 2005, Congress amended the Bankruptcy Code to restrict sales of personally identifiable information by debtors, requiring that an independent consumer privacy ombudsman be appointed to oversee such sales.
“Chairman Ferguson is reiterating long standing FTC policy regarding the sale of data in a bankruptcy proceeding,” Dan Caprio, a senior policy advisor in the data protection, privacy and security practice at law firm DLA Piper, said in an email.
“23andme committed to its users that they are in control of their data, and that users can decide how their information is used and for what purposes — including honoring the right of users to delete their personal information at any time. Failure to honor that promise would be grounds for the FTC to open an investigation,” Caprio said.
The company said in an emailed statement that Ferguson's letter “recognizes our commitment to protect customer data, including our stated commitment to continuing our privacy and security programs.”
