Recent developments surrounding 23andMe’s bankruptcy proceedings and the proposed transfer of millions of consumers’ genetic profiles have intensified scrutiny of the fragmented legal framework governing biometric and genetic privacy in the United States.
Over the past week, renewed public and regulatory attention has focused on one of the most consequential privacy controversies in recent years: the treatment of consumer genetic data during the bankruptcy and restructuring of direct‑to‑consumer DNA testing company 23andMe. Regulators, consumer advocates, and lawmakers continue to raise concerns regarding whether highly sensitive genetic information may be transferred, sold, or repurposed during insolvency proceedings with insufficient consumer protections.
The controversy has exposed significant structural weaknesses in U.S. privacy law. Unlike financial records or traditional healthcare data maintained by HIPAA‑covered entities, consumer genetic information collected by direct‑to‑consumer testing companies frequently falls outside comprehensive federal privacy regulation. As a result, millions of consumers who voluntarily submitted DNA samples for ancestry and wellness purposes now face uncertainty regarding how their immutable genetic information may be handled during corporate restructuring, acquisition, or liquidation.
At the center of the issue lies a broader legal question: whether existing privacy and bankruptcy laws are adequate to protect highly sensitive biological data in an era of increasingly valuable consumer genomics.
This article examines the legal implications of the 23andMe proceedings, the intersection of bankruptcy and privacy law, and the emerging compliance considerations for organizations handling genetic and biometric data.
I. Why Genetic Data Occupies a Unique Legal Category
A. The Sensitivity and Permanence of Genetic Information
Genetic data is fundamentally different from most categories of personal information. DNA data can reveal:
- Familial relationships
- Disease predispositions
- Ethnic and ancestral background
- Behavioral and biological characteristics
Unlike passwords or financial account numbers, genetic data cannot realistically be changed after exposure or misuse. Moreover, genetic information implicates not only the individual consumer, but also biological relatives and future generations.
Courts, regulators, and scholars increasingly characterize genetic information as among the most sensitive categories of personal data in existence.
B. Limited Federal Protection
Despite its sensitivity, consumer genetic data remains subject to a fragmented regulatory framework.
1. HIPAA Limitations
The Health Insurance Portability and Accountability Act (HIPAA) generally applies only to:
- Covered entities
- Healthcare providers
- Health plans
- Business associates
Direct‑to‑consumer genetic testing companies often fall outside HIPAA’s scope because they operate directly with consumers rather than within traditional healthcare ecosystems.
As a result, many consumers incorrectly assume that genetic testing companies are governed by the same legal standards applicable to hospitals and insurers.
2. GINA’s Narrow Scope
The Genetic Information Nondiscrimination Act (GINA) provides certain protections against discrimination in:
- Employment
- Health insurance underwriting
However, GINA does not comprehensively regulate:
- Data retention
- Data sales
- Commercial transfers
- Bankruptcy proceedings
- Life or disability insurance uses
This leaves substantial gaps in consumer protection.
II. The Bankruptcy Problem: Data as a Transferable Asset
A. Genetic Data in Corporate Insolvency
The 23andMe proceedings have highlighted a difficult reality: personal data is often treated as a transferable business asset during bankruptcy.
Under Section 363 of the Bankruptcy Code, companies may sell assets during restructuring proceedings. Those assets may include:
- Customer databases
- User profiles
- Research datasets
- Genetic information repositories
Because consumer genomic databases possess substantial commercial and pharmaceutical value, they can become among the most significant assets in a bankruptcy estate.
B. Privacy Policies and Bankruptcy Transfers
The Bankruptcy Code imposes certain limitations on transfers of personally identifiable information (PII). Specifically, transfers generally must remain “consistent with” the company’s existing privacy policy unless additional protections are implemented.
However, this framework presents several challenges:
- Privacy policies are often broad and discretionary
- Consumers rarely understand downstream transfer implications
- Policies may permit amendment after acquisition
- Bankruptcy courts historically prioritize creditor recovery
These concerns became particularly acute given the scale of the genetic datasets involved.
C. Appointment of a Consumer Privacy Ombudsman
In response to mounting regulatory pressure, the bankruptcy court approved the appointment of a consumer privacy ombudsman to oversee data handling and evaluate the privacy implications of any sale or transfer.
This development is notable because it reflects increasing judicial recognition that:
- Genetic information creates extraordinary privacy risks
- Traditional bankruptcy procedures may inadequately protect consumers
- Data governance considerations are becoming central to restructuring proceedings
III. International and Regulatory Reactions
A. FTC and State Attorney General Concerns
The Federal Trade Commission and multiple state attorneys general expressed concerns regarding the handling of consumer genetic data during the proceedings.
Regulators emphasized risks involving:
- Secondary use of genetic data
- Transfers to unknown purchasers
- Inadequate consent mechanisms
- Data security vulnerabilities
Several attorneys general publicly advised consumers to:
- Delete stored genetic data
- Withdraw research consent
- Request destruction of biological samples
B. International Data Protection Concerns
International regulators also intervened. The UK Information Commissioner’s Office (ICO) and Canada’s Office of the Privacy Commissioner issued joint statements emphasizing that any purchaser of 23andMe assets would remain subject to applicable privacy laws governing genetic data.
The ICO specifically noted concerns regarding:
- Genetic profiles
- Health reports
- Self‑reported medical conditions
- Long‑term downstream use of data
This demonstrates the increasingly global nature of genetic privacy governance.
IV. Emerging Legislative Responses
A. State Genetic Privacy Laws
Recent legislative activity suggests growing momentum toward stronger protections for genetic information.
Several states have enacted or proposed laws addressing:
- Explicit consent for genetic data transfers
- Consumer deletion rights
- Restrictions on secondary use
- Enhanced disclosure obligations
Rhode Island lawmakers recently advanced legislation prompted in part by concerns arising from the 23andMe proceedings.
B. Proposed Federal Reforms
Privacy advocates and legislators have also renewed calls for federal reform, including proposals such as the “Don’t Sell My DNA Act.”
Potential reform areas include:
- Opt‑in consent requirements for transfers
- Bankruptcy‑specific privacy restrictions
- Mandatory deletion rights
- Expanded FTC authority
Whether Congress will enact comprehensive legislation remains uncertain, but the political momentum surrounding genetic privacy continues to increase.
V. Compliance Implications for Organizations
Organizations collecting biometric or genetic information should view the 23andMe controversy as a significant compliance warning.
1. Data Minimization
Organizations should collect and retain only data reasonably necessary for defined purposes. Data minimization remains one of the most effective risk‑reduction mechanisms.
2. Enhanced Consent Mechanisms
Consent frameworks should clearly address:
- Research uses
- Potential corporate transactions
- Data sharing practices
- Long‑term retention policies
3. Bankruptcy and M&A Preparedness
Privacy governance programs should incorporate:
- Transactional data transfer protocols
- Consumer notification procedures
- Due diligence regarding privacy representations
- Restrictions on downstream purchaser use
4. Vendor and Third‑Party Oversight
Organizations partnering with genetic testing or biometric analytics providers should carefully evaluate:
- Security controls
- Data retention practices
- Cross‑border transfer risks
- Contractual limitations on data use
5. Incident Response and Security
Given the sensitivity of genetic information, organizations should implement:
- Multi‑factor authentication
- Encryption protocols
- Access controls
- Continuous monitoring mechanisms
The 2023 breach affecting millions of 23andMe users illustrates the severe consequences of inadequate safeguards.
Conclusion
The 23andMe bankruptcy proceedings have become a defining moment in modern privacy law, exposing profound gaps in the United States’ regulatory approach to genetic information. The controversy underscores that genetic data cannot be treated as an ordinary commercial asset; its sensitivity, permanence, and familial implications demand heightened legal protections.
As lawmakers, regulators, and courts continue grappling with these issues, organizations handling genetic and biometric data must proactively strengthen governance frameworks, reassess consent and retention practices, and prepare for increased regulatory scrutiny.