The concerns identified in my earlier blog titled, The Dangers of Direct to Consumer Genetic Testing and the Prospective Sale of 23andMe, have come sharply into focus in 23andMe’s bankruptcy case.
With over 15 million customers having entrusted their DNA to the company, the prospect of this sensitive information being sold as part of bankruptcy proceedings has sparked widespread anxiety. In response, the court has appointed a consumer privacy ombudsman (“CPO”) a move that carries profound implications for consumer protection and data security.
Why the Privacy Ombudsman Matters
The appointment of a CPO is a victory for consumer rights advocates and state officials who argued that 23andMe’s initial proposal—a company-hired “data representative”—would not provide sufficient oversight. A group of more than 25 states objected to the company’s proposal arguing that 23andMe simply wanted to hire someone who would rubber stamp a sale.
The parties in interest reached a joint stipulation and agreed order signed by the Court providing for the CPO’s appointment by the Office of the United States Trustee.
The CPO will independently assess whether any sale of genetic data complies with federal privacy laws, the company’s existing policies, and promises made to customers, and whether it serves the best interests of customers, then report its findings to the Court.
The CPO will also, among other things, assess (1) “the potential losses or gains of privacy to consumers if such sale or lease is approved by the court,” (2) “the potential costs or benefits to consumers if such sale or lease is approved by the court,” and (3) “the cybersecurity program and security controls utilized by any potential purchaser,” according to the stipulation.
This ensures that consumer data is not simply treated as a financial asset but as highly sensitive personal information deserving of stringent protections.
The Risks of Genetic Data Sales
Genetic data is uniquely personal and immutable. Unlike passwords or financial information, DNA cannot be changed if compromised. The potential sale of 23andMe’s data to unknown buyers raises concerns about misuse, including discriminatory practices, unauthorized research, or even law enforcement access without consent.
The CPO’s role is to scrutinize any transaction to prevent such risks, ensuring that buyers adhere to strict privacy standards.
A Precedent for Future Bankruptcies
The appointment of a CPO in 23andMe’s case sets a precedent for how courts handle consumer data in corporate bankruptcies. As more companies collect vast amounts of personal information, similar protections may become standard practice in bankruptcy proceedings.
Ultimately, the CPO’s oversight provides a crucial safeguard against the reckless monetization of genetic data, ensuring that consumer rights remain at the forefront of 23andMe’s bankruptcy process.