
23andMe bankruptcy sale raises questions of who owns your genetic data – Legal Analysis

Human genomics and telehealth company 23andMe recently filed for bankruptcy protection in the Eastern District of Missouri. The company says that it intends to use Chapter 11 to run a sale process for its assets. This has raised concerns about the identity of the eventual buyer and the uses to which they might put the company’s vast database of customers’ genetic information. Indeed, out of concern for what might happen to the data, the attorneys general and other state offices of at least 28 states[1] have issued press releases or alerts reminding customers of their rights to delete their data or even encouraging such action.

In this article, the Debtwire legal analyst team provides an overview of 23andMe’s product lines, its privacy policies and how it uses customer data. It also discusses what data might be sold in bankruptcy and the potential limitations on such transfer.

 

23andMe’s business lines

23andMe, which has over 15m customers, is perhaps best known for its direct-to-consumer genetic testing, which is conducted through the use of saliva kits and provides information about one’s ancestry. However, the debtors’ offerings expand well beyond ancestry services. The company operates three business lines – (i) Personal Genome Service (PGS), (ii) TeleHealth, and (iii) Research Services. PGS, which is the largest driver of the company’s revenues, provides customers with reports on their ancestry, genetic health predispositions and risks, carrier status, and how their genes can affect their response to medications. One membership also offers access to genetics-based medical care. The PGS business line accounted for 76% of the company’s revenues for the fiscal year ending 31 March 2024, according to the declaration of Matthew Kvarda, which was filed in support of the Chapter 11 cases.

The company also operates a telehealth platform, Lemonaid Health, which, according to the declaration, acts as a “national online doctor’s office,” providing medical care, pharmacy services, and laboratory testing services. Lemonaid Health contracts with four non-debtor professional medical corporations (PMC) that are 100% owned by licensed medical providers. The company has a management services agreement (MSA) with each PMC and provides business, administrative, and non-clinical services in exchange for a fixed fee. The company also operates a mail order pharmacy. The TeleHealth business accounted for approximately 16% of the company’s revenues in FY 2024 according to the declaration.

In addition, 23andMe operates a voluntary research program. Participating customers allow the company to use their genotypic data, as well as phenotypic data that they provide about their health and physical and lifestyle characteristics. 23andMe says that it has more than 5.5bn unique phenotypic data points and that its research database is one of the world’s largest. It uses the database to research the intersection of genetics and disease and to identify new drugs in cooperation with universities, research institutions, and pharmaceutical companies. According to the company, more than 80% of its customer base “who are genotyped and eligible for research” have elected to take part in the research. In FY 2024, it generated approximately 8% of its revenues from the research business line.

 

The company proposes a bankruptcy sale of all the companies’ assets

23andMe has never recognized any net profits and has funded its operations from the sale of equity and sales of PGS and Telehealth products and services. As interest rate increases and inflation raised the company’s operating costs, the market for its PGS line declined, and the company faced increased competition for its ancestry and telehealth services. In addition, a data breach in October 2023 led to a barrage of costly consumer lawsuits in both the US and abroad. After running an unsuccessful out-of-court sales process, 23andMe chose to continue that process in Chapter 11 and filed its bankruptcy petitions in the US District Court for the Eastern District of Missouri on 23 March.

The debtors stated in their bidding procedures motion that in bankruptcy they seek to “effectuate a value-maximizing sale of substantially all or a portion of their assets.” One of the bidding requirements approved by the bankruptcy court on 27 March is that the bidder “must comply in all respects with the Debtors’ consumer privacy practices.” The bidding procedures acknowledge, however, that those privacy practices “do not restrict the transfer of personally identifiable information of the Debtors’ customers in connection with a bankruptcy, merger, acquisition, reorganization, or sale of assets.”

 

Who owns your data?

The agreement between 23andMe and its US customers is governed by the company’s Terms of Service. They are not optional, stating that “if you do not agree with our Terms or any other policies, then do not use the Services.” The Terms allow a customer to delete their account “at any time.” According to 23andMe’s website, once a customer requests deletion the company will “immediately and automatically begin the deletion process.” Any stored genetic samples will be discarded and “Personal Information,” which includes Genetic Information, Sample Information, Biometric Information, and Self-Reported Information, will not be used in future research projects.[2]

According to the Terms of Service, the data provided by users to 23andMe generally falls into two buckets – information derived from the sample submitted by customers and “User Content.” With respect to the former, the Terms of Service states that “[a]ny information derived from your sample remains your information,” subject to rights retained by the company. The company adds that providing and processing a sample does not give the customer any rights in research or commercial products that are developed by 23andMe or its collaborators.

“User Content,” in turn, is “all information, data, text, software, music, audio, photographs, graphics, video, messages, or other materials generated by users of the Services and transmitted, whether publicly or privately, to or through 23andMe.” It does not include genetic or health information. The debtors state that in order for the company to provide services, the user agrees to grant 23andMe, affiliated companies, sublicensees and successors a “perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license” to the data that is “fully-paid and royalty free.”[3] In other words, the company can use “User Content” in perpetuity and without compensation to the customer. This license survives any termination of the Terms of Service and is transferable. The user nonetheless retains the copyrights on such data.

The company reserves the right to amend the Terms of Service “at any time,” and says that continued access to or use of the services after any change constitutes consent to the revised terms.

 

Privacy Issues

23andMe’s Privacy Statement provides additional guidelines about the handling of “Personal Information.” The Privacy Statement says that if 23andMe is “involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.”

The Privacy Statement governs the retention of Personal Information. Like the Terms of Service, it says that a customer can delete their account “at any time.” In a supplemental Privacy Notice applicable to the residents of California, Colorado, Connecticut, Utah, and Virginia, who are protected by various data privacy and protection acts, 23andMe also states that all US customers can request the deletion of their data. According to the Privacy Statement, upon the deletion of an account the customer is opted out of research and their sample is discarded. However, it also says that 23andMe will keep Personal Information “for as long as necessary” to comply with legal obligations, resolve disputes and enforce agreements, as well as for “other legitimate and lawful business purposes.” Nonetheless, even if a user deletes their account, the company can retain Genetic Information to comply with “applicable legal obligations.”

In addition to the Terms of Service, the company has three types of optional consent documents. A biobanking consent provides for the storage of the customer’s sample and allows 23andMe to “access and analyze” the sample until consent is withdrawn or the customer closes their account. Withdrawal of consent does not rescind the lawfulness of any processing prior to withdrawal. In addition, a research consent allows the company to use a customer’s anonymized[4] genetic information in research conducted by 23andMe. Finally, the company has an individual data sharing consent that supplements the research consent and allows the company to share genetic information with collaborators. If a customer withdraws their agreement to the research and data sharing consents, the company will not use the information in new research or share information, but the withdrawal may take up to 30 days to be effective.

As with the Terms of Service, the company further reserves the right to modify the Privacy Statement.

 

What could happen to customer data in a bankruptcy?

The filing of a Chapter 11 petition creates a bankruptcy estate that is separate and apart from the debtor and contains “all legal or equitable interests of the debtor in property as of the commencement of the case.”[5] In the case of 23andMe, this would include not only any outright ownership of data, but also any rights to use data. Thus, 23andMe’s estate would include all of its rights to use customer data pursuant to its licenses and the consent agreements. Furthermore, the Bankruptcy Code also allows a debtor to assume and assign any executory contracts to which it is a party, such as the Terms of Service.[6] Thus, 23andMe could assume its Terms of Service, Privacy Statements and consent agreements and assign them to any purchaser and, at the time of transfer, those contracts would bind customers and the purchaser to the same extent that they currently bind customers and 23andMe.

As noted, the Terms of Service tell customers that “[a]ny information derived from your sample remains your information.” This appears to state that customers own their genetic information, in which case it would not be the property of 23andMe’s bankruptcy estates. Under such an understanding, in a sale, ownership of the genetic data would remain with the customer and would not transfer to the purchaser, since a bankruptcy estate cannot sell something that it does not own and in which it. However, the Privacy Statement seems to contradict this, saying that in the event of a bankruptcy, acquisition or asset sale, Personal Information, which includes genetic information, may be “sold or transferred,” subject to the continuing applicability of the Privacy Statement to the purchaser, thereby implying that genetic information could be sold. These two statements appear to create an ambiguity as to the ownership of the data, one that is perhaps best resolved by understanding that any sale is limited to 23andMe’s licensing rights and conferred and withdrawable consent rights, and that the customer ultimately retains ownership of their information.

The company’s contractual rights to use the data are undoubtedly property of the bankruptcy estates and could be transferred in any sale, subject to any limitations on their assignment under non-bankruptcy law. Any rights to use the data under any of the consent agreements, as well as the perpetual license to use “User Content,” could transfer to the purchaser. However, the transfer of customer data could be complicated to a certain extent by state law. For example, according to digital rights group The Electronic Frontier Foundation, the company would have to obtain customer consent to the transfer of data under the laws of at least 12 states, including California, Texas, and Virginia.

After any sale, the rights to use the data would be subject to the company’s Privacy Statement, as any potential purchaser must agree to “comply in all respects with the Debtors’ consumer privacy practices.” As noted, the company reserves the right to change the Terms of Service and the Privacy Statement at will. However, if any purchaser decided to modify the Terms of Service and Privacy Policy to make them more favorable to the company, it would likely need to obtain renewed customer consent; otherwise, it could risk an enforcement action by the Federal Trade Commission (FTC) or a barrage of individual lawsuits under state deceptive trade practices acts.[7]

Last year, the FTC noted on its blog that changing the Terms of Service to “adopt more permissive data practices” could be a deceptive practice. It stated that “[a] business that collects user data based on one set of privacy commitments cannot then unilaterally renege on those commitments after collecting users’ data.”[8] In addition, in a now-deleted posting from 2015 the FTC stated that when one company acquires another, the acquiring company can continue existing privacy practices. Alternatively, it can, with respect to information collected before the acquisition, get consumers to give their “express affirmative consent to opt in” to any new practices and, with respect to information to be collected in the future, give consumers notice of a choice about whether to agree to the change (although express affirmative consent may not be necessary). “Simply revising the language in a privacy policy or agreement isn’t sufficient,” according to the FTC. Thus, 23andMe’s current Terms of Service, which deems consent to be given by a customer’s continued access to and use of services after any policy change, might not meet some of these standards.

Another question in 23andMe’s bankruptcy case is how many customers will seek to delete their accounts and have their sample and data discarded between now and the closing of any sale. Given that customer data is the central value proposition underlying the company’s business, such deletions, if extensive, could negatively affect the value of the company and the price that any bidder is willing to pay. Indeed, there have been reports of a surge in traffic on the company’s website of customers who are trying to delete their data. It is unclear how much data will be deleted before the completion of any sale, and therefore how much of a melting ice cube 23andMe is, but data deletion would have to be accounted for in any valuation of the company’s assets. If a significant amount of data ends up being deleted, it might make the company a less attractive, and less expensive, target for potential purchasers.

The debtors have scheduled a bid deadline of 7 May and a sale hearing deadline of 17 June. It remains to be seen whether concerns over the ultimate destination and use of the data will push out these dates. While the most straightforward way of addressing privacy concerns would appear to be to request the deletion of one’s data (assuming that the company or any purchaser would comply), some consumers and/or government regulators may seek to address those concerns by objecting to the sale. Already, at the hearing to approve the debtors’ bid procedures, an attorney representing the state of Indiana expressed concern about ensuring that the sale parties will comply with state consumer protection and privacy laws.

At that same hearing, counsel for the US Trustee raised privacy concerns, stating that it would be better to have a consumer privacy ombudsman appointed to review the sale procedures. Section 332 of the Bankruptcy Code authorizes a bankruptcy court to appoint a consumer privacy ombudsman to assist it in its consideration of a proposed sale of personally identifiable information, including “potential losses or gains of privacy to consumers” and “potential costs or benefits to consumers.”[9] Section 363(b)(1) of the Bankruptcy Code, in turn, places conditions on the sale of a company that has issued a privacy policy to consumers “prohibiting the transfer of personally identifiable information.” It provides that personally identifiable information cannot be sold unless the sale is consistent with the privacy policy or, after the appointment of a consumer privacy ombudsman, the court approves the sale “giving due consideration to the facts, circumstances, and conditions of such sale,” and finds that the sale would not “violate applicable bankruptcy law.”[10] At the bid procedures hearing, the bankruptcy judge said that he would address the sale and the possible appointment of an ombudsman on separate tracks, possibly indicating that he did not intend to let privacy concerns affect the sale timeline, at least for now. Ultimately, time will tell if privacy concerns delay, or even derail, a sale.

 

 

Paul Gunther is a former practicing restructuring and litigation attorney. Prior to joining Debtwire as a Legal Analyst, Paul practiced in the New York offices of Dentons US LLP, Salans LLP and Mayer Brown LLP. He has represented various constituencies in high-profile restructurings.

This report should not be relied upon to make investment decisions. Furthermore, this report is not intended and should not be construed as legal advice. ION Analytics does not provide any legal advice, and clients should consult with their own legal counsel for matters requiring legal advice. All information is sourced from either the public domain, ION Analytics data or intelligence, and ION Analytics cannot and does not verify or guarantee the adequacy, accuracy or completeness of any source document. No representation is made that it is current, complete or accurate. The information herein is not intended to be used as a basis for investing and does not constitute an offer to buy or sell any securities or investment strategy. The information herein is for informational purposes only and ION Analytics accepts no liability whatsoever for any direct or consequential loss arising from any use of the information contained herein. 

——————

Endnotes

[1] Some of the states that have issued alerts are California, New York, Washington, Georgia, Minnesota, Tennessee, Kansas, Nevada, Idaho, Virginia, Maryland, North Carolina, South Carolina, Arizona, Oregon, Connecticut, Vermont, Utah, Massachusetts, New Hampshire, Maine, Delaware, Alabama, Hawaii, Indiana, Michigan, Montana, and Florida, as well as the District of Columbia.

[2] 23andMe’s Privacy Statement defines “Genetic Information” as information regarding genotype, including genetic data and reports. “Sample Information” is information regarding any sample such as a saliva sample that is submitted for processing. “Biometric Information” is self-reported information used to identify biological characteristics. “Self-Reported Information” is information that the customer provides regarding “gender, disease conditions, health-related information, traits, ethnicity, and family history.”

[3] The license allows 23andMe to “host, reproduce, adapt, modify, translate, publish, publicly perform, store, publicly display, distribute, reproduce, edit, reformat, and create derivative works from any User Content that you submit, post, or display on or through the Services.”

The Privacy Statement distinguishes Personal Information from “Aggregate Information,” which it defines as “information about a group of people, such as an analysis or evaluation of a group” that is “describe[d] . . . in such a way that no specific individual may be reasonably identified.” The Privacy Statement does not specify how Aggregate Information is handled, but a supplemental privacy notice states that US state data protection laws do not consider aggregate information to be Personal Information.

[4] The information is anonymized by disassociating the information from the person’s name and contact information. However, the National Human Genome Research Institute asserts on its website that “each person’s DNA sequence is unique, which means a DNA sample can never be truly anonymized.”

[5] 11 U.S.C. § 541.

[6] 11 U.S.C. § 365. There is no statutory definition of executory contract, but one commonly applied definition is that a contract is executory where both parties have continuing obligations such that if either failed to continue to perform it would constitute a material breach.

[7] 15 U.S.C. § 45.

[8] The FTC also reached a settlement with a genetics testing company after it alleged that the company “deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.”

[9] 11 U.S.C. § 332. The Bankruptcy Code defines “personally identifiable information” to include names, geographical and electronic addresses, telephone number, social security numbers, credit card numbers provided by an individual to the debtor to obtain a product or service, and “any other information concerning an identified individual that, if disclosed, will result in contacting or identifying such individual physically or electronically.” The definition does not specifically include genetic data.

[10] 11 U.S.C. § 363(b)(1)