FTC: 23andMe Can Sell Data But Buyer Must Honor Deletion Requests
Biotechnology company 23andMe can sell users’ genetic data in its bankruptcy sale, but the buyer must honor the company’s original privacy terms and users’ right to delete, FTC Chairman Andrew Ferguson said in a Monday letter to DOJ (see 2503280047) and (2503240046).
Sign up for a free preview to unlock the rest of this article
All data sold in the transaction “will be subject to the representations the Company has made to users about both privacy and data security, and which users relied upon in providing their sensitive data to the Company,” Ferguson wrote.
The letter went to officials at the U.S. Trustee Program, a DOJ office that oversees the administration of bankruptcy proceedings. The office didn’t comment Monday. 23andMe didn’t comment.
State attorneys general and international regulators have issued guidance on how users can access and delete the data 23andMe collected. Ferguson noted 23andMe’s commitment that users are “in control of their data” and can decide how it's handled, “including honoring the right of users to delete their personal information at any time.”
The company said in a March 26 statement that to constitute a qualified bid, potential buyers must “agree to comply with 23andMe’s consumer privacy policy and all applicable laws with respect to the treatment of customer data.”
Ferguson said he’s “pleased” to see public statements indicating 23andMe will prioritize honoring its privacy representations in the sale. He said any purchaser should “expressly agree to be bound by and adhere to the terms of 23andMe’s privacy policies and applicable law, including as to any changes it subsequently makes to those policies.”
23andMe collects DNA through saliva samples, phenotypic information and personal information like names, contact information and payment details.
Attorneys from Foley Hoag on Friday said the bankruptcy code protects personally identifiable information. The firm noted that a potential privacy ombudsman could be appointed to ensure user data is properly protected during a sale. Because 23andMe “provides direct-to-consumer genetic testing,” it’s not a healthcare company and isn’t subject to federal regulations like the Health Insurance Portability and Accountability Act and the Genetic Information Nondiscrimination Act, they said. However, 23andMe and its purchaser must follow FTC Act regulations for unfair and deceptive practices, as well as data deletion requirements under state laws like the California Consumer Privacy Act.
AGs from New York, North Carolina, South Carolina, California, Indiana and Colorado have recommended users delete their sensitive 23andMe data. Colorado AG Phil Weiser (D) on Monday urged users to “act now to protect your data.”