23andMe’S BANKRUPTCY: IS THE SKY FALLING?

May 28, 2025 Brian K. Fullmer James S. Samuelson Resources

Since 23andMe’s filing for Chapter 11 bankruptcy on March 23, 2025, the treatment of personally identifiable information (PII) has drawn significant media attention due to the extremely sensitive nature of the data involved. As a provider of genetic testing and health-related services, 23andMe holds vast amounts of consumer data, including DNA profiles, medical histories, and other personal information. The handling of this critical data during a bankruptcy sale implicates both privacy concerns and federal statutory protections.

As a threshold matter, the potential scope of data, both type and quantity, available to be transferred will be governed by both prevailing federal and applicable state data privacy statutes and the contractual obligations of 23andMe’s users. Users of 23andMe agree to the prevailing terms of service, including related policies such as its privacy statement and use of information disclaimer, upon use or access of its products, software, services, and website, regardless of whether such use is connected to an account.

23andMe’s terms of service contain a customary agreement in which the user acknowledges that permission is granted to “23andMe, its contractors, successors, and assignees” to irreversibly analyze any DNA samples submitted. This includes an explicit statement that certain rights to information derived from that sample are retained by 23andMe. Users further grant a license to 23andMe and its successors and assigns with respect to any “User Data” (identified as information, graphics, and other content generated by users and transmitted to or through 23andMe). Nevertheless, alarm bells need not necessarily ring among those who have used 23andMe’s services.

In addition to the terms of service, 23andMe’s privacy statement establishes concrete limits upon the permitted use and transfer of information which govern the PII in question. To begin with, 23andMe segregates data into two categories – “Individual-level Information,” which is aligned with customary PII under statutory and regulatory regimes, and “De-identified Information,” meaning information which has been stripped of any identifying data such that an individual “cannot reasonably be identified,” which includes aggregated and de-identified group information. With respect to use of PII, 23andMe’s privacy policy provides a blanket ban on use of genetic information unless a user has opted in. Users who have existing privacy concerns would best protect their information by accessing 23andMe’s portal and confirm they are opted out, and if not, update their settings to opt out of this use of information.

With respect to the transfer of PII, the current privacy policy for 23andMe permits data sharing to various third parties, including service providers and contractors assisting with services. In particular, the company’s bankruptcy is governed by this language: “If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.” In using the services, therefore, a user of 23andMe agrees and represents that any PII provided to the company may be transferred, and the sale of identifying information, including without limitation PII, would otherwise be permissible pursuant to the prevailing contractual terms between users and 23andMe. While this may justify consumer alarm with respect to PII, the United States Bankruptcy Code provides significant statutory and legal protection of this information.

Under section 363(b)(1) of the Bankruptcy Code, a consumer privacy ombudsman must be appointed when a debtor proposes to sell or lease PII in a manner that violates the restrictions set forth in its privacy policy in effect at the time the data was collected. In this case, however, 23andMe’s privacy policy explicitly authorizes the transfer of PII in bankruptcy, and the court-approved bidding procedures require any successful bidder to comply with that policy.  As a result, the statutory requirement for appointing an ombudsman was not automatically triggered.

Nonetheless, the bankruptcy court retains discretion to appoint a consumer privacy ombudsman even when not required by the statute. The court may do so either with or without the request of a party in interest if it determines that additional oversight is necessary to protect consumer privacy. If appointed, the ombudsman’s role is to review the debtor’s privacy policy and prepare a report evaluating the privacy implications of the proposed sale. The report typically includes an assessment of potential losses (or gains) in consumer privacy and may recommend conditions or safeguards to mitigate any risks. The court considers the report in determining whether to approve the sale and whether to impose privacy-related conditions.

Initially, no ombudsman had been appointed in the 23andMe case. On March 28, 2025, the bankruptcy court entered a bidding procedures order that governs how the debtor’s customer data may be sold. The procedures order requires all qualified bidders to comply “in all respects” with the debtor’s existing privacy practices and mandates that each bid include a statement confirming the bidder’s intent to do so. These provisions are designed to ensure that any purchaser maintains the privacy standards in place at the time the data was collected.

23andMe appeared to recognize that oversight is needed. It filed a motion to appoint an independent customer data representative. However, the representative would be chosen by 23andMe and would have a more limited role than a court-appointed ombudsman. In early April 2025, the United States Trustee (“UST”) and a group of approximately 25 states (including Arizona) moved the Court to appoint a consumer privacy ombudsman.

The UST and the states argued that a neutral ombudsman is necessary because 23andMe’s privacy policies have changed over time. They also point to 23andMe’s prior data breach, the complexity and highly personal nature of the data involved, and the mix of federal, state, and international privacy laws at play.

Not surprisingly, 23andMe dropped its request for an independent customer data representative and agreed to appointment of a court-appointed ombudsman.  On April 29 the bankruptcy court entered an order for the UST to appoint a consumer privacy ombudsman, and on May 6, Neil M. Richards was appointed as ombudsman. Mr. Richards will evaluate the proposed handling of customer genetic and other personal information and provide reports to the court addressing the privacy risks, legal compliance and appropriate safeguards.

A sale hearing is scheduled for June 17, 2025. Given the sensitive and uniquely personal nature of the data held by 23andMe, we recommend that stakeholders continue to monitor proceedings as they develop to understand specifically how the transfer of PII will be handled, including which privacy laws will apply to the ultimate purchaser of this information, and any additional prospective compliance requirements and protections mandated by the bankruptcy court. As noted above, users who have existing privacy concerns would best protect their information by accessing 23andMe’s portal to confirm they are opted out of use of certain information, and if not, update their settings to opt out of this use of information.

Categories