Full Report
The recommendation to the bankruptcy judge overseeing the sale is partially based on messages from 23andMe customers who told him they are worried about their genetic data’s inclusion in the sale.
Analysis Summary
This summary is based on the recommendation provided by a consumer privacy ombudsman regarding the proposed sale of 23andMe’s consumer genetic data during bankruptcy proceedings.
# Regulation/Compliance: Ombudsman Recommendation on Data Sale Consent (23andMe Bankruptcy)
## Overview
This summary details the recommendation from the Consumer Privacy Ombudsman, Neil Richards, to the bankruptcy court overseeing the sale of 23andMe assets. The core recommendation is that consumers must be allowed to provide **separate and affirmative (opt-in) consent** before their highly sensitive genetic data is included in the sale, as the existing privacy policy updates may not legally or ethically cover this eventuality.
## Key Details
- **Issuing Authority:** Consumer Privacy Ombudsman (Neil Richards), acting in a court-appointed advisory capacity during 23andMe bankruptcy proceedings.
- **Effective Date:** Recommendation presented immediately to the bankruptcy court (timing contingent on court ruling).
- **Jurisdiction:** Bankruptcy Court for the District of Missouri (governing the 23andMe sale process).
- **Status:** Recommendation/Advisory Opinion.
## Requirements
### Mandatory Requirements (As recommended by the Ombudsman for the sale)
1. **Separate and Affirmative Consent:** Organizations must obtain explicit, opt-in consent from consumers specifically for the sale of their genetic data as an asset.
2. **Transparency:** Any major policy changes, especially those concerning the potential sale of data in bankruptcy, must be communicated clearly and visibly, not buried in technical policy language.
3. **Data Deletion Management:** Organizations must effectively manage and process consumer requests for data deletion, including addressing accounts of deceased relatives.
### Recommended Practices
1. **Post-Consent Utilization:** If the court mandates consent, the winning bidder should be required to obtain this consent *before* utilizing the data.
2. **Respecting Past Promises:** The company should honor its historically visible public promises regarding privacy, which often differed from the technical disclosures in the full privacy policy.
## Affected Organizations
- **Industries:** Direct-to-Consumer Genetic Testing, Healthcare Data Brokers, Companies facing M&A or Bankruptcy proceedings involving sensitive personal data.
- **Organization Size:** Affects any entity holding large troves of consumer genetic or highly sensitive PII.
- **Geographic Scope:** Although the forum is a U.S. Bankruptcy Court, the principles apply to any company handling data under U.S. privacy frameworks, which often default to state laws such as CCPA/CPRA.
## Compliance Timeline
- **June 2022 (Historical):** 23andMe updated its privacy statement to *mention* the potential for data sale in bankruptcy, but this notice was deemed insufficiently visible.
- **March 2024 (Historical):** 23andMe declared bankruptcy.
- **TBD (Immediate):** Court ruling must be issued on the Ombudsman's recommendation regarding required consent before the auction proceeds.
- **Upon Sale Approval:** Full compliance requires obtaining affirmative customer consent for the data transfer, either before the assets pass to the winning bidder or, at the latest, before the bidder uses the data post-sale.
## Implementation Guidance
### Assessment Phase
- **Policy Gap Analysis:** Review historical privacy policy changes against public-facing statements to identify discrepancies in consumer understanding regarding data monetization, especially concerning bankruptcy sales.
- **Data Inventory:** Identify volumes of active and inactive customer data, particularly focusing on genetic material/sequences.
### Implementation Phase
- **Consent Mechanism Development:** If the court agrees, organizations must immediately halt data packaging for sale until a granular, opt-in consent mechanism for the specific transaction is designed and implemented.
- **Data Deletion Prioritization:** Review and expedite the backlog of data deletion requests flagged in the report.
### Validation Phase
- **Auditing Consent:** Log and audit all new affirmative consents obtained specifically for the data sale auction.
- **Consumer Confirmation:** Verify, through sampling, that consumers explicitly understand they are opting into the sale of their genetic data.
## Technical Requirements
Specific technical requirements are not detailed, but the implementation implicitly requires:
1. **Data Segregation:** Ability to segment data sets based on consent status (those who opted-in for this specific sale vs. others).
2. **Secure Deletion Protocols:** Robust execution of data purging for those exercising deletion rights.
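As an added example (not code from the ombudsman's filing or from 23andMe's systems), the sketch below shows one way to implement the consent-status segregation described above together with the consent audit trail from the validation phase: only an explicit, purpose-bound opt-in for this specific sale qualifies a record for transfer, a general privacy-policy acceptance does not, and pending deletion requests override everything. The purpose identifier, field names and sample records are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed transaction identifier for the specific sale being consented to.
SALE_PURPOSE = "asset-sale-auction-PLACEHOLDER"

@dataclass
class ConsentRecord:
    purpose: str      # what the consent covers; must match the sale exactly
    granted: bool     # True only for an affirmative grant, never a default
    source: str       # "explicit-opt-in" vs. "policy-update-notice"
    at: str           # ISO timestamp, constructed for the sample

@dataclass
class Customer:
    cid: str
    consents: list
    deletion_requested: bool = False

def has_affirmative_sale_consent(c: Customer, purpose: str) -> bool:
    # Silence, a declined prompt, or acceptance of a policy update that
    # merely mentions bankruptcy sales do not count as consent to the sale.
    return any(r.purpose == purpose and r.granted and r.source == "explicit-opt-in"
               for r in c.consents)

def segment_for_sale(customers, purpose):
    """Return (transferable ids, excluded ids, audit rows) for one sale."""
    transferable, excluded, audit = [], [], []
    for c in customers:
        if c.deletion_requested:          # deletion rights take precedence
            excluded.append(c.cid); audit.append((c.cid, "excluded", "deletion-pending"))
        elif has_affirmative_sale_consent(c, purpose):
            transferable.append(c.cid); audit.append((c.cid, "included", "opt-in"))
        else:
            excluded.append(c.cid); audit.append((c.cid, "excluded", "no-sale-consent"))
    return transferable, excluded, audit

# Constructed sample ledger covering the cases the recommendation distinguishes.
SAMPLE = [
    Customer("c1", [ConsentRecord(SALE_PURPOSE, True, "explicit-opt-in", "2025-06-01T00:00:00Z")]),
    Customer("c2", [ConsentRecord("privacy-policy-2022", True, "policy-update-notice", "2022-06-01T00:00:00Z")]),
    Customer("c3", [ConsentRecord(SALE_PURPOSE, False, "explicit-opt-in", "2025-06-01T00:00:00Z")]),
    Customer("c4", [ConsentRecord(SALE_PURPOSE, True, "explicit-opt-in", "2025-06-01T00:00:00Z")],
             deletion_requested=True),
    Customer("c5", []),
]

if __name__ == "__main__":
    ok, no, log = segment_for_sale(SAMPLE, SALE_PURPOSE)
    for row in log:
        print(row)
```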
## Penalties & Enforcement
- **Fines:** Traditional regulatory fines are not the primary immediate concern; the consequence is primarily court-enforced restructuring of the sale terms.
- **Other Consequences:** Failure to comply could lead to the **invalidation of the asset sale**, significant reputational damage, and increased enforcement scrutiny from Congress and future privacy regulators.
- **Enforcement:** Direct judicial enforcement by the Bankruptcy Judge overseeing the proceedings. Congressional oversight also applies significant pressure.
## Related Standards
- **General Privacy Principles:** The recommendation aligns with core principles in GDPR (explicit consent) and CCPA/CPRA (right to opt-out of sale, implying an opt-in requirement for highly sensitive data sales).
- **Trustworthiness Frameworks:** Highlights the failure to uphold user trust, a key component of ethical data handling frameworks.
## Resources
- **Official Documentation:** The specific court filing by Ombudsman Neil Richards (Docket entry referenced in context).
- **Guidance Documents:** Congressional hearing transcripts regarding consumer empowerment and data sensitivity.
## Practical Recommendations
1. **Assume Strict Consent:** Any entity anticipating a sale of highly sensitive data in bankruptcy should proactively plan to meet the standard of “separate and affirmative consent,” regardless of previous boilerplate disclosures.
2. **Harmonize Statements:** Ensure public-facing privacy representations precisely match the technical limitations and potential outcomes described in the legal terms of service.
3. **Prioritize Deletion:** Treat data deletion requests as an urgent action item, as failure to comply compromises consumer rights and escalates legal risk.