Personal Information, Terms of Service, and the 23andMe Bankruptcy
These days, when we buy products or register for services, terms and conditions or terms of service or terms of use apply. Those terms often include a privacy policy, setting out the purposes for which the vendor may use our personal data. But what if that vendor goes bankrupt? There may be a new acquirer who will continue the business as a going concern, but what guarantees are there that the new owner will not sell your data? Or what if the business cannot be salvaged and its main asset is your data? Can it just sell it on the dark web?
These issues have come to the forefront in connection with the 23andMe bankruptcy. There are, by the way, interesting corporate governance issues that have arisen in the bankruptcy. Co-founder Anne Wojcicki was eventually able to set up a non-profit to purchase the company, and the bankruptcy court recently approved that purchase. There was a lot of drama along the way, as Matt Levine explains here. In short, because 23andMe had some real assets, bankruptcy turned out very well for it. There was interest and a bidding war. The company was once valued at $6 billion. It sold for $305 million, but that’s not nothing.
Anyhoo, it appears that there are significant gaps in the statutory regimes that protect personal data, including personal medical data, because, as Joe Hernandez reports for NPR here, “The Health Insurance Portability and Accountability Act, or HIPAA, applies to health care providers and insurers but not direct-to-consumers companies like 23andMe.” The only thing between the data of millions of 23andMe customers and the dark web was 23andMe’s terms of service. How much protection would those terms provide? As APNews reports here, twenty-seven states and the District of Columbia intervened in the 23andMe bankruptcy seeking to protect the privacy of consumer data. But what backstops are in place to otherwise protect consumers’ data from pillage?
The Planet Money podcast did a deep dive and provides some answers: there’s not much of a backstop. The bidders in the 23andMe bankruptcy pledged to abide by the company’s existing privacy policies and to comply with all relevant law. Planet Money reveals that what the law requires is that companies that acquire debtors that possess personal information preserve the debtor’s pre-existing policy. The notion, I suppose, is that the debtor’s customers have already agreed to the debtor’s privacy policy, so they have a level of privacy protection with which they are comfortable.
But we are talking about terms of service here. Customers never agreed to 23andMe’s privacy policy in any substantive sense. They paid for a service. They likely didn’t read or consider the privacy policy. It wasn’t salient to them. But perhaps it was salient to some people. Perhaps they were concerned about the uses to which their personal data could be put. Likely 23andMe provided assurances that their data was anonymized and would actually be used for the good of all of humankind. That’s nice.
Except privacy policies, like terms of use generally, can be updated at any time, and even the most intrepid consumer can’t keep up with all of the updates. The entity that buys the debtor adopts the existing privacy policy, except that the existing privacy policy can be amended. All it takes is an e-mail to all existing users notifying them that terms have been updated. I think I am a pretty typical consumer, and I predict that that e-mail, if it even gets through a spam filter, is going to be deleted unread. Life is short.
The safest thing to do (spoiler alert for those who want to listen to the Planet Money episode) is to delete your account. Doing so makes your personal data unavailable to 23andMe and its successor organizations, or so the privacy policy provides. They also have to destroy your saliva sample, but that takes a little time.