Consumers have been trading their DNA for a personal genetic history lesson with 23andMe since 2007. The company has since become extremely popular and has collected a trove of genetic information relating to more than 14 million people. But in March 2025, 23andMe filed for Chapter 11 bankruptcy due to ongoing financial struggles and data privacy concerns after the company experienced a major data breach involving approximately 6.9 million customers and resulting in a $30 million settlement.
Now, the company and its assets could potentially be sold to an entity that has a different agenda for millions of individuals’ genetic information. In that event, genetic information could be used for research on genetic diseases, identification of individuals in law enforcement actions, and other applications that consumers may not have contemplated when they provided their genetic information to 23andMe.
The fate of 23andMe raises two questions: what laws, if any, protect this information, and what can customers do to protect their data?
Data privacy laws
All 50 states have data breach notification laws that require data owners to notify individuals if certain personal information was subject to unauthorized access or acquisition. However, acquiring data through the sale of a bankruptcy estate does not make that acquisition unauthorized. It is likely that the bankruptcy estate would be considered the “owner” of the data, with authorization to sell it without the consent of the individuals who provided it. And, in turn, the buyer’s subsequent use of the data would be “authorized.”
It should also be noted that states define personal information differently, and only a small number of states protect biometric information such as genetic information. State laws generally do not govern the processing of the data. Thus, if the acquirer of the data experiences a data breach, 23andMe, or a future acquirer, may be required to inform individuals of the breach but will not necessarily be required to disclose how their information is being used.
Federal laws also do not offer much help here. The Health Insurance Portability and Accountability Act applies only to certain types of health care entities and their vendors. 23andMe, or a subsequent purchaser, is not likely to fall under this classification. Further, to qualify as protected health information under HIPAA, the information generally needs to be transmitted electronically and related to a person’s health condition, or to the provision of, or payment for the provision of, health care. Therefore, data collected by 23andMe would not qualify as protected health information. Although the federal Genetic Information Nondiscrimination Act prohibits employers and health insurance companies from discriminating based on an individual’s genetic information, among other things, it presumably would not protect against other uses of the information.
What can 23andMe customers do?
Currently, customers are still able to delete their data and profiles from 23andMe. Customers should also consider requesting destruction of their saliva samples and cancellation of any further use of their genetic information. Additionally, it is a best practice to review the privacy policies of companies to which consumers divulge personal information. Privacy policies typically explain what third parties, if any, will receive the information and how the information is processed.
The Constangy Cyber Team assists businesses of all sizes and industries with compliance needs. If you would like additional information about state or federal data privacy laws, please contact us at cyber@constangy.com.
Matthew Basilotto, Attorney: Matthew Basilotto is a member of the Constangy Cyber Team and is based near Warren, New Jersey. As a member of our rapid response team, Matthew assists clients in responding to a variety of cyberattacks including ransomware, business ...
Matt Toldero, Partner: Matt Toldero is a partner and member of the Constangy Cyber Team and is affiliated with our Winston-Salem, North Carolina office. He brings over ten years of combined incident response and risk management experience to his role on our ...