What Happens if a DTC Genomics Company Goes Belly Up?

The following post was originally published in three parts on September 14, 15 and 16 in Genetic Future.

Direct-to-consumer (DTC) genomics companies are not immune to the current recession. When TruGenetics, a new player in the DTC genomics space, announced in June that it would be handing out 10,000 free genome scans, both Genetic Future and the Genomics Law Report raised questions about the financial viability of its business model, particularly in the current economic climate. Sure enough, on August 21, TruGenetics announced that it had been unable to secure funding sufficient to support its business model as contemplated. Frequent readers know that TruGenetics is not the only DTC genomics company that is struggling. The financial struggles of deCODE Genetics have been well chronicled (see here, here and here) and even new market leader 23andMe has undergone a dramatic shift in its top management as it pursues a new round of financing.

Ultimately, it was a recent headline here at Genetic Future—“deCODE Genetics on the brink of insolvency”—that started us thinking: what would happen if an established DTC genomics company actually went bankrupt? More specifically, what would happen to the genomic (and other) data held by the company? Genomic data is likely to be the company’s most valuable asset. Can that data be sold off to help meet the company’s debts? Bankruptcy can be a confusing and arcane process, with real risks and uncertainties for companies, their creditors and their customers.

In today’s post—the first of three on this subject—we examine the privacy and confidentiality policies of several leading DTC genomics companies to find out what, if anything, they have to say about whether data can be transferred to another company. In the second part, which will appear tomorrow, we take a close look at how the legal system would likely treat a DTC genomics company’s bankruptcy. In the final part, on Wednesday, we attempt to answer the only question that really matters for most readers: what does it all mean for the average DTC genomics customer?

Part I: The Fine Print: What the Privacy Policies Say

Privacy policies are particularly important in the field of DTC genomics where the sensitivity of consumer data is rivaled only by that found in other areas of healthcare and in the financial services sector. Courts and regulators are concerned as well. For instance, the Federal Trade Commission (FTC) has brought actions to enforce “companies’ privacy promises about how they collect, use and secure consumers’ personal information.” The first question, then, is how DTC genomics companies’ Privacy Policies address the possibility of selling customers’ data. As examples, we will consider the policies of two companies, TruGenetics and 23andMe, which, together, help to illustrate the range of policies in place today.

1. TruGenetics. Despite its funding difficulties and the fact that it has invited registrants to remove themselves from its database, TruGenetics does still maintain a website that provides both a Privacy Policy and a Terms of Use. The Privacy Policy (which is incorporated verbatim into the Terms of Use) focuses on data anonymization, transfers requested by registrants and GINA. As for how TruGenetics intends to use registrants’ genomic and other information, the only guidance comes from the Terms of Use, which include the following:

Your questionnaire responses and genetic information will be used for genetic research. One of the main goals of TruGenetics™ is to develop a unique research database for conducting genetic studies. Your decision to use TruGenetics’™ services indicates that you are willing to contribute your questionnaire responses and genetic information to the TruGenetics™ research database. . . . TruGenetics™ may conduct this research, or may partner with another organization, including non-profit and commercial entities, to conduct research. TruGenetics™ may charge a fee for conducting research using this database.

TruGenetics’ policy contains a promise of confidentiality and anonymity—although, as we have written elsewhere, that is a promise that is probably unwarranted—but there is no promise that the data will not be distributed to third parties. In fact, just the opposite is true—the purpose of the data collection is for it to be used by third parties for research, and the policy provides no assurance that the data will not be used for any other reason. TruGenetics’ policy itself therefore is no obstacle to the sale of the data, and provides no detail for a registrant to determine the circumstances under which his or her data might be transferred, either in the ordinary course of business or bankruptcy.

2. 23andMe. 23andMe has three separate policies applicable to users of its DTC genomics service: a Privacy Statement, a Consent and Legal Agreement and a Terms of Service. These policies clearly contemplate that certain personal information, including both genotypic and phenotypic information, may be made available to “commercial and/or non-profit organizations that conduct scientific and/or medical research.” While the Privacy Policy provides that such information will not be made available without “explicit consent,” it is unclear from the terms alone whether this consent requirement is satisfied by the consumer’s signing the Consent and Legal Agreement (which is required prior to any genotyping) or whether separate consents must be sought prior to the disclosure.

23andMe’s Consent and Legal Agreement applies to the company’s “successors and assigns” (as does TruGenetics’), thus expressly contemplating that information may be transferred. Much more explicit, however, is a separate section of its Privacy Policy entitled “Business Transitions” which states candidly that, in the event of “a merger, acquisition by another company, or sale of all or a portion of its assets,… your personal information and non-personal information will likely be among the assets transferred.” Indeed, as 23andMe’s research efforts expand, that information might represent its most valuable asset.

23andMe agrees to provide advance notice via email and prominent notice on the website of such a transfer, as well as to “require an acquiring company or merger agreement to uphold the material terms of this privacy statement, including honoring requests for account deletion.” Notably, although in other situations involving the potential transfer of private data (for instance, for research purposes) 23andMe repeatedly emphasizes that consent will be required before third parties receive access to personal information, that requirement is absent from the “Business Transitions” provision. In addition, the requirement that an acquirer uphold the privacy statement applies only to the “material terms” of the privacy agreement—leaving open the question whether any particular provision of the privacy agreement is “material.”

3. deCODE Genetics. deCODE’s DTC offering, deCODEme, has a Privacy Policy, a Service Agreement and a Terms of Use. These policies are conceptually similar to the 23andMe policies, appearing to permit the sale or transfer of genomic information provided that the terms of the Privacy Policy are generally upheld by the acquirer. While deCODE’s public financial difficulties were in some respects the impetus for this article, its unique legal situation as an Icelandic company doing business in Reykjavik, subject to a distinctive set of bankruptcy laws and statutory restrictions, renders it unrepresentative of other DTC companies. For that reason, we will continue to restrict our analysis to U.S.-based firms. A recent article in the journal Science, however, contains interesting speculation about what might happen to deCODE’s enormous customer biobank, which is estimated to cover approximately 140,000 individuals, if the company does collapse, including speculation as to how deCODE might transfer its data to another EU entity under Icelandic and EU regulation.

4. So What Does It All Mean? If the company’s policy clearly permits the sale of genomic information in the kind of transaction that could be consummated in a bankruptcy case, then such a sale can go forward. But if the policy prohibits such a sale, or if the policy is unclear or does not address the subject at all, a transfer may still take place—subject to the ins and outs of bankruptcy law, including provisions specifically applicable to personal information. We’ll turn to that in the second part of this series.

Part II: Privacy Policies Through the Looking Glass of Bankruptcy Law

In part one, we discussed the importance of Privacy Policies and other legal agreements in determining how DTC genomics companies will treat their customers’ information, including in the case of a bankruptcy sale. Unfortunately, but not surprisingly, we failed to find much in the way of concrete answers. In this part, we investigate how a bankruptcy court would be likely to evaluate the proposed sale of a company’s genomic database, including in what scenarios it might be willing to set aside the company’s own agreed upon Privacy Policies.

1. Section 363 and the Stalking Horse. Section 363 of the Bankruptcy Code authorizes the sale (typically in an auction) of the assets of a business in bankruptcy. Quick auctions under Section 363 are becoming increasingly common because they allow for the transfer of desirable assets free and clear of liens and other liabilities (while leaving undesirable assets out of the deal), and unlike traditional Chapter 11 reorganizations, do not require the longer and more expensive confirmation process designed to fully protect the rights of creditors. During the current economic crisis, Section 363 was used in the sale of Lehman Brothers to Barclays Capital, in the sale of Chrysler’s valuable assets to Fiat and of General Motors to a new company backed by the U.S. Treasury. Section 363 auctions can also be lightning fast—Lehman Brothers’ assets, which were valued at billions of dollars, were sold less than a week after its Chapter 11 filing—although 2 to 3 months is more common.

In a Section 363 transaction, the bankrupt company agrees in principle to sell its assets to a “stalking horse” buyer, and then, following bankruptcy court approval of the sale procedures, solicits bids in an attempt to solicit a more favorable purchase price. The stalking horse company is often not outbid and winds up acquiring the most valuable assets. As the G.M. example demonstrates, there is no requirement that the stalking horse be a private company. Just as The Wellcome Trust has been mentioned as a potential acquirer of some of deCODE Genetics’ genomic database, a Federal agency such as the FDA or NIH could conceivably organize a bid for genomic assets it deemed important, assuming that it could muster the political and financial capital to proceed at the breakneck pace that can be required of Section 363 bankruptcy proceedings.

In response to a 2005 bankruptcy case (In re Toysmart.com LLC) in which a bankrupt toy company attempted to sell private customer data to its creditors in clear contravention of its own privacy policy, a new procedure was added to Section 363. The procedure requires the appointment of a Consumer Privacy Ombudsman (CPO) prior to the sale or lease of “personally identifiable information” from a bankrupt company when the proposed sale would be inconsistent with a company’s present and disclosed policy “prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with” the company.

2. How To Know If You’ll Need a CPO. By law, the CPO procedure only applies when the proposed sale would be inconsistent with a company’s present and disclosed policy “prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with” the company. However, bankruptcy courts have also appointed a CPO to advise them on the transfer of the information when the bankrupt company’s policy (like TruGenetics’) does not discuss whether the data may be sold to another company.1 Thus, if a DTC genomics company employs a policy that permits the transfer of information and other assets to third parties, the CPO procedure will not apply.

If the company’s policies prohibit such a transfer or, as in the case of most DTC genomics companies, if they are unclear, the CPO procedure may be available to assist the bankruptcy court in evaluating the appropriateness of the proposed sale of “personally identifiable information.” But is genomic information “personally identifiable information”?

In order to qualify as “personally identifiable information” or PII, the information in question must satisfy two criteria. First, it must be “provided by an individual to the debtor in connection with obtaining a product or a service from the debtor primarily for personal, family, or household purposes.” Data submitted to a private genomics company for personal use (whether clinical or otherwise) would therefore qualify; data submitted for research purposes (which would arguably apply to the TruGenetics model, and possibly to certain services offered by 23andMe) would not satisfy this criterion.

Moreover, PII must contain, as at least part of the overall information content, one of the following specific pieces of information:

♦   Name
♦   Street Address
♦   Email Address
♦   Telephone Number; or
♦   Credit card number

As for something as seemingly personal as, say, a whole genome sequence, or perhaps just a record of 500,000 SNPs? That information, along with “any other information concerning an identified individual that, if disclosed, will result in contacting or identifying such individual physically or electronically,” constitutes PII if and only if it is “identified with 1 or more of the items of information” in the list above. Thus, while genomic information coupled directly with a name or other specified individual information would qualify as PII, de-identified genomic information, regardless of the practical possibility of later re-identification, would not qualify as PII and would not invoke the protections of the CPO procedure. It is unclear whether or not genomic information that was de-identified but capable of being re-identified through, for instance, coded identifiers, would be treated as PII.

Assuming that the presence of PII could be established, recall that the CPO procedure is only available when the proposed transfer would violate the company’s applicable privacy policy. In the case of 23andMe, for example, its privacy policy permits transfers to an acquirer but requires that the acquiring entity agree to the “material terms” of its existing privacy policy. If the agreement with the stalking horse did not mandate agreement to all the terms of the privacy policy—for example, if it declined to agree that the data could be deleted upon request in order to avoid the possibility that a significant number of spooked former customers of 23andMe would demand that their information be removed from the database—the court would then have to determine whether such a provision was material in order to determine whether the proposed transfer violated the privacy policy, a process in which it would be likely to seek input from a CPO (although it could order changes in the asset purchase agreement on its own). Thus, as a practical matter, the CPO procedure is likely to be available in order to evaluate ambiguous DTC genomics privacy policies.

3. What Does the “C” in CPO Stand For, Again? Even if a CPO is appointed, it is the bankruptcy court that must ultimately evaluate and approve the proposed sale of assets. The role of the CPO, if appointed, is to provide information to the court, including with respect to the following:

♦   the debtor’s privacy policy;
♦   the potential losses or gains of privacy to consumers if such sale or such lease is approved by the court;
♦   the potential costs or benefits to consumers if such sale or such lease is approved by the court; and
♦   the potential alternatives that would mitigate potential privacy losses or potential costs to consumers.

Keep in mind that the bankruptcy statute does not require the CPO to represent the interests of the consumers. In fact, “the Consumer Privacy Ombudsman appears more in the role of an expert commentator than a consumer advocate.”2  Also, recall the speed at which auctions under Section 363 are conducted. Given the logistics and time entailed in first determining whether a CPO is warranted and, if so, locating and appointing a CPO, the CPO in most instances can be expected to have “only a day or two to obtain the information he or she needs and digest it.”3  With privacy issues as complex as those that would be presented in a DTC genomics company’s bankruptcy, and in the absence of any guarantee the CPO will be someone familiar with the issues, there is scant hope of a sophisticated analysis.

A review of the cases in which a CPO has been appointed and filed a report reveals a clear pattern: the CPO supports the sale “provided certain conditions were met, such as requiring that (1) the sales be made to qualified purchasers (those in the same business or that would operate the same business as the debtor), (2) the purchaser would serve as a successor-in-interest to the debtor’s … privacy policies and (3) customers be provided an opportunity to opt-in or opt-out of the proposed transfer.”4 It appears to be highly unlikely that a CPO would recommend a transfer in which the buyer would not agree, going forward, to abide by the same privacy policy that governed the data prior to the transaction.

So bankruptcy law clearly sees the possibility that genomic data could be sold in violation of its privacy policy—since that is the situation that would trigger review by a CPO. But as we just noted, the actual cases in which CPOs have conducted such review indicate that, while a bankruptcy court may override a provision in a privacy policy that prohibits the transfer of data to a third party, the CPOs and courts do seem to be unwilling to override other provisions, but rather wish to make sure that the policy is otherwise enforced by the acquirer, and not used for any markedly different purpose than before.

4. The FTC and Other Considerations. Of course, even if the CPO were to recommend a transaction in which the data would no longer be subject to the same kind of restrictions present in the privacy policy when the data was gathered, the CPO’s report is not binding on the court. Furthermore, in such a case—or in a case in which a CPO was not appointed because the information transferred did not qualify as PII—the FTC and state attorneys general could well decide to intervene. As the FTC website states:

A key part of the Commission’s privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers’ personal information. … Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information.

However, because of the speed at which the typical Section 363 auction takes place, combined with the limited resources of the FTC, it cannot be assumed that the agency (or one or more state attorneys general) will get involved in every case in which private data will be transferred without appropriate authorization in a privacy policy. The field of DTC genomics is sufficiently prominent, however, that it seems unlikely that the FTC would fail to receive notice and, if necessary, review any proposed transfer that raised significant consumer privacy concerns.

So what does this all mean for the average DTC genomics customer? Tune in tomorrow when we attempt to put all the pieces together.

Part III: What Does It All Mean?

In part one, we discussed the importance of Privacy Policies and other legal agreements in determining how DTC genomics companies will treat their customers’ information, including in the case of a bankruptcy sale. Unfortunately, but not surprisingly, we failed to find much in the way of concrete answers. In part two, we dug into the law to investigate how a bankruptcy court would be likely to evaluate the proposed sale of a company’s genomic database, including in what scenarios it might be willing to set aside the company’s own agreed upon Privacy Policies. In this final part, the threads come together as we ask—and attempt to answer—the only question that really matters for most readers: what does it all mean for the average DTC genomics customer?

If you’re concerned that your DTC genomics provider of choice might be a candidate for bankruptcy, the very first thing to do, of course, is to consider whether the privacy of your genomic data is even important to you. If you’re applying for (or already enrolled in) the Personal Genome Project, for example, chances are that you wouldn’t much care if 23andMe went bankrupt and decided to sell your information to a competitor, to a pharmaceutical company or to anybody else.

But for the many customers who, at least at present, consider the privacy and security of their genomic data to be an important factor in choosing whether to purchase the services offered by DTC genomic companies, there is simply no substitute for reading to the bottom of the page. When you purchase a product and utilize the corresponding services, including the website where you view your genomic information, you are agreeing to the terms supplied by that company.

As for what those terms say, while it varies on a case-by-case basis and the terms are always subject to change (and they do, in fact, change, often in response to developments in either the law, the company’s business model or both), the prediction here is that if your DTC genomic company of choice goes belly up there is a good chance that its assets, including its database of genomic information, will be up for sale.

The good news is that, in all likelihood, the sale would be restricted to another company that would use the data for substantially the same purposes as the original company and generally agree to abide by the same privacy protections as the now-bankrupt company. Again, those provisions vary by company but generally provide individuals with an ability to terminate their involvement with the company and withdraw their information (to the extent that it has not already been made available to third parties for allowable research or other purposes) from the company’s database.

Finally, as with just about every aspect of genomics law, the most complete and accurate answer is that time will tell. When the first DTC genomics bankruptcy inevitably arrives it will help answer more definitively a host of important questions, including whether and how a government agency might take an interest in commercially acquired genomic data, whether genomic data will be considered personally identifiable information under bankruptcy law and how debtors, creditors, consumers and regulators will react to the sale of large-scale genomic databases.


1 Luis Salazar, Don’t Fear the Consumer Privacy Ombudsman, 26 American Bankruptcy Institute Journal 42 (2007).

2 Warren Agin, Handling Customer Data in Bankruptcy Mergers and Acquisitions-Coping with the Consumer Privacy Ombudsman Provisions of the 2005 Bankruptcy Act, E-Commerce Issues and Developments

3 Agin.

4 Salazar.