The Federal Trade Commission (FTC) said it was worried about the safety of the personal data of Americans who were previously customers of genetic testing company 23andMe.
“It is my understanding that 23andMe user data may be an asset that is sold” as part of the company’s bankruptcy process, he wrote.
Since its launch in 2007, 23andMe has collected various data points from U.S. customers, including “genetic information, biological DNA samples, health information, ancestry and genealogy information, personal contact information, payment and billing information, and other information,” the letter states.
During its operational period, the company told customers it would protect user data and not share it with unauthorized third parties.
According to the company’s privacy statement, updated on March 14, if 23andMe is involved in bankruptcy, and customers’ personal information is sold as part of the transaction, the privacy protections outlined by 23andMe shall still apply.
Ferguson said the FTC “believes that, consistent with Section 363(b)(1) of the Bankruptcy Code, these types of promises to consumers must be kept.”
As such, any bankruptcy-related sale of 23andMe that includes users’ personal information and biological samples must retain the privacy and data security commitments the company had made to users, he said, adding that the customers had handed over sensitive data based on these commitments.
Opting Out
23andMe filed for bankruptcy, expecting that the sales process would resolve existing operational, financial, and legal challenges, said Mark Jensen, a member of the board of directors.In its March 23 open letter, 23andMe stated that customers are free to opt out of the company’s research at any time.
This can be done by updating the consent status in users’ account settings. Once customers opt out, the company discontinues the usage of data within 30 days.
In addition, “customers still have the ability to delete their data and 23andMe account,” the company said.
“New Yorkers can follow instructions offered by my office to delete their data or destroy any DNA samples held by 23andMe. Anyone experiencing issues deleting their information stored with 23andMe should contact my office,” she said.
Earlier on March 21, California Attorney General Rob Bonta asked that people use state privacy laws to get the data deleted and have genetic samples stored by the company destroyed.
“The threat actor used the compromised credential stuffed accounts to access the information included in a significant number of DNA Relatives profiles (approximately 5.5 million) and Family Tree feature profiles (approximately 1.4 million), each of which were connected to the compromised accounts,” the company said at the time.
In September, 23andMe announced that it was offering $30 million in settlement to compensate the millions of customers affected by the data breach.
