Privacy Impacts the Sale of Your Assets

Privacy is a cross-cutting issue that impacts all aspects of a company’s business. While traditionally viewed as a compliance function, if strategically utilized, privacy can become a brand differentiator. Privacy can also impact a company in its wind-down phases.

Recent statements by the Chairman of the Federal Trade Commission (FTC) reiterate this point, which come in the wake of bankruptcy proceedings filed by 23andMe, the well-known genetic testing company.^[1] The proceedings have left millions of consumers in fear that their personal information may not receive the same level of privacy or data protection if sold to another company.

On March 31, 2025, the FTC Chairman issued a letter to the Office of the U.S. Trustee regarding the ongoing bankruptcy proceedings involving 23andMe and its implications for consumer’s data.^[2] Citing Section 363(b)(1) of the Bankruptcy Code, Chairman Ferguson asserted that any bankruptcy-related transfer of sensitive and personal information is subject to the privacy and data security representations 23andMe made to its users.^[3]

During its operation, 23andMe collected vast amounts of sensitive and personal information including genetic information, biological DNA samples, health information, ancestry and genealogy information, personal contact information, and payment and billing information. The collection, use, and protection of this valuable data is governed by 23andMe’s privacy policy. In the event of a change in ownership, 23andMe’s privacy policy states:

If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.^[4]

In keeping with the FTC’s longstanding position, the Chairman’s letter stated that 23andMe must continue to honor the representations in its privacy policy throughout bankruptcy proceedings, including any bankruptcy-related sale or transfer.^[5] Furthermore, not only must 23andMe uphold these representations, but “any purchaser should expressly agree to be bound by and adhere to the terms of 23andMe’s privacy policies.”^[6] Thus, companies on both sides of any bankruptcy-related sale or transfer must comply with the existing privacy policy.

The FTC’s statements raise several considerations for businesses as they consider their own privacy policies, as well as future transactions involving data assets governed by existing privacy policies.

• Data transfers must be structured in a manner consistent with the existing privacy policy. Any sale or lease of personally-identifiable information must be consistent with the existing privacy policy to comply with both the FTC Act and the Bankruptcy Code.
• Potential limitation on buyers of a business’s assets. In evaluating a potential acquisition, a company will need to assess whether they can uphold the existing privacy policy that governs the data assets they wish to purchase. Not all businesses may be willing or able to comply with the existing privacy policy, which could limit potential buyers for this type of asset.
• Governance mechanisms must be able to survive transitions. Given that the existing privacy policy will control, the governance mechanisms overseeing the data—such as how the data is maintained, stored, and protected—must be able to survive the transition to a new company.

Endnotes

[1] In re 23andMe Holding Co., et al., No. 25-40976, U.S. Bankruptcy Court for the Eastern District of Missouri, Eastern Division.

[2] Andrew N. Ferguson, Chairman, Federal Trade Commission, “Re: In re 23andMe Holding Co., et al., Case No. 25-40976, United States Bankruptcy Court for the Eastern District of Missouri (Eastern Division),” (March 31, 2025).

[3] Id. at 2-3; see also 11 U.S.C. § 363(b)(1).

[4] 23andMe, Privacy Statement, (Mar. 14, 2025) https://www.23andme.com/legal/privacy/full-version/.

[5] Ferguson, Supra note 2, at 2-3.

[6] Id. at 3.