Daniel Solove writes:
A recent article in The Atlantic discusses the risk of 23andMe selling its vast stockpile of DNA data on 15 million individuals:
23andMe is not doing well. Its stock is on the verge of being delisted. It shut down its in-house drug-development unit last month, only the latest in several rounds of layoffs. Last week, the entire board of directors quit, save for Anne Wojcicki, a co-founder and the company’s CEO. Amid this downward spiral, Wojcicki has said she’ll consider selling 23andMe—which means the DNA of 23andMe’s 15 million customers would be up for sale, too.
Can anything be done to protect this DNA data in the event of a sale?
More than two decades ago, the FTC intervened in a bankruptcy sale of personal data by Toysmart, an online toy merchant that had massive quantities of children’s data. The FTC limited Toysmart’s ability to sell its data only to companies operating in a similar market and agreeing to abide by the same privacy policies as Toysmart had in place. But the Toysmart case was a “deception” case under the FTC Act, triggered by the fact that the company had stated in its privacy notice that it would not share the personal data of its customers to third parties.
The lesson companies learned from Toysmart is to include the sale of data as an asset in a potential bankruptcy. This makes a deception case difficult or impossible to bring. 23andMe has done this, writing the following in its privacy notice:
If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.
Read more at TeachPrivacy.