PRIVACY + SECURITY BLOG

News, Developments, and Insights


A recent article in The Atlantic discusses the risk of 23andMe selling its vast stockpile of DNA data on 15 million individuals:

23andMe is not doing well. Its stock is on the verge of being delisted. It shut down its in-house drug-development unit last month, only the latest in several rounds of layoffs. Last week, the entire board of directors quit, save for Anne Wojcicki, a co-founder and the company’s CEO. Amid this downward spiral, Wojcicki has said she’ll consider selling 23andMe—which means the DNA of 23andMe’s 15 million customers would be up for sale, too.

Can anything be done to protect this DNA data in the event of a sale?

More than two decades ago, the FTC intervened in a bankruptcy sale of personal data by Toysmart, an online toy merchant that had massive quantities of children’s data. The FTC limited Toysmart’s ability to sell its data only to companies operating in a similar market and agreeing to abide by the same privacy policies as Toysmart had in place. But the Toysmart case was a “deception” case under the FTC Act, triggered by the fact that the company had stated in its privacy notice that it would not share the personal data of its customers to third parties.

The lesson companies learned from Toysmart is to include the sale of data as an asset in a potential bankruptcy. This makes a deception case difficult or impossible to bring. 23andMe has done this, writing the following in its privacy notice:

If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction and this Privacy Statement will apply to your Personal Information as transferred to the new entity.

The failure of the notice-and-choice approach is about as established as the law of gravity. Nobody reads privacy notices. Meaningful consent can’t be inferred from customer inaction. The existence of a notice alone provides no indicia of consumer consent whatsoever.

Ultimately, consumers need protection here. Many consumers didn’t contemplate that their DNA data would be sold off to other companies for whatever potential uses they might want. Although the buyer would be subject to the terms of 23andMe’s privacy notice, the notice (as with most) is written in a way that is rather flexible. The notice is written with the typical statement that it may be changed at any time. Here is a list of allowable uses from the privacy notice:

    • Provide our Services, including to develop, operate, improve, maintain, and safeguard our Services, including developing new product tools and features
    • Analyze and measure trends and usage of the Services
    • Communicate with you, including customer support, or to share information about our Services or other offers or information we think may be relevant to you
    • Personalize, contextualize and market our Services to you
    • Provide cross-context behavioral or targeted advertising (learn more in our Cookie Policy and Cookie Choices page)
    • Enhance the safety, integrity, and security of our Services, including prevention of fraud and other unauthorized or illegal activities on our Services
    • Verify your identity and administer your User Account
    • Enforce, investigate, and report conduct violating our Terms of Service or other policies
    • Conduct surveys or polls, and obtain testimonials or stories about you
    • Comply with our legal, licensing, and regulatory obligations
    • Conduct 23andMe Research, if you choose to participate

It is unclear whether a new buyer that offers somewhat different services would be bound to the specific services 23andMe offers, or how broadly or narrowly “services” will be interpreted. There are myriad ways the data can be used, because privacy notices are drafted to give companies a lot of wiggle room in how they use data.

In the event of a sale of the DNA data, the FTC could bring an “unfairness” action under the FTC Act. A potential basis for this would be the Sears case. There, Sears installed spyware into users’ computers, but it disclosed it in the privacy notice. The FTC concluded that given the significant privacy invasiveness of spyware, burying this fact in the privacy notice was not sufficient and was an unfair practice. Given the nature of DNA data, the FTC might be able to reach a similar conclusion and move beyond the mere disclosure of a sale of the data in the privacy notice. This would be a bold move for the FTC, but an important one. If privacy protection is to have any real teeth, then it would seem to me that there should be significant restrictions and safeguards on the sale of this data.

To capture the issues with bankruptcy and the sale of personal data, I created the following cartoon a while ago:

[Cartoon: Bankruptcy Sale of Personal Data]

* * * *

Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 150 courses. He is also the co-organizer of the Privacy + Security Forum events for privacy professionals.
