Genetic data custody debate

A spit tube and a consent box can become bankruptcy assets, and 23andMe’s collapse turned that into a live policy fight in Washington on April 14. (troutman.com) 23andMe filed for Chapter 11 on March 23, 2025, in the Eastern District of Missouri and said it would run a court-supervised sale while continuing operations. The company said there would be “no changes” to how it stores, manages, or protects customer data during the process. (23andme.com) The Troutman Pepper Locke event says the case caught consumers, regulators, and policymakers “flatfooted” over the genetic data of about 15 million Americans. Its panel description frames the issue as a recurring one for biotechnology, health-data, and digital-health companies that store large private datasets. (troutman.com) Genetic data is not like an email address or a credit card number. A DNA profile can identify family links, health risks, and ancestry, and it cannot be reissued after a sale or breach the way a password can. (bmj.com) That difference pushed privacy law into bankruptcy court. On March 31, 2025, Federal Trade Commission Chairman Andrew Ferguson said consumers should be able to trust companies to keep their privacy promises even during a sale or transfer of sensitive information. (ftc.gov) State officials moved faster than Congress. California Attorney General Rob Bonta issued a consumer alert on March 21, 2025, telling residents they could direct 23andMe to delete genetic data, destroy stored samples, and withdraw research consent under California privacy law. (oag.ca.gov) Washington state issued a similar alert on March 28, 2025, pointing residents to rights under the My Health My Data Act, including deletion requests, consent withdrawal, and a list of third parties that received their data. The notice said 23andMe held private genetic data for more than 15 million people. (atg.wa.gov) The bankruptcy did not end with liquidation of the database. Regeneron first announced a deal on May 19, 2025, to buy 23andMe’s assets for $256 million, but 23andMe later said TTAM Research Institute, a California nonprofit founded by Anne Wojcicki, completed the acquisition on July 14, 2025. (23andme.com; 23andme.com) By then, the legal debate had sharpened. A June 11, 2025 report from the court-appointed consumer privacy ombudsman said he could not conclude that selling 23andMe’s data assets in the bankruptcy would avoid violating some non-bankruptcy laws unless the winning bidder obtained appropriate customer consent. (business.cch.com) Court records now show the restructured case still pending under the name Chrome Holding Co., with the Chapter 11 plan confirmed and consummated on December 5, 2025. The policy argument left behind is narrower and harder: when a vendor holds biometric or identity-linked data, buyers and regulators may need to ask about deletion rights, portability, consent records, and sale terms before the company ever gets into distress. (restructuring.ra.kroll.com)