As noted in our last two client alerts (here and here), the issue as to who should be the watchdog to protect consumer personal data is coming to a head in the chapter 11 bankruptcy cases of 23andMe Holding Co and its affiliated debtors (collectively, “23andMe” or the “Debtors”). This week we saw a trio of motions filed by the Debtors, the State of Texas ("Texas"), and the U.S. Trustee, all seeking appointment of someone to oversee protection of customer data through a chapter 11 sale, but with no consensus about who that person should be – or, more importantly, what powers they should have.
On April 7, 2025, the Debtors asked the Bankruptcy Court to appoint an independent Customer Data Representative (“CDR”) to oversee the treatment of consumer information held by 23andMe during the bankruptcy cases and specifically with respect to the proposed sale of assets, ensuring compliance with their existing privacy policies and data security processes. The Debtors asserted that the appointment of a disinterested, independent CDR would help preserve the value of their estates, reassure their customers of the privacy and security of their data, facilitate the closing of any sale transaction on a timely basis, and ultimately maximize value for all stakeholders. The Debtors proposed that the CDR would perform the following duties:
- Review the Debtors’ existing privacy policies, cybersecurity infrastructure, and other information related to security of customer data;
- Act as a consultation party in the sale process to identify and advise on any potential issues arising from the transfer of consumer data to any successful bidder, and evaluate the bidder’s cybersecurity capabilities and data storage infrastructure;
- Prepare and file a final report analyzing any proposed transaction involving the transfer of consumer data, addressing whether the transaction complies with the Debtors’ privacy policies and applicable data privacy laws, determining whether it will result in a material change in the security of consumer data, and balancing the interests of consumers with maximizing value to creditors; and
- Coordinate with key stakeholders, including the U.S. Trustee, the official committee of unsecured creditors, and other parties in interest.
In their motion for appointment of a CDR, the Debtors argued that the formal privacy watchdog codified in the Bankruptcy Code – a consumer privacy ombudsman (“CPO”) – is not necessary. That’s because 23andMe’s privacy policies, according to the Debtors, permit the transfer of personal information to a third party as part of some transactions, so a consumer privacy ombudsman is not statutorily required.
The following day, on April 8, 2025, the Debtors emphasized their commitment to protecting consumer data by filing a statement responding to customers who expressed difficulty in deleting their accounts and data. The Debtors reiterated that their privacy policies will remain in place in connection with any proposed sale of their assets and that any buyer must comply with those policies, as well as applicable privacy laws. They noted that any sale is subject to court oversight and customary regulatory approvals.
Neither Texas nor the U.S. Trustee was persuaded by the Debtors, however, and each filed its own motion seeking appointment of a CPO. Texas filed its motion on April 9, 2025, raising concerns specifically about the Debtors’ compliance with Texas state privacy laws regarding consumer genetic testing, data privacy, and identity theft. Texas raised concerns over the handling of personally identifiable information and previous data breaches, noting that genetic data requires heightened protections and asserting that the appointment of a CPO is mandatory under the Bankruptcy Code where it is unclear which if any of the 22 amended privacy policies applied to consumers or if customers provided "explicit consent" as required by Texas law. Texas argued that 23andMe cannot avoid appointment of a CPO because the relevant company policies, which include all policies in place at the time a consumer’s personal information was collected, do restrict the transfer of personal information.
The U.S. Trustee filed its motion on April 10, 2025, agreeing with Texas that a CPO is required but asking, in the alternative, that the Bankruptcy Court appoint an examiner who would investigate and report on the privacy issues implicated by the Debtors’ proposed asset sale. The U.S. Trustee explained that “[a]lthough the relief sought by the Debtors and the United States Trustee may seem superficially similar, there are critical differences between the two motions.” Chief among these differences, according to the U.S. Trustee, are that the Debtors’ are asking to handpick their CDR (instead of undergoing the independent appointment process the Bankruptcy Code provides for a CPO and examiners) and that the CDR would have a role far narrower than a CPO or an examiner. In arguing that a CPO is required, the U.S. Trustee explained that 23andMe’s policies may not permit the sale of personal information here, particularly because we do not yet know how the sale will occur (as a going concern or piecemeal, which could bear on the applicability of those policies) and because certain versions of the company’s privacy policy may not have received customer assent.
The Court has scheduled a hearing on all three motions for April 29, 2025. It is likely that other parties in interest will weigh in on these issues before then. We will continue to monitor the privacy and sale developments in these bankruptcy cases.
