
FTC: 23andMe buyer must honor firm's privacy promises for genetic data
arstechnica.com
Agency issues warning about privacy of genetic information and DNA samples.

Jon Brodkin, Apr 1, 2025 1:40 pm

Image caption: 23andMe headquarters in Sunnyvale, California on March 25, 2025. Credit: Getty Images | Anadolu

Federal Trade Commission Chairman Andrew Ferguson said he's keeping an eye on 23andMe's bankruptcy proceeding and the company's planned sale because of privacy concerns related to genetic testing data. 23andMe and its future owner must uphold the company's privacy promises, Ferguson said in a letter sent yesterday to representatives of the US Trustee Program, a Justice Department division that oversees administration of bankruptcy proceedings.

"As Chairman of the Federal Trade Commission, I write to express the FTC's interests and concerns relating to the potential sale or transfer of millions of American consumers' sensitive personal information," Ferguson wrote. He continued:

As you may know, 23andMe collects and holds sensitive, immutable, identifiable personal information about millions of American consumers who have used the Company's genetic testing and telehealth services. This includes genetic information, biological DNA samples, health information, ancestry and genealogy information, personal contact information, payment and billing information, and other information, such as messages that genetic relatives can send each other through the platform.

23andMe's recent bankruptcy announcement set off a wave of concern about the fate of genetic data for its 15 million customers. The company said that "any buyer of 23andMe will be required to comply with our privacy policy and with all applicable law with respect to the treatment of customer data."
Many users reacted to the news by deleting their data, though tech problems apparently related to increased website traffic made that process difficult.

23andMe's ability to secure user data is also a reason for concern. Hackers stole ancestry data for 6.9 million 23andMe users, the company confirmed in December 2023.

The bankruptcy is being overseen in US Bankruptcy Court for the Eastern District of Missouri.

FTC: Bankruptcy law protects customers

Ferguson's letter points to several promises made by 23andMe and says these pledges must be upheld. "The FTC believes that, consistent with Section 363(b)(1) of the Bankruptcy Code, these types of promises to consumers must be kept. This means that any bankruptcy-related sale or transfer involving 23andMe users' personal information and biological samples will be subject to the representations the Company has made to users about both privacy and data security, and which users relied upon in providing their sensitive data to the Company," he wrote. "Moreover, as promised by 23andMe, any purchaser should expressly agree to be bound by and adhere to the terms of 23andMe's privacy policies and applicable law, including as to any changes it subsequently makes to those policies."

23andMe has "commit[ed] to its users that they are in control of their data, and that users can decide how their information is used and for what purposes, including honoring the right of users to delete their personal information at any time," Ferguson wrote. The firm says that explicit authorization from users is needed to disclose genetic information to third parties.

Ferguson's letter said that 23andMe tells customers "that it restricts the use and sharing of personal information to what is necessary to provide its services," and that it shares the personal data "with a limited number of service providers who are contractually bound to protect the confidentiality and security of user personal information."
The company says in its privacy statement "that it does not share personal information with insurance companies, employers, public databases, or law enforcement, absent a valid court order, subpoena, or search warrant," Ferguson wrote.

"Importantly, 23andMe promises users that these protections (and its entire Privacy Statement) shall apply continuously to their personal information, even if the data is sold or transferred in a bankruptcy proceeding," the FTC chair wrote.

Ferguson said he is "pleased to see" that 23andMe has indicated since its bankruptcy filing that it will continue to honor its privacy promises. But the letter serves as a reminder that the FTC can take action when companies fail to live up to their promises.

Just how active Ferguson will be in the 23andMe bankruptcy process isn't clear. President Trump has attempted to limit FTC authority by issuing an executive order declaring that it and similar agencies are no longer independent and must be supervised by the president.

Trump also fired both Democratic FTC commissioners despite a US law and a 1935 Supreme Court ruling stating that the president cannot do so without good cause. The Democrats are challenging the firings in court, but for now the FTC has only Republican commissioners. Ferguson backed Trump in the firings, and his FTC reportedly instructed staff to stop describing the agency as "independent" in official filings.

Jon Brodkin, Senior IT Reporter

Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.