
The longevity of (informed) consent in light of a transfer of (sensitive) personal data
- Key decisions made and guidelines issued by data protection authorities over the summer period
- Evolutions in the field of AI and IP over the summer period
Key takeaways
In the United States, the bankruptcy judge in charge of the 23andMe case approved the sale of the firm to a nonprofit. For those not fully aware of the case: 23andMe, a California-based company, offered saliva-based DNA testing kits to customers to generate reports on the customer’s ancestry and genetic predispositions to health-related topics. In its early years the company enjoyed great success and even became publicly traded. However, in 2023 it experienced a data breach exposing the data of nearly 7 million customers, after which its value started falling and the company filed for Chapter 11 bankruptcy. Given that the company had gathered quite a large volume of sensitive personal data, the sale of this data as part of the bankruptcy proceedings raised considerable concern from a privacy and customer perspective.
A Consumer Privacy Ombudsman was appointed to advise the court on the complex privacy issues involved in the sale of the data under the bankruptcy procedure. The Ombudsman’s report advised that customers should consent to the sale of their data, and that this consent should ideally be obtained prior to the transfer. The consent should be requested via email or through the company’s website or a mobile application, and customers may not be nudged into giving consent. Furthermore, the data of customers who do not consent should be deleted.
In the case of 23andMe it became particularly clear that DNA data is not your usual corporate asset that can be easily transferred like any other asset in a bankruptcy (or other type of change of control) situation. When customers purchased their DNA kit, they were asked to accept terms of service which included an opt-in consent to share DNA data with third parties, including nonprofit foundations, academic institutions, or pharmaceutical companies. These terms of service also covered the sale of data following bankruptcy, merger, or acquisition. Often such clauses also appear in a privacy policy and are nothing more than boilerplate. In reality, customers cannot foresee how their data will be used in the future by the company, nor by a third-party acquirer.
It is definitely interesting to see how this case is generating discussion in the United States on informed consent and the need to re-consent. The question of how long a data subject’s consent really remains valid is always difficult, yet new to the discussion is the need to revisit consent when triggered by a fundamental change in company ownership and purpose (e.g. bankruptcy, acquisition, partnerships, etc.). Of course, the particular context and the fact that very sensitive personal data was involved cannot be ignored.
Note that only shortly before the green light was given for the sale, the company was fined £2.31 million by the UK data protection authority (ICO) for failing to implement appropriate security measures to protect users’ data, following a joint investigation with the Office of the Privacy Commissioner of Canada.
To circle back to Belgium, our team has had the privilege of advising clients on the transfer and sale of personal data in the context of a company in distress or an asset deal. An interesting and recent decision of the Belgian data protection authority of January 2025 provides further insight into the legal basis and GDPR compliance in corporate transactions (the full decision is available in Dutch and in French).
Action Points
- Thank you for reading and don’t hesitate to reach out to your usual contact person at EY Law or any of the authors of this Digital Digest edition if you have any questions or would like further assistance!