Direct-to-consumer (DTC) genomics companies are not immune to the current recession. When TruGenetics, a new player in the DTC genomics space, announced in June that it would be handing out 10,000 free genome scans, both Genetic Future and the Genomics Law Report raised questions about the financial viability of its business model, particularly in the current economic climate. Sure enough, on August 21, TruGenetics announced that it had been unable to secure funding sufficient to support its business model as contemplated. Frequent readers know that TruGenetics is not the only DTC genomics company that is struggling. The financial struggles of deCODE Genetics have been well chronicled (see here, here and here) and even new market leader 23andMe has undergone a dramatic shift in its top management as it pursues a new round of financing.
Ultimately, it was a recent headline here at Genetic Future—“deCODE Genetics on the brink of insolvency”—that started us thinking: what would happen if an established DTC genomics company actually went bankrupt? More specifically, what would happen to the genomic (and other) data held by the company? Genomic data is likely to be the company’s most valuable asset. Can that data be sold off to help meet the company’s debts? Bankruptcy can be a confusing and arcane process, with real risks and uncertainties for companies, their creditors and their customers.
In today’s post—the first of three on this subject—we examine the privacy and confidentiality policies of several leading DTC genomics companies to find out what, if anything, they have to say about whether data can be transferred to another company. In the second part, which will appear tomorrow, we take a close look at how the legal system would likely treat a DTC genomics company’s bankruptcy. In the final part, on Wednesday, we attempt to answer the only question that really matters for most readers: what does it all mean for the average DTC genomics customer?
Part I: The Fine Print: What the Privacy Policies Say
Privacy policies are particularly important in the field of DTC genomics where the sensitivity of consumer data is rivaled only by that found in other areas of healthcare and in the financial services sector. Courts and regulators are concerned as well. For instance, the Federal Trade Commission (FTC) has brought actions to enforce “companies’ privacy promises about how they collect, use and secure consumers’ personal information.” The first question, then, is how DTC genomics companies’ Privacy Policies address the possibility of selling customers’ data. As examples, we will consider the policies of two companies, TruGenetics and 23andMe, which, together, help to illustrate the range of policies in place today.
Your questionnaire responses and genetic information will be used for genetic research. One of the main goals of TruGenetics™ is to develop a unique research database for conducting genetic studies. Your decision to use TruGenetics’™ services indicates that you are willing to contribute your questionnaire responses and genetic information to the TruGenetics™ research database. . . . TruGenetics™ may conduct this research, or may partner with another organization, including non-profit and commercial entities, to conduct research. TruGenetics™ may charge a fee for conducting research using this database.
TruGenetics’ policy contains a promise of confidentiality and anonymity—although, as we have written elsewhere, that is a promise that is probably unwarranted—but there is no promise that the data will not be distributed to third parties. In fact, just the opposite is true—the purpose of the data collection is for it to be used by third parties for research, and the policy provides no assurance that the data will not be used for any other reason. TruGenetics’ policy itself therefore is no obstacle to the sale of the data, and provides no detail for a registrant to determine the circumstances under which his or her data might be transferred, either in the ordinary course of business or bankruptcy.
23andMe agrees to provide advance notice via email and prominent notice on the website of such a transfer, as well as to “require an acquiring company or merger agreement to uphold the material terms of this privacy statement, including honoring requests for account deletion.” Notably, although in other situations involving the potential transfer of private data (for instance, for research purposes) 23andMe repeatedly emphasizes that consent will be required before third parties receive access to personal information, that requirement is absent from the “Business Transitions” provision. In addition, the requirement that an acquirer uphold the privacy statement applies only to the “material terms” of the privacy agreement—leaving open the question whether any particular provision of the privacy agreement is “material.”
4. So What Does It All Mean? If the company’s policy clearly permits the sale of genomic information in the kind of transaction that could be consummated in a bankruptcy case, then such a sale can go forward. But if the policy prohibits such a sale, or if the policy is unclear or does not address the subject at all, a transfer may still take place—subject to the ins and outs of bankruptcy law, including provisions specifically applicable to personal information. We’ll turn to that in the second part of this series.
Part II: Privacy Policies Through the Looking Glass of Bankruptcy Law
In part one, we discussed the importance of Privacy Policies and other legal agreements in determining how DTC genomics companies will treat their customers’ information, including in the case of a bankruptcy sale. Unfortunately, but not surprisingly, we failed to find much in the way of concrete answers. In this part, we investigate how a bankruptcy court would be likely to evaluate the proposed sale of a company’s genomic database, including in what scenarios it might be willing to set aside the company’s own agreed upon Privacy Policies.
1. Section 363 and the Stalking Horse. Section 363 of the Bankruptcy Code authorizes the sale (typically in an auction) of the assets of a business in bankruptcy. Quick auctions under Section 363 are becoming increasingly common because they allow for the transfer of desirable assets free and clear of liens and other liabilities (while leaving undesirable assets out of the deal), and unlike traditional Chapter 11 reorganizations, do not require the longer and more expensive confirmation process designed to fully protect the rights of creditors. During the current economic crisis, Section 363 was used in the sale of Lehman Brothers to Barclays Capital, in the sale of Chrysler’s valuable assets to Fiat and of General Motors to a new company backed by the U.S. Treasury. Section 363 auctions can also be lightning fast—Lehman Brothers’ assets, which were valued at billions of dollars, were sold less than a week after its Chapter 11 filing—although 2 to 3 months is more common.
In a Section 363 transaction, the bankrupt company agrees in principle to sell its assets to a “stalking horse” buyer, and then, following bankruptcy court approval of the sale procedures, solicits bids in an attempt to obtain a more favorable purchase price. The stalking horse company is often not outbid and winds up acquiring the most valuable assets. As the G.M. example demonstrates, there is no requirement that the stalking horse be a private company. Just as The Wellcome Trust has been mentioned as a potential acquirer of some of deCODE Genetics’ genomic database, a Federal agency such as the FDA or NIH could conceivably organize a bid for genomic assets it deemed important, assuming that it could muster the political and financial capital to proceed at the breakneck pace that can be required of Section 363 bankruptcy proceedings.
2. How To Know If You’ll Need a CPO. By law, the CPO procedure only applies when the proposed sale would be inconsistent with a company’s present and disclosed policy “prohibiting the transfer of personally identifiable information about individuals to persons that are not affiliated with” the company. However, bankruptcy courts have also appointed a CPO to advise them on the transfer of the information when the bankrupt company’s policy (like TruGenetics’) does not discuss whether the data may be sold to another company.1 Thus, if a DTC genomics company employs a policy that permits the transfer of information and other assets to third parties, the CPO procedure will not apply.
If the company’s policies prohibit such a transfer or, as in the case of most DTC genomics companies, if they are unclear, the CPO procedure may be available to assist the bankruptcy court in evaluating the appropriateness of the proposed sale of “personally identifiable information.” But is genomic information “personally identifiable information”?
In order to qualify as “personally identifiable information” or PII, the information in question must satisfy two criteria. First, it must be “provided by an individual to the debtor in connection with obtaining a product or a service from the debtor primarily for personal, family, or household purposes.” Data submitted to a private genomics company for personal use (whether clinical or otherwise) would therefore qualify; data submitted for research purposes (which would arguably apply to the TruGenetics model, and possibly to certain services offered by 23andMe) would not satisfy this criterion.
Moreover, PII must contain, as at least part of the overall information content, one of the following specific pieces of information:
♦ Street Address
♦ Email Address
♦ Telephone Number; or
♦ Credit card number
As for something as seemingly personal as, say, a whole genome sequence, or perhaps just a record of 500,000 SNPs? That information, along with “any other information concerning an identified individual that, if disclosed, will result in contacting or identifying such individual physically or electronically,” constitutes PII if and only if it is “identified with 1 or more of the items of information” in the list above. Thus, while genomic information coupled directly with a name or other specified individual information would qualify as PII, de-identified genomic information, regardless of the practical possibility of later re-identification, would not qualify as PII and would not invoke the protections of the CPO procedure. It is unclear whether or not genomic information that was de-identified but capable of being re-identified through, for instance, coded identifiers, would be treated as PII.
3. What Does the “C” in CPO Stand For, Again? Even if a CPO is appointed, it is the bankruptcy court that must ultimately evaluate and approve the proposed sale of assets. The role of the CPO, if appointed, is to provide information to the court, including with respect to the following:
♦ the potential losses or gains of privacy to consumers if such sale or such lease is approved by the court;
♦ the potential costs or benefits to consumers if such sale or such lease is approved by the court; and
♦ the potential alternatives that would mitigate potential privacy losses or potential costs to consumers.
Keep in mind that the bankruptcy statute does not require the CPO to represent the interests of the consumers. In fact, “the Consumer Privacy Ombudsman appears more in the role of an expert commentator than a consumer advocate.”2 Also, recall the speed at which auctions under Section 363 are conducted. Given the logistics and time entailed in first determining whether a CPO is warranted and, if so, locating and appointing a CPO, the CPO in most instances can be expected to have “only a day or two to obtain the information he or she needs and digest it.”3 With privacy issues as complex as those that would be presented in a DTC genomics company’s bankruptcy, and in the absence of any guarantee the CPO will be someone familiar with the issues, there is scant hope of a sophisticated analysis.
A key part of the Commission’s privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers’ personal information. … Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information.
So what does this all mean for the average DTC genomics customer? Tune in tomorrow when we attempt to put all the pieces together.
Part III: What Does It All Mean?
In part one, we discussed the importance of Privacy Policies and other legal agreements in determining how DTC genomics companies will treat their customers’ information, including in the case of a bankruptcy sale. Unfortunately, but not surprisingly, we failed to find much in the way of concrete answers. In part two, we dug into the law to investigate how a bankruptcy court would be likely to evaluate the proposed sale of a company’s genomic database, including in what scenarios it might be willing to set aside the company’s own agreed upon Privacy Policies. In this final part, the threads come together as we ask—and attempt to answer—the only question that really matters for most readers: what does it all mean for the average DTC genomics customer?
If you’re concerned that your DTC genomics provider of choice might be a candidate for bankruptcy, the very first thing to do, of course, is to consider whether the privacy of your genomic data is even important to you. If you’re applying for (or already enrolled in) the Personal Genome Project, for example, chances are that you wouldn’t much care if 23andMe went bankrupt and decided to sell your information to a competitor, to a pharmaceutical company or to anybody else.
But for the many customers who, at least at present, consider the privacy and security of their genomic data to be an important factor in choosing whether to purchase the services offered by DTC genomic companies, there is simply no substitute for reading to the bottom of the page. When you purchase a product and utilize the corresponding services, including the website where you view your genomic information, you are agreeing to the terms supplied by that company.
As for what those terms say, while it varies on a case-by-case basis and the terms are always subject to change (and they do, in fact, change, often in response to developments in either the law, the company’s business model or both), the prediction here is that if your DTC genomic company of choice goes belly up there is a good chance that its assets, including its database of genomic information, will be up for sale.
The good news is that, in all likelihood, the sale would be restricted to another company that would use the data for substantially the same purposes as the original company and generally agree to abide by the same privacy protections as the now-bankrupt company. Again, those provisions vary by company but generally provide individuals with an ability to terminate their involvement with the company and withdraw their information (to the extent that it has not already been made available to third parties for allowable research or other purposes) from the company’s database.
Finally, as with just about every aspect of genomics law, the most complete and accurate answer is that time will tell. When the first DTC genomics bankruptcy inevitably arrives it will help answer more definitively a host of important questions, including whether and how a government agency might take an interest in commercially acquired genomic data, whether genomic data will be considered personally identifiable information under bankruptcy law and how debtors, creditors, consumers and regulators will react to the sale of large-scale genomic databases.
1 Luis Salazar, Don’t Fear the Consumer Privacy Ombudsman, 26 American Bankruptcy Institute Journal 42 (2007).
2 Warren Agin, Handling Customer Data in Bankruptcy Mergers and Acquisitions-Coping with the Consumer Privacy Ombudsman Provisions of the 2005 Bankruptcy Act, E-Commerce Issues and Developments