In this series of three guest posts, lawyers Daniel Vorhaus and Lawrence Moore of the excellent Genomics Law Report provide insight into the intriguing question of what happens to customers’ genetic data in the event that a personal genomics company goes out of business. Parts II and III of this series will be posted over the next two days.
What Happens if a DTC Genomics Company Goes Belly Up?
Direct-to-consumer (DTC) genomics companies are not immune to the current recession. When TruGenetics, a new player in the DTC genomics space, announced in June that it would be handing out 10,000 free genome scans, both Genetic Future and the Genomics Law Report raised questions about the financial viability of its business model, particularly in the current economic climate. Sure enough, on August 21, TruGenetics announced that it had been unable to secure funding sufficient to support its business model as contemplated.
Frequent readers know that TruGenetics is not the only DTC genomics company that is struggling. The financial struggles of deCODE Genetics have been well chronicled (see here, here and here) and even new market leader 23andMe a dramatic shift in its top management as it pursues a new round of financing.
Ultimately, it was a recent headline here at Genetic Future – deCODE Genetics on the brink of insolvency – that started us thinking: what would happen if an established DTC genomics company actually went bankrupt? More specifically, what would happen to the genomic (and other) data held by the company? Genomic data is likely to be the company’s most valuable asset. Can that data be sold off to help meet the company’s debts? Bankruptcy can be a confusing and arcane process, with real risks and uncertainties for companies, their creditors and their customers.
In today’s post – the first of three on this subject – we examine the privacy and confidentiality policies of several leading DTC genomics companies to find out what, if anything, they have to say about whether data can be transferred to another company. In the second part, which will appear tomorrow, we take a close look at how the legal system would likely treat a DTC genomics
The Fine Print: What the Privacy Policies Say
Privacy policies are particularly important in the field of DTC genomics where the sensitivity of consumer data is rivaled only by that found in other areas of healthcare and in the financial services sector. Courts and regulators are concerned as well. For instance, the Federal Trade Commission (FTC) has brought actions to enforce companies’ privacy promises about how they collect, use and secure consumers’
The first question, then, is how DTC genomics companies’ Privacy Policies address the possibility of selling customers’ data. As examples, we will consider the policies of two companies, TruGenetics and 23andMe, which, together, help to illustrate the range of policies in place today.
1. TruGenetics. Despite its funding the fact that it has invited registrants to remove themselves from its database, TruGenetics does still maintain a website that provides both a Privacy transfers requested by registrants and GINA. As for how TruGenetics intends to use registrants’ genomic and other information, the only guidance
Your questionnaire responses and genetic information will be used for genetic research. One of the main goals of TruGenetics™ is to develop a unique research database for conducting genetic studies. Your decision to use TruGenetics’™ services indicates that you are willing to contribute your questionnaire responses and genetic information to the TruGenetics™ research database. . . . TruGenetics™ may conduct this research, or may partner with another organization, including non-profit and commercial entities, to conduct research. TruGenetics™ may charge a fee for conducting research using this database.
TruGenetics’ policy contains a promise of confidentiality and anonymity – although, as we have written elsewhere, that is a promise that is probably unwarranted – but there is no promise that the data will not be distributed to third parties. In fact, just the opposite is true – the purpose of the data collection is for it to be used by third parties for research, and the policy provides no assurance that the data will not be used for any other reason. TruGenetics’ policy itself therefore is no obstacle to the sale of the data, and provides no detail for a registrant to determine the circumstances under which his or her data might be transferred, either in the ordinary course of business or bankruptcy.
2. 23andMe. 23andMe has three separate policies applicable to users of its DTC genomics service: a Privacy Statement, a Consent and Legal Agreement and a Terms of Service. These policies clearly contemplate that certain personal information, including both genotypic and phenotypic information, may be made available to commercial and/or non-profit organizations that conduct scientific and/or medical research.
made available without explicit consent, it is unclear from the terms alone whether this consent requirement is satisfied by the consumer’s signing the Consent and Legal Agreement (which is required prior to any genotyping) or whether separate consents must be sought prior to
23andMe’s Consent and Legal Agreement applies to the company’s successors and assigns (as does TruGenetics’), thus expressly contemplating that information may be transferred. Much more explicit, however, is a separate states candidly that, in the event of a merger, acquisition by another company, or sale of all or a portion of its assets, your personal information and non-personal information will likely be among the assets transferred. Indeed, as 23andMe’s research that information might represent its most valuable asset.
23andMe agrees to provide advance notice via email and prominent notice on the website of such a transfer, as well as to require an acquiring company or merger agreement to uphold the material terms of this privacy statement, including honoring requests for account deletion. Notably, although in other situations involving the potential transfer of private data (for instance, for research purposes) 23andMe repeatedly emphasizes that consent will be required before third parties receive access to personal information, that requirement is absent from the Business Transitions provision. In addition, the requirement that an acquirer uphold the privacy statement applies only to the material terms of the privacy agreement – leaving open the question whether any particular provision of the privacy agreement
3. deCODE Genetics. deCODE’s DTC offering, deCODEme, has a Privacy Policy, a Service Agreement and a Terms of Use. These policies are conceptually similar to the 23andMe policies, appearing to permit the sale or transfer of genomic information provided that
While deCODE’s public financial difficulties were in some respects the impetus for this article, its unique legal situation as an Icelandic company doing business in Reykjavik, subject to a distinctive set of bankruptcy laws and statutory restrictions, renders it unrepresentative of other DTC companies. For that reason, we will continue to restrict our analysis to U.S.-based firms. A recent article in the journal Science, however, contains interesting speculation about what might happen to deCODE’s enormous customer biobanks, which are estimated to cover approximately 140,000 individuals, if the company does collapse, including speculation as to how deCODE might transfer its data to another EU entity under Icelandic and EU regulation.
What Does It All Mean?
If the company’s policy clearly permits the sale of genomic information in the kind of transaction that could be consummated in a bankruptcy case, then such a sale can go forward. But if the policy prohibits such a sale, or if the policy is unclear or does not address the subject at all, a transfer may still take place – subject to the ins and outs of bankruptcy law, including provisions specifically applicable to personal information. We’ll turn to that in the second part of this series.