Genetic Future

In this series of three guest posts, lawyers Daniel Vorhaus and Lawrence Moore of the excellent Genomics Law Report provide insight into the intriguing question of what happens to customers’ genetic data in the event that a personal genomics company goes out of business. Part II and III of this series will be posted over the next two days.


What Happens if
a DTC Genomics Company Goes Belly Up?

Direct-to-consumer (DTC) genomics
companies are not immune to the current recession. When TruGenetics,
a new player in the DTC genomics space, announced in June that it would
be handing out 10,000 free genome scans, both Genetic Future and the Genomics
Law Report
raised
questions about the financial viability of its business model, particularly
in the current economic climate. Sure enough, on August 21, TruGenetics announced that it
had been unable to secure funding sufficient to support its business
model
as contemplated.
Frequent readers know that TruGenetics is not the only DTC genomics
company that is struggling. The financial struggles of deCODE
Genetics have been well chronicled (see here, here and here) and even new market leader 23andMe
has undergone
a dramatic shift in its top management

as it pursues a new round of financing.

Ultimately, it was a recent
headline here at Genetic Future – deCODE Genetics on the brink of
insolvency – that
started us thinking: what would happen if an established DTC genomics
company actually went bankrupt? More specifically, what would
happen to the genomic (and other) data held by the company? Genomic
data is likely to be the company’s most valuable asset. Can
that data be sold off to help meet the company’s debts? Bankruptcy
can be a confusing and arcane process, with real risks and uncertainties
for companies, their creditors and their customers.

In today’s post – the
first of three on this subject – we examine the privacy and confidentiality
policies of several leading DTC genomics companies to find out what,
if anything, they have to say about whether data can be transferred
to another company. In the second part, which will appear tomorrow, we
take a close look at how the legal system would likely treat a DTC genomics
company’s bankruptcy.

Part I:
The Fine Print: What the Privacy Policies Say

Privacy policies are particularly
important in the field of DTC genomics where the sensitivity of consumer
data is rivaled only by that found in other areas of healthcare and
in the financial services sector. Courts and regulators are concerned
as well. For instance, the Federal
Trade Commission

(FTC) has brought actions to enforce companies’
privacy promises about how they collect, use and secure consumers’
personal information
.
The first question, then, is how DTC genomics companies’ Privacy Policies
address the possibility of selling customers’ data. As examples,
we will consider the policies of two companies, TruGenetics and 23andMe,
which, together, help to illustrate the range of policies in place today.

1.
TruGenetics
. Despite its funding
difficulties
and
the fact that it has invited registrants to remove themselves from its
database, TruGenetics does still maintain a website that
provides both a Privacy
Policy
and a Terms of Use. The Privacy Policy (which is
incorporated verbatim into the Terms of Use) focuses on data anonymization,
transfers requested by registrants and GINA. As for how TruGenetics intends
to use registrants’ genomic and other information, the only guidance
comes from the Terms of Use, which include the following:

Your questionnaire responses
and genetic information will be used for genetic research. One of the
main goals of TruGeneticsTM is to develop a unique research
database for conducting genetic studies. Your decision to use TruGenetics’TM
services indicates that you are willing to contribute your questionnaire
responses and genetic information to the TruGeneticsTM research
database. . . . TruGeneticsTM may conduct this research,
or may partner with another organization, including non-profit and commercial
entities, to conduct research. TruGeneticsTM may charge a
fee for conducting research using this database.

TruGenetic’s policy contains
a promise of confidentiality and anonymity – although, as we have written
elsewhere, that is a promise
that is probably unwarranted
– but
there is no promise that the data will not be distributed to third parties.
In fact, just the opposite is true – the purpose of the data collection
is for it to be used by third parties for research, and the policy provides
no assurance that the data will not be used for any other reason.
TruGenetics’ policy itself therefore is no obstacle to the sale of
the data, and provides no detail for a registrant to determine the circumstances
under which his or her data might be transferred, either in the ordinary
course of business or bankruptcy.

2. 23andMe. 23andMe has three separate policies applicable
to users of its DTC genomics service: a Privacy
Statement
, a Consent and Legal
Agreement
and a Terms of Service. These policies clearly contemplate
that certain personal information, including both genotypic and phenotypic
information, may be made available to commercial and/or non-profit
organizations that conduct scientific and/or medical research.
While the Privacy Policy provides that such information will not be
made available without explicit consent, it is unclear from the
terms alone whether this consent requirement is satisfied by the consumer’s
signing the Consent and Legal Agreement (which is required prior to
any genotyping) or whether separate consents must be sought prior to
the disclosure.

23andMe’s Consent and Legal
Agreement applies to the company’s successors and assigns (as
does TruGenetics’), thus expressly contemplating that information
may be transferred. Much more explicit, however, is a separate
section of its Privacy Policy entitled Business Transitions which
states candidly that, in the event of a merger, acquisition by another
company, or sale of all or a portion of its assets, your personal
information and non-personal information will likely be among the assets
transferred. Indeed, as 23andMe’s research
efforts expand
,
that information might represent its most valuable asset.

23andMe agrees to provide advance
notice via email and prominent notice on the website of such a transfer,
as well as to require an acquiring company or merger agreement to
uphold the material terms of this privacy statement, including honoring
requests for account deletion. Notably, although in other situations
involving the potential transfer of private data (for instance, for
research purposes) 23andMe repeatedly emphasizes that consent will be
required before third parties receive access to personal information,
that requirement is absent from the Business Transitions provision.
In addition, the requirement that an acquirer uphold the privacy statement
applies only to the material terms of the privacy agreement – leaving
open the question whether any particular provision of the privacy agreement
is material.

3. deCODE Genetics. deCODE’s DTC offering, deCODEme, has a Privacy
Policy
, a Service Agreement and a Terms
of Use
. These
policies are conceptually similar to the 23andMe policies, appearing
to permit the sale or transfer of genomic information provided that
the terms of the Privacy Policy are generally upheld by the acquirer.
While deCODE’s public financial difficulties were in some respects
the impetus for this article, its unique legal situation as an Icelandic
company doing business in Reykjavik, subject to a distinctive set of
bankruptcy laws and statutory restrictions, renders it unrepresentative
of other DTC companies. For that reason, we will continue to restrict
our analysis to U.S.-based firms. A recent
article
in the
journal Science, however, contains interesting speculation
about what might happen to deCODE’s enormous customer biobanks, which
is estimated to cover approximately 140,000 individuals, if the company
does collapse, including speculation as to how deCODE might transfer
its data to another EU entity under Icelandic and EU regulation.

4. So
What Does It All Mean
? If the company’s policy clearly permits
the sale of genomic information in the kind of transaction that could
be consummated in a bankruptcy case, then such a sale can go forward.
But if the policy prohibits such a sale, or if the policy is unclear
or does not address the subject at all, a transfer may still take place–subject
to the ins and outs of bankruptcy law, including provisions specifically
applicable to personal information. We’ll turn to that in the
second part of this series.

rss-icon-16x16.jpg Subscribe to Genetic Future.

Comments

  1. #1 Steven Murphy MD
    September 14, 2009

    Thanks for addressing that guys. I think this is a very, very important point. What happens if an inverstor just keeps buying more and more of a company. Does 23andSergey need to notify its customers if say, perchance, google invests and buys out all the other investors? Or can this be a backdoor to access all the 23andMe data without the customer being notified?

    Thanks,
    -Steve

  2. #2 Art
    September 14, 2009

    Time and time again it has been shown that information collected by the corporation is considered a corporate asset. As such during a bankruptcy, or any business dealings, the data cannot be destroyed because doing so would violate the interests of the shareholders and the requirement that the corporation protect the value of their investment.

    As such corporate databases, right down to medical records and your genome, cannot be abandoned or destroyed. They must be sold. And once sold the existing privacy agreement is void.

  3. #3 Mary
    September 14, 2009

    Fascinating discussion, thanks for raising the issues. Looking forward to all the pieces.

    I have a separate question about the individual’s re-use of the data. What are the formats they will have available? Will they retain experimental details? Raw data? Hmmm…..

  4. #4 Ed Mohebi
    September 14, 2009

    I would like to point out that we are highly sensitive and thoughtful about how we do things; hence the reason we started with a PRE-REGISTRATION BETA site.
    We have not and would not go on to collecting phenotype or genotype information unless and until we have adequate funding in hand.

    We would expect the same thoughtfulness from our colleagues; so it seems that using us an example was somewhat inane.

    Ed Mohebi
    COO
    TruGenetics

  5. #5 Dan Vorhaus
    September 14, 2009

    Ed, thanks.

    I appreciate that TruGenetics, still in the early stages of its business and searching for additional funding, is a somewhat different case from other companies that are actively collecting user information and generating genotypic data. However, it’s not the case that in analyzing what would happen under your public terms of service in a hypothetical insolvency setting we were suggesting that we had any specific knowledge that TruGenetics (or any other DTC company) is, in fact, on the verge of or anywhere close to bankruptcy. In that regard we have no knowledge other than what has been publicly disclosed by a particular company, including, in the case of TruGenetics, its recently announced funding difficulties.

    Regardless, the purpose of the exercise is to examine what would happen in a hypothetical bankruptcy scenario. While the bankruptcy scenario is hypothetical, the privacy policies, terms of service, etc. that would be operative in such a scenario are not hypothetical – they are publicly available and presently applicable documents.

    In the case of TruGenetics, its policies – which to my knowledge are identical to those available when TruGenetics first unveiled its website – solicit customers/participants according to the posted Terms of Service and Privacy Policy. There is no indication (unlike, for instance, in Knome’s Terms of Service) that additional or different terms or policies would apply to the actual data collection step if and when that should occur. Indeed, the existing terms of service purport to address how the data would be used, including how it would be shared with third parties.

    One of the tricky things about policies is that, because they are most frequently agreed to by use, they are subject to change often with little or no advance notice to users. For that reason, we directed our analysis at the public policies of certain companies available as of this writing. Obviously, if TruGenetics’ were to change its policies – e.g., in light of its receipt of additional funding – the analysis would presumably change as well.

  6. #6 Jason Bobe
    September 15, 2009

    I wrote an essay about it I never published a few years back and amazingly I found my notes! My interest in bankruptcy stemmed for a real-world example in the DTC genetics space. Remember DNA Science (was http://www.DNA.com)?

    For a DTC genetics company trying to get off the ground in 2002, genetic privacy was probably an even bigger deal in the hearts and minds of potential customers then than it is now. So DNA Sciences came up with the “Gene Trust Bill of Rights” which described how privacy would be protected. It included this passage:

    “…personally identifying genetic information will never, under any circumstances, be sold or shared with anyone outside the Gene Trust.”

    The company ultimately went belly-up and their assets were sold to Genaissance on May 15, 2003. Soon after, I contacted the legal counsel of Genaissance to inquire about whether the assets included the genetic information and/or tissues of participants in DNA Sciences, but I never heard back and it fell off my radar. I think it would be interesting to follow-up now and do a post-mortem.

    In any event, the legal landscape has changed since 2003, due in part, to the bankruptcy of Toysmart.com and the pandemonium which ensued when they took out an ad in the Wall Street Journal (June 8, 2000) offering for sale, among other assets, their customer database. This was of course an action which did not honor their privacy policy, which included boilerplate language that was fairly typical during that time (from Sept 1999):

    “(1) Personal information voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party. All information obtained by toysmart.com is used only to personalize your experience online; and (2) When you register with toysmart.com, you can rest assured that your information will never be shared with a third party.”

    Here is a summary of the sequence of events which occured around this time:
    # June 2000 Toysmart files Chapter 11 bankruptcy
    # June 8th, 2000 Toysmart advertised to sell all assets including customer data in WSJ
    # Truste complains to FTC
    # July 10, 2000 FTC filed lawsuit against Toysmart
    # July 21, 2000 FTC and Toysmart reached agreement on the case without any court hearing
    # July 25, 2000 attorneys general from 39 states put an effort together to block any form of sale of customer data
    # Meanwhile, Toysmart rejected two offers from Buena Vista Internet Group and Digital Research Inc. to purchase its customer data due to low offering price
    # August 27, 2000 court disapproves the settlement between FTC and Toysmart and set restrictions to the sale
    # January 9, 2001 Buena Vista Internet Group again offered to purchase the customer data but would destroy it onsite
    # January 30, 2001 court approve the purchase and customer data was deleted at Toysmart

    I’ve always wondered why the reaction was so fierce to protect customer data about toys (of all things!), and there was hardly a word written about DNA Sciences, which occurred well after the Toysmart.com debacle.

    The Toysmart.com case led to a flurry of revisions to privacy policies for those dot coms which survived the bust. For example, Amazon.com added a clause saying “…in the unlikely event that Amazon.com Inc. or substantially all of its assets are acquired, customer information will of course be one of the transferred assets.”

    In terms of legal protection, also see the Bankruptcy Abuse Prevention and Consumer Protection Act of 2005. In particular, Section 232 “Consumer Privacy Ombudsman” which was intended to “assist the bankruptcy court in the decision of whether to approve the sale of a company’s informational assets during bankruptcy”. The ombudsman’s task is defined as (1) a review of the debtor’s privacy policy, (2) assessment of potential losses or gains of privacy to consumers if a sale is approved, and (3) alternatives to mitigate consumer privacy losses. I haven’t looked at the law in this area for at least a few years, so I’m not sure how much the legal landscape has changed.

    Hope this is helpful.

    Thanks,
    Jason Bobe

  7. #7 Jason Bobe
    September 15, 2009

    Ha! I just saw post #2 in the series, which covers the privacy ombudsman. One step ahead of me!

    http://scienceblogs.com/geneticfuture/2009/09/guest_post_bankruptcy_part2.php

    Thanks,
    Jason

  8. #8 Neil
    September 17, 2009

    Ed @ 4:

    I would like to point out that we are highly sensitive and thoughtful about how we do things; hence the reason we started with a PRE-REGISTRATION BETA site.
    We have not and would not go on to collecting phenotype or genotype information unless and until we have adequate funding in hand.

    This is somewhat disingenuous – Dan Vorhaus observed that your (well written) Terms of Use are intended to permit the sale of the proposed research database in the ordinary course of business.

    The Risks section puts it nicely:

    You should be careful about sharing your genetic information. Although genetic data is not widely used by businesses and insurance companies at this time, this may change in the future and you should be very careful about who you share your genetic information with.

    Quite.