As genetic testing giant 23andMe Holding Co. (ME) enters Chapter 11 bankruptcy, millions of customers suddenly confront an uncomfortable question: What happens to their most personal data when a company goes under?
With attorneys general from New York to California urging customers to secure their data in light of the company’s collapse, consumers have been alerted to the precarious nature of having their personal information in corporate hands. The company’s vast database of over 15 million genetic profiles—what one cybersecurity expert called a “digital gold mine”—could soon be on the auction block to satisfy creditors.
“It highlights the issue that the U.S. does not have a comprehensive privacy law at the federal level and that not all Americans currently have full control over what happens to their data,” Sara Gerke, associate professor of law at the University of Illinois Urbana-Champaign, told Investopedia.
Key Takeaways
- When companies like 23andMe file for bankruptcy, customer data, including genetic data derived from DNA, is typically treated as a corporate asset that can be sold to satisfy creditors.
- Unlike the EU, whose General Data Protection Regulation went into effect in 2018, U.S. privacy laws are fragmentary, often providing limited protection state to state for sensitive personal data. Most consumers are at the mercy of corporate privacy policies that specifically reserve companies’ rights to transfer data during bankruptcy or acquisition.
When Your Data Outlives the Company That Holds It
For companies like 23andMe, what happens to consumer data during a bankruptcy is largely governed by the privacy policies that few people read when signing up for services. In an open letter to its customers, the company said, “Any buyer of 23andMe will be required to comply with applicable law with respect to the treatment of customer data.”
Of course, that a buyer would have to follow applicable laws shouldn’t be news to worried consumers. “I think the main things to worry about is that the successor company that buys the data may have weaker cybersecurity (23andMe itself had a massive data breach), that it alters the privacy statement in a way you find objectionable and you don’t pay close enough attention, or that you lose the benefits of the arrangement with 23andMe (information on ancestry, disease risk, helping the development of therapeutics) that made the risks worthwhile for you in the first place,” I. Glenn Cohen, a professor of law at Harvard University, told Investopedia.
While medical information is protected under HIPAA, genetic data from direct-to-consumer testing companies is in a legal gray area. The Genetic Information Nondiscrimination Act (2008) outlaws discrimination by employers and health insurers based on genetic information, but doesn’t restrict how your data can be sold or transferred.
A company bankruptcy makes things even more complex. While the bankruptcy process includes some consumer protections not found in regular mergers and acquisitions, the system prioritizes repaying creditors, which could pressure bankruptcy courts to approve deals that maximize financial returns, even if sensitive data is involved.
Along with its competitors, MyHeritage and AncestryDNA, 23andMe has one of the largest DNA databases worldwide.
How You Can Protect Your Data
Experts like Gerke recommend several steps you can take before and after companies holding your sensitive information face financial trouble:
- Review privacy policies and relevant laws: “I personally think that customers need to be made aware of the issue so that they can take proactive steps if they want to,” Gerke said. Look specifically for clauses addressing what happens to your data during bankruptcy, acquisition, or other business transitions. Also, get to know the privacy laws in your jurisdiction beforehand.
- Request account deletion immediately: Though not the perfect solution, deleting your account can limit what information remains accessible.
- Opt out of research programs: Many companies allow consumers to withdraw consent for their data to be used in research. While this won’t remove data already used, it can prevent further sharing.
- Watch for communications from the company or legal notices: Bankruptcy proceedings require public notice, and regulators like the U.S. Federal Trade Commission and state attorneys general might intervene when sensitive data is involved.
- Consider legal resources: In some cases, consumer class action lawsuits have successfully established protections for data during bankruptcy proceedings.
The Bottom Line
The most valuable asset many firms have is the data they get from you. For now, without stronger federal protections, many Americans remain vulnerable to having their most personal biological information change hands without their meaningful consent. The 23andMe bankruptcy shows just how valuable and easily transferable such private data has become—a “digital gold mine” that, once shared, may continue changing hands long after the company that collected it has disappeared.