Several state attorneys general (AGs) and the Federal Trade Commission (FTC) have begun scrutinizing ancestry tracking company 23andMe following its recent announcement that it has filed for Chapter 11 bankruptcy. As part of these efforts, the AGs have issued alerts on ways consumers can exercise their rights under state privacy laws, and the FTC has issued letters stressing potential risks to U.S. bankruptcy trustees. 23andMe, which was founded in 2006, has collected DNA and associated genetic material on seven million American customers to provide information related to those customers’ ancestry.

State AGs have historically treated matters involving genetic, health-related, and biometric data with particularly heightened attention given the highly personal nature of such data and the associated privacy considerations implicated. Given that 23andMe holds the genetic data of millions of customers, it is unsurprising that state AGs have taken notice of its troubles, especially as bankruptcy will likely affect company leadership and staffing levels, which potentially could impact the company’s internal system integrity. Indeed, the company’s CEO announced her resignation from the position on March 24. Further complicating the AGs’ overall view is the company’s previous 2023 data breach of customer personal information, which is still under investigation by the states, and the company’s recent assertion to the bankruptcy court that it does not require a “privacy ombudsman” to oversee personal data as it goes through the bankruptcy process.

Over the past few days, several state AGs, including California, Connecticut, and Virginia, have issued consumer alerts encouraging consumers to act concerning their stored data. Generally, the warnings cite those states’ comprehensive consumer privacy laws and recommend that consumers request that the company delete their data and destroy genetic material, and that they revoke any prior consent to use such data granted to the company.

Nineteen states to date have enacted comprehensive state privacy laws that apply to organizations controlling or processing the personal information of consumers, including genetic and health-related data. The laws universally grant consumers the right to access, correct, and delete such information, and to opt out of the sale and use of the data for targeted advertising and profiling. Most of the comprehensive laws also contain cybersecurity components that mandate businesses implement “reasonable” data security measures, supervise their vendors and service providers through specific contractual provisions, minimize the amount of personal information they collect, and conduct data protection assessments for potentially high-risk data processing. Every law also requires businesses to disclose their privacy practices to consumers, and most require affirmative consent to process “sensitive” personal information, which includes child-related, health care, religious, or political data, among other types. Violations of these laws can result in monetary penalties and injunctive relief.

As this case progresses, state AGs will undoubtedly examine the company’s past cybersecurity measures and privacy policies and procedures not only pursuant to the above privacy laws, but also to state consumer protection laws that prohibit misrepresentation as to how the company has handled such data. Indeed, over the past year, the AGs have sharpened their resources to focus on privacy, with many devoting entire units solely to privacy enforcement.

Additionally, on March 31, the FTC expressed significant privacy and security concerns regarding the potential sale of sensitive consumer information in the 23andMe bankruptcy case. FTC Chairman Andrew Ferguson emphasized that 23andMe must honor its privacy commitments to users, including safeguarding genetic data, even in bankruptcy proceedings. Ferguson’s letter to the acting U.S. trustee for Missouri and other states stressed that any sale of 23andMe’s data must adhere to the company’s privacy policies and applicable laws. This announcement follows 23andMe’s plan to auction its vast genetic data to repay creditors, which has alarmed consumers and prompted many to cancel their accounts. The FTC’s stance underscores the importance of maintaining data protection promises, especially in light of the 2023 data breach. The agency’s scrutiny of data handling in bankruptcy cases is not new, as seen in its 2015 intervention in bankruptcy proceedings involving RadioShack.

The 23andMe situation provides a cautionary tale for companies handling consumer personal information, especially genetic and health-related data. Companies that control or process such data should verify that they are engaging in defensible privacy and cybersecurity practices in accordance with those states’ privacy and consumer protection laws and pertinent federal regulations and should consult competent outside counsel accordingly. Companies must ensure that, at a minimum, they maintain fundamental privacy measures, such as a readily available privacy policy, conspicuous notice of privacy rights, an easily accessible opt-out process on their websites, and consistent fulfillment of consumer opt-out requests. Failure to do so comes with significant risk.


Troutman Pepper Locke State Attorneys General Team

Ashley Taylor – Co-leader and Firm Vice Chair
Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation.
Clay Friedman – Co-leader
Clay co-leads the firm’s State Attorneys General practice and is nationally ranked by Chambers USA for AG Government Relations and in Best Lawyers for Advertising Law. He has dedicated his entire career to state attorney general and federal work, serving for nearly a decade in a senior role and more than 25 years in private practice. Clay focuses his practice on helping industry-leading companies mitigate the risks associated with state and federal regulatory investigations and associated litigation.
Chris Carlson
Chris advises clients on regulatory, civil, and criminal investigations and litigation. With a background as an assistant attorney general, he provides practical guidance to clients with matters involving state attorneys general and federal regulatory agencies.
Lauren Fincher
Lauren has vast experience handling state attorneys general investigations, navigating complex regulatory compliance matters, and providing strategic counsel in enforcement actions across various industries. She helps clients manage high-stakes regulatory matters and guides them through complex legal landscapes.
Stephen Piepgrass
Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, representing clients in single and multistate enforcement actions, including inquiries and investigations, as well as litigation involving state attorneys general and other state and federal governmental enforcement bodies. He has significant experience handling actions with federal agencies, including the CFPB and FTC, as well as single plaintiff and class action litigation for clients in highly regulated sectors such as financial services, health care, pharmaceutical, and education.
Michael Yaghi
Mike handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation.
Samuel E. “Gene” Fishel
Gene is a former regulator with two decades of experience who has overseen state privacy and cybersecurity regulation enforcement, led national, multistate attorneys general privacy investigations, and prosecuted computer crimes at the state and federal levels. He has served at the forefront of state attorney general and federal enforcement, and utilizes this experience to proficiently represent client interests.
Jay Myers
Jay assists clients in heavily regulated industries, including health care, energy, insurance, emerging industries, and data privacy. He provides both regulatory legal advice and government relations strategies. Jay’s past and current clients include Fortune 10 companies, startups, nonprofits, industry associations, and advocacy groups. Recognizing that state government matters are often complex and multifaceted, he utilizes regulatory guidance, government advocacy, or both in tandem to deliver tailored solutions for each client’s unique needs.
Chuck Slemp
Chuck advises clients on a wide range of complex issues that frequently involve government actions, including investigations, inquiries, regulatory matters, and litigation. With a distinguished background in the law and public service, he served as chief deputy attorney general of Virginia before joining the firm. In addition to overseeing the Department of Law and Division of Debt Collection, Chuck managed a team of attorneys who handle complex litigation and investigations. He also directed the attorney general’s legislative affairs and represented the attorney general in various capacities.
Jessica Birdsong
Jessica is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, magna cum laude, where she served as associate articles editor of the Journal of Law & Technology.
Blake R. Christopher
Blake collaborates with clients on matters related to government contracting, investigations, and disputes. His senior-level government experience generates valuable insights and strategies for clients across a variety of industries.
Nick Gouverneur
Nick is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. He received his J.D. from the University of Illinois College of Law, where he served as a member of the Journal of Law, Technology & Policy.
Troy Homesley
Troy is an accomplished litigator who has represented and defended clients across a wide range of complex, high-stakes disputes at both the trial and appellate levels. He has represented technology companies, business executives, law firms, investment funds, high-ranking federal officials, international non-profits, and asylum seekers. Troy draws on his broad litigation experience to advise clients before litigation arises, while claims are pending or threatened, and leading up to and through trial and appeals.
Natalia Jacobo
Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based on the West Coast. She routinely counsels clients on a variety of state and federal regulatory matters, with a particular emphasis on consumer protection and data privacy matters.
Namrata Kang
Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising. Nam’s experience transcends multiple industries, including financial services, telecommunications, media, and sports betting.
Michael Lafleur
Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general.
Lane Page
Lane specializes in federal and state regulatory investigations and complex civil litigation. He focuses on representing financial institutions and other businesses, with a particular emphasis on consumer protection and fair lending issues.
Dascher Pasco
Dascher is an attorney within the Regulatory Investigations, Strategy, and Enforcement practice, based in the Richmond office. She joined our firm after working in personal injury and medical malpractice for a Virginia trial law firm. Dascher brings varied legal experience to the firm with strong litigation and regulatory strategy capabilities.
Kyara Rivera Rivera
Kyara is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, cum laude, where she served as publications and online editor of the Public Interest Law Review.
Trey Smith
Trey focuses his practice on representing and advising regulated utilities before state public utility commissions. He routinely helps clients obtain certificates of public convenience and necessity for transmission infrastructure. In this role, Trey works with his clients’ subject-matter experts to manage administrative proceedings, including by preparing initial filings; responding to discovery requests; drafting rebuttal testimony; and litigating any disputed issues.
Daniel Waltz
Dan helps clients navigate all aspects of highly regulated relationships between industry participants and federal, state and local governments. Whether engaging with regulators, negotiating transactions or representing clients in the courtroom, he delivers solutions that help his clients achieve their strategic goals.
Cole White
Cole is a member of the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) group. He has a decade of experience working in the attorney general community, having joined the firm from the Wyoming Office of the Attorney General, where he was assistant attorney general.
Stephanie Kozol
Stephanie is Troutman Pepper Locke’s senior government relations manager in the state attorneys general department.