Skip to main content
Blog

23andMe: Privacy and Property Protection in Bankruptcy

AEIdeas

October 4, 2024

Kristen V. Brown, a staff writer at The Atlantic in a piece last week. I wouldn’t argue against being concerned, but there may be more privacy protection in place than Brown believes. Certainly if my views about contract law and property pertain in these contexts. But let’s see.

The problem is not new. A data-intensive company in financial trouble may put its data on the auction block to recover all the value it can for creditors. For privacy mavens of a certain age, that’s ToySmart. The failing online retailer risked profligate treatment of consumer data by considering selling that data as an asset.

Via Twenty20

In that case, the Federal Trade Commission (FTC) stepped in. “Even failing dot-coms must abide by their promise to protect the privacy rights of their customers,” said Chairman Robert Pitofsky via press release. “The FTC seeks to ensure these promises are kept.” Problem solved, that once.

But do we really think that a company with a great mass of personal data can sell it to get around the promises made at collection? Why don’t healthy companies sell data to others and launder privacy promises away?

The way I see it, those promises are encumbrances that stay with the data wherever it goes. Did you acquire it subject to a promise not to use it for marketing? That encumbrance stays with it even if the company sells the data or gets taken over. The right to use it in marketing isn’t something the acquirer has, so they cannot sell it, in bankruptcy or out.

23andMe has a pretty inscrutable congeries of policies, including terms of service, a “privacy statement” that the terms call “additional information”—begging the question whether they think it’s part of the terms—and a privacy page saying, “Your privacy comes first.” It has numerous pages of consents, which may affect privacy. A statement about Europe’s General Data Protection Regulation may or may not differ from its general privacy policy and may or may not apply to US users.

Brown points out that the “full privacy statement,” which is a little bit hard to find, allows unilateral changes of that policy. So is there a policy, really? This is where I’m concerned that modern contract law is falling down in not retaining classical principles. Such principles include seeing contracts as “meetings of minds” between parties.

Much is not specifically agreed upon when people have complex interactions with big companies, and contract terms supplied by one party are merely an attempt to put what they want into the agreement. When push comes to shove—again, in classical contract law—the contract terms on which minds did not meet are filled in by what is reasonable, customary, and fair.

Would a contract that allows one party to change it at any time really be a contract? I don’t know if the issue has been litigated. I’ve never seen such a provision pressed to the top of contract language (like arbitration clauses are) seeking to make it an agreed-upon term. Such language seems more common in online take-it-or-leave-it offerings, but is it actually a customary, enforced term? Is it fair? I doubt it.

I’m hopeful that contract retains enough of its classical moorings to act as the consumer protector that it is. Classical contract law declines to award the benefit of uncertainty to the big company that silently sought advantage in pages and pages of small type.

Then there’s property. In a forthcoming article in the Kansas Law Review, I argue that the ToySmart case would have supplied consumers better natural protections were information contracted about recognized as property. In bankruptcy, contractual obligations often go by the wayside, while property is returned to its owner. Were people’s DNA data at 23andMe treated as property, it would not be an asset that can be stripped of contractual protections and resold. 23andMe would have only the rights that it acquired in the first instance, the rest being retained by consumers.

So, yes, be concerned. We should seek contracts saying explicitly that personal information is the customer’s property, left with the service provider as a “bailment.” That’s legalese for “when one person holds another’s property.”

Justice Gorsuch teaches about these concepts in his dissent to Carpenter vs. United States (2018), which dealt with government access to data about us produced by cell phone use. We could all learn from his dissent and look forward to when his views on this (and other legal precepts with which I agree) carry the day.