Jul. 9, 2025

23andMe Sale Decision Offers Lessons for Privacy Lawyers and State AGs

After months of arguments around protecting a trove of 15 million individuals’ genetic data, the U.S. Bankruptcy Court for the Eastern District of Missouri (Court) approved the sale of 23andMe Holding Co.’s assets to TTAM Research Institute. Over objections from more than 30 U.S. states citing privacy law concerns, in a 38‑page memorandum opinion issued June 27, 2025, the Court found no need for affirmative customer consent to transfer genetic data and made a striking argument about DNA property rights. Days later, it denied motions to stay the sale pending appeals from the state of California and a group of amici curiae. This article breaks down the Court’s analysis of privacy issues, including its rejection of the chief privacy ombudsman’s recommendations, and offers key takeaways for privacy practitioners. See our two-part series on the sale of 23andMe’s genetic data: “Implications of the Motions for a Privacy Ombudsman and State Laws” (Apr. 16, 2025), and “Lessons for Companies Around Sensitive Data” (Apr. 23, 2025).

Creating Enforceable Online Agreements

The growing volume of privacy litigation has prompted businesses to try and ensure their arbitration and other online agreements will pass judicial muster. At the same time, companies face the delicate balancing act of seeking to protect themselves without disrupting the user experience. This article distills insights offered by Kyle Fath, a partner at Squire Patton Boggs, and Julie Rubash, GC and CPO at Sourcepoint, on common ways companies seek to bind users to their terms of use, the leading cases assessing whether and when such mechanisms suffice to create enforceable contracts, and practical tips for creating binding online agreements. See “Scrutiny Over Dark Patterns Presents Further Challenges in Online Contracting” (Jan. 18, 2023).

A Step-by-Step Approach to Upleveling Compliance Analytics

Many companies know that they could be making better use of their data to improve their compliance programs, but the process of making upgrades can be daunting. Ericsson, a Sweden-based telecommunication company, recently took a step-by-step approach to improve their data analytics program and prepare for the future, contemplating AI use. This article shares strategic details around the process, which three Ericsson compliance officers shared during the Society of Corporate Compliance and Ethics 2025 conference on Data Analytics for Compliance Programs. See “Thoughts From DOJ Experts on Using Data Analytics to Strengthen Compliance Programs” (Jul. 17, 2024).

Senior DHS Cyber and Emerging Technology Official Joins Crowell & Moring in D.C.

Matthew Ferraro, the former senior counselor for cybersecurity and emerging technology to the U.S. Secretary of Homeland Security, has joined Crowell & Moring as a partner in the privacy and cybersecurity group in Washington, D.C. For insights from Crowell, see “Navigating SEC Cybersecurity Enforcement in a Post-SolarWinds World” (Nov. 15, 2023); and “SEC and CFTC Wall Street Resolutions Highlight Need for Communication and Records Compliance” (Oct. 26, 2022).