Apr. 23, 2025

Sale of 23andMe’s Genetic Data: Lessons for Companies Around Sensitive Data

Twenty-five states alleged last week that 23andMe’s privacy policies violated multiple states’ laws and that customers’ data is not secure, urging a bankruptcy court to appoint independent experts to recommend privacy and security measures before the company may sell genetic data as an asset. Alaska separately told the court that its state law requires 23andMe to seek new customer consent for the sale. This article, the second installment in a two-part series with insights from Withers and LK Law Firm, distills the legal questions about privacy that have emerged in the bankruptcy case and offers lessons from the proceedings for other companies, including takeaways about emerging risks and laws around sensitive data inferences. Part one discussed the growing potential for state privacy laws to play a disruptive role in bankruptcies and possible powers for an appointed privacy ombudsman in the 23andMe case. See “FTC and State Enforcers Reveal What’s Next and What to Do About It” (Oct. 2, 2024).

Redefining Compliance From a Consumer-Centric Obligation to Product-Embedded Enablement

Compliance, once a function that followed innovation, must now move ahead of it. The paradigm is shifting as organizations transition from responding to regulatory demands to embedding compliance directly within product design, development and delivery. In this guest article, Nikhil Sarnot, a managing director at Accenture Security, discusses how compliance must evolve from an oversight function into a foundational enabler and offers practical steps for shaping the way compliance teams achieve that goal. See “The Algorithmic CCO: Practical Steps for Implementing AI in Compliance” (Mar. 12, 2025).

How Ericsson Made Compliance Training Must-See TV

Most compliance training is thought of as dry and boring, but if packaged as a dramatic TV show, it can excite and engage employees, according to compliance experts at a company that has seen and resolved its fair share of compliance issues. Kelly Sargeant, Ericsson’s global head of compliance training and communications, and Vidya Krishnan, its global chief learning officer, explained during a recent conference how their narrative approach to training integrates lessons from different fields without a prohibitive price tag. This article distills their insights, including how, once a program is up and running, a combination of AI and staff contributions can make it ever more efficient. See “Rethinking Click-Through Training: Maximize Effectiveness With Customization” (Apr. 16, 2025).

Mayer Brown Welcomes Back Data Privacy Partner in Chicago

Lei Shen has rejoined Mayer Brown as a partner in its cybersecurity & data privacy practice in Chicago. She arrives from Cooley. For commentary from Shen, see “What to Expect From the CPRA – California’s New Proposed Privacy Law” (Sep. 30, 2020). For insights from Mayer Brown, see “How the 2025 Cybersecurity Executive Order Affects Business” (Feb. 5, 2025); and “Nine Cybersecurity Resolutions for 2025” (Jan. 22, 2025).

Seasoned Technology and AI Partner Joins Dentons’ Privacy and Cybersecurity Team in Maine

Dentons has welcomed Andrew Clearwater to the firm’s privacy and cybersecurity team as a partner in Portland, Maine. He arrives from security software provider OneTrust. For commentary from Clearwater, see “Implications of the New E.U. AML Directive” (Jul. 10, 2024); and “U.K. Equifax Fine Calls for Stricter Parent-Subsidiary Data-Sharing Processes” (Oct. 25, 2023).