When a company you trusted with your personal information files for bankruptcy, your data doesn't disappear with the business. It becomes an asset on a balance sheet — something to be appraised, auctioned, and sold to the highest bidder. The 2025 collapse of 23andMe turned this abstract risk into a national crisis, putting the genetic data of 15 million Americans on the auction block. Here's what actually happens to your data when a company goes under, and what you can do about it.
Your Data Is a Corporate Asset
Under U.S. bankruptcy law, a company's assets are inventoried and either liquidated (Chapter 7) or reorganized (Chapter 11) to pay creditors. Customer databases, user accounts, and personal information are routinely classified as assets in these proceedings — no different from office furniture or intellectual property.
This means the data you handed over when you signed up for an account, filled out a profile, or used a service can be:
- Sold to another company as part of a bulk asset purchase
- Transferred to an acquiring entity that may have entirely different privacy practices
- Auctioned to the highest bidder in a competitive sale process
- Abandoned on servers that change hands with minimal security oversight
The privacy policy you agreed to when you first shared your data? Bankruptcy courts can, and regularly do, override those commitments. In many cases, the company's promise never to sell your information doesn't survive a bankruptcy filing.
The 23andMe Bankruptcy: A Wake-Up Call
In March 2025, genetic testing company 23andMe filed for Chapter 11 bankruptcy protection. The company held DNA profiles, health predisposition reports, and ancestry data for roughly 15 million customers. That data immediately became one of the most valuable assets in the bankruptcy estate.
What followed was unprecedented:
- More than two dozen state attorneys general sued to block the sale, arguing that genetic information is fundamentally different from typical corporate data
- Regeneron, a major biotechnology company, emerged as a leading bidder — raising concerns about pharmaceutical companies gaining access to millions of people's genetic profiles
- A nonprofit entity called TTAM Research Institute, set up by 23andMe co-founder Anne Wojcicki, ultimately won the auction with a $305 million bid
- The bankruptcy court approved the sale in June 2025, and the transaction closed in July 2025
Genetic Data Cannot Be Changed
Unlike a credit card number or even a Social Security number, your DNA is permanent. Once genetic data is exposed or transferred to a new owner, you cannot reset it. This is why the 23andMe case alarmed privacy advocates worldwide — the stakes for data transfers involving biometric or genetic information are uniquely high.
This Isn't New — It's Just Getting Worse
The 23andMe case grabbed headlines, but companies have been selling customer data through bankruptcy for years:
- RadioShack (2015): Attempted to sell 117 million customer records — including names, addresses, and purchase histories — to the highest bidder. Only intervention by the FTC and state attorneys general prevented the sale.
- Toys "R" Us (2017): Customer data, including children's wish lists and family information, became part of the bankruptcy estate.
- Health and fitness apps: Several smaller health-tracking companies have folded and transferred sensitive health data without meaningful user consent.
As more businesses collect more personal data, every corporate failure puts more people at risk. And the protections in place haven't kept up.
What Protections Exist Today
The FTC's Limited Authority
The Federal Trade Commission has authority to appoint a Consumer Privacy Ombudsman in bankruptcy cases where personal data may be sold in ways that conflict with the company's privacy policy. However, the ombudsman's role is advisory — they can recommend safeguards, but bankruptcy judges are not required to follow those recommendations. The FTC's ability to intervene has also been constrained by budget limitations and shifting enforcement priorities.
State Privacy Laws
States with comprehensive privacy laws — California (CCPA/CPRA), Colorado, Virginia, Connecticut, and others — give residents some rights to request deletion of their data. But exercising those rights becomes complicated when a company is in bankruptcy proceedings, as the bankruptcy court's authority can supersede state-level protections.
The SECURE Data Act (2026)
In April 2026, House Republicans introduced the SECURE Data Act (Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act), a comprehensive federal privacy bill partly inspired by the 23andMe case. The bill would establish enforceable consumer rights including the right to access, correct, delete, and port personal data, as well as the right to opt out of data sales. It also addresses data transfers during mergers, acquisitions, and bankruptcies — though critics, including the Electronic Frontier Foundation and EPIC, argue the protections don't go far enough.
Federal Privacy Legislation Is Still Pending
As of mid-2026, the SECURE Data Act has not yet been passed into law. Even if enacted, it would take time to implement. For now, consumers must rely on existing state laws, FTC oversight, and proactive steps to protect themselves.
How to Protect Your Data Before a Company Fails
You can't predict which companies will go bankrupt, but you can minimize your exposure:
1. Delete Accounts You Don't Use
If you're no longer using a service, don't just stop logging in — actively delete your account and request data deletion. The less data a company holds about you when it fails, the less there is to sell. This is especially important for services that hold sensitive data like health records, genetic information, or financial details.
2. Exercise Data Deletion Rights Early
If a company shows signs of financial trouble — layoffs, plummeting stock price, executive departures — submit your data deletion request immediately. Once bankruptcy is filed, the automatic stay may complicate or delay deletion requests. Act before the filing, not after.
3. Minimize What You Share
Before handing over personal information to any service, ask yourself: does this company genuinely need this data to provide the service I'm using? Use throwaway email addresses for non-essential accounts. Avoid providing your real phone number, home address, or date of birth unless absolutely required.
4. Read Privacy Policies for Bankruptcy Language
Many privacy policies include a clause about data transfers in the event of a merger, acquisition, or bankruptcy. Look for it. If a company explicitly reserves the right to transfer your data to a successor entity without additional consent, that's a risk factor worth considering before you sign up.
5. Monitor Your Data Broker Exposure
When companies go bankrupt, the data that gets sold doesn't always stay with the acquiring company. It can flow into the broader data broker ecosystem, appearing on people-search sites and background check databases. Regular monitoring helps you catch new exposures early.
PrivacyOn continuously scans 100+ data broker sites for your personal information and submits removal requests automatically. When data from a bankrupt company finds its way onto people-search sites, PrivacyOn catches it and removes it — without you having to track down each broker individually.
What to Do If a Company You Use Files for Bankruptcy
- Submit a data deletion request immediately. Use the company's existing privacy request process. Even if the company is in bankruptcy, submitting the request creates a record of your intent.
- Download your data first. Before requesting deletion, export a copy of any data you want to keep — photos, documents, purchase history — because the service may shut down without warning.
- Monitor bankruptcy proceedings. Court filings are public through the PACER system. Look for motions to sell customer data and any privacy ombudsman reports.
- File objections if needed. If a proposed sale of data conflicts with the company's privacy policy, you or a state attorney general can file objections with the bankruptcy court.
- Freeze your credit. If the bankrupt company held financial information, place a credit freeze with all three bureaus as a precaution.
The Bottom Line
Company bankruptcies are an underappreciated privacy risk. When a business fails, your personal data — from contact information to genetic profiles — can be sold to entities you never agreed to share it with. Federal protections remain insufficient, and the SECURE Data Act is still working its way through Congress. The most effective defense is to be proactive: minimize the data you share, delete accounts you no longer use, and monitor where your information appears online. Services like PrivacyOn can help by automating the ongoing work of tracking and removing your data from the brokers and people-search sites where it inevitably ends up.