On May 1, 2023, the U.S. Court of Appeals for the Seventh Circuit affirmed the dismissal of a putative class action alleging violations of the Illinois Genetic Information Privacy Act (GIPA) against the asset management firm Blackstone Inc. over its all-stock acquisition of the genealogy company Ancestry.com. In a case of first impression, the Seventh Circuit held that a “run-of-the-mill corporate acquisition, without more alleged about that transaction,” does not result in a compulsory disclosure of genetic information in violation of Section 30 of GIPA.
GIPA provides that “genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with [statutory requirements], by that individual to receive the information.” 410 ILCS 513/15. Section 30 of the act provides that no person or company “may disclose or be compelled to disclose the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test.” Id. at 30(a). Under Section 40, “[a]ny person aggrieved by a violation of this Act shall have a right of action.” Id. at 40.
Lead plaintiffs Carolyn Bridges and Raymond Cunningham purchased DNA testing products from Ancestry.com and submitted their saliva samples. Ancestry processed and stored plaintiffs’ genetic information with other personal identifying information, such as their names, emails and home addresses.
In December 2020, Blackstone acquired Ancestry for $4.7 billion in an all-stock acquisition. In July 2021, Bridges and Cunningham filed a putative class action in Illinois state court alleging that the acquisition compelled the disclosure of their genetic information in violation of Section 30. Blackstone removed the case to federal court and then moved to dismiss. The district court dismissed the complaint on the grounds that a corporate acquisition of a company that stored genetic information, without more, did not result in a compulsory disclosure of genetic information in violation of GIPA. Plaintiffs appealed.
Seventh Circuit’s Decision
Although the issue presented to the Seventh Circuit was whether GIPA liability can attach to a company that receives protected information as a result of an all-stock corporate acquisition, the Seventh Circuit affirmed the dismissal on the narrower issue that the plaintiffs had not alleged a “compulsory disclosure” in violation of Section 30.
The court found that it could not “plausibly infer that a run-of-the-mill corporate acquisition, without more alleged about that transaction, results in a compulsory disclosure within the meaning of Section 30.” It did not matter “that Blackstone may have pursued the deal, at least in part, to obtain Ancestry’s genetic information” or that “Blackstone, as part of the firm’s broader investment strategy, planned to sell data from unnamed portfolio companies to unaffiliated third parties.” This was because, the Seventh Circuit explained, “[t]he complaint still lacks a plausible allegation that Blackstone compelled Ancestry to disclose protected information.”
Although Bridges v. Blackstone, Inc. suggests that an all-stock acquisition, in and of itself, does not compel disclosure of genetic information, the case does not completely slam the door on potential GIPA liability arising from corporate transactions. For example, the court suggested the outcome might have been different if the “terms of the deal mandated prohibited disclosure.”
Bridges holds lessons for companies considering acquisitions that implicate a change in corporate control of privacy-protected information. Companies should consider conducting data privacy diligence to understand the target’s data and how it is collected, stored and protected, including whether, as in Bridges, data subject to regulation is paired with personal identifiable information that links data to data subject. An acquiror should also closely examine the target’s privacy policies to understand what the target promised about the handling of its customers’ data, including in the event of an acquisition or change in ownership. Such diligence should be conducted through the lens of the acquiror’s integration plans, including any plan to “roll up” the acquired company or its assets following the closing, and how it intends to use the target’s data going forward. The acquiror and/or post-transaction entity may be required, for example, to obtain appropriate consents for or notify individuals of changes to data handling practices. The target company’s privacy policies could also significantly limit or altogether preclude the acquiror’s intended use of its data assets, which might, depending on the circumstances, impact the underlying deal thesis or valuation and is therefore critical to understand as early in the process as possible. Target companies should also be mindful of their own policies and terms that may inhibit the value of their data assets in future acquisitions, and be prepared to discuss and address acquiror concerns during the diligence process.