In mid-December 2025, iRobot announced it was filing a prepackaged Chapter 11 petition in the U.S. Bankruptcy Court for the District of Delaware. Under its restructuring support agreement, Shenzhen Picea Robotics, a Chinese manufacturer of Roomba hardware and creditor holder, will acquire 100 % of iRobot’s equity. The prepackaged plan is anticipated to conclude in February 2026. The sale raises complex legal questions at the intersection of bankruptcy practice, data privacy, national security review, and cross-border data transfer governance.
This transaction follows earlier failed acquisition efforts, most notably Amazon’s attempt to purchase iRobot for approximately $1.7 billion, which collapsed in early 2024 after U.S. and E.U. regulatory scrutiny.
A once celebrated feature – mapping rooms – is now the source of concern as iRobot attempts another sale. Modern Roomba devices use cameras, LIDAR, and other sensors to build digital maps of users’ homes as part of navigation and “smart-home” services. These mapping datasets can include highly detailed spatial information, usage patterns, and environmental images.
Prior privacy disclosures by iRobot indicated that data would not be shared with third parties unless the consumer explicitly opted in, and that smart-home mapping data could be used to support integrations with compatible products. Fast forward to present day, iRobot and entities involved in the sale have made public representations about the privacy and security of user data – particularly assurances that mapping data will remain protected, encrypted, and geographically localized within U.S. servers, aiming to reassure users about geographic data sovereignty. While consumers may be skeptical whether iRobot may actually follow through with such promises and whether Shenzhen Picea Robots will honor them, the Federal Trade Commission (FTC) has indicated they will hold such companies accountable.
Just earlier in 2025, FTC Chairman Andrew N. Ferguson issued a formal letter to the U.S. Trustee in the 23andMe bankruptcy proceeding, raising privacy concerns about the potential sale or transfer of millions of Americans’ genetic and personal information. Chairman Ferguson emphasized that the FTC has a strong interest in ensuring that companies uphold the privacy representations they made to consumers and that any purchaser be bound by existing privacy policies and applicable law.
While the letter did not initiate a formal enforcement action, it serves as a bellwether of FTC scrutiny: the agency has signaled that discontinuities between public privacy promises and post-transaction practices could give rise to enforcement under the unfair or deceptive practices prongs of Section 5 of the FTC Act. In the 23andMe context, this included concern that purchasers of the data continue to apply the same safeguards and privacy protections referenced in the original privacy notice.
A distinctive feature of the case with iRobot is the involvement of national security review. Lawmakers have urged the U.S. Treasury to subject the bankruptcy plan and subsequent acquisition to review by the Committee on Foreign Investment in the United States (CFIUS) given potential risks associated with foreign access to detailed home-mapping technologies. CFIUS authority extends beyond classic defense and infrastructure assets to technologies that could have national security implications, especially if those technologies collect or enable access to highly sensitive personal or geospatial data at scale. iRobot’s sale illustrates that even a bankruptcy sale does not immunize a transaction from national security scrutiny when data is considered a strategic asset.
While iRobot likely has a lot of work ahead as it attempts to finalize the sale to Shenzhen Picea Robotics, there are many lessons to be learned.
Similarly situated companies should:
- Be mindful public statements about data privacy may be treated as warranties or representations subject to enforcement and thus should calibrate any public disclosures (including bankruptcy court filings and press releases) to avoid inadvertently creating regulatory obligations.
- Consider whether existing consents remain valid under applicable privacy laws (e.g., state privacy statutes that require opt-in for sensitive data processing) if data practices are modified as part of an acquisition, in order to mitigate regulatory risk and preserve consumer trust.
- Consider whether any changes with the shift in corporate ownership are consistent with data subjects’ expectations, contractual privacy notices, and applicable statutes during the negotiation of a sale with another entity, the selling company should also consider.
Additionally, a shift in corporate ownership to a foreign-linked buyer triggers additional regulatory considerations such as:
- Whether consumer data will remain under U.S. jurisdiction and be subject to equivalent safeguards
- Whether wholly new processing, cross-border transfer, or subsequent data sharing will occur
- Whether bankruptcy sales involving foreign-linked buyers may trigger voluntary or mandatory CFIUS filings, even absent typical acquisition thresholds
- Whether mitigation measures (e.g., data localization, firewalls) will need to be negotiated to secure regulatory comfort
Companies would further be well advised to take proactive steps before being at the doorstep of a merger, sale, or bankruptcy proceeding, especially where consumer data constitutes a core asset. Bankruptcy is not a regulatory off-ramp. Ownership shifts involving the transfer of consumer data and sensitive technology can trigger scrutiny.
Effective data governance should be treated as an enterprise-risk function, not a transaction-specific exercise. Practitioners should advise clients to inventory and classify data assets, map data flows, and identify which datasets are subject to heightened legal protections or consent requirements. Privacy Notices, internal policies, and public statements should be drafted with potential future sales or acquisitions in mind, clearly articulating how data may be used or transferred in the event of a corporate transaction. Companies should also ensure that technical and contractual controls – such as access restrictions, data localization commitments, and successor-in-interest clauses – are in place to operationalize any representations. Regular audits and cross-functional coordination between legal, compliance, IT, and communications teams can further ensure that privacy commitments are consistently implemented and defensible if scrutinized by regulators or courts.