23andMe bankruptcy highlights need for data protection law

It’s not clear who might buy that data, or why — and many customers have no desire to find out. Many have been rushing to delete their data. (Attorney General Andrea Campbell has published a how-to guide, as has the Globe.)

The concern is that while 23andMe has a strong privacy policy, a company that buys its data might not. The chairman of the Federal Trade Commission has asked that any buyer be bound by the company’s existing policy. But that decision will be made by the court.

State laws can provide some limits on what a prospective buyer could do with 23andMe’s data. Led by California, around 20 states — not including Massachusetts — have enacted consumer data privacy laws, which differ in the details but broadly govern how businesses can use private data and what control consumers have over how personal data are used.

For example, many of these laws give consumers the right to delete their data at any time or opt out of targeted advertising based on their data.

Massachusetts does not have a comprehensive consumer data privacy bill, although several versions of bills are pending in the Legislature.

“Right now, Massachusetts consumers are at a huge disadvantage when it comes to the relationships that they enter into with private companies that collect sensitive information about them and their families,” said Kade Crockford, director of technology and justice programs at the American Civil Liberties Union of Massachusetts.

Practically, many multistate companies will offer identical privacy policies nationwide that conform to the requirements of states with stricter laws.

But some companies segment their data so different rules apply in different states. Passing a law in Massachusetts would ensure Massachusetts consumers have optimal protection. If a company violates consumer privacy, a Massachusetts law would give the attorney general authority to sue on behalf of consumers.

One version of a comprehensive data privacy bill could directly affect a case like the 23andMe bankruptcy. It would require that if a company acquires a consumer’s personal data through a sale, merger, or bankruptcy, the consumer needs to be told who is acquiring their data and what their privacy policy is. They also must be given an opportunity to delete their data or withdraw consent for them to be used.

More broadly, versions of these bills being considered by lawmakers would limit how companies can use personal or sensitive information, ban the sale of sensitive data, and allow an individual to sue if privacy law is breached.

State Senator Barry Finegold (D-Andover), who cochairs the Joint Committee on Economic Development and Emerging Technologies, said, “I think the lesson learned from 23andMe is that nothing’s ever guaranteed.” Finegold said policies need to be in place so consumers are informed if their data are sold. “The biggest thing we’re focused on is to make sure people are fully aware where their information goes,” he said.

Ideally, a privacy policy would be passed by Congress rather than through a patchwork of state laws. The European Union, for example, has the General Data Protection Regulation, which sets out the rights of consumers and the responsibilities of any organization that collects personal data in European member states.

But given the unlikelihood of Congress acting on the issue, regulation has largely been left up to states.

In a letter she wrote to the Legislature last year, Campbell expressed support for comprehensive data privacy protection that offers consumers choice and control over how their data are used; gives extra protection to sensitive data like location or health information; and gives the attorney general authority to enforce the law and adapt it to new technologies.

If it has any silver lining, the 23andMe bankruptcy could be the spur that lawmakers need to get a data privacy bill done.

Editorials represent the views of the Boston Globe Editorial Board. Follow us @GlobeOpinion.