Many consumers are rushing to delete their data from 23andMe, a genetic testing company, amid concerns that a buyer could potentially misuse it. However, while 23andMe has a strong privacy policy, it is unclear who might buy the data or why — and many customers have no desire to find out. In fact, some have been deleting their data in a panic, with Attorney General Andrea Campbell publishing a how-to guide to help them do so. The concern is that while 23andMe has a robust privacy policy, a company that buys its data might not adhere to the same standards. The chairman of the Federal Trade Commission has requested that any buyer be bound by 23andMe’s existing policy. However, this decision will be made by the court, leaving the outcome uncertain. State laws can provide some limits on what a prospective buyer could do with 23andMe’s data. In the United States, around 20 states — excluding Massachusetts — have enacted consumer data privacy laws that govern how businesses can use private data and what control consumers have over how personal data are used. These laws vary in detail but generally provide consumers with rights such as:
* Deleting their data at any time
* Opting out of targeted advertising based on their data
* Receiving clear and concise notifications when their data is being used
Massachusetts, on the other than, does not have a comprehensive consumer data privacy bill. Although several versions of bills are pending in the Legislature, the state remains at a disadvantage when it comes to consumer data protection. “Right now, Massachusetts consumers are at a huge disadvantage when it comes to the relationships they enter into with private companies that collect sensitive information about them and their families,” said Kade Crockford, director of technology and justice programs at the American Civil Liberties Union of Massachusetts. “This lack of protection creates an environment in which consumers are vulnerable to exploitation and abuse.”
Some multistate companies may offer identical privacy policies nationwide that conform to the requirements of states with stricter laws. However, some companies segment their data, applying different rules in different states. Passing a law in Massachusetts would ensure that state consumers have optimal protection. If a company violates consumer privacy, a Massachusetts law would give the attorney general authority to sue on behalf of consumers. This would provide a much-needed safeguard against companies that may not adhere to the same standards as 23andMe. One version of a comprehensive data privacy bill could directly affect a case like the 23andMe bankruptcy. Such a bill would require that if a company acquires a consumer’s personal data through a sale, merger, or bankruptcy, the consumer needs to be told who is acquiring their data and what their privacy policy is. They also must be given an opportunity to delete their data or withdraw consent for it to be used. More broadly, versions of these bills being considered by lawmakers would limit how companies can use personal or sensitive information, ban the sale of sensitive data, and allow an individual to sue if privacy law is breached. State Senator Barry Finegold, who co-chairs the Joint Committee on Economic Development and Emerging Technologies, said, “I think the lesson learned from 23andMe is that nothing’s ever guaranteed.” He emphasized the importance of policies that inform consumers about where their data goes and allow them to exercise control over how it is used. Ideally, a privacy policy would be passed by Congress rather than through a patchwork of state laws. The European Union, for example, has the General Data Protection Regulation, which sets out the rights of consumers and the responsibilities of any organization that collects personal data in European member states. However, given the unlikelihood of Congress acting on the issue, regulation has largely been left up to states. In a letter, Attorney General Andrea Campbell expressed support for comprehensive data privacy protection that offers consumers choice and control over how their data are used; gives extra protection to sensitive data like location or health information; and gives the attorney general authority to enforce the law and adapt it to new technologies. If there is any silver lining to the 23andMe bankruptcy, it could be the potential to spur lawmakers into action on data privacy legislation. The uncertainty surrounding the sale of 23andMe’s data has already prompted some consumers to delete their data in a panic. However, a well-crafted data privacy bill could provide a much-needed framework for protecting consumers and ensuring that their data is used responsibly.