Landmark Massachusetts Data Privacy Act Approved by Legislative Committee

(BOSTON 5/6/2024) Today, Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity chairs Representative Tricia Farley-Bouvier and Senator Michael Moore announced that a wide-ranging bill which grants consumers new rights over their personal data has been reported favorably out of Committee. The Massachusetts Data Privacy Act (MDPA) establishes baseline data minimization standards by restricting data holders to collecting and processing only what is reasonably necessary and proportional to their lawful purpose. The MDPA will ensure greater accountability of companies and grant user data privacy protections to those present in Massachusetts and residents of the state. Highlighted in this bill are strong protections for children, defined as anyone under 18 years, from targeted advertising and the transfer of their data without express consent.

“With so much of our lives happening online, it can be hard to know who is collecting your data, how much they know about you, and what they’re doing with that information,” said Senator Michael Moore (D-Millbury). “The Massachusetts Data Privacy Act gives everyday Bay Staters the right to better control their data and grants them the ability to simply say no when it comes to invasive data collection practices. Further, it protects users’ most sensitive data from being used for targeted advertising, including information on race, sexual orientation, religious beliefs, and whether one has been a victim of a crime. I’m proud to have collaborated with my co-chair Representative Tricia Farley-Bouvier and thank her for her leadership on this critical topic. This bill will bring accountability to invasive tech companies, and I look forward to continuing the conversation about digital consumer protections as this legislation makes its way through the State House.”

“We rely on technology daily, but these companies are collecting more of our data than ever before and then legally selling this information, rarely with the consumer’s knowledge,” said House Chair Tricia Farley-Bouvier (D-Pittsfield). “At a juncture where the collection and sale of what should be private data is a matter of public safety and security, the Massachusetts Data Privacy Act is a critical step to hold companies accountable and establish consumer protection in Massachusetts. We must take action to protect the people of the Commonwealth, especially children, and their private data.”

The MDPA reflects efforts to keep the Commonwealth up to date with the bipartisan federal consensus model for data privacy in three ways: establishing baseline data minimization standards by restricting data holders to only collect and process data that is reasonably necessary and proportional to their purpose; recognizing and reflecting their role in collecting, processing, and transferring data; and banning the commercial sale of geolocation information and targeted advertising to minors.

As proposed in the MDPA, important data subject rights extend to all individuals located in Massachusetts, such as the right to access their personal information, the right to opt out of certain processes such as targeted advertising, and the right to delete certain information.

The MDPA would also provide a variety of meaningful enforcement mechanisms. The Attorney General is empowered to enforce the MDPA under its own terms and as a violation of the Commonwealth’s consumer protection law, Chapter 93A. Consumers are also able to bring claims on their own behalf through a private right of action.

More Restrictive Standards for Sensitive Covered Data

The bill specifies that sensitive data, as defined below, cannot be processed for the purposes of targeted advertising. Covered entities cannot engage in targeted advertising to minors, nor can covered entities transfer an individual’s sensitive covered data to a third party without the affirmative express consent of the individual.

Sensitive data includes information such as precise geolocation information, biometric or genetic information, the data of a minor (anyone under 18), government-issued identifiers, and data that reveals an individual’s:

  • race, color, ethnicity, or national origin

  • sex or gender identity and sexual orientation

  • religious beliefs

  • citizenship or immigration status

  • military service

  • status as a victim of a crime

Outlines Acceptable Consent Practices

The legislation states that covered entities must issue clear and conspicuous requests for consent to collect and process information with reasonably understandable language, and explain an individual's applicable rights. Requests for consent must be displayed at or before the point of collection of information, and need to include a description of what information will be collected and the purpose for collection.

Covered entities cannot infer that an individual has provided consent via their inaction (e.g., clicking out of the consent request without confirming choices does not equate to consent).

Privacy by Design

Bill language states that covered entities are required to establish, implement, and maintain reasonable policies, practices, and other procedures that reflect their role in collecting, processing, and transferring data. These policies and practices should identify, assess, and mitigate privacy risks as a whole and implement reasonable training and safeguards to promote compliance with all privacy laws applicable to covered data the covered entity collects, processes, or transfers.

Additional Provisions of the Massachusetts Data Privacy Act include:

  • Privacy Policy Notice Requirements

  • Data Broker Registration with the Office of Consumer Affairs and Business Regulation

  • Attorney General Regulatory Authority

  • Bans the Commercial Sale of Location Information

The Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity’s action comes two months following President Biden’s Executive Order to Protect Americans’ Sensitive Personal Data. Additionally, this action comes in the wake of Senator Wyden’s Letter to the FTC and SEC after a broker sold phone location data to target visitors at hundreds of reproductive health clinics and Senator Markey’s letter to car makers regarding the advancement in car technology and consumer data privacy. These increasing calls for company accountability and enhanced data privacy for consumers reflect a lack of comprehensive federal action and showcase the urgency to act to protect Massachusetts consumers.

Having been approved by the Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity, the bill now will move forward to the Senate and House Committee on Ways and Means for further review.
