Residents of the Commonwealth have become targets of scam artists and predatory merchants who take possession of residents’ identifying information, steal it and use it for their own purposes. This Act determines that each person owns his/her own identity and identifying information, limits the circumstances under which others can obtain access to and use that information and creates both criminal penalties and civil remedies. All persons shall be free to conduct their affairs using United States currency. Each person domiciled within the Commonwealth owns his/her own identity as this is contained in his/her social security number, driver’s license number, account numbers in financial institutions, retail store accounts, credit cards and all other account numbers of all kinds and varieties. Each person has a compelling and legitimate interest in maintaining privacy and preserving confidentiality of all such account numbers. The Commonwealth has a compelling interest in protecting the identity of its domiciliaries.
1. The term “account number” shall include, but not be limited to, each person’s social security number, driver’s license number, license plate number, bank account number, credit card number, account number at a retail store which sells goods or services, account number at a business which sells goods or services on-line, telephone number and all other account numbers of all kinds and varieties.
2. The term “person” shall mean all human beings domiciled within the Commonwealth of Massachusetts or who purchases goods or services within the Commonwealth or who transact business within the Commonwealth.
3. The term “company” shall mean all corporations, partnerships, limited liability companies, limited liability partnerships, legal entities and persons engaged in trade or commerce within the Commonwealth.
4. The terms contained herein, if not otherwise defined, shall have the meanings given to them in G. L. 93A.
5. No person or company engaged in trade or commerce within the Commonwealth shall have the right to obtain, possess, sell, lend, distribute, disseminate or use any person’s account number without his/her prior written permission except that:
a) When a person charges goods or services purchased by the use of a credit card or account number, the seller of those goods and services may obtain the person’s credit card number or account number and may retain it until such time as the seller has been paid for those goods and services. The seller and/or vendor shall permanently and irrevocably destroy the purchaser’s account number within 120 days of receipt of payment.
b) A company engaged in the business of issuing credit cards may obtain and use a person’s account number with its business for the purposes of processing transactions made by that person using that account. It may not, however, sell, lend, distribute, use or disseminate that person’s account number or other information about the person for any other purpose or turn it over to any other person in the absence of a duly issued court order.
c) A seller or vendor of goods or services may require a person who wishes to pay by check to display a photo identification such as a driver’s license or passport to ensure that person’s identity and may record the purchaser’s license number or passport number. The seller or vendor may retain information obtained from seeing those until after the purchaser’s check has cleared and the seller has been paid. The seller shall permanently and irrevocably destroy all records the purchaser’s bank account number and his/her driver’s license number and/or passport number and any copies of the person’s photograph within 120 days of receipt of payment. The seller or vendor may not use this information for any other purpose or turn it over to any other person in the absence of a duly issued court order.
d) Financial institutions which are required by Federal or State law to obtain social security numbers from their customers may obtain, keep and use those numbers but may do so solely for the purposes of complying with Federal or State law. They may not turn over or deliver that information to any other person in the absence of a duly issued court order.
e) Companies which extend credit within the Commonwealth may seek and obtain account numbers from persons who apply for credit and may keep this information in their records until such time as the indebtedness for which the credit has been applied and granted is fully paid. Within one hundred twenty days after the indebtedness has been paid, the financial institution shall permanently and irrevocably destroy all records of the person’s account numbers. The companies may not use this information for any other purpose. Companies which extend credit within the Commonwealth may not disseminate the information received on applications for credit to any third persons except to the extent necessary to verify the truthfulness of an applicant’s statements on his/her application for credit. All companies to which said information is disseminated shall destroy that information completely and irrevocably within one hundred twenty days of responding to a request.
f) A telephone company may make and keep records of the persons who have telephone numbers within the Commonwealth of the phone calls made by its customers. Within thirty days after the person pays his/her telephone bill, the telephone company shall permanently and irrevocably destroy all records of the phone numbers to which the persons who are its customers placed calls and all records of numbers from which calls were placed to the person and all records of the cell towers accessed and/or used. A telephone company may keep records beyond thirty days if, and only if, a court of competent jurisdiction has issued an order directing it to do so. In the event that a telephone company receives notice of an application for an order or an order or other legal process which compels it to disclose any information about a person’s use of his/her telephone or cell towers, the telephone company shall immediately give written notice to said person unless a court of competent jurisdiction has ordered it not to do so. If a court has ordered a telephone company not to identify its customer of the existence of an order requiring that company to disclose its customer’s telephone records, it shall immediately notify the Attorney General in writing.
g) Sellers of firearms, ammunition and explosives may create, keep and disseminate records of such purchases as required by Federal law and the laws of the Commonwealth. They may not allow access to said information, use it, sell it, lend it or otherwise disseminate it without each person’s written permission, a duly issued search warrant or order of a Court of competent jurisdiction.
h) A company may comply with a duly issued search warrant or order of a court of competent jurisdiction. Provided, however, the company shall immediately give notice in writing, by first class mail, to the owner of each account number that is the subject of a search warrant and/or court order unless the court has specifically directed that no notice be given. If an order directs that no notice be given to a customer, then the company shall immediately notify the Attorney General.
i) If a person wishes to allow credit card, account information or other documents to be used by a company in connection with regularly occurring purchases of goods and services, such as utility bills, oil supplies or propane supplies, that person may provide written permission allowing for this use for a maximum period of one year. Any company engaging in such transactions shall obtain permission using a document made of paper and ink and shall keep it in paper format only. No company may seek this permission by e-mail or other electronic transmission but shall seek it using the United States mail. Any person granting this permission may extend it for one year, or any successive year, by executing written instruments which shall be signed on paper, and kept only on paper. No company possessing this information may use it for any other purpose.
6. No company may create, maintain, keep, use or disseminate any information, accounts or records of the purchases of goods or services made by persons who purchase goods or services. Provided, however, persons who wish to maintain accounts with the sellers of goods and services may do so by agreeing to have an account in that person’s name opened. Companies which offer such accounts must charge the same prices for their goods and services to those who have accounts and those who do not. It shall be a knowing, willful, unfair and deceptive practice for any company to (i) charge more for its goods and services to those who do not have accounts than it charges to those who do have accounts; (ii) to offer to charge less to persons who disclose their identities or account information; (iii) to refuse or fail to sell goods and services for cash, to charge more for sales in cash or to charge more for sales using credit or debit cards; or (iv) disseminate, sell, loan or use information about a person’s account for any purpose other than to service that account with that company. It is the intent of this subsection to make it unlawful for companies to offer “discounts” to those who use cards or other identifying media which allow the companies to track their customers’ activities and/or purchases and which charge more to those who do not use or have those cards or media.
7. No company engaged in trade or commerce may keep its records as to domiciliaries of the Commonwealth outside of the Commonwealth or send them outside of the Commonwealth without complying fully with the provisions of this Act. If records as to persons domiciled within the Commonwealth are kept outside the Commonwealth, the companies shall comply with this Act as to all such persons regardless of where the records are kept.
8. No agency of the Commonwealth of Massachusetts, no city, town or other governmental entity shall seek, use, obtain, possess, sell, lend or disseminate any person’s account numbers for any purpose other than to perform its own specific governmental function. No agency of the Commonwealth of Massachusetts, no city, town or other governmental entity shall seek, obtain, possess, sell, lend, disseminate or permit access to any person’s account numbers to any person, person or company engaged in trade or commerce or an agency of any governmental body unless the person, company or agency seeking access has obtained either a duly authorized search warrant or order of a Court of competent jurisdiction or the person has given written permission in accordance with this Act.
9. The Commonwealth, its employees and agents shall safeguard all account numbers, tax records and identifying information as to residents of the Commonwealth and shall not cause or allow that information to be disclosed to others without the prior written consent of the resident or a duly issued order of the Superior Court or of the United States District Court or of the United States Bankruptcy Court or, in connection with marital or child support issues, the Probate and Family Court. The Commonwealth shall have a fiduciary duty to protect all account numbers, tax records and identifying information as to residents of the Commonwealth. In the event of disclosure, the Commonwealth shall compensate all persons whose information was disclosed for all direct, indirect and consequential harm. It shall pay the resident’s reasonable legal fees and costs incurred in any law suit to enforce rights protected by this act resulting in a judgement in the resident’s favor.
10. Any permission given by a person to allow access to another to gain access to his/her account numbers shall be written and signed on paper as a separate written instrument. Any permission given by way of a click on an electronic form shall not be of any force or effect and shall be null and void. No such permission may be granted on a form which contains any other terms or provisions. No language contained in boilerplate or other similar forms shall be effective to give any permission required by this Act. Any permission granted shall expire automatically within ninety days of being given. Provided, however, this provision shall not apply to executors, executrix, administrators or personal representatives of estates, guardians or conservators appointed by courts of competent jurisdiction and holders of durable powers of attorney or health care proxies.
11. All companies engaged in trade and commerce within the Commonwealth and each agency of the Commonwealth, a city, town or other governmental body shall immediately give written notice to all persons whose account numbers it possesses in writing sent by United States Mail, first class, whenever it allows access to that person’s account numbers or sells, lends or disseminates any of said account numbers. If a company or agency fails to send such notice, then it shall be strictly liable to each person in the amount of the greater of (i) $100 per each unauthorized release, possession, lending or dissemination of an account number or (ii) any and all harm, whether financial or otherwise, suffered by the person plus punitive damages and attorneys fees. The “economic loss rule” shall not limit or bar any claim under this Act. Each person shall have the right to seek damages under this provision in his or her own name.
12. If any company engaged in trade or commerce or any agency of the Commonwealth, city, town or other governmental agency seeks, possesses, sells, lends or disseminates a person’s account number for any purpose other than authorized herein, then it shall be strictly liable to the person for the greater of (i) $100 per each unauthorized seeking, possession, lending or dissemination or (ii) any and all harm, whether financial or otherwise, suffered by the person plus punitive damages and attorneys fees. The “economic loss rule” shall not limit or bar any claim under this Act. Each person shall have the right to seek damages under this provision in his or her own name.
13. No company engaged in trade or commerce within the Commonwealth and no agency of the Commonwealth, city, town or other governmental agency may require any person to submit his/her claims under this act to decision by arbitration. Any effort to require a person to submit claims under this Act to arbitration shall be void, violative of public policy and a knowing, willful, unfair and deceptive trade practice. No Court of the Commonwealth shall have jurisdiction to enforce any arbitration provision which impacts the provisions of this Act or to enforce and/or confirm any arbitration order or decision which impacts any person’s rights under this Act. All persons bringing claims under this Act shall have the right to a trial by jury.
14. In the event that a class action is brought under this Act and a court certifies a class, the company which is the subject of said suit shall notify all persons whose rights might be impacted by the action by first class mail, postage pre-paid. Publication may be required by the court having jurisdiction over the class action but this shall be in addition to, and not a substitute for notice by first class mail.
15. The attorney general and the several district attorneys shall have the authority to bring actions in equity in the name of the Commonwealth to enforce the provisions of this Act and to obtain reimbursement for any attorneys’ fees and costs incurred by them in the effort in the event that a judgment enters in favor of the Commonwealth. They shall also have the right to seek punitive damages in an amount not to exceed the total number of persons effected, multiplied time the total number of transactions, multiplied by $10.00 (ten dollars), multiplied by a multiplier of not less than two nor more than ten.
16. Any company or person engaged in trade or commerce within the Commonwealth which knowingly, willfully or with gross negligence allows access to a person’s account number, or who sells, uses, lends or disseminates a person’s account number except as provided for herein shall be punished by a fine of not less than $10.00 per account number released, per release, and not more than $10,000 per account number released, per release. The attorney general and the several district attorneys shall have the authority to bring criminal prosecutions under this provision. Payment of punishment shall not release the company’s civil liability to any person whose account number was sought, sold, loaned or disseminated. If a company prosecuted under this Act fully and completely compensates all persons whose account numbers have been disclosed without notice and all persons whose account numbers were sold, loaned, disclosed, disseminated or released, then the Court shall consider this as mitigation in imposing a sentence but only if the Company has not previously been convicted under this Act.
17. Each person domiciled within the Commonwealth of Massachusetts shall have an expectation of privacy as to all of his/her account numbers, license numbers and other electronic records. All companies which possess or have access to this information shall have a fiduciary duty to said persons and shall be strictly liable in the event of possession, use or disclosure except as provided for herein. Any possession, use or disclosure of said information not in conformity with this act shall be deemed to be a knowing, willful, unfair and deceptive trade and/or practice within the meaning of G.L. c. 93A.
18. Prior to commencing an action under G.L. c. 93A, a person/consumer shall send the demand letter required by G.L. c. 93A §2. The provisions of G.L. c. 93A shall then apply.
19. The Commonwealth shall not keep or maintain any electronic information accessible via the internet which contains the social security numbers, financial information, employer identification numbers or other confidential information. If the Commonwealth uses electronic devices such as computers to keep and store tax information, those devices shall not be connected to the internet or any other device which allows remote access.
20. G.L. c. 93H, Section 2 shall be repealed and replaced by:
The department of consumer affairs and business regulation shall adopt regulations relative to any person that owns, possesses or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated and the provisions and intent of this Act. The objectives of the regulations shall be to: insure the security and confidentiality of customer information; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. The supervisor of records, with the advice and consent of the information technology division to the extent of its jurisdiction to set information technology standards under paragraph (d) of section 4A of chapter 7, shall establish rules or regulations designed to safeguard the personal information of residents of the commonwealth that is owned or licensed. Such rules or regulations shall be applicable to: (1) executive offices and any agencies, departments, boards, commissions and instrumentalities within an executive office; and (2) any authority created by the General Court, and the rules and regulations shall take into account the size, scope and type of services provided thereby, the amount of resources available thereto, the amount of stored data, and the need for security and confidentiality of both consumer and employee information. The objectives of the rules or regulations shall be to: insure the security and confidentiality of personal information; protect against anticipated threats or hazards to the security or integrity of such information; and to protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any resident of the commonwealth. The legislative branch, the judicial branch, the attorney general, the state secretary, the state treasurer and the state auditor shall adopt rules or regulations designed to safeguard the personal information of residents of the commonwealth for their respective departments.
21. The liability of the Commonwealth and of its subdivisions shall not exceed $100,000.00 as to each matter, transaction or event.
22. If any provision of this Act is found to be unconstitutional, then the remainder of the Act shall remain in full force and effect, all to provide the persons residing within this Commonwealth with the greatest privacy of account numbers and other identifying information permissible.
The information contained in this website is for general information purposes only. The General Court provides this information as a public service and while we endeavor to keep the data accurate and current to the best of our ability, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.