SECTION 1. Chapter 149A of the General Laws, as appearing in the 2020 Official Edition, is hereby amended by adding the following chapter:
Chapter 149B
Section 1. Definitions
(a) As used in this chapter, the following words shall, unless a different meaning is required by the context or is specifically prescribed, have the following meanings:
“Authorized representative” , any person or organization appointed by the worker to serve as an agent of the worker. Authorized representative shall not include a worker’s employer.
“Automated Decision System (ADS)” or “algorithm” , a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes or assists an employment-related decision.
“Automated Decision System (ADS) output” , any information, data, assumptions, predictions, scoring, recommendations, decisions, or conclusions generated by an ADS.
“Data,” or “worker data” , any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular worker, regardless of how the information is collected, inferred, or obtained. Data includes, but is not limited to, the following:
(i) Personal identity information, including the individual’s name, contact information, government-issued identification number, financial information, criminal background, or employment history.
(ii) Biometric information, including the individual’s physiological, biological, or behavioral characteristics, including the individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with other data, to establish individual identity.
(iii) Health, medical, lifestyle, and wellness information, including the individual’s medical history, physical or mental condition, diet or physical activity patterns, heart rate, medical treatment or diagnosis by a healthcare professional, health insurance policy number, subscriber identification number, or other unique identifier used to identify the individual.
(iv) Any data related to workplace activities, including the following:
(1) Human resources information, including the contents of an individual’s personnel file or performance evaluations.
(2) Work process information, such as productivity and efficiency data.
(3) Data that captures workplace communications and interactions, including emails, texts, internal message boards, and customer interaction and ratings.
(4) Device usage and data, including calls placed or geolocation information.
(5) Audio-video data and other information collected from sensors, including movement tracking, thermal sensors, voiceprints, or faction, emotion, and gait recognition.
(6) Inputs of or outputs generated by an ADS that are linked to the individual.
(7) Data that is collected or generated on workers to mitigate the spread of infectious diseases, including COVID-19, or to comply with public health measures.
(v) Online information, including an individual’s Internet Protocol (IP) address, private social media activity, or other digital sources or unique identifiers associated with a worker.
“Department” , the department of labor & workforce development.
“Electronic monitoring” , the collection of information concerning worker activities or communications by any means other than direct observation, including the use of a computer, telephone, wire, radio, camera, electromagnetic, photoelectronic, or photo-optical system.
“Employer” , any person who directly or indirectly, or through an agent or any other person, employs or exercises control over the wages, benefits, other compensation, hours, working conditions, access to work or job opportunities, or other terms or conditions of employment, of any worker, including any of the employer’s labor contractors.
“Employment-related decision” , any decision made by the employer that affects wages, benefits, other compensation, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job content, assignment of work, access to work opportunities, productivity requirements, workplace health and safety, and other terms or conditions of employment. For independent contractors or job applicants, this means the equivalent of these decisions based on their contract with or relationship to the employer.
“Essential job functions” , the fundamental duties of a position, as revealed by objective evidence, including the amount of time workers spend performing each function, the consequences of not requiring individuals to perform the function, the terms of any applicable collective bargaining agreement, workers’ past and present work experiences and performance in the position in question, and the employer’s reasonable, nondiscriminatory judgment as to which functions are essential. Past and current written job descriptions and the employer’s reasonable, nondiscriminatory judgment as to which functions are essential may be evidence as to which functions are essential for achieving the purposes of the job, but may not be the sole basis for this determination absent the objective evidence described in this section.
“Impact assessment” , the ongoing study and evaluation of a data collection system or an automated decision system and its impact on workers.
“Productivity system” , a management system that monitors, evaluates, or sets the amount and quality of work done in a set time period by workers.
“Secretary” , the secretary of the executive office of labor and workforce development
“Third party” , a person who is not one of the following:
(i) The employer.
(ii) A vendor or service provider to the employer.
(iii) A labor or employee organization within the meaning of state or federal law.
“Worker” , any natural person or their authorized representative acting as a job applicant to, an employee of, or an independent contractor providing service to, or through, a business in any workplace. This term includes state workers, with the limitations established in section 6.
“State worker”, any natural person or their authorized representative acting as a job applicant to, an employee of, or an independent contractor providing service to, or through, a state or local governmental entity in any workplace.
“Worker Information System (WIS)” , a process, automated or not, that involves worker data, including the collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, sharing, disclosure, dissemination, combination, restriction, erasure, or destruction of worker data. A WIS does not include an ADS.
“Workplace” , a location within Massachusetts at which or from which a worker performs work for an employer.
“Vendor” , an entity engaged by an employer or an employer’s labor contractors, to provide software, technology, or a related service that is used to collect, store, analyze, or interpret worker data or worker information.
Section 2. Notice of data collection
(a)An employer that controls the collection of worker data shall, at or before the point of collection, inform the workers as to all of the following:
(i)The specific categories of worker data to be collected, the specific purpose for which the specific categories of worker data are collected or used, and whether and how the data is related to the worker’s essential job functions.
(ii)Whether and how the data will be used to make or assist an employment-related decision, including any associated benchmarks.
(iii)Whether the data will be deidentified.
(iv)Whether the data will be used at the individual level, in aggregate form, or both.
(v)Whether the information is being disclosed or otherwise transferred to a vendor or other third party, the name of the vendor or third party, and for what purpose.
(vi)The length of time the employer intends to retain each category of worker data.
(vii)The worker’s right to access and correct their worker data.
(viii)Any data protection impact assessments, and the identity of any worker information systems, that are the subject of an active investigation by the department.
(b)Notice may be given after the point of collection only if at least one of the following conditions is met:
(i)Collection is necessary to preserve the integrity of an investigation of wrongdoing.
(ii)Earlier notice would violate the requirements of federal, state, or local laws or regulations.
(iii)Earlier notice would violate a court order.
(c)If an employer discloses worker data to a vendor, third party, or state or local government, the employer must provide affected workers with notice that includes the information specified in subsection (a).
(d) An employer shall provide a copy of the above notice to the department.
Section 2A. Right of employee to request information
(a)An employer, or a vendor acting on behalf of an employer, that collects, stores, analyzes, interprets, disseminates, or otherwise uses worker data shall provide the following information to the worker, in an accessible manner, upon receipt of a verifiable request:
(i)The specific categories and specific pieces of worker data that the employers, or a vendor acting on behalf of any employer, retains about that work.
(ii)The sources from which the data is collected.
(iii)The purpose for collecting, storing, analyzing, or interpreting the worker data.
(iv)Whether and how the data is related to the worker’s essential job functions, including whether and how the data is used to make or assist an employment-related decision.
(v)Whether the data is being used as an input in an ADS, and if so, what ADS output is generated based on the data.
(vi)Whether the data was generated as an output of an ADS.
(vii)The names of any vendors or third parties, from whom the worker data was obtained, or to whom an employer or vendor acting on behalf of an employer has disclosed the data, and the specific categories of data that was obtained or disclosed.
(b) When complying with a worker’s request for data access, the employer shall not disclose personal identity information of any individual other than the worker who submitted the request.
(c) Information provided by an employer or a vendor acting on behalf of an employer to a worker pursuant to subsection (a) shall be provided as follows:
(i)At no cost to the worker.
(ii)In an accessible format that allows the worker to transport it to another entity without hindrance.
(iii)In a timely manner upon receipt of the verifiable request.
(d)For purposes of this section, a “verifiable request” is a request made by a worker that the business can reasonably verify.
Section 2B. Data accuracy
(a)An employer shall ensure that worker data is accurate and, where relevant, kept up to date.
(b)A worker shall have the right to request an employer to correct any inaccurate worker data about the worker that the employer maintains.
(c)An employer that receives a verifiable request to correct inaccurate worker data shall respond to the worker’s request as follows:
(i)An employer shall investigate and determine whether the disputed worker data is inaccurate.
(1)If an employer determines that the disputed worker data is inaccurate, the employer shall do all of the following:
a)Promptly correct the disputed worker data and inform the worker of the employer’s decision and action.
b)Review and adjust as appropriate any employment-related decisions or ADS outputs that were partially or solely based on the inaccurate data, and inform the worker of the adjustment.
c)Inform any third parties with which the employer shared the inaccurate worker data, or from which the employer received the inaccurate worker data, and direct them to correct it.
(2)If an employer, upon investigation, determines that the disputed worker data is accurate, the employer shall inform the worker of the following:
a)The decision not to amend the disputed worker data.
b)The steps taken to verify the accuracy of the worker data and the evidence supporting the decision not to amend the disputed worker data.
(ii)An employer is not obligated to change the disputed worker data when the disputed worker data consists of subjective information, opinions, or other non verifiable facts, if the employer does all of the following:
(1)Documents that the disputed worker data consists of subjective information and notes the source of the subjective information.
(2)Informs the worker of its decision to deny the request to change the disputed worker data.
(iii)An employer shall not process, use, or make any employment-related decision based on disputed worker data while the employer is in the process of determining its accuracy.
Section 2C. Management of Worker Data
(a)An employer or vendor acting on behalf of an employer shall not collect, store, analyze, or interpret worker data unless the data is strictly necessary to accomplish any of the following purposes:
(i)Allowing a worker to accomplish an essential job function.
(ii)Monitoring production processes or quality.
(iii)Assessment of worker performance.
(iv)Ensuring compliance with employment, labor, or other relevant laws.
(v)Protecting the health, safety, or security of workers.
(vi)Additional purposes to enable business operations as determined by the department.
(b)An employer or a vendor acting on behalf of an employer shall not collect, store, analyze or interpret worker data unless such collection, storage, analysis, or interpretation is:
(i)necessary to accomplish a purpose mentioned in (a);
(ii)the least invasive means that could reasonably be used to accomplish such purpose; and
(iii)limited to the smallest number of workers.
(c)An employer or vendor acting on behalf of an employer shall collect, store, analyze and interpret the least amount of worker necessary to accomplish the purpose mentioned in (a).
(d)An employer or a vendor acting on behalf of an employer shall not use worker data for purposes other than those specified in the provided notice.
(e)An employer or a vendor acting on behalf of an employer shall not sell or license worker data, including deidentified or aggregated data, to a vendor or third party, including another employer.
(f)An employer or vendor acting on behalf of an employer shall not disclose or transfer worker data to a vendor or third party unless the following conditions are met:
(i)Vendor or third-party access to the worker data is pursuant to a contract with the employer and the contract prohibits the sale or licensing of the data.
(ii)The vendor or third party implements reasonable security procedures and practices appropriate to the nature of the worker data to protect the data from unauthorized or illegal access, destruction, use, modification, or disclosure.
(g)An employer or vendor acting on behalf of an employer shall not transfer or otherwise disclose biometric, health, or wellness data to any third party unless required under state or federal law.
(h)An employer or vendor acting on behalf of an employer shall not share worker data with the state or local government unless allowed under this part or otherwise necessary to do the following:
(i)Provide information to the department as required by this part.
(ii)Comply with the requirements of federal, state, or local law or regulation.
(iii)Comply with a court-issued subpoena, warrant, or order.
(i)An employer or vendor acting on behalf of an employer that is in possession of biometric, health, or wellness data shall permanently destroy that data when the initial purpose for collecting the data has been satisfied or at the end of the worker’s relationship with the employer, unless there is a reasonable interest for the worker to access the data after the relationship has ended.
(j)An employer or vendor acting on behalf of an employer shall not use biometric, health or wellness data, including a worker’s decision not to participate in a wellness program, as a basis for any employment-related decision.
(k) An employer or vendor acting on behalf of an employer shall not use worker data as a basis for any employment-related decision if the collection of such data prevents compliance with meal or rest periods, use of bathroom facilities, including reasonable travel time to and from bathroom facilities, or occupational health and safety laws, as appearing in the General Laws. An employer shall not take adverse employment action against an employee, including changes to a worker’s wages, based upon an employee’s use of meal or rest periods, use of bathroom facilities, including reasonable travel time to and from bathroom facilities, or occupational health and safety laws, as appearing in General Laws.
Section 2D. Data security
(a)An employer that collects, stores, analyzes, interprets, disseminates, or otherwise uses worker data shall undertake its best efforts to implement, maintain, and keep up-to-date security protections that are appropriate to the nature of the data, and to protect the data from unauthorized access, destruction, use, modification, or disclosure. The security program shall include administrative, technical, and physical safeguards.
(b)An employer that collects, stores, analyzes, interprets, disseminates, or otherwise uses worker data in any form and that becomes aware of a breach of the security of worker data shall promptly provide written notice to each affected worker. The employer shall provide a description of the specific categories of data that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person, and what steps it will take to address the impact of the data breach on affected workers. The notification shall be made in the most expedient time possible. The employer shall promptly notify the department in writing of such a breach.
Section 2E. Vendor requirements
(a)A vendor that collects, stores, analyzes, interprets, disseminates, or otherwise uses worker data on behalf of an employer shall comply with the requirements of this chapter, and employers are jointly and severally liable if the vendor fails to do so.
(b)A vendor that collects, stores, analyzes, interprets, disseminates, or otherwise uses worker data on behalf of the employer must provide all necessary information to the employer to enable the employer to comply with the requirements of this chapter.
(c)A vendor that collects, stores, analyzes, or interprets worker data on behalf of the employer shall do all of the following upon termination of the contract with the employer:
(i)Return all of the worker data to the employer.
(ii)Delete all of the worker data.
Section 3. Electronic monitoring notice
(a)An employer or vendor acting on behalf of an employer that is planning to electronically monitor a worker shall provide a worker with notice that electronic monitoring will occur prior to conducting each specific form of electronic monitoring. Notice shall include, at a minimum, the following elements:
(i)A description of the allowable purpose that the specific form of electronic monitoring is intended to accomplish, as specified in section 2C.
(ii)A description of the specific activities, locations, communications, and job roles that will be electronically monitored.
(iii)A description of the technologies used to conduct the specific form of electronic monitoring and the worker data that will be collected as a part of the electronic monitoring.
(iv)Whether the data gathered through electronic monitoring will be used to make or inform an employment-related decision, and if so, the nature of that decision, including any associated benchmarks.
(v)Whether the data gathered through electronic monitoring will be used to assess workers’ productivity performance or to set productivity standards, and if so, how.
(vi)The names of any vendors conducting electronic monitoring on the employer’s behalf and any associated contract language related to that monitoring.
(vii)A description of a vendor or third party to whom information collected through electronic monitoring will be disclosed or transferred. The description will include the name of the vendor and the purpose for the data transfer.
(viii)A description of the organizational positions that are authorized to access the data gathered through the specific form of electronic monitoring and under what conditions.
(ix)A description of the dates, times, and frequency that electronic monitoring will occur.
(x)A description of where the data will be stored and the length it will be retained.
(xi)An explanation of why the specific form of electronic monitoring is strictly necessary to accomplish an allowable purpose described in subsection (a) of section 3C.
(xii)An explanation for how the specific monitoring practice is the least invasive means available to accomplish the allowable monitoring purpose as outlined in subsection (a) of section 3C.
(xiii)Notice of the workers’ right to access or correct the data.
(xiv)Notice of the workers’ right to recourse under section 6.
(b)Notice of the specific form of electronic monitoring shall be clear and conspicuous and provide the worker with actual notice of electronic monitoring activities. A notice that states electronic monitoring “may” take place or that the employer “reserves the right” to monitor shall not be considered clear and conspicuous.
(c)(1) An employer who engages in random or periodic electronic monitoring of workers shall inform the affected workers of the specific events which are being monitored at the time the monitoring takes place. Notice shall be clear and conspicuous. (2) Notice of random or periodic electronic monitoring may be given after electronic monitoring has occurred only if necessary to preserve the integrity of an investigation of illegal activity or protect the immediate safety of workers, customers, or the public.
(d)Employers shall provide a copy of the disclosure required by this section to the department.
Section 3A. Notice of change
An employer shall provide additional notice to workers when a significant update or change is made to the electronic monitoring or in how the employer is using it.
Section 3B. Notice of systems in use
(a) An employer shall maintain an updated list of electronic monitoring systems currently in use.
(b) (i) An employer shall annually, by January 1 of each year, provide notice to workers of all electronic monitoring systems currently in use. The notice shall include the information specified in subsection (a) of section 3.
(ii) An employer shall provide a copy of the notice provided pursuant to paragraph (1) to the department no later than January 31 of that year.
Section 3C. Restrictions on implementation of electronic monitoring
(a)An employer or vendor acting on behalf of an employer shall not electronically monitor a worker unless all of the following conditions are met:
(i)The electronic monitoring is primarily intended to accomplish any of the following allowable purposes:
(1)Allowing a worker to accomplish an essential job function.
(2)Monitoring production processes or quality.
(3)Assessment of worker performance.
(4)Ensuring compliance with employment, labor, or other relevant laws.
(5)Protecting the health, safety, or security of workers.
(6)Administering wages and benefits.
(7)Additional electronic monitoring purposes to enable business operations as determined by the department.
(ii)The specific form of electronic monitoring is strictly necessary to accomplish the allowable purpose and is the least invasive means to the worker that could reasonably be used to accomplish the allowable purpose.
(iii)The specific form of electronic monitoring is limited to the smallest number of workers and collects the least amount of data necessary to accomplish the allowable purpose.
(iv)The information collected via electronic monitoring will be accessed only by authorized agents and used only for the purpose and duration for which authorization was given as specified in the notice required by section 3.
(b)Notwithstanding the allowable purposes for electronic monitoring described in paragraph (i) of subsection (a), the following practices are prohibited:
(i)The use of electronic monitoring that results in a violation of labor and employment laws.
(ii)The use of electronic monitoring that prevents compliance with meal or rest periods, use of bathroom facilities, including reasonable travel time to and from bathroom facilities, or occupational health and safety laws, as appearing in the General Laws.
(iii)The monitoring of workers who are off-duty and not performing work-related tasks.
(iv)The monitoring of workers in order to identify workers exercising their legal rights, including, but not limited to, rights guaranteed by employment and labor law.
(v)Audio-visual monitoring of bathrooms or other similarly private areas, including locker rooms, changing areas, breakrooms, smoking areas, employee cafeterias, and lounges, including data collection on the frequency of use of those private areas.
(vi)Audio-visual monitoring of a workplace in a worker’s residence, a worker’s personal vehicle, or property owned or leased by a worker, unless that audio-visual monitoring is strictly necessary.
(vii)Electronic monitoring systems that incorporate facial recognition, gait, or emotion recognition technology.
(viii)Additional specific forms of electronic monitoring as determined by the department.
(c)Before an employer uses an electronic productivity system, the employer shall submit a summary of the system to the department, including information on the specific form of monitoring, the number of workers impacted, the data that will be collected, and how that data will be used in making employment-related decisions. Electronic productivity systems must also be reviewed by the department of labor standards before implementation to ensure electronic productivity systems do not result in physical or mental harm to workers.
(d)An employer or a vendor acting on behalf of an employer shall not require workers to either install applications on personal devices that collect or transmit worker data or to wear, embed, or physically implant those devices, including those that are installed subcutaneously or incorporated into items of clothing or personal accessories, unless the electronic monitoring is strictly necessary to accomplish essential job functions and is narrowly limited to only the activities and times necessary to accomplish essential job functions. Location-tracking applications and devices shall be disabled outside the activities and times necessary to accomplish essential job functions.
Section 3D. Employer use of electronic monitoring data
(a)An employer or vendor acting on behalf of an employer shall use worker data collected through electronic monitoring only to accomplish its specified allowable purpose.
(b)An employer or vendor acting on behalf of an employer shall not solely rely on worker data collected through electronic monitoring when making hiring, promotion, termination, or disciplinary decisions.
(i)An employer shall conduct its own assessment before making hiring, promotion, termination, or disciplinary decisions independent of worker data gathered through electronic monitoring. This includes corroborating the electronic monitoring worker data by other means, including a supervisor’s documentation or managerial documentation.
(ii)If an employer cannot independently corroborate the worker data gathered through electronic monitoring, the employer shall not rely upon that data in making hiring, promotion, termination, or disciplinary decisions.
(iii)The information and judgements involved in an employer’s corroboration or use of electronic monitoring data shall be documented and communicated to affected workers prior to the hiring, promotion, termination, or disciplinary decision going into effect.
(iv)Data that provides evidence of criminal activity, when independently corroborated by the employer, is exempt from subsection (b).
(c)An employer or vendor acting on behalf of an employer shall not solely rely on worker data collected through electronic monitoring when determining a worker’s wages.
Section 4. Automated decision systems
(a)An employer or a vendor acting on behalf of any employer shall provide sufficient notice to workers prior to adopting an ADS. An employer with an existing ADS at the time this part takes effect shall provide notice pursuant to this section within 30 day after this part takes effect.
(b)Notice required by subsection (a) shall be considered sufficient if it meets at least the following requirements:
(i)The notice is provided within a reasonable time prior to the use of the ADS.
(ii)The notice is provided to all workers affected by the ADS in the manner in which routine communications are provided to workers.
(iii)The notice contains the following information:
(1)The nature, purpose, and scope of the decisions for which the ADS will be used, including the range of employment-related decisions potentially affected and how, including any associated benchmarks.
(2)The type of ADS outputs.
(3)The specific category and sources of worker data that the ADS will use.
(4)The individual, vendor, or entity that created the ADS.
(5)The individual, vendor, or entity that will run, manage, and interpret the results of the ADS.
(6)The right to recourse pursuant to section 6 of this chapter.
(c)An employer or vendor acting on behalf of an employer shall provide a copy of the notice to the department within 10 days of distribution to workers.
Section 4A. Notice of change of automated decision systems
An employer or vendor acting on behalf of an employer shall provide additional notice to workers when any significant updates or changes are made to the ADS or in how the employer is using the ADS.
Section 4B. Tracking automated decision systems in use
(a)An employer or vendor acting on behalf of an employer shall maintain an updated list of all ADS currently in use.
(b)An employer shall annually, on or before January 1 of each year, provide notice to workers of all ADS currently in use. The notice shall include the information required by paragraph (iii) of subsection (b) of section 4.
(c)The notice shall be submitted to the department on or before January 31 of each year.
Section 4C. Use of automated decision systems for employment decisions; productivity systems
(a)An employer or vendor acting on behalf of an employer shall not use an ADS to make employment-related decisions in any of the following ways:
(i)Use of an ADS that results in a violation of labor or employment law.
(ii)Use of an ADS to make predictions about a worker’s behavior that are unrelated to the worker’s essential job functions.
(iii)Use of an ADS to identify, profile, or predict the likelihood of workers exercising their legal rights.
(iv)Use of an ADS that draws on facial recognition, gait, or emotion recognition technologies, or that makes predictions about a worker’s emotions, personality, or other types of sentiments.
(v)Use of customer ratings as input data for an ADS.
(vi)Any additional use of an ADS that poses harm to workers prohibited by the department pursuant to section 6(b).
(b)Before an employer or a vendor acting on behalf of an employer uses a productivity system that uses algorithms, the employer shall submit a summary of the system to the department. The summary shall include all of the following information:
(i)The role and nature of the algorithm’s use.
(ii)The number of workers impacted by the system.
(iii)The nature of the algorithmic output.
(iv)How the algorithmic output will be used in making employment-related decisions.
(c)Productivity systems that use algorithms shall also be reviewed by the department of labor standards’ occupational safety and health statistics program before implementation to ensure that electronic productivity systems do not result in physical or mental harm to workers.
(d)This section shall not be construed to conflict with the powers of the executive office of labor and workforce development.
Section 4D. Restrictions on employer or vendor use of automated decision systems
(a)An employer or vendor acting on behalf of an employer shall not use ADS outputs regarding a worker’s health as a basis for any employment-related decision.
(b)An employer or vendor acting on behalf of an employer shall not solely rely on output from an ADS when determining employee wages.
(c)An employer or vendor acting on behalf of an employer shall not solely rely on output from an ADS to make a hiring, promotion, termination, or disciplinary decision.
(i)An employer shall conduct its own evaluation of the worker before making a hiring, promotion, termination, or disciplinary decision, independent of the output used from the ADS. This includes establishing meaningful human oversight by a designated internal reviewer to corroborate the ADS output by other means, including supervisory or managerial documentation, personnel files, or the consultation of coworkers.
(ii)Meaningful human oversight requires that the designated internal reviewer meet the following conditions:
(1)The designated internal reviewer is granted sufficient authority, discretion, resources, and time to corroborate the ADS output.
(2)The designated internal reviewer has sufficient expertise in the operation of similar systems and a sufficient understanding of the ADS in question to interpret its outputs as well as results of relevant algorithmic impact assessments.
(3)The designated internal review has education, training, or experience sufficient to allow the reviewer to make a well-informed decision.
(iii)When an employer cannot corroborate the ADS output produced by the ADS, the employer shall not rely on the system to make the hiring, promotion, termination, or disciplinary decision.
(iv)When an employer can corroborate the ADS output and makes the hiring, promotion, termination, or disciplinary decision based on that output, a notice containing the following information shall be given to affected workers:
(1)The specific decision for which the ADS was used.
(2)Any information or judgments used in addition to the ADS output in making the decision.
(3)The specific worker data that the ADS used.
(4)The individual, vendor, or entity who created the ADS.
(5)The individual or entity that executed and interpreted the results of the ADS.
(6)A copy of any completed algorithmic impact assessments regarding the ADS in question.
(7)Notice of the worker’s right to dispute an algorithmic impact assessment regarding the ADS in question pursuant to section 5C.
(8)The right to recourse pursuant to section 6 of this chapter.
(v)When an employer uses corroborated output from an ADS to make a hiring, promotion, termination, or disciplinary decision, notice shall be given to the affected worker prior to the implementation of that decision.
Section 4E. Requirements for vendor use of automated decision systems
(a)A vendor that uses an ADS on behalf of an employer shall comply with the requirements of this chapter. An employer is jointly and severally liable for a vendor’s failure to comply.
(b)A vendor that uses an ADS on behalf of an employer shall provide all necessary information to the employer to enable the employer to comply with the requirements of this chapter.
(c) A vendor that collects or stores worker data in order to use an ADS on behalf of an employer shall do both of the following upon termination of its contract with the employer:
(i)Return all of the worker data, including any relevant ADS outputs, to the employer.
(ii)Delete all worker data.
Section 5. Algorithmic impact assessments
(a) An employer that develops, procures, uses, or otherwise implements an ADS to make or assist an employment-related decision shall complete an Algorithmic Impact Assessment (AIA) prior to using the system, and retroactively for any ADS that is in place at the time this part takes effect, for each separate position for which the ADS will be used to make an employment-related decision. When an employer procures an ADS from a vendor, the employer may submit an AIA conducted by the vendor if it meets all of the requirements set forth in this chapter.
(b)An “Algorithmic Impact Assessment (AIA)” means a study evaluating an ADS that makes or assists an employment-related decision and its development process, including the design and training data of the ADS, for negative impacts on workers. An AIA shall include, at minimum, all of the following:
(i)A detailed description of the ADS and its intended purpose.
(ii)A description of the data used by the ADS, including the specific categories of data that will be processed as input and any data used to train the model that the ADS relies on.
(iii)A description of the outputs produced by the ADS, including the following:
(1)The types of ADS outputs produced by the ADS.
(2)How to interpret the ADS outputs.
(3)The types of employment-related decisions that may be made on the basis of the ADS outputs.
(iv)An assessment of the necessity and proportionality of the ADS in relation to its purpose, including reasons for the superiority of the ADS over non automated decision making methods.
(v)An evaluation of the risk of the ADS, including the following risks:
(1)Errors, including both false positives and false negatives.
(2)Discrimination against protected classes.
(3)Violation of legal rights of affected workers.
(4)Direct or indirect harm to the physical health, mental health, or safety of affected workers.
(5)Chilling effect on workers exercising legal rights, including, but not limited to, rights guaranteed by employment and labor laws.
(6)Privacy harms, including the risks of security breach or inadvertent disclosure.
(7)Negative economic impacts or other negative material impacts on workers, including, but not limited to, impacts related to wages, benefits, other compensation, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, assignment of work, access to work opportunities, job responsibilities, and productivity requirements.
(8)Infringement on the dignity and autonomy of affected workers.
(vi)The specific measures that will be taken to minimize or eliminate the identified risks.
(vii)A description of the methodology used to evaluate the identified risks and mitigation measures.
(viii)Any additional components necessary to evaluate the negative impacts of an ADS as determined by the department.
Section 5A. Data protection impact assessments
(a)An employer that develops, procures, uses, or otherwise implements a Worker Information System (WIS) shall complete a Data Protection Impact Assessment prior to using the system, or retroactively for a WIS in place prior to the effective date of this part. When an employer procures a WIS from a vendor, the employer may submit an impact assessment conducted by the vendor, if it meets all of the requirements set forth in this section.
(b)A “Data Protection Impact Assessment (DPIA)” means a study evaluating a WIS for negative impacts on workers. A DPIA shall include, at minimum, all of the following:
(i) A systematic description of the nature, scope, context, and purpose of the WIS.
(ii)An assessment of the necessity and proportionality of the WIS in relation to its purpose.
(iii)An evaluation of the potential risks of the WIS, including the following risks:
(1)Violation of the legal rights of affected workers.
(2)Discrimination against protected classes.
(3)Privacy harms, including the risks of invasive or offensive surveillance, security breach, or inadvertent disclosure.
(4)Chilling effect on workers exercising legal rights, including, but not limited to, rights guaranteed by employment and labor laws.
(5)Infringement upon the dignity and autonomy of affected workers.
(6)Negative economic impacts or other negative material impacts on affected workers, including on dimensions including wages, benefits, other compensation, hours, work schedule, performance evaluation, hiring, discipline, promotion, termination, job content, assignment of work, access to work opportunities, and productivity requirements.
(iv)The specific measures that will be taken to minimize or eliminate the identified risks.
(v)A description of the methodology used to evaluate the identified risks and recommended mitigation measures.
(vi)Any additional components necessary to evaluate the negative impacts of a WIS determined by the department.
Section 5B. Proper use of impact assessments
(a)The AIA or DPIA shall be conducted by an independent assessor with relevant experience.
(b)An employer shall initiate an AIA or DPIA at the beginning of the procurement or development process for any ADS or WIS, or retroactively for any ADS or WIS in place at the time this part takes effect. An AIA or DPIA shall be continuously updated throughout the procurement, development, or implementation process and thereafter to reflect any material changes to the ADS or WIS as they become evident.
(c)An employer shall fully comply with all requests from the assessor for information required to conduct the AIA or DPIA.
(d)(i) Throughout the assessment process, the assessor shall consult with workers who are potentially affected by the ADS or WIS. Consultation shall include, but is not limited to, the following stages:
(1) Identification of the specific risks that need to be evaluated.
(2)Development of mitigation measures to minimize the risks associated with the system.
(ii)An assessor shall make the preliminary assessment available to potentially affected workers for anonymous review and comment during a defined open comment period.
(1)An employer shall not retaliate against a worker who participates in the open comment period.
(2)A worker or a designated worker representative may comment or request additional information.
(3)An assessor shall incorporate a record of the feedback received and a description of why the suggestions were either incorporated or rejected.
(4)An assessor shall ensure that potentially affected workers are adequately informed of their ability to review and comment on the AIA or DPIA.
(e)An employer shall submit and update, as needed, the completed AIA or DPIA to the department and potentially affected workers prior to the use of the ADS or WIS.
(i)If health and safety risks are found or implicated, an employer shall also submit its assessment to the Occupational Safety and Health Administration.
(ii)If a risk of discrimination or bias is detected or believed to exist, an employer shall also submit its assessment to the state agency overseeing workplace discrimination.
(f)An employer may use the ADS or WIS once it submits the relevant impact assessments to the department, unless the department directs otherwise, as described in subsection (g).
(g) Upon review of the AIA or DPIA, the department may require any of the following:
(i)Require the employer to submit additional documentation.
(ii)Require the employer to implement mitigation measures in using the ADS or WIS.
(iii)Prohibit the employer from using the ADS or WIS.
(h)Upon submitting the AIA or DPIA to the department, the employer shall develop and publish on its internet website an impact assessment summary that describes the assessment’s methodology, findings, results, and conclusions for each element required by this part, as well as any modification made to it based on the assessment results.
(i)The AIA or DPIA and its summary shall be written in a manner that is precise, transparent, comprehensible, and easily accessible.
(j)The full AIA or DPIA and all relevant materials and sources used for the development of the assessment may be made available to external researchers at the discretion of the department.
Section 5C. Disputed impact assessments
(a)At any point after an employer has submitted an AIA or DPIA to the department, a worker may anonymously dispute the AIA or DPIA and request that the department conduct an investigation of the employer. The following are bases for challenging an AIA or DPIA:
(i)The AIA or DPIA provided insufficient information, was incomplete, or inaccurate.
(ii)The AIA or DPIA assessor was not adequately independent from the employer.
(iii)The AIA or DPIA failed to adequately identify risks or appropriately weigh harms against benefits.
(iv)Mitigation measures identified in the AIA or DPIA were not implemented or, once implemented, failed to reduce residual risks to acceptable levels.
(v)Any other reason the AIA or DPIA was defective or incomplete as identified by the department.
(b)If an employer fails to conduct an impact assessment of an ADS or WIS used in making or assisting an employment-related decision, a worker may anonymously request that the department conduct an investigation of the employer.
(c)Regardless of the use or outcome of the dispute processes available in this section, a worker retains the right to recourse pursuant to section 6.
Section 5D. Requirements for vendor implementation of impact assessments
(a) A vendor that develops, procures, uses, or otherwise implements an ADS or WIS on behalf of an employer shall comply with the requirements of this chapter. An employer shall be jointly and severally liable for a vendor’s failure to comply.
(b)A vendor that develops, procures, uses, or otherwise implements an ADS or WIS on behalf of an employer shall provide all necessary information to the employer to enable the employer to comply with the requirements of this chapter.
(c)A vendor that develops, procures, uses, or otherwise implements an ADS or WIS on behalf of an employer shall provide any additional information, as requested by the independent assessor or department, necessary to conduct an assessment or investigation.
Section 6. Enforcement
(a)(i) A worker may bring a civil action for injunctive relief and recover civil penalties against the employer in an amount equal to the penalties provided in this section. A plaintiff who brings a successful civil action for violation of these provisions is entitled to recover reasonable attorney’s fees and costs.
(ii) An employer or vendor that violates this section shall be subject to an injunction
and liable for civil penalties provided in this chapter, which shall be assessed and recovered in a civil action by the attorney general. In a successful civil action brought by the attorney general to enforce this part, the court may grant injunctive relief in order to obtain compliance with the part and shall award costs and reasonable attorney’s fees.
(iii) An employer shall not retaliate against a worker because the worker exercised, or
notified another worker of their right to exercise, any of the rights under this
section.
(iv) Provisions of a collective bargaining agreement that provide additional worker
protections are not superseded by this part.
(b) The department shall have the authority to enforce and assess penalties under this part and to adopt regulations relating to the procedures for an employee to make a complaint alleging a violation of this section.
(i)On or before January 1, 2025, the department shall adopt regulations to further the purpose of this section, including, but not limited to, regulations on all of the following:
(1)Developing, maintaining, and regularly updating the following:
a)A list of allowable purposes for data collection and electronic monitoring.
b)Definitions of specific categories of worker data required in notices mandated in this part.
c)A list of prohibited forms of electronic monitoring.
d)A list of prohibited ADS.
e)A list of valid reasons for disputing an employer’s AIA or DPIA and requesting investigation by the department.
f)Rules specifying employers’ and workers’ respective obligations to ensure occupational health and safety in home offices, personal vehicles, and other workplaces owned, leased, or regularly used or occupied during non-work hours by a worker. The rules shall specify the manner, means, and frequency with which employers may collect data or electronically monitor those workplaces in order to satisfy the employers’ obligation under applicable occupational health and safety laws.
g)The specific requirements of the notices required by this part.
h)Any additional rules and standards, as needed, to respond to the rapid developments in existing and new technologies introduced in the workplace in order to prevent harm to the health and well-being of workers.
(2)Developing agency procedures to review and evaluate employers’ submissions of AIA, DPIA, and summaries of electronic productivity systems.
(ii)To assist in developing the regulations required by subsection (b), the secretary shall convene an advisory committee to recommend best practices to mitigate harms to workers from the use of data-driven technology in the workplace. The advisory committee shall be composed of stakeholders and other related subject matter experts and shall also include representatives of the department of labor standards, and the occupational safety and health administration. The secretary shall convene the advisory committee no later than March 1, 2024.
(iii)The department shall strategically collaborate with stakeholders to educate workers and employers about their rights and obligations under this part, respectively, in order to increase compliance.
(c)(i) An employer or vendor acting on behalf of an employer who fails to comply with section 2 through 2D of this chapter is subject to the following penalties:
(1)A violation of section 2 shall be subject to a penalty of ten thousand dollars ($10,000) per violation.
(2)A violation of section 2A shall be subject to a penalty of five thousand dollars ($5,000) for each verified request made by a worker.
(3)A violation of section 2B shall be subject to a penalty of five thousand dollars ($5,000) per violation.
(4)A violation of section 2C shall be subject to a penalty of twenty thousand dollars ($20,000) per violation.
(5)A violation of section 2D shall be subject to a penalty of one hundred dollars ($100) per affected worker for each violation of this provision.
(ii)An employer or vendor acting on behalf of an employer who fails to comply with sections 3 through 3D of this chapter is subject to the following penalties:
(1)A violation of section 3 shall be subject to a penalty of ten thousand dollars ($10,000) per violation.
(2)A violation of section 3C shall be subject to a penalty of five thousand dollars ($5,000) for each day that the violation occurs.
(3)A violation of Section 3D shall be subject to a penalty of ten thousand dollars ($10,000) per worker for each violation.
(iii)An employer or vendor acting on behalf of an employer who fails to comply with sections 4 through 4D is subject to the following penalties:
(1)A violation of section 4, 4A, or 4D shall be subject to a penalty of ten thousand dollars ($10,000) per violation.
(2)(2) A violation of section 4B shall be subject to a penalty of two thousand five hundred dollars ($2,500) per violation.
(3)(3) A violation of section 4C shall be subject to a penalty of twenty thousand dollars ($20,000) per violation.
(iv)An employer or vendor acting on behalf of an employer who fails to submit an impact assessment pursuant to sections 5, 5A, 5B, or 5C shall be subject to a penalty of twenty thousand dollars ($20,000) per violation.
Section 6.
(a)The provisions in sections 2 through 6 shall apply to state workers so long as they are not construed or applied to displace or supplant state rules and regulations and collective bargaining agreements that apply to state workers.
(b)The department shall have the authority to enact regulations establishing the forms and manners under which sections 2 through 6 shall apply to state workers so that such application conforms with the previous paragraph.
The information contained in this website is for general information purposes only. The General Court provides this information as a public service and while we endeavor to keep the data accurate and current to the best of our ability, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.