HOUSE DOCKET, NO. 3698        FILED ON: 1/20/2023

HOUSE  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  No. 357

 

The Commonwealth of Massachusetts

_________________

PRESENTED BY:

Kate Lipper-Garabedian

_________________

To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
Court assembled:

The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:

An Act protecting reproductive health access, LGBTQ lives, religious liberty, and freedom of movement by banning the sale of cell phone location information.

_______________

PETITION OF:

 

Name:

District/Address:

Date Added:

Kate Lipper-Garabedian

32nd Middlesex

1/20/2023

Adam Scanlon

14th Bristol

1/31/2023

David Paul Linsky

5th Middlesex

1/31/2023

Steven Ultrino

33rd Middlesex

1/31/2023

Joanne M. Comerford

Hampshire, Franklin and Worcester

1/31/2023

Lindsay N. Sabadosa

1st Hampshire

1/31/2023

Jack Patrick Lewis

7th Middlesex

2/3/2023

Simon Cataldo

14th Middlesex

2/3/2023

Brian W. Murray

10th Worcester

2/3/2023

Vanna Howard

17th Middlesex

2/3/2023

Patricia A. Duffy

5th Hampden

2/3/2023

Jason M. Lewis

Fifth Middlesex

2/3/2023

Samantha Montaño

15th Suffolk

2/7/2023

Rebecca L. Rausch

Norfolk, Worcester and Middlesex

2/7/2023

Jon Santiago

9th Suffolk

2/7/2023

Carol A. Doherty

3rd Bristol

2/7/2023

Thomas M. Stanley

9th Middlesex

2/9/2023

Tricia Farley-Bouvier

2nd Berkshire

2/14/2023

Patrick M. O'Connor

First Plymouth and Norfolk

3/2/2023

Rob Consalvo

14th Suffolk

3/2/2023

James B. Eldridge

Middlesex and Worcester

3/2/2023

James J. O'Day

14th Worcester

3/2/2023

Erika Uyterhoeven

27th Middlesex

3/6/2023

Rodney M. Elliott

16th Middlesex

3/22/2023

Kevin G. Honan

17th Suffolk

3/22/2023

Natalie M. Higgins

4th Worcester

3/22/2023

Steven Owens

29th Middlesex

3/22/2023

Tommy Vitolo

15th Norfolk

3/22/2023

Adrianne Pusateri Ramos

14th Essex

4/6/2023

James C. Arena-DeRosa

8th Middlesex

6/6/2023

Mindy Domb

3rd Hampshire

6/6/2023

Jennifer Balinsky Armini

8th Essex

6/6/2023

Adrian C. Madaro

1st Suffolk

6/15/2023

William J. Driscoll, Jr.

7th Norfolk

6/15/2023

John J. Mahoney

13th Worcester

6/15/2023

James K. Hawkins

2nd Bristol

6/15/2023

John Francis Moran

9th Suffolk

6/15/2023

Patricia A. Haddad

5th Bristol

6/15/2023

Sean Garballey

23rd Middlesex

6/27/2023

Natalie M. Blais

1st Franklin

6/27/2023

Priscila S. Sousa

6th Middlesex

6/27/2023

Danielle W. Gregoire

4th Middlesex

6/27/2023

Mike Connolly

26th Middlesex

6/27/2023

Ruth B. Balser

12th Middlesex

6/27/2023

Edward R. Philips

8th Norfolk

6/27/2023

Margaret R. Scarsdale

1st Middlesex

6/27/2023

Kristin E. Kassner

2nd Essex

6/27/2023

Jay D. Livingstone

8th Suffolk

6/27/2023

Michelle L. Ciccolo

15th Middlesex

6/28/2023

Danillo A. Sena

37th Middlesex

6/30/2023

Dawne Shand

1st Essex

7/7/2023

William F. MacGregor

10th Suffolk

7/10/2023

Kay Khan

11th Middlesex

7/20/2023

Joan B. Lovely

Second Essex

9/20/2023

Carmine Lawrence Gentile

13th Middlesex

9/20/2023

David Henry Argosky LeBoeuf

17th Worcester

9/20/2023

Christine P. Barber

34th Middlesex

9/20/2023

Tram T. Nguyen

18th Essex

9/20/2023

Richard M. Haggerty

30th Middlesex

9/21/2023

Andres X. Vargas

3rd Essex

10/10/2023

William M. Straus

10th Bristol

10/11/2023

Denise C. Garlick

13th Norfolk

10/27/2023

Judith A. Garcia

11th Suffolk

10/27/2023

Estela A. Reyes

4th Essex

11/14/2023

Daniel Cahill

10th Essex

12/7/2023

Rita A. Mendes

11th Plymouth

12/7/2023

Marjorie C. Decker

25th Middlesex

12/7/2023

Manny Cruz

7th Essex

12/12/2023

Jessica Ann Giannino

16th Suffolk

12/12/2023

John H. Rogers

12th Norfolk

1/2/2024

John F. Keenan

Norfolk and Plymouth

1/5/2024

Aaron L. Saunders

7th Hampden

1/24/2024

Daniel R. Carey

2nd Hampshire

1/24/2024

Ryan M. Hamilton

15th Essex

1/24/2024

Kate Donaghue

19th Worcester

1/24/2024

John Barrett, III

1st Berkshire

1/25/2024

Dylan A. Fernandes

Barnstable, Dukes and Nantucket

1/29/2024

James Arciero

2nd Middlesex

2/1/2024

Bradley H. Jones, Jr.

20th Middlesex

2/1/2024

Kimberly N. Ferguson

1st Worcester

2/22/2024

Hannah Kane

11th Worcester

2/22/2024

Paul J. Donato

35th Middlesex

2/22/2024

Patrick Joseph Kearney

4th Plymouth

3/5/2024

Brian M. Ashe

2nd Hampden

5/30/2024


HOUSE DOCKET, NO. 3698        FILED ON: 1/20/2023

HOUSE  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  No. 357

By Representative Lipper-Garabedian of Melrose, a petition (accompanied by bill, House, No. 357) of Kate Lipper-Garabedian and others relative to banning the sale of cell phone location information.  Consumer Protection and Professional Licensure.

 

The Commonwealth of Massachusetts

 

_______________

In the One Hundred and Ninety-Third General Court
(2023-2024)

_______________

 

An Act protecting reproductive health access, LGBTQ lives, religious liberty, and freedom of movement by banning the sale of cell phone location information.

 

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
 

SECTION 1. The General Laws, as appearing in the 2018 Official Edition, are hereby amended by inserting after chapter 93K the following chapter:

CHAPTER 93L. Privacy Protections for Location Information Derived from Electronic Devices

Section 1. Definitions

As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:—

“Application”, a software program that runs on the operating system of a device.

“Collect”, to obtain, infer, generate, create, receive, or access an individual’s location information.

“Consent”, freely given, specific, informed, unambiguous, opt-in consent. This term does not include either of the following: (i) agreement secured without first providing to the individual a clear and conspicuous disclosure of all information material to the provision of consent, apart from any privacy policy, terms of service, terms of use, general release, user agreement, or other similar document; or (ii) agreement obtained through the use of a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.

“Covered entity”, any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity does not include a state or local government agency, or any court of Massachusetts, a clerk of the court, or a judge or justice thereof. A covered entity does not include an individual acting in a non-commercial context. A covered entity includes all agents of the entity.

“Device”, a mobile telephone, as defined in section 1 of chapter 90 of the general laws, or any other electronic device that is or may commonly be carried by or on an individual and is capable of connecting to a cellular, bluetooth, or other wireless network.

“Disclose”, to make location information available to a third party, including but not limited to by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating such location information orally, in writing, electronically, or by any other means.

“Individual”, a person located in the Commonwealth of Massachusetts.

“Location information”, information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the Commonwealth of Massachusetts with sufficient precision to identify street-level location information within a range of 1,850 feet or less. Location information includes but is not limited to (i) an internet protocol address capable of revealing the physical or geographical location of an individual; (ii) Global Positioning System (GPS) coordinates; and (iii) cell-site location information. This term does not include location information identifiable or derived solely from the visual content of a legally obtained image, including the location of the device that captured such image, or publicly posted words.

“Location Privacy Policy”, a description of the policies, practices, and procedures controlling a covered entity’s collection, processing, management, storage, retention, and deletion of location information.

“Monetize”, to collect, process, or disclose an individual’s location information for profit or in exchange for monetary or other consideration. This term includes but is not limited to selling, renting, trading, or leasing location information.

“Person”, any natural person.

“Permissible purpose”, one of the following purposes: (i) provision of a product, service, or service feature to the individual to whom the location information pertains when that individual requested the provision of such product, service, or service feature by subscribing to, creating an account, or otherwise contracting with a covered entity; (ii) initiation, management, executution, or completion of a financial or commercial transaction or fulfill an order for specific products or services requested by an individual, including any associated routine administrative, operational, and account-servicing activity such as billing, shipping, delivery, storage, and accounting; (iii) compliance with an obligation under federal or state law; or (iv) Response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.

“Process”, to perform any action or set of actions on or with location information, including but not limited to collecting, accessing, using, storing, retaining, analyzing, creating, generating, aggregating, altering, correlating, operating on, recording, modifying, organizing, structuring, disposing of, destroying, de-identifying, or otherwise manipulating location information. This term does not include disclosing location information.

“Reasonably understandable”, of length and complexity such that an individual with an eighth-grade reading level, as established by the department of elementary and secondary education, can read and comprehend.

“Service feature”, a discrete aspect of a service provided by a covered entity, including but not limited to real-time directions, real-time weather, and identity authentication

"Service provider”, an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that such service provider is, conducting business activities on behalf of, for the benefit of,  at the direction of, and under contractual agreement with a covered entity.

“Third party”, any covered entity or person other than (i) a covered entity that collected or processed location information in accordance with this chapter or its service providers, or (ii) the individual to whom the location information pertains. This term does not include government entities.

Section 2. Protection of location information

(a)It shall be unlawful for a covered entity to collect or process an individual’s location information except for a permissible purpose. Prior to collecting or processing an individual’s location information for one of those permissible purposes, a covered entity shall provide the individual with a copy of the Location Privacy Policy and obtain consent from that individual; provided, however, that this shall not be required when the collection and processing is done in (1) compliance with an obligation under federal or state law or (2) in response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.

(b)If a covered entity collects location information for the provision of multiple permissible purposes, it should be mentioned in the Location Privacy Policy and individuals shall provide discrete consent for each purpose; provided, however, that this shall not be required for the purpose of collecting and processing location information to comply with an obligation under federal or state law or to respond to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.

(c)A covered entity that directly delivers targeted advertisements as part of its product or services shall provide individuals with a clear, conspicuous, and simple means to opt out of the processing of their location information for purposes of selecting and delivering targeted advertisements.

(d)Consent provided under this section shall expire (1) after one year, (2) when the initial purpose for processing the information has been satisfied, or (3) when the individual revokes consent, whichever occurs first, provided that consent may be renewed pursuant to the same procedures. Upon expiration of consent, any location information possessed by a covered entity must be permanently destroyed.

(e)It shall be unlawful for a covered entity or service provider that lawfully collects and processes location information to:—

(1)collect more precise location information than necessary to carry out the permissible purpose;

(2)retain location information longer than necessary to carry out the permissible purpose;

(3)sell, rent, trade, or lease location information to third parties; or

(4)derive or infer from location information any data that is not necessary to carry out a permissible purpose.

(5)disclose, cause to disclose, or assist with or facilitate the disclosure of an individual’s location information to third parties, unless such disclosure is (i) necessary to carry out the permissible purpose for which the information was collected, or (ii) requested by the individual to whom the location data pertains.

(f)It shall be unlawful for a covered entity or service providers to disclose location information to any federal, state, or local government agency or official unless (1) the agency or official serves the covered entity or service provider with a valid warrant or establishes the existence of exigent circumstances that make it impracticable to obtain a warrant, (2) disclosure is mandated under federal or state law, or (3) the data subject requests such disclosure.

(g)A covered entity shall maintain and make available to the data subject a Location Privacy Policy, which shall include, at a minimum, the following:—

(1)the permissible purpose for which the covered entity is collecting, processing, or disclosing any location information;

(2)the type of location information collected, including the precision of the data;

(3)the identities of service providers with which the covered entity contracts with respect to location data;

(4)any disclosures of location data necessary to carry out a permissible purpose and the identities of the third parties to whom the location information could be disclosed;

(5)whether the covered entity’s practices include the internal use of location information for purposes of targeted advertisement

(6)the data management and data security policies governing location information;

(7)the retention schedule and guidelines for permanently deleting location information.

(h)A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its Location Privacy Policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new Location Privacy Policy.

(i)It shall be unlawful for a government entity to monetize location information.

Section 3. Transparency

(a)A covered entity shall, on an annual basis, report to the attorney general aggregate information pertaining to any warrants seeking location information collected and processed by that covered entity that were received during the preceding calendar year by the entity and, if known, by any service providers and third parties. The report shall disaggregate orders by requesting agency, statutory offense under investigation, and source of authority.

(b)Covered entities that are required to regularly disclose location information as a matter of law shall, on an annual basis, report to the attorney general aggregate information related to such disclosures.

(c)The attorney general shall develop standardized reporting forms to comply with this section and make the reports available to the general public online.

Section 4: Prohibition Against Retaliation

A covered entity shall not take adverse action against an individual because the individual exercised or refused to waive any of such individual’s rights under this chapter, unless location data is essential to the provision of the good, service, or service feature that the individual requests, and then only to the extent that such data is essential. This prohibition includes but is not limited to:

(1)refusing to provide a good or service to the individual;

(2)charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; or

(3)providing a different level or quality of goods or services to the individual.

Section 5. Enforcement

(a)A violation of this chapter or a regulation promulgated under this chapter regarding an individual’s location information constitutes an injury to that individual.

(b)Any individual alleging a violation of this chapter by a covered entity or service provider may bring a civil action in the superior court or any court of competent jurisdiction; provided that, venue in the superior court shall be proper in the county in which the plaintiff resides or was located at the time of any violation.

(c)An individual protected by this chapter shall not be required, as a condition of service or otherwise, to file an administrative complaint with the attorney general or to accept mandatory arbitration of a claim arising under this chapter.

(d)In a civil action in which the plaintiff prevails, the court may award (1) actual damages, including damages for emotional distress, or $5,000 per violation, whichever is greater, (2) punitive damages; and (3) any other relief, including but not limited to an injunction or declaratory judgment, that the court deems to be appropriate. The court shall consider each instance in which a covered entity or service provider collects, processes, or discloses location information in a manner prohibited by this chapter or a regulation promulgated under this chapter as constituting a separate violation of this chapter or regulation promulgated under this chapter. In addition to any relief awarded, the court shall award reasonable attorney’s fees and costs to any prevailing plaintiff.

(e)The attorney general may bring an action pursuant to section 4 of chapter 93A against a covered entity or service provider to remedy violations of this chapter and for other relief that may be appropriate.

(f)Any provision of a contract or agreement of any kind, including a covered entity’s terms of service or policies, including but not limited to the Location Privacy Policy, that purports to waive or limit in any way an individual’s rights under this chapter, including but not limited to any right to a remedy or means of enforcement, shall be deemed contrary to state law and shall be void and unenforceable.

(g)No private or government action brought pursuant to this chapter shall preclude any other action under this chapter.

Section 6. Non-applicability

This chapter shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 or other applicable federal and state laws and regulations.

Section 7. Regulations

The attorney general shall:—

(1)adopt, amend, or repeal regulations for the implementation, administration, and enforcement of this chapter;

(2)gather facts and information applicable to the attorney general’s obligation to enforce this chapter and ensure its compliance;

(3)conduct investigations for possible violations of this chapter;

(4)refer cases for criminal prosecution to the appropriate federal, state, or local authorities; and

(5)maintain an official internet website outlining the provisions of this chapter.

SECTION 2. Location Information Collected Before Effective Date

Within 6 months after the effective date of this Act, covered entities shall obtain consent in accordance with the provisions of Section 2 of Chapter 93L for any location information collected, processed, and stored before such effective date, and shall permanently destroy any location information for which they have not obtained consent.

SECTION 3. Effective Date

This Act shall take effect 1 year after enactment.