SECTION 1. The General Laws, as appearing in the 2018 Official Edition, are hereby amended by inserting after chapter 93K the following chapter:
CHAPTER 93L. Privacy Protections for Location Information Derived from Electronic Devices
Section 1. Definitions
As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:—
“Application”, a software program that runs on the operating system of a device.
“Collect”, to obtain, infer, generate, create, receive, or access an individual’s location information.
“Consent”, freely given, specific, informed, unambiguous, opt-in consent. This term does not include either of the following: (i) agreement secured without first providing to the individual a clear and conspicuous disclosure of all information material to the provision of consent, apart from any privacy policy, terms of service, terms of use, general release, user agreement, or other similar document; or (ii) agreement obtained through the use of a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.
“Covered entity”, any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity does not include a state or local government agency, or any court of Massachusetts, a clerk of the court, or a judge or justice thereof. A covered entity does not include an individual acting in a non-commercial context. A covered entity includes all agents of the entity.
“Device”, a mobile telephone, as defined in section 1 of chapter 90 of the general laws, or any other electronic device that is or may commonly be carried by or on an individual and is capable of connecting to a cellular, bluetooth, or other wireless network.
“Disclose”, to make location information available to a third party, including but not limited to by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating such location information orally, in writing, electronically, or by any other means.
“Individual”, a person located in the Commonwealth of Massachusetts.
“Location information”, information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the Commonwealth of Massachusetts with sufficient precision to identify street-level location information within a range of 1,850 feet or less. Location information includes but is not limited to (i) an internet protocol address capable of revealing the physical or geographical location of an individual; (ii) Global Positioning System (GPS) coordinates; and (iii) cell-site location information. This term does not include location information identifiable or derived solely from the visual content of a legally obtained image, including the location of the device that captured such image, or publicly posted words.
“Location Privacy Policy”, a description of the policies, practices, and procedures controlling a covered entity’s collection, processing, management, storage, retention, and deletion of location information.
“Monetize”, to collect, process, or disclose an individual’s location information for profit or in exchange for monetary or other consideration. This term includes but is not limited to selling, renting, trading, or leasing location information.
“Person”, any natural person.
“Permissible purpose”, one of the following purposes: (i) provision of a product, service, or service feature to the individual to whom the location information pertains when that individual requested the provision of such product, service, or service feature by subscribing to, creating an account, or otherwise contracting with a covered entity; (ii) initiation, management, execution, or completion of a financial or commercial transaction or fulfill an order for specific products or services requested by an individual, including any associated routine administrative, operational, and account-servicing activity such as billing, shipping, delivery, storage, and accounting; (iii) compliance with an obligation under federal or state law; or (iv) response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.
“Process”, to perform any action or set of actions on or with location information, including but not limited to collecting, accessing, using, storing, retaining, analyzing, creating, generating, aggregating, altering, correlating, operating on, recording, modifying, organizing, structuring, disposing of, destroying, de-identifying, or otherwise manipulating location information. This term does not include disclosing location information.
“Reasonably understandable”, of length and complexity such that an individual with an eighth-grade reading level, as established by the department of elementary and secondary education, can read and comprehend.
“Service feature”, a discrete aspect of a service provided by a covered entity, including but not limited to real-time directions, real-time weather, and identity authentication.
“Service provider”, an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that such service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.
“Third party”, any covered entity or person other than (i) a covered entity that collected or processed location information in accordance with this chapter or its service providers, or (ii) the individual to whom the location information pertains. This term does not include government entities.
Section 2. Protection of location information
(a)It shall be unlawful for a covered entity to collect or process an individual’s location information except for a permissible purpose. Prior to collecting or processing an individual’s location information for one of those permissible purposes, a covered entity shall provide the individual with a copy of the Location Privacy Policy and obtain consent from that individual; provided, however, that this shall not be required when the collection and processing is done in (1) compliance with an obligation under federal or state law or (2) in response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.
(b)If a covered entity collects location information for the provision of multiple permissible purposes, it should be mentioned in the Location Privacy Policy and individuals shall provide discrete consent for each purpose; provided, however, that this shall not be required for the purpose of collecting and processing location information to comply with an obligation under federal or state law or to respond to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.
(c)A covered entity that directly delivers targeted advertisements as part of its product or services shall provide individuals with a clear, conspicuous, and simple means to opt out of the processing of their location information for purposes of selecting and delivering targeted advertisements.
(d)Consent provided under this section shall expire (1) after one year, (2) when the initial purpose for processing the information has been satisfied, or (3) when the individual revokes consent, whichever occurs first, provided that consent may be renewed pursuant to the same procedures. Upon expiration of consent, any location information possessed by a covered entity must be permanently destroyed.
(e)It shall be unlawful for a covered entity or service provider that lawfully collects and processes location information to:—
(1)collect more precise location information than necessary to carry out the permissible purpose;
(2)retain location information longer than necessary to carry out the permissible purpose;
(3)sell, rent, trade, or lease location information to third parties; or
(4)derive or infer from location information any data that is not necessary to carry out a permissible purpose.
(5)disclose, cause to disclose, or assist with or facilitate the disclosure of an individual’s location information to third parties, unless such disclosure is (i) necessary to carry out the permissible purpose for which the information was collected, or (ii) requested by the individual to whom the location data pertains.
(f)It shall be unlawful for a covered entity or service providers to disclose location information to any federal, state, or local government agency or official unless (1) the agency or official serves the covered entity or service provider with a valid warrant or establishes the existence of exigent circumstances that make it impracticable to obtain a warrant, (2) disclosure is mandated under federal or state law, or (3) the data subject requests such disclosure.
(g)A covered entity shall maintain and make available to the data subject a Location Privacy Policy, which shall include, at a minimum, the following:—
(1)the permissible purpose for which the covered entity is collecting, processing, or disclosing any location information;
(2)the type of location information collected, including the precision of the data;
(3)the identities of service providers with which the covered entity contracts with respect to location data;
(4)any disclosures of location data necessary to carry out a permissible purpose and the identities of the third parties to whom the location information could be disclosed;
(5)whether the covered entity’s practices include the internal use of location information for purposes of targeted advertisement;
(6)the data management and data security policies governing location information;
(7)the retention schedule and guidelines for permanently deleting location information.
(h)A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its Location Privacy Policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new Location Privacy Policy.
(i)It shall be unlawful for a government entity to monetize location information.
Section 3. Transparency
(a)A covered entity shall, on an annual basis, report to the attorney general aggregate information pertaining to any warrants seeking location information collected and processed by that covered entity that were received during the preceding calendar year by the entity and, if known, by any service providers and third parties. The report shall disaggregate orders by requesting agency, statutory offense under investigation, and source of authority.
(b)Covered entities that are required to regularly disclose location information as a matter of law shall, on an annual basis, report to the attorney general aggregate information related to such disclosures.
(c)The attorney general shall develop standardized reporting forms to comply with this section and make the reports available to the general public online.
Section 4. Prohibition Against Retaliation
A covered entity shall not take adverse action against an individual because the individual exercised or refused to waive any of such individual’s rights under this chapter, unless location data is essential to the provision of the good, service, or service feature that the individual requests, and then only to the extent that such data is essential. This prohibition includes but is not limited to:
(1)refusing to provide a good or service to the individual;
(2)charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; or
(3)providing a different level or quality of goods or services to the individual.
Section 5. Enforcement
(a)A violation of this chapter or a regulation promulgated under this chapter regarding an individual’s location information constitutes an injury to that individual.
(b)Any individual alleging a violation of this chapter by a covered entity or service provider may bring a civil action in the superior court or any court of competent jurisdiction; provided that, venue in the superior court shall be proper in the county in which the plaintiff resides or was located at the time of any violation.
(c)An individual protected by this chapter shall not be required, as a condition of service or otherwise, to file an administrative complaint with the attorney general or to accept mandatory arbitration of a claim arising under this chapter.
(d)In a civil action in which the plaintiff prevails, the court may award (1) actual damages, including damages for emotional distress, or $5,000 per violation, whichever is greater, (2) punitive damages; and (3) any other relief, including but not limited to an injunction or declaratory judgment, that the court deems to be appropriate. The court shall consider each instance in which a covered entity or service provider collects, processes, or discloses location information in a manner prohibited by this chapter or a regulation promulgated under this chapter as constituting a separate violation of this chapter or regulation promulgated under this chapter. In addition to any relief awarded, the court shall award reasonable attorney’s fees and costs to any prevailing plaintiff.
(e)The attorney general may bring an action pursuant to section 4 of chapter 93A against a covered entity or service provider to remedy violations of this chapter and for other relief that may be appropriate.
(f)Any provision of a contract or agreement of any kind, including a covered entity’s terms of service or policies, including but not limited to the Location Privacy Policy, that purports to waive or limit in any way an individual’s rights under this chapter, including but not limited to any right to a remedy or means of enforcement, shall be deemed contrary to state law and shall be void and unenforceable.
(g)No private or government action brought pursuant to this chapter shall preclude any other action under this chapter.
Section 6. Non-applicability
This chapter shall not apply to location information collected from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, if the information is protected from disclosure under the federal Health Insurance Portability and Accountability Act of 1996 or other applicable federal and state laws and regulations.
Section 7. Regulations
The attorney general shall:—
(1)adopt, amend, or repeal regulations for the implementation, administration, and enforcement of this chapter;
(2)gather facts and information applicable to the attorney general’s obligation to enforce this chapter and ensure its compliance;
(3)conduct investigations for possible violations of this chapter;
(4)refer cases for criminal prosecution to the appropriate federal, state, or local authorities; and
(5)maintain an official internet website outlining the provisions of this chapter.
SECTION 2. Location Information Collected Before Effective Date
Within 6 months after the effective date of this Act, covered entities shall obtain consent in accordance with the provisions of Section 2 of Chapter 93L for any location information collected, processed, and stored before such effective date, and shall permanently destroy any location information for which they have not obtained consent.
SECTION 3. Effective Date
This Act shall take effect 1 year after enactment.