The 194th General Court of the Commonwealth of Massachusetts

Bill S.33 194th (Current)

An Act establishing the Comprehensive Massachusetts Consumer Data Privacy Act

By Mr. Driscoll, a petition (accompanied by bill, Senate, No. 33) of William J. Driscoll, Jr. for legislation to establish the comprehensive Massachusetts consumer data privacy act. Advanced Information Technology, the Internet and Cybersecurity.

Bill Information

Presenter:
William J. Driscoll, Jr.

Consumer Data Privacy

This bill brings Massachusetts into alignment with data privacy laws in 17 other states, including Connecticut, New Hampshire, and Rhode Island. It adds a new chapter that would govern the relationship between MA residents and businesses that collect and process their personal data, and provide new consumer rights over the collection, processing, and sale of that data, with heightened protections for data collected from known minors. It also creates clear guardrails for businesses that collect the personal data of MA residents.

Section 1 sets definitions for this act, which mirror the definitions used in data protection acts across New England. The act does deviate from other New England legislation in the definition of “gender-affirming healthcare services”, which tracks to the 2022 Data Shield Act (see Ch. 127, Acts of 2022).

Section 2 specifies the scope of applicability - limited to businesses that collect or process the data of at least 100,000 MA residents, or 25,000 MA residents if the sale of consumer data is more than 25% of the business’ revenue.

Section 3 provides exemptions from the law - public agencies are exempt, as are colleges and universities, federally registered securities associations, financial institutions regulated by federal data laws, and health information organizations which are governed by federal regulations.

Section 4 provides a number of rights to consumers over their data collected by covered companies, and the mechanisms to enforce those rights. A consumer is entitled to: confirm when a company is collecting/processing their data and access said data; correct any errors in the data; mandate the deletion of their personal data; obtain a copy of the personal data processed; and opt out of the processing of personal data for the purposes of advertising, the sale of personal data, or data profiling purposes. A company is obligated to: respond to all consumers within 45 days; provide a detailed justification for declining any requests, accompanied by instructions for appealing these decisions; and provide the information requested by a consumer free of charge once in a given 12-month period.

Section 5 allows a consumer to designate an agent to exercise their rights under this act.

Section 6 outlines responsibilities of companies collecting and processing consumer data. Companies are obligated to: limit the collection of personal data to what is reasonably necessary, as disclosed to the consumer; maintain reasonable security practices to protect consumer data; avoid the processing of sensitive personal data for advertising purposes without consumer consent; stop the sale of personal data without consumer consent; comply with federal antidiscrimination and child protection laws; disclose the sale of personal data to consumers with a clear method for consumers to opt out of such sales; and provide clear privacy notices explaining the type of data collected, the purposes for that collection, the rights of consumers, the company's contact information, and the information shared with third parties. Section 6 also prohibits a company from collecting location data (“geofence”) at mental health, reproductive health, or sexual health facilities.

Section 7 provides for heightened protections for minors where the company knows that their service is offered to minors, requiring that the company use reasonable care to avoid any heightened risks of harm to minors, and prohibits the use of a minor’s personal data for targeted advertising, sale to third parties, or data profiling. It also prohibits the collection or use of a minor's location data, and requires that any direct messaging service offered by a company establish safeguards to limit the ability of adults to send unsolicited communications to minors.

Section 8 provides that a company contracted for the purposes of processing consumer data is obligated to meet the same responsibilities outlined in the previous sections, and governs the formation of a relationship between data collecting companies and data processing companies.

Section 9 requires that a company collecting personal data conduct data-protection assessments that outline potential risks of certain processing activities and safeguards that could be implemented to reduce or eliminate those risks. The Attorney General is empowered to request these data processing assessments.

Section 10 requires that companies possessing de-identified data ensure it remains de-identified.

Section 11 provides some limitations and exemptions from this law related to compliance with other state and federal laws, subpoenas and government investigations, services provided by a company under contract, responding to security threats, engaging in research, and any limitations that may be provided for under the state or federal constitutions.

Section 12 empowers the Attorney General to take steps to enforce this section. It also provides that a violating entity may fix or cure any issues that may present a violation of this section for the first 18 months of this section’s effectiveness.

Section 13 establishes that this section shall be effective July 1, 2026.

* The bill summary was created by the Primary Sponsor of the bill; no committee of the General Court certifies the accuracy of its contents.
