SENATE DOCKET, NO. 501 FILED ON: 1/13/2025
SENATE . . . . . . . . . . . . . . No.
The Commonwealth of Massachusetts
_________________
PRESENTED BY:
Cynthia Stone Creem
_________________
To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
Court assembled:
The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:
An Act to protect safety and privacy by stopping the sale of location data.
_______________
PETITION OF:
Name: | District/Address: |
Cynthia Stone Creem | Norfolk and Middlesex |
[SIMILAR MATTER FILED IN PREVIOUS SESSION
SEE SENATE, NO. 148 OF 2023-2024.]
The Commonwealth of Massachusetts
_______________
In the One Hundred and Ninety-Fourth General Court
(2025-2026)
_______________
An Act to protect safety and privacy by stopping the sale of location data.
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
SECTION 1. The General Laws, as appearing in the 2022 Official Edition, are hereby amended by inserting after chapter 93M the following chapter:
Section 1. Definitions
(a) As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:
(1) “Application”, a software program that runs on the operating system of a device.
(2) “Collect”, to obtain, infer, generate, create, receive, or access an individual’s location information.
(3) “Consent”, freely given, specific, informed, unambiguous, opt-in consent. This term does not include either of the following: (i) agreement secured without first providing to the individual a clear and conspicuous disclosure of all information material to the provision of consent, apart from any privacy policy, terms of service, terms of use, general release, user agreement, or other similar document; or (ii) agreement obtained through the use of a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.
(4) “Covered entity”, any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity does not include a state or local government agency, or any court of Massachusetts, a clerk of the court, or a judge or justice thereof. A covered entity does not include an individual acting in a non-commercial context. A covered entity includes all agents of the entity.
(5) “Device”, a mobile telephone, as defined in section 1 of chapter 90 of the general laws, or any other electronic device that is or may commonly be carried by or on an individual and is capable of connecting to a cellular, bluetooth, or other wireless network.
(6) “Disclose”, to make location information available to a third party, including but not limited to by sharing, publishing, releasing, transferring, disseminating, providing access to, or otherwise communicating such location information orally, in writing, electronically, or by any other means.
(7) “Individual”, a person located in the Commonwealth of Massachusetts.
(8) “Location information”, information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the Commonwealth of Massachusetts with sufficient precision to identify street-level location information within a range of 1,850 feet or less. Location information includes but is not limited to (i) an internet protocol address capable of revealing the physical or geographical location of an individual; (ii) Global Positioning System (GPS) coordinates; and (iii) cell-site location information. This term does not include location information identifiable or derived solely from the visual content of a legally obtained image, including the location of the device that captured such image, or publicly posted words.
(9) “Location Privacy Policy”, a description of the policies, practices, and procedures controlling a covered entity’s collection, processing, management, storage, retention, and deletion of location information.
(10) “Monetize”, to collect, process, or disclose an individual’s location information for profit or in exchange for monetary or other consideration. This term includes but is not limited to selling, renting, trading, or leasing location information.
(11) “Person”, any natural person.
(12) “Permissible purpose”, one of the following purposes: (i) provision of a product, service, or service feature to the individual to whom the location information pertains when that individual requested the provision of such product, service, or service feature by subscribing to, creating an account, or otherwise contracting with a covered entity; (ii) initiation, management, execution, or completion of a financial or commercial transaction or fulfill an order for specific products or services requested by an individual, including any associated routine administrative, operational, and account-servicing activity such as billing, shipping, delivery, storage, and accounting; (iii) compliance with an obligation under federal or state law; or (iv) response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.
(13) “Process”, to perform any action or set of actions on or with location information, including but not limited to collecting, accessing, using, storing, retaining, analyzing, creating, generating, aggregating, altering, correlating, operating on, recording, modifying, organizing, structuring, disposing of, destroying, de-identifying, or otherwise manipulating location information. This term does not include disclosing location information.
(14) “Reasonably understandable”, of length and complexity such that an individual with an eighth-grade reading level, as established by the department of elementary and secondary education, can read and comprehend.
(15) “Service feature”, a discrete aspect of a service provided by a covered entity, including but not limited to real-time directions, real-time weather, and identity authentication.
(16) “Service provider”, an individual, partnership, corporation, limited liability company, association, or other group, however organized, that collects, processes, or transfers location information for the sole purpose of, and only to the extent that such service provider is, conducting business activities on behalf of, for the benefit of, at the direction of, and under contractual agreement with a covered entity.
(17) “Third party”, any covered entity or person other than (i) a covered entity that collected or processed location information in accordance with this chapter or its service providers, or (ii) the individual to whom the location information pertains. This term does not include government entities.
Section 2. Protection of location information
(a) It shall be unlawful for a covered entity to collect or process an individual’s location information except for a permissible purpose. Prior to collecting or processing an individual’s location information for one of those permissible purposes, a covered entity shall provide the individual with a copy of the Location Privacy Policy and obtain consent from that individual; provided, however, that this shall not be required when the collection and processing is done in (1) compliance with an obligation under federal or state law or (2) in response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.
(b) If a covered entity collects location information for the provision of multiple permissible purposes, it shall be mentioned in the Location Privacy Policy and individuals shall provide discrete consent for each purpose; provided, however, that this shall not be required for the purpose of collecting and processing location information to comply with an obligation under federal or state law or to respond to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to human life.
(c) A covered entity that directly delivers targeted advertisements as part of its product or services shall provide individuals with a clear, conspicuous, and simple means to opt out of the processing of their location information for purposes of selecting and delivering targeted advertisements.
(d) Consent provided under this section shall expire (1) after one year, (2) when the initial purpose for processing the information has been satisfied, or (3) when the individual revokes consent, whichever occurs first, provided that consent may be renewed pursuant to the same procedures. Upon expiration of consent, any location information possessed by a covered entity shall be permanently destroyed.
(e) It shall be unlawful for a covered entity or service provider that lawfully collects and processes location information to:
(1) collect more precise location information than necessary to carry out the permissible purpose;
(2) retain location information longer than necessary to carry out the permissible purpose;
(3) sell, rent, trade, or lease location information to third parties; or
(4) derive or infer from location information any data that is not necessary to carry out a permissible purpose.
(5) disclose, cause to disclose, or assist with or facilitate the disclosure of an individual’s location information to third parties, unless such disclosure is (i) necessary to carry out the permissible purpose for which the information was collected, or (ii) requested by the individual to whom the location data pertains.
(f) It shall be unlawful for a covered entity or service providers to disclose location information to any federal, state, or local government agency or official unless (1) the agency or official serves the covered entity or service provider with a valid warrant or establishes the existence of exigent circumstances that make it impracticable to obtain a warrant, (2) disclosure is mandated under federal or state law, including in response to a court order or lawfully issued and properly served subpoena or civil investigative demand under state or federal law, or (3) the data subject requests such disclosure.
(g) A covered entity shall maintain and make available to the data subject a Location Privacy Policy, which shall include, at a minimum, the following:
(1) the permissible purpose for which the covered entity is collecting, processing, or disclosing any location information;
(2) the type of location information collected, including the precision of the data;
(3) the identities of service providers with which the covered entity contracts with respect to location data;
(4) any disclosures of location data necessary to carry out a permissible purpose and the identities of the third parties to whom the location information could be disclosed;
(5) whether the covered entity’s practices include the internal use of location information for purposes of targeted advertisement;
(6) the data management and data security policies governing location information; and
(7) the retention schedule and guidelines for permanently deleting location information.
(h) A covered entity in lawful possession of location information shall provide notice to individuals to whom that information pertains of any change to its Location Privacy Policy at least 20 business days before the change goes into effect, and shall request and obtain consent before collecting or processing location information in accordance with the new Location Privacy Policy.
(i) It shall be unlawful for a government entity to monetize location information.
Section 3. Prohibition Against Retaliation
A covered entity shall not take adverse action against an individual because the individual exercised or refused to waive any of such individual’s rights under this chapter, unless location data is essential to the provision of the good, service, or service feature that the individual requests, and then only to the extent that such data is essential. This prohibition includes but is not limited to:
(1) refusing to provide a good or service to the individual;
(2) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; or
(3) providing a different level or quality of goods or services to the individual.
Section 4. Enforcement
(a) A violation of this chapter or a regulation promulgated under this chapter regarding an individual’s location information constitutes an injury to that individual and shall be deemed an unfair or deceptive act or practice in the conduct of trade or commerce under chapter 93A.
(b) Any individual alleging a violation of this chapter by a covered entity or service provider may bring a civil action in the superior court or any court of competent jurisdiction; provided that, venue in the superior court shall be proper in the county in which the plaintiff resides or was located at the time of any violation.
(c) An individual protected by this chapter shall not be required, as a condition of service or otherwise, to file an administrative complaint with the attorney general or to accept mandatory arbitration of a claim arising under this chapter.
(d) In a civil action in which the plaintiff prevails, the court may award (1) actual damages, including damages for emotional distress, or $5,000 per violation, whichever is greater, (2) punitive damages; and (3) any other relief, including but not limited to an injunction or declaratory judgment, that the court deems to be appropriate. The court shall consider each instance in which a covered entity or service provider collects, processes, or discloses location information in a manner prohibited by this chapter or a regulation promulgated under this chapter as constituting a separate violation of this chapter or regulation promulgated under this chapter. In addition to any relief awarded, the court shall award reasonable attorney’s fees and costs to any prevailing plaintiff.
(e) The attorney general may bring an action pursuant to section 4 of chapter 93A against a covered entity or service provider to remedy violations of this chapter and for other relief that may be appropriate.
(f) Any provision of a contract or agreement of any kind, including a covered entity’s terms of service or policies, including but not limited to the Location Privacy Policy, that purports to waive or limit in any way an individual’s rights under this chapter, including but not limited to any right to a remedy or means of enforcement, shall be deemed contrary to state law and shall be void and unenforceable.
(g) No private or government action brought pursuant to this chapter shall preclude any other action under this chapter.
Section 5. Implementation
The Attorney General may adopt, amend or repeal rules and regulations for the implementation, administration, and enforcement of this chapter.
SECTION 2. Location Information Collected Before Effective Date
Location information collected, processed, and stored prior to the effective date of this Act shall be subject to subsections 2(e)(3), 2(e)(5), and 2(f) of Chapter 93N.
SECTION 3. Effective Date
This Act shall take effect 1 year after enactment.