Amendment ID: S2996-5
Amendment 5
Privacy Protections For Sensitive Health Data and Geolocation Data
Mr. Finegold, Ms. DiZoglio, Messrs. Montigny and Eldridge and Ms. Moran move that the proposed new text be amended by inserting after Section 38 the following sections:-
“SECTION 39. The General Laws are hereby amended by inserting after chapter 93L the following chapter:-
CHAPTER 93M. Privacy Protections for Sensitive Health Data and Geolocation Data
Section 1. Definitions
As used in this chapter, the following words shall have the following meanings unless the context clearly requires otherwise:
“Collects,” “collected” or “collection” means buying, renting, gathering, obtaining, receiving or otherwise accessing any personal information pertaining to an individual by any means. This includes, but is not limited to, obtaining information from the individual, either actively or passively, or by observing the individual’s behavior.
“Consent” means a clear affirmative act signifying an individual’s freely given, specific, informed and unambiguous agreement to allow the processing of personal information relating to the individual for a narrowly defined particular purpose. Consent may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action. The following shall not constitute consent: (1) acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information; (2) hovering over, muting, pausing or closing a given piece of content; or (3) agreement obtained through dark patterns.
“Controller” means the operator that, alone or jointly with others, determines the purposes and means of the processing of personal information of an individual.
“Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice.
“De-identified information” means information, derived from personal information, that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual or a device linked to such individual.
“Entity” means a sole proprietorship, or a corporation, association, partnership or other legal entity.
“HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq.
“Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.
“Individual” means a natural person in the Commonwealth, not including a natural person acting in a commercial or employment context.
“Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with an identified or identifiable individual; provided, however, that personal information shall not include: (1) publicly available information; or (2) de-identified information that is processed in accordance with section 8 of this chapter.
“Process” or “processing” means any operation or set of operations which is performed on personal information or on sets of personal information, whether or not by automated means, such as the collection, use, storage, disclosure, analysis, prediction, deletion, or modification of personal information. “Process” or “processing” includes the actions of a controller directing a processor to process personal information.
“Processor” means an entity that processes personal information on behalf of a controller.
“Protected health information” shall have the same meaning as defined in 45 C.F.R. 160.103.
“Publicly available information” means information about an individual that is: (1) lawfully made available from federal, state or local government records; or (2) information that a controller has a reasonable basis to believe is lawfully and intentionally made available by the individual to the general public through widely distributed media.
“Sale,” “sell” or “sold” means sharing, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, an individual’s personal information by the controller to a third party for monetary or other valuable consideration in a bargained-for exchange. “Sale,” “sell” or “sold” does not include the following:
(1) The disclosure of personal information to a processor where the processor only processes such personal information on behalf of the controller;
(2) The disclosure or transfer of personal information to an affiliate that controls, is controlled by or is under common control or shares common branding with the controller;
(3) The disclosure or transfer of personal information to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller’s assets;
(4) The disclosure of personal information to a third party for purposes of providing a product or service specifically requested by the individual; or
(5) When the individual uses or expressly directs the controller to disclose personal information to a third party or otherwise interact with a third party.
“Sensitive health information” means:
(1) Personal information concerning an individual’s mental or physical health diagnosis or treatment;
(2) Personal information concerning an individual’s sex life or sexual orientation;
(3) Personal information concerning an individual’s sexual or reproductive health, including, but not limited to, information concerning pregnancy, menstruation, ovulation, ability to conceive a pregnancy or sexually transmitted illnesses; or
(4) Personal information concerning use or purchase of contraceptives, birth control, abortifacients or other medication related to reproductive health.
“Specific geolocation information” means information derived from technology including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms that directly identify the specific location of an individual within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet. Specific geolocation information excludes the content of communications or any information generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
“Third party” means a natural person, entity, public authority, agency or body other than the applicable individual, controller, processor or affiliate of the controller or the processor.
Section 2. Scope
This chapter shall apply to:
(a) A controller or processor that conducts business in the Commonwealth; and
(b) The processing of sensitive health information or specific geolocation information by a controller or processor not physically established in the Commonwealth, where the processing activities are related to: (i) the offering of goods or services in the Commonwealth; or (ii) the monitoring of the behavior of individuals in the Commonwealth.
Section 3. Core Privacy Principles
(a) Sensitive health information or specific geolocation information shall be:
(1) Processed lawfully, fairly and in a transparent manner in relation to the individual;
(2) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(3) Processed in a manner that is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
(4) Maintained in a manner such that the information is accurate;
(5) Maintained in a form which permits identification of individuals for no longer than is necessary for the purposes for which the information is processed; and
(6) Processed by the controller in a manner that ensures that the information remains appropriately secure.
(b) A controller shall be responsible for and capable of demonstrating compliance with subsection (a), including by implementing procedures that are reasonable and appropriate taking into consideration:
(1) The size, scope and type of the controller;
(2) The amount of resources available to the controller;
(3) The amount and nature of the personal information processed by the controller; and
(4) The need for the security and confidentiality of the personal information processed by the controller.
Section 4. Consent Requirements
(a) A controller shall not process an individual’s sensitive health information or specific geolocation information without obtaining the individual’s consent, or, in the case of the processing of personal information concerning an individual who a controller knows or reasonably should know is under the age of 13, without processing such information in accordance with 15 U.S.C. 6501 et seq.; and
(b) A controller shall provide an effective, clear and conspicuous mechanism for an individual to revoke the individual’s consent under this section and, upon revocation of such consent, cease to process the individual’s sensitive health information or specific geolocation information as soon as practicable, but not later than fifteen days after the receipt of such request.
Section 5. Right to Privacy Notice
(a) At or before the point of collection of an individual’s sensitive health information or specific geolocation information, a controller shall provide the individual with a reasonably accessible, clear and meaningful privacy notice that shall include at a minimum:
(1) The controller’s purposes for processing such information;
(2) A description of whether the controller sells such information to third parties, and the categories of third parties, if any, to whom the controller sells such information; and
(3) The length of time the controller intends to retain such information, or if that is not possible, the criteria used to determine such period.
(b) A controller shall not process sensitive health information or specific geolocation information for purposes incompatible with the disclosed purposes for which the information was collected without providing the individual with notice consistent with this section.
(c) Nothing in this paragraph shall require a controller to provide the information required in a manner that would disclose the controller’s trade secrets.
Section 6. Risk Assessments
(a) Prior to the processing of sensitive health information or specific geolocation information, the controller shall carry out a risk assessment of the impact of the envisioned processing. A single assessment may address a set of similar processing operations that present similarly high risks. The assessment shall contain at a minimum:
(1) A systematic description of the envisioned processing and its purposes, including, where applicable, the legitimate interest pursued by the controller or third party;
(2) An assessment of the necessity of the processing in relation to its purposes, taking into account whether the controller or third party can achieve their legitimate interests in another less intrusive way;
(3) An assessment of the proportionality of the processing in relation to the purposes, taking into account the amount and nature of the personal information to be processed;
(4) An assessment of the risks to individuals;
(5) The measures envisioned to address the risks and ensure the protection of sensitive health information or specific geolocation information, taking into account the individuals’ reasonable expectations of privacy or other legal rights; provided, however, that such measures may include but are not limited to: (i) de-identification; (ii) deletion of such information; (iii) procedures for responding to requests from governmental authorities concerning such information; and (iv) security mechanisms; and
(6) A description of: (i) the context of the processing; and (ii) whether the controller is processing an individual’s sensitive health information or specific geolocation information in ways in which the individual would reasonably expect.
(b) A controller shall implement procedures to conduct such risk assessments that are reasonable and appropriate taking into consideration the factors specified in paragraphs (1) through (4) of subsection (b) of section 3.
(c) The Attorney General of the Commonwealth may require, pursuant to a civil investigative demand, that a controller disclose any risk assessment relevant to an investigation conducted by the Attorney General. The controller shall make the risk assessment available to the Attorney General, who may evaluate the risk assessment for compliance with this chapter. Risk assessments shall be confidential and exempt from public inspection and copying under chapter 66 of the General Laws. The disclosure of a risk assessment pursuant to a civil investigative demand from the Attorney General shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.
(d) Risk assessments shall apply to processing activities created or generated after the effective date of this chapter and shall not be retroactive.
Section 7. Privacy Obligations of Processors
(a) A contract between a controller and processor shall govern the processor’s procedures with respect to processing individuals’ sensitive health information or specific geolocation information that the processor receives from or on behalf of the controller. The contract shall clearly set forth the processing instructions to which the processor is bound, including the following requirements related to sensitive health information and specific geolocation information:
(1) At the controller’s discretion, the processor shall delete or return such information to the controller as requested at the end of the provision of services, unless retention of such information is required by law;
(2) Upon the reasonable request of the controller, the processor shall make available to the controller such information in its possession necessary to demonstrate compliance with the obligations under this chapter; and
(3) The processor shall be prohibited from: (i) selling such information; (ii) retaining, using or disclosing such information other than for the purposes specified in the contract or as otherwise permitted by this chapter; or (iii) retaining, using or disclosing such information outside of the direct relationship between the processor and the controller.
(b) No contract shall relieve a controller or a processor from the liabilities imposed on it by this chapter.
Section 8. De-identified Information
A controller that possesses de-identified information shall: (1) take reasonable technical and organizational measures to ensure that the information cannot be associated with an identified or identifiable individual; (2) not attempt to re-identify the information, provided that the controller may attempt to re-identify the information solely for the purpose of determining whether its de-identification procedures satisfy this section’s requirements; and (3) contractually require any recipients of the information to comply with this section’s requirements.
Section 9. No Waiver
Any provision of a contract or agreement of any kind that purports to waive or limit in any way individual rights under this chapter shall be void and unenforceable.
Section 10. Powers of the Attorney General
(a) Whenever the Attorney General has reasonable cause to believe that an entity has engaged in, is engaging in or is about to engage in a violation of this chapter, the Attorney General may issue a civil investigative demand. The provisions of section 6 of chapter 93A of the General Laws shall apply mutatis mutandis to civil investigative demands under this chapter.
(b) The Attorney General shall have the authority to enforce the provisions of this chapter. A violation of this chapter shall not serve as the basis for or be subject to a private right of action under this chapter. Nothing in this chapter shall be construed as creating a new private right of action or serving as the basis for a private right of action that would not otherwise have had a basis under any other law but for the enactment of this chapter. This chapter neither relieves any party from any duties or obligations imposed, nor alters any independent rights that individuals have under chapter 93A of the General Laws, other state or federal laws, the Massachusetts Constitution or the United States Constitution.
(c) Prior to initiating any civil action under this chapter, the Attorney General shall provide an entity with written notice identifying the specific provisions of this chapter that the Attorney General alleges have been or are being violated.
(d) (1) The entity shall have 30 days in which to cure a violation after being provided notice by the Attorney General. If within that time period the entity cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action under this chapter shall be initiated against the entity.
(2) Paragraph (1) shall not apply when:
(i) The court has issued a temporary restraining order, preliminary injunction or permanent injunction or assessed civil penalties against the entity for a violation of this chapter;
(ii) The Attorney General and the entity have previously reached a settlement relating to this chapter that includes an admission by the entity that it has violated this chapter, not including any express written statement provided pursuant to paragraph (1);
(iii) The Attorney General has clear and convincing evidence that the entity willfully and wantonly violated this chapter; or
(iv) The violation occurs more than twenty-four months after this section’s effective date and the violating entity: (A) as of January 1 of the calendar year, had annual global gross revenues in excess of 1,000,000,000 dollars in the preceding calendar year; and (B) determines the purposes and means of processing of the personal information of not less than 100,000 individuals.
(e) If the entity continues to violate this chapter following the cure period in subsection (d), breaches an express written statement provided to the Attorney General under that subsection, or is not eligible for a cure period pursuant to that subsection, the Attorney General may initiate a civil action against the entity in the name of the Commonwealth or as parens patriae on behalf of individuals. The Attorney General may seek a temporary restraining order, preliminary injunction or permanent injunction to restrain any violations of this chapter and may seek civil penalties of up to 7,500 dollars for each violation under this chapter.
(f) In determining the overall amount of civil penalties to seek or assess against an entity, the Attorney General or the court shall include, but not be limited to, the following in its consideration:
(1) The size, scope and type of the entity;
(2) The amount of resources available to the entity;
(3) The amount and nature of the personal information processed by the entity;
(4) The nature and severity of the violation;
(5) Efforts undertaken by the entity to cure the violation; and
(6) The number of violations.
(g) The Attorney General may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under this chapter.
(h) The Attorney General shall have discretion to allocate any civil penalties, expenses, fees or proceeds of any settlement of a civil action pursuant to this chapter to: (1) the general fund; or (2) where possible, directly to individuals impacted by the violation of the chapter.
(i) The Attorney General shall promote public awareness of this chapter.
(j) The Attorney General shall adopt regulations for the purposes of carrying out this chapter.
Section 11. Limitations
(a) The obligations imposed on controllers or processors under this chapter shall not:
(1) Apply to the processing of personal information by a natural person in the course of a purely personal or household activity; or
(2) Apply where compliance by the controller or processor would violate an evidentiary privilege under the laws of the Commonwealth or be construed to prevent a controller or processor from providing personal information concerning an individual to a person covered by an evidentiary privilege under the laws of the Commonwealth as part of a privileged communication.
(b) Nothing in this chapter shall be construed to restrict a controller’s or a processor’s ability to:
(1) Comply with federal, state or local laws, rules or regulations;
(2) Comply with a civil, criminal or regulatory inquiry, subpoena or summons by federal, state, local or other governmental authorities;
(3) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or local laws, rules or regulations;
(4) Investigate, establish, exercise, prepare for or defend legal claims;
(5) Take immediate steps to protect the security or protection of a natural person, if that natural person is at risk or danger of death or serious physical injury; or
(6) Assist another controller, processor or third party with any of the obligations under this chapter.
(c) Nothing in this chapter shall be construed to restrict a controller’s or processor’s ability to process personal information for internal use in order to:
(1) Identify and repair technical errors that impair existing or intended functionality; or
(2) Perform solely internal operations that are consistent with the reasonable expectations of the individual based on the individual’s relationship with the controller; provided, however, that the controller shall conspicuously disclose such processing to the individual in advance and conduct a risk assessment pursuant to section 6 that shows the legitimate interests pursued by the controller or by a third party substantially outweigh the individual’s reasonable expectations of privacy or other legal rights.
(d) This chapter shall not apply to:
(1) Any agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof; or
(2) A covered entity or business associate, as defined in 45 C.F.R. 160.103.
(e) The following information shall be exempt from the provisions of this section:
(1) Protected health information processed under HIPAA pursuant to 45 C.F.R. 160, 162 and 164.
(2) Information used only for public health activities as authorized by HIPAA.
(3) Patient identifying information for purposes of 42 C.F.R. 2, established pursuant to 42 U.S.C. 290dd-2.
(4) Information that is: (i) collected for a clinical trial subject to the Federal Policy for the Protection of Human Subjects (also known as the Common Rule) under 45 C.F.R. 46; (ii) collected pursuant to good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; (iii) collected pursuant to the human subject protection requirements under 21 C.F.R. 50 and 56; or (iv) personal information used or disclosed in research conducted in accordance with one or more of the requirements set forth in this paragraph.
(5) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101 et seq.
(6) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. 299b-21 et seq.
(7) Information that is: (i) derived from any of the health care-related information listed in this paragraph; and (ii) de-identified in accordance with the requirements for de-identification pursuant to 45 C.F.R. 164.
(8) Information that is treated in the same manner as, or that originates from and is intermingled to be indistinguishable with, information exempt under this subsection that is maintained by: (i) a covered entity or business associate, as defined in 45 C.F.R. 160.103; or (ii) a program of a qualified service organization as defined by 42 U.S.C. 290dd-2.
(9) Personal information processed in compliance with the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq.
(10) Personal information regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. 1232g et seq.
(11) Personal information processed in compliance with chapter 175I of the General Laws.
(12) Personal information processed for purposes of chapter 176Q of the General Laws.
SECTION 40. Section 39 shall take effect 18 months after the enactment of this act.”