Amendment ID: S2996-6
Amendment 6
Privacy of Location Data
Ms. Creem, Ms. Edwards, Ms. DiZoglio, Messrs. Lesser, Montigny and Eldridge, Ms. Moran and Ms. Comerford move that the proposed new text be amended by adding the following section:-
"SECTION X. The General Laws, as appearing in the 2020 Official Edition, are hereby amended by inserting after chapter 93K the following chapter:
CHAPTER 93L. Privacy Protections for Location Information Derived from Electronic Devices
Section 1. Definitions
As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:-
“Application” means a software program that runs on the operating system of a device.
“Collect” means to obtain, generate, create, receive, or access location information by any means.
“Covered entity” means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A covered entity does not include a state or local government agency, or any court of Massachusetts, a clerk of the court, or a judge or justice thereof. A covered entity includes the data processors such entity contracts with and any other agents of the entity.
“Data processor” means a person or entity that processes location information on behalf of a covered entity.
“Device” means a mobile telephone, as defined in section 1 of chapter 90 of the general laws, or any other electronic device that is or may commonly be carried by or on an individual and is capable of connecting to a cellular or other wireless network and transmitting, receiving, or collecting location information.
“Disclose” means to make location information available to a third party, intentionally or unintentionally, including but not limited to by sharing, publishing, releasing, transferring, disseminating, providing access to, failing to restrict access to, or otherwise communicating such location information orally, in writing, electronically, or by any other means.
“Harm” shall mean potential or realized adverse consequences to an individual, including but not limited to: (i) direct or indirect financial harm; (ii) physical harm or threats to individuals or property; (iii) interference with or surveillance of First Amendment-protected activities or legally-protected health care activities, as defined in section 11I½ of chapter 12; (iv) interference with the right to vote or with free and fair elections; (v) loss of individual control over location information via non-consensual collection, processing or disclosure of location information, data breach, or other actions that violate this chapter; or (vi) other effects that are foreseeable to, or contemplated by, a covered entity.
“Individual” means a person located in the Commonwealth of Massachusetts.
“Monetize” means to collect, process, or disclose an individual’s location information for profit or in exchange for monetary or other consideration. This term includes but is not limited to selling, renting, trading, or leasing location information.
“Person” means any natural person.
“Process” means to perform any action or set of actions on or with location information, including but not limited to collecting, accessing, using, storing, retaining, analyzing, creating, generating, aggregating, altering, correlating, operating on, recording, modifying, organizing, structuring, disposing of, destroying, de-identifying, or otherwise manipulating location information. This term does not include disclosing or monetizing location information.
“Location information” means information that individuals transmit or make available, regardless of the technological method used, to covered entities with which they interact using a device and that pertains to or directly or indirectly reveals the present or past physical or geographical location of individuals or a device associated with them. Location information includes but is not limited to: (i) an internet protocol address capable of revealing the physical or geographical location of an individual; (ii) Global Positioning System coordinates; (iii) cell-site location information; (iv) information generated by an application; (v) information provided to an application or website by a user regarding their location or location-based activity.
“Permissible purpose” means: (i) provision of a good, service, or specific feature to the individual whose location information is collected when that individual has requested such good, service, or specific feature; (ii) execution of a financial or commercial transaction requested by the individual; (iii) compliance with an obligation under federal, state, or local law; (iv) compliance with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons, consistent with due process; or (v) response to an emergency service agency, an emergency alert, a 911 communication, or any other communication reporting an imminent threat to life or property. Monetization of location information is not a permissible purpose.
“Third party” means any covered entity, person, or governmental entity other than (i) a covered entity that collected or processed location information in accordance with this chapter or (ii) the individual to whom the location information pertains.
Section 2. Protection of location information
(a) It shall be unlawful for a covered entity to collect or process an individual’s location information other than for a permissible purpose.
(b) It shall be unlawful for a covered entity that lawfully collects and processes location information to: (i) disclose, cause to disclose, or otherwise disseminate or cause to disseminate an individual’s location information, unless such disclosure is necessary to carry out a permissible purpose for which the information was collected; (ii) monetize location information; (iii) collect location information at a more granular level than necessary to carry out a permissible purpos; (iv) use location information for any purpose other than to carry out a permissible purpose; (v) retain location data for any time longer than strictly necessary to carry out a permissible purpose; or (vi) derive or infer information or data not needed to carry out a permissible purpose from any element or set of location information.
Section 3. Enforcement
(a) Each instance in which a covered entity or data processor collects, processes, discloses or monetizes location information in a manner prohibited by this section constitutes a separate violation of this section.
(b) A violation of this chapter or a regulation promulgated under this chapter regarding an individual’s location information constitutes a rebuttable presumption of harm to that individual.
(c) Any individual alleging harm caused by a violation of this chapter by a covered entity or data processor may bring a civil action in any court of competent jurisdiction. An individual protected by this chapter shall not be required, as a condition of service or otherwise, to file an administrative complaint with the attorney general or to accept mandatory arbitration of a claim under this chapter.
In a civil action in which the plaintiff prevails, the court may award: (i) liquidated damages of $5,000 per violation; (ii) punitive damages; and (iii) any other relief, including but not limited to an injunction, that the court deems to be appropriate. In addition to any relief awarded, the court shall award reasonable attorney’s fees and costs to any prevailing plaintiff.
(d) The attorney general may bring an action pursuant to section 4 of chapter 93A against a covered entity or data processor to remedy violations of this chapter and for other relief that may be appropriate.
(e) Any provision of a contract or agreement of any kind, including a covered entity’s terms of service or policies, that purports to waive or limit in any way an individual’s rights under this chapter, including but not limited to any right to a remedy or means of enforcement, shall be deemed contrary to state law and shall be void and unenforceable.
(f) No private or government action brought pursuant to this chapter shall preclude any other action under this chapter.
Section 4. Transparency
A covered entity shall, on an annual basis, report to the attorney general aggregate information pertaining to any warrants seeking location information collected and processed by that covered entity that were received during the preceding calendar year by the entity and, if known, by any data processors and third parties.
Covered entities that are required to regularly disclose location information as a matter of law shall, on an annual basis, report to the attorney general aggregate information related to such disclosures.
The attorney general shall develop standardized reporting forms to comply with this section and make the reports available to the general public online."