Press Room

The Massachusetts Data Privacy Act lays out one of the strongest legislative plans for consumer data protection in the United States which safeguards personal privacy and civil liberties for Massachusetts consumers. 

An Act establishing the Massachusetts Data Privacy Act, S.2608, would protect people in Massachusetts from the exploitation of their precise GPS location, health care information, and biometric data such as face or fingerprint scans. It also guarantees stepped-up protections for minors and allows people to opt out of being targeted by advertisers based on their personal data.

In addition to limits on what big companies can do with personal data, the bill places strong limits on what personal information can be collected in the first place.

The legislation goes even further for young people, creating a stricter threshold to protect the data of minors. The bill also limits the compliance burden on Massachusetts small businesses by focusing only on larger-scale entities that deal with the personal data of thousands of people per year.

The details of the legislation are below.

Guarantees the Consumer’s Right to Know. Specifies that people have a right to know if their personal data is being collected, allows them to see what data was collected, and allows them to find out who their data has been shared with.

Gives Control to Consumers. Empowers people in Massachusetts with control over their personal data through new guaranteed rights to correct inaccurate data, delete personal information, and opt out of having their personal data sold to others.

Creates Strong Enforcement Powers. Gives the Attorney General broad regulatory authority to enforce the provisions of the Massachusetts Data Privacy Act.

Curtails Data Collection. Constrains companies’ unfettered collection of personal data by limiting them to only collecting what is reasonably necessary in order to provide their product or service. For certain sensitive types of data, including biometrics, precise GPS location, and healthcare data, businesses could only collect the information if it is strictly necessary.

Bans Sensitive Data Sales. Prohibits any kind of entity, including businesses and nonprofits, from selling off a person’s sensitive data. Protected categories of sensitive data include precise geolocation; health care information; biometric data, such as face and fingerprint scans; citizenship or immigration status; information revealing someone’s sex life, and any information about a person’s race, color, ethnicity, religion, sexual orientation, gender identity, or national origin; and information that pertains to a child.

Limits Data Transfers. Limits entities from transferring sensitive data unless they first obtain the consumer’s affirmative consent.

Creates Opt-Out Rights for Targeted Advertising. Gives consumers the right to opt out of having their personal data collected or processed for the purpose of targeted advertising or for sale to third parties.

Bans the Sale of Young People’s Data. Prohibits all entities from selling minors’ personal data.

Blocks Targeted Ads for Minors. Prohibits companies from collecting or processing a young person’s personal information for the purposes of targeting ads.