Mass. Legislators Urge Privacy Action But Face Many Options at Hearing

Massachusetts legislators are seeking consensus on eight comprehensive privacy bills introduced this year in the House and Senate, two senators told us last month (see 2503170036). The committee heard testimony Wednesday on those bills plus narrower privacy measures on children (H-98), location (H-86, S-197), biometric and neural data (S-36, S-43, H-96 and H-103), security breaches (H-93, S-39) and surveillance pricing (H-99, S-47).

One possible approach, modeled after the 2022 federal American Data Privacy and Protection Act (ADPPA), appears in a trio of measures: S-45 by the committee’s Senate chair, Michael Moore (D); S-29 by Senate Democratic Leader Cynthia Creem; and H-104 by Rep. Andres Vargas (D). Meanwhile, S-33 by Sen. William Driscoll (D) and H-80 by Rep. Kate Hogan (D) hewed closer to the Connecticut privacy law model.

A relatively unique bill (S-301) by Sen. Barry Finegold (D) combines elements of the California Consumer Protection Act, the Connecticut-style framework and Europe’s General Data Protection Regulation (GDPR).

Next, H-78 by state Rep. Tricia Farley-Bouvier (D) is based on a model bill by Consumer Reports (CR) and the Electronic Privacy Information Center (EPIC) and contains a private right of action. Last, H-1754 by Rep. Russell Holmes (D) is modeled on the GDPR.

For too long, the burden of protecting privacy has fallen on individuals rather than companies, said the legislative committee’s House Chair Farley-Bouvier. Senate Chair Moore said increasing data breaches show the need to act. "Self-regulation does not work," said Moore, though he added that there must be a balance that provides consumer protection without stifling innovation. “All of this is made worse by the actions of the federal government," including a recent information-sharing agreement between the IRS and U.S. Immigration and Customs Enforcement "that likely violates federal [privacy] law."

“This is one of the most important issues of our time,” said Vargas: Especially at a time when "at the national level, consumer protection and privacy [are] being rolled back; this is a time for Massachusetts to step up to the plate [and] catch up to other states" with privacy laws. Rep. David Rogers (D), co-sponsor of Vargas’ H-104, said the issue is “ripe” for Massachusetts action, considering about 20 other states have passed comprehensive laws. It’s fair for businesses to seek interoperability, said Rogers, but that can’t be a reason not to act.

Driscoll urged legislators to support his S-33 because he said it’s an approach “that 17 other states have coalesced around, adopted and implemented.”

However, Farley-Bouvier said she was closely tracking an advancing Connecticut bill to update that state’s privacy law, including by enhancing data minimization rules and switching from an entity- to a data-level exemption for the Gramm-Leach-Bliley Act (see 2503210065). The House chair raised concerns about exempting entities covered by old federal privacy laws. Such carveouts are common in other states’ privacy laws. GLBA dates to the '90s, when people were using flip phones, she said.

Creem testified mainly on the need for her location privacy bill (S-197) but noted that her comprehensive bill also includes the location shield provisions. Meanwhile, Rep. Simon Cataldo (D) noted that his neural privacy bill (H-103) with Vargas could be "neatly tucked into any of the more comprehensive bills on data privacy that have been proposed."

The legislature should act, said Rep. David Viera (R), the Republican co-sponsor of the House's location privacy bill (H-86). "Privacy is a fundamental human right."

Industry Urges Harmony Among States

Industry groups favored the comprehensive bill by Rep. Hogan because they said it aligns best with other states’ privacy laws. Consumer privacy advocates urged Massachusetts to step beyond existing rules.

H-80 is based on "the framework that currently covers over 100 million U.S. consumers [and] has been adopted on a bipartisan basis in Connecticut, Rhode Island, New Hampshire and 15 other states,” said Andrew Kingman, outside counsel for State Privacy & Security Coalition (SPSC). Kingman urged legislators not to consider a private right of action or Maryland-like data minimization rules that appear in Farley-Bouvier’s H-78.

Rep. Tommy Vitolo (D) pushed back: "This idea that we can't have a patchwork I find absurd,” the lawmaker said. “In fact, my very job is to create a patchwork of laws in this nation. If we didn't have a patchwork of laws, we wouldn't have jobs. We would just have a U.S. Congress."

Farley-Bouvier pressed Kingman to explain his opposition to the data minimization rules proposed in her bill. The Maryland provision is untested and could have negative consequences such as making it harder for companies to provide security patches. The House chair replied, “It sounds like we need to work together on data minimization.”

TechNet also supported H-80 and its Senate companion S-33. “It's a model that has been thoroughly vetted and adopted in red, blue and purple states, including our New England neighbors,” said Chris Gilrein, the industry group’s executive director for the Northeast.

Responding to the TechNet official’s call for interoperability, Rep. Joan Meschino (D) suggested, "A solution could be that Massachusetts could just become the standard to which all comply."

EPIC Deputy Director Caitriona Fitzgerald urged Massachusetts lawmakers to provide “meaningful” data-minimization rules. The consumer privacy advocate supported the committee chairs’ bills, which she said would require that collected data is "related to the product or service I'm asking for as a consumer.” Also, Fitzgerald urged legislators to provide a private right of action.

Witnesses from Consumer Reports and Consumer Federation of America also supported Farley-Bouvier's bill. They praised H-78's data minimization rules, private right of action and heightened protections for sensitive data.

Massachusetts should seize its chance to move on from "the failed notice-and-consent regime" of most privacy regulations and take a data minimization approach instead, said Eric Null, co-director of Center for Democracy and Technology's Privacy & Data Project.