Mass. Privacy Bill with Data Minimization, Private Right of Action Gains Steam
Massachusetts senators advanced a comprehensive privacy bill that includes a private right of action and Maryland-like data-minimization requirements. On Monday, the Senate side of the legislature’s joint Advanced Information Technology Committee advanced to the Ways and Means Committee a new draft of the Massachusetts Data Privacy Act (S-2516) that replaces bills by the committee’s Senate Chair Michael Moore (D), Senate Majority Leader Cynthia Creem (D) and Sen. William Driscoll (D). Some alternatives remain pending, including legislation by Sen. Barry Finegold (D), his spokesperson told Privacy Daily.
Also advancing to Ways and Means were legislation on location (S-197) and biometric privacy (S-43), plus a new draft of a surveillance-pricing measure (S-2515) that replaces S-47. Moore said in a March interview that there was great legislative interest in crafting privacy bills this year (see 2503170036).
SB-2516 “gives everyday Bay Staters the right to better control their data and grants them the ability to simply say no when it comes to invasive data collection practices,” Moore said in a news release Tuesday. “Further, it protects users’ most sensitive data from being sold or being used for targeted advertising, including information on race, sexual orientation, religious beliefs, and whether one has been a victim of a crime.”
The Advanced IT Committee heard many privacy measures at a lengthy hearing April 9 (see 2504090040). S-2516 replaces three of the comprehensive privacy bills that were heard -- Moore’s S-45, Creem’s identical S-29 and Driscoll’s S-33. The previous Moore and Creem bills were modeled after the 2022 federal American Data Privacy and Protection Act (ADPPA), whereas the Driscoll bill hewed closer to Connecticut’s privacy law and received support from the tech industry at the April hearing.
However, the new SB-2516 looks more like H-78 by the committee’s House chairperson, Rep. Tricia Farley-Bouvier (D). Both bills appear to be based on a stringent model developed by Consumer Reports (CR) and the Electronic Privacy Information Center (EPIC). SB-2516 adds a requirement for data brokers to register with the state and a ban on selling location information.
Consumer Advocates Ecstatic
“Massachusetts Senators have advanced a bill that, if enacted, would be the strongest privacy law in the country,” EPIC Deputy Director Caitriona Fitzgerald said in an email. S-2516 would protect residents “from the mass collection and abuse of their personal data, and ban the sale of their sensitive data such as precise geolocation data and health data.”
CR urges Massachusetts General Court leaders to prioritize and quickly move forward with S-2516, which “puts consumer privacy first,” said CR Policy Analyst Matt Schwartz in an email. “This vote sends a strong signal that Massachusetts lawmakers want to help reset the power imbalance and give consumers meaningful control over their personal information.” CR is glad to see the bill include location shield requirements and data broker rules akin to the California Delete Act, he added.
However, TechNet’s Chris Gilrein panned the bill in an emailed statement as “a major departure from the privacy frameworks in Connecticut, Rhode Island, New Hampshire, and more than a dozen other states.” The industry group’s executive director for the Northeast said the bill’s “untested provisions would require bespoke compliance solutions, placing undue burdens on Massachusetts businesses and exposing them to frivolous litigation with the inclusion of a private right of action.”
SB-2516 would authorize the state attorney general to make rules and enforce the law, as privacy measures in many other states do. However, the Massachusetts bill would also allow injured consumers to bring civil actions against companies other than small businesses.
On data minimization, S-2516 would require that controllers limit “the collection, processing, and transfer of personal data to what is reasonably necessary to provide or maintain: (A) a specific product or service requested by the consumer to whom the data pertains, including any routine administrative, operational, or account-servicing activity, such as billing, shipping, delivery, storage, or accounting; or (B) a communication, that is not an advertisement, by the controller to the consumer reasonably anticipated within the context of the relationship between the controller and the consumer.”
Controllers may not sell sensitive data, nor may they “collect, process, or transfer sensitive data concerning a consumer except when such collection, processing, or transfer is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the sensitive data pertains,” the bill says. Maryland’s privacy law has similar data-minimization language, which is stricter than what’s in other states’ bills.
Under S-2516, sensitive data would include precise geolocation information; biometric or genetic information; health information, private messages, contact books and calendar entries; data of children younger than 18; and government IDs. It would also include data that reveals an individual’s race, color, ethnicity, or national origin; sexual orientation or sex or gender identity; religious beliefs; citizenship or immigration status; military service; or status as a crime victim.
Additionally, the bill would set privacy policy notice requirements and address dark patterns. It would require consent requests to be clear and easy to understand and bar companies from inferring consent from inaction, such as clicking out of a consent request without selecting to accept or decline.
Alternatives Remain
The only remaining alternative comprehensive privacy bill on the Senate side is a unique proposal (S-301) by Sen. Barry Finegold (D). The bill, which combines elements of California and Connecticut privacy laws and Europe’s General Data Protection Regulation (GDPR), remains pending in the Economic Development Committee.
That committee hasn’t yet announced a hearing for S-301, “but we’re optimistic that it will move forward as an alternative model to S.2516,” a Finegold spokesperson emailed us on Tuesday. As an Advanced IT Committee member, Finegold “chose to reserve his rights on S.2516, but he sees it as a huge step in the right direction. It’s critical that we pass comprehensive data privacy legislation.”
“We’re rowing in the same direction here,” the Finegold spokesperson added. “S.2516 and S.301 differ on a few key elements, including enforcement and treatment of location data, but they’re ultimately based on the same core principles.”
The House side of the Advanced IT committee hasn’t yet made a move on three House bills from the April hearing, including H-78, H-80 and H-104. A fourth House bill (H-1754) is pending in the Judiciary Committee and hasn’t received a hearing.
Meanwhile, Advanced IT senators also cleared multiple narrower privacy bills Monday, including a location shield bill (S-197). It would stop businesses from “collecting or processing the location data of an individual present in Massachusetts except for certain enumerated permissible purposes, and for compliance with federal or state law and emergency circumstances,” said a summary.
Businesses would have to obtain opt-in consent before collecting or processing someone’s location data. Also, S-197 restricts location data collection “to what is necessary to carry out the permissible purpose and prohibits retaining location data longer than necessary to complete the permissible purpose.” And it would prohibit selling location data to third parties. The attorney general would adopt rules for and enforce the proposed law.
And the committee cleared S-43, which would require private entities possessing biometric information or identifiers to write a policy outlining a retention schedule and guidelines for destruction “after the initial purpose of collection of the information, or one year, whichever occurs first,” said a bill summary. Also, the bill would require opt-in consent before collecting the information and ban companies from selling biometric identifiers or biometric information. Moreover, the bill would include a private right of action.
A surveillance-pricing bill will also advance. “Food stores and food departments shall be prohibited from suggesting items or adjusting the prices of any item in the food store and food department directly or indirectly, based on the biometric data of individuals collected on the premises of a food store and food department,” says SB-2515.