BOSTON — Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity chairs Representative Tricia Farley-Bouvier and Senator Michael Moore announced that a wide-ranging bill which grants consumers new rights over their personal data has been reported favorably out of Committee. 

 

The Massachusetts Data Privacy Act (MDPA) establishes baseline data minimization standards by restricting data holders to only collect and process what is reasonably necessary and proportional to their lawful purpose. The MDPA will ensure greater accountability of companies and grant user data privacy protections to those present in Massachusetts and residents of the state. Highlighted in this bill are strong protections for children, defined as anyone under 18 years, from targeted advertising and transferring of their data without expressed consent.

 

"We rely on technology daily, but these companies are collecting more of our data than ever before and then legally selling this information, rarely with the consumer's knowledge," said House Chair Tricia Farley-Bouvier. "At a juncture where the collection and sale of what should be private data is a matter of public safety and security, the Massachusetts Data Privacy Act is a critical step to hold companies accountable and establish consumer protection in Massachusetts. We must take action to protect the people of the Commonwealth, especially children, and their private data."

 

The MDPA reflects efforts to keep the Commonwealth up to date with the bipartisan federal consensus model for data privacy in three ways; establishing baseline data minimization standards by restricting data holders to only collect and process data that is reasonably necessary and proportional to their purpose; recognizing and reflecting their role in collecting, processing, and transferring data; and banning the commercial sale of geolocation information and targeted advertising to minors.

 

As proposed in the MDPA, important data subject rights extend to all individuals located in Massachusetts such as, the right to access their personal information, the right to opt out of certain processes such as targeted advertising, and the right to delete certain information.

 

The MDPA would also provide a variety of meaningful enforcement mechanisms. The Attorney General is empowered to enforce the MDPA under its own terms and as a violation of the Commonwealth's consumer protection law, Chapter 93A. Consumers are also able to bring claims on their own behalf through a private right of action.

 

More Restrictive Standards for Sensitive Covered Data

The bill specifies that sensitive data, as defined below, cannot be processed for the purposes of targeted advertising. Covered entities cannot engage in targeted advertising to minors, nor can covered entities transfer an individual's sensitive covered data to a third party without the affirmative express consent of the individual.

 

Sensitive data includes information such as precise geolocation information, biometric or genetic information, the data of a minor (anyone under 18), government-issued identifiers, and data that reveals an individual's:

? race, color, ethnicity, or national origin

? sex or gender identity and sexual orientation

? religious beliefs

? citizenship or immigration status

? military service

? status as a victim of a crime

 

Outlines Acceptable Consent Practices

The legislation states that covered entities must issue clear and conspicuous requests for consent to collect and process information with reasonably understandable language, and explain an individual's applicable rights. Requests for consent must be displayed at or before the point of collection of information, and need to include a description of what information will be collected and the purpose for collection.

 

Covered entities cannot infer that an individual has provided consent via their inaction (e.g. clicking out of the consent request without confirming choices does not equate consent.) Privacy by Design Bill language states that covered entities are required to establish, implement, and maintain reasonable policies, practices, and other procedures that reflect their role in collecting, processing, and transferring data. These policies and practices should identify, assess, and mitigate privacy risks as a whole and implement reasonable training and safeguards to promote compliance with all privacy laws applicable to covered data the covered entity collects, processes, or transfers.

 

Additional Provisions of the Massachusetts Data Privacy Act include:

? Privacy Policy Notice Requirements

? Data Broker Registration with the Office of Consumer Affairs and Business Regulation

? Attorney General Regulatory Authority

? Bans the Commercial Sale of Location Information