Massachusetts Latest State to Advance Data Privacy Bill
The bill marks the first time that comprehensive data privacy legislation has advanced out of committee in Massachusetts.
Like seemingly every state these days, Massachusetts is angling to implement data privacy legislation that could give residents greater control over their personal information, a move that could have the Commonwealth following in the footsteps of states like California, Colorado, and Virginia.
The Massachusetts Joint Committee on Advanced Information Technology, the Internet and Cybersecurity advanced the internet privacy rights bill, the Massachusetts Information Privacy and Security Act, aka MIPSA, last week, in a 12-0 vote.
“Online privacy and security issues are only going to get more important,” Democratic state Senator Barry Finegold, Senate chair of the committee, said last week. “In the absence of federal action, we can enact meaningful reforms in the commonwealth and help clarify the rules of the road for businesses.”
The bill is a re-draft of a bill introduced last fall by Massachusetts Senate Majority Leader Cindy Creem and Rep. Andy Vargas, S.46/H.142 - the Massachusetts Information Privacy Act. According to Linda Dean Campbell, a State Representative for the 15th District, the Joint Committee voted on 50 bills last week and MIPSA was "the most complex bill that emerged."
Although it has yet to make its way fully through the statehouse, the bill is already notable: while previous efforts have stalled, MIPSA marks the first time that comprehensive data privacy legislation has advanced out of committee in Massachusetts.
If it moves forward, the bill would set safeguards for how companies collect, use, retain, and sell personal information. Companies would have to have an easy-to-understand privacy notice outlining how users' personal data is collected and sold. When it comes to selling information, organizations would have to obtain consent for sales of sensitive information, like geolocation and racial data, and when trying to sell the personal information of children under 16.
Like Illinois, which unanimously passed the Biometric Information Privacy Act (BIPA) in 2008, the Massachusetts bill would impose requirements on businesses that collect biometric information as well.
Similar to the California Privacy Rights Act (CPRA) - set to go into effect January 2023 - under the Massachusetts law, businesses would have to conduct regular risk assessments for high-risk practices such as the sale of personal information.
As with laws already on the books in those aforementioned states, residents would have more control over how their information is used. Like CCPA, the bill would let Massachusetts residents opt out of the sale of their own information. They’d also have the right to delete and correct any personal information a company maintains about them.
Like California, Colorado, and Virginia, the law, if passed, would empower Massachusetts' Attorney General's office to investigate, regulate and enforce the law. The office of the AG, Maura Healey, could also impose penalties of $7,500 per violation and require companies that buy and sell internet data to register with the office.
It's still too early to know what the full scope of the bill will look like. While laws in Virginia (CDPA) and Colorado (CPA) require companies to conduct and keep track of a data protection assessment of data collection activities, it's unclear whether Massachusetts' legislation would stipulate that.
It's also uncertain what type of companies would have to comply with the law. According to a press release issued by the Joint Committee last week, compliance requirements would hinge on a company's size, scope, and conduct "in order to minimize operational impacts on small businesses."
While the legislation still has a ways to go, including approval by the House and Senate, it's on the right track and, like scores of other state-level data privacy bills as of late, worth monitoring.