Bill Summary – FastDemocracy

HOUSE . . . . . . . . No. 4632
         The Commonwealth of Massachusetts
                     ________________________________________
                        HOUSE OF REPRESENTATIVES, May 13, 2024.
    The committee on Advanced Information Technology, the Internet and
Cybersecurity, to whom were referred the petition (accompanied by bill,
Senate, No. 227) of Barry R. Finegold for legislation to establish the
Massachusetts Information Privacy and Security Act; the petition
(accompanied by bill, House, No. 60) of Daniel R. Carey and Mindy
Domb relative to the security and the protection of personal information
by establishing the Massachusetts information privacy and security act;
the petition (accompanied by bill, House, No. 63) of Dylan A. Fernandes,
Mindy Domb and Bud L. Williams for legislation to protect biometric
information; the petition (accompanied by bill, House, No. 80) of David
M. Rogers relative to internet privacy rights for children; and, the petition
(accompanied by bill, House, No. 83) of Andres X. Vargas, David M.
Rogers and Carmine Lawrence Gentile for legislation to establish the
Massachusetts data privacy protection act, reports recommending that the
accompanying bill (House, No. 4632) ought to pass.
                             For the committee,
                                                TRICIA FARLEY-BOUVIER.
                                                      FILED ON: 5/6/2024
      HOUSE . . . . . . . . . . . . . . . No. 4632
                                The Commonwealth of Massachusetts
                                                      _______________
                                    In the One Hundred and Ninety-Third General Court
                                                       (2023-2024)
                                                      _______________
     An Act establishing the Massachusetts Data Privacy Act.
              Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority
     of the same, as follows:
         SECTION 1.
         The General Laws, as appearing in the 2022 Official Edition, are hereby amended by
  inserting after chapter 93L the following chapter:
         Chapter 93M. Massachusetts Data Privacy Act
         Section 1. Definitions
         (a)      As used in this chapter, the following words shall, unless the context clearly
 requires otherwise, have the following meanings:
         (1)      “authentication”, the process of verifying an individual or entity for security
 purposes.
         (2)      “biometric data”, data generated from the technological processing of an
 individual’s unique biological, physical, or physiological characteristics that is linked or
 reasonably linkable to an individual, including but not limited to retina or iris scans, fingerprint,
                                                          1 of 64
 voiceprint, map or scan of hand or face geometry, vein pattern, gait pattern; provided, however,
 that “biometric information” shall not include:
        (i)     a digital or physical photograph;
        (ii)    an audio or video recording; or
        (iii)   data generated from a digital or physical photograph, or an audio or video
 recording, unless such data is generated to identify a specific individual.
        (3)     "chapter”, this chapter of the General Laws, as from time to time may be
 amended, and any regulations promulgated under said chapter.
        (4)     “collect” and “collection”, buying, renting, licensing, gathering, obtaining,
 receiving, accessing, or otherwise acquiring covered data by any means. This includes receiving
 information from the consumer either actively, through interactions such as user registration, or
 passively, by observing the consumer’s behavior.
        (5)     “consent”, a clear affirmative act signifying an individual’s freely given, specific,
 informed, and unambiguous agreement to allow the processing of specific categories of personal
 information relating to the individual for a narrowly defined particular purpose after having been
 informed, in response to a specific request from a covered entity that meets the requirements of
 this chapter; provided, however, that “consent” may include a written statement, including a
 statement written by electronic means, or any other unambiguous affirmative action; and
 provided further, that the following shall not constitute “consent”:
        (i)     acceptance of a general or broad terms of use or similar document that contains
 descriptions of personal information processing along with other, unrelated information;
                                                   2 of 64
        (ii)    hovering over, muting, pausing, or closing a given piece of content; or
        (iii)   agreement obtained through dark patterns or a false, fictitious, fraudulent, or
 materially misleading statement or representation.
        (6)     “control”, with respect to an entity:
        (i)     ownership of, or the power to vote, more than 50 percent of the outstanding shares
 of any class of voting security of the entity;
        (ii)    control over the election of a majority of the directors of the entity (or of
 individuals exercising similar functions); or
        (iii)   the power to exercise a controlling influence over the management of the entity.
        (7)     “covered data”, information, including derived data, inferences, and unique
 persistent identifiers, that identifies or is linked or reasonably linkable, alone or in combination
 with other information, to an individual or a device that identifies or is linked or reasonably
 linkable to an individual. However, the term “covered data” does not include de-identified data
 or publicly available information.
        (8)     “covered entity”, any entity or any person, other than an individual acting in a
 non-commercial context, that alone or jointly with others determines the purposes and means of
 collecting, processing, or transferring covered data.
        The term “covered entity” does not include:
        (i)     government agencies or service providers to government agencies that exclusively
 and solely process information provided by government entities;
                                                      3 of 64
        (ii)    any entity or person that meets the following criteria for the period of the 3
 preceding calendar years (or for the period during which the covered entity or service provider
 has been in existence if such period is less than 3 years):
        (A)     the entity or person’s average annual gross revenues during the period did not
 exceed $20,000,000;
        (B)     the entity or person, on average, did not annually collect or process the covered
 data of more than 25,000 individuals during the period, other than for the purpose of initiating,
 rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested
 service or product, so long as all covered data for such purpose was deleted or de-identified
 within 90 days, except when necessary to investigate fraud or as consistent with a covered
 entity’s return policy; and
        (C)     no component of its revenue comes from transferring covered data during any
 year (or part of a year if the covered entity has been in existence for less than 1 year) that occurs
 during the period.
        (iii)   a national securities association that is registered under 15 U.S.C. 78o-3 of the
 Securities Exchange Act of 1934.and is operating solely for purposes under that act.
        (iv)    a nonprofit organization that is established to detect and prevent fraudulent acts in
 connection with insurance and is operating solely for that purpose.
        (9)     “covered high-impact social media company”, a covered entity that provides any
 internet-accessible platform where:
        (i)     such covered entity generates $3,000,000,000 or more in annual revenue;
                                                    4 of 64
        (ii)      such platform has 300,000,000 or more monthly active users for not fewer than 3
 of the preceding 12 months on the online product or service of such covered entity; and
        (iii)     such platform constitutes an online product or service that is primarily used by
 users to access or share user-generated content.
        (10)      “dark pattern or deceptive design”, a user interface that is designed, modified, or
 manipulated with the purpose or substantial effect of obscuring, subverting, or impairing a
 reasonable individual’s autonomy, decision-making, or choice, including, but not limited to, any
 practice the Federal Trade Commission refers to as a “dark pattern.”
        (11)      “data broker”, a covered entity whose principal source of revenue is derived from
 processing or transferring covered data that the covered entity did not collect directly from the
 individuals linked or linkable to the covered data. This term does not include a covered entity
 insofar as such entity processes employee data collected by and received from a third party
 concerning any individual who is an employee of the third party for the sole purpose of such
 third-party providing benefits to the employee. An entity may not be considered to be a data
 broker for purposes of this chapter if the entity is acting as a service provider.
        (12)      “de-identified data”, information that does not identify and is not linked or
 reasonably linkable to a distinct individual or a device, regardless of whether the information is
 aggregated, and if the covered entity or service provider:
        (i)       takes technical measures to ensure that the information cannot, at any point, be
 used to re-identify any individual or device that identifies or is linked or reasonably linkable to
 an individual;
                                                     5 of 64
        (ii)    publicly commits in a clear and conspicuous manner:
        (A)     to process and transfer the information solely in a de-identified form without any
 reasonable means for re-identification; and
        (B)     to not attempt to re-identify the information with any individual or device that
 identifies or is linked or reasonably linkable to an individual; and
        (iii)   contractually obligates any person or entity that receives the information from the
 covered entity or service provider:
        (A)     to comply with all the provisions of this paragraph with respect to the
 information; and
        (B)     to require that such contractual obligations be included contractually in all
 subsequent instances for which the data may be received.
        (13)    “derived data”, covered data that is created by the derivation of information, data,
 assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another
 source of information or data about an individual or an individual’s device.
        (14)    “device”, any electronic equipment capable of collecting, processing, or
 transferring data that is used by one or more individuals or households.
        (15)    “genetic information”, any covered data, regardless of its format, that concerns an
 individual’s genetic characteristics, including but not limited to:
        (i)     raw sequence data that results from the sequencing of the complete, or a portion
 of the, extracted deoxyribonucleic acid (DNA) of an individual; or
                                                     6 of 64
        (ii)    genotypic and phenotypic information that results from analyzing raw sequence
 data described in subparagraph (i).
        (16)    “homepage”, the introductory page of an internet website and any internet web
 page where personal information is collected; provided, however, that in the case of an online
 service, such as a mobile application, “homepage” shall include:
        (i)     the application’s platform page or download page;
        (ii)    a link within the application, such as from the application configuration, “About,”
 “Information,” or settings page; and
        (iii)   any other location that allows individuals to review the notices required by this
 chapter, including, but not limited to, before downloading the application.
        (17)    “individual”, a natural person who is a Massachusetts resident or is present in
 Massachusetts.
        (18)    “knowledge”,
        (i)with respect to a covered entity that is a covered high-impact social media company,
 the entity knew or should have known the individual was a minor;
        (ii)with respect to a covered entity or service provider that is a large data holder, and
 otherwise is not a covered high-impact social media company, that the covered entity knew or
 acted in willful disregard of the fact that the individual was a minor; and
        (iii)with respect to a covered entity or service provider that does not meet the
 requirements of clause (i) or (ii), actual knowledge.
                                                    7 of 64
        (19)      “large data holder”, a covered entity or service provider that in the most recent
 calendar year:
        (i)had annual gross revenues of $200,000,000 or more; and
        (ii)collected, processed, or transferred the covered data of more than 2,000,000
 individuals or devices that identify or are linked or reasonably linkable to one or more
 individuals, excluding covered data collected and processed solely for the purpose of initiating,
 rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested
 product or service; or the sensitive covered data of more than 200,000 individuals or devices that
 identify or are linked or reasonably linkable to one or more individuals.
        The term “large data holder” does not include any instance in which the covered entity or
 service provider would qualify as a large data holder solely on the basis of collecting or
 processing personal email addresses, personal telephone numbers, or log-in information of an
 individual or device to allow the individual or device to log in to an account administered by the
 covered entity or service provider.
        (20)      “material”, with respect to an act, practice, or representation of a covered entity
 (including a representation made by the covered entity in a privacy policy or similar disclosure to
 individuals) involving the collection, processing, or transfer of covered data, that such act,
 practice, or representation is likely to affect a reasonable individual’s decision or conduct
 regarding a product or service
        (21)      “minor”, an individual under the age of 18.
        (22)      “OCABR”, the Office of Consumer Affairs and Business Regulation.
                                                      8 of 64
            (23)   “precise geolocation information,” information derived from a device or from
 interactions between devices, with or without the knowledge of the user and regardless of the
 technological method used, that pertains to or directly or indirectly reveals the present or past
 geographical location of an individual or device within the Commonwealth of Massachusetts
 with sufficient precision to identify street-level location information within a range of 1,850 feet
 or less.
            (24)   “process”, any operation or set of operations performed on information or on sets
 of information, whether or not by automated means, including but not limited to the use, storage,
 analysis, deletion, or modification of information.
            (25)   “processing purpose”, a reason for which a covered entity or service provider
 collects, processes, or transfers covered data that is specific and granular enough for a reasonable
 individual to understand the material facts of how and why the covered entity or service provider
 collects, processes, or transfers the covered data.
            (26)   "profiling", any form of automated processing performed on personal data to
 evaluate, analyze or predict personal aspects related to an identified or identifiable individual's
 economic situation, health, personal preferences, interests, reliability, behavior, location or
 movements.
            (27)   “publicly available information”, any information that a covered entity or service
 provider has a reasonable basis to believe has been lawfully made available to the general public
 from:
                                                      9 of 64
        (i)     federal, state, or local government records, if the covered entity collects,
 processes, and transfers such information in accordance with any restrictions or terms of use
 placed on the information by the relevant government entity;
        (ii)    widely distributed media;
        (iii)   a website or online service made available to all members of the public, for free or
 for a fee, including where all members of the public, for free or for a fee, can log in to the
 website or online service;
        (iv)    a disclosure that has been made to the general public as required by federal, state,
 or local law; or
        (v)     the visual observation of the physical presence of an individual or a device in a
 public place, not including data collected by a device in the individual’s possession.
        For purposes of this paragraph, information from a website or online service is not
 available to all members of the public if the individual who made the information available via
 the website or online service has either restricted the information to a specific audience or
 reasonably expects that the information will not be distributed to so ma