HOUSE . . . . . . . . No. 4632
The Commonwealth of Massachusetts
________________________________________
HOUSE OF REPRESENTATIVES, May 13, 2024.
The committee on Advanced Information Technology, the Internet and
Cybersecurity, to whom were referred the petition (accompanied by bill,
Senate, No. 227) of Barry R. Finegold for legislation to establish the
Massachusetts Information Privacy and Security Act; the petition
(accompanied by bill, House, No. 60) of Daniel R. Carey and Mindy
Domb relative to the security and the protection of personal information
by establishing the Massachusetts information privacy and security act;
the petition (accompanied by bill, House, No. 63) of Dylan A. Fernandes,
Mindy Domb and Bud L. Williams for legislation to protect biometric
information; the petition (accompanied by bill, House, No. 80) of David
M. Rogers relative to internet privacy rights for children; and, the petition
(accompanied by bill, House, No. 83) of Andres X. Vargas, David M.
Rogers and Carmine Lawrence Gentile for legislation to establish the
Massachusetts data privacy protection act, reports recommending that the
accompanying bill (House, No. 4632) ought to pass.
For the committee,
TRICIA FARLEY-BOUVIER.
FILED ON: 5/6/2024
HOUSE . . . . . . . . . . . . . . . No. 4632
The Commonwealth of Massachusetts
_______________
In the One Hundred and Ninety-Third General Court
(2023-2024)
_______________
An Act establishing the Massachusetts Data Privacy Act.
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority
of the same, as follows:
1 SECTION 1.
2 The General Laws, as appearing in the 2022 Official Edition, are hereby amended by
3 inserting after chapter 93L the following chapter:
4 Chapter 93M. Massachusetts Data Privacy Act
5 Section 1. Definitions
6 (a) As used in this chapter, the following words shall, unless the context clearly
7 requires otherwise, have the following meanings:
8 (1) “authentication”, the process of verifying an individual or entity for security
9 purposes.
10 (2) “biometric data”, data generated from the technological processing of an
11 individual’s unique biological, physical, or physiological characteristics that is linked or
12 reasonably linkable to an individual, including but not limited to retina or iris scans, fingerprint,
13 voiceprint, map or scan of hand or face geometry, vein pattern, gait pattern; provided, however,
14 that “biometric information” shall not include:
15 (i) a digital or physical photograph;
16 (ii) an audio or video recording; or
17 (iii) data generated from a digital or physical photograph, or an audio or video
18 recording, unless such data is generated to identify a specific individual.
19 (3) “chapter”, this chapter of the General Laws, as from time to time may be
20 amended, and any regulations promulgated under said chapter.
21 (4) “collect” and “collection”, buying, renting, licensing, gathering, obtaining,
22 receiving, accessing, or otherwise acquiring covered data by any means. This includes receiving
23 information from the consumer either actively, through interactions such as user registration, or
24 passively, by observing the consumer’s behavior.
25 (5) “consent”, a clear affirmative act signifying an individual’s freely given, specific,
26 informed, and unambiguous agreement to allow the processing of specific categories of personal
27 information relating to the individual for a narrowly defined particular purpose after having been
28 informed, in response to a specific request from a covered entity that meets the requirements of
29 this chapter; provided, however, that “consent” may include a written statement, including a
30 statement written by electronic means, or any other unambiguous affirmative action; and
31 provided further, that the following shall not constitute “consent”:
32 (i) acceptance of a general or broad terms of use or similar document that contains
33 descriptions of personal information processing along with other, unrelated information;
34 (ii) hovering over, muting, pausing, or closing a given piece of content; or
35 (iii) agreement obtained through dark patterns or a false, fictitious, fraudulent, or
36 materially misleading statement or representation.
37 (6) “control”, with respect to an entity:
38 (i) ownership of, or the power to vote, more than 50 percent of the outstanding shares
39 of any class of voting security of the entity;
40 (ii) control over the election of a majority of the directors of the entity (or of
41 individuals exercising similar functions); or
42 (iii) the power to exercise a controlling influence over the management of the entity.
43 (7) “covered data”, information, including derived data, inferences, and unique
44 persistent identifiers, that identifies or is linked or reasonably linkable, alone or in combination
45 with other information, to an individual or a device that identifies or is linked or reasonably
46 linkable to an individual. However, the term “covered data” does not include de-identified data
47 or publicly available information.
48 (8) “covered entity”, any entity or any person, other than an individual acting in a
49 non-commercial context, that alone or jointly with others determines the purposes and means of
50 collecting, processing, or transferring covered data.
51 The term “covered entity” does not include:
52 (i) government agencies or service providers to government agencies that exclusively
53 and solely process information provided by government entities;
54 (ii) any entity or person that meets the following criteria for the period of the 3
55 preceding calendar years (or for the period during which the covered entity or service provider
56 has been in existence if such period is less than 3 years):
57 (A) the entity or person’s average annual gross revenues during the period did not
58 exceed $20,000,000;
59 (B) the entity or person, on average, did not annually collect or process the covered
60 data of more than 25,000 individuals during the period, other than for the purpose of initiating,
61 rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested
62 service or product, so long as all covered data for such purpose was deleted or de-identified
63 within 90 days, except when necessary to investigate fraud or as consistent with a covered
64 entity’s return policy; and
65 (C) no component of its revenue comes from transferring covered data during any
66 year (or part of a year if the covered entity has been in existence for less than 1 year) that occurs
67 during the period.
68 (iii) a national securities association that is registered under 15 U.S.C. 78o-3 of the
69 Securities Exchange Act of 1934 and is operating solely for purposes under that act.
70 (iv) a nonprofit organization that is established to detect and prevent fraudulent acts in
71 connection with insurance and is operating solely for that purpose.
72 (9) “covered high-impact social media company”, a covered entity that provides any
73 internet-accessible platform where:
74 (i) such covered entity generates $3,000,000,000 or more in annual revenue;
75 (ii) such platform has 300,000,000 or more monthly active users for not fewer than 3
76 of the preceding 12 months on the online product or service of such covered entity; and
77 (iii) such platform constitutes an online product or service that is primarily used by
78 users to access or share user-generated content.
79 (10) “dark pattern or deceptive design”, a user interface that is designed, modified, or
80 manipulated with the purpose or substantial effect of obscuring, subverting, or impairing a
81 reasonable individual’s autonomy, decision-making, or choice, including, but not limited to, any
82 practice the Federal Trade Commission refers to as a “dark pattern.”
83 (11) “data broker”, a covered entity whose principal source of revenue is derived from
84 processing or transferring covered data that the covered entity did not collect directly from the
85 individuals linked or linkable to the covered data. This term does not include a covered entity
86 insofar as such entity processes employee data collected by and received from a third party
87 concerning any individual who is an employee of the third party for the sole purpose of such
88 third-party providing benefits to the employee. An entity may not be considered to be a data
89 broker for purposes of this chapter if the entity is acting as a service provider.
90 (12) “de-identified data”, information that does not identify and is not linked or
91 reasonably linkable to a distinct individual or a device, regardless of whether the information is
92 aggregated, and if the covered entity or service provider:
93 (i) takes technical measures to ensure that the information cannot, at any point, be
94 used to re-identify any individual or device that identifies or is linked or reasonably linkable to
95 an individual;
96 (ii) publicly commits in a clear and conspicuous manner:
97 (A) to process and transfer the information solely in a de-identified form without any
98 reasonable means for re-identification; and
99 (B) to not attempt to re-identify the information with any individual or device that
100 identifies or is linked or reasonably linkable to an individual; and
101 (iii) contractually obligates any person or entity that receives the information from the
102 covered entity or service provider:
103 (A) to comply with all the provisions of this paragraph with respect to the
104 information; and
105 (B) to require that such contractual obligations be included contractually in all
106 subsequent instances for which the data may be received.
107 (13) “derived data”, covered data that is created by the derivation of information, data,
108 assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another
109 source of information or data about an individual or an individual’s device.
110 (14) “device”, any electronic equipment capable of collecting, processing, or
111 transferring data that is used by one or more individuals or households.
112 (15) “genetic information”, any covered data, regardless of its format, that concerns an
113 individual’s genetic characteristics, including but not limited to:
114 (i) raw sequence data that results from the sequencing of the complete, or a portion
115 of the, extracted deoxyribonucleic acid (DNA) of an individual; or
116 (ii) genotypic and phenotypic information that results from analyzing raw sequence
117 data described in subparagraph (i).
118 (16) “homepage”, the introductory page of an internet website and any internet web
119 page where personal information is collected; provided, however, that in the case of an online
120 service, such as a mobile application, “homepage” shall include:
121 (i) the application’s platform page or download page;
122 (ii) a link within the application, such as from the application configuration, “About,”
123 “Information,” or settings page; and
124 (iii) any other location that allows individuals to review the notices required by this
125 chapter, including, but not limited to, before downloading the application.
126 (17) “individual”, a natural person who is a Massachusetts resident or is present in
127 Massachusetts.
128 (18) “knowledge”,
129 (i) with respect to a covered entity that is a covered high-impact social media company,
130 the entity knew or should have known the individual was a minor;
131 (ii) with respect to a covered entity or service provider that is a large data holder, and
132 otherwise is not a covered high-impact social media company, that the covered entity knew or
133 acted in willful disregard of the fact that the individual was a minor; and
134 (iii) with respect to a covered entity or service provider that does not meet the
135 requirements of clause (i) or (ii), actual knowledge.
136 (19) “large data holder”, a covered entity or service provider that in the most recent
137 calendar year:
138 (i) had annual gross revenues of $200,000,000 or more; and
139 (ii) collected, processed, or transferred the covered data of more than 2,000,000
140 individuals or devices that identify or are linked or reasonably linkable to one or more
141 individuals, excluding covered data collected and processed solely for the purpose of initiating,
142 rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested
143 product or service; or the sensitive covered data of more than 200,000 individuals or devices that
144 identify or are linked or reasonably linkable to one or more individuals.
145 The term “large data holder” does not include any instance in which the covered entity or
146 service provider would qualify as a large data holder solely on the basis of collecting or
147 processing personal email addresses, personal telephone numbers, or log-in information of an
148 individual or device to allow the individual or device to log in to an account administered by the
149 covered entity or service provider.
150 (20) “material”, with respect to an act, practice, or representation of a covered entity
151 (including a representation made by the covered entity in a privacy policy or similar disclosure to
152 individuals) involving the collection, processing, or transfer of covered data, that such act,
153 practice, or representation is likely to affect a reasonable individual’s decision or conduct
154 regarding a product or service.
155 (21) “minor”, an individual under the age of 18.
156 (22) “OCABR”, the Office of Consumer Affairs and Business Regulation.
157 (23) “precise geolocation information”, information derived from a device or from
158 interactions between devices, with or without the knowledge of the user and regardless of the
159 technological method used, that pertains to or directly or indirectly reveals the present or past
160 geographical location of an individual or device within the Commonwealth of Massachusetts
161 with sufficient precision to identify street-level location information within a range of 1,850 feet
162 or less.
163 (24) “process”, any operation or set of operations performed on information or on sets
164 of information, whether or not by automated means, including but not limited to the use, storage,
165 analysis, deletion, or modification of information.
166 (25) “processing purpose”, a reason for which a covered entity or service provider
167 collects, processes, or transfers covered data that is specific and granular enough for a reasonable
168 individual to understand the material facts of how and why the covered entity or service provider
169 collects, processes, or transfers the covered data.
170 (26) “profiling”, any form of automated processing performed on personal data to
171 evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s
172 economic situation, health, personal preferences, interests, reliability, behavior, location or
173 movements.
174 (27) “publicly available information”, any information that a covered entity or service
175 provider has a reasonable basis to believe has been lawfully made available to the general public
176 from:
177 (i) federal, state, or local government records, if the covered entity collects,
178 processes, and transfers such information in accordance with any restrictions or terms of use
179 placed on the information by the relevant government entity;
180 (ii) widely distributed media;
181 (iii) a website or online service made available to all members of the public, for free or
182 for a fee, including where all members of the public, for free or for a fee, can log in to the
183 website or online service;
184 (iv) a disclosure that has been made to the general public as required by federal, state,
185 or local law; or
186 (v) the visual observation of the physical presence of an individual or a device in a
187 public place, not including data collected by a device in the individual’s possession.
188 For purposes of this paragraph, information from a website or online service is not
189 available to all members of the public if the individual who made the information available via
190 the website or online service has either restricted the information to a specific audience or
191 reasonably expects that the information will not be distributed to so ma