SENATE DOCKET, NO. 267
FILED ON: 1/10/2025
SENATE . . . . . . . . . . . . . . No.

The Commonwealth of Massachusetts

PRESENTED BY: Michael O. Moore

To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General Court assembled:

The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:

An Act establishing the Massachusetts Data Privacy Act.

PETITION OF:

NAME: Michael O. Moore
DISTRICT/ADDRESS: Second Worcester

[Pin Slip]
[SIMILAR MATTER FILED IN PREVIOUS SESSION SEE SENATE, NO. 2770 OF 2023-2024.]

In the One Hundred and Ninety-Fourth General Court (2025-2026)

An Act establishing the Massachusetts Data Privacy Act.

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1. The General Laws, as appearing in the 2022 Official Edition, are hereby amended by inserting after chapter 93L the following chapter:

Chapter 93M. Massachusetts Data Privacy Act

Section 1. Definitions

(a) As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:

(1) “authentication”, the process of verifying an individual or entity for security purposes.
(2) “biometric data”, data generated from the technological processing of an individual’s unique biological, physical, or physiological characteristics that is linked or reasonably linkable to an individual, including but not limited to retina or iris scans, fingerprint, voiceprint, map or scan of hand or face geometry, vein pattern, gait pattern; provided, however, that “biometric information” shall not include:

(i) a digital or physical photograph;

(ii) an audio or video recording; or

(iii) data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

(3) “chapter”, this chapter of the General Laws, as from time to time may be amended, and any regulations promulgated under said chapter.

(4) “collect” and “collection”, buying, renting, licensing, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any means. This includes receiving information from the consumer either actively, through interactions such as user registration, or passively, by observing the consumer’s behavior.
(5) “consent”, a clear affirmative act signifying an individual’s freely given, specific, informed, and unambiguous agreement to allow the processing of specific categories of personal information relating to the individual for a narrowly defined particular purpose after having been informed, in response to a specific request from a covered entity that meets the requirements of this chapter; provided, however, that “consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action; and provided further, that the following shall not constitute “consent”:

(i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information;

(ii) hovering over, muting, pausing, or closing a given piece of content; or

(iii) agreement obtained through dark patterns or a false, fictitious, fraudulent, or materially misleading statement or representation.

(6) “control”, with respect to an entity:

(i) ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the entity;

(ii) control over the election of a majority of the directors of the entity (or of individuals exercising similar functions); or

(iii) the power to exercise a controlling influence over the management of the entity.

(7) “covered data”, information, including derived data, inferences, and unique persistent identifiers, that identifies or is linked or reasonably linkable, alone or in combination with other information, to an individual or a device that identifies or is linked or reasonably linkable to an individual. However, the term “covered data” does not include de-identified data or publicly available information.
(8) “covered entity”, any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data.

The term “covered entity” does not include:

(i) government agencies or service providers to government agencies that exclusively and solely process information provided by government entities;

(ii) any entity or person that meets the following criteria for the period of the 3 preceding calendar years (or for the period during which the covered entity or service provider has been in existence if such period is less than 3 years):

(A) the entity or person’s average annual gross revenues during the period did not exceed $20,000,000;

(B) the entity or person, on average, did not annually collect or process the covered data of more than 25,000 individuals during the period, other than for the purpose of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product, so long as all covered data for such purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a covered entity’s return policy; and

(C) no component of its revenue comes from transferring covered data during any year (or part of a year if the covered entity has been in existence for less than 1 year) that occurs during the period.

(iii) a national securities association that is registered under 15 U.S.C. 78o-3 of the Securities Exchange Act of 1934 and is operating solely for purposes under that act.

(iv) a nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance and is operating solely for that purpose.
(9) “covered high-impact social media company”, a covered entity that provides any internet-accessible platform where:

(i) such covered entity generates $3,000,000,000 or more in annual revenue;

(ii) such platform has 300,000,000 or more monthly active users for not fewer than 3 of the preceding 12 months on the online product or service of such covered entity; and

(iii) such platform constitutes an online product or service that is primarily used by users to access or share user-generated content.

(10) “dark pattern or deceptive design”, a user interface that is designed, modified, or manipulated with the purpose or substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy, decision-making, or choice, including, but not limited to, any practice the Federal Trade Commission refers to as a “dark pattern.”

(11) “data broker”, a covered entity whose principal source of revenue is derived from processing or transferring covered data that the covered entity did not collect directly from the individuals linked or linkable to the covered data. This term does not include a covered entity insofar as such entity processes employee data collected by and received from a third party concerning any individual who is an employee of the third party for the sole purpose of such third-party providing benefits to the employee. An entity may not be considered to be a data broker for purposes of this chapter if the entity is acting as a service provider.
(12) “de-identified data”, information that does not identify and is not linked or reasonably linkable to a distinct individual or a device, regardless of whether the information is aggregated, and if the covered entity or service provider:

(i) takes technical measures to ensure that the information cannot, at any point, be used to re-identify any individual or device that identifies or is linked or reasonably linkable to an individual;

(ii) publicly commits in a clear and conspicuous manner:

(A) to process and transfer the information solely in a de-identified form without any reasonable means for re-identification; and

(B) to not attempt to re-identify the information with any individual or device that identifies or is linked or reasonably linkable to an individual; and

(iii) contractually obligates any person or entity that receives the information from the covered entity or service provider:

(A) to comply with all the provisions of this paragraph with respect to the information; and

(B) to require that such contractual obligations be included contractually in all subsequent instances for which the data may be received.

(13) “derived data”, covered data that is created by the derivation of information, data, assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another source of information or data about an individual or an individual’s device.

(14) “device”, any electronic equipment capable of collecting, processing, or transferring data that is used by one or more individuals or households.
(15) “genetic information”, any covered data, regardless of its format, that concerns an individual’s genetic characteristics, including but not limited to:

(i) raw sequence data that results from the sequencing of the complete, or a portion of the, extracted deoxyribonucleic acid (DNA) of an individual; or

(ii) genotypic and phenotypic information that results from analyzing raw sequence data described in subparagraph (i).

(16) “homepage”, the introductory page of an internet website and any internet web page where personal information is collected; provided, however, that in the case of an online service, such as a mobile application, “homepage” shall include:

(i) the application’s platform page or download page;

(ii) a link within the application, such as from the application configuration, “About,” “Information,” or settings page; and

(iii) any other location that allows individuals to review the notices required by this chapter, including, but not limited to, before downloading the application.

(17) “individual”, a natural person who is a Massachusetts resident or is present in Massachusetts.

(18) “knowledge”,

(i) with respect to a covered entity that is a covered high-impact social media company, the entity knew or should have known the individual was a minor;

(ii) with respect to a covered entity or service provider that is a large data holder, and otherwise is not a covered high-impact social media company, that the covered entity knew or acted in willful disregard of the fact that the individual was a minor; and

(iii) with respect to a covered entity or service provider that does not meet the requirements of clause (i) or (ii), actual knowledge.
(19) “large data holder”, a covered entity or service provider that in the most recent calendar year:

(i) had annual gross revenues of $200,000,000 or more; and

(ii) collected, processed, or transferred the covered data of more than 2,000,000 individuals or devices that identify or are linked or reasonably linkable to one or more individuals, excluding covered data collected and processed solely for the purpose of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested product or service; or the sensitive covered data of more than 200,000 individuals or devices that identify or are linked or reasonably linkable to one or more individuals.

The term “large data holder” does not include any instance in which the covered entity or service provider would qualify as a large data holder solely on the basis of collecting or processing personal email addresses, personal telephone numbers, or log-in information of an individual or device to allow the individual or device to log in to an account administered by the covered entity or service provider.

(20) “material”, with respect to an act, practice, or representation of a covered entity (including a representation made by the covered entity in a privacy policy or similar disclosure to individuals) involving the collection, processing, or transfer of covered data, that such act, practice, or representation is likely to affect a reasonable individual’s decision or conduct regarding a product or service.

(21) “minor”, an individual under the age of 18.

(22) “OCABR”, the Office of Consumer Affairs and Business Regulation.
(23) “precise geolocation information”, information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the Commonwealth of Massachusetts with sufficient precision to identify street-level location information within a range of 1,850 feet or less.

(24) “process”, any operation or set of operations performed on information or on sets of information, whether or not by automated means, including but not limited to the use, storage, analysis, deletion, or modification of information.

(25) “processing purpose”, a reason for which a covered entity or service provider collects, processes, or transfers covered data that is specific and granular enough for a reasonable individual to understand the material facts of how and why the covered entity or service provider collects, processes, or transfers the covered data.

(26) “profiling”, any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
(27) “publicly available information”, any information that a covered entity or service provider has a reasonable basis to believe has been lawfully made available to the general public from:

(i) federal, state, or local government records, if the covered entity collects, processes, and transfers such information in accordance with any restrictions or terms of use placed on the information by the relevant government entity;

(ii) widely distributed media;

(iii) a website or online service made available to all members of the public, for free or for a fee, including where all members of the public, for free or for a fee, can log in to the website or online service;

(iv) a disclosure that has been made to the general public as required by federal, state, or local law; or

(v) the visual observation of the physical presence of an individual or a device in a public place, not including data collected by a device in the individual’s possession.

For purposes of this paragraph, information from a website or online service is not available to all members of the public if the individual who made the information available via the website or online service has either restricted the information to a specific audience or reasonably expects that the information will not be distributed to so many persons as to become a matter of public knowledge.