The "Comprehensive Massachusetts Consumer Data Privacy Act" introduces Chapter 93M to the General Laws, enhancing consumer data privacy protections in Massachusetts. The bill defines key terms such as "personal data," "consumer," "controller," and "sensitive data," and applies to businesses that control or process significant amounts of consumer data. It establishes consumer rights regarding personal data, including the necessity of clear consent for data processing, and outlines exemptions for certain entities and data types, such as protected health information under HIPAA. The act emphasizes the protection of sensitive data, particularly for minors, and prohibits the sale of personal data without consent while mandating reasonable security measures against unauthorized access.

Furthermore, the bill outlines comprehensive consumer rights, allowing individuals to access, correct, delete, and opt out of data processing, with specific provisions for children and individuals under guardianship. Controllers are required to respond to consumer requests promptly and provide clear privacy notices. The legislation mandates data protection assessments for high-risk processing activities and grants the Attorney General exclusive enforcement authority, including a notice of violation before legal action. The act aims to create a robust framework for data privacy that aligns with modern practices while ensuring compliance with federal laws, set to take effect on July 1, 2026.