HOUSE DOCKET, NO. 3847 FILED ON: 2/19/2021
HOUSE . . . . . . . . . . . . . . . No.
The Commonwealth of Massachusetts
David M. Rogers and Andres X. Vargas
To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
Court assembled:
The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:
An Act relative to data privacy.
David M. Rogers 24th Middlesex 2/19/2021
1 of 1
HOUSE DOCKET, NO. 3847 FILED ON: 2/19/2021
HOUSE . . . . . . . . . . . . . . . No.
[Pin Slip]
The Commonwealth of Massachusetts
In the One Hundred and Ninety-Second General Court
An Act relative to data privacy.
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority
of the same, as follows:
1 SECTION 1. The General Laws are hereby amended by inserting after chapter 93K the
2 following chapter:-
3 CHAPTER 93L. Data Accountability and Transparency Agency.
4 Section 1. Definitions.
5 For purpose of this chapter, the following words and terms shall have the following
6 meanings:
7 “Affiliate”, means any person that controls, is controlled by, or is under common control
8 with another person.
9 “Agency”, means the Massachusetts Data Accountability and Transparency Agency
10 established in section 5.
1 of 37
11 “Anonymized Data”, means information that has been proven to not identify, relate to,
12 describe, reference, be capable of being associated with, or be linked or reasonably linkable to a
13 particular individual or device.
14 “Automated Decision System”, means a computational process, including one derived
15 from machine learning, statistics, or other data processing or artificial intelligence techniques,
16 that makes a decision, or facilitates human decision-making.
17 “Automated decision system impact evaluation”, means a study conducted after
18 deployment of an automated decision system that includes, at a minimum—(a) an evaluation of
19 an automated decision system’s accuracy, bias on the basis of protected class, and impact on
20 privacy on individuals or groups of individuals; (b) an evaluation of the effectiveness of
21 measures taken to minimize risks as outlined in any prior automated decision system risk
22 assessments; and (c) recommended measures to further minimize risks to accuracy, bias on the
23 basis of protected class, and privacy on individuals or groups of individuals.
24 “Automated decision system risk assessment”, means a study evaluating an automated
25 decision system and the automated decision system’s development process, including the design
26 and training data of the automated decision system, for potential risks to accuracy, bias,
27 discrimination, and privacy on individuals or groups of individuals that includes, at a
28 minimum—(a) a detailed description of the automated decision system, including—(i) its design
29 and methodologies; (ii) training data characteristics; (iii) data; and (iv) purpose; (b) an
30 assessment of the automated decision system governance in light of its purpose, potential
31 unintended consequences, and taking into account relevant factors, including—(i) the duration
32 and methods for which personal data and the results of the automated decision system are stored;
2 of 37
33 (ii) what information about the automated decision system (including inputs, features, and
34 results) is available to individuals; and (iii) the recipients of the results of the automated decision
35 system; (c) an assessment of the risks posed by the automated decision system—(i) poses to
36 individuals or groups of individuals of privacy harm; and (ii) may result in or contribute to in
37 accurate, biased, or discriminatory decisions impacting individuals or groups of individuals; (D)
38 the measures a data aggregator will employ to minimize the risks described in subparagraph (C),
39 including technological and physical safeguards.
40 “Collect”, (a) means buying, renting, gathering, obtaining, receiving, or accessing any
41 personal data by any means; and (b) includes—(i) receiving personal data from an individual or
42 device; and (ii) creating, deriving, or inferring personal data by observing the behavior of an
43 individual.
44 “Commissioner,” means the Commissioner of the Massachusetts Data Accountability and
45 Transparency Agency.
46 “Covered individual”, means an applicant, current or former employee, contractor,
47 subcontractor, grantee, or agent of a data aggregator or service provider.
48 “Data Aggregator”, means (a) any person that collects, uses, or shares an amount of
49 personal data that is not de minimis; and (b) does not include an individual who collects, uses, or
50 shares personal data solely for personal reasons.
51 “Device”, means any physical object that— (a) is capable of connecting to the internet or
52 other communication network; or (b) has computer processing capabilities that can collect, send,
53 receive, or store data.
3 of 37
54 “Electronic data”, means any information that is in an electronic or digital format or any
55 electronic or digital reference that contains information about an individual or device.
56 “Facial recognition technology”, means an automated or semiautomated process that
57 assists in identifying or verifying an individual based on the characteristics of the face of an
58 individual.
59 “Individual”, means a natural person.
60 “Intentional interaction”, means an interaction in which an individual engages in 1 or
61 more actions to demonstrate that the individual intends to interact with a data aggregator.
62 “Journalism”, means the gathering, preparing, collecting, photographing, recording,
63 writing, editing, reporting, or publishing of news or information that concerns local, national, or
64 international events or other matters of public interest for dissemination to the public; and
65 includes the collection or use of personal data about a public individual or official, or that
66 otherwise concerns matters of public interest, for dissemination to the public.
67 “Person”, means an individual, a local, State, or Federal governmental entity, a
68 partnership, a company, a corporation, an association (incorporated or unincorporated), a trust,
69 an estate, a cooperative organization, another entity, or any other organization or group of such
70 entities acting in concert.
71 “Personal data”, means electronic data that, alone or in combination with other data—(A)
72 could be linked or reasonably linkable to an individual, household, or device; or (B) could be
73 used to determine that an individual or household is part of a protected class.
4 of 37
74 ‘‘Privacy harm’’ means an adverse consequence, or a potential adverse consequence, to
75 an individual, a group of individuals, or society caused, or potentially caused, in whole or in part,
76 by the collection, use, or sharing of personal data, including—(a) direct or indirect financial loss
77 or economic harm, including financial loss or economic harm arising from fraudulent activities
78 or data security breaches; (b) physical harm, harassment, or a threat to an individual or property;
79 (c) psychological harm, including anxiety, embarrassment, fear, other trauma, stigmatization,
80 reputational harm, or the revealing or exposing of an individual, or a characteristic of an
81 individual, in an unexpected way; (d) an adverse outcome or decision, including relating to the
82 eligibility of an individual for the rights, benefits, or privileges in credit and insurance (including
83 the denial of an application or obtaining less favorable terms), housing, education, professional
84 certification, employment (including hiring, firing, promotion, demotion, and compensation), or
85 the provision of health care and related services; (e) discrimination or the otherwise unfair or
86 unethical differential treatment with respect to an individual, including in a manner that is
87 prohibited under Section 9 of this chapter; (f) the interference with, or the surveillance of,
88 activities that are protected by the First Amendment to the Constitution of the United States; (g)
89 the chilling of free expression or action of an individual, or society generally, due to perceived or
90 actual pervasive and excessive collection, use, or sharing of personal data; (h) the impairment of
91 the autonomy of an individual or society generally; and (i) any harm fairly traceable to an
92 invasion of privacy tort; and (j) any other adverse consequence, or potential adverse
93 consequence, consistent with the provisions of this Act, as determined by the Director.
94 “Protected class”, means the actual or perceived race, color, ethnicity, national origin,
95 religion, sex, gender, gender identity, sexual orientation, familial status, biometric information,
96 lawful source of income, or disability of an individual or a group of individuals.
5 of 37
97 “Public accommodation’’ means any type of business considered a place of public
98 accommodation pursuant to section 201(b) of the Civil Rights Act of 1964 (42 U.S.C. 2000a(b))
99 or section 301(7) of the Americans with Disabilities Act of 1990 (42 U.S.C. 12181(7)) or a
100 business that offers goods or services through the internet to the general public.
101 “Service provider”, means a data aggregator that collects, uses, or shares personal data
102 only on behalf of another data aggregator in order to carry out a permissible purpose.
103 “Share”, means disseminating, making available, transferring, or otherwise
104 communicating orally, in writing, or by electronic or other means, personal data, except for as
105 required under section 9 of this chapter.
106 “Use”, means to perform an operation or a set of operations on personal data, either
107 manually or by automated means, after the collection of the data, including—(a) the analysis,
108 organization, storage, retention, or maintenance of the data; and (b) the derivation or inference of
109 information from the personal data.
110 “Verifiable request”, means a request that a data aggregator can reasonably verify is
111 made—(a) by an individual; (b) by an individual on behalf of the individual’s minor child; or (c)
112 by a person registered with the Secretary of State authorized by the individual to act on the
113 individual’s behalf.
114 Section 2. Massachusetts Data Accountability and Transparency Agency.
115 (a) There shall be a Massachusetts Data Accountability and Transparency Agency which
116 shall consist of one commissioner who shall exercise supervision and control over the agency,
117 whom shall be appointed by a majority vote of the treasurer and receiver-general, the governor,
6 of 37
118 and the attorney general and shall have a background in technology; protection of personal data;
119 civil rights and liberties; law; social sciences; and business.
120 (b) The commissioner shall serve in that capacity for a term of five years and until a
121 successor shall be appointed. The commissioner shall be eligible for reappointment; provided,
122 however that no commissioner shall serve more than 10 years. An individual appointed to fill the
123 vacancy of commissioner shall be appointed in a like manner.
124 (c) The commissioner shall be a resident of the commonwealth within 90 days of
125 appointment and, while serving as commissioner, shall not: (i) hold, or be a candidate for,
126 federal, state or local elected office; (ii) hold an appointed office in a federal, state or local
127 government; or (iii) serve as an official in a political party. The commissioner shall receive a
128 salary equal to the salary of the secretary of administration and finance under section 4 of chapter
129 7. The commissioner shall devote their full time and attention to the duties of their office and
130 shall hold no other employment.
131 (d) The treasurer and receiver-general, the governor, and the attorney general may
132 remove the commissioner, by a majority vote, if the commissioner: (i) is guilty of malfeasance in
133 office; (ii) substantially neglects the duties of a commissioner; (iii) is unable to discharge the
134 powers and duties of the office; (iv) commits gross misconduct; or (v) is convicted of a felony.
135 Before removal, the commissioner shall be provided with a written statement of the reason for
136 removal and shall have an opportunity to be heard.
137 (e) The commissioner, through the agency, shall have all the powers necessary or
138 convenient to carry out and effectuate its purposes including, but not limited to, the power to: (i)
139 appoint officers, hire employees and make such divisions or other offices among employees of
7 of 37
140 the agency; (ii) establish and amend a plan of organization that it considers expedient; (iii)
141 execute all instruments necessary or convenient for accomplishing the purposes of this chapter;
142 (iv) enter into agreements or other transactions with a person, including, but not limited to, a
143 public entity or other governmental instrumentality or authority in connection with its powers
144 and duties under this chapter; (v) appear on its own behalf before boards, commissions,
145 departments or other agencies of municipal, state or federal government; (vi) apply for and
146 accept subventions, grants, loans, advances and contributions of money, property, labor or other
147 things of value from any source, to be held, used and applied for its purposes; (vii) provide and
148 pay for advisory services and technical assistance as may be necessary in its judgment to carry
149 out this chapter and fix the compensation of persons providing such services or assistance; (viii)
150 prepare, publish and distribute, with or without charge as the commissioner may determine, such
151 studies, reports, bulletins and other materials as the commissioner considers appropriate; (ix)
152 gather facts and information applicable to the agency’s obligations; (x) conduct investigations
153 into covered entities, including data aggregators and service providers; (xi) impose fees and
154 fines, as authorized by this chapter and penalties and sanctions for a violation of this chapter or
155 any regulations promulgated by the agency; (xii) collect fees under this chapter; (xiii) conduct
156 adjudicatory proceedings and promulgate regulations in accordance with chapter 30A and may
157 adopt regulations and establish procedures that include electronic communications, by which a
158 request to receive notice shall be made and the method by which timely notice may be given;
159 (xiv) refer cases for criminal prosecution to the appropriate federal, state or local authorities; (xv)
160 maintain an official internet website for the agency; (xvi) monitor any federal activity regarding
161 data privacy; (xvii) delegate to any employee, representative, or agent any powers vested in the
162 agency by law; (xviii) adopt and use a seal; (xix) use and expend funds; (xx) implement this
8 of 37
163 chapter through orders, guidance documents, interpretations, statements of policy, examinations,
164 investigations, joint investigations, and enforcement actions; (xxi) monitor risks to individuals or
165 groups of individuals in collection, use, and sharing of personal data and report risks to the
166 public; and (xxii) perform such other functions as may be authorized or required by law.
167 (f) The commissioner shall file an annual report with the secretary of the executive office
168 of administration and finance, the clerks of the senate and the house of representatives, and the
169 senate and house committees on ways and means: (i) listing the number of employees of the
170 agency, the salaries and titles of each employee, the source of funding for the salaries of said
171 employees and the projected date when federal funds for such positions are expected to
172 terminate; (ii) listing and describing grant programs of the department funded by the federal
173 government, including the amount of funding by grant; (iii) listing and describing other programs
174 of the agency; and (iv) any other amounts to be spent by category and grantee. Such reports shall
175 be filed annually on or before December thirty-first and shall refer to activities planned for the
176 subsequent calendar year. The commissioner shall also file with said committees an annual
177 report detailing all expenditures in the agency by the division, identified by categories of projects
178 and grantees under each category, together with all available documentation resulting