HOUSE DOCKET, NO. 3263 FILED ON: 1/20/2023
HOUSE . . . . . . . . . . . . . . . No. 60
The Commonwealth of Massachusetts
_________________
PRESENTED BY:
Daniel R. Carey
_________________
To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General Court assembled:
The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:
An Act establishing the Massachusetts information privacy and security act.
_______________
PETITION OF:
NAME: DISTRICT/ADDRESS: DATE ADDED:
Daniel R. Carey 2nd Hampshire 1/20/2023
Mindy Domb 3rd Hampshire 1/31/2023
By Representative Carey of Easthampton, a petition (accompanied by bill, House, No. 60) of Daniel R. Carey and Mindy Domb relative to the security and the protection of personal information by establishing the Massachusetts information privacy and security act. Advanced Information Technology, the Internet and Cybersecurity.
The Commonwealth of Massachusetts
_______________
In the One Hundred and Ninety-Third General Court
(2023-2024)
_______________
An Act establishing the Massachusetts information privacy and security act.
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
SECTION 1. The General Laws are hereby amended by inserting after chapter 93L the following chapter:-
CHAPTER 93M. The Massachusetts Information Privacy and Security Act.
Section 1. Title
This chapter shall be known as the “Massachusetts Information Privacy and Security Act.”
Section 2. Definitions
As used in this chapter, the following words shall have the following meanings, unless the context clearly requires otherwise:
“Affiliate”, an entity that controls, is controlled by, or is under common control or shares common branding with another entity; provided, however, that for the purposes of this definition, “control” or “controlled” shall mean:
(1) ownership of more than 50 per cent of the outstanding shares of any class of voting security of the entity;
(2) control in any manner over the election of a majority of the entity’s directors or of persons exercising similar functions; or
(3) the power to otherwise exercise a controlling influence over the management of the entity.
“Biometric information”, a retina or iris scan, fingerprint, voiceprint, map or scan of hand or face geometry, vein pattern, gait pattern, or other personal information generated from the specific technical processing of an individual’s unique biological or physiological patterns or characteristics used to identify a specific individual; provided, however, that “biometric information” shall not include:
(1) a digital or physical photograph;
(2) an audio or video recording; or
(3) data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
“Business associate” shall have the same meaning as in 45 C.F.R. 160.103.
“Child”, an individual who a controller knows or reasonably should know is under the age of 13.
“Collect”, buying, renting, gathering, obtaining, receiving, or otherwise accessing any personal information pertaining to an individual by any means, including, but not limited to, obtaining information from an individual, either actively or passively, or by observing an individual’s behavior.
“Common branding”, a shared name, service mark, trademark, or other indicator that an individual would reasonably understand to indicate that two or more entities are commonly owned.
“Consent”, a clear affirmative act signifying an individual’s freely given, specific, informed, and unambiguous agreement to allow the processing of specific categories of personal information relating to the individual for a narrowly defined particular purpose; provided, however, that “consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action; and provided further, that the following shall not constitute “consent”:
(1) acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information;
(2) hovering over, muting, pausing, or closing a given piece of content; or
(3) agreement obtained through dark patterns or a false, fictitious, fraudulent, or materially misleading statement or representation.
“Controller”, the entity that, alone or jointly with others, determines the purposes and means of the processing of personal information of an individual.
“Covered entity” shall have the same meaning as in 45 C.F.R. 160.103.
“Dark pattern”, a user interface that is designed, modified, or manipulated with the purpose or substantial effect of obscuring, subverting or impairing a reasonable individual’s autonomy, decision-making, or choice.
“Data broker”, a controller that, in a calendar year, knowingly collects and sells to third parties:
(1) the personal information of not less than 25,000 individuals; provided, however, that the controller derives not less than 25 percent of its annual global gross revenues from the sale of personal information;
(2) the biometric, genetic, or specific geolocation information of not less than 10,000 individuals; or
(3) the personal information of not less than 10,000 individuals with whom the controller does not have a direct relationship, including, but not limited to, a relationship in which an individual is a past or present: (i) customer, client, subscriber, user, or registered user of the controller’s goods or services; (ii) an employee, contractor, or agent of the controller; (iii) an investor in the controller; or (iv) a donor to the controller.
The following activities conducted by a controller, and the collection and sale of personal information incidental to conducting these activities, shall not qualify the controller as a data broker: (A) providing 411 directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier; (B) providing publicly available information related to an individual’s business or profession; or (C) providing publicly available information via real-time or near-real-time alert services for health or safety purposes.
“De-identified information”, information that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual or household, or a device linked to such individual or household; provided, however, that the controller that possesses the information:
(1) takes reasonable technical and organizational measures to ensure that the information cannot, at any point, be associated with or used to re-identify an identified or identifiable individual or household;
(2) publicly commits to process the information solely in a de-identified fashion;
(3) does not attempt to re-identify the information; provided, however, that the controller may attempt to re-identify the information solely for the purpose of determining whether its de-identification procedures satisfy the provisions of this definition; and
(4) contractually obligates any recipients of the information to comply with the provisions of this definition with respect to the information and requires that such obligations be included contractually in all subsequent instances for which the information may be received.
“De-identification”, the creation of de-identified information from personal information.
“Designated method for submitting a request”, a mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby an individual may submit a request or direction under this chapter.
“Entity”, a sole proprietorship, or a corporation, association, partnership or other legal entity.
“Genetic information”, personal information, regardless of format, that:
(1) results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained; and
(2) concerns an individual’s genetic material, including, but not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.
“Health care facility” shall have the same meaning as defined in section 25B of chapter 111 of the General Laws.
“Health care provider” shall have the same meaning as defined in section 1 of chapter 111 of the General Laws.
“Health record”, an individual’s health-related record, as maintained pursuant to section 70 of chapter 111 of the General Laws.
“HIPAA”, the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq., as amended from time to time.
“Homepage”, the introductory page of an internet website and any internet web page where personal information is collected; provided, however, that in the case of an online service, such as a mobile application, “homepage” shall include:
(1) the application’s platform page or download page;
(2) a link within the application, such as from the application configuration, “About,” “Information,” or settings page; and
(3) any other location that allows individuals to review the notices required by this chapter, including, but not limited to, before downloading the application.
“Identified or identifiable household”, a group of individuals who:
(1) cohabitate with one another at the same residential address in the commonwealth;
(2) use common devices or services; and
(3) can be readily identified, directly or indirectly.
“Identified or identifiable individual”, an individual who can be readily identified, directly or indirectly.
“Individual”, a natural person who is a resident of the commonwealth; provided, however, that “individual” shall not include a natural person acting as a sole proprietorship.
“Infer”, deriving information, data, assumptions, correlations, predictions or conclusions from facts, evidence or another source of information or data.
“Institution of higher education”, any college, junior college, university or other public or private educational institution that has been authorized to grant degrees pursuant to sections 30, 30A, and 31A of chapter 69 of the General Laws.
“Large data holder”, a controller that, in a calendar year:
(1) has annual global gross revenues in excess of $1,000,000,000; and
(2) determines the purposes and means of processing of the personal information of not less than 200,000 individuals, excluding personal information processed solely for the purpose of completing a payment-only credit, check or cash transaction where no personal information is retained about the individual entering into the transaction.
“Minor”, an individual who a controller knows or reasonably should know is not less than 13 years of age and not more than 16 years of age.
“Nonprofit organization”, any organization that is exempt from taxation under 26 U.S.C. 501(c), as amended from time to time.
“Personal information”, information, including, but not limited to, a unique persistent identifier, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual; provided, however, that “personal information” shall not include publicly available or de-identified information about a natural person; and provided further, that “personal information” shall also include information, including, but not limited to, a unique persistent identifier, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with:
(1) an identified or identifiable natural person, only insofar as “personal information” is used in paragraph (1) of the definition of “data broker” in this section; or
(2) an identified or identifiable household, only insofar as “personal information” is used in: (i) subsection (b) of section 3; and (ii) any reference in this chapter to the sale or selling of personal information or the processing of personal information for the purposes of targeted cross-contextual or first-party advertising.
“Process”, any operation or set of operations performed on personal information or on sets of personal information, whether or not by automated means, such as the collection, use, storage, disclosure, sharing, analysis, prediction, deletion or modification of personal information, including the actions of a controller directing a processor to process personal information.
“Processor”, an entity that processes personal information on behalf of a controller; provided, however, that determining whether an entity is acting as a processor or a controller with respect to a specific processing of personal information is a fact-based determination that depends upon the context in which the information is processed; and provided further, that:
(1) a processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal information remains a processor;
(2) if a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal information, it is a controller with respect to the processing; and
(3) an entity that is not limited in its processing of personal information pursuant to a controller’s instruction, or that fails to adhere to such instructions, is a controller and not a processor with respect to a specific processing.
“Profiling”, any form of automated processing of personal information to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual or household’s economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
“Protected health information” shall have the same meaning as defined in 45 C.F.R. 160.103, established pursuant to HIPAA.
“Publicly available information”, information about an individual that:
(1) is lawfully made available from federal, state, or local government records; or
(2) a controller has a reasonable basis to believe is lawfully and intentionally made available to the general public: (i) through widely distributed media; or (ii) by the individual, unless the individual has restricted the information to a specific audience; provided, however, that “publicly available information” shall not include: (A) biometric or genetic information; or (B) personal information that is not publicly available and has been combined with publicly available information.
“Research”, a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge and that is conducted in accordance with applicable ethics and privacy laws.
“Sale” or “selling”, disclosing, disseminating, making available, releasi