On Thursday, the MA House unanimously passed the Massachusetts Consumer Data Privacy Act, establishing important new data privacy protections.
In particular, the bill would do the following:
- Ban the sale of precise geolocation data, which is critical to prevent stalking or surveillance of individuals seeking reproductive or gender-affirming care, domestic violence survivors, workers, activists, and more.
- Require that personal data collection be proportionate to providing requested services, and that data be protected and deleted when no longer necessary or required by law.
- Establish rights for individuals over their online data, such as the right to access their personal information, the right to correct inaccurate information, the right to opt out of certain processes such as targeted advertising, the right to transport personal data, and the right to delete certain information.
- Specify that sensitive data cannot be sold or shared without a user’s affirmative consent. Sensitive data includes information such as biometric or genetic information, precise geolocation data, health and wellness information, reproductive and sexual health data, data of a minor under 18, government-issued identifiers, and data that reveals an individual’s racial or ethnic origin, national origin or citizenship or immigration status, religious beliefs, sex life, sexual orientation, status as transgender or non-binary, union membership, status as a military service member or veteran, and status as a victim of a crime.
- Prohibit targeted advertising to minors.
- Enable the AG to enforce the law, and also establish a private right of action (“If someone violates your rights, you can sue them”) to enable consumers to hold the largest data holders accountable for any violations.
The MA Senate passed a similar data privacy bill in September, and the two chambers will negotiate a final version of the bill.
The House’s bill is stronger than the Senate’s in some ways (such as the creation of a private right of action), but weaker in other ways (the Senate bill contained an outright ban on the sale of sensitive data and stronger language limiting how much data companies can collect).
During the floor debate on the bill, we had supported the following amendments:
- #3 to reiterate that use of employer-owned devices is a mandatory subject of collective bargaining, filed by Rep. Field
- #7 to restrict employer ability to disclose employee data without express employee consent, filed by Rep. Montaño
- #8 to limit the transfer of employee data outside of operationally necessary reasons, filed by Rep. Montaño
- #10 to ban surveillance pricing for groceries, filed by Rep. Sabadosa
- #13 to strengthen the definition of “affirmative consent,” filed by Rep. Sabadosa
- #16 to fix the data minimization language, filed by Rep. Decker
- #21 to strengthen the private right of action, filed by Rep. Cataldo
- #33 to clarify the definition of “transfer,” filed by Rep. Rogers
- #36 to protect LGBTQ youth data, filed by Rep. Montaño
- #38 to strengthen the data minimization language, filed by Rep. Kilcoyne
- #40 to strengthen the data minimization language, filed by Rep. Owens
Rather than considering each amendment in turn, the House created a single consolidated amendment that contained pieces of several amendments. It strengthened the data minimization language in the House Ways & Means bill draft, and it also ensured that the right of parents over their children’s online data would not include data related to LGBTQ identity.