Massachusetts: Bill on data privacy protection act introduced to Massachusetts Legislature
Bill Senate Docket ('SD') 745 for An Act Establishing the Massachusetts Data Privacy Protection Act was introduced, on 19 January 2023, to the Massachusetts State House of Representatives. In particular, SD 745 highlights its application to 'covered entities', which include an entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data. However, SD 745 clarifies that 'covered entities' do not include:
- government agencies or service providers to government entities;
- any entity which meets the following criteria:
  - the entity or person's average gross revenue during the period did not exceed $20,000,000;
  - the entity or person, on average, did not annually collect or process the covered data of more than 75,000 individuals, so long as all covered data for such purpose was deleted or de-identified within 90 days; and
  - no component of its revenue comes from transferring covered data during any year (or a part of a year if the covered entity has been in existence for less than one year) that occurs during the period.
In addition, SD 745 outlines that covered entities may not collect, process, or transfer covered data unless it is limited to what is reasonably necessary and proportionate to carry out, among other things:
- the provision or maintenance of a specific product or service requested by an individual;
- the initiation, management, completion, or fulfilment of an order for specific products or services requested by an individual;
- the authentication of users for a product or service;
- fulfilling a product or service warranty;
- preventing, detecting, protecting against, or responding to a security incident;
- complying with a legal obligation imposed by state or federal law;
- conducting a public or peer-reviewed scientific, historical, or statistical research project (subject to a series of preconditions); or
- transferring assets to a third party in the context of a merger, acquisition, bankruptcy, or similar transaction when the third party assumes control.
Further to the above, similar prohibitions under SD 745 include, among others:
- collecting, processing, or transferring a social security number, except when necessary (under a series of conditions);
- collecting or processing sensitive covered data, except where strictly necessary to provide or maintain a specific product or service requested by the individual; and
- transferring an individual's sensitive covered data to a third party, subject to exceptions.
You can read SD 745 and track its progress here.
UPDATE (14 March 2023)
Bill assigned number and referred to committee
SD 745 was assigned a bill number, namely Senate Bill 25, on 16 February 2023, and thereafter referred, on the same date, to the Committee on Advanced Information Technology, the Internet and Cybersecurity.
You can download the bill here and track its progress here.
UPDATE (10 May 2024)
Bill reported from committee and renumbered
On May 9, 2024, the bill was reported from the Committee on Advanced Information Technology, the Internet and Cybersecurity. In particular, the bill was accompanied by Senate Bill 2770, which was subsequently reported favorably, on the same date, by the Senate Committee on Ways and Means.
You can read the renumbered bill here and track its progress here.