Massachusetts: Bill on Information Privacy and Security introduced to Legislature
Bill Senate Docket ('SD') 1971 for an Act Establishing the Massachusetts Information Privacy and Security Act was introduced, on 20 January 2023, to the House of Representatives of Massachusetts. In particular, SD 1971 would apply to, among others, a controller or processor that conducts business in the Commonwealth of Massachusetts, or where the processing activities of a controller or processor not physically located therein relate to the offering of goods or services that are targeted to individuals, or to the monitoring of the behaviour of individuals where such behaviour takes place within the Commonwealth of Massachusetts.
More specifically, Sections 7 through 17 and 26 of SD 1971 only apply to a controller that, during the preceding calendar year, satisfied at least one of the following additional thresholds or is an entity that is an affiliate and shares common branding with such a controller, in which case these sections only apply to the personal information processed by the affiliate on behalf of the controller:
- the controller has annual global gross revenues in excess of $25,000,000;
- the controller was a data broker; or
- the controller determined the purposes and means of processing of the personal information of not less than 100,000 individuals, excluding personal information processed solely for the purpose of completing a payment-only credit, check, or cash transaction where no personal information is retained about the individual entering into the transaction.
Further, SD 1971 sets out, for instance, general principles for processing personal information, lawful bases for processing personal information, and protections for the processing of sensitive information. Accordingly, SD 1971 provides various rights to individuals regarding the processing of their personal information, including the right to a privacy notice at or before the point of collection of an individual's personal information, the right to opt out of the processing of an individual's personal information for the purposes of sale and targeted advertising, rights to access and transport, delete, and correct personal information, and the right to revoke consent.
In addition, SD 1971 would require controllers in scope to establish, implement, and maintain reasonable policies, practices, and procedures to identify, assess, and mitigate reasonably foreseeable privacy risks and cognisable harms related to their products and services, and to carry out and document a risk assessment prior to such processing.
With regard to the Attorney General ('AG'), SD 1971 vests the AG with powers to enforce the proposed act, including to issue a civil investigative demand whenever the AG has reasonable cause to believe that an entity has engaged in, is engaging in, or is about to engage in a violation of the act.
UPDATE (25 January 2023)
Companion bill HD 3263 introduced to House
Bill House Docket ('HD') 3263 on an Act Establishing the Massachusetts Information Privacy and Security Act was introduced, on 20 January 2023, to the House of Representatives.
UPDATE (14 March 2023)
Bill assigned number and referred to committee
SD 1971 was assigned a bill number, namely Senate Bill 227, on 16 February 2023, and thereafter referred, on the same date, to the Committee on Economic Development and Emerging Technologies.