Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Massachusetts: Bill on information Privacy and Security introduced to Legislature

House Bill 60 for an Act Establishing the Massachusetts Information Privacy and Security Act, formerly referred to as Bill House Docket ('HD') 3263, was introduced, on 20 January 2023, to the House of Representatives. In particular, the bill would apply to, among others, a controller or processor that conducts business in the Commonwealth of Massachusetts, or where the processing activities of a controller or processor not physically located therein relate to the offering of goods or services that are targeted to individuals or monitors the behaviour of individuals where such behaviour takes place within the Commonwealth of Massachusetts.

More specifically, the bill sets out general principles for processing personal information, lawful bases for processing personal information, and protections for the processing of sensitive information. Accordingly, the bill provides various rights to individuals regarding the processing of their personal information, including the right to a privacy notice at or before the point of collection of an individual's personal information, the right to opt-out of the processing of an individual's personal information for the purposes of sale and targeted advertising, rights to access, transport, delete, and correct personal information, and the right to revoke consent.

In addition, the bill would require controllers in scope to establish, implement, and maintain reasonable policies, practices, and procedures to identify, assess, and mitigate reasonably foreseeable privacy risks and cognisable harms related to their products and services, and carry out and document a risk assessment prior to such processing. With regards to the Attorney General ('AG'), the bill provides the AG with powers to enforce the proposed act, including to issue a civil investigative demand whenever the AG has reasonable cause to believe that an entity has engaged in, is engaging in, or is about to engage in a violation of the act.

Finally, the bill is a companion bill to Senate Bill 227 which was also introduced, on 20 January 2023.

You can download the bill here and track its progress here.