Massachusetts: Bill for Massachusetts Data Privacy Protection Act reintroduced in House

On May 13, 2024, House Bill 4632 for an Act establishing the Massachusetts Data Privacy Act was reintroduced and reported out of the Massachusetts House Committee on Advanced Information Technology, the Internet, and Cybersecurity. In particular, the bill, which was accompanied by Senate Bill 227, House Bill 60, House Bill 63, House Bill 80, and House Bill 83, was subsequently reported favorably on the same date by the House Committee on Ways and Means.

What is the scope of the bill?

The bill defines 'covered entity' as any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data. It does not cover, among other things, the following:

  • government agencies or service providers to government agencies that exclusively and solely process information provided by government entities;
  • any entity or person that meets the criteria set out in §1(8)(ii) of the bill for the period of the three preceding calendar years (or for the period during which the covered entity or service provider has been in existence if such period is less than three years);
  • a national securities association that is registered under the Securities Exchange Act of 1934 and is operating solely for purposes under that Act; and
  • a non-profit organization that is established to detect and prevent fraudulent acts in connection with insurance and is operating solely for that purpose.

What legal obligations are placed on covered entities?

The bill imposes a duty of loyalty on covered entities and service providers, under which they may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to carry out one of the following purposes, among others:

  • provide or maintain a specific product or service requested by the individual to whom the data pertains;
  • initiate, manage, complete a transaction, or fulfill an order for specific products or services requested by an individual;
  • authenticate users of a product or service;
  • fulfill a product or service warranty;
  • prevent, detect, protect against, or respond to a security incident;
  • prevent, detect, protect against, or respond to fraud, harassment, or illegal activity targeted at or involving the covered entity or its services; and
  • comply with a legal obligation imposed by state or federal law, or to investigate, establish, prepare for, exercise, or defend legal claims involving the covered entity or service provider.

Furthermore, the bill also makes provision for the circumstances in which a covered entity may process data previously collected on the above-stated legal basis, such as to protect against spam.  

What other provisions are included in the bill?

The bill also provides for data subject rights, including their right to access, correct, and delete their data, and their right to data portability. It also provides criteria for when a covered entity may decline or restrict these rights.

Moreover, the bill includes further obligations for covered entities when dealing with sensitive covered data and mandates the use of privacy policies.

On enforcement, the bill provides for a private right of action regarding a violation of its provisions. The Massachusetts Attorney General is also given the authority to bring an action against parties that violate the bill.
