Earlier this year, Massachusetts state senators introduced a consumer data privacy bill with a private right of action that could become the broadest in the country. The proposed law, An Act Relative to Consumer Data Privacy (S.120), would create a new category of litigation in Massachusetts state and federal courts against businesses that collect personal information from Massachusetts consumers. S.120 was most recently referred to the Joint Committee on Consumer Protection and Professional Licensure. If enacted, S.120 would follow in the wake of a series of data privacy laws in Europe, California, and Illinois that have dramatically increased data privacy litigation risk for companies that collect consumer data, bringing a potential surge of data privacy class actions to Massachusetts courthouses.
A Recent Wave of Consumer Data Privacy Legislation
In recent years, legislation aimed at protecting consumer data privacy has developed at an unprecedented pace. In 2016 the European Parliament and Council adopted the General Data Protection Regulation (EU Regulation 2016/679) (“GDPR”), which applies to all companies processing personal data of individuals in the European Union. GDPR created a private right of action for affected individuals to seek judicial remedy against infringing companies, including through collective action in member states. See GDPR at Articles 79-84. Shortly after GDPR went into effect in May 2018, the California state legislature enacted the California Consumer Privacy Act (AB-375) (“CCPA”), which becomes effective on January 1, 2020. Under CCPA, California consumers have a private right of action for data breaches resulting from a failure to implement and maintain reasonable safeguards if the business does not cure the breach after receiving pre-suit notice. See CCPA at 1798.150.
The Illinois Biometric Information Privacy Act (740 ILCS 14) (“BIPA”), enacted in 2008, is an older statute that has had a recent resurgence. BIPA regulates the collection and storage of consumer and employee biometric information by companies doing business in Illinois. BIPA provides a private right of action for any violation of the statute, with statutory damages available to plaintiffs even if no actual harm was suffered. See BIPA at Section 20; Rosenbach v. Six Flags Entertainment Corp., 2019 WL 323902, 2019 IL 123186 (Ill. Jan. 25, 2019).
Consumer data privacy proposals modeled on GDPR, CCPA, and BIPA have cropped up at all levels of government, including in the U.S. Senate and in state legislatures across the country, Massachusetts among them.
Key Features of the Massachusetts Consumer Data Privacy Bill
As proposed, S.120 would apply to for-profit businesses that collect personal information from Massachusetts consumers if they either have annual gross revenues over $10 million or derive more than 50% of annual revenues from third party disclosures of consumer information. S.120 at Section 1(c). Notably, S.120 would apply to companies that do not meet CCPA’s higher revenue threshold of $25 million. See CCPA at 1798.140(c)(1)(A). The bill adopts many key features from CCPA and BIPA, with important distinctions.
Expansive Definition of Personal Information
S.120 broadly defines personal information as “any information relating to an identified or identifiable consumer.” S.120 at Section 1(m). Covered personal information includes “an individual’s physiological, biological or behavioral characteristics” and any other information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.” Like BIPA, S.120 specifies retina or iris scans, fingerprints, face and hand patterns, and voiceprints as biometric personal information. S.120 at Section 1(b). However, S.120 expands on the categories in BIPA, adding DNA, palm and vein patterns, voice recordings, keystroke rhythms, gait patterns, and sleep, health, or exercise data that contains identifying information. These additional categories have the potential to make Massachusetts’ proposal significantly broader than BIPA in terms of the products and business activities within its reach, particularly in the healthcare, security, technology, and consumer electronics industries.
Consumer Rights to Notice, Disclosure, Deletion, and Opt-Out
S.120 would establish consumer rights similar to those created by CCPA and BIPA. These rights include advance notice about the occurrence and business purpose of data collection and disclosure. S.120 at Section 2. The law would also create a consumer right to request copies of collected personal information, and details about collection sources and third-party disclosures. S.120 at Section 3. Consumers could also direct the deletion of all such information (S.120 at Section 5) and opt-out of third party disclosures (S.120 at Section 6). The proposed law would require companies to display “clear and conspicuous” links to opt-out forms on the homepage of their websites (S.120 at Section 6) and prohibit discrimination against consumers who exercise their rights under the law (S.120 at Section 7).
Exceptions for Aggregate Data, Employee Information, and Scientific Research
S.120 contains exceptions for activities that are especially relevant to the business and scientific communities in Massachusetts. These exceptions include:
- Clinical trials under the human subject protection requirements of the FDA.
- News gathering protected by the First Amendment.
- Aggregated consumer information from which individual identities have been removed and which cannot be re-identified or linked to an individual consumer.
- Compliance with legal obligations and proceedings, and cooperation with law enforcement.
- Collection or disclosure of employee information if “within the scope of its role as an employer,” an important distinction between S.120 and BIPA, which applies equally to employees and consumers.
See S.120 at Sections 1(a), 1(m)(3), and 8.
Separately, S.120 exempts certain scientific research activities from the obligation to delete consumer information upon receipt of a verified request, but only if the consumer has provided informed consent and the research is in the public interest, is public or peer-reviewed, would be impaired by the deletion, and adheres to all other applicable ethics and privacy laws. S.120 at Section 5(d). In this exempted research context, collected consumer information can be used only for research purposes consistent with the collection context and not for a commercial purpose, must be aggregated with a prohibition on re-identification, and must be protected by controls and processes that prevent inadvertent release and unnecessary access. S.120 at Section 1(q).
Non-Waivable Private Right of Action for Statutory Damages without Actual Harm
S.120 creates a private right of action with significant statutory damages that might be recoverable in class actions without any requirement that a plaintiff demonstrate actual injury to establish standing. Under the proposed statutory language, any “consumer who has suffered a violation of this chapter may bring a lawsuit against the business or service provider that violated this chapter.” S.120 at Section 9. Critically, the statute directs: “the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this chapter,” and any “violation of this chapter shall constitute an injury in fact to the consumer.” Id. This provision could remove what has been a critical hurdle for consumers attempting to recover damages in data privacy class actions to date, particularly in federal court following the Supreme Court’s ruling in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
A consumer who successfully brings a class action for violation of S.120 could recover up to $750 per consumer per incident (or actual damages, if greater), plus reasonable attorney fees and costs. These statutory damages would be available regardless of the degree of knowledge or intent alleged on the part of the defendant. Although the proposed law directs courts to consider “the nature and seriousness” and “willfulness of the defendant’s misconduct,” the bill does not make proof of a culpable mental state a requirement for recovery. This could have dramatic ramifications for class action litigation risk and may exceed the scope of potential liability under CCPA and BIPA. CCPA consumer recovery is currently limited to certain data breaches and is capped at $750 per consumer per incident (or actual damages, if greater). BIPA provides for consumer recovery for any violation of the statute, but ties the amount to the defendant’s culpability: liquidated damages of $1,000 per violation (or actual damages, if greater) for a negligent violation, and $5,000 per violation (or actual damages, if greater) for an intentional or reckless violation. S.120 contains neither of these limitations, and could therefore create broader categories of litigation risk.
To illustrate the potential scale of damages awards based on data breaches and other technical violations of the proposed law, consider that 391,532 Massachusetts residents were affected by data breaches in 2017 (excluding the 2.9 million residents affected by the Equifax breach that year). At $750 per consumer, and assuming those breaches indicate non-compliance with the proposed law’s requirements, data breaches alone could expose businesses to more than $293 million in annual potential statutory damages in class actions filed in Massachusetts state and federal courts. The total class action liability risk posed by S.120, including damages for technical violations unrelated to any breach, is more difficult to quantify, but could eclipse these numbers.
A final and important aspect of S.120 affecting class action exposure is its apparent prohibition of liability waivers, arbitration provisions, class action waivers, limitation of liability clauses, jury trial waivers, and other contractual provisions that could limit a company’s litigation risk. The proposed law expressly renders unenforceable “any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s right under this chapter,” including any limitation on “any right to a remedy or means of enforcement.” S.120 at Section 14. However, under recent Supreme Court precedent holding that state laws may not discriminate against arbitration, this provision’s application to arbitration clauses is likely preempted by the Federal Arbitration Act. See Kindred Nursing Ctrs. L.P. v. Clark, 137 S. Ct. 1421 (2017); AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011). Apart from this narrow federal preemption, the other contractual provisions that ordinarily limit litigation risk may be unavailable to companies defending against class actions under S.120, reducing the number of defense strategies available.
As a result of these key provisions in S.120, it is difficult to overstate the magnitude of class action litigation risk the proposed law may create for businesses collecting data from Massachusetts consumers. These businesses and their advisors should follow the progress of S.120 closely, and be prepared to creatively formulate litigation risk strategies to confront a potential new tidal wave of consumer class actions in Massachusetts. If the bill, or one like it, is enacted, business litigators will need to evaluate potential defenses to class-wide liability under existing precedent and constitutional limitations.
We will continue to share news of major developments with the proposed Massachusetts Consumer Data Privacy law with clients as they occur.
If you want to know more about S.120, CCPA, or other data privacy legislation, or have questions or concerns about data privacy and cybersecurity issues, please contact one of our attorneys: Peter Guffin at 207.791.1199 or Melanie Conroy at 617.488.8119.