On February 2, 2022, the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity advanced an amended comprehensive data privacy bill, the Massachusetts Information Privacy and Security Act, introduced as S.46 by Senator Creem and as H.142 by Representative Vargas.
The Joint Committee had been considering the bill since March 2021, weighing public input following a virtual hearing in October 2021. The bill will now make its way through the Massachusetts Statehouse, including additional committees and both the Senate and the House, before reaching Governor Baker’s desk for signature. If enacted, the proposed law could reshape how businesses interact with Massachusetts consumers, increase the cost and complexity of privacy design and compliance, expand the Massachusetts Attorney General’s enforcement powers, and expose companies to new and significant litigation risks.
Key Features of Massachusetts’ New Comprehensive Data Privacy Proposal
The proposed Massachusetts Information Privacy and Security Act (MIPSA) (S.2687) draws on predecessor laws from Europe, California, and Illinois, and is similar to the recently enacted California Privacy Rights Act, Virginia Consumer Data Protection Act, and Colorado Privacy Act, although there are some notable differences. MIPSA would take effect 18 months after enactment and, even as amended, contains sweeping privacy provisions that would make the Commonwealth a national leader in the regulation of data privacy and security. MIPSA’s notable features include:
- Broad application to businesses operating in Massachusetts that earn $25 million or more in gross global annual revenues, process the personal information of at least 100,000 individuals, or are data brokers that collect and sell sensitive or personal information of at least 10,000 individuals. Data brokers would be required to register with the Commonwealth.
- Expanded rights of access, correction, portability, disclosure, and deletion for Massachusetts residents’ personal information through a notice and consent framework, with an ability to opt out of the sale of personal information and targeted advertising.
- Strict regulation of biometric and sensitive data, including racial, religious, citizenship, health, geolocation, sexual identity, financial, government identification, and philosophical information, as well as information collected from children. The bill limits the ability to collect, use, sell, and share this data and, for minors (defined as people ages 13-16), requires the consent of both minors and their guardians.
- Stemming discrimination by forbidding the processing of personal information that violates anti-discrimination laws.
- Enforcement by the Attorney General, subject to a notice and cure period, with the ability to seek injunctions and civil penalties of: (i) $7,500 for each violation of the law, (ii) $500 per day for failure to register under the law, up to $100,000 per year, (iii) $10,000 for violations of injunctions, and (iv) attorney fees and costs. The bill would also establish a Massachusetts Privacy Fund, into which civil penalties and registration fees collected under the proposed law would be paid to support the Attorney General’s activities under MIPSA.
- Increased data breach litigation through a private right of action for an individual whose personal information was subject to a data breach resulting from a controller’s failure to maintain reasonable protections. MIPSA would entitle these individuals to recover (i) $500 per individual per violation or actual damages, or (ii) injunctive or declaratory relief. Companies are protected by a safe harbor provision based on the implementation of an appropriate cybersecurity program. This provision also states that it does not alter an individual’s rights under the Massachusetts consumer protection statute, Chapter 93A.
- Broad exceptions for (i) health information, including data subject to the federal Health Insurance Portability and Accountability Act of 1996, (ii) credit reporting activity, (iii) information collected pursuant to federal driver, education, farm credit, financial, and airline privacy laws, and (iv) information about job applicants, beneficiaries, and emergency contacts. The bill also states that it would not interfere with: compliance with other laws, law enforcement activities, investigation of legal claims, protection against threats to physical security, cybersecurity activities, contractual obligations, academic research, employee directories, or the exercise of free speech.
Notably, as amended, MIPSA would no longer create a new privacy-focused state agency with rulemaking and enforcement powers, and no longer specifically addresses employee surveillance. The amendments also narrowed the number of affected businesses, eliminated language creating duties of care, confidentiality, and loyalty, expanded the categories of exempted businesses, and narrowed the definition of biometric data.
As amended, the bill contains a significantly limited private right of action and reduces civil penalties and recovery amounts in private litigation. Finally, while the amended bill is not expressly hostile to arbitration or class action waivers, it provides that any contractual provision that would limit or waive any individual rights under the law would be deemed contrary to public policy, void, and unenforceable.
For a discussion of the predecessor version of MIPSA before its amendment by the Joint Committee, as well as recommendations for how businesses can prepare for MIPSA’s potential passage, see our analysis from November 2021.
Under current legislative deadlines, the last day for Formal Sessions in the Massachusetts Legislature is July 31, 2022, and the current legislative session will end on January 3, 2023. As the legislative deadlines approach and the proposed law makes its way through the Statehouse, we will continue to monitor the progress of MIPSA and share news of major developments with the proposed Massachusetts law.
If you want to know more about pending comprehensive data privacy legislation in Massachusetts, or have questions or concerns about data privacy and cybersecurity issues, please contact firm privacy partners Peter Guffin at 207.791.1199 or Melanie Conroy at 617.488.8119.