Massachusetts Legislature Punts on Privacy for Consumer Data

With another legislative session set to close, the Massachusetts Legislature has yet again punted the issue of comprehensive consumer data privacy to a future term. This development may come as a disappointment or relief, depending on an observer’s view on proposed legislation to date. Nonetheless, businesses should continue to evaluate their existing operations and obligations and consult with counsel to ensure they remain well prepared for future developments.

Massachusetts Consumer Data Privacy Introduced and Debated in 2019 and 2021

In 2019, Massachusetts state senators introduced a consumer data privacy bill with a broad private right of action. The proposed law, An Act Relative to Consumer Data Privacy (S.120), would have permitted any consumer to bring a lawsuit against any violating business or service provider, regardless of actual losses. S.120 was referred to the Joint Committee on Consumer Protection and Professional Licensure, which held a hearing in October 2019. Following public hearing, on February 5, 2020 the Joint Committee issued a Study Order on S.120. For an in-depth description of the 2019 bill and its fate, see our earlier alerts on that topic.

During the next legislative session in 2021, a successor bill, the Massachusetts Information Privacy and Security Act (H.142), was introduced. The proposed law would have reshaped how businesses interact with Massachusetts consumers, increased the cost and complexity of privacy design and compliance, expanded the Massachusetts attorney general’s enforcement powers, and exposed companies to new and significant litigation risks. Our prior alert provides a more in-depth analysis of the proposed law and its potential effects.

The newly created Joint Committee on Advanced Information Technology held a virtual hearing on the legislation in October 2021, and in March 2022 reported a new draft of the bill, titled the Massachusetts Information Privacy and Security Act (H.4514), recommending its passage and forwarding it on to review by the Joint Committee on Health Care Financing. The reporting date for the bill was extended to June 1, 2022 pending concurrence by the Senate, and the Senate ultimately concurred on May 26, 2022. However, on September 15, 2022 the bill met a final roadblock in this legislative session when, like its predecessor, it was sent to a study order.

A study order authorizes the Joint Committee to sit during recess to study the bill and, if appropriate, to file a report of findings. However, for the vast majority of bills sent to a study order, no further committee activity takes place. For this reason, many observers view a study order as a procedural mechanism to table a bill until a future legislative session.

The Future of Consumer Data Privacy in Massachusetts

Many believed the latest draft of comprehensive consumer data privacy legislation had favorable odds of passage and could have made Massachusetts an early mover in creating a comprehensive regulatory scheme for consumer data privacy. Now, the future of consumer data privacy law in Massachusetts is more uncertain. However, the legislative focus on data privacy is unlikely to abate. Absent federal legislation or regulation that would preempt state-level action, we are likely to see a comprehensive consumer data privacy law introduced in the next legislative term. The current legislative term comes to an end at the close of this year, and sponsors may introduce new legislation at the start of the new term in January 2023.

We will continue to monitor the proposed privacy legislation in Massachusetts and share news of major developments in the new legislative term.

In the meantime, of course, Massachusetts businesses should not assume they are off the hook for consumer privacy compliance. In other recent developments, five comprehensive state consumer privacy laws – the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), Colorado Privacy Act (CPA), and Utah Consumer Privacy Act (UCPA) -- take effect in 2023. These new laws may apply to Massachusetts companies doing business in those five states. Two of those laws – the CPRA and VCDPA -- take effect as early as January 1, 2023.

If you want to know more about pending comprehensive data privacy legislation in Massachusetts, or have questions or concerns about data privacy and cybersecurity issues, please contact firm privacy partners Peter Guffin at 207.791.1199 or Melanie Conroy at 617.488.8119.