State Legislature Hears Concerns About Proposed Massachusetts Consumer Data Privacy Bill
On October 7, 2019, the Joint Committee on Consumer Protection and Professional Licensure held a hearing on pending legislation, including An Act Relative to Consumer Data Privacy (S.120). Modeled on the California Consumer Privacy Act (CCPA), which becomes effective on January 1, 2020, S.120 would create a comprehensive consumer data privacy regime in Massachusetts. If enacted, S.120 could reshape how businesses interact with Massachusetts consumers, increase the cost and complexity of privacy design and compliance, and expose companies to new and significant litigation risks. For a summary of its key features, please see our earlier client alert.
During the hearing, speakers from a variety of industries urged lawmakers to consider potential pitfalls and unintended consequences that could result from the bill. Representatives appeared on behalf of technology, media, insurance, communications, automotive, consumer reporting, retail and small business trade associations. The overwhelming point of agreement was that legislators should exercise caution, and give the bill due consideration in light of the immense risks of hastily-crafted language. While some commenters proposed amendments, none spoke in favor of passing the bill as currently drafted, and others strenuously argued that the Joint Committee should recommend the bill not pass.
Specifically, speakers focused on the following features of S.120:
Arguments in Favor of Caution
Several speakers noted that S.120 was modeled on the original language of the CCPA, which has been repeatedly amended but has not yet gone into effect. They claimed that the CCPA was enacted through a rushed legislative process that resulted in a well-intentioned but ultimately flawed law. Presentations pointed to forthcoming CCPA ballot initiatives and regulations to be promulgated by the California attorney general’s office. Critics cautioned against following an untested model and urged a more deliberate approach that observes how the CCPA performs over time.
Speakers also warned that S.120 would promote a patchwork of state regulation, creating expensive and confusing inconsistencies for businesses operating across the country. They noted that the high cost of compliance – reportedly up to $55 billion for the CCPA alone – would be particularly prohibitive for small businesses. Like many prominent political and business leaders, speakers advocated for a comprehensive and preemptive federal consumer data privacy regime and cautioned against creating new state law.
Expansive Private Right of Action
Comments focused on the private right of action in S.120, which would permit any consumer alleging a violation to bring a suit without showing any loss of money or property. S.120 at Section 9. As currently drafted, S.120 would also nullify any waiver relating to the private right of action, including arbitration provisions or class action waivers. S.120 at Section 14. Although both provisions would likely be challenged in litigation, S.120 would create the most expansive data privacy right of action in the country. Speakers warned that this would make Massachusetts the national hub for data privacy class actions, burdening courts while providing little recovery to consumers. The cost of defending class actions would be especially burdensome for small businesses, and critics predicted that some companies may not survive. Noting that California lawmakers rejected an amendment that would have broadened the CCPA’s private right of action, presenters cautioned against treading into uncharted territory that could flood Massachusetts courts with consumer data privacy suits.
Focus on “Overbroad” Definitions
Many comments focused on concerns that definitions in S.120 are overbroad. The proposed bill defines “Personal Information” as “any information relating to an identified or identifiable consumer,” including “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.” S.120 at Section 1(m). Critics argued that the definition encompasses voluminous but non-meaningful data that businesses would be burdened with bringing into compliance, despite being of no value to consumers.
In addition, S.120 defines “Consumer” as “a natural person who resides in the Commonwealth,” which could include employees and ensnare administrative activities. S.120 at Section 1(f). For these reasons, the CCPA was amended to exempt the collection of information from job applicants, employees, or contractors for one year. The proposed Massachusetts bill currently exempts “a business collecting or disclosing personal information of the business’s employees . . . within the scope of its role as an employer,” but critics would clarify that exemption. S.120 at Section 8(b)(1). Without clarification, they warned that S.120 could be interpreted beyond its intended scope.
The Joint Committee also heard industry-specific concerns. First, several speakers noted that the exemption for “personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act” (GLBA) is an information-level exemption that does not fully exempt financial institutions already federally regulated in how they handle consumer financial information. The GLBA exemption in S.120 is modeled after the CCPA. However, the CCPA’s GLBA exemption has been criticized because it could still subject GLBA-regulated entities to CCPA requirements for activities falling outside of the GLBA. Critics of both the CCPA and S.120 insist that exempting GLBA-regulated entities is the only way to create a practical regime.
Representatives of the consumer reporting and automotive industries also urged amendments that would broaden the exemptions to S.120. The CCPA was amended to address information related to warranty or recall-related vehicle repair and to exempt the sale of personal information in a consumer report governed by the Fair Credit Reporting Act (FCRA). Speakers advocated for similar amendments to S.120.
The liveliest portion of the hearing concerned the nondiscrimination provision of S.120 that provides, “a business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this chapter.” S.120 at Section 7. In one exchange, an advocate claimed that this provision would fundamentally change the business model of companies that provide online content to consumers in exchange for information and/or browser tracking. The speaker argued that S.120 would force these companies to provide their content for free to users who opt out. Representative Tackey Chan, Chair of the Joint Committee, and Representative Mindy Domb asked pointed questions about whether S.120 would actually create sweeping changes when consumers can already block information collection and browser tracking. In the exchange, the representatives acknowledged how personal information can function as a currency by which consumers can access online content without other payment. Representative Domb concluded her questioning by observing that the issue warranted further consideration.
Related to the nondiscrimination provision, advocates also encouraged the Joint Committee to amend S.120 and expressly carve out customer loyalty and discount programs, including for fraud prevention. In California, an amendment to the CCPA that would have exempted customer loyalty and discount programs failed to pass this legislative term. Speakers pointed out that, as currently drafted, S.120 could prohibit programs that consumers value and enjoy.
What to Watch
Following hearings, the Joint Committee is responsible for reporting out the bills under its consideration to the full legislative body. As part of this process, the Joint Committee may issue a Favorable Report or Unfavorable (or Ought Not to Pass) Report. Under the Joint Rules, the Joint Committee is required to report out S.120 by February 5, 2020. In a Favorable Report, the Joint Committee can recommend that S.120 pass in its original form or with amendments. An Unfavorable Report would effectively derail S.120 for the remainder of the current session. However, even with an Unfavorable Report, proponents could introduce a new version of the bill during the next legislative session in 2021.
As the February 2020 deadline approaches, we will continue to monitor the progress of S.120 and share news of major developments with the proposed Massachusetts consumer data privacy law.