Massachusetts 2023-2024 Regular Session

Massachusetts House Bill H83 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	1 of 1
2	2	HOUSE DOCKET, NO. 2281 FILED ON: 1/19/2023
3	3	HOUSE . . . . . . . . . . . . . . . No. 83
4	4	The Commonwealth of Massachusetts
5	5	_________________
6	6	PRESENTED BY:
7	7	Andres X. Vargas and David M. Rogers
8	8	_________________
9	9	To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
10	10	Court assembled:
11	11	The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:
12	12	An Act to establish the Massachusetts data privacy protection act.
13	13	_______________
14	14	PETITION OF:
15	15	NAME:DISTRICT/ADDRESS :DATE ADDED:Andres X. Vargas3rd Essex1/10/2023David M. Rogers24th Middlesex1/19/2023Carmine Lawrence Gentile13th Middlesex2/9/2023 1 of 62
16	16	HOUSE DOCKET, NO. 2281 FILED ON: 1/19/2023
17	17	HOUSE . . . . . . . . . . . . . . . No. 83
18	18	By Representatives Vargas of Haverhill and Rogers of Cambridge, a petition (accompanied by
19	19	bill, House, No. 83) of Andres X. Vargas, David M. Rogers and Carmine Lawrence Gentile for
20	20	legislation to establish the Massachusetts data privacy protection act. Advanced Information
21	21	Technology, the Internet and Cybersecurity.
22	22	The Commonwealth of Massachusetts
23	23	_______________
24	24	In the One Hundred and Ninety-Third General Court
25	25	(2023-2024)
26	26	_______________
27	27	An Act to establish the Massachusetts data privacy protection act.
28	28	Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority
29	29	of the same, as follows:
30	30	1 SECTION 1. The General Laws, as appearing in the 2018 Official Edition, are hereby
31	31	2amended by inserting after chapter 93K the following chapter:
32	32	3 Chapter 93L. Massachusetts Data Privacy Protection Act
33	33	4 Section 1. Definitions
34	34	5 As used in this chapter, the following words shall, unless the context clearly requires
35	35	6otherwise, have the following meanings:—
36	36	7 “affirmative express consent”, an affirmative act by an individual that clearly
37	37	8communicates the individual’s freely given, specific, and unambiguous authorization for an act
38	38	9or practice after having been informed, in response to a specific request from a covered entity
39	39	10that meets the requirements of this chapter. 2 of 62
40	40	11 “authentication”, the process of verifying an individual or entity for security purposes.
41	41	12 “biometric information”, any covered data generated from the technological processing
42	42	13of an individual’s unique biological, physical, or physiological characteristics that is linked or
43	43	14reasonably linkable to an individual, including:—
44	44	15 fingerprints;
45	45	16 voice prints;
46	46	17 iris or retina scans;
47	47	18 facial or hand mapping, geometry, or templates; or
48	48	19 gait or personally identifying physical movements.
49	49	20 The term “biometric information” does not include a digital or physical photograph; an
50	50	21audio or video recording; or data generated from a digital or physical photograph, or an audio or
51	51	22video recording, that cannot be used to identify an individual.
52	52	23 “collect” and “collection”, buying, renting, gathering, obtaining, receiving, accessing, or
53	53	24otherwise acquiring covered data by any means.
54	54	25 “control”, with respect to an entity:—
55	55	26 ownership of, or the power to vote, more than 50 percent of the outstanding shares of any
56	56	27class of voting security of the entity;
57	57	28 control over the election of a majority of the directors of the entity (or of individuals
58	58	29exercising similar functions); or 3 of 62
59	59	30 the power to exercise a controlling influence over the management of the entity.
60	60	31 “covered algorithm”, a computational process that uses machine learning, natural
61	61	32language processing, artificial intelligence techniques, or other computational processing
62	62	33techniques of similar or greater complexity and that makes a decision or facilitates human
63	63	34decision-making with respect to covered data, including determining the provision of products or
64	64	35services or to rank, order, promote, recommend, amplify, or similarly determine the delivery or
65	65	36display of information to an individual.
66	66	37 “covered data”, information, including derived data and unique persistent identifiers, that
67	67	38identifies or is linked or reasonably linkable, alone or in combination with other information, to
68	68	39an individual or a device that identifies or is linked or reasonably linkable to an individual. The
69	69	40term “covered data” does not include:—
70	70	41 de-identified data;
71	71	42 employee data covered under section 204 of chapter 149 of the general laws; or
72	72	43 publicly available information.
73	73	44 “covered entity”, any entity or any person, other than an individual acting in a non-
74	74	45commercial context, that alone or jointly with others determines the purposes and means of
75	75	46collecting, processing, or transferring covered data. The term “covered entity” does not
76	76	47include:—
77	77	48 government agencies or service providers to government agencies that exclusively and
78	78	49solely process information provided by government entities; 4 of 62
79	79	50 any entity or person that meets the following criteria for the period of the 3 preceding
80	80	51calendar years (or for the period during which the covered entity or service provider has been in
81	81	52existence if such period is less than 3 years):—
82	82	53 the entity or person’s average annual gross revenues during the period did not exceed
83	83	54$20,000,000;
84	84	55 the entity or person, on average, did not annually collect or process the covered data of
85	85	56more than 75,000 individuals during the period beyond the purpose of initiating, rendering,
86	86	57billing for, finalizing, completing, or otherwise collecting payment for a requested service or
87	87	58product, so long as all covered data for such purpose was deleted or de-identified within 90 days,
88	88	59except when necessary to investigate fraud or as consistent with a covered entity’s return policy;
89	89	60and
90	90	61 no component of its revenue comes from transferring covered data during any year (or
91	91	62part of a year if the covered entity has been in existence for less than 1 year) that occurs during
92	92	63the period.
93	93	64 “covered high-impact social media company”, a covered entity that provides any internet-
94	94	65accessible platform where —
95	95	66 such covered entity generates $3,000,000,000 or more in annual revenue;
96	96	67 such platform has 300,000,000 or more monthly active users for not fewer than 3 of the
97	97	68preceding 12 months on the online product or service of such covered entity; and
98	98	69 such platform constitutes an online product or service that is primarily used by users to
99	99	70access or share, user-generated content. 5 of 62
100	100	71 “covered minor”, an individual under the age of 18.
101	101	72 “de-identified data”, information that does not identify and is not linked or reasonably
102	102	73linkable to a distinct individual or a device, regardless of whether the information is aggregated,
103	103	74and if the covered entity or service provider:—
104	104	75 takes technical measures to ensure that the information cannot, at any point, be used to
105	105	76re-identify any individual or device that identifies or is linked or reasonably linkable to an
106	106	77individual;
107	107	78 publicly commits in a clear and conspicuous manner: —
108	108	79 to process and transfer the information solely in a de-identified form without any
109	109	80reasonable means for re-identification; and
110	110	81 to not attempt to re-identify the information with any individual or device that identifies
111	111	82or is linked or reasonably linkable to an individual; and
112	112	83 contractually obligates any person or entity that receives the information from the
113	113	84covered entity or service provider:—
114	114	85 to comply with all the provisions of this paragraph with respect to the information; and
115	115	86 to require that such contractual obligations be included contractually in all subsequent
116	116	87instances for which the data may be received.
117	117	88 “derived data”, covered data that is created by the derivation of information, data,
118	118	89assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another
119	119	90source of information or data about an individual or an individual’s device. 6 of 62
120	120	91 “device”, any electronic equipment capable of collecting, processing, or transferring data
121	121	92that is used by one or more individuals or households.
122	122	93 “first party advertising or marketing”, advertising or marketing conducted by a covered
123	123	94entity that collected covered data from the individual through either direct communications with
124	124	95the individual such as direct mail, email, or text message communications, or advertising or
125	125	96marketing conducted entirely within the first-party context, such as in a physical location
126	126	97operated by or on behalf of such covered entity, or on a web site or app operated by or on behalf
127	127	98of such covered entity.
128	128	99 “genetic information”, any covered data, regardless of its format, that concerns an
129	129	100individual’s genetic characteristics, including:—
130	130	101 raw sequence data that results from the sequencing of the complete, or a portion of the,
131	131	102extracted deoxyribonucleic acid (DNA) of an individual; or
132	132	103 genotypic and phenotypic information that results from analyzing raw sequence data
133	133	104described in subparagraph (A).
134	134	105 “individual”, a natural person who is a Massachusetts resident or present in
135	135	106Massachusetts.
136	136	107 “knowledge”,
137	137	108 with respect to a covered entity that is a covered high-impact social media company, the
138	138	109entity knew or should have known the individual was a covered minor; 7 of 62
139	139	110 with respect to a covered entity or service provider that is a large data holder, and
140	140	111otherwise is not a covered high-impact social media company, that the covered entity knew or
141	141	112acted in willful disregard of the fact that the individual was a covered minor; and
142	142	113 with respect to a covered entity or service provider that does not meet the requirements of
143	143	114clause (i) or (ii), actual knowledge.
144	144	115 “large data holder”, a covered entity or service provider that in the most recent calendar
145	145	116year:—
146	146	117 had annual gross revenues of $250,000,000 or more; and
147	147	118 collected, processed, or transferred the covered data of more than 5,000,000 individuals
148	148	119or devices that identify or are linked or reasonably linkable to 1 or more individuals, excluding
149	149	120covered data collected and processed solely for the purpose of initiating, rendering, billing for,
150	150	121finalizing, completing, or otherwise collecting payment for a requested product or service; and
151	151	122the sensitive covered data of more than 200,000 individuals or devices that identify or are linked
152	152	123or reasonably linkable to 1 or more individuals.
153	153	124 The term “large data holder” does not include any instance in which the covered entity or
154	154	125service provider would qualify as a large data holder solely on the basis of collecting or
155	155	126processing personal email addresses, personal telephone numbers, or log-in information of an
156	156	127individual or device to allow the individual or device to log in to an account administered by the
157	157	128covered entity or service provider.
158	158	129 “material”, with respect to an act, practice, or representation of a covered entity
159	159	130(including a representation made by the covered entity in a privacy policy or similar disclosure to 8 of 62
160	160	131individuals) involving the collection, processing, or transfer of covered data, that such act,
161	161	132practice, or representation is likely to affect a reasonable individual’s decision or conduct
162	162	133regarding a product or service;
163	163	134 “location information”, information derived from a device or from interactions between
164	164	135devices, with or without the knowledge of the user and regardless of the technological method
165	165	136used, that pertains to or directly or indirectly reveals the present or past geographical location of
166	166	137an individual or device within the Commonwealth of Massachusetts with sufficient precision to
167	167	138identify street-level location information within a range of 1,850 feet or less.
168	168	139 “OCABR”, the Office of Consumer Affairs and Business Regulation.
169	169	140 “process”, to conduct or direct any operation or set of operations performed on covered
170	170	141data, including analyzing, organizing, structuring, retaining, storing, using, or otherwise handling
171	171	142covered data.
172	172	143 “processing purpose”, a reason for which a covered entity or service provider collects,
173	173	144processes, or transfers covered data that is specific and granular enough for a reasonable
174	174	145individual to understand the material facts of how and why the covered entity or service provider
175	175	146collects, processes, or transfers the covered data.
176	176	147 “publicly available information”, any information that a covered entity or service
177	177	148provider has a reasonable basis to believe has been lawfully made available to the general public
178	178	149from:— 9 of 62
179	179	150 federal, state, or local government records, if the covered entity collects, processes, and
180	180	151transfers such information in accordance with any restrictions or terms of use placed on the
181	181	152information by the relevant government entity;
182	182	153 widely distributed media;
183	183	154 a website or online service made available to all members of the public, for free or for a
184	184	155fee, including where all members of the public, for free or for a fee, can log in to the website or
185	185	156online service;
186	186	157 a disclosure that has been made to the general public as required by federal, state, or local
187	187	158law; or
188	188	159 the visual observation of the physical presence of an individual or a device in a public
189	189	160place, not including data collected by a device in the individual’s possession.
190	190	161 For purposes of this paragraph, information from a website or online service is not
191	191	162available to all members of the public if the individual who made the information available via
192	192	163the website or online service has restricted the information to a specific audience.
193	193	164 The term “publicly available information” does not include: —
194	194	165 any obscene visual depiction, as defined in section 18 U.S.C. section 1460;
195	195	166 any inference made exclusively from multiple independent sources of publicly available
196	196	167information that reveals sensitive
197	197	168 covered data with respect to an individual;
198	198	169 biometric information; 10 of 62
199	199	170 publicly available information that has been combined with covered data;
200	200	171 genetic information, unless otherwise made available by the individual to whom the
201	201	172information pertains;
202	202	173 intimate images known to have been created or shared without consent..
203	203	174 “reasonably understandable”, of length and complexity such that an individual with an
204	204	175eighth-grade reading level, as established by the department of elementary and secondary
205	205	176education, can read and comprehend.
206	206	177 “sensitive covered data”, the following types of covered data:—
207	207	178 a government-issued identifier, such as a Social Security number, passport number, or
208	208	179driver’s license number, that is not required by law to be displayed in public.
209	209	180 any information that describes or reveals the past, present, or future physical health,
210	210	181mental health, disability, diagnosis, or healthcare condition or treatment of an individual.
211	211	182 a financial account number, debit card number, credit card number, or information that
212	212	183describes or reveals the income level or bank account balances of an individual, except that the
213	213	184last four digits of a debit or credit card number shall not be deemed sensitive covered data.
214	214	185 biometric information.
215	215	186 genetic information.
216	216	187 location information. 11 of 62
217	217	188 an individual’s private communications such as voicemails, emails, texts, direct
218	218	189messages, or mail, or information identifying the parties to such communications, voice
219	219	190communications, video communications, and any information that pertains to the transmission of
220	220	191such communications, including telephone numbers called, telephone numbers from which calls
221	221	192were placed, the time calls were made, call duration, and location information of the parties to
222	222	193the call, unless the covered entity or a service provider acting on behalf of the covered entity is
223	223	194the sender or an intended recipient of the communication. Communications are not private for
224	224	195purposes of this clause if such communications are made from or to a device provided by an
225	225	196employer to an employee insofar as such employer provides conspicuous notice that such
226	226	197employer may access such communications.
227	227	198 account or device log-in credentials, or security or access codes for an account or device.
228	228	199 information identifying the sexual behavior of an individual in a manner inconsistent with
229	229	200the individual’s reasonable expectation regarding the collection, processing, or transfer of such
230	230	201information or when it is processed in a way that creates a substantial privacy risk for the
231	231	202individual.
232	232	203 calendar information, address book information, phone or text logs, photos, audio
233	233	204recordings, or videos, maintained for private use by an individual, regardless of whether such
234	234	205information is stored on the individual’s device or is accessible from that device and is backed up
235	235	206in a separate location. Such information is not sensitive for purposes of this paragraph if such
236	236	207information is sent from or to a device provided by an employer to an employee insofar as such
237	237	208employer provides conspicuous notice that it may access such information. 12 of 62
238	238	209 a photograph, film, video recording, or other similar medium that shows the naked or
239	239	210undergarment-clad private area of an individual.
240	240	211 information revealing the video content requested or selected by an individual collected
241	241	212by a covered entity that is not a provider of a service described in section 102(4). This clause
242	242	213does not include covered data used solely for transfers for independent video measurement.
243	243	214 information about an individual when the covered entity or service provider has
244	244	215knowledge that the individual is a covered minor.
245	245	216 an individual’s race, color, ethnicity, sex, gender identity, sexual orientation, national
246	246	217origin, immigration status, disability, religion, or union membership.
247	247	218 information identifying an individual’s online activities over time and across third-party
248	248	219websites or online services.
249	249	220 any other covered data collected, processed, or transferred for the purpose of identifying
250	250	221the types of covered data listed in clauses (1) through (16).
251	251	222 “service provider”, a person or entity that:—
252	252	223 collects, processes, or transfers covered data on behalf of, and at the direction of, a
253	253	224covered entity or a government agency; and
254	254	225 receives covered data from or on behalf of a covered entity or a government agency.
255	255	226 A service provider that receives service provider data from another service provider as
256	256	227permitted under this chapter shall be treated as a service provider under this chapter with respect
257	257	228to such data. 13 of 62
258	258	229 “service provider data”, covered data that is collected or processed by or has been
259	259	230transferred to a service provider by or on behalf of a covered entity or a government agency or
260	260	231another service provider for the purpose of allowing the service provider to whom such covered
261	261	232data is transferred to perform a service or function on behalf of, and at the direction of, such
262	262	233covered entity or government agency.
263	263	234 “small business”, a covered entity or a service provider that meets the following criteria
264	264	235for the period of the 3 preceding calendar years (or for the period during which the covered
265	265	236entity or service provider has been in existence if such period is less than 3 years): —
266	266	237 the covered entity or service provider’s average annual gross revenues during the period
267	267	238did not exceed $41,000,000;
268	268	239 the covered entity or service provider, on average, did not annually collect or process the
269	269	240covered data of more than 200,000 individuals during the period beyond the purpose of
270	270	241initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a
271	271	242requested service or product, so long as all covered data for such purpose was deleted or de-
272	272	243identified within 90 days, except when necessary to investigate fraud or as consistent with a
273	273	244covered entity’s return policy; and
274	274	245 the covered entity or service provider did not derive more than 50 percent of its revenue
275	275	246from transferring covered data during any year (or part of a year if the covered entity has been in
276	276	247existence for less than 1 year) that occurs during the period.
277	277	248 “substantial privacy risk”, the collection, processing, or transfer of covered data in a
278	278	249manner that may result in any reasonably foreseeable substantial physical injury, economic
279	279	250injury, highly offensive intrusion into the privacy expectations of a reasonable individual under 14 of 62
280	280	251the circumstances, or discrimination on the basis of race, color, religion, national origin, sex,
281	281	252sexual orientation, gender identity or disability.
282	282	253 “targeted advertising”, presenting to an individual or device identified by a unique
283	283	254identifier, or groups of individuals or devices identified by unique identifiers, an online
284	284	255advertisement that is selected based on known or predicted preferences, characteristics, or
285	285	256interests associated with the individual or a device identified by a unique identifier; and does not
286	286	257include:—
287	287	258 advertising or marketing to an individual or an individual’s device in response to the
288	288	259individual’s specific request for information or feedback;
289	289	260 contextual advertising, which is when an advertisement is displayed based on the content
290	290	261in which the advertisement appears and does not vary based on who is viewing the
291	291	262advertisement; or
292	292	263 processing covered data solely for measuring or reporting advertising or content,
293	293	264performance, reach, or frequency, including independent measurement.
294	294	265 “third party”, any person or entity, including a covered entity, that—
295	295	266 collects, processes, or transfers covered data and is not a consumer-facing business with
296	296	267which the individual linked or reasonably linkable to such covered data expects and intends to
297	297	268interact; and
298	298	269 is not a service provider with respect to such data. 15 of 62
299	299	270 This term does not include a person or entity that collects covered data from another
300	300	271entity if the two entities are related by common ownership or corporate control, but only if a
301	301	272reasonable consumer’s reasonable expectation would be that such entities share information.
302	302	273 “data broker”, a covered entity whose principal source of revenue is derived from
303	303	274processing or transferring covered data that the covered entity did not collect directly from the
304	304	275individuals linked or linkable to the covered data. This term does not include a covered entity
305	305	276insofar as such entity processes employee data collected by and received from a third party
306	306	277concerning any individual who is an employee of the third party for the sole purpose of such
307	307	278third-party providing benefits to the employee. An entity may not be considered to be a data
308	308	279broker for purposes of this chapter if the entity is acting as a service provider.
309	309	280 “third party data”, covered data that has been transferred to a third party.
310	310	281 “transfer”, to disclose, release, disseminate, make available, license, rent, or share
311	311	282covered data orally, in writing, electronically, or by any other means.
312	312	283 “unique identifier”, an identifier to the extent that such identifier is reasonably linkable to
313	313	284an individual or device that identifies or is linked or reasonably linkable to 1 or more individuals,
314	314	285including a device identifier, Internet Protocol address, cookie, beacon, pixel tag, mobile ad
315	315	286identifier, or similar technology, customer number, unique pseudonym, user alias, telephone
316	316	287number, or other form of persistent or probabilistic identifier that is linked or reasonably linkable
317	317	288to an individual or device. This term does not include an identifier assigned by a covered entity
318	318	289for the specific purpose of giving effect to an individual’s exercise of affirmative express consent
319	319	290or opt-outs of the collection, processing, and transfer of covered data pursuant to this chapter or
320	320	291otherwise limiting the collection, processing, or transfer of such information. 16 of 62
321	321	292 “widely distributed media”, information that is available to the general public, including
322	322	293information from a telephone book or online directory, a television, internet, or radio program,
323	323	294the news media, or an internet site that is available to the general public on an unrestricted basis,
324	324	295but does not include an obscene visual depiction, as defined in 18 U.S.C. section 1460.
325	325	296 Section 2. Duty of Loyalty
326	326	297 A covered entity may not collect, process, or transfer covered data unless the collection,
327	327	298processing, or transfer is limited to what is reasonably necessary and proportionate to carry out
328	328	299one of the following purposes:—
329	329	300 provide or maintain a specific product or service requested by the individual to whom the
330	330	301data pertains;
331	331	302 initiate, manage, complete a transaction, or fulfill an order for specific products or
332	332	303services requested by an individual, including any associated routine administrative, operational,
333	333	304and account-servicing activity such as billing, shipping, delivery, storage, and accounting;
334	334	305 authenticate users of a product or service;
335	335	306 fulfill a product or service warranty;
336	336	307 prevent, detect, protect against, or respond to a security incident. For purposes of this
337	337	308paragraph, security is defined as network security and physical security and life safety, including
338	338	309an intrusion or trespass, medical alerts, fire alarms, and access control security;
339	339	310 to prevent, detect, protect against, or respond to fraud, harassment, or illegal activity
340	340	311targeted at or involving the covered entity or its services. For purposes of this paragraph, the 17 of 62
341	341	312term “illegal activity”, a violation of a federal, state, or local law punishable as a felony or
342	342	313misdemeanor that can directly harm;
343	343	314 comply with a legal obligation imposed by state or federal law, or to investigate,
344	344	315establish, prepare for, exercise, or defend legal claims involving the covered entity or service
345	345	316provider;
346	346	317 effectuate a product recall pursuant to state or federal law;
347	347	318 conduct a public or peer-reviewed scientific, historical, or statistical research project
348	348	319that:—
349	349	320 is in the public interest; and
350	350	321 adheres to all relevant laws and regulations governing such research, including
351	351	322regulations for the protection of human subjects, or is excluded from criteria of the institutional
352	352	323review board;
353	353	324 deliver a communication that is not an advertisement to an individual, if the
354	354	325communication is reasonably anticipated by the individual within the context of the individual’s
355	355	326interactions with the covered entity;
356	356	327 deliver a communication at the direction of an individual between such individual and
357	357	328one or more individuals or entities;
358	358	329 ensure the data security and integrity of covered data in accordance with chapter 93H; 18 of 62
359	359	330 to support or promote participation by individuals in civic engagement activities and
360	360	331democratic governance, including voting, petitioning, engaging with government proceedings,
361	361	332providing indigent legal aid services, and unionizing; or
362	362	333 transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or
363	363	334similar transaction when the third party assumes control, in whole or in part, of the covered
364	364	335entity’s assets, only if the covered entity, in a reasonable time prior to such transfer, provides
365	365	336each affected individual with:—
366	366	337 a notice describing such transfer, including the name of the entity or entities receiving the
367	367	338individual’s covered data and their privacy policies; and
368	368	339 a reasonable opportunity to withdraw any previously given consents related to the
369	369	340individual’s covered data and a reasonable opportunity to request the deletion of the individual’s
370	370	341covered data.
371	371	342 A covered entity may, with respect to covered data previously collected in accordance
372	372	343with the previous subsection, process such data:—
373	373	344 as necessary to provide first-party advertising or marketing of products or services
374	374	345provided by the covered entity for individuals who are not covered minors;
375	375	346 to provide targeted advertising; provided, however, that such collection, processing, and
376	376	347transferring complies with the requirements of this chapter;
377	377	348 process such data as necessary to perform system maintenance or diagnostics;
378	378	349 develop, maintain, repair, or enhance a product or service for which such data was
379	379	350collected; 19 of 62
380	380	351 to conduct internal research or analytics to improve a product or service for which such
381	381	352data was collected;
382	382	353 perform inventory management or reasonable network management;
383	383	354 protect against spam; or
384	384	355 debug or repair errors that impair the functionality of a service or product for which such
385	385	356data was collected.
386	386	357 A covered entity or service provider shall not:—
387	387	358 engage in deceptive advertising or marketing with respect to a product or service offered
388	388	359to an individual; or
389	389	360 draw an individual into signing up for or acquiring a product or service through:—
390	390	361 the use of any false, fictitious, fraudulent, or materially misleading statement or
391	391	362representation; or
392	392	363 the design, modification, or manipulation of any user interface with the purpose or
393	393	364substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy,
394	394	365decision-making, or choice.
395	395	366 Nothing in this chapter shall be construed or interpreted to:—
396	396	367 limit or diminish free speech rights of covered entities guaranteed under the First
397	397	368Amendment to the Constitution of the United States or under Article 16 of Massachusetts
398	398	369Declaration of Rights; or 20 of 62
399	399	370 imply any purpose that is not enumerated in subsections (a) and (b), when applicable.
400	400	371 Section 3. Sensitive covered data.
401	401	372 A covered entity or service provider shall not:—
402	402	373 collect, process, or transfer a Social Security number, except when necessary to facilitate
403	403	374an extension of credit, authentication, fraud and identity fraud detection and prevention, the
404	404	375payment or collection of taxes, the enforcement of a contract between parties, or the prevention,
405	405	376investigation, or prosecution of fraud or illegal activity, or as otherwise required by state or
406	406	377federal law;
407	407	378 collect or process sensitive covered data, except where such collection or processing is
408	408	379strictly necessary to provide or maintain a specific product or service requested by the individual
409	409	380to whom the covered data pertains or is strictly necessary to effect a purpose enumerated in
410	410	381paragraphs (1), (2), (3), (5), (7), (9), (10), (11), (13), (14) of subsection (a) of section 2, and such
411	411	382data is only used for that purposes;
412	412	383 transfer an individual’s sensitive covered data to a third party, unless:—
413	413	384 the transfer is made pursuant to the affirmative express consent of the individual, given
414	414	385before each specific transfer takes place;
415	415	386 the transfer is necessary to comply with a legal obligation imposed by state or federal
416	416	387law, so long as such obligation preexisted the collection and previous notice of such obligation
417	417	388was provided to the individual to whom the data pertains; 21 of 62
418	418	389 the transfer is necessary to prevent an individual from imminent injury where the covered
419	419	390entity believes in good faith that the individual is at risk of death, serious physical injury, or
420	420	391serious health risk;
421	421	392 in the case of the transfer of a password, the transfer is necessary to use a designated
422	422	393password manager or is to a covered entity for the exclusive purpose of identifying passwords
423	423	394that are being re-used across sites or accounts;
424	424	395 in the case of the transfer of genetic information, the transfer is necessary to perform a
425	425	396medical diagnosis or medical treatment specifically requested by an individual, or to conduct
426	426	397medical research in accordance with federal and state law; and
427	427	398 in the case of transfer assets in case of a merger, if the transfer is made in accordance
428	428	399with paragraph (14) of subsection (a) of section (2); or
429	429	400 process sensitive covered data for purposes of targeted advertising.
430	430	401 Section 4. Consent practices
431	431	402 The requirements of this chapter with respect to a request for affirmative consent from a
432	432	403covered entity to an individual are the following:—
433	433	404 The request for affirmative consent should be provided to the individual in a clear and
434	434	405conspicuous standalone disclosure made through the primary medium used to offer the covered
435	435	406entity’s product or service, or only if the product or service is not offered in a medium that
436	436	407permits the making of the request under this paragraph, another medium regularly used in
437	437	408conjunction with the covered entity’s product or service; 22 of 62
438	438	409 The request includes a description of the processing purpose for which the individual’s
439	439	410consent is sought by:—
440	440	411 clearly stating the specific categories of covered data that the covered entity shall collect,
441	441	412process, and transfer necessary to effectuate the processing purpose; and
442	442	413 including a prominent heading and is reasonably understandable so that an individual can
443	443	414identify and understand the processing purpose for which consent is sought and the covered data
444	444	415to be collected, processed, or transferred by the covered entity for such processing purpose;
445	445	416 The request clearly explains the individual’s applicable rights related to consent;
446	446	417 The request is made in a manner reasonably accessible to and usable by individuals with
447	447	418disabilities;
448	448	419 The request is made available to the individual in each covered language in which the
449	449	420covered entity provides a product or service for which authorization is sought;
450	450	421 The option to refuse consent shall be at least as prominent as the option to accept, and the
451	451	422option to refuse consent shall take the same number of steps or fewer as the option to accept; and
452	452	423 Processing or transferring any covered data collected pursuant to affirmative express
453	453	424consent for a different processing purpose than that for which affirmative express consent was
454	454	425obtained shall require affirmative express consent for the subsequent processing purpose.
455	455	426 A covered entity shall not infer that an individual has provided affirmative express
456	456	427consent to a practice from the inaction of the individual or the individual’s continued use of a
457	457	428service or product provided by the covered entity. 23 of 62
458	458	429 A covered entity shall not obtain or attempt to obtain the affirmative express consent of
459	459	430an individual through:—
460	460	431 the use of any false, fictitious, fraudulent, or materially misleading statement or
461	461	432representation; or
462	462	433 the design, modification, or manipulation of any user interface with the purpose or
463	463	434substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy,
464	464	435decision-making, or choice to provide such consent or any covered data.
465	465	436 Section 5. Privacy by design
466	466	437 A covered entity and a service provider shall establish, implement, and maintain
467	467	438reasonable policies, practices, and procedures that reflect the role of the covered entity or service
468	468	439provider in the collection, processing, and transferring of covered data and that:—
469	469	440 consider applicable federal and state laws, rules, or regulations related to covered data the
470	470	441covered entity or service provider collects, processes, or transfers;
471	471	442 identify, assess, and mitigate privacy risks related to covered minors;
472	472	443 mitigate privacy risks, including substantial privacy risks, related to the products and
473	473	444services of the covered entity or the service provider, including in the design, development, and
474	474	445implementation of such products and services, considering the role of the covered entity or
475	475	446service provider and the information available to it; and
476	476	447 implement reasonable training and safeguards within the covered entity and service
477	477	448provider to promote compliance with all privacy laws applicable to covered data the covered
478	478	449entity collects, processes, or transfers or covered data the service provider collects, processes, or 24 of 62
479	479	450transfers on behalf of the covered entity and mitigate privacy risks, including substantial privacy
480	480	451risks, taking into account the role of the covered entity or service provider and the information
481	481	452available to it.
482	482	453 The policies, practices, and procedures established by a covered entity and a service
483	483	454provider under subsection (a), shall correspond with, as applicable:—
484	484	455 the size of the covered entity or the service provider and the nature, scope, and
485	485	456complexity of the activities engaged in by the covered entity or service provider, including
486	486	457whether the covered entity or service provider is a large data holder, nonprofit organization,
487	487	458small business, third party, or data broker, considering the role of the covered entity or service
488	488	459provider and the information available to it;
489	489	460 the sensitivity of the covered data collected, processed, or transferred by the covered
490	490	461entity or service provider;
491	491	462 the volume of covered data collected, processed, or transferred by the covered entity or
492	492	463service provider;
493	493	464 the number of individuals and devices to which the covered data collected, processed, or
494	494	465transferred by the covered entity or service provider relates; and
495	495	466 the cost of implementing such policies, practices, and procedures in relation to the risks
496	496	467and nature of the covered data.
497	497	468 Section 6. Pricing
498	498	469 A covered entity may not retaliate against an individual for:— 25 of 62
499	499	470 exercising any of the rights guaranteed by this chapter, or any regulations promulgated
500	500	471under this chapter; or
501	501	472 refusing to agree to collection or processing of covered data for a separate product or
502	502	473service, including denying goods or services, charging different prices or rates for goods or
503	503	474services, or providing a different level of quality of goods or services.
504	504	475 Nothing in subsection (a) shall be construed to:—
505	505	476 prohibit the relation of the price of a service or the level of service provided to an
506	506	477individual to the provision, by the individual, of financial information that is necessarily
507	507	478collected and processed only for the purpose of initiating, rendering, billing for, or collecting
508	508	479payment for a service or product requested by the individual;
509	509	480 prohibit a covered entity from offering a different price, rate, level, quality or selection of
510	510	481goods or services to an individual, including offering goods or services for no fee, if the offering
511	511	482is in connection with an individual’s voluntary participation in a bona fide loyalty, , rewards,
512	512	483premium features, discount or club card program, provided, that the covered entity may not sell
513	513	484covered data to a third-party as part of such a program unless:—
514	514	485 the sale is reasonably necessary to enable the third party to provide a benefit to which the
515	515	486consumer is entitled;
516	516	487 the sale of personal data to third parties is clearly disclosed in the terms of the program;
517	517	488and 26 of 62
518	518	489 the third party uses the personal data only for purposes of facilitating such a benefit to
519	519	490which the consumer is entitled and does not retain or otherwise use or disclose the personal data
520	520	491for any other purpose;
521	521	492 require a covered entity to provide a bona fide loyalty program that would require the
522	522	493covered entity to collect, process, or transfer covered data that the covered entity otherwise
523	523	494would not collect, process, or transfer;
524	524	495 prohibit a covered entity from offering a financial incentive or other consideration to an
525	525	496individual for participation in market research;
526	526	497 prohibit a covered entity from offering different types of pricing or functionalities with
527	527	498respect to a product or service based on an individual’s exercise of a right to delete; or
528	528	499 prohibit a covered entity from declining to provide a product or service insofar as the
529	529	500collection and processing of covered data is strictly necessary for such product or service.
530	530	501 Notwithstanding the provisions in this subsection, no covered entity may offer
531	531	502different types of pricing that are unjust, unreasonable, coercive, or usurious in nature.
532	532	503 Section 7. Privacy policy
533	533	504 Each covered entity and service provider shall make publicly available, in a clear,
534	534	505conspicuous, not misleading, a reasonably understandable privacy policy that provides a detailed
535	535	506and accurate representation of the data collection, processing, and transfer activities of the
536	536	507covered entity.
537	537	508 The privacy policy must be provided in a manner that is reasonably accessible to and
538	538	509usable by individuals with disabilities. The policy shall be made available to the public in each 27 of 62
539	539	510covered language in which the covered entity or service provider provides a product or service
540	540	511that is subject to the privacy policy; or carries out activities related to such product or service.
541	541	512 The privacy policy must include, at a minimum, the following:—
542	542	513 The identity and the contact information of:—
543	543	514 the covered entity or service provider to which the privacy policy applies, including the
544	544	515covered entity’s or service provider’s points of contact and generic electronic mail addresses, as
545	545	516applicable for privacy and data security inquiries;
546	546	517 any other entity within the same corporate structure as the covered entity or service
547	547	518provider to which covered data is transferred by the covered entity;
548	548	519 the categories of covered data the covered entity or service provider collects or processes;
549	549	520 the processing purposes for each category of covered data the covered entity or service
550	550	521provider collects or processes;
551	551	522 whether the covered entity or service provider transfers covered data and, if so, each
552	552	523category of service provider and third party to which the covered entity or service provider
553	553	524transfers covered data, the name of each data broker to which the covered entity or service
554	554	525provider transfers covered data, and the purposes for which such data is transferred to such
555	555	526categories of service providers and third parties or third-party collecting entities, except for a
556	556	527transfer to a governmental entity pursuant to a court order or law that prohibits the covered entity
557	557	528or service provider from disclosing such transfer;
558	558	529 The length of time the covered entity or service provider intends to retain each category
559	559	530of covered data, including sensitive covered data, or, if it is not possible to identify that 28 of 62
560	560	531timeframe, the criteria used to determine the length of time the covered entity or service provider
561	561	532intends to retain categories of covered data;
562	562	533 A prominent description of how an individual can exercise the rights described in this
563	563	534chapter;
564	564	535 A general description of the covered entity’s or service provider’s data security practices;
565	565	536and
566	566	537 The effective date of the privacy policy.
567	567	538 If a covered entity makes a material change to its privacy policy or practices, the covered
568	568	539entity shall notify each individual affected by such material change before implementing the
569	569	540material change with respect to any prospectively collected covered data and, except as provided
570	570	541in paragraphs (1) through (15) of section 2, provide a reasonable opportunity for each individual
571	571	542to withdraw consent to any further materially different collection, processing, or transfer of
572	572	543previously collected covered data under the changed policy.
573	573	544 The covered entity shall take all reasonable electronic measures to provide direct
574	574	545notification regarding material changes to the privacy policy to each affected individual, in each
575	575	546covered language in which the privacy policy is made available, and taking into account
576	576	547available technology and the nature of the relationship.
577	577	548 Nothing in this section shall be construed to affect the requirements for covered entities
578	578	549under other sections of this chapter.
579	579	550 Each large data holder shall retain copies of previous versions of its privacy policy for at
580	580	551least 10 years beginning after the date of enactment of this chapter and publish them on its 29 of 62
581	581	552website. Such large data holder shall make publicly available, in a clear, conspicuous, and
582	582	553readily accessible manner, a log describing the date and nature of each material change to its
583	583	554privacy policy over the past 10 years. The descriptions shall be sufficient for a reasonable
584	584	555individual to understand the material effect of each material change. The obligations in this
585	585	556paragraph shall not apply to any previous versions of a large data holder’s privacy policy, or any
586	586	557material changes to such policy, that precede the date of enactment of this Act.
587	587	558 In addition to the privacy policy required under subsection (a), a large data holder that is
588	588	559a covered entity shall provide a short form notice of no more than 500 words in length that
589	589	560includes the main features of their data practices.
590	590	561 Section 8. Individual data rights
591	591	562 A covered entity shall provide an individual, after receiving a verified request from the
592	592	563individual, with the right to:—
593	593	564 access:—
594	594	565 in a human-readable format that a reasonable individual can understand and download
595	595	566from the internet, the covered data (except covered data in a back-up or archival system) of the
596	596	567individual making the request that is collected, processed, or transferred by the covered entity or
597	597	568any service provider of the covered entity within the 24 months preceding the request;
598	598	569 the categories of any third party, if applicable, and an option for consumers to obtain the
599	599	570names of any such third party as well as and the categories of any service providers to whom the
600	600	571covered entity has transferred for consideration the covered data of the individual, as well as the
601	601	572categories of sources from which the covered data was collected; and 30 of 62
602	602	573 a description of the purpose for which the covered entity transferred the covered data of
603	603	574the individual to a third party or service provider;
604	604	575 correct any verifiable substantial inaccuracy or substantially incomplete information with
605	605	576respect to the covered data of the individual that is processed by the covered entity and instruct
606	606	577the covered entity to make reasonable efforts to notify all third parties or service providers to
607	607	578which the covered entity transferred such covered data of the corrected information;
608	608	579 delete covered data of the individual that is processed by the covered entity and instruct
609	609	580the covered entity to make reasonable efforts to notify all third parties or service provider to
610	610	581which the covered entity transferred such covered data of the individual’s deletion request; and
611	611	582 to the extent technically feasible, export to the individual or directly to another entity the
612	612	583covered data of the individual that is processed by the covered entity, including inferences linked
613	613	584or reasonably linkable to the individual but not including other derived data, without licensing
614	614	585restrictions that limit such transfers in:—
615	615	586 a human-readable format that a reasonable individual can understand and download from
616	616	587the internet; and
617	617	588 a portable, structured, interoperable, and machine-readable format.
618	618	589 A covered entity may not condition, effectively condition, attempt to condition, or
619	619	590attempt to effectively condition the exercise of a right described in subsection (a) through:—
620	620	591 the use of any false, fictitious, fraudulent, or materially misleading statement or
621	621	592representation; or 31 of 62
622	622	593 the design, modification, or manipulation of any user interface with the purpose or
623	623	594substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy,
624	624	595decision making, or choice to exercise such right.
625	625	596 Subject to subsections (d) and (e), each request under subsection (a) shall be completed
626	626	597within 30 days of such request from an individual, unless it is demonstrably impracticable or
627	627	598impracticably costly to verify such individual.
628	628	599 A response period set forth in this subsection may be extended once by 20 additional
629	629	600days when reasonably necessary, considering the complexity and number of the individual’s
630	630	601requests, so long as the covered entity informs the individual of any such extension within the
631	631	602initial 30-day response period, together with the reason for the extension.
632	632	603 A covered entity:—
633	633	604 shall provide an individual with the opportunity to exercise each of the rights described in
634	634	605subsection (a) and with respect to:—
635	635	606 the first two times that an individual exercises any right described in subsection (a) in any
636	636	60712-month period, shall allow the individual to exercise such right free of charge; and
637	637	608 any time beyond the initial two times described in subparagraph (A), may allow the
638	638	609individual to exercise such right for a reasonable fee for each request.
639	639	610 A covered entity may not permit an individual to exercise a right described in subsection
640	640	611(a), in whole or in part, if the covered entity:— 32 of 62
641	641	612 cannot reasonably verify that the individual making the request to exercise the right is the
642	642	613individual whose covered data is the subject of the request or an individual authorized to make
643	643	614such a request on the individual’s behalf;
644	644	615 reasonably believes that the request is made to interfere with a contract between the
645	645	616covered entity and another individual;
646	646	617 determines that the exercise of the right would require access to or correction of another
647	647	618individual’s sensitive covered data;
648	648	619 reasonably believes that the exercise of the right would require the covered entity to
649	649	620engage in an unfair or deceptive practice under state law; or
650	650	621 reasonably believes that the request is made to further fraud, support criminal activity, or
651	651	622the exercise of the right presents a data security threat.
652	652	623 If a covered entity cannot reasonably verify that a request to exercise a right described in
653	653	624subsection (a) is made by the individual whose covered data is the subject of the request (or an
654	654	625individual authorized to make such a request on the individual’s behalf), the covered entity:—
655	655	626 may request that the individual making the request to exercise the right provide any
656	656	627additional information necessary for the sole purpose of verifying the identity of the individual;
657	657	628and
658	658	629 may not process or transfer such additional information for any other purpose.
659	659	630 A covered entity may decline, with adequate explanation to the individual, to comply
660	660	631with a request to exercise a right described in subsection (a), in whole or in part, that would:— 33 of 62
661	661	632 require the covered entity to retain any covered data collected for a single, one-time
662	662	633transaction, if such covered data is not processed or transferred by the covered entity for any
663	663	634purpose other than completing such transaction;
664	664	635 be demonstrably impracticable or prohibitively costly to comply with, and the covered
665	665	636entity shall provide a description to the requestor detailing the inability to comply with the
666	666	637request;
667	667	638 require the covered entity to attempt to re-identify de-identified data;
668	668	639 require the covered entity to maintain covered data in an identifiable form or collect,
669	669	640retain, or access any data in order to be capable of associating a verified individual request with
670	670	641covered data of such individual;
671	671	642 result in the release of trade secrets or other privileged or confidential business
672	672	643information;
673	673	644 require the covered entity to correct any covered data that cannot be reasonably verified
674	674	645as being inaccurate or incomplete;
675	675	646 interfere with law enforcement, judicial proceedings, investigations, or reasonable efforts
676	676	647to guard against, detect, prevent, or investigate fraudulent, malicious, or unlawful activity, or
677	677	648enforce valid contracts;
678	678	649 violate state or federal law or the rights and freedoms of another individual, including
679	679	650under the Constitution of the United States and Massachusetts Declaration of Rights;
680	680	651 prevent a covered entity from being able to maintain a confidential record of deletion
681	681	652requests, maintained solely for the purpose of preventing covered data of an individual from 34 of 62
682	682	653being recollected after the individual submitted a deletion request and requested that the covered
683	683	654entity no longer collect, process, or transfer such data; or
684	684	655 endanger the source of the data if such data could only have been obtained from a single
685	685	656identified source.
686	686	657 A covered entity may decline, with adequate explanation to the individual, to comply
687	687	658with a request for deletion pursuant to paragraph (3) of subsection (a) if such request:—
688	688	659 unreasonably interfere with the provision of products or services by the covered entity to
689	689	660another person it currently serves;
690	690	661 requests to delete covered data that relates to (A) a public figure, public official, or
691	691	662limited-purpose public figure; or (B) any other individual that has no reasonable expectation of
692	692	663privacy with respect to such data;
693	693	664 requests to delete covered data reasonably necessary to perform a contract between the
694	694	665covered entity and the individual;
695	695	666 requests to delete covered data that the covered entity needs to retain in order to comply
696	696	667with professional ethical obligations;
697	697	668 requests to delete covered data that the covered entity reasonably believes may be
698	698	669evidence of unlawful activity or an abuse of the covered entity’s products or service; or
699	699	670 involves private elementary and secondary schools as defined by state law and private
700	700	671institutions of higher education as defined by title I of the Higher Education Act of 1965 and
701	701	672targets covered data that would unreasonably interfere with the provision of education services
702	702	673by or the ordinary operation of the school or institution. 35 of 62
703	703	674 In a circumstance that would allow a denial pursuant to this section, a covered entity shall
704	704	675partially comply with the remainder of the request if it is possible and not unduly burdensome to
705	705	676do so.
706	706	677 The receipt of a large number of verified requests, on its own, may not be considered to
707	707	678render compliance with a request demonstrably impracticable.
708	708	679 A covered entity shall facilitate the ability of individuals to make requests under
709	709	680subsection (a) in any covered language in which the covered entity provides a product or service.
710	710	681The mechanisms by which a covered entity enables individuals to make requests under
711	711	682subsection (a) shall be readily accessible and usable by individuals with disabilities.
712	712	683 Section 9. Advanced data rights.
713	713	684 Covered entities shall provide an individual with a clear and conspicuous, easy-to-
714	714	685execute means to withdraw affirmative express consent. Those means shall be as easy to execute
715	715	686by a reasonable individual as the means to provide consent.
716	716	687 Right to opt-out of covered data transfers. A covered entity:—
717	717	688 may not transfer or direct the transfer of the covered data of an individual to a third party
718	718	689if the individual objects to the transfer; and
719	719	690 shall allow an individual to object to such a transfer through an opt out mechanism, as
720	720	691described in section 12.
721	721	692 Right to opt out of targeted advertising. A covered entity or service provider that directly
722	722	693delivers a targeted advertisement shall:— 36 of 62
723	723	694 prior to engaging in targeted advertising to an individual or device and at all times,
724	724	695thereafter, provide such individual with a clear and conspicuous means to opt out of targeted
725	725	696advertising;
726	726	697 abide by any opt-out designation by an individual with respect to targeted advertising and
727	727	698notify the covered entity that directed the service provider to deliver the targeted advertisement
728	728	699of the opt-out decision; and
729	729	700 allow an individual to make an opt-out designation with respect to targeted advertising
730	730	701through an opt-out mechanism.
731	731	702 A covered entity or service provider that receives an opt-out notification pursuant to this
732	732	703section shall abide by such opt-out designations by an individual and notify any other person that
733	733	704directed the covered entity or service provider to serve, deliver, or otherwise handle the
734	734	705advertisement of the opt-out decision.
735	735	706 A covered entity may not condition, effectively condition, attempt to condition, or
736	736	707attempt to effectively condition the exercise of any individual right under this section through:—
737	737	708 the use of any false, fictitious, fraudulent, or materially misleading statement or
738	738	709representation; or
739	739	710 the design, modification, or manipulation of any user interface with the purpose or
740	740	711substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy,
741	741	712decision making, or choice to exercise any such right.
742	742	713 A covered entity shall notify third parties who had access to an individual’s covered data
743	743	714when the individual exercises any of the rights established in this section. The third party shall 37 of 62
744	744	715comply with the request to opt-out of sale or data transfer forwarded to them from a covered
745	745	716entity that provided, made available, or authorized the collection of the individual’s covered data.
746	746	717The third party shall comply with the request in the same way a covered entity is required to
747	747	718comply with the request. The third party shall no longer retain, use, or disclose the personal
748	748	719information unless the third party becomes a service provider or a covered entity in the terms of
749	749	720this chapter.
750	750	721 Section 10. Minors
751	751	722 A covered entity may not engage in targeted advertising to any individual if the covered
752	752	723entity has knowledge that the individual is a covered minor.
753	753	724 Section 11. Data Brokers
754	754	725 Each data broker shall place a clear, conspicuous, not misleading, and readily accessible
755	755	726notice on the website or mobile application of the data broker (if the data broker maintains such a
756	756	727website or mobile application) that:—
757	757	728 notifies individuals that the entity is a data broker;
758	758	729 includes a link to the data broker registry website; and
759	759	730 is reasonably accessible to and usable by individuals with disabilities.
760	760	731 Data broker registration. Not later than January 31 of each calendar year that follows a
761	761	732calendar year during which a covered entity acted as a data broker, data brokers shall register
762	762	733with the OCABR in accordance with this subsection.
763	763	734 In registering with the OCABR, a data broker shall do the following:— 38 of 62
764	764	735 Pay to the OCABR a registration fee of $100;
765	765	736 Provide the OCABR with the following information:—
766	766	737 The legal name and primary physical, email, and internet addresses of the data broker;
767	767	738 A description of the categories of covered data the data broker processes and transfers;
768	768	739 (C) The contact information of the data broker, including a contact person, a telephone
769	769	740number, an e-mail address, a website, and a physical mailing address; and
770	770	741 (D) A link to a website through which an individual may easily exercise the rights
771	771	742provided under this subsection.
772	772	743 The OCABR shall establish and maintain on a website a searchable, publicly available,
773	773	744central registry of third-party collecting entities that are registered with the OCABR under this
774	774	745subsection that includes a listing of all registered data brokers and a search feature that allows
775	775	746members of the public to identify individual data brokers and access to the registration
776	776	747information provided under subsection (b).
777	777	748 Penalties. A data broker that fails to register or provide the notice as required under this
778	778	749section shall be liable for: —
779	779	750 a civil penalty of $100 for each day the data broker fails to register or provide notice as
780	780	751required under this section, not to exceed a total of $10,000 for any year; and
781	781	752 an amount equal to the registration fees for each year that the data broker failed to
782	782	753register as required under this subsection. 39 of 62
783	783	754 Nothing in this subsection shall be construed as altering, limiting, or affecting any
784	784	755enforcement authorities or remedies under this chapter.
785	785	756 Section 11. Civil rights protections
786	786	757 A covered entity or a service provider may not collect, process, or transfer covered data
787	787	758or publicly available data in a manner that discriminates in or otherwise makes unavailable the
788	788	759equal enjoyment of goods or services (i.e., has a disparate impact) on the basis of race, color,
789	789	760religion, national origin, sex, sexual orientation, gender identity or disability.
790	790	761 This subsection shall not apply to:—
791	791	762 the collection, processing, or transfer of covered data for the purpose of: —
792	792	763 covered entity’s or a service provider’s self-testing to prevent or mitigate unlawful
793	793	764discrimination; or
794	794	765 diversifying an applicant, participant, or customer pool; or
795	795	766 any private club or group not open to the public, as described in section 201(e) of the
796	796	767Civil Rights Act of 1964, 42 U.S.C. section 2000a(e).
797	797	768 Whenever the Attorney General obtains information that a covered entity or service
798	798	769provider may have collected, processed, or transferred covered data in violation of subsection
799	799	770(a), the Attorney General shall initiate enforcement actions relating to such violation in
800	800	771accordance with section (14) this chapter. 40 of 62
801	801	772 Not later than 3 years after the date of enactment of this chapter, and annually thereafter,
802	802	773the Attorney General shall submit to the legislature a report that includes a summary of the
803	803	774enforcement actions taken under this subsection.
804	804	775 Covered algorithm impact and evaluation. Notwithstanding any other provision of law,
805	805	776not later than 2 years after the date of enactment of this chapter, and annually thereafter, a large
806	806	777data holders that uses a covered algorithm in a manner that poses a consequential risk of harm to
807	807	778an individual or group of individuals, and uses such covered algorithm solely or in part, to
808	808	779collect, process, or transfer covered data or publicly available data shall conduct an impact
809	809	780assessment of such algorithm in accordance with paragraph (1).
810	810	781 The impact assessment required under subsection (d) shall provide the following: —
811	811	782 A detailed description of the design process and methodologies of the covered algorithm;
812	812	783 A statement of the purpose and proposed uses of the covered algorithm;
813	813	784 A detailed description of the data used by the covered algorithm, including the specific
814	814	785categories of data that will be processed as input and any data used to train the model that the
815	815	786covered algorithm relies on, if applicable;
816	816	787 A description of the outputs produced by the covered algorithm as well as the outcomes
817	817	788of their use;
818	818	789 An assessment of the necessity and proportionality of the covered algorithm in relation to
819	819	790its stated purpose; and 41 of 62
820	820	791 A detailed description of steps the large data holder has taken or will take to mitigate
821	821	792potential harms from the covered algorithm to an individual or group of individuals, including
822	822	793related to:—
823	823	794 covered minors;
824	824	795 making or facilitating advertising for, or determining access to, or restrictions on the use
825	825	796of housing, education, employment, healthcare, insurance, or credit opportunities;
826	826	797 determining access to, or restrictions on the use of, any place of public accommodation,
827	827	798particularly as such harms relate to the protected characteristics of individuals, including race,
828	828	799color, religion, national origin, sex, sexual orientation, gender identity or disability;
829	829	800 disparate impact on the basis of individuals’ race, color, religion, national origin, sex,
830	830	801sexual orientation, gender identity or disability status; or
831	831	802 disparate impact on the basis of individuals’ political party registration status.
832	832	803 Notwithstanding any other provision of law, not later than 2 years after the date of
833	833	804enactment of this chapter, a covered entity or service provider that knowingly develops a covered
834	834	805algorithm that is designed, solely or in part, to collect, process, or transfer covered data in
835	835	806furtherance of a consequential decision shall, prior to deploying the covered algorithm evaluate
836	836	807the design, structure, and inputs of the covered algorithm, including any training data used to
837	837	808develop the covered algorithm, to reduce the risk of the potential harms identified under the
838	838	809previous paragraph.
839	839	810 In complying with paragraphs (1) and (2), a covered entity and a service provider may
840	840	811focus the impact assessment or evaluation on any covered algorithm, or portions of a covered 42 of 62
841	841	812algorithm, that will be put to use and may reasonably contribute to the risk of the potential harms
842	842	813identified under paragraph (2).
843	843	814 A covered entity and a service provider shall:—
844	844	815 submit the impact assessment or evaluation conducted under paragraph (1) or (2) to the
845	845	816Attorney General not later than 30 days after completing an impact assessment or evaluation;
846	846	817 make such impact assessment and evaluation available to the legislature, upon request;
847	847	818and
848	848	819 make a summary of such impact assessment and evaluation publicly available in a their
849	849	820website or any other similar place that is easily accessible to individuals.
850	850	821 Covered entities and service providers may redact and segregate any trade secrets, as
851	851	822defined in 18 U.S.C. section 1839, or other confidential or proprietary information from public
852	852	823disclosure under this subsection.
853	853	824 The Attorney General may not use any information obtained solely and exclusively
854	854	825through a covered entity or a service provider’s disclosure of information to the Attorney
855	855	826General in compliance with this section for any other purpose than enforcing this chapter;
856	856	827provided, however, that it may be used for enforcing consent orders.
857	857	828 The previous subparagraph does not preclude the Attorney General from providing
858	858	829information about a covered entity to the legislature in response to a subpoena.
859	859	830 Section 12. Miscellaneous 43 of 62
860	860	831 Not later than 18 months after the date of enactment of this chapter, the OCABR shall
861	861	832establish or recognize one or more acceptable privacy protective, centralized mechanisms for
862	862	833individuals to exercise the opt-out rights recognized in section 9.
863	863	834 Any such centralized opt-out mechanism shall:—
864	864	835 require covered entities or service providers acting on behalf of covered entities to inform
865	865	836individuals about the centralized opt-out choice;
866	866	837 not be required to be the default setting, but may be the default setting provided that in all
867	867	838cases the mechanism clearly represents the individual’s affirmative, freely given, and
868	868	839unambiguous choice to opt out;
869	869	840 be consumer-friendly, clearly described, and easy-to-use by a reasonable individual;
870	870	841 be provided in any covered language in which the covered entity provides products or
871	871	842services subject to the opt-out; and
872	872	843 be provided in a manner that is reasonably accessible to and usable by individuals with
873	873	844disabilities.
874	874	845 A covered entity or service provider that is not a small business shall designate:—
875	875	846 1 or more qualified employees as privacy officers; and
876	876	847 1 or more qualified employees as data security officers.
877	877	848 An employee who is designated as a privacy officer or a data security officer pursuant to
878	878	849subsection (c) shall, at a minimum:— 44 of 62
879	879	850 implement a data privacy program and data security program to safeguard the privacy
880	880	851and security of covered data in compliance with the requirements of this chapter; and
881	881	852 facilitate the covered entity or service provider’s ongoing compliance with this chapter.
882	882	853 Each covered entity that is a large data holder shall conduct a privacy impact assessment
883	883	854that weighs the benefits of the large data holder’s covered data collecting, processing, and
884	884	855transfer practices against the potential adverse consequences of such practices, including
885	885	856substantial privacy risks, to individual privacy.
886	886	857 The assessment shall be conducted not later than 1 year after the date of enactment of this
887	887	858chapter or 1 year after the date on which a covered entity first meets the definition of large data
888	888	859holder, whichever is earlier, and biennially thereafter.
889	889	860 A privacy impact assessment required under subsection (e) shall be: —
890	890	861 reasonable and appropriate in scope given:—
891	891	862 the nature of the covered data collected, processed, and transferred by the large data
892	892	863holder;
893	893	864 the volume of the covered data collected, processed, and transferred by the large data
894	894	865holder; and
895	895	866 the potential material risks posed to the privacy of individuals by the collecting,
896	896	867processing, and transfer of covered data by the large data holder;
897	897	868 documented in written form and maintained by the large data holder unless rendered out
898	898	869of date by a subsequent assessment conducted under subsection (e); and 45 of 62
899	899	870 approved by the privacy protection officer designated pursuant to subsection (c).
900	900	871 In assessing the privacy risks, including substantial privacy risks, the large data holder
901	901	872must include reviews of the means by which technologies are used to secure covered data.
902	902	873 Section 13. Service providers.
903	903	874 A service provider:—
904	904	875 shall adhere to the instructions of a covered entity and only collect, process, and transfer
905	905	876service provider data to the extent necessary and proportionate to provide a service requested by
906	906	877the covered entity, as set out in the contract required by subsection (b), and this paragraph does
907	907	878not require a service provider to collect, process, or transfer covered data if the service provider
908	908	879would not otherwise do so;
909	909	880 may not collect, process, or transfer service provider data if the service provider has
910	910	881actual knowledge that a covered entity violated this chapter with respect to such data;
911	911	882 shall assist a covered entity in responding to a request made by an individual under this
912	912	883chapter, by either:—
913	913	884 providing appropriate technical and organizational measures, considering the nature of
914	914	885the processing and the information reasonably available to the service provider, for the covered
915	915	886entity to comply with such request for service provider data; or
916	916	887 fulfilling a request by a covered entity to execute an individual rights request that the
917	917	888covered entity has determined should be complied with, by either:—
918	918	889 complying with the request pursuant to the covered entity’s instructions; or 46 of 62
919	919	890 providing written verification to the covered entity that it does not hold covered data
920	920	891related to the request, that complying with the request would be inconsistent with its legal
921	921	892obligations, or that the request falls within an exception under this chapter;
922	922	893 may engage another service provider for purposes of processing service provider data on
923	923	894behalf of a covered entity only after providing that covered entity with notice and pursuant to a
924	924	895written contract that requires such other service provider to satisfy the obligations of the service
925	925	896provider with respect to such service provider data, including that the other service provider be
926	926	897treated as a service provider under this chapter;
927	927	898 shall, upon the reasonable request of the covered entity, make available to the covered
928	928	899entity information necessary to demonstrate the compliance of the service provider with the
929	929	900requirements of this chapter, which may include making available a report of an independent
930	930	901assessment arranged by the service provider on terms agreed to by the service provider and the
931	931	902covered entity, providing information necessary to enable the covered entity to conduct and
932	932	903document a privacy impact assessment required by this chapter;
933	933	904 shall, at the covered entity’s direction, delete or return all covered data to the covered
934	934	905entity as requested at the end of the provision of services, unless retention of the covered data is
935	935	906required by law;
936	936	907 shall develop, implement, and maintain reasonable administrative, technical, and physical
937	937	908safeguards that are designed to protect the security and confidentiality of covered data the service
938	938	909provider processes consistent with chapter 93H of the general laws; and
939	939	910 shall allow and cooperate with reasonable assessments by the covered entity or the
940	940	911covered entity’s designated assessor. Alternatively, the service provider may arrange for a 47 of 62
941	941	912qualified and independent assessor to conduct an assessment of the service provider’s policies
942	942	913and technical and organizational measures in support of the obligations under this chapter using
943	943	914an appropriate and accepted control standard or framework and assessment procedure for such
944	944	915assessments. The service provider shall provide a report of such assessment to the covered entity
945	945	916upon request.
946	946	917 A person or entity may only act as a service provider pursuant to a written contract
947	947	918between the covered entity and the service provider, or a written contract between one service
948	948	919provider and a second service provider as described under paragraph (4) of subsection (a), if the
949	949	920contract:—
950	950	921 sets forth the data processing procedures of the service provider with respect to
951	951	922collection, processing, or transfer performed on behalf of the covered entity or service provider;
952	952	923 clearly sets forth:—
953	953	924 instructions for collecting, processing, or transferring data;
954	954	925 the nature and purpose of collecting, processing, or transferring;
955	955	926 the type of data subject to collecting, processing, or transferring;
956	956	927 the duration of processing; and
957	957	928 the rights and obligations of both parties, including a method by which the service
958	958	929provider shall notify the covered entity of material changes to its privacy practices;
959	959	930 does not relieve a covered entity or a service provider of any requirement or liability
960	960	931imposed on such covered entity or service provider under this chapter; and 48 of 62
961	961	932 prohibits:—
962	962	933 collecting, processing, or transferring covered data in contravention to subsection (a); and
963	963	934 combining service provider data with covered data which the service provider receives
964	964	935from or on behalf of another person or persons or collects from the interaction of the service
965	965	936provider with an individual, provided that such combining is not necessary to effectuate a
966	966	937purpose described in paragraphs (1) through (15) of section 2(a) and is otherwise permitted under
967	967	938the contract required by this subsection.
968	968	939 Each service provider shall retain copies of previous contracts entered into in compliance
969	969	940with this subsection with each covered entity to which it provides requested products or services.
970	970	941 The classification of a person or entity as a covered entity or as a service provider and the
971	971	942relationship between covered entities and service providers are regulated by the following
972	972	943provisions:—
973	973	944 Determining whether a person is acting as a covered entity or service provider with
974	974	945respect to a specific processing of covered data is a fact-based determination that depends upon
975	975	946the context in which such data is processed.
976	976	947 A person or entity that is not limited in its processing of covered data pursuant to the
977	977	948instructions of a covered entity, or that fails to adhere to such instructions, is a covered entity and
978	978	949not a service provider with respect to a specific processing of covered data. A service provider
979	979	950that continues to adhere to the instructions of a covered entity with respect to a specific
980	980	951processing of covered data remains a service provider. If a service provider begins, alone or 49 of 62
981	981	952jointly with others, determining the purposes and means of the processing of covered data, it is a
982	982	953covered entity and not a service provider with respect to the processing of such data.
983	983	954 A covered entity that transfers covered data to a service provider or a service provider
984	984	955that transfers covered data to a covered entity or another service provider, in compliance with the
985	985	956requirements of this chapter, is not liable for a violation of this chapter by the service provider or
986	986	957covered entity to whom such covered data was transferred, if at the time of transferring such
987	987	958covered data, the covered entity or service provider did not have actual knowledge that the
988	988	959service provider or covered entity would violate this chapter.
989	989	960 A covered entity or service provider that receives covered data in compliance with the
990	990	961requirements of this chapter is not in violation of this chapter as a result of a violation by a
991	991	962covered entity or service provider from which such data was received.
992	992	963 A third party:—
993	993	964 shall not process third party data for a processing purpose other than the processing
994	994	965purpose for which—
995	995	966 the individual gave affirmative express consent or to effect a purpose enumerated in
996	996	967paragraph (2), (3), or (5) of subsection (a) of section 2 in the case of sensitive covered data; or
997	997	968 the covered entity made a disclosure pursuant to their privacy policy and in the case of
998	998	969data that is not sensitive data;
999	999	970 may reasonably rely on representations made by the covered entity that transferred the
1000	1000	971third-party data if the third party conducts reasonable due diligence on the representations of the
1001	1001	972covered entity and finds those representations to be credible. 50 of 62
1002	1002	973 Solely for the purposes of this section, the requirements for service providers to contract
1003	1003	974with, assist, and follow the instructions of covered entities shall be read to include requirements
1004	1004	975to contract with, assist, and follow the instructions of a government entity if the service provider
1005	1005	976is providing a service to a government entity.
1006	1006	977 Section 14. Enforcement. Private Right of Action and Attorney General enforcement.
1007	1007	978 A violation of this chapter or a regulation promulgated under this chapter constitutes an
1008	1008	979injury to that individual.
1009	1009	980 Private right of action. Any individual alleging a violation of this chapter by a covered
1010	1010	981entity that is not a small business may bring a civil action in the superior court or any court of
1011	1011	982competent jurisdiction.
1012	1012	983 An individual protected by this chapter may not be required, as a condition of service or
1013	1013	984otherwise, to file an administrative complaint with the commission or to accept mandatory
1014	1014	985arbitration of a claim under this chapter.
1015	1015	986 The civil action shall be directed to the covered entity, data processor, and the third-
1016	1016	987parties alleged to have committed the violation.
1017	1017	988 In a civil action in which the plaintiff prevails, the court may award: —
1018	1018	989 liquidated damages of not less than 0.15% of the annual global revenue of the covered
1019	1019	990entity or $15,000 per violation, whichever is greater;
1020	1020	991 punitive damages; and 51 of 62
1021	1021	992 any other relief, including but not limited to an injunction, that the court deems to be
1022	1022	993appropriate.
1023	1023	994 In addition to any relief awarded pursuant to the previous paragraph, the court shall
1024	1024	995award reasonable attorney’s fees and costs to any prevailing plaintiff.
1025	1025	996 The attorney general may bring an action pursuant to section 4 of chapter 93A against a
1026	1026	997covered entity, service provider, third party or data broker to remedy violations of this chapter
1027	1027	998and for other relief that may be appropriate.
1028	1028	999 If the court finds that the defendant has employed any method, chapter, or practice which
1029	1029	1000they knew or should have known to be in violation of this chapter, the court may require such
1030	1030	1001person to pay to the commonwealth a civil penalty of:—
1031	1031	1002 not less than 0.15% of the annual global revenue or $15,000, whichever is greater, per
1032	1032	1003violation; and
1033	1033	1004 not more than 4% of the annual global revenue of the covered entity, data processor, or
1034	1034	1005third-party or $20,000,000, whichever is greater, per action if such action includes multiple
1035	1035	1006violations to multiple individuals;
1036	1036	1007 All money awards shall be paid to the commonwealth. The commonwealth shall identify
1037	1037	1008the individuals affected by the violation and earmark such money awards, penalties, or
1038	1038	1009assessments collected for purposes of paying for the damages they suffered as a consequence of
1039	1039	1010the violation.
1040	1040	1011 When calculating awards and civil penalties in all the actions in this section, the court
1041	1041	1012shall consider:— 52 of 62
1042	1042	1013 the number of affected individuals;
1043	1043	1014 the severity of the violation or noncompliance;
1044	1044	1015 the risks caused by the violation or noncompliance;
1045	1045	1016 whether the violation or noncompliance was part of a pattern of noncompliance and
1046	1046	1017violations and not an isolated instance;
1047	1047	1018 whether the violation or noncompliance was willful and not the result of error;
1048	1048	1019 the precautions taken by the defendant to prevent a violation;
1049	1049	1020 the number of administrative actions, lawsuits, settlements, and consent-decrees under
1050	1050	1021this chapter involving the defendant;
1051	1051	1022 the number of administrative actions, lawsuits, settlements, and consent-decrees
1052	1052	1023involving the defendant in other states and at the federal level in issues involving information
1053	1053	1024privacy; and
1054	1054	1025 the international record of the defendant when it comes to information privacy issues.
1055	1055	1026 It is a violation of this chapter for a covered entity or anyone else acting on behalf of a
1056	1056	1027covered entity to retaliate against an individual who makes a good-faith complaint that there has
1057	1057	1028been a failure to comply with any part of this chapter.
1058	1058	1029 An injured individual by a violation of the previous paragraph may bring a civil action
1059	1059	1030for monetary damages and injunctive relief in any court of competent jurisdiction.
1060	1060	1031 Section 15. Enforcement - Miscellaneous 53 of 62
1061	1061	1032 Any provision of a contract or agreement of any kind, including a covered entity’s terms
1062	1062	1033of service or a privacy policy, including the short-form privacy notice required under section 3
1063	1063	1034that purports to waive or limit in any way an individual’s rights under this chapter, including but
1064	1064	1035not limited to any right to a remedy or means of enforcement shall be deemed contrary to public
1065	1065	1036policy and shall be void and unenforceable.
1066	1066	1037 No covered entity that is a provider of an interactive computer service, as defined in 47
1067	1067	1038U.S.C. section 230, shall be treated as the publisher or speaker of any personal information
1068	1068	1039provided by another information content provider, as defined in 47 U.S.C. section 230 and
1069	1069	1040allowing posting of information by a user without other action by the interactive computer
1070	1070	1041service shall not be deemed processing of the personal information by the interactive computer
1071	1071	1042service.
1072	1072	1043 No private or government action brought pursuant to this chapter shall preclude any other
1073	1073	1044action under this chapter.
1074	1074	1045 Section 16. Transparency
1075	1075	1046 Covered entities that receive any form of a legal request for disclosure of personal
1076	1076	1047information pursuant to this chapter shall:—
1077	1077	1048 provide the Attorney General and the general public a bi-monthly report containing the
1078	1078	1049following aggregate information related to legal requests received by the covered entity, their
1079	1079	1050affiliated data processors, and any third parties they contracted with:—
1080	1080	1051 The total number of legal requests, disaggregated by type of requests such as warrants,
1081	1081	1052court orders, and subpoenas; 54 of 62
1082	1082	1053 The number of legal requests that resulted in the covered entity disclosing personal
1083	1083	1054information;
1084	1084	1055 The number of legal requests that did not result in the covered entity disclosing personal
1085	1085	1056information, including the reasons why the information was not disclosed;
1086	1086	1057 The type of personal information sought in the legal requests received by the covered
1087	1087	1058entity;
1088	1088	1059 The total number of legal requests seeking the disclosure of location or biometric
1089	1089	1060information;
1090	1090	1061 The number of legal requests that resulted in the covered entity disclosing location or
1091	1091	1062biometric information;
1092	1092	1063 The number of legal requests that did not result in the covered entity disclosing location
1093	1093	1064or biometric information, including the reasons for such no disclosure; and
1094	1094	1065 The nature of the proceedings from which the requests were ordered and whether it was a
1095	1095	1066government entity or a private person seeking the legal request;
1096	1096	1067 take all reasonable measures and engage in all legal actions available to ensure that the
1097	1097	1068legal request is valid under applicable laws and statutes; and
1098	1098	1069 require their affiliate data processors and third parties they contracted with to have
1099	1099	1070similar practices and standards.
1100	1100	1071 Section 17. Non-applicability
1101	1101	1072 This chapter shall not apply to:— 55 of 62
1102	1102	1073 personal information captured from a patient by a health care provider or health care
1103	1103	1074facility or biometric information collected, processed, used, or stored exclusively for medical
1104	1104	1075education or research, public health or epidemiological purposes, health care treatment,
1105	1105	1076insurance, payment, or operations under the federal Health Insurance Portability and
1106	1106	1077Accountability chapter of 1996, or to X-ray, roentgen process, computed tomography, MRI, PET
1107	1107	1078scan, mammography, or other image or film of the human anatomy used exclusively to diagnose,
1108	1108	1079prognose, or treat an illness or other medical condition or to further validate scientific testing or
1109	1109	1080screening;
1110	1110	1081 individuals sharing their personal contact information such as email addresses with other
1111	1111	1082individuals in the workplace, or other social, political, or similar settings where the purpose of
1112	1112	1083the information is to facilitate communication among such individuals, provided that this chapter
1113	1113	1084shall cover any processing of such contact information beyond interpersonal communication; or
1114	1114	1085 covered entities’ publication of entity-based member or employee contact information
1115	1115	1086where such publication is intended to allow members of the public to contact such member or
1116	1116	1087employee in the ordinary course of the entity’s operations.
1117	1117	1088 Section 18. Relationship with other laws
1118	1118	1089 Nothing in this chapter shall diminish any individual’s rights or obligations under the
1119	1119	1090Massachusetts Fair Information Practices chapter and its regulations.
1120	1120	1091 Section 19. Implementation
1121	1121	1092 The Attorney General shall:— 56 of 62
1122	1122	1093 adopt, amend, or repeal regulations for the implementation, administration, and
1123	1123	1094enforcement of this chapter;
1124	1124	1095 gather facts and information applicable to the Attorney General’s obligation to enforce
1125	1125	1096this chapter and ensure its compliance;
1126	1126	1097 conduct investigations for possible violations of this chapter;
1127	1127	1098 refer cases for criminal prosecution to the appropriate federal, state, or local authorities;
1128	1128	1099and
1129	1129	1100 maintain an official internet website outlining the provisions of this Act.
1130	1130	1101 Section 20. Severability
1131	1131	1102 Should any provision of this chapter or part hereof be held under any circumstances in
1132	1132	1103any jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect
1133	1133	1104the validity or enforceability of any other provision of this or other parts of this chapter.
1134	1134	1105
1135	1135	1106 SECTION 2. Chapter 149 of the General Laws, as appearing in the 2018 Official Edition,
1136	1136	1107is hereby amended by inserting after section 203 the following section:—
1137	1137	1108 Section 204. Workplace Surveillance
1138	1138	1109 For the purposes of this section, the following words shall have the following meanings
1139	1139	1110unless the context clearly requires otherwise: — 57 of 62
1140	1140	1111 “Information” also referred to as “employee information,” or “employee data”,
1141	1141	1112information that identifies, relates to, describes, is reasonably capable of being associated with,
1142	1142	1113or could reasonably be linked, directly or indirectly, with a particular employee, regardless of
1143	1143	1114how the information is collected, inferred, or obtained.
1144	1144	1115 “Electronic monitoring”, the collection of information concerning employee activities,
1145	1145	1116communications, actions, biometrics, or behaviors by electronic means.
1146	1146	1117 “Employment-related decision”, any decision made by the employer that affects wages,
1147	1147	1118benefits, hours, work schedule, performance evaluation, hiring, discipline, promotion,
1148	1148	1119termination, job content, productivity requirements, workplace health and safety, or any other
1149	1149	1120terms and conditions of employment.
1150	1150	1121 “Vendor”, a business engaged in a contract with an employer to provide services,
1151	1151	1122software, or technology that collects, stores, analyzes, or interprets employee information.
1152	1152	1123 “Facial recognition technology” shall have the meaning established in section 220 of
1153	1153	1124chapter 6 of the General Laws, as amended by Chapter 253 of the Acts of 2020.
1154	1154	1125 An employer, or vendor acting on behalf of an employer, shall not electronically monitor
1155	1155	1126an employee unless:—
1156	1156	1127 the electronic monitoring only purpose is to:—
1157	1157	1128 enable tasks that are necessary to accomplish essential job functions;
1158	1158	1129 monitor production processes or quality;
1159	1159	1130 comply with employment, labor, or other relevant laws; 58 of 62
1160	1160	1131 protect the safety and security of employees; or
1161	1161	1132 carry on other purposes as determined by the department of labor standards; and
1162	1162	1133 the specific form of electronic monitoring is:—
1163	1163	1134 necessary to accomplish the allowable purpose;
1164	1164	1135 the least invasive means that could reasonably be used to accomplish the allowable
1165	1165	1136purpose;
1166	1166	1137 limited to the smallest number of employees; and
1167	1167	1138 collecting the least amount of information necessary to accomplish the purpose
1168	1168	1139mentioned in (1).
1169	1169	1140 Notwithstanding subsection (b), the following practices shall be prohibited:—
1170	1170	1141 use of electronic monitoring that either directly or indirectly harms an employee’s
1171	1171	1142physical health, mental health, personal safety or wellbeing;
1172	1172	1143 monitoring of employees who are off-duty and not performing work-related tasks;
1173	1173	1144 audio-visual monitoring of bathrooms or other similarly private areas including locker
1174	1174	1145rooms and changing areas;
1175	1175	1146 audio-visual monitoring of break rooms, lounges, and other social spaces, except to
1176	1176	1147investigate specific illegal activity;
1177	1177	1148 use of facial recognition technology other than for the purpose of verifying the identity of
1178	1178	1149an employee for security purposes; and 59 of 62
1179	1179	1150 any other forms of electronic monitoring such as may be prohibited by the department of
1180	1180	1151labor standards.
1181	1181	1152 Employers shall not require employees to install applications on personal or mobile
1182	1182	1153devices that collect employee information or require employees to wear data-collecting devices,
1183	1183	1154including those that are incorporated into items of clothing or personal accessories, unless the
1184	1184	1155electronic monitoring is necessary to accomplish essential job functions and is narrowly limited
1185	1185	1156to only the activities and times necessary to accomplish essential job functions.
1186	1186	1157 Information resulting from electronic monitoring shall be accessed only by authorized
1187	1187	1158agents and used only for the purpose and duration for which notice was given in accordance with
1188	1188	1159subsection (f).
1189	1189	1160 Employers shall provide employees with notice that electronic monitoring will occur
1190	1190	1161prior to conducting each specific form of electronic monitoring. The notice must, at a minimum,
1191	1191	1162include:—
1192	1192	1163 a description of:—
1193	1193	1164 the purpose that the specific form of electronic monitoring is intended to accomplish, as
1194	1194	1165specified in subsection (b);
1195	1195	1166 the specific activities, locations, communications, and job roles that will be electronically
1196	1196	1167monitored;
1197	1197	1168 the technologies used to conduct the specific form of electronic monitoring; 60 of 62
1198	1198	1169 the vendors or other third parties that information collected through electronic monitoring
1199	1199	1170will be disclosed or transferred to, including the name of the vendor and the purpose for the data
1200	1200	1171transfer;
1201	1201	1172 the organizational positions that are authorized to access the information collected
1202	1202	1173through the specific form of electronic monitoring, and under what conditions; and
1203	1203	1174 the dates, times, and frequency that electronic monitoring will occur;
1204	1204	1175 the names of any vendors conducting electronic monitoring on the employer’s behalf; and
1205	1205	1176 an explanation of:—
1206	1206	1177 the reasons why the specific form of electronic monitoring is necessary to accomplish the
1207	1207	1178purpose; and
1208	1208	1179 how the specific monitoring practice is the least invasive means available to accomplish
1209	1209	1180the allowable monitoring purpose.
1210	1210	1181 The notice mentioned in (f) shall be clear and conspicuous and provide the employee
1211	1211	1182with actual notice of electronic monitoring activities.
1212	1212	1183 A notice that provides electronic monitoring "may" take place or that the employer
1213	1213	1184"reserves the right" to monitor shall not suffice.
1214	1214	1185 An employer who engages in random or periodic electronic monitoring of employees will
1215	1215	1186inform the affected employees of the specific events which are being monitored at the time the
1216	1216	1187monitoring takes place with a notice that shall be clear and conspicuous. 61 of 62
1217	1217	1188 Notwithstanding the previous paragraph, notice of random or periodic electronic
1218	1218	1189monitoring may be given after electronic monitoring has occurred only if necessary to preserve
1219	1219	1190the integrity of an investigation of wrongdoing or protect the immediate safety of employees,
1220	1220	1191customers, or the public.
1221	1221	1192 Employers shall provide a copy of the above notice disclosure to the department of labor
1222	1222	1193standards.
1223	1223	1194 An employer shall only use employee information collected through electronic
1224	1224	1195monitoring to accomplish its purpose, unless the information documents illegal activity.
1225	1225	1196 When making a hiring or employment-related decision using information collected
1226	1226	1197through electronic monitoring, an employer shall:—
1227	1227	1198 not make the decision based solely on such information;
1228	1228	1199 give the affected employee access to the data and provide an opportunity to correct or
1229	1229	1200explain it;
1230	1230	1201 corroborate such information by other means, such as independent documentation by
1231	1231	1202supervisors or managers, or by consultation with other employees; and
1232	1232	1203 document and communicate to affected employees the basis for the corroboration prior to
1233	1233	1204the decision going into effect.
1234	1234	1205 Subsection (k) shall not apply to those cases when electronic monitoring data provides
1235	1235	1206evidence of illegal activity.
1236	1236	1207 62 of 62
1237	1237	1208 SECTION 3. Effective date.
1238	1238	1209 The provisions of this Act shall take effect 12 months after this Act is enacted.
1239	1239	1210 The enforcement of chapter 93L shall be delayed until 6 months after the effective date.
1240	1240	1211
1241	1241	1212