| 1 | 1 | | 1 of 1 |
|---|
| 2 | 2 | | SENATE DOCKET, NO. 1971 FILED ON: 1/20/2023 |
|---|
| 3 | 3 | | SENATE . . . . . . . . . . . . . . No. 227 |
|---|
| 4 | 4 | | The Commonwealth of Massachusetts |
|---|
| 5 | 5 | | _________________ |
|---|
| 6 | 6 | | PRESENTED BY: |
|---|
| 7 | 7 | | Barry R. Finegold |
|---|
| 8 | 8 | | _________________ |
|---|
| 9 | 9 | | To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General |
|---|
| 10 | 10 | | Court assembled: |
|---|
| 11 | 11 | | The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill: |
|---|
| 12 | 12 | | An Act establishing the Massachusetts Information Privacy and Security Act. |
|---|
| 13 | 13 | | _______________ |
|---|
| 14 | 14 | | PETITION OF: |
|---|
| 15 | 15 | | NAME:DISTRICT/ADDRESS :Barry R. FinegoldSecond Essex and Middlesex 1 of 71 |
|---|
| 16 | 16 | | SENATE DOCKET, NO. 1971 FILED ON: 1/20/2023 |
|---|
| 17 | 17 | | SENATE . . . . . . . . . . . . . . No. 227 |
|---|
| 18 | 18 | | By Mr. Finegold, a petition (accompanied by bill, Senate, No. 227) of Barry R. Finegold for |
|---|
| 19 | 19 | | legislation to establish the Massachusetts Information Privacy and Security Act. Economic |
|---|
| 20 | 20 | | Development and Emerging Technologies. |
|---|
| 21 | 21 | | [SIMILAR MATTER FILED IN PREVIOUS SESSION |
|---|
| 22 | 22 | | SEE SENATE, NO. 2687 OF 2021-2022.] |
|---|
| 23 | 23 | | The Commonwealth of Massachusetts |
|---|
| 24 | 24 | | _______________ |
|---|
| 25 | 25 | | In the One Hundred and Ninety-Third General Court |
|---|
| 26 | 26 | | (2023-2024) |
|---|
| 27 | 27 | | _______________ |
|---|
| 28 | 28 | | An Act establishing the Massachusetts Information Privacy and Security Act. |
|---|
| 29 | 29 | | Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority |
|---|
| 30 | 30 | | of the same, as follows: |
|---|
| 31 | 31 | | 1 SECTION 1. The General Laws are hereby amended by inserting after chapter 93L the |
|---|
| 32 | 32 | | 2following chapter:- |
|---|
| 33 | 33 | | 3 CHAPTER 93M. The Massachusetts Information Privacy and Security Act. |
|---|
| 34 | 34 | | 4 Section 1. Title |
|---|
| 35 | 35 | | 5 This chapter shall be known as the “Massachusetts Information Privacy and Security |
|---|
| 36 | 36 | | 6Act.” |
|---|
| 37 | 37 | | 7 Section 2. Definitions 2 of 71 |
|---|
| 38 | 38 | | 8 As used in this chapter, the following words shall have the following meanings, unless |
|---|
| 39 | 39 | | 9the context clearly requires otherwise: |
|---|
| 40 | 40 | | 10 “Affiliate”, an entity that controls, is controlled by, or is under common control or shares |
|---|
| 41 | 41 | | 11common branding with another entity; provided, however, that for the purposes of this definition, |
|---|
| 42 | 42 | | 12“control” or “controlled” shall mean: |
|---|
| 43 | 43 | | 13 (1) ownership of more than 50 per cent of the outstanding shares of any class of voting |
|---|
| 44 | 44 | | 14security of the entity; |
|---|
| 45 | 45 | | 15 (2) control in any manner over the election of a majority of the entity’s directors or of |
|---|
| 46 | 46 | | 16persons exercising similar functions; or |
|---|
| 47 | 47 | | 17 (3) the power to otherwise exercise a controlling influence over the management of the |
|---|
| 48 | 48 | | 18entity. |
|---|
| 49 | 49 | | 19 “Biometric information”, a retina or iris scan, fingerprint, voiceprint, map or scan of hand |
|---|
| 50 | 50 | | 20or face geometry, vein pattern, gait pattern, or other personal information generated from the |
|---|
| 51 | 51 | | 21specific technical processing of an individual’s unique biological or physiological patterns or |
|---|
| 52 | 52 | | 22characteristics used to identify a specific individual; provided, however, that “biometric |
|---|
| 53 | 53 | | 23information” shall not include: |
|---|
| 54 | 54 | | 24 (1) a digital or physical photograph; |
|---|
| 55 | 55 | | 25 (2) an audio or video recording; or |
|---|
| 56 | 56 | | 26 (3) data generated from a digital or physical photograph, or an audio or video recording, |
|---|
| 57 | 57 | | 27unless such data is generated to identify a specific individual. 3 of 71 |
|---|
| 58 | 58 | | 28 “Business associate” shall have the same meaning as in 45 C.F.R. 160.103. |
|---|
| 59 | 59 | | 29 “Child”, an individual who a controller knows or reasonably should know is under the |
|---|
| 60 | 60 | | 30age of 13. |
|---|
| 61 | 61 | | 31 “Collect”, buying, renting, gathering, obtaining, receiving, or otherwise accessing any |
|---|
| 62 | 62 | | 32personal information pertaining to an individual by any means, including, but not limited to, |
|---|
| 63 | 63 | | 33obtaining information from an individual, either actively or passively, or by observing an |
|---|
| 64 | 64 | | 34individual’s behavior. |
|---|
| 65 | 65 | | 35 “Common branding”, a shared name, service mark, trademark, or other indicator that an |
|---|
| 66 | 66 | | 36individual would reasonably understand to indicate that two or more entities are commonly |
|---|
| 67 | 67 | | 37owned. |
|---|
| 68 | 68 | | 38 “Consent”, a clear affirmative act signifying an individual’s freely given, specific, |
|---|
| 69 | 69 | | 39informed, and unambiguous agreement to allow the processing of specific categories of personal |
|---|
| 70 | 70 | | 40information relating to the individual for a narrowly defined particular purpose; provided, |
|---|
| 71 | 71 | | 41however, that “consent” may include a written statement, including a statement written by |
|---|
| 72 | 72 | | 42electronic means, or any other unambiguous affirmative action; and provided further, that the |
|---|
| 73 | 73 | | 43following shall not constitute “consent”: |
|---|
| 74 | 74 | | 44 (1) acceptance of a general or broad terms of use or similar document that contains |
|---|
| 75 | 75 | | 45descriptions of personal information processing along with other, unrelated information; |
|---|
| 76 | 76 | | 46 (2) hovering over, muting, pausing, or closing a given piece of content; or |
|---|
| 77 | 77 | | 47 (3) agreement obtained through dark patterns or a false, fictitious, fraudulent, or |
|---|
| 78 | 78 | | 48materially misleading statement or representation. 4 of 71 |
|---|
| 79 | 79 | | 49 “Controller”, the entity that, alone or jointly with others, determines the purposes and |
|---|
| 80 | 80 | | 50means of the processing of personal information of an individual. |
|---|
| 81 | 81 | | 51 “Covered entity” shall have the same meaning as in 45 C.F.R. 160.103. |
|---|
| 82 | 82 | | 52 “Dark pattern”, a user interface that is designed, modified, or manipulated with the |
|---|
| 83 | 83 | | 53purpose or substantial effect of obscuring, subverting or impairing a reasonable individual’s |
|---|
| 84 | 84 | | 54autonomy, decision-making, or choice. |
|---|
| 85 | 85 | | 55 “Data broker”, a controller that, in a calendar year, knowingly collects and sells to third |
|---|
| 86 | 86 | | 56parties: |
|---|
| 87 | 87 | | 57 (1) the personal information of not less than 25,000 individuals; provided, however, that |
|---|
| 88 | 88 | | 58the controller derives not less than 25 percent of its annual global gross revenues from the sale of |
|---|
| 89 | 89 | | 59personal information; |
|---|
| 90 | 90 | | 60 (2) the biometric, genetic, or specific geolocation information of not less than 10,000 |
|---|
| 91 | 91 | | 61individuals; or |
|---|
| 92 | 92 | | 62 (3) the personal information of not less than 10,000 individuals with whom the controller |
|---|
| 93 | 93 | | 63does not have a direct relationship, including, but not limited to, a relationship in which an |
|---|
| 94 | 94 | | 64individual is a past or present: (i) customer, client, subscriber, user, or registered user of the |
|---|
| 95 | 95 | | 65controller’s goods or services; (ii) an employee, contractor, or agent of the controller; (iii) an |
|---|
| 96 | 96 | | 66investor in the controller; or (iv) a donor to the controller. |
|---|
| 97 | 97 | | 67 The following activities conducted by a controller, and the collection and sale of personal |
|---|
| 98 | 98 | | 68information incidental to conducting these activities, shall not qualify the controller as a data |
|---|
| 99 | 99 | | 69broker: (A) providing 411 directory assistance or directory information services, including name, 5 of 71 |
|---|
| 100 | 100 | | 70address, and telephone number, on behalf of or as a function of a telecommunications carrier; (B) |
|---|
| 101 | 101 | | 71providing publicly available information related to an individual’s business or profession; or (C) |
|---|
| 102 | 102 | | 72providing publicly available information via real-time or near-real-time alert services for health |
|---|
| 103 | 103 | | 73or safety purposes. |
|---|
| 104 | 104 | | 74 “De-identified information”, information that cannot reasonably be used to infer |
|---|
| 105 | 105 | | 75information about, or otherwise be linked to, an identified or identifiable individual or |
|---|
| 106 | 106 | | 76household, or a device linked to such individual or household; provided, however, that the |
|---|
| 107 | 107 | | 77controller that possesses the information: |
|---|
| 108 | 108 | | 78 (1) takes reasonable technical and organizational measures to ensure that the information |
|---|
| 109 | 109 | | 79cannot, at any point, be associated with or used to re-identify an identified or identifiable |
|---|
| 110 | 110 | | 80individual or household; |
|---|
| 111 | 111 | | 81 (2) publicly commits to process the information solely in a de-identified fashion; |
|---|
| 112 | 112 | | 82 (3) does not attempt to re-identify the information; provided, however, that the controller |
|---|
| 113 | 113 | | 83may attempt to re-identify the information solely for the purpose of determining whether its de- |
|---|
| 114 | 114 | | 84identification procedures satisfy the provisions of this definition; and |
|---|
| 115 | 115 | | 85 (4) contractually obligates any recipients of the information to comply with the |
|---|
| 116 | 116 | | 86provisions of this definition with respect to the information and requires that such obligations be |
|---|
| 117 | 117 | | 87included contractually in all subsequent instances for which the information may be received. |
|---|
| 118 | 118 | | 88 “De-identification”, the creation of de-identified information from personal information. 6 of 71 |
|---|
| 119 | 119 | | 89 “Designated method for submitting a request”, a mailing address, email address, internet |
|---|
| 120 | 120 | | 90web page, internet web portal, toll-free telephone number, or other applicable contact |
|---|
| 121 | 121 | | 91information, whereby an individual may submit a request or direction under this chapter. |
|---|
| 122 | 122 | | 92 “Entity”, a sole proprietorship, or a corporation, association, partnership or other legal |
|---|
| 123 | 123 | | 93entity. |
|---|
| 124 | 124 | | 94 “Genetic information”, personal information, regardless of format, that: |
|---|
| 125 | 125 | | 95 (1) results from the analysis of a biological sample of an individual, or from another |
|---|
| 126 | 126 | | 96source enabling equivalent information to be obtained; and |
|---|
| 127 | 127 | | 97 (2) concerns an individual’s genetic material, including, but not limited to, |
|---|
| 128 | 128 | | 98deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, |
|---|
| 129 | 129 | | 99alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), |
|---|
| 130 | 130 | | 100uninterpreted data that results from analysis of the biological sample or other source, and any |
|---|
| 131 | 131 | | 101information extrapolated, derived, or inferred therefrom. |
|---|
| 132 | 132 | | 102 “Health care facility” shall have the same meaning as defined in section 25B of chapter |
|---|
| 133 | 133 | | 103111 of the General Laws. |
|---|
| 134 | 134 | | 104 “Health care provider” shall have the same meaning as defined in section 1 of chapter |
|---|
| 135 | 135 | | 105111 of the General Laws. |
|---|
| 136 | 136 | | 106 “Health record”, an individual’s health-related record, as maintained pursuant to section |
|---|
| 137 | 137 | | 10770 of chapter 111 of the General Laws. |
|---|
| 138 | 138 | | 108 “HIPAA”, the federal Health Insurance Portability and Accountability Act of 1996, 42 |
|---|
| 139 | 139 | | 109U.S.C. 1320d et seq., as amended from time to time. 7 of 71 |
|---|
| 140 | 140 | | 110 “Homepage”, the introductory page of an internet website and any internet web page |
|---|
| 141 | 141 | | 111where personal information is collected; provided, however, that in the case of an online service, |
|---|
| 142 | 142 | | 112such as a mobile application, “homepage” shall include: |
|---|
| 143 | 143 | | 113 (1) the application’s platform page or download page; |
|---|
| 144 | 144 | | 114 (2) a link within the application, such as from the application configuration, “About,” |
|---|
| 145 | 145 | | 115“Information,” or settings page; and |
|---|
| 146 | 146 | | 116 (3) any other location that allows individuals to review the notices required by this |
|---|
| 147 | 147 | | 117chapter, including, but not limited to, before downloading the application. |
|---|
| 148 | 148 | | 118 “Identified or identifiable household”, a group of individuals who: |
|---|
| 149 | 149 | | 119 (1) cohabitate with one another at the same residential address in the commonwealth; |
|---|
| 150 | 150 | | 120 (2) use common devices or services; and |
|---|
| 151 | 151 | | 121 (3) can be readily identified, directly or indirectly. |
|---|
| 152 | 152 | | 122 “Identified or identifiable individual”, an individual who can be readily identified, |
|---|
| 153 | 153 | | 123directly or indirectly. |
|---|
| 154 | 154 | | 124 “Individual”, a natural person who is a resident of the commonwealth; provided, |
|---|
| 155 | 155 | | 125however, that “individual” shall not include a natural person acting as a sole proprietorship. |
|---|
| 156 | 156 | | 126 “Infer”, deriving information, data, assumptions, correlations, predictions or conclusions |
|---|
| 157 | 157 | | 127from facts, evidence or another source of information or data. 8 of 71 |
|---|
| 158 | 158 | | 128 “Institution of higher education”, any college, junior college, university or other public or |
|---|
| 159 | 159 | | 129private educational institution that has been authorized to grant degrees pursuant to sections 30, |
|---|
| 160 | 160 | | 13030A, and 31A of chapter 69 of the General Laws. |
|---|
| 161 | 161 | | 131 “Large data holder”, a controller that, in a calendar year: |
|---|
| 162 | 162 | | 132 (1) has annual global gross revenues in excess of $1,000,000,000; and |
|---|
| 163 | 163 | | 133 (2) determines the purposes and means of processing of the personal information of not |
|---|
| 164 | 164 | | 134less than 200,000 individuals, excluding personal information processed solely for the purpose of |
|---|
| 165 | 165 | | 135completing a payment-only credit, check or cash transaction where no personal information is |
|---|
| 166 | 166 | | 136retained about the individual entering into the transaction. |
|---|
| 167 | 167 | | 137 “Minor”, an individual who a controller knows or reasonably should know is not less |
|---|
| 168 | 168 | | 138than 13 years of age and not more than 16 years of age. |
|---|
| 169 | 169 | | 139 “Nonprofit organization”, any organization that is exempt from taxation under 26 U.S.C. |
|---|
| 170 | 170 | | 140501(c), as amended from time to time. |
|---|
| 171 | 171 | | 141 “Personal information”, information, including, but not limited to, a unique persistent |
|---|
| 172 | 172 | | 142identifier, that identifies, relates to, describes, is reasonably capable of being associated with, or |
|---|
| 173 | 173 | | 143could reasonably be linked, directly or indirectly, with an identified or identifiable individual; |
|---|
| 174 | 174 | | 144provided, however, that “personal information” shall not include publicly available or de- |
|---|
| 175 | 175 | | 145identified information about a natural person; and provided further, that “personal information” |
|---|
| 176 | 176 | | 146shall also include information, including, but not limited to, a unique persistent identifier, that |
|---|
| 177 | 177 | | 147identifies, relates to, describes, is reasonably capable of being associated with, or could |
|---|
| 178 | 178 | | 148reasonably be linked, directly or indirectly, with: 9 of 71 |
|---|
| 179 | 179 | | 149 (1) an identified or identifiable natural person, only insofar as “personal information” is |
|---|
| 180 | 180 | | 150used in paragraph (1) of the definition of “data broker” in this section; or |
|---|
| 181 | 181 | | 151 (2) an identified or identifiable household, only insofar as “personal information” is used |
|---|
| 182 | 182 | | 152in: (i) subsection (b) of section 3; and (ii) any reference in this chapter to the sale or selling of |
|---|
| 183 | 183 | | 153personal information or the processing of personal information for the purposes of targeted |
|---|
| 184 | 184 | | 154cross-contextual or first-party advertising. |
|---|
| 185 | 185 | | 155 “Process”, any operation or set of operations performed on personal information or on |
|---|
| 186 | 186 | | 156sets of personal information, whether or not by automated means, such as the collection, use, |
|---|
| 187 | 187 | | 157storage, disclosure, sharing, analysis, prediction, deletion or modification of personal |
|---|
| 188 | 188 | | 158information, including the actions of a controller directing a processor to process personal |
|---|
| 189 | 189 | | 159information. |
|---|
| 190 | 190 | | 160 “Processor”, an entity that processes personal information on behalf of a controller; |
|---|
| 191 | 191 | | 161provided, however, that determining whether an entity is acting as a processor or a controller |
|---|
| 192 | 192 | | 162with respect to a specific processing of personal information is a fact-based determination that |
|---|
| 193 | 193 | | 163depends upon the context in which the information is processed; and provided further, that: |
|---|
| 194 | 194 | | 164 (1) a processor that continues to adhere to a controller’s instructions with respect to a |
|---|
| 195 | 195 | | 165specific processing of personal information remains a processor; |
|---|
| 196 | 196 | | 166 (2) if a processor begins, alone or jointly with others, determining the purposes and |
|---|
| 197 | 197 | | 167means of the processing of personal information, it is a controller with respect to the processing; |
|---|
| 198 | 198 | | 168and 10 of 71 |
|---|
| 199 | 199 | | 169 (3) an entity that is not limited in its processing of personal information pursuant to a |
|---|
| 200 | 200 | | 170controller’s instruction, or that fails to adhere to such instructions, is a controller and not a |
|---|
| 201 | 201 | | 171processor with respect to a specific processing. |
|---|
| 202 | 202 | | 172 “Profiling”, any form of automated processing of personal information to evaluate, |
|---|
| 203 | 203 | | 173analyze, or predict personal aspects concerning an identified or identifiable individual or |
|---|
| 204 | 204 | | 174household’s economic situation, health, personal preferences, interests, reliability, behavior, |
|---|
| 205 | 205 | | 175location or movements. |
|---|
| 206 | 206 | | 176 “Protected health information” shall have the same meaning as defined in 45 C.F.R. |
|---|
| 207 | 207 | | 177160.103, established pursuant to HIPAA. |
|---|
| 208 | 208 | | 178 “Publicly available information”, information about an individual that: |
|---|
| 209 | 209 | | 179 (1) is lawfully made available from federal, state, or local government records; or |
|---|
| 210 | 210 | | 180 (2) a controller has a reasonable basis to believe is lawfully and intentionally made |
|---|
| 211 | 211 | | 181available to the general public: (i) through widely distributed media; or (ii) by the individual, |
|---|
| 212 | 212 | | 182unless the individual has restricted the information to a specific audience; provided, however, |
|---|
| 213 | 213 | | 183that “publicly available information” shall not include: (A) biometric or genetic information; or |
|---|
| 214 | 214 | | 184(B) personal information that is not publicly available and has been combined with publicly |
|---|
| 215 | 215 | | 185available information. |
|---|
| 216 | 216 | | 186 “Research”, a systematic investigation, including research development, testing, and |
|---|
| 217 | 217 | | 187evaluation, designed to develop or contribute to generalizable knowledge and that is conducted |
|---|
| 218 | 218 | | 188in accordance with applicable ethics and privacy laws. 11 of 71 |
|---|
| 219 | 219 | | 189 “Sale” or “selling”, disclosing, disseminating, making available, releasing, renting, |
|---|
| 220 | 220 | | 190sharing, transferring, or otherwise communicating orally, in writing, or by electronic or other |
|---|
| 221 | 221 | | 191means, an individual’s personal information by the controller to a third party for monetary or |
|---|
| 222 | 222 | | 192other valuable consideration in a bargained-for exchange or otherwise for the purposes of |
|---|
| 223 | 223 | | 193targeted cross-contextual advertising; provided, however, that “sale” or “selling” shall not |
|---|
| 224 | 224 | | 194include the following: |
|---|
| 225 | 225 | | 195 (1) the disclosure of personal information to a processor where the processor only |
|---|
| 226 | 226 | | 196processes such personal information on behalf of the controller; |
|---|
| 227 | 227 | | 197 (2) the controller’s use or sharing of an identifier for an individual who, pursuant to |
|---|
| 228 | 228 | | 198section 8, has opted out of the processing of the individual’s personal information; provided, |
|---|
| 229 | 229 | | 199however, that the controller’s use or sharing of the identifier is solely for the purpose of alerting |
|---|
| 230 | 230 | | 200entities that the individual has opted out; |
|---|
| 231 | 231 | | 201 (3) the disclosure or transfer of personal information to an affiliate of the controller; |
|---|
| 232 | 232 | | 202 (4) the disclosure or transfer of personal information to a third party as an asset that is |
|---|
| 233 | 233 | | 203part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the |
|---|
| 234 | 234 | | 204third party assumes control of all or part of the controller’s assets; |
|---|
| 235 | 235 | | 205 (5) the disclosure of personal information to a third party for purposes of providing a |
|---|
| 236 | 236 | | 206product or service specifically requested by the individual; or |
|---|
| 237 | 237 | | 207 (6) when the individual uses or expressly directs the controller to disclose personal |
|---|
| 238 | 238 | | 208information to a third party or otherwise interact with a third party; provided, however, that the |
|---|
| 239 | 239 | | 209individual’s direction was not obtained through dark patterns; and provided further, that the 12 of 71 |
|---|
| 240 | 240 | | 210controller’s interaction with the third party is not for the purposes of targeted cross-contextual |
|---|
| 241 | 241 | | 211advertising. |
|---|
| 242 | 242 | | 212 “Sensitive information”, a form of personal information, including: |
|---|
| 243 | 243 | | 213 (1) an individual’s specific geolocation information; |
|---|
| 244 | 244 | | 214 (2) biometric or genetic information processed for the purpose of uniquely identifying an |
|---|
| 245 | 245 | | 215individual; |
|---|
| 246 | 246 | | 216 (3) the personal information of a child or minor; |
|---|
| 247 | 247 | | 217 (4) personal information that reveals an individual’s: (i) racial or ethnic origin; (ii) |
|---|
| 248 | 248 | | 218religious beliefs; or (iii) citizenship or immigration status; |
|---|
| 249 | 249 | | 219 (5) personal information processed concerning an individual’s past, present or future |
|---|
| 250 | 250 | | 220mental or physical health condition, disability, diagnosis or treatment; |
|---|
| 251 | 251 | | 221 (6) personal information processed concerning an individual’s sexual orientation, sex life |
|---|
| 252 | 252 | | 222or reproductive health, including, but not limited to, the use or purchase of contraceptives, birth |
|---|
| 253 | 253 | | 223control, abortifacients or other medication related to reproductive health; |
|---|
| 254 | 254 | | 224 (7) personal information that reveals an individual’s philosophical beliefs or union |
|---|
| 255 | 255 | | 225membership; |
|---|
| 256 | 256 | | 226 (8) personal information that reveals an individual’s social security number, driver’s |
|---|
| 257 | 257 | | 227license number, military identification number, passport number or state-issued identification |
|---|
| 258 | 258 | | 228card number; or 13 of 71 |
|---|
| 259 | 259 | | 229 (9) personal information that reveals an individual’s financial account number, or credit |
|---|
| 260 | 260 | | 230or debit card number, with or without any required security code, access code, personal |
|---|
| 261 | 261 | | 231identification number or password, that would permit access to an individual’s financial account. |
|---|
| 262 | 262 | | 232 “Specific geolocation information”, information derived from technology including, but |
|---|
| 263 | 263 | | 233not limited to, global positioning system level latitude and longitude coordinates or other |
|---|
| 264 | 264 | | 234mechanisms that directly identify the specific location of an individual within a geographic area |
|---|
| 265 | 265 | | 235that is equal to or less than the area of a circle with a radius of 1,850 feet; provided, however, |
|---|
| 266 | 266 | | 236that “specific geolocation information” shall exclude the content of communications or any |
|---|
| 267 | 267 | | 237information generated by or connected to advanced utility metering infrastructure systems or |
|---|
| 268 | 268 | | 238equipment for use by a utility. |
|---|
| 269 | 269 | | 239 “Targeted cross-contextual advertising”, the targeting of advertising to an individual |
|---|
| 270 | 270 | | 240based on the individual’s personal information obtained from the individual’s activity across |
|---|
| 271 | 271 | | 241distinctly-branded internet websites, online applications, services or physical premises; provided, |
|---|
| 272 | 272 | | 242however, that “targeted cross-contextual advertising” shall not include: |
|---|
| 273 | 273 | | 243 (1) processing personal information solely for measuring or reporting advertising |
|---|
| 274 | 274 | | 244performance, reach or frequency; |
|---|
| 275 | 275 | | 245 (2) contextual advertising that is displayed based on the content in which the |
|---|
| 276 | 276 | | 246advertisement appears and does not vary based on who is viewing the advertisement; or |
|---|
| 277 | 277 | | 247 (3) advertising that is based solely on an individual’s current intentional interaction with |
|---|
| 278 | 278 | | 248or visit to a controller’s distinctly-branded internet website, online application, service or |
|---|
| 279 | 279 | | 249physical premise; provided however, that the individual’s personal information is not: (i) used to |
|---|
| 280 | 280 | | 250build a profile about the individual or otherwise alter the individual’s experience outside the 14 of 71 |
|---|
| 281 | 281 | | 251current intentional interaction with the controller; or (ii) retained after the completion of the |
|---|
| 282 | 282 | | 252interaction; provided further, that an individual’s intentional interaction may include, but is not |
|---|
| 283 | 283 | | 253limited to, an individual’s current search query or specific request for information and feedback; |
|---|
| 284 | 284 | | 254and provided further, that hovering over, muting, pausing or closing a given piece of content |
|---|
| 285 | 285 | | 255does not constitute an individual’s intent to interact with a controller. |
|---|
| 286 | 286 | | 256 “Targeted first-party advertising”, the targeting of advertising to an individual based on a |
|---|
| 287 | 287 | | 257controller profiling an individual by using the personal information obtained from the |
|---|
| 288 | 288 | | 258individual’s activity within a controller’s own websites, online applications, services or physical |
|---|
| 289 | 289 | | 259premises; provided, however, that “targeted first-party advertising” shall not include advertising |
|---|
| 290 | 290 | | 260or the processing of personal information pursuant to the exemptions specified in paragraphs (1) |
|---|
| 291 | 291 | | 261through (3) of the definition of targeted cross-contextual advertising. |
|---|
| 292 | 292 | | 262 “Third party”, a natural person, entity, public authority, agency, or body other than the |
|---|
| 293 | 293 | | 263applicable individual, controller, processor, or affiliate of the controller or the processor. |
|---|
| 294 | 294 | | 264 “Trade secret” shall have the same meaning as defined in section 42 of chapter 93 of the |
|---|
| 295 | 295 | | 265General Laws. |
|---|
| 296 | 296 | | 266 “Unique persistent identifier”, an identifier that is reasonably linkable to an identified or |
|---|
| 297 | 297 | | 267identifiable natural person or household, including, but not limited to, a: |
|---|
| 298 | 298 | | 268 (1) device identifier; |
|---|
| 299 | 299 | | 269 (2) Internet Protocol address; |
|---|
| 300 | 300 | | 270 (3) cookie; |
|---|
| 301 | 301 | | 271 (4) beacon; 15 of 71 |
|---|
| 302 | 302 | | 272 (5) pixel tag; |
|---|
| 303 | 303 | | 273 (6) mobile ad identifier or similar technology; |
|---|
| 304 | 304 | | 274 (7) customer number; |
|---|
| 305 | 305 | | 275 (8) unique pseudonym; |
|---|
| 306 | 306 | | 276 (9) user alias; |
|---|
| 307 | 307 | | 277 (10) telephone number; or |
|---|
| 308 | 308 | | 278 (11) other form of persistent or probabilistic identifier that is linked or reasonably |
|---|
| 309 | 309 | | 279linkable to an identified or identifiable natural person or household. |
|---|
| 310 | 310 | | 280 “Upholding security, confidentiality and integrity”, protecting against, responding to, |
|---|
| 311 | 311 | | 281preventing, detecting, investigating, reporting or prosecuting identity theft, fraud, harassment, |
|---|
| 312 | 312 | | 282malicious, deceptive or illegal activities, or any other security incidents that compromise the |
|---|
| 313 | 313 | | 283availability, authenticity, confidentiality or integrity of stored or transmitted personal |
|---|
| 314 | 314 | | 284information. |
|---|
| 315 | 315 | | 285 “Verifiable request”, a request: |
|---|
| 316 | 316 | | 286 (1) to exercise any of the rights set forth in sections 10 through 13; and |
|---|
| 317 | 317 | | 287 (2) that a controller can use commercially reasonable means to determine is being made |
|---|
| 318 | 318 | | 288by the individual or by a person authorized to exercise rights on behalf of such individual with |
|---|
| 319 | 319 | | 289respect to the personal information at issue, pursuant to section 14. |
|---|
| 320 | 320 | | 290 Section 3. Scope and Applicability 16 of 71 |
|---|
| 321 | 321 | | 291 (a) This chapter shall apply to: |
|---|
| 322 | 322 | | 292 (1) a controller or processor that conducts business in the commonwealth; and |
|---|
| 323 | 323 | | 293 (2) the processing of personal information by a controller or processor not physically |
|---|
| 324 | 324 | | 294established in the commonwealth, where the processing activities are related to: (i) the offering |
|---|
| 325 | 325 | | 295of goods or services that are targeted to individuals; or (ii) the monitoring of behavior of |
|---|
| 326 | 326 | | 296individuals where such behavior takes place in the commonwealth; and |
|---|
| 327 | 327 | | 297 (3) an entity that voluntarily certifies to the attorney general that it is fully in compliance |
|---|
| 328 | 328 | | 298with, and agrees to be bound by, this chapter. |
|---|
| 329 | 329 | | 299 (b) Notwithstanding subsection (a) of this section, sections 7 through 17 and section 26 |
|---|
| 330 | 330 | | 300shall only apply to a controller that, during the preceding calendar year, satisfied at least 1 of the |
|---|
| 331 | 331 | | 301following additional thresholds or is an entity that is an affiliate of and shares common branding |
|---|
| 332 | 332 | | 302with such a controller, in which case sections 7 through 17 and section 26 shall apply only to the |
|---|
| 333 | 333 | | 303personal information processed by the affiliate on behalf of the controller: |
|---|
| 334 | 334 | | 304 (1) the controller had annual global gross revenues in excess of 25,000,000 dollars; |
|---|
| 335 | 335 | | 305 (2) the controller was a data broker; or |
|---|
| 336 | 336 | | 306 (3) the controller determined the purposes and means of processing of the personal |
|---|
| 337 | 337 | | 307information of not less than 100,000 individuals, excluding personal information processed |
|---|
| 338 | 338 | | 308solely for the purpose of completing a payment-only credit, check or cash transaction where no |
|---|
| 339 | 339 | | 309personal information is retained about the individual entering into the transaction. |
|---|
| 340 | 340 | | 310 (c) This chapter shall not apply to: 17 of 71 |
|---|
| 341 | 341 | | 311 (1) any agency, executive office, department, board, commission, bureau, division or |
|---|
| 342 | 342 | | 312authority of the commonwealth, or any of its branches, or any political subdivision thereof; |
|---|
| 343 | 343 | | 313 (2) a national securities association that is registered under 15 U.S.C. 78o-3 of the |
|---|
| 344 | 344 | | 314Securities Exchange Act of 1934, as amended from time to time; |
|---|
| 345 | 345 | | 315 (3) a registered futures association that is so designated pursuant to 7 U.S.C. 21, as |
|---|
| 346 | 346 | | 316amended from time to time; and |
|---|
| 347 | 347 | | 317 (4) an entity that serves as a congressionally designated nonprofit, national resource |
|---|
| 348 | 348 | | 318center and clearinghouse to assist victims, families, child-serving professionals and the general |
|---|
| 349 | 349 | | 319public on issues concerning missing or exploited children. |
|---|
| 350 | 350 | | 320 (d) The following information shall be exempt from this chapter: |
|---|
| 351 | 351 | | 321 (1) protected health information that is processed by a covered entity or business |
|---|
| 352 | 352 | | 322associate pursuant to 45 C.F.R. 160, 162, and 164; |
|---|
| 353 | 353 | | 323 (2) health records for the purposes of section 70 of chapter 111 of the General Laws, to |
|---|
| 354 | 354 | | 324the extent that the records are maintained pursuant to 45 C.F.R. 160, 162, and 164; |
|---|
| 355 | 355 | | 325 (3) information and documents that are created by a covered entity for purposes of |
|---|
| 356 | 356 | | 326complying with HIPAA; |
|---|
| 357 | 357 | | 327 (4) information used only for public health activities and purposes as authorized by |
|---|
| 358 | 358 | | 328HIPAA; |
|---|
| 359 | 359 | | 329 (5) patient identifying information for purposes of 42 C.F.R. 2, established pursuant to 42 |
|---|
| 360 | 360 | | 330U.S.C. 290dd-2, as amended from time to time; 18 of 71 |
|---|
| 361 | 361 | | 331 (6) information that is: (i) collected for a clinical trial subject to the Federal Policy for the |
|---|
| 362 | 362 | | 332Protection of Human Subjects under 45 C.F.R. 46; (ii) collected pursuant to good clinical |
|---|
| 363 | 363 | | 333practice guidelines issued by the International Council for Harmonisation of Technical |
|---|
| 364 | 364 | | 334Requirements for Pharmaceuticals for Human Use; (iii) collected pursuant to the human subject |
|---|
| 365 | 365 | | 335protection requirements under 21 C.F.R. 50 and 56; or (iv) personal information used or |
|---|
| 366 | 366 | | 336disclosed in research conducted in accordance with one or more of the requirements set forth in |
|---|
| 367 | 367 | | 337this paragraph; |
|---|
| 368 | 368 | | 338 (7) information and documents created for purposes of the federal Health Care Quality |
|---|
| 369 | 369 | | 339Improvement Act of 1986, 42 U.S.C. 11101 et seq., as amended from time to time; |
|---|
| 370 | 370 | | 340 (8) patient safety work product for purposes of the federal Patient Safety and Quality |
|---|
| 371 | 371 | | 341Improvement Act, 42 U.S.C. 299b-21 et seq., as amended from time to time; |
|---|
| 372 | 372 | | 342 (9) information that is: (i) derived from any of the health care-related information listed |
|---|
| 373 | 373 | | 343in this subsection; and (ii) de-identified in accordance with the requirements for de-identification |
|---|
| 374 | 374 | | 344pursuant to 45 C.F.R. 164; |
|---|
| 375 | 375 | | 345 (10) information that is treated in the same manner as, or that originates from and is |
|---|
| 376 | 376 | | 346intermingled to be indistinguishable with, information that is exempt under this subsection and |
|---|
| 377 | 377 | | 347maintained by: (i) a covered entity or business associate; (ii) a health care facility or health care |
|---|
| 378 | 378 | | 348provider; or (iii) a program of a qualified service organization as defined by 42 U.S.C. 290dd-2; |
|---|
| 379 | 379 | | 349 (11) an activity involving the processing of any personal information bearing on an |
|---|
| 380 | 380 | | 350individual’s credit worthiness, credit standing, credit capacity, character, general reputation, |
|---|
| 381 | 381 | | 351personal characteristics or mode of living by: (i) a consumer reporting agency, as defined in 15 |
|---|
| 382 | 382 | | 352U.S.C. 1681a(f); (ii) a furnisher of information, as set forth in 15 U.S.C. 1681s-2, that provides 19 of 71 |
|---|
| 383 | 383 | | 353information for use in a consumer report, as defined in 15 U.S.C. 1681a(d); and (iii) a user of a |
|---|
| 384 | 384 | | 354consumer report, as set forth in 15 U.S.C. 1681b; provided, however, that this paragraph shall |
|---|
| 385 | 385 | | 355apply only to the extent that: (A) the activity is regulated by the federal Fair Credit Reporting |
|---|
| 386 | 386 | | 356Act, 15 U.S.C. 1681 et seq., as amended from time to time; and (B) the personal information is |
|---|
| 387 | 387 | | 357processed solely as authorized by the federal Fair Credit Reporting Act; and provided further, |
|---|
| 388 | 388 | | 358that the exemption established pursuant to this paragraph shall not apply with respect to section |
|---|
| 389 | 389 | | 35926 of this chapter; |
|---|
| 390 | 390 | | 360 (12) personal information processed in compliance with the federal Driver’s Privacy |
|---|
| 391 | 391 | | 361Protection Act of 1994, 18 U.S.C. 2721 et seq., as amended from time to time; |
|---|
| 392 | 392 | | 362 (13) personal information regulated by the federal Family Educational Rights and Privacy |
|---|
| 393 | 393 | | 363Act, 20 U.S.C. 1232g et seq., as amended from time to time; |
|---|
| 394 | 394 | | 364 (14) personal information processed in compliance with the federal Farm Credit Act, 12 |
|---|
| 395 | 395 | | 365U.S.C. 2001 et seq., as amended from time to time; |
|---|
| 396 | 396 | | 366 (15) personal information processed in compliance with the federal Gramm-Leach-Bliley |
|---|
| 397 | 397 | | 367Act, 15 U.S.C. 6801 et seq., as amended from time to time; |
|---|
| 398 | 398 | | 368 (16) personal information processed in compliance with chapter 175I of the General |
|---|
| 399 | 399 | | 369Laws; |
|---|
| 400 | 400 | | 370 (17) personal information processed by an air carrier specifically in relation to price, |
|---|
| 401 | 401 | | 371route or service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. 40101 et seq., |
|---|
| 402 | 402 | | 372as amended from time to time; provided, however, that this exemption shall apply solely to the 20 of 71 |
|---|
| 403 | 403 | | 373extent that provisions of this chapter may be preempted by section 41713 of the Airline |
|---|
| 404 | 404 | | 374Deregulation Act; and |
|---|
| 405 | 405 | | 375 (18) personal information processed for purposes of chapter 176Q of the General Laws. |
|---|
| 406 | 406 | | 376 (e) Section 7 and sections 9 through 13 of this chapter shall not apply to information that |
|---|
| 407 | 407 | | 377is processed: |
|---|
| 408 | 408 | | 378 (1) in the course of an individual acting in a professional or commercial context, to the |
|---|
| 409 | 409 | | 379extent that the information is collected and used within that context; |
|---|
| 410 | 410 | | 380 (2) in the course of an individual acting as a job applicant to, an employee of, or an agent |
|---|
| 411 | 411 | | 381or independent contractor of a controller, processor, or third party, to the extent that the |
|---|
| 412 | 412 | | 382information is collected and used within the context of the individual’s role; |
|---|
| 413 | 413 | | 383 (3) as the emergency contact information of an individual acting pursuant to paragraph |
|---|
| 414 | 414 | | 384(2) of this subsection, to the extent that the information is solely used for emergency contact |
|---|
| 415 | 415 | | 385purposes; or |
|---|
| 416 | 416 | | 386 (4) in order to administer benefits for another natural person relating to an individual |
|---|
| 417 | 417 | | 387acting pursuant to paragraph (2), to the extent that the information is used solely for the purposes |
|---|
| 418 | 418 | | 388of administering those benefits. |
|---|
| 419 | 419 | | 389 Section 4. Conflicting Provisions |
|---|
| 420 | 420 | | 390 (a) Wherever possible, law relating to individuals’ personal information shall be |
|---|
| 421 | 421 | | 391construed to harmonize with the provisions of this chapter, but in the event of a conflict between |
|---|
| 422 | 422 | | 392the provisions of other laws and this chapter, the provisions that afford the greatest protection for |
|---|
| 423 | 423 | | 393the right of privacy for individuals shall control. 21 of 71 |
|---|
| 424 | 424 | | 394 (b) Controllers and processors that comply with the verifiable parental consent |
|---|
| 425 | 425 | | 395requirements of the federal Children’s Online Privacy Protection Act, 15 U.S.C. 6501 et seq., as |
|---|
| 426 | 426 | | 396amended from time to time, shall be in compliance with any obligation to obtain parental consent |
|---|
| 427 | 427 | | 397under this chapter. Nothing in this chapter shall be construed to relieve or change any obligations |
|---|
| 428 | 428 | | 398that a controller, processor, or other entity may have under such Act. |
|---|
| 429 | 429 | | 399 Section 5. General Principles for Processing Personal Information |
|---|
| 430 | 430 | | 400 (a) Personal information shall be: |
|---|
| 431 | 431 | | 401 (1) processed lawfully, fairly and in a transparent manner in relation to the individual and |
|---|
| 432 | 432 | | 402in compliance with this chapter; |
|---|
| 433 | 433 | | 403 (2) collected for specified, explicit and legitimate purposes and not further processed in a |
|---|
| 434 | 434 | | 404manner that is incompatible with those purposes; |
|---|
| 435 | 435 | | 405 (3) processed in a manner that is adequate, relevant and limited to what is reasonably |
|---|
| 436 | 436 | | 406necessary in relation to the purposes for which it is processed; |
|---|
| 437 | 437 | | 407 (4) maintained in a manner such that the information is accurate and, where necessary, |
|---|
| 438 | 438 | | 408kept up to date; |
|---|
| 439 | 439 | | 409 (5) maintained in a form which permits identification of individuals for no longer than is |
|---|
| 440 | 440 | | 410necessary for the purposes for which the personal information is processed; and |
|---|
| 441 | 441 | | 411 (6) processed in a manner that ensures that the information remains appropriately secure. |
|---|
| 442 | 442 | | 412 (b) A controller shall be responsible for complying with subsection (a) by implementing |
|---|
| 443 | 443 | | 413procedures that are reasonable and appropriate, taking into consideration: 22 of 71 |
|---|
| 444 | 444 | | 414 (1) the size, scope and type of the controller; |
|---|
| 445 | 445 | | 415 (2) the amount of resources available to the controller; |
|---|
| 446 | 446 | | 416 (3) the amount and nature of personal information processed by the controller, including, |
|---|
| 447 | 447 | | 417but not limited to, whether the personal information is sensitive information; and |
|---|
| 448 | 448 | | 418 (4) the need for upholding security, integrity and confidentiality with respect to the |
|---|
| 449 | 449 | | 419personal information processed by the controller. |
|---|
| 450 | 450 | | 420 (c) A controller that is compliant with the regulations promulgated pursuant to chapter |
|---|
| 451 | 451 | | 42193H of the General Laws with respect to “personal information,” as that term is defined in |
|---|
| 452 | 452 | | 422section 1 of said chapter 93H, shall be in compliance with the principle set forth in paragraph (6) |
|---|
| 453 | 453 | | 423of subsection (a) of this section with respect to such personal information. |
|---|
| 454 | 454 | | 424 Section 6. Lawful Bases for Processing Personal Information |
|---|
| 455 | 455 | | 425 (a) Processing shall be lawful and in compliance with this chapter only if: |
|---|
| 456 | 456 | | 426 (1) the individual has given consent to the processing of their personal information for |
|---|
| 457 | 457 | | 427one or more specific purposes; |
|---|
| 458 | 458 | | 428 (2) processing is necessary for the performance of a contract to which the individual is |
|---|
| 459 | 459 | | 429party or in order to take steps at the request of the individual prior to entering into a contract; |
|---|
| 460 | 460 | | 430 (3) processing is necessary for compliance with a legal obligation to which the controller |
|---|
| 461 | 461 | | 431is subject; |
|---|
| 462 | 462 | | 432 (4) processing is necessary in order to protect the vital interests of the individual or of |
|---|
| 463 | 463 | | 433another natural person; provided, however, that the processing cannot be manifestly based on 23 of 71 |
|---|
| 464 | 464 | | 434another legal basis and the individual or other natural person is at risk or danger of death or |
|---|
| 465 | 465 | | 435serious physical injury; or |
|---|
| 466 | 466 | | 436 (5) processing is necessary for the purposes of the legitimate interests pursued by the |
|---|
| 467 | 467 | | 437controller or by a third party, except where such interests are overridden by the individual’s |
|---|
| 468 | 468 | | 438reasonable expectations of privacy or other legal rights; provided, however, that the controller |
|---|
| 469 | 469 | | 439shall conspicuously disclose such processing to the individual in advance and consider the |
|---|
| 470 | 470 | | 440following factors when assessing whether to process personal information pursuant to this |
|---|
| 471 | 471 | | 441paragraph: |
|---|
| 472 | 472 | | 442 (i) the context in which the personal information would be collected; |
|---|
| 473 | 473 | | 443 (ii) whether the processing is reasonably necessary and proportionate to: (A) provide or |
|---|
| 474 | 474 | | 444maintain a specific product or service requested or reasonably anticipated by the individual to |
|---|
| 475 | 475 | | 445whom the personal information pertains; or (B) perform other specified purposes that are |
|---|
| 476 | 476 | | 446compatible with the reasonable expectations of the individual based on the individual’s |
|---|
| 477 | 477 | | 447relationship with the controller; |
|---|
| 478 | 478 | | 448 (iii) whether the controller or third party can achieve their legitimate interests in another |
|---|
| 479 | 479 | | 449less intrusive way; |
|---|
| 480 | 480 | | 450 (iv) the amount of personal information that would be processed; |
|---|
| 481 | 481 | | 451 (v) the nature of the personal information that would be processed, taking into account |
|---|
| 482 | 482 | | 452whether processing the information, such as in the case of processing the business contact |
|---|
| 483 | 483 | | 453information of an individual acting in a commercial or business context, poses minimal risks to |
|---|
| 484 | 484 | | 454the individual; 24 of 71 |
|---|
| 485 | 485 | | 455 (vi) the possible unlawful disparate impacts and the financial, physical, reputational, or |
|---|
| 486 | 486 | | 456other cognizable harms or consequences for the individual whose personal information would be |
|---|
| 487 | 487 | | 457processed; |
|---|
| 488 | 488 | | 458 (vii) whether the processing interferes with an individual’s right to privacy pursuant to |
|---|
| 489 | 489 | | 459section 1B of chapter 214 of the General Laws; and |
|---|
| 490 | 490 | | 460 (viii) the need for upholding security, integrity and confidentiality with respect to the |
|---|
| 491 | 491 | | 461personal information that would be processed. |
|---|
| 492 | 492 | | 462 (b) A controller shall not rely on paragraph (5) of subsection (a) as a lawful basis for |
|---|
| 493 | 493 | | 463processing personal information for the purposes of profiling in furtherance of solely automated |
|---|
| 494 | 494 | | 464decisions that produce legal or similarly significant effects concerning the individual, including, |
|---|
| 495 | 495 | | 465but not limited to, decisions that result in the provision or denial of financial or lending services, |
|---|
| 496 | 496 | | 466housing, insurance, education enrollment or opportunity, criminal justice, employment |
|---|
| 497 | 497 | | 467opportunities, health care services or access to essential goods or services. |
|---|
| 498 | 498 | | 468 Section 7. Right to Privacy Notice |
|---|
| 499 | 499 | | 469 (a) At or before the point of the collection of an individual’s personal information, |
|---|
| 500 | 500 | | 470controllers shall provide the individual with a reasonably accessible, clear and meaningful |
|---|
| 501 | 501 | | 471privacy notice that shall include: |
|---|
| 502 | 502 | | 472 (1) a clear and conspicuous description of: (i) whether the controller sells personal |
|---|
| 503 | 503 | | 473information to third parties or processes personal information for the purposes of targeted cross- |
|---|
| 504 | 504 | | 474contextual or first-party advertising; (ii) what categories of sensitive information, if any, the |
|---|
| 505 | 505 | | 475controller processes and for what purposes; (iii) an individual’s rights pursuant to sections 8 25 of 71 |
|---|
| 506 | 506 | | 476through 13; (iv) how and where individuals may request to exercise these rights; and (v) a link to |
|---|
| 507 | 507 | | 477the attorney general’s online mechanism through which the individual may contact the attorney |
|---|
| 508 | 508 | | 478general to submit a complaint pursuant to subsection (p) of section 25; |
|---|
| 509 | 509 | | 479 (2) the categories of personal information processed by the controller; |
|---|
| 510 | 510 | | 480 (3) the controller’s purposes for processing the personal information; |
|---|
| 511 | 511 | | 481 (4) the categories of personal information, if any, that the controller sells to third parties; |
|---|
| 512 | 512 | | 482 (5) the categories of third parties, if any, to whom the controller sells personal |
|---|
| 513 | 513 | | 483information; |
|---|
| 514 | 514 | | 484 (6) whether the controller sells personal information to registered data brokers, along |
|---|
| 515 | 515 | | 485with a link to the web page pursuant to paragraph (3) of subsection (p) of section 25; |
|---|
| 516 | 516 | | 486 (7) the affiliates to whom the controller discloses personal information; |
|---|
| 517 | 517 | | 487 (8) the categories of sources from which personal information is collected; |
|---|
| 518 | 518 | | 488 (9) the length of time the controller intends to retain each category of personal |
|---|
| 519 | 519 | | 489information, or, if that is not possible, the criteria used to determine such period; provided, |
|---|
| 520 | 520 | | 490however, that a controller shall retain personal information for a duration consistent with |
|---|
| 521 | 521 | | 491paragraph (5) of subsection (a) of section 5; |
|---|
| 522 | 522 | | 492 (10) the effective date of the privacy notice; |
|---|
| 523 | 523 | | 493 (11) whether or not any personal information processed by the controller is sold to, |
|---|
| 524 | 524 | | 494processed in, stored in or otherwise accessible to the People’s Republic of China, Russia, Iran or |
|---|
| 525 | 525 | | 495North Korea; and 26 of 71 |
|---|
| 526 | 526 | | 496 (12) a contact method, such as an active email address or other online mechanism, that |
|---|
| 527 | 527 | | 497the individual may use to contact the controller. |
|---|
| 528 | 528 | | 498 (b) A controller shall not collect additional categories of personal information or process |
|---|
| 529 | 529 | | 499personal information collected for additional purposes that are incompatible with the disclosed |
|---|
| 530 | 530 | | 500purposes for which the personal information was collected, without providing the individual with |
|---|
| 531 | 531 | | 501notice consistent with subsection (a) of this section. |
|---|
| 532 | 532 | | 502 (c) An entity that, acting as a third party, controls the collection of an individual’s |
|---|
| 533 | 533 | | 503personal information may satisfy its obligation under this section by providing the required |
|---|
| 534 | 534 | | 504information prominently and conspicuously on the homepage of its internet website; provided, |
|---|
| 535 | 535 | | 505however, that if an entity, acting as a third party, controls the collection of personal information |
|---|
| 536 | 536 | | 506about an individual on its premises, including in a vehicle, then the entity shall, at or before the |
|---|
| 537 | 537 | | 507point of collection, satisfy its obligation under subsection (a) of this section by providing the |
|---|
| 538 | 538 | | 508required information in a clear and conspicuous manner at such location. |
|---|
| 539 | 539 | | 509 (d) Nothing in this section shall require a controller to provide the information in a |
|---|
| 540 | 540 | | 510manner that would disclose the controller’s trade secrets. |
|---|
| 541 | 541 | | 511 (e) The categories of sensitive information required to be disclosed by a controller |
|---|
| 542 | 542 | | 512pursuant to this section shall specifically include each applicable subcategory set forth in |
|---|
| 543 | 543 | | 513paragraphs (1) through (9) in the definition of sensitive information in section 2. |
|---|
| 544 | 544 | | 514 (f) A large data holder shall retain and make publicly available on its internet website: |
|---|
| 545 | 545 | | 515 (1) copies of previous versions of its privacy notices for at least 10 years; and 27 of 71 |
|---|
| 546 | 546 | | 516 (2) a log describing the date and nature of each change to its privacy notice that is likely |
|---|
| 547 | 547 | | 517to affect a reasonable individual’s decision or conduct regarding a large data holder’s product or |
|---|
| 548 | 548 | | 518service. |
|---|
| 549 | 549 | | 519 (g) Subsection (f) shall only apply to privacy notices created or generated after the |
|---|
| 550 | 550 | | 520effective date of this section and shall not be retroactive. |
|---|
| 551 | 551 | | 521 Section 8. Opting Out of the Sale of Personal Information and Targeted Advertising |
|---|
| 552 | 552 | | 522 (a) An individual shall have the right to opt out of the processing of the individual’s |
|---|
| 553 | 553 | | 523personal information for the purposes of: |
|---|
| 554 | 554 | | 524 (1) the sale of the personal information; |
|---|
| 555 | 555 | | 525 (2) targeted cross-contextual advertising; or |
|---|
| 556 | 556 | | 526 (3) targeted first-party advertising. |
|---|
| 557 | 557 | | 527 (b) A controller shall comply with an opt-out request pursuant to this section as soon as |
|---|
| 558 | 558 | | 528reasonably possible; provided, however, that a controller shall comply with an opt-out request |
|---|
| 559 | 559 | | 529with respect to paragraph (1) of subsection (a) in a time frame that is reasonably proportionate to |
|---|
| 560 | 560 | | 530the amount of time it takes the controller to sell such personal information to third parties; and |
|---|
| 561 | 561 | | 531provided further, that in any event, a controller shall comply with an opt-out request pursuant to |
|---|
| 562 | 562 | | 532this section not later than 15 days after receipt of the request. |
|---|
| 563 | 563 | | 533 (c) A controller that has received an opt-out request pursuant to this section shall be |
|---|
| 564 | 564 | | 534prohibited from processing the individual’s personal information for the purposes of the sale of |
|---|
| 565 | 565 | | 535the personal information or for targeted cross-contextual or first-party advertising, unless the |
|---|
| 566 | 566 | | 536individual subsequently provides consent for such processing. After complying with an 28 of 71 |
|---|
| 567 | 567 | | 537individual’s opt-out request, a controller shall wait for not less than 12 months before requesting |
|---|
| 568 | 568 | | 538the individual’s consent to process the individual’s personal information for the purposes of the |
|---|
| 569 | 569 | | 539sale of the personal information or for targeted cross-contextual or first-party advertising. |
|---|
| 570 | 570 | | 540 (d) A data broker that has been sold an individual’s personal information shall not further |
|---|
| 571 | 571 | | 541process an individual’s personal information for the purposes of the sale of the personal |
|---|
| 572 | 572 | | 542information or for targeted cross-contextual advertising, unless the individual has received |
|---|
| 573 | 573 | | 543explicit notice and is provided an opportunity to exercise the opt-out right pursuant to this |
|---|
| 574 | 574 | | 544section. |
|---|
| 575 | 575 | | 545 (e) If a controller communicates to any entity authorized by the controller to collect |
|---|
| 576 | 576 | | 546personal information that an individual has requested to exercise the opt-out right pursuant to this |
|---|
| 577 | 577 | | 547section, that entity shall thereafter only use that individual’s personal information for purposes |
|---|
| 578 | 578 | | 548specified by the controller, or as otherwise permitted by this chapter, and shall be prohibited |
|---|
| 579 | 579 | | 549from: |
|---|
| 580 | 580 | | 550 (1) processing the individual’s personal information for the purposes of the sale of the |
|---|
| 581 | 581 | | 551personal information or for targeted cross-contextual or first-party advertising; and |
|---|
| 582 | 582 | | 552 (2) processing that individual’s personal information: (i) outside of the direct relationship |
|---|
| 583 | 583 | | 553between the entity and the controller; or (ii) for any purpose other than for the specific purpose |
|---|
| 584 | 584 | | 554of providing or performing the services offered to the controller. |
|---|
| 585 | 585 | | 555 (f) A controller that pursuant to subsection (e) communicates an individual’s opt-out |
|---|
| 586 | 586 | | 556request to an entity shall not be liable under this chapter if the entity receiving the opt-out request |
|---|
| 587 | 587 | | 557violates the restrictions set forth in this chapter; provided, however, that at the time of 29 of 71 |
|---|
| 588 | 588 | | 558communicating the opt-out request, the controller does not know or should not reasonably know |
|---|
| 589 | 589 | | 559that the entity intends to commit such a violation. |
|---|
| 590 | 590 | | 560 (g) An individual may designate an authorized agent to act on the individual’s behalf to |
|---|
| 591 | 591 | | 561opt out of the processing of such individual’s personal information for one or more of the |
|---|
| 592 | 592 | | 562purposes specified in subsection (a). The individual may designate such authorized agent by way |
|---|
| 593 | 593 | | 563of, among other things, a technology, including, but not limited to, an internet link or a browser |
|---|
| 594 | 594 | | 564setting, browser extension or global device setting, indicating the individual’s intent to opt out of |
|---|
| 595 | 595 | | 565such processing. A controller shall comply with an opt-out request received from an authorized |
|---|
| 596 | 596 | | 566agent if the controller is able to verify, with commercially reasonable effort, the authorized |
|---|
| 597 | 597 | | 567agent’s authority to act on the individual’s behalf. An authorized agent shall: |
|---|
| 598 | 598 | | 568 (1) not use an individual’s personal information for any purposes other than to fulfill the |
|---|
| 599 | 599 | | 569individual’s requests, for verification or for fraud prevention; and |
|---|
| 600 | 600 | | 570 (2) implement and maintain reasonable security procedures and practices to protect the |
|---|
| 601 | 601 | | 571individual’s personal information. |
|---|
| 602 | 602 | | 572 (h) A controller shall allow an individual to opt out of the processing of the individual’s |
|---|
| 603 | 603 | | 573personal information for one or more of the purposes specified in subsection (a) through an opt- |
|---|
| 604 | 604 | | 574out preference signal sent with the individual’s consent to the controller by a platform, |
|---|
| 605 | 605 | | 575technology or mechanism indicating the individual’s intent to opt out of such processing; |
|---|
| 606 | 606 | | 576provided, however, that such platform, technology or mechanism shall meet the requirements |
|---|
| 607 | 607 | | 577and technical specifications established by the attorney general pursuant to subsection (u) of |
|---|
| 608 | 608 | | 578section 25; and provided further, that a controller shall notify individuals about any such |
|---|
| 609 | 609 | | 579platform, technology or mechanism in any privacy notice provided pursuant to section 7. 30 of 71 |
|---|
| 610 | 610 | | 580 (i) If an individual decides to opt out of the processing of the individual’s personal |
|---|
| 611 | 611 | | 581information for one or more of the purposes specified in subsection (a) through an opt-out |
|---|
| 612 | 612 | | 582preference signal sent in accordance with this chapter and the individual’s decision conflicts with |
|---|
| 613 | 613 | | 583the individual’s existing controller-specific privacy setting or voluntary participation in the |
|---|
| 614 | 614 | | 584controller’s bona fide loyalty, rewards, premium features, discounts or club card program, the |
|---|
| 615 | 615 | | 585controller shall comply with the individual’s opt-out preference signal but may notify the |
|---|
| 616 | 616 | | 586individual of the conflict and provide the individual with the choice to opt back into such |
|---|
| 617 | 617 | | 587controller-specific privacy setting or participation in such a program; provided, however, that the |
|---|
| 618 | 618 | | 588controller shall not use dark patterns to coerce the individual to opt back in to such controller- |
|---|
| 619 | 619 | | 589specific privacy setting or participation in such program. |
|---|
| 620 | 620 | | 590 (j) If a controller responds to an individual’s opt-out request pursuant to this section by |
|---|
| 621 | 621 | | 591informing the individual of a charge for the use of any product or service, the controller shall |
|---|
| 622 | 622 | | 592present the terms of any financial incentive offered in accordance with section 16 for the |
|---|
| 623 | 623 | | 593collection, processing, sale or retention of the individual’s personal information. |
|---|
| 624 | 624 | | 594 (k) A request to exercise the right to opt out pursuant to this section shall not need to be a |
|---|
| 625 | 625 | | 595verifiable request. If a controller, however, has a good-faith, reasonable and documented belief |
|---|
| 626 | 626 | | 596that the request is fraudulent, the controller may deny the request. The controller shall inform the |
|---|
| 627 | 627 | | 597requestor that it will not comply with the request and shall provide an explanation why it |
|---|
| 628 | 628 | | 598believes the request is fraudulent. |
|---|
| 629 | 629 | | 599 (l) For each calendar year in which a controller is a large data holder, the controller shall |
|---|
| 630 | 630 | | 600prepare a report that details the number of requests that is has received to opt out pursuant to |
|---|
| 631 | 631 | | 601paragraphs (1), (2) and (3) of subsection (a); provided, however, that the controller shall specify 31 of 71 |
|---|
| 632 | 632 | | 602the number of such requests that the controller has denied; and provided further, that the |
|---|
| 633 | 633 | | 603controller shall make its report publicly available on its internet website and submit the report to |
|---|
| 634 | 634 | | 604the attorney general not later than January 31 following each year in which a controller meets the |
|---|
| 635 | 635 | | 605definition of a large data holder under this chapter. |
|---|
| 636 | 636 | | 606 Section 9. Protections for Sensitive Information |
|---|
| 637 | 637 | | 607 (a) A controller shall not process an individual’s sensitive information for the purposes of |
|---|
| 638 | 638 | | 608the sale of such information or for targeted cross-contextual or first-party advertising, unless the |
|---|
| 639 | 639 | | 609controller has obtained the consent of the individual, or, in the case of a child, the child’s parent |
|---|
| 640 | 640 | | 610or guardian. |
|---|
| 641 | 641 | | 611 (b) A controller shall not otherwise process an individual’s sensitive information without |
|---|
| 642 | 642 | | 612first obtaining the consent of the individual, or, in the case of a child, the child’s parent or |
|---|
| 643 | 643 | | 613guardian, except to the limited extent necessary to: |
|---|
| 644 | 644 | | 614 (1) perform the services or provide the goods reasonably expected by an average |
|---|
| 645 | 645 | | 615individual who requests those services or goods; |
|---|
| 646 | 646 | | 616 (2) maintain or service accounts, provide customer service, process or fulfill orders and |
|---|
| 647 | 647 | | 617transactions, verify customer information, process payments, provide financing, provide analytic |
|---|
| 648 | 648 | | 618services, provide storage or provide other similar services; |
|---|
| 649 | 649 | | 619 (3) verify, maintain, improve or upgrade the quality or safety of the service or device that |
|---|
| 650 | 650 | | 620is owned, manufactured, manufactured for or controlled by the controller; or |
|---|
| 651 | 651 | | 621 (4) perform short-term, transient use, including, but not limited to, advertising that is |
|---|
| 652 | 652 | | 622based solely on an individual’s personal information derived from the individual’s current 32 of 71 |
|---|
| 653 | 653 | | 623intentional interaction with the controller; provided, however, that the sensitive information shall |
|---|
| 654 | 654 | | 624not be an individual’s precise geolocation information; and provided further, that the individual’s |
|---|
| 655 | 655 | | 625sensitive information shall not be: (i) disclosed to another third party; or (ii) used to build a |
|---|
| 656 | 656 | | 626profile about the individual or otherwise alter the individual’s experience outside the current |
|---|
| 657 | 657 | | 627interaction with the controller; or |
|---|
| 658 | 658 | | 628 (5) otherwise process the information pursuant to an exemption stipulated in section 24. |
|---|
| 659 | 659 | | 629 (c) If a controller does not receive consent for the processing of an individual’s sensitive |
|---|
| 660 | 660 | | 630information, the controller shall wait for not less than 12 months before making a subsequent |
|---|
| 661 | 661 | | 631request for the individual or, in the case of a child, the child’s parent or guardian, to consent to |
|---|
| 662 | 662 | | 632such processing. |
|---|
| 663 | 663 | | 633 Section 10. Right to Access and Transport Personal Information |
|---|
| 664 | 664 | | 634 (a) For the purposes of this section, “specific pieces of information” shall not include any |
|---|
| 665 | 665 | | 635data generated to uphold security, confidentiality and integrity. |
|---|
| 666 | 666 | | 636 (b) An individual shall have the right to request that a controller that processes the |
|---|
| 667 | 667 | | 637individual’s personal information disclose to the individual the specific pieces of personal |
|---|
| 668 | 668 | | 638information that the controller has processed about the individual, including inferences linked or |
|---|
| 669 | 669 | | 639reasonably linkable to the individual. |
|---|
| 670 | 670 | | 640 (c) In response to a verifiable request pursuant to subsection (b), a controller shall |
|---|
| 671 | 671 | | 641provide to the individual the specific pieces of personal information that the controller has |
|---|
| 672 | 672 | | 642processed about the individual in a portable format that is easily understandable to the average 33 of 71 |
|---|
| 673 | 673 | | 643individual and, to the extent technically feasible, in a readily usable format that allows the |
|---|
| 674 | 674 | | 644individual to transmit the information to another controller without hindrance. |
|---|
| 675 | 675 | | 645 (d) The disclosure of the required information pursuant to this section shall cover the 12- |
|---|
| 676 | 676 | | 646month period preceding the controller’s receipt of the verifiable request; provided, however, that |
|---|
| 677 | 677 | | 647an individual may request that the controller disclose the required information beyond the 12- |
|---|
| 678 | 678 | | 648month period, and the controller shall be required to provide such information unless doing so |
|---|
| 679 | 679 | | 649proves impossible or would constitute an undue burden for the controller; and provided further, |
|---|
| 680 | 680 | | 650that an individual’s ability to request information beyond the 12-month period shall be disclosed |
|---|
| 681 | 681 | | 651in a controller’s privacy notice pursuant to clause (iii) of paragraph (1) of subsection (a) of |
|---|
| 682 | 682 | | 652section 7. |
|---|
| 683 | 683 | | 653 (e) Nothing in this section shall require a controller to provide the information requested |
|---|
| 684 | 684 | | 654in a manner that would disclose the controller’s trade secrets. |
|---|
| 685 | 685 | | 655 Section 11. Right to Delete Personal Information |
|---|
| 686 | 686 | | 656 (a) An individual shall have the right to request that a controller delete any personal |
|---|
| 687 | 687 | | 657information processed about the individual. |
|---|
| 688 | 688 | | 658 (b) A controller that receives a verifiable request to delete the individual’s personal |
|---|
| 689 | 689 | | 659information shall: |
|---|
| 690 | 690 | | 660 (1) delete the individual’s personal information from its records; |
|---|
| 691 | 691 | | 661 (2) notify all processors to whom the controller has disclosed the individual’s personal |
|---|
| 692 | 692 | | 662information to delete the individual’s personal information from their records; and 34 of 71 |
|---|
| 693 | 693 | | 663 (3) notify all third parties to whom the controller has sold the individual’s personal |
|---|
| 694 | 694 | | 664information to delete the personal information from their records, unless doing so proves |
|---|
| 695 | 695 | | 665impossible or would constitute an undue burden for the controller. |
|---|
| 696 | 696 | | 666 (c) A controller may maintain a confidential record of deletion requests solely for: |
|---|
| 697 | 697 | | 667 (1) preventing the sale of the personal information of the individual who has submitted a |
|---|
| 698 | 698 | | 668deletion request; |
|---|
| 699 | 699 | | 669 (2) ensuring that such individual’s personal information is deleted from the controller’s |
|---|
| 700 | 700 | | 670records; or |
|---|
| 701 | 701 | | 671 (3) other purposes to the extent permissible pursuant to section 24 and subsection (i) of |
|---|
| 702 | 702 | | 672section 15. |
|---|
| 703 | 703 | | 673 (d) A controller, or a processor acting pursuant to its contract with the controller, shall |
|---|
| 704 | 704 | | 674not be required to comply with an individual’s request to delete the individual’s personal |
|---|
| 705 | 705 | | 675information if it is reasonably necessary for the controller or processor to maintain the |
|---|
| 706 | 706 | | 676individual’s personal information in order to: |
|---|
| 707 | 707 | | 677 (1) complete the transaction for which the personal information was collected, provide a |
|---|
| 708 | 708 | | 678good or service requested by the individual or reasonably anticipated by the individual within the |
|---|
| 709 | 709 | | 679context of the controller’s ongoing relationship with the individual, or otherwise perform a |
|---|
| 710 | 710 | | 680contract between the controller and the individual; |
|---|
| 711 | 711 | | 681 (2) enable solely internal uses that are: (i) reasonably aligned with the expectations of the |
|---|
| 712 | 712 | | 682individual based on the individual’s relationship with the controller; and (ii) compatible with the |
|---|
| 713 | 713 | | 683context in which the individual provided the personal information; 35 of 71 |
|---|
| 714 | 714 | | 684 (3) maintain personal information that relates to a public figure and for which the |
|---|
| 715 | 715 | | 685individual making the deletion request has no reasonable expectation of privacy; or |
|---|
| 716 | 716 | | 686 (4) comply with a legal obligation or otherwise process personal information pursuant to |
|---|
| 717 | 717 | | 687an exemption stipulated in section 24. |
|---|
| 718 | 718 | | 688 (e) The controller or processor shall retain personal information pursuant to subsection |
|---|
| 719 | 719 | | 689(d) solely for the applicable purposes under that subsection. |
|---|
| 720 | 720 | | 690 Section 12. Right to Correct Personal Information |
|---|
| 721 | 721 | | 691 (a) An individual shall have the right to request that a controller correct inaccurate |
|---|
| 722 | 722 | | 692personal information processed about the individual, taking into account the nature of the |
|---|
| 723 | 723 | | 693personal information and the purposes of the processing of such information. |
|---|
| 724 | 724 | | 694 (b) A controller that receives a verifiable request to correct inaccurate personal |
|---|
| 725 | 725 | | 695information shall correct the inaccurate personal information as directed by the individual. |
|---|
| 726 | 726 | | 696 Section 13. Right to Revoke Consent |
|---|
| 727 | 727 | | 697 (a) If a controller chooses to process an individual’s personal information on the basis of |
|---|
| 728 | 728 | | 698the individual’s consent pursuant to paragraph (1) of subsection (a) of section 6, the option for an |
|---|
| 729 | 729 | | 699individual to refuse consent shall be clear, at least as prominent as the option to accept, and easy |
|---|
| 730 | 730 | | 700to use by a reasonable individual. |
|---|
| 731 | 731 | | 701 (b) In addition to an individual’s opt-out right pursuant to section 8, an individual shall |
|---|
| 732 | 732 | | 702have the right to revoke consent that the individual previously gave to a controller to process the |
|---|
| 733 | 733 | | 703individual’s personal information for any other purposes. The controller shall: 36 of 71 |
|---|
| 734 | 734 | | 704 (1) provide a mechanism for individuals to revoke consent that is clear, conspicuous and |
|---|
| 735 | 735 | | 705easy to use by a reasonable individual; and |
|---|
| 736 | 736 | | 706 (2) in response to an individual’s verifiable request to revoke the individual’s consent, |
|---|
| 737 | 737 | | 707cease to process the individual’s personal information as soon as reasonably possible. |
|---|
| 738 | 738 | | 708 Section 14. Exercising Privacy Rights |
|---|
| 739 | 739 | | 709 (a) An individual may exercise the rights set forth in sections 8 through 13 by submitting |
|---|
| 740 | 740 | | 710a request, at any time, to a controller specifying which rights the individual wishes to exercise. |
|---|
| 741 | 741 | | 711 (b) With respect to the processing of personal information of a child, the child’s parent or |
|---|
| 742 | 742 | | 712legal guardian may exercise the rights set forth in sections 8 through 13 on the child’s behalf. |
|---|
| 743 | 743 | | 713 (c) With respect to the processing of personal information concerning an individual |
|---|
| 744 | 744 | | 714subject to guardianship, conservatorship or other protective arrangement under article V or |
|---|
| 745 | 745 | | 715article 5A of chapter 190B of the General Laws, the individual’s guardian or conservator may |
|---|
| 746 | 746 | | 716exercise the rights set forth in sections 8 through 13 on the individual’s behalf. |
|---|
| 747 | 747 | | 717 Section 15. Responding to Requests to Exercise Privacy Rights |
|---|
| 748 | 748 | | 718 (a) Except as otherwise provided in this chapter, a controller shall comply with an |
|---|
| 749 | 749 | | 719individual’s request to exercise the rights set forth in sections 10 through 13. |
|---|
| 750 | 750 | | 720 (b) A controller shall inform the individual of any action taken on a request to exercise |
|---|
| 751 | 751 | | 721any of the rights set forth in sections 10 through 13 without undue delay and in any event within |
|---|
| 752 | 752 | | 72245 days of receipt of the request; provided, however, that the period may be extended once by 45 |
|---|
| 753 | 753 | | 723additional days where reasonably necessary, taking into account the complexity and number of 37 of 71 |
|---|
| 754 | 754 | | 724the requests; and provided further, that the controller shall notify the individual of any such |
|---|
| 755 | 755 | | 725extension within 45 days of receipt of the request, together with the reasons for the delay. |
|---|
| 756 | 756 | | 726 (c) A controller shall not be obligated to comply with a request to exercise the rights set |
|---|
| 757 | 757 | | 727forth in sections 10 through 13 if the request is not a verifiable request. In such a case, the |
|---|
| 758 | 758 | | 728controller shall notify the individual that it is unable to act on the request until it receives |
|---|
| 759 | 759 | | 729additional information reasonably necessary to verify that the request is being made by the |
|---|
| 760 | 760 | | 730individual or by another person who is entitled to exercise such rights on behalf of the individual |
|---|
| 761 | 761 | | 731pursuant to section 14. |
|---|
| 762 | 762 | | 732 (d) A verifiable request to exercise the rights set forth in sections 10 through 13 shall not |
|---|
| 763 | 763 | | 733extend to personal information about the individual that belongs to, or the controller maintains |
|---|
| 764 | 764 | | 734on behalf of, another natural person. A controller may rely on representations made in a |
|---|
| 765 | 765 | | 735verifiable request as to rights with respect to personal information and shall not be required to |
|---|
| 766 | 766 | | 736seek out other persons that may have or claim to have rights to personal information or to take |
|---|
| 767 | 767 | | 737any action under this chapter in the event of a dispute between or among persons claiming rights |
|---|
| 768 | 768 | | 738to personal information in the controller’s possession. |
|---|
| 769 | 769 | | 739 (e) When a controller, pursuant to section 23, is incapable of complying with an |
|---|
| 770 | 770 | | 740individual’s verifiable request, the controller shall, if possible, notify the individual that it is |
|---|
| 771 | 771 | | 741unable to identify the individual and cannot act on the request. The individual, or a person |
|---|
| 772 | 772 | | 742entitled to exercise the rights of this chapter on behalf of the individual pursuant to section 14, |
|---|
| 773 | 773 | | 743may provide additional information to the controller enabling the individual’s identification for |
|---|
| 774 | 774 | | 744the purposes of exercising the rights set forth in sections 10 through 13. 38 of 71 |
|---|
| 775 | 775 | | 745 (f) If a controller declines to take action regarding an individual’s request, the controller |
|---|
| 776 | 776 | | 746shall notify the individual of the justification for declining to take action and provide the |
|---|
| 777 | 777 | | 747individual with instructions on how to submit a complaint pursuant to subsection (i) of this |
|---|
| 778 | 778 | | 748section. Such notification shall occur without undue delay, but not later than 45 days after the |
|---|
| 779 | 779 | | 749initial receipt of the request or not later than 45 days after notifying the individual of the |
|---|
| 780 | 780 | | 750applicability of an extension pursuant to subsection (b). |
|---|
| 781 | 781 | | 751 (g) A controller shall not be obligated to provide the information required by section 10 |
|---|
| 782 | 782 | | 752to the same individual more than twice in a 12-month period. Information provided in response |
|---|
| 783 | 783 | | 753to a request shall be provided by the controller to the individual free of charge. |
|---|
| 784 | 784 | | 754 (h) If requests from an individual, or from a person entitled to exercise the rights of this |
|---|
| 785 | 785 | | 755chapter on behalf of such individual pursuant to section 14, are manifestly unfounded, excessive |
|---|
| 786 | 786 | | 756or repetitive, the controller may: (1) charge a reasonable fee to cover the administrative costs of |
|---|
| 787 | 787 | | 757complying with the request; or (2) refuse to act on the request. The controller shall bear the |
|---|
| 788 | 788 | | 758burden of demonstrating the manifestly unfounded or excessive nature of the request. |
|---|
| 789 | 789 | | 759 (i) When informing an individual of any action taken or not taken in response to a |
|---|
| 790 | 790 | | 760request, the controller shall provide the individual with a link to the attorney general’s online |
|---|
| 791 | 791 | | 761mechanism through which the individual may contact the attorney general to submit a complaint. |
|---|
| 792 | 792 | | 762The controller shall maintain records of all rejected requests for not less than 24 months and shall |
|---|
| 793 | 793 | | 763compile and provide a copy of such records to the attorney general upon the attorney general’s |
|---|
| 794 | 794 | | 764request. |
|---|
| 795 | 795 | | 765 Section 16. Non-Discrimination Against Individuals’ Good Faith Exercise of Privacy |
|---|
| 796 | 796 | | 766Rights 39 of 71 |
|---|
| 797 | 797 | | 767 (a) A controller shall not discriminate against an individual for exercising in good faith |
|---|
| 798 | 798 | | 768any of the rights set forth in this chapter, including, but not limited to, by: |
|---|
| 799 | 799 | | 769 (1) denying goods or services to the individual; |
|---|
| 800 | 800 | | 770 (2) charging different prices or rates for goods or services, including through the use of |
|---|
| 801 | 801 | | 771discounts or other benefits or imposing penalties; |
|---|
| 802 | 802 | | 772 (3) providing a different level of quality of goods or services to the individual; |
|---|
| 803 | 803 | | 773 (4) suggesting that the individual will receive a different price or rate for goods or |
|---|
| 804 | 804 | | 774services or a different level of quality or goods or services; or |
|---|
| 805 | 805 | | 775 (5) retaliating against a job applicant to, an employee of, or an agent or independent |
|---|
| 806 | 806 | | 776contractor of the controller for exercising their rights under this chapter. |
|---|
| 807 | 807 | | 777 (b) This section shall not prohibit a controller from offering a different price, rate, level, |
|---|
| 808 | 808 | | 778quality or selection of goods or services to an individual, including offering goods or services for |
|---|
| 809 | 809 | | 779no fee, if: |
|---|
| 810 | 810 | | 780 (1) the offering is in connection with an individual’s voluntary participation in a bona |
|---|
| 811 | 811 | | 781fide loyalty, rewards, premium features, discounts or club card program; and |
|---|
| 812 | 812 | | 782 (2) the difference is reasonably related to the value provided to the controller by the |
|---|
| 813 | 813 | | 783individual’s personal information. |
|---|
| 814 | 814 | | 784 (c) Nothing in this section shall be construed to: |
|---|
| 815 | 815 | | 785 (1) require a controller to provide a product or service that requires an individual’s |
|---|
| 816 | 816 | | 786personal information that the controller does not process; or 40 of 71 |
|---|
| 817 | 817 | | 787 (2) prohibit a controller from offering a financial incentive, including payments to |
|---|
| 818 | 818 | | 788individuals as compensation, for the processing of personal information; provided, however, that |
|---|
| 819 | 819 | | 789such payments shall be reasonably related to the value provided to the controller by the |
|---|
| 820 | 820 | | 790individual’s personal information. |
|---|
| 821 | 821 | | 791 Section 17. Disclosure of Methods for Exercising Privacy Rights |
|---|
| 822 | 822 | | 792 (a) A controller shall make available and describe in a privacy notice pursuant to section |
|---|
| 823 | 823 | | 7937 not less than 2 designated methods for submitting a request to exercise the rights set forth in |
|---|
| 824 | 824 | | 794sections 8 through 13. The designated methods shall be reasonably accessible to individuals and |
|---|
| 825 | 825 | | 795take into account the ways in which individuals interact with the controller, the need for secure |
|---|
| 826 | 826 | | 796and reliable communication of the request, and the ability of the controller to determine whether |
|---|
| 827 | 827 | | 797the request is a verifiable request. If a controller maintains an internet website, the controller |
|---|
| 828 | 828 | | 798shall make its website available as one such designated method for submitting a request. A |
|---|
| 829 | 829 | | 799controller shall not require an individual to create a new account but may require an individual to |
|---|
| 830 | 830 | | 800use an existing account in order to exercise a right under this chapter. |
|---|
| 831 | 831 | | 801 (b) A controller that processes personal information for the purposes of selling such |
|---|
| 832 | 832 | | 802information or for targeted cross-contextual advertising shall provide a clear and conspicuous |
|---|
| 833 | 833 | | 803link on the controller’s internet homepages to an internet web page that enables an individual, or |
|---|
| 834 | 834 | | 804an individual’s authorized agent, to exercise their right to opt out of such processing. |
|---|
| 835 | 835 | | 805 (c) A controller that processes personal information for the purposes of targeted first- |
|---|
| 836 | 836 | | 806party advertising shall provide a clear and conspicuous link on the controller’s internet |
|---|
| 837 | 837 | | 807homepages to an internet web page that enables an individual, or an individual’s authorized |
|---|
| 838 | 838 | | 808agent, to exercise their right to opt out of such processing. 41 of 71 |
|---|
| 839 | 839 | | 809 (d) In lieu of complying with both subsections (b) and (c), a controller that is subject to |
|---|
| 840 | 840 | | 810both subsections may utilize a single clearly labeled link on the controller’s internet homepages, |
|---|
| 841 | 841 | | 811if that link easily allows an individual, or an individual’s authorized agent, to exercise their right |
|---|
| 842 | 842 | | 812to opt out of the processing of the individual’s personal information for the purposes of the sale |
|---|
| 843 | 843 | | 813of such information and for targeted cross-contextual and first-party advertising. |
|---|
| 844 | 844 | | 814 (e) A controller shall: |
|---|
| 845 | 845 | | 815 (1) ensure that all persons responsible for handling individuals’ inquiries about the |
|---|
| 846 | 846 | | 816controller’s privacy practices or compliance with this chapter are informed of: (i) all |
|---|
| 847 | 847 | | 817requirements set forth under this chapter; and (ii) how to direct individuals to exercise their |
|---|
| 848 | 848 | | 818rights set forth in sections 8 through 13 of this chapter; |
|---|
| 849 | 849 | | 819 (2) include a separate link to the applicable web pages required under subsections (b), (c), |
|---|
| 850 | 850 | | 820or (d) of this section in any privacy notice that the controller is required to provide to individuals |
|---|
| 851 | 851 | | 821pursuant to section 7; |
|---|
| 852 | 852 | | 822 (3) process any personal information collected from the individual in connection with the |
|---|
| 853 | 853 | | 823submission of the individual’s request to exercise any of the rights set forth in sections 8 through |
|---|
| 854 | 854 | | 82413 solely for the purposes of complying with the request; |
|---|
| 855 | 855 | | 825 (4) process any personal information collected in connection with the controller’s |
|---|
| 856 | 856 | | 826verification of the individual’s request solely for the purposes of verification and not further |
|---|
| 857 | 857 | | 827disclose the personal information, retain it longer than necessary for purposes of verification or |
|---|
| 858 | 858 | | 828use it for unrelated purposes; 42 of 71 |
|---|
| 859 | 859 | | 829 (5) not require an individual to provide additional information beyond what is necessary |
|---|
| 860 | 860 | | 830to direct the controller, pursuant to section 8, to not process the individual’s personal information |
|---|
| 861 | 861 | | 831for the purposes of the sale of such information or for targeted cross-contextual or first-party |
|---|
| 862 | 862 | | 832advertising; and |
|---|
| 863 | 863 | | 833 (6) not condition, effectively condition, attempt to condition or attempt to effectively |
|---|
| 864 | 864 | | 834condition the exercise of the rights set forth in sections 8 through 13 through the use of dark |
|---|
| 865 | 865 | | 835patterns or any false fictitious, fraudulent or materially misleading statement or representation. |
|---|
| 866 | 866 | | 836 Section 18. No Waiver |
|---|
| 867 | 867 | | 837 Any provision of a contract or agreement that purports to waive or limit in any way |
|---|
| 868 | 868 | | 838individual rights under this chapter shall be deemed contrary to public policy and shall be void |
|---|
| 869 | 869 | | 839and unenforceable. |
|---|
| 870 | 870 | | 840 Section 19. Relationship Among Controllers, Processors and Third Parties |
|---|
| 871 | 871 | | 841 (a) A processor shall not be required to comply with a request to exercise the rights set |
|---|
| 872 | 872 | | 842forth in sections 8 through 13 that the processor receives directly from an individual, or from a |
|---|
| 873 | 873 | | 843person entitled to exercise such rights on behalf of the individual, to the extent that the processor |
|---|
| 874 | 874 | | 844has processed the individual’s personal information on behalf of the controller. |
|---|
| 875 | 875 | | 845 (b) A processor shall adhere to the instructions of the controller and assist the controller |
|---|
| 876 | 876 | | 846in meeting its obligations under this chapter. Taking into account the nature of the processing |
|---|
| 877 | 877 | | 847and with respect to the personal information available to the processor as a result of its |
|---|
| 878 | 878 | | 848relationship with the controller, a processor shall: 43 of 71 |
|---|
| 879 | 879 | | 849 (1) take appropriate technical and organizational measures, insofar as is possible, to fulfill |
|---|
| 880 | 880 | | 850the controller’s obligation to respond to individuals’ requests to exercise their rights pursuant to |
|---|
| 881 | 881 | | 851sections 8 through 13; |
|---|
| 882 | 882 | | 852 (2) provide information to the controller necessary to enable the controller to conduct and |
|---|
| 883 | 883 | | 853document any risk assessment required by section 21; and |
|---|
| 884 | 884 | | 854 (3) assist the controller in meeting the controller’s obligations in relation to the security |
|---|
| 885 | 885 | | 855of processing the personal information and in relation to the notification of a breach of security |
|---|
| 886 | 886 | | 856of the system of the processor pursuant to chapter 93H of the General Laws; provided, however, |
|---|
| 887 | 887 | | 857that the controller and the processor shall: (i) implement appropriate technical and organizational |
|---|
| 888 | 888 | | 858measures to ensure a level of security appropriate to the risk; and (ii) establish a clear allocation |
|---|
| 889 | 889 | | 859of the responsibilities between them to implement such measures. |
|---|
| 890 | 890 | | 860 (c) When working with the controller to respond to a verifiable request to delete an |
|---|
| 891 | 891 | | 861individual’s personal information, the processor shall notify any processors or third parties who |
|---|
| 892 | 892 | | 862may have accessed the personal information from or through the processor to delete the personal |
|---|
| 893 | 893 | | 863information, unless the information was accessed at the direction of the controller or unless |
|---|
| 894 | 894 | | 864doing so proves impossible or would constitute an undue burden. |
|---|
| 895 | 895 | | 865 (d) Notwithstanding the instructions of the controller, a processor shall ensure that each |
|---|
| 896 | 896 | | 866person processing personal information is subject to a duty of confidentiality with respect to the |
|---|
| 897 | 897 | | 867information. |
|---|
| 898 | 898 | | 868 (e) If a processor engages another entity to assist the processor in processing personal |
|---|
| 899 | 899 | | 869information on behalf of the controller, the processor shall provide the controller with an |
|---|
| 900 | 900 | | 870opportunity to object and the engagement shall be pursuant to a written contract, in accordance 44 of 71 |
|---|
| 901 | 901 | | 871with the provisions of subsection (f), that requires the entity to meet the obligations of the |
|---|
| 902 | 902 | | 872processor with respect to the personal information. |
|---|
| 903 | 903 | | 873 (f) A contract between a controller and a processor shall govern the processor’s |
|---|
| 904 | 904 | | 874procedures with respect to processing individuals’ personal information that the processor |
|---|
| 905 | 905 | | 875receives from or on behalf of the controller. The contract shall be binding on both parties and |
|---|
| 906 | 906 | | 876clearly set forth the processing instructions to which the processor is bound, including: |
|---|
| 907 | 907 | | 877 (1) the nature and purpose of the processing; |
|---|
| 908 | 908 | | 878 (2) the type of personal information subject to the processing; |
|---|
| 909 | 909 | | 879 (3) the duration of the processing; |
|---|
| 910 | 910 | | 880 (4) the rights and obligations of both parties; |
|---|
| 911 | 911 | | 881 (5) the requirements imposed by subsections (d) and (e); and |
|---|
| 912 | 912 | | 882 (6) the following requirements: |
|---|
| 913 | 913 | | 883 (i) at the controller’s direction, the processor shall delete or return all personal |
|---|
| 914 | 914 | | 884information to the controller as requested at the end of the provision of services, unless retention |
|---|
| 915 | 915 | | 885of the personal information is required by law; |
|---|
| 916 | 916 | | 886 (ii) upon the reasonable request of the controller, the processor shall make available to |
|---|
| 917 | 917 | | 887the controller all information in its possession necessary to demonstrate compliance with the |
|---|
| 918 | 918 | | 888obligations under this chapter; |
|---|
| 919 | 919 | | 889 (iii) the processor shall: (A) allow for, and cooperate with, reasonable audits and |
|---|
| 920 | 920 | | 890inspections by the controller or the controller’s designated auditor; or (B) arrange for, with the 45 of 71 |
|---|
| 921 | 921 | | 891controller’s consent, a qualified and independent auditor to conduct, at least annually and at the |
|---|
| 922 | 922 | | 892processor’s expense, an audit of the processor’s policies and technical and organizational |
|---|
| 923 | 923 | | 893measures in support of the obligations under this chapter using an appropriate and accepted |
|---|
| 924 | 924 | | 894control standard or framework and audit procedure for such audits; provided, however, that the |
|---|
| 925 | 925 | | 895processor shall disclose a report of the audit to the controller upon request; and |
|---|
| 926 | 926 | | 896 (iv) the processor shall be prohibited from: (A) selling the personal information; (B) |
|---|
| 927 | 927 | | 897processing personal information other than for the purposes specified in the contract or as |
|---|
| 928 | 928 | | 898otherwise permitted by this chapter; (C) processing personal information outside of the direct |
|---|
| 929 | 929 | | 899relationship between the processor and the controller; or (D) combining, for the purpose of |
|---|
| 930 | 930 | | 900targeted advertising, the personal information with the personal information that the processor |
|---|
| 931 | 931 | | 901receives from, or on behalf of, another entity or that it collects from its own interaction with the |
|---|
| 932 | 932 | | 902individual. |
|---|
| 933 | 933 | | 903 (g) In no event may any contract relieve a controller or a processor from the liabilities |
|---|
| 934 | 934 | | 904imposed on it by this chapter. |
|---|
| 935 | 935 | | 905 (h) A controller shall exercise reasonable due diligence in: |
|---|
| 936 | 936 | | 906 (1) selecting a processor; and |
|---|
| 937 | 937 | | 907 (2) deciding whether to sell personal information to a third party. |
|---|
| 938 | 938 | | 908 Section 20. Data Broker Registration |
|---|
| 939 | 939 | | 909 (a) Not later than January 31 following each year in which a controller meets the |
|---|
| 940 | 940 | | 910definition of a data broker under this chapter, the controller shall register with the attorney |
|---|
| 941 | 941 | | 911general pursuant to the requirements of this section. 46 of 71 |
|---|
| 942 | 942 | | 912 (b) When registering with the attorney general, a data broker shall pay a registration fee |
|---|
| 943 | 943 | | 913of 200 dollars and provide the following information: |
|---|
| 944 | 944 | | 914 (1) the data broker’s name and primary physical, email and internet website addresses; |
|---|
| 945 | 945 | | 915 (2) any privacy notice that the data broker discloses to individuals pursuant to section 7; |
|---|
| 946 | 946 | | 916 (3) how individuals may request to exercise their rights under sections 8 through 13; |
|---|
| 947 | 947 | | 917 (4) whether the data broker implements a purchaser credentialing process; |
|---|
| 948 | 948 | | 918 (5) whether the data broker processes the personal information of minors or children; |
|---|
| 949 | 949 | | 919 (6) whether it qualifies as a data broker pursuant to paragraph (1), (2) or (3) of the |
|---|
| 950 | 950 | | 920definition of data broker in section 2; |
|---|
| 951 | 951 | | 921 (7) whether the data broker is a large data holder; and |
|---|
| 952 | 952 | | 922 (8) any additional information the data broker may wish to provide. |
|---|
| 953 | 953 | | 923 Section 21. Risk Assessments |
|---|
| 954 | 954 | | 924 (a) A controller shall establish, implement and maintain reasonable policies, practices and |
|---|
| 955 | 955 | | 925procedures to identify, assess and mitigate reasonably foreseeable privacy risks and cognizable |
|---|
| 956 | 956 | | 926harms related to their products and services, including the design, development and |
|---|
| 957 | 957 | | 927implementation of such products and services. |
|---|
| 958 | 958 | | 928 (b) A controller shall, prior to the processing, carry out and document a risk assessment |
|---|
| 959 | 959 | | 929of the impact of each of the following processing operations: 47 of 71 |
|---|
| 960 | 960 | | 930 (1) processing personal information for the purposes of: (i) the sale of the personal |
|---|
| 961 | 961 | | 931information; (ii) targeted cross-contextual advertising; or (iii) targeted first-party advertising; |
|---|
| 962 | 962 | | 932 (2) processing personal information for the purposes of profiling or otherwise |
|---|
| 963 | 963 | | 933systematically and extensively evaluating personal aspects relating to individuals; provided, |
|---|
| 964 | 964 | | 934however, that such processing presents a reasonably foreseeable risk of resulting in: |
|---|
| 965 | 965 | | 935 (i) discrimination on the basis of race, color, religion, national origin, sex or disability or |
|---|
| 966 | 966 | | 936other unfair or deceptive treatment of, or unlawful disparate impact on, individuals; |
|---|
| 967 | 967 | | 937 (ii) financial, physical or reputational harm to individuals; |
|---|
| 968 | 968 | | 938 (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or |
|---|
| 969 | 969 | | 939concerns, of individuals, where such intrusion would be offensive to a reasonable person; or |
|---|
| 970 | 970 | | 940 (iv) other substantial cognizable harms to individuals; |
|---|
| 971 | 971 | | 941 (3) processing sensitive information; and |
|---|
| 972 | 972 | | 942 (4) any other processing that is likely to result in a high risk of harm to individuals, taking |
|---|
| 973 | 973 | | 943into account the nature, scope, context, and purposes of the processing and whether the |
|---|
| 974 | 974 | | 944processing involves new technologies. |
|---|
| 975 | 975 | | 945 (c) The assessment shall contain at a minimum: |
|---|
| 976 | 976 | | 946 (1) a systematic description of the envisioned processing operations and the purposes of |
|---|
| 977 | 977 | | 947the processing, including, where applicable, the legitimate interest pursued by the controller or |
|---|
| 978 | 978 | | 948third party; 48 of 71 |
|---|
| 979 | 979 | | 949 (2) a description and brief justification of the lawful basis, pursuant to section 6, that the |
|---|
| 980 | 980 | | 950controller is relying on to process the individual’s personal information; |
|---|
| 981 | 981 | | 951 (3) an assessment of the necessity of the processing operations in relation to the purposes, |
|---|
| 982 | 982 | | 952taking into account whether the controller or third party can achieve their legitimate interests in |
|---|
| 983 | 983 | | 953another less intrusive way; |
|---|
| 984 | 984 | | 954 (4) an assessment of the proportionality of the processing operations in relation to the |
|---|
| 985 | 985 | | 955purposes, taking into account the amount and nature of the personal information to be processed; |
|---|
| 986 | 986 | | 956 (5) a description of: (i) the context of the processing; (ii) the relationship between the |
|---|
| 987 | 987 | | 957controller and the individual whose personal information would be processed; and (iii) whether |
|---|
| 988 | 988 | | 958the controller is processing an individual’s personal information in ways in which the individual |
|---|
| 989 | 989 | | 959would reasonably expect; |
|---|
| 990 | 990 | | 960 (6) an assessment of the risks of the processing operations to individuals; provided, |
|---|
| 991 | 991 | | 961however, that such assessment shall include, but not be limited to, whether the processing: (i) |
|---|
| 992 | 992 | | 962poses reasonably foreseeable risks to children or minors; (ii) presents a reasonably foreseeable |
|---|
| 993 | 993 | | 963risk of disparate impact on the basis of individuals’ race, color, religion, national origin, sex or |
|---|
| 994 | 994 | | 964disability; or (iii) would result in the provision or denial of financial or lending services, housing, |
|---|
| 995 | 995 | | 965insurance, education enrollment or opportunity, criminal justice, employment opportunities, |
|---|
| 996 | 996 | | 966health care services or access to essential goods or services; and |
|---|
| 997 | 997 | | 967 (7) the measures envisioned to mitigate the risks, including, but not limited to, safeguards |
|---|
| 998 | 998 | | 968such as de-identification and security measures to ensure the protection of personal information |
|---|
| 999 | 999 | | 969in compliance with this chapter, taking into account the individuals’ reasonable expectations of |
|---|
| 1000 | 1000 | | 970privacy or other legal rights. 49 of 71 |
|---|
| 1001 | 1001 | | 971 (d) In any risk assessment required pursuant to this section, a large data holder shall also: |
|---|
| 1002 | 1002 | | 972 (1) specify whether the processing is based in whole or in part on an algorithmic |
|---|
| 1003 | 1003 | | 973computational process that: |
|---|
| 1004 | 1004 | | 974 (i) uses machine learning, natural language processing, artificial intelligence techniques |
|---|
| 1005 | 1005 | | 975or other techniques of similar or greater complexity; |
|---|
| 1006 | 1006 | | 976 (ii) makes a decision or facilitates human decision-making with respect to personal |
|---|
| 1007 | 1007 | | 977information, including decisions that determine the provision of products or services or that rank, |
|---|
| 1008 | 1008 | | 978order, promote, recommend, amplify or similarly determine the delivery or display of |
|---|
| 1009 | 1009 | | 979information to an individual; and |
|---|
| 1010 | 1010 | | 980 (iii) poses a reasonably foreseeable risk of substantial cognizable harm to individuals; and |
|---|
| 1011 | 1011 | | 981 (2) include a description of: |
|---|
| 1012 | 1012 | | 982 (i) the design process and methodologies of any such algorithmic computational process |
|---|
| 1013 | 1013 | | 983pursuant to paragraph (1); |
|---|
| 1014 | 1014 | | 984 (ii) the categories of data that would be processed as input or used to train the model that |
|---|
| 1015 | 1015 | | 985any such algorithmic computational process relies on; and |
|---|
| 1016 | 1016 | | 986 (iii) the outputs that would be produced by any such algorithmic computational process. |
|---|
| 1017 | 1017 | | 987 (e) Subsections (a) through (d) shall not apply to processing: |
|---|
| 1018 | 1018 | | 988 (1) that a controller performs pursuant to paragraph (3) of section 6; and 50 of 71 |
|---|
| 1019 | 1019 | | 989 (2) for which the controller has already carried out a risk assessment for the purpose of |
|---|
| 1020 | 1020 | | 990compliance with another applicable law that regulates the specific processing operation or set of |
|---|
| 1021 | 1021 | | 991operations in question; provided, however, that such assessment has reasonably comparable |
|---|
| 1022 | 1022 | | 992scope and effect to the assessment that would otherwise be conducted pursuant to this section. |
|---|
| 1023 | 1023 | | 993 (f) For the purpose of complying with this section, a controller may leverage its existing |
|---|
| 1024 | 1024 | | 994work product of risk assessments that the controller has conducted or is conducting for the |
|---|
| 1025 | 1025 | | 995purpose of complying with another applicable law. |
|---|
| 1026 | 1026 | | 996 (g) A single risk assessment may address a set of similar processing operations that |
|---|
| 1027 | 1027 | | 997present similar high risks. |
|---|
| 1028 | 1028 | | 998 (h) The controller shall carry out a review of the risk assessment if there is a change of |
|---|
| 1029 | 1029 | | 999the risk represented by the processing operations. |
|---|
| 1030 | 1030 | | 1000 (i) A controller shall implement procedures to comply with this section that are |
|---|
| 1031 | 1031 | | 1001reasonable and appropriate taking into consideration: |
|---|
| 1032 | 1032 | | 1002 (1) the size, scope, and type of the controller; |
|---|
| 1033 | 1033 | | 1003 (2) the amount of resources available to the controller; |
|---|
| 1034 | 1034 | | 1004 (3) the amount and nature of personal information processed by the controller, including, |
|---|
| 1035 | 1035 | | 1005but not limited to, whether the personal information is sensitive information; and |
|---|
| 1036 | 1036 | | 1006 (4) the need for upholding security, integrity and confidentiality with respect to the |
|---|
| 1037 | 1037 | | 1007personal information processed by the controller. 51 of 71 |
|---|
| 1038 | 1038 | | 1008 (j) The attorney general may require, pursuant to a civil investigative demand, that a |
|---|
| 1039 | 1039 | | 1009controller disclose any risk assessment that is relevant to an investigation conducted by the |
|---|
| 1040 | 1040 | | 1010attorney general. The controller shall accordingly make the risk assessment available to the |
|---|
| 1041 | 1041 | | 1011attorney general, who may evaluate the risk assessment for compliance with the responsibilities |
|---|
| 1042 | 1042 | | 1012set forth in this chapter. Risk assessments shall be confidential and exempt from public |
|---|
| 1043 | 1043 | | 1013inspection and copying under chapter 66 of the General Laws. The disclosure of a risk |
|---|
| 1044 | 1044 | | 1014assessment pursuant to a civil investigative demand from the attorney general shall not constitute |
|---|
| 1045 | 1045 | | 1015a waiver of attorney-client privilege or work product protection with respect to the assessment |
|---|
| 1046 | 1046 | | 1016and any information contained in the assessment. |
|---|
| 1047 | 1047 | | 1017 (k) Risk assessments shall apply to processing activities created or generated after the |
|---|
| 1048 | 1048 | | 1018effective date of this section and shall not be retroactive. |
|---|
| 1049 | 1049 | | 1019 Section 22. Processing That Unlawfully Discriminates |
|---|
| 1050 | 1050 | | 1020 (a) A controller shall not process personal information in a manner that discriminates in, |
|---|
| 1051 | 1051 | | 1021or otherwise makes unavailable, the equal enjoyment of goods or services on the basis of race, |
|---|
| 1052 | 1052 | | 1022color, religion, national origin, sex or disability. |
|---|
| 1053 | 1053 | | 1023 (b) A controller that processes personal information in a manner that violates chapter |
|---|
| 1054 | 1054 | | 1024151B of the General Laws or any other state or federal law prohibiting unlawful discrimination |
|---|
| 1055 | 1055 | | 1025against individuals shall also be in violation of this chapter. |
|---|
| 1056 | 1056 | | 1026 (c) Nothing in this section shall be construed to limit controllers from processing personal |
|---|
| 1057 | 1057 | | 1027information for the purpose of: 52 of 71 |
|---|
| 1058 | 1058 | | 1028 (1) legitimate testing to prevent unlawful discrimination or otherwise determine the |
|---|
| 1059 | 1059 | | 1029extent or effectiveness of the controller’s compliance with this section; or |
|---|
| 1060 | 1060 | | 1030 (2) diversifying an applicant, participant or customer pool. |
|---|
| 1061 | 1061 | | 1031 (d) This section shall not apply to any private club or group not open to the public, |
|---|
| 1062 | 1062 | | 1032pursuant to section 201(e) of the Civil Rights Act of 1964, 42 U.S.C. 2000a(e), as amended from |
|---|
| 1063 | 1063 | | 1033time to time. |
|---|
| 1064 | 1064 | | 1034 Section 23. De-Identified Information |
|---|
| 1065 | 1065 | | 1035 This chapter shall not be construed to require a controller or processor to do any of the |
|---|
| 1066 | 1066 | | 1036following solely for the purpose of complying with this chapter: |
|---|
| 1067 | 1067 | | 1037 (1) maintain information in an identifiable, linkable or associable form, or collect, obtain, |
|---|
| 1068 | 1068 | | 1038retain or access any information or technology, in order to be capable of linking or associating a |
|---|
| 1069 | 1069 | | 1039verifiable request with personal information; or |
|---|
| 1070 | 1070 | | 1040 (2) reidentify or otherwise link de-identified information; provided, however, that the |
|---|
| 1071 | 1071 | | 1041controller, pursuant to subsection (e) of section 15, shall provide applicable notice to the |
|---|
| 1072 | 1072 | | 1042individual that it is unable to identify the individual. |
|---|
| 1073 | 1073 | | 1043 Section 24. Limitations |
|---|
| 1074 | 1074 | | 1044 (a) The obligations imposed on controllers or processors under this chapter shall not |
|---|
| 1075 | 1075 | | 1045restrict a controller’s or a processor’s ability to: |
|---|
| 1076 | 1076 | | 1046 (1) comply with federal, state or local laws, rules or regulations; 53 of 71 |
|---|
| 1077 | 1077 | | 1047 (2) comply with a civil, criminal or regulatory inquiry, subpoena or summons by federal, |
|---|
| 1078 | 1078 | | 1048state, local or other governmental authorities; |
|---|
| 1079 | 1079 | | 1049 (3) cooperate with law enforcement agencies concerning conduct or activity that the |
|---|
| 1080 | 1080 | | 1050controller or processor reasonably and in good faith believes may violate federal, state or local |
|---|
| 1081 | 1081 | | 1051laws, rules or regulations; |
|---|
| 1082 | 1082 | | 1052 (4) investigate, establish, exercise, prepare for or defend legal claims. |
|---|
| 1083 | 1083 | | 1053 (5) take immediate steps to protect the security or protection of an individual or another |
|---|
| 1084 | 1084 | | 1054natural person, if that individual or other natural person is at risk or danger of death or serious |
|---|
| 1085 | 1085 | | 1055physical injury; |
|---|
| 1086 | 1086 | | 1056 (6) process the personal information of a child or minor solely in order to submit |
|---|
| 1087 | 1087 | | 1057information relating to child victimization to law enforcement or to the nonprofit, national |
|---|
| 1088 | 1088 | | 1058resource center and clearinghouse congressionally designated to provide assistance to victims, |
|---|
| 1089 | 1089 | | 1059families, child-serving professionals and the general public on missing and exploited children |
|---|
| 1090 | 1090 | | 1060issues; or |
|---|
| 1091 | 1091 | | 1061 (7) assist another controller, processor or third party with any of the obligations under |
|---|
| 1092 | 1092 | | 1062this subsection. |
|---|
| 1093 | 1093 | | 1063 (b) The obligations imposed on controllers or processors under sections 8 through 13 |
|---|
| 1094 | 1094 | | 1064shall not restrict a controller or processor’s ability to process personal information for the |
|---|
| 1095 | 1095 | | 1065following purposes, provided that the use of the individual’s personal information is reasonably |
|---|
| 1096 | 1096 | | 1066necessary and proportionate for such purposes: |
|---|
| 1097 | 1097 | | 1067 (1) helping to uphold security, confidentiality and integrity; 54 of 71 |
|---|
| 1098 | 1098 | | 1068 (2) debugging to identify and repair errors that impair existing intended functionality; |
|---|
| 1099 | 1099 | | 1069 (3) fulfilling the terms of a written warranty or product recall conducted in accordance |
|---|
| 1100 | 1100 | | 1070with federal law; |
|---|
| 1101 | 1101 | | 1071 (4) engaging in public or peer-reviewed scientific, historical or statistical research in the |
|---|
| 1102 | 1102 | | 1072public interest that conforms or adheres to all other applicable ethics and privacy laws; provided, |
|---|
| 1103 | 1103 | | 1073however, that such research is approved, monitored and governed by an institutional review |
|---|
| 1104 | 1104 | | 1074board, human subjects research ethics review board or a similar independent oversight entity that |
|---|
| 1105 | 1105 | | 1075determines whether: |
|---|
| 1106 | 1106 | | 1076 (i) the research is likely to provide substantial benefits that do not exclusively accrue to |
|---|
| 1107 | 1107 | | 1077the controller; |
|---|
| 1108 | 1108 | | 1078 (ii) the expected benefits of the research outweigh the privacy risks; and |
|---|
| 1109 | 1109 | | 1079 (iii) the controller has implemented reasonable safeguards to mitigate privacy risks |
|---|
| 1110 | 1110 | | 1080associated with research, including any risks associated with reidentification. |
|---|
| 1111 | 1111 | | 1081 (c) Obligations imposed on controllers or processors under this chapter shall not: |
|---|
| 1112 | 1112 | | 1082 (1) apply to the processing of personal information by a natural person in the course of a |
|---|
| 1113 | 1113 | | 1083purely personal or household activity; |
|---|
| 1114 | 1114 | | 1084 (2) apply where compliance by the controller or processor would violate an evidentiary |
|---|
| 1115 | 1115 | | 1085privilege under the laws of the commonwealth or be construed to prevent a controller or |
|---|
| 1116 | 1116 | | 1086processor from providing personal information concerning an individual to a person covered by |
|---|
| 1117 | 1117 | | 1087an evidentiary privilege under the laws of the commonwealth as part of a privileged |
|---|
| 1118 | 1118 | | 1088communication; 55 of 71 |
|---|
| 1119 | 1119 | | 1089 (3) adversely affect the right of an individual or any other person to exercise free speech, |
|---|
| 1120 | 1120 | | 1090pursuant to the First Amendment to the United States Constitution, or to exercise another right |
|---|
| 1121 | 1121 | | 1091provided for by law; or |
|---|
| 1122 | 1122 | | 1092 (4) apply to an entity’s publication of entity-based member or employee contact |
|---|
| 1123 | 1123 | | 1093information where such publication is intended to allow members of the public to contact such |
|---|
| 1124 | 1124 | | 1094member or employee in the ordinary course of the entity’s operations. |
|---|
| 1125 | 1125 | | 1095 (d) Personal information that is processed by a controller pursuant to an exemption under |
|---|
| 1126 | 1126 | | 1096subsections (a) through (c) shall: |
|---|
| 1127 | 1127 | | 1097 (1) not be processed for any purpose other than those expressly listed in subsections (a) |
|---|
| 1128 | 1128 | | 1098through (c), unless otherwise allowed by this chapter; and |
|---|
| 1129 | 1129 | | 1099 (2) notwithstanding anything in this section to the contrary, be processed: (i) in |
|---|
| 1130 | 1130 | | 1100accordance with section 5 of this chapter; and (ii) subject to reasonable administrative, technical |
|---|
| 1131 | 1131 | | 1101and physical measures to reduce reasonably foreseeable risks of harm to individuals. |
|---|
| 1132 | 1132 | | 1102 (e) If a controller processes personal information pursuant to an exemption in subsections |
|---|
| 1133 | 1133 | | 1103(a) through (c) of this section, the controller bears the burden of demonstrating that such |
|---|
| 1134 | 1134 | | 1104processing qualifies for the exemption and complies with the requirements of subsection (d). |
|---|
| 1135 | 1135 | | 1105 (f) A controller or processor that discloses personal information to a processor or third |
|---|
| 1136 | 1136 | | 1106party in compliance with the requirements of this chapter shall not be in violation of this chapter |
|---|
| 1137 | 1137 | | 1107if the recipient processes such personal information in violation of this chapter; provided, |
|---|
| 1138 | 1138 | | 1108however, that at the time of disclosing the personal information, the disclosing controller or 56 of 71 |
|---|
| 1139 | 1139 | | 1109processor did not know or should not reasonably have known that the recipient intended to |
|---|
| 1140 | 1140 | | 1110commit a violation. |
|---|
| 1141 | 1141 | | 1111 (g) A processor or third party receiving personal information from a controller or |
|---|
| 1142 | 1142 | | 1112processor in compliance with the requirements of this chapter shall not be in violation of this |
|---|
| 1143 | 1143 | | 1113chapter if the controller or processor from which it receives the personal information fails to |
|---|
| 1144 | 1144 | | 1114comply with applicable obligations under this chapter; provided, however, that the processor or |
|---|
| 1145 | 1145 | | 1115third party shall be liable for its own violations of this chapter. |
|---|
| 1146 | 1146 | | 1116 (h) If an individual has already consented to a controller’s use, disclosure, or sale of their |
|---|
| 1147 | 1147 | | 1117personal information to produce a physical item, such as a school yearbook, sections 8 through |
|---|
| 1148 | 1148 | | 111813 shall not apply to the controller’s use, disclosure, or sale of the particular pieces of the |
|---|
| 1149 | 1149 | | 1119individual’s personal information for the production of that physical item; provided, however, |
|---|
| 1150 | 1150 | | 1120that: |
|---|
| 1151 | 1151 | | 1121 (1) the controller has incurred significant expense in reliance on the individual’s consent; |
|---|
| 1152 | 1152 | | 1122 (2) compliance with the individual’s request to exercise the rights set forth in sections 8 |
|---|
| 1153 | 1153 | | 1123through 13 would not be commercially reasonable; and |
|---|
| 1154 | 1154 | | 1124 (3) the controller complies with the individual’s request as soon as it is commercially |
|---|
| 1155 | 1155 | | 1125reasonable to do so. |
|---|
| 1156 | 1156 | | 1126 Section 25. Powers of the Attorney General |
|---|
| 1157 | 1157 | | 1127 (a) Whenever the attorney general has reasonable cause to believe that an entity has |
|---|
| 1158 | 1158 | | 1128engaged in, is engaging in, or is about to engage in a violation of this chapter, the attorney |
|---|
| 1159 | 1159 | | 1129general may issue a civil investigative demand. The provisions of section 6 of chapter 93A of the 57 of 71 |
|---|
| 1160 | 1160 | | 1130General Laws shall apply mutatis mutandis to civil investigative demands issued under this |
|---|
| 1161 | 1161 | | 1131chapter. |
|---|
| 1162 | 1162 | | 1132 (b) The attorney general shall have the authority to enforce the provisions of this chapter. |
|---|
| 1163 | 1163 | | 1133A violation of this chapter, except as otherwise specified in section 26, shall not serve as the |
|---|
| 1164 | 1164 | | 1134basis for or be subject to a private right of action under this chapter. Nothing in this chapter, |
|---|
| 1165 | 1165 | | 1135except as otherwise specified in section 26, shall be construed as creating a new private right of |
|---|
| 1166 | 1166 | | 1136action or serving as the basis for a private right of action that would not otherwise have had a |
|---|
| 1167 | 1167 | | 1137basis under any other law but for the enactment of this chapter. This chapter neither relieves any |
|---|
| 1168 | 1168 | | 1138party from any duties or obligations imposed, nor alters any independent rights that individuals |
|---|
| 1169 | 1169 | | 1139have, under chapter 93A of the General Laws, other state or federal laws, the Massachusetts |
|---|
| 1170 | 1170 | | 1140Constitution, or the United States Constitution. |
|---|
| 1171 | 1171 | | 1141 (c) Prior to initiating any civil action under this chapter, the attorney general shall provide |
|---|
| 1172 | 1172 | | 1142an entity written notice identifying the specific provisions of this chapter that the attorney |
|---|
| 1173 | 1173 | | 1143general alleges have been or are being violated. |
|---|
| 1174 | 1174 | | 1144 (d) (1) The entity shall have a period of 30 days in which to cure a violation after being |
|---|
| 1175 | 1175 | | 1145provided notice by the attorney general. If within that time period the entity cures the noticed |
|---|
| 1176 | 1176 | | 1146violation and provides the attorney general an express written statement that the alleged |
|---|
| 1177 | 1177 | | 1147violations have been cured and that no such further violations shall occur, the attorney general |
|---|
| 1178 | 1178 | | 1148shall initiate no action against the entity. |
|---|
| 1179 | 1179 | | 1149 (2) The cure period stipulated in paragraph (1) shall not apply when: |
|---|
| 1180 | 1180 | | 1150 (i) the court has previously issued a temporary restraining order, preliminary injunction, |
|---|
| 1181 | 1181 | | 1151or permanent injunction or assessed civil penalties against the entity for a violation of: (A) this 58 of 71 |
|---|
| 1182 | 1182 | | 1152chapter; or (B) chapter 93A of the General Laws, provided that such violation occurs after the |
|---|
| 1183 | 1183 | | 1153effective date of this section; |
|---|
| 1184 | 1184 | | 1154 (ii) the attorney general and the entity have previously reached a settlement that includes |
|---|
| 1185 | 1185 | | 1155an admission by the entity that it has violated: (A) this chapter, not including any express written |
|---|
| 1186 | 1186 | | 1156statement provided pursuant to paragraph (1); or (B) chapter 93A of the General Laws, provided |
|---|
| 1187 | 1187 | | 1157that such admission occurs after the effective date of this section; |
|---|
| 1188 | 1188 | | 1158 (iii) the attorney general has clear and convincing evidence that the entity willfully and |
|---|
| 1189 | 1189 | | 1159wantonly violated this chapter; |
|---|
| 1190 | 1190 | | 1160 (iv) the violation is a data broker’s failure to register pursuant to section 20 of this |
|---|
| 1191 | 1191 | | 1161chapter; or |
|---|
| 1192 | 1192 | | 1162 (v) the violation occurs more than twelve months after the effective date of this section |
|---|
| 1193 | 1193 | | 1163and the violating entity is: (A) a large data holder; or (B) a data broker pursuant to paragraph (1) |
|---|
| 1194 | 1194 | | 1164of the definition of data broker in section 2. |
|---|
| 1195 | 1195 | | 1165 (3) In its notice pursuant to subsection (c), the attorney general shall specify the length, if |
|---|
| 1196 | 1196 | | 1166any, of the period in which the entity can cure the noticed violation. |
|---|
| 1197 | 1197 | | 1167 (e)(1) The attorney general may initiate a civil action against an entity in the name of the |
|---|
| 1198 | 1198 | | 1168commonwealth or as parens patriae on behalf of individuals if the entity: |
|---|
| 1199 | 1199 | | 1169 (i) fails to cure a violation within 30 days after receipt of the attorney general’s notice of |
|---|
| 1200 | 1200 | | 1170the violation; |
|---|
| 1201 | 1201 | | 1171 (ii) breaches an express written statement provided to the attorney general pursuant to |
|---|
| 1202 | 1202 | | 1172subsection (d); or 59 of 71 |
|---|
| 1203 | 1203 | | 1173 (iii) is not eligible for a cure period pursuant to subsection (d). |
|---|
| 1204 | 1204 | | 1174 (2) The attorney general may seek: |
|---|
| 1205 | 1205 | | 1175 (i) civil penalties of up to 7,500 dollars for each violation under this chapter; and |
|---|
| 1206 | 1206 | | 1176 (ii) a temporary restraining order, preliminary injunction, or permanent injunction to |
|---|
| 1207 | 1207 | | 1177restrain any violations of this chapter. |
|---|
| 1208 | 1208 | | 1178 (f) A data broker that fails to register as required by section 20 shall be subject to |
|---|
| 1209 | 1209 | | 1179injunction and may be liable for civil penalties, fees and costs in a civil action brought on behalf |
|---|
| 1210 | 1210 | | 1180of the commonwealth by the attorney general as follows: |
|---|
| 1211 | 1211 | | 1181 (1) a civil penalty of up to 500 dollars for each day, not to exceed a total of 100,000 |
|---|
| 1212 | 1212 | | 1182dollars for each year, that the data broker fails to register as required by section 20; and |
|---|
| 1213 | 1213 | | 1183 (2) fees equal to the fees that were due during the period the data broker failed to register. |
|---|
| 1214 | 1214 | | 1184 (g) The superior court shall have jurisdiction of actions brought under this section. Such |
|---|
| 1215 | 1215 | | 1185actions may be brought in any county where a defendant resides or has its principal place of |
|---|
| 1216 | 1216 | | 1186business or in which the violation occurred in whole or in part, or, with the consent of a |
|---|
| 1217 | 1217 | | 1187defendant, in the superior court for Suffolk County. |
|---|
| 1218 | 1218 | | 1188 (h) In determining the overall amount of civil penalties to seek or assess against an entity, |
|---|
| 1219 | 1219 | | 1189the attorney general or the court shall include, but not be limited to, the following in its |
|---|
| 1220 | 1220 | | 1190consideration: |
|---|
| 1221 | 1221 | | 1191 (1) the size, scope and type of the entity; |
|---|
| 1222 | 1222 | | 1192 (2) the amount of resources available to the entity; 60 of 71 |
|---|
| 1223 | 1223 | | 1193 (3) the amount and nature of personal information processed by the entity; |
|---|
| 1224 | 1224 | | 1194 (4) the number of violations; |
|---|
| 1225 | 1225 | | 1195 (5) the number of violations affecting children or minors; |
|---|
| 1226 | 1226 | | 1196 (6) the nature and severity of the violation; |
|---|
| 1227 | 1227 | | 1197 (7) the risks caused by the violation; |
|---|
| 1228 | 1228 | | 1198 (8) whether the entity’s violation was an isolated instance or part of a pattern of |
|---|
| 1229 | 1229 | | 1199violations and noncompliance with this chapter; |
|---|
| 1230 | 1230 | | 1200 (9) whether the entity is a data broker that did not register pursuant to section 20; |
|---|
| 1231 | 1231 | | 1201 (10) whether the violation was willful and not the result of error; |
|---|
| 1232 | 1232 | | 1202 (11) the length of time over which the violation occurred; |
|---|
| 1233 | 1233 | | 1203 (12) the precautions taken by the entity to prevent a violation; |
|---|
| 1234 | 1234 | | 1204 (13) the good faith cooperation of the entity with any investigations conducted by the |
|---|
| 1235 | 1235 | | 1205attorney general pursuant to this section; |
|---|
| 1236 | 1236 | | 1206 (14) efforts undertaken by the entity to cure the violation; and |
|---|
| 1237 | 1237 | | 1207 (15) the entity’s past violations of information privacy rules, regulations, codes, |
|---|
| 1238 | 1238 | | 1208ordinances and laws in other jurisdictions. |
|---|
| 1239 | 1239 | | 1209 (i) Any entity that violates the terms of an injunction or other order issued under this |
|---|
| 1240 | 1240 | | 1210section shall forfeit and pay a civil penalty of up to 10,000 dollars for each violation. For the |
|---|
| 1241 | 1241 | | 1211purposes of this section, the court issuing such an injunction or order shall retain jurisdiction, and 61 of 71 |
|---|
| 1242 | 1242 | | 1212the cause shall be continued, and in such case the attorney general acting in the name of the |
|---|
| 1243 | 1243 | | 1213commonwealth may petition for recovery of such civil penalty. |
|---|
| 1244 | 1244 | | 1214 (j) The attorney general may recover reasonable expenses, including attorney fees, |
|---|
| 1245 | 1245 | | 1215incurred in investigating and preparing the case in any action initiated under this chapter. |
|---|
| 1246 | 1246 | | 1216 (k) If two or more entities are involved in the same processing that violates this chapter, |
|---|
| 1247 | 1247 | | 1217the liability shall be allocated among the parties according to principles of comparative fault. |
|---|
| 1248 | 1248 | | 1218 (l) Notwithstanding any general or special law to the contrary, the court may require that |
|---|
| 1249 | 1249 | | 1219the amount of a civil penalty imposed pursuant to this section exceeds the economic benefit |
|---|
| 1250 | 1250 | | 1220realized by an entity for noncompliance. |
|---|
| 1251 | 1251 | | 1221 (m) If a series of steps or transactions were component parts of a single transaction |
|---|
| 1252 | 1252 | | 1222intended to avoid the reach of this chapter, the attorney general and the court shall disregard the |
|---|
| 1253 | 1253 | | 1223intermediate steps or transactions and consider everything one transaction for purposes of |
|---|
| 1254 | 1254 | | 1224effectuating the purposes of this chapter. |
|---|
| 1255 | 1255 | | 1225 (n) Not later than 30 days after the end of each calendar year, the attorney general shall |
|---|
| 1256 | 1256 | | 1226publish a public, easily accessible report that provides, for that calendar year, the following |
|---|
| 1257 | 1257 | | 1227information: |
|---|
| 1258 | 1258 | | 1228 (1) the number of written notices issued pursuant to subsection (c) and the number of |
|---|
| 1259 | 1259 | | 1229entities that received such notices; |
|---|
| 1260 | 1260 | | 1230 (2) examples of alleged violations that have been cured by an entity pursuant to |
|---|
| 1261 | 1261 | | 1231subsection (d); and |
|---|
| 1262 | 1262 | | 1232 (3) categories of violations of this chapter and the number of violations per category. 62 of 71 |
|---|
| 1263 | 1263 | | 1233 (o) The attorney general shall receive and may investigate sworn complaints from an |
|---|
| 1264 | 1264 | | 1234individual or other natural person that an entity has engaged in, is engaging in, or is about to |
|---|
| 1265 | 1265 | | 1235engage in any violation of this chapter. |
|---|
| 1266 | 1266 | | 1236 (p) The attorney general shall maintain the following internet web pages: |
|---|
| 1267 | 1267 | | 1237 (1) a web page that includes an online mechanism through which any individual or other |
|---|
| 1268 | 1268 | | 1238natural person may contact the attorney general to submit a sworn complaint; |
|---|
| 1269 | 1269 | | 1239 (2) a web page that enables data brokers to register pursuant to section 20; and |
|---|
| 1270 | 1270 | | 1240 (3) a web page that: |
|---|
| 1271 | 1271 | | 1241 (i) makes publicly accessible the information provided by each data broker pursuant to |
|---|
| 1272 | 1272 | | 1242section 20; provided, however, that the information shall be disaggregated by data broker; and |
|---|
| 1273 | 1273 | | 1243 (ii) includes a link and mechanism, if feasible, by which an individual may: (A) pursuant |
|---|
| 1274 | 1274 | | 1244to section 8, opt out of the processing of the individual’s personal information by all registered |
|---|
| 1275 | 1275 | | 1245data brokers for the purposes of the sale of such information or for targeted cross-contextual |
|---|
| 1276 | 1276 | | 1246advertising; and (B) pursuant to section 11, request that all registered data brokers delete any |
|---|
| 1277 | 1277 | | 1247personal information processed about the individual. |
|---|
| 1278 | 1278 | | 1248 (q) The attorney general shall promote public awareness and understanding of the risks, |
|---|
| 1279 | 1279 | | 1249rules, responsibilities, safeguards and rights in relation to the processing of personal information, |
|---|
| 1280 | 1280 | | 1250including, but not limited to, the rights of children and minors with respect to their own |
|---|
| 1281 | 1281 | | 1251information. The attorney general shall provide guidance to individuals regarding what to do if |
|---|
| 1282 | 1282 | | 1252they believe their rights under this chapter have been violated. 63 of 71 |
|---|
| 1283 | 1283 | | 1253 (r) The attorney general shall create and make publicly accessible the following |
|---|
| 1284 | 1284 | | 1254templates: |
|---|
| 1285 | 1285 | | 1255 (1) a template privacy policy that meets the requirements of section 7; |
|---|
| 1286 | 1286 | | 1256 (2) a template contract between a controller and a processor that meets the requirements |
|---|
| 1287 | 1287 | | 1257of section 19; and |
|---|
| 1288 | 1288 | | 1258 (3) a template risk assessment that meets the requirements of section 21. |
|---|
| 1289 | 1289 | | 1259 (s) The attorney general shall seek to collaborate with entities responsible for enforcing |
|---|
| 1290 | 1290 | | 1260personal information privacy laws in other jurisdictions. The attorney general shall have the |
|---|
| 1291 | 1291 | | 1261power to determine, pursuant to section 28, whether the provisions of a personal information |
|---|
| 1292 | 1292 | | 1262privacy law in another jurisdiction are equally or more protective of personal information than |
|---|
| 1293 | 1293 | | 1263the provisions of this chapter. |
|---|
| 1294 | 1294 | | 1264 (t) The attorney general shall establish a mechanism pursuant to which an entity that |
|---|
| 1295 | 1295 | | 1265processes the personal information of one or more individuals but does not meet the applicability |
|---|
| 1296 | 1296 | | 1266criteria set forth in subsection (b) of section 3 may voluntarily certify that it is fully in |
|---|
| 1297 | 1297 | | 1267compliance with, and agrees to be bound by, this chapter. The attorney general shall make a list |
|---|
| 1298 | 1298 | | 1268of those entities available to the public. |
|---|
| 1299 | 1299 | | 1269 (u) The attorney general shall adopt regulations for the purposes of carrying out this |
|---|
| 1300 | 1300 | | 1270chapter, including, but not limited to, the following areas: |
|---|
| 1301 | 1301 | | 1271 (1) supplementing any of the definitions used in this chapter or adding in new definitions |
|---|
| 1302 | 1302 | | 1272for terms that are used but not otherwise defined in this chapter, in order to address changes in |
|---|
| 1303 | 1303 | | 1273technology, data collection, obstacles to implementation and privacy concerns; 64 of 71 |
|---|
| 1304 | 1304 | | 1274 (2) ensuring that the notices and information that controllers are required to provide |
|---|
| 1305 | 1305 | | 1275pursuant to section 7 are: |
|---|
| 1306 | 1306 | | 1276 (i) provided in a manner that may be easily understood by the average individual; |
|---|
| 1307 | 1307 | | 1277 (ii) accessible to individuals with disabilities; and |
|---|
| 1308 | 1308 | | 1278 (iii) available in the language primarily used to interact with the individual; |
|---|
| 1309 | 1309 | | 1279 (3) detailing the requirements and technical specifications for a platform, technology or |
|---|
| 1310 | 1310 | | 1280mechanism that sends an opt-out preference signal indicating an individual’s intent to opt out of |
|---|
| 1311 | 1311 | | 1281the processing of such individual’s personal information for one or more of the purposes |
|---|
| 1312 | 1312 | | 1282specified in subsection (a) of section 8; provided, however that the requirements and technical |
|---|
| 1313 | 1313 | | 1283specifications shall be updated from time to time to reflect the means by which individuals |
|---|
| 1314 | 1314 | | 1284interact with controllers; and provided further, that any such platform, technology or mechanism |
|---|
| 1315 | 1315 | | 1285shall: |
|---|
| 1316 | 1316 | | 1286 (i) not unfairly disadvantage another controller; |
|---|
| 1317 | 1317 | | 1287 (ii) clearly represent the individual’s affirmative, freely-given and unambiguous intent to |
|---|
| 1318 | 1318 | | 1288opt out pursuant to subsection (a) of section 8 and be free of default settings constraining or |
|---|
| 1319 | 1319 | | 1289presupposing that intent; |
|---|
| 1320 | 1320 | | 1290 (iii) be consumer-friendly, clearly described and easy to use by the average individual; |
|---|
| 1321 | 1321 | | 1291 (iv) be as consistent as possible with any other similar platform, technology or |
|---|
| 1322 | 1322 | | 1292mechanism required by any federal or state law or regulation; and 65 of 71 |
|---|
| 1323 | 1323 | | 1293 (v) enable the controller to accurately determine if the mechanism represents a legitimate |
|---|
| 1324 | 1324 | | 1294opt-out request pursuant to section 8; and |
|---|
| 1325 | 1325 | | 1295 (4) supplementing or revising the list of industry recognized cybersecurity frameworks |
|---|
| 1326 | 1326 | | 1296specified in paragraphs (1) and (2) of subsection (d) of section 26, in order to address changes in |
|---|
| 1327 | 1327 | | 1297technology, data collection, obstacles to implementation, best practices with respect to |
|---|
| 1328 | 1328 | | 1298cybersecurity controls and privacy concerns. |
|---|
| 1329 | 1329 | | 1299 (v) The attorney general shall conduct research and monitor relevant developments |
|---|
| 1330 | 1330 | | 1300relating to the protection of personal information, the development of information and |
|---|
| 1331 | 1331 | | 1301communication technologies and commercial practices and the enactment and implementation of |
|---|
| 1332 | 1332 | | 1302privacy laws by the federal government or other states, territories or countries. Specific topics for |
|---|
| 1333 | 1333 | | 1303research shall include, but are not limited to, the following areas: |
|---|
| 1334 | 1334 | | 1304 (1) the available best methods for: (i) individuals to exercise the rights set forth in |
|---|
| 1335 | 1335 | | 1305sections 8 through 13; and (ii) entities to conspicuously and clearly disclose how to exercise such |
|---|
| 1336 | 1336 | | 1306rights; |
|---|
| 1337 | 1337 | | 1307 (2) automated decision-making technologies; |
|---|
| 1338 | 1338 | | 1308 (3) eye-tracking technology and targeted advertising based on information collected |
|---|
| 1339 | 1339 | | 1309through eye-tracking technology; |
|---|
| 1340 | 1340 | | 1310 (4) financial incentive programs offered by controllers for the processing of personal |
|---|
| 1341 | 1341 | | 1311information; |
|---|
| 1342 | 1342 | | 1312 (5) the data broker industry, including data brokers that have registered pursuant to |
|---|
| 1343 | 1343 | | 1313section 20; 66 of 71 |
|---|
| 1344 | 1344 | | 1314 (6) the effectiveness of allowing an individual to designate an authorized agent to |
|---|
| 1345 | 1345 | | 1315exercise a right on their behalf pursuant to section 8; and |
|---|
| 1346 | 1346 | | 1316 (7) whether to change or eliminate the cure period established in subsection (d) of section |
|---|
| 1347 | 1347 | | 131725. |
|---|
| 1348 | 1348 | | 1318 (w) Every twelve months, the attorney general shall provide a full written report to the |
|---|
| 1349 | 1349 | | 1319joint committee on advanced information technology, the internet and cybersecurity. The report |
|---|
| 1350 | 1350 | | 1320shall summarize the attorney general’s work pursuant to this section and detail the attorney |
|---|
| 1351 | 1351 | | 1321general’s research and any recommendations with respect to privacy-related legislation. The first |
|---|
| 1352 | 1352 | | 1322such report shall be submitted 12 months after the effective date of this subsection. |
|---|
| 1353 | 1353 | | 1323 (x) The monetary amounts referred to in this chapter shall be indexed biennially for |
|---|
| 1354 | 1354 | | 1324inflation by the attorney general, who, not later than December 31 of each even numbered year, |
|---|
| 1355 | 1355 | | 1325shall calculate and publish such indexed amounts, using the federal consumer price index for the |
|---|
| 1356 | 1356 | | 1326Boston statistical area and rounding to the nearest dollar. |
|---|
| 1357 | 1357 | | 1327 Section 26. Private Right of Action and Safe Harbor |
|---|
| 1358 | 1358 | | 1328 (a) For the purposes of this section, except for the purposes of determining whether this |
|---|
| 1359 | 1359 | | 1329section applies to a given controller, the terms “breach of security” and “personal information” |
|---|
| 1360 | 1360 | | 1330shall have the same meanings as such terms are defined in section 1 of chapter 93H of the |
|---|
| 1361 | 1361 | | 1331General Laws. |
|---|
| 1362 | 1362 | | 1332 (b) Any individual whose personal information is subject to a breach of security as a |
|---|
| 1363 | 1363 | | 1333result of a controller’s failure to implement and maintain reasonable cybersecurity controls may |
|---|
| 1364 | 1364 | | 1334institute a civil action for any of the following: 67 of 71 |
|---|
| 1365 | 1365 | | 1335 (1) damages from the controller in an amount up to 500 dollars per individual per |
|---|
| 1366 | 1366 | | 1336incident or actual damages, whichever is greater; |
|---|
| 1367 | 1367 | | 1337 (2) injunctive or declaratory relief; or |
|---|
| 1368 | 1368 | | 1338 (3) any other relief the court deems proper. |
|---|
| 1369 | 1369 | | 1339 (c) In determining the amount of statutory damages against the controller, the court shall |
|---|
| 1370 | 1370 | | 1340consider any one or more of the relevant circumstances presented by any of the parties to the |
|---|
| 1371 | 1371 | | 1341case, including, but not limited to, the criteria stipulated in paragraphs (1) through (15) of |
|---|
| 1372 | 1372 | | 1342subsection (h) of section 25. |
|---|
| 1373 | 1373 | | 1343 (d) In any cause of action founded in tort that is brought pursuant to this section and that |
|---|
| 1374 | 1374 | | 1344alleges that the controller’s failure to implement reasonable cybersecurity controls resulted in a |
|---|
| 1375 | 1375 | | 1345breach of security concerning personal information, the court shall not assess punitive damages |
|---|
| 1376 | 1376 | | 1346against a controller if such controller created, maintained and complied with a written |
|---|
| 1377 | 1377 | | 1347cybersecurity program that contains administrative, technical and physical safeguards for the |
|---|
| 1378 | 1378 | | 1348protection of personal information and that conforms to an industry recognized cybersecurity |
|---|
| 1379 | 1379 | | 1349framework; provided, however, that the controller designed and implemented its cybersecurity |
|---|
| 1380 | 1380 | | 1350program in accordance with the regulations adopted pursuant to chapter 93H of the General |
|---|
| 1381 | 1381 | | 1351Laws; and provided further, that: |
|---|
| 1382 | 1382 | | 1352 (1) such cybersecurity program conforms to the current version of or any combination of |
|---|
| 1383 | 1383 | | 1353the current versions of: |
|---|
| 1384 | 1384 | | 1354 (i) the “Framework for Improving Critical Infrastructure Cybersecurity” published by the |
|---|
| 1385 | 1385 | | 1355National Institute of Standards and Technology; 68 of 71 |
|---|
| 1386 | 1386 | | 1356 (ii) the National Institute of Standards and Technology’s special publication 800-171; |
|---|
| 1387 | 1387 | | 1357 (iii) the National Institute of Standards and Technology’s special publications 800-53 and |
|---|
| 1388 | 1388 | | 1358800-53a; |
|---|
| 1389 | 1389 | | 1359 (iv) the Federal Risk and Authorization Management Program’s “FedRAMP Security |
|---|
| 1390 | 1390 | | 1360Assessment Framework”; |
|---|
| 1391 | 1391 | | 1361 (v) the Center for Internet Security’s “Center for Internet Security Critical Security |
|---|
| 1392 | 1392 | | 1362Controls for Effective Cyber Defense”; or |
|---|
| 1393 | 1393 | | 1363 (vi) the “ISO/IEC 27000-series” information security standards published by the |
|---|
| 1394 | 1394 | | 1364International Organization for Standardization and the International Electrotechnical |
|---|
| 1395 | 1395 | | 1365Commission; or |
|---|
| 1396 | 1396 | | 1366 (2) such program complies with the current version of the “Payment Card Industry Data |
|---|
| 1397 | 1397 | | 1367Security Standard” and the current version of another applicable industry recognized |
|---|
| 1398 | 1398 | | 1368cybersecurity framework described in paragraph (1). |
|---|
| 1399 | 1399 | | 1369 (e) When a revision to a document listed in paragraphs (1) or (2) of subsection (d) is |
|---|
| 1400 | 1400 | | 1370published, a controller whose cybersecurity program conforms to a prior version of that |
|---|
| 1401 | 1401 | | 1371document shall be said to conform to the current version of that document if the controller |
|---|
| 1402 | 1402 | | 1372conforms to such revision not later than six months after the publication date of the revision. |
|---|
| 1403 | 1403 | | 1373 (f) The scale and scope of a controller’s cybersecurity program shall be based on: |
|---|
| 1404 | 1404 | | 1374 (1) the size, scope and type of the controller; |
|---|
| 1405 | 1405 | | 1375 (2) the amount of resources available to the controller; 69 of 71 |
|---|
| 1406 | 1406 | | 1376 (3) the amount and nature of personal information processed by the controller; and |
|---|
| 1407 | 1407 | | 1377 (4) the need for upholding security, integrity and confidentiality with respect to the |
|---|
| 1408 | 1408 | | 1378personal information processed by the controller. |
|---|
| 1409 | 1409 | | 1379 (g) Subsection (d) shall not apply if the controller’s failure to implement reasonable |
|---|
| 1410 | 1410 | | 1380cybersecurity controls was the result of gross negligence or willful or wanton conduct. |
|---|
| 1411 | 1411 | | 1381 (h) Nothing in this section shall limit the authority of the attorney general to initiate |
|---|
| 1412 | 1412 | | 1382actions pursuant to: |
|---|
| 1413 | 1413 | | 1383 (1) section 25 of this chapter; |
|---|
| 1414 | 1414 | | 1384 (2) chapter 93A or 93H of the General Laws; or |
|---|
| 1415 | 1415 | | 1385 (3) any other general law. |
|---|
| 1416 | 1416 | | 1386 (i) The cause of action established by this section shall apply only to violations as defined |
|---|
| 1417 | 1417 | | 1387in this section. |
|---|
| 1418 | 1418 | | 1388 Section 27. Massachusetts Privacy Fund |
|---|
| 1419 | 1419 | | 1389 (a) There shall be established upon the books of the commonwealth a separate special |
|---|
| 1420 | 1420 | | 1390fund to be known as the Massachusetts Privacy Fund. |
|---|
| 1421 | 1421 | | 1391 (b) All civil penalties, expenses, attorney fees and registration fees collected pursuant to |
|---|
| 1422 | 1422 | | 1392sections 20 and 25 shall be paid into the state treasury and credited to the Massachusetts Privacy |
|---|
| 1423 | 1423 | | 1393Fund. Interest earned on moneys in the fund shall remain in the fund and be credited to it. Any |
|---|
| 1424 | 1424 | | 1394moneys remaining in the fund, including interest thereon, at the end of each fiscal year shall |
|---|
| 1425 | 1425 | | 1395remain in the fund and not revert to the general fund. 70 of 71 |
|---|
| 1426 | 1426 | | 1396 (c) The attorney general shall have discretion to allocate the proceeds of any settlement of |
|---|
| 1427 | 1427 | | 1397a civil action pursuant to this chapter to: |
|---|
| 1428 | 1428 | | 1398 (1) the Massachusetts Privacy Fund; |
|---|
| 1429 | 1429 | | 1399 (2) the general fund; or |
|---|
| 1430 | 1430 | | 1400 (3) where possible, directly to individuals impacted by the violation of the chapter. |
|---|
| 1431 | 1431 | | 1401 (d) Moneys in the Massachusetts Privacy Fund shall be used to support the work of the |
|---|
| 1432 | 1432 | | 1402attorney general pursuant to section 25. Moneys in the fund shall be subject to appropriation and |
|---|
| 1433 | 1433 | | 1403shall not be used to supplant general fund appropriations to the attorney general. |
|---|
| 1434 | 1434 | | 1404 Section 28. Reciprocity and Interoperability |
|---|
| 1435 | 1435 | | 1405 (a) A controller or processor shall be in compliance with provisions of this chapter if: |
|---|
| 1436 | 1436 | | 1406 (1) it complies with comparable provisions of a personal information privacy law in |
|---|
| 1437 | 1437 | | 1407another jurisdiction; |
|---|
| 1438 | 1438 | | 1408 (2) the controller or processor applies the provisions of that law to its processing |
|---|
| 1439 | 1439 | | 1409activities concerning individuals; and |
|---|
| 1440 | 1440 | | 1410 (3) the attorney general determines that the provisions of that law in the other jurisdiction |
|---|
| 1441 | 1441 | | 1411are equally or more protective of personal information than the provisions of this chapter. |
|---|
| 1442 | 1442 | | 1412 (b) The attorney general may charge a fee to a controller or processor that asserts |
|---|
| 1443 | 1443 | | 1413compliance with a comparable law under subsection (a); provided, however, that the fee shall |
|---|
| 1444 | 1444 | | 1414reflect costs reasonably expected to be incurred by the attorney general to determine whether the |
|---|
| 1445 | 1445 | | 1415provisions of such law are equally or more protective than the provisions of this chapter. 71 of 71 |
|---|
| 1446 | 1446 | | 1416 Section 29. Severability |
|---|
| 1447 | 1447 | | 1417 (a) The provisions of this chapter are severable. If any provision of this chapter, or the |
|---|
| 1448 | 1448 | | 1418application of any provision of this chapter, is held invalid, the remaining provisions, or |
|---|
| 1449 | 1449 | | 1419applications of provisions, shall remain in full force and not be affected. |
|---|
| 1450 | 1450 | | 1420 (b) If a court were to find in a final, unreviewable judgment that the exclusion of one or |
|---|
| 1451 | 1451 | | 1421more entities or activities from the applicability of this chapter renders the chapter |
|---|
| 1452 | 1452 | | 1422unconstitutional, those exceptions shall be rendered null and invalid and the exemption shall not |
|---|
| 1453 | 1453 | | 1423continue. |
|---|
| 1454 | 1454 | | 1424 Section 30. Implementation for Nonprofits and Institutions of Higher Education |
|---|
| 1455 | 1455 | | 1425 This chapter shall apply to nonprofit organizations and institutions of higher education. |
|---|
| 1456 | 1456 | | 1426 SECTION 2. Chapter 93M of the General Laws shall take effect 18 months after the |
|---|
| 1457 | 1457 | | 1427passage of this act; provided, however, that: |
|---|
| 1458 | 1458 | | 1428 (1) section 2 and subsections (p) through (w) of section 25 of the chapter shall take effect |
|---|
| 1459 | 1459 | | 1429upon the passage of this act; and |
|---|
| 1460 | 1460 | | 1430 (2) section 30 of the chapter shall take effect 30 months after the passage of this act. |
|---|