Massachusetts 2023-2024 Regular Session

Massachusetts Senate Bill S25 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	1 of 1
2	2	SENATE DOCKET, NO. 745 FILED ON: 1/18/2023
3	3	SENATE . . . . . . . . . . . . . . No. 25
4	4	The Commonwealth of Massachusetts
5	5	_________________
6	6	PRESENTED BY:
7	7	Cynthia Stone Creem
8	8	_________________
9	9	To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
10	10	Court assembled:
11	11	The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:
12	12	An Act establishing the Massachusetts Data Privacy Protection Act.
13	13	_______________
14	14	PETITION OF:
15	15	NAME:DISTRICT/ADDRESS :Cynthia Stone CreemNorfolk and MiddlesexJason M. LewisFifth Middlesex2/9/2023 1 of 62
16	16	SENATE DOCKET, NO. 745 FILED ON: 1/18/2023
17	17	SENATE . . . . . . . . . . . . . . No. 25
18	18	By Ms. Creem, a petition (accompanied by bill, Senate, No. 25) of Cynthia Stone Creem and
19	19	Jason M. Lewis for legislation to establish the Massachusetts Data Privacy Protection Act.
20	20	Advanced Information Technology, the Internet and Cybersecurity.
21	21	The Commonwealth of Massachusetts
22	22	_______________
23	23	In the One Hundred and Ninety-Third General Court
24	24	(2023-2024)
25	25	_______________
26	26	An Act establishing the Massachusetts Data Privacy Protection Act.
27	27	Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority
28	28	of the same, as follows:
29	29	1 SECTION 1. The General Laws, as appearing in the 2020 Official Edition, are hereby
30	30	2amended by inserting after chapter 93K the following chapter:
31	31	3 Chapter 93L. Massachusetts Data Privacy Protection Act
32	32	4 Section 1. Definitions
33	33	5 (a)As used in this chapter, the following words shall, unless the context clearly requires
34	34	6otherwise, have the following meanings:—
35	35	7 (1)affirmative express consent”, an affirmative act by an individual that clearly
36	36	8communicates the individual’s freely given, specific, and unambiguous authorization for an act
37	37	9or practice after having been informed, in response to a specific request from a covered entity
38	38	10that meets the requirements of this chapter.
39	39	11 (2)“authentication”, the process of verifying an individual or entity for security purposes. 2 of 62
40	40	12 (3)“biometric information”, any covered data generated from the technological
41	41	13processing of an individual’s unique biological, physical, or physiological characteristics that is
42	42	14linked or reasonably linkable to an individual, including:—
43	43	15 (i)fingerprints;
44	44	16 (ii)voice prints;
45	45	17 (iii)iris or retina scans;
46	46	18 (iv)facial or hand mapping, geometry, or templates; or
47	47	19 (v)gait or personally identifying physical movements.
48	48	20 The term “biometric information” does not include a digital or physical photograph; an
49	49	21audio or video recording; or data generated from a digital or physical photograph, or an audio or
50	50	22video recording, that cannot be used to identify an individual.
51	51	23 (4)“collect” and “collection”, buying, renting, gathering, obtaining, receiving, accessing,
52	52	24or otherwise acquiring covered data by any means.
53	53	25 (5)“control”, with respect to an entity:—
54	54	26 (i)ownership of, or the power to vote, more than 50 percent of the outstanding shares of
55	55	27any class of voting security of the entity;
56	56	28 (ii)control over the election of a majority of the directors of the entity (or of individuals
57	57	29exercising similar functions); or
58	58	30 (iii)the power to exercise a controlling influence over the management of the entity. 3 of 62
59	59	31 (6)“covered algorithm”, a computational process that uses machine learning, natural
60	60	32language processing, artificial intelligence techniques, or other computational processing
61	61	33techniques of similar or greater complexity and that makes a decision or facilitates human
62	62	34decision-making with respect to covered data, including determining the provision of products or
63	63	35services or to rank, order, promote, recommend, amplify, or similarly determine the delivery or
64	64	36display of information to an individual.
65	65	37 (7)“covered data”, information, including derived data and unique persistent
66	66	38identifiers, that identifies or is linked or reasonably linkable, alone or in combination with other
67	67	39information, to an individual or a device that identifies or is linked or reasonably linkable to an
68	68	40individual. The term “covered data” does not include:—
69	69	41 (i)de-identified data;
70	70	42 (ii)employee data covered under section 204 of chapter 149 of the general laws; or
71	71	43 (iii)publicly available information.
72	72	44 (8)“covered entity”, any entity or any person, other than an individual acting in a non-
73	73	45commercial context, that alone or jointly with others determines the purposes and means of
74	74	46collecting, processing, or transferring covered data. The term “covered entity” does not
75	75	47include:—
76	76	48 (i)government agencies or service providers to government agencies that exclusively and
77	77	49solely process information provided by government entities; 4 of 62
78	78	50 (ii)any entity or person that meets the following criteria for the period of the 3 preceding
79	79	51calendar years (or for the period during which the covered entity or service provider has been in
80	80	52existence if such period is less than 3 years):—
81	81	53 (A)the entity or person’s average annual gross revenues during the period did not exceed
82	82	54$20,000,000;
83	83	55 (B)the entity or person, on average, did not annually collect or process the covered data
84	84	56of more than 75,000 individuals during the period beyond the purpose of initiating, rendering,
85	85	57billing for, finalizing, completing, or otherwise collecting payment for a requested service or
86	86	58product, so long as all covered data for such purpose was deleted or de-identified within 90 days,
87	87	59except when necessary to investigate fraud or as consistent with a covered entity’s return policy;
88	88	60and
89	89	61 (C)no component of its revenue comes from transferring covered data during any year (or
90	90	62part of a year if the covered entity has been in existence for less than 1 year) that occurs during
91	91	63the period.
92	92	64 (9)“covered high-impact social media company”, a covered entity that provides any
93	93	65internet-accessible platform where—
94	94	66 (i)such covered entity generates $3,000,000,000 or more in annual revenue;
95	95	67 (ii)such platform has 300,000,000 or more monthly active users for not fewer than 3 of
96	96	68the preceding 12 months on the online product or service of such covered entity; and
97	97	69 (iii)such platform constitutes an online product or service that is primarily used by users
98	98	70to access or share, user-generated content. 5 of 62
99	99	71 (10)“covered minor”, an individual under the age of 18.
100	100	72 (11)“de-identified data”, information that does not identify and is not linked or
101	101	73reasonably linkable to a distinct individual or a device, regardless of whether the information is
102	102	74aggregated, and if the covered entity or service provider:—
103	103	75 (i)takes technical measures to ensure that the information cannot, at any point, be used to
104	104	76re-identify any individual or device that identifies or is linked or reasonably linkable to an
105	105	77individual;
106	106	78 (ii)publicly commits in a clear and conspicuous manner: —
107	107	79 (A)to process and transfer the information solely in a de-identified form without any
108	108	80reasonable means for re-identification; and
109	109	81 (B)to not attempt to re-identify the information with any individual or device that
110	110	82identifies or is linked or reasonably linkable to an individual; and
111	111	83 (iii)contractually obligates any person or entity that receives the information from the
112	112	84covered entity or service provider:—
113	113	85 (A)to comply with all the provisions of this paragraph with respect to the information;
114	114	86and
115	115	87 (B)to require that such contractual obligations be included contractually in all subsequent
116	116	88instances for which the data may be received. 6 of 62
117	117	89 (12)“derived data”, covered data that is created by the derivation of information, data,
118	118	90assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another
119	119	91source of information or data about an individual or an individual’s device.
120	120	92 (13)“device”, any electronic equipment capable of collecting, processing, or transferring
121	121	93data that is used by one or more individuals or households.
122	122	94 (14)“first party advertising or marketing”, advertising or marketing conducted by a
123	123	95covered entity that collected covered data from the individual through either direct
124	124	96communications with the individual such as direct mail, email, or text message communications,
125	125	97or advertising or marketing conducted entirely within the first-party context, such as in a
126	126	98physical location operated by or on behalf of such covered entity, or on a web site or app
127	127	99operated by or on behalf of such covered entity.
128	128	100 (15)“genetic information”, any covered data, regardless of its format, that concerns an
129	129	101individual’s genetic characteristics, including:—
130	130	102 (i)raw sequence data that results from the sequencing of the complete, or a portion of the,
131	131	103extracted deoxyribonucleic acid (DNA) of an individual; or
132	132	104 (ii)genotypic and phenotypic information that results from analyzing raw sequence data
133	133	105described in subparagraph (A).
134	134	106 (16“individual”, a natural person who is a Massachusetts resident or present in
135	135	107Massachusetts.
136	136	108 (17)“knowledge”, 7 of 62
137	137	109 (i)with respect to a covered entity that is a covered high-impact social media company,
138	138	110the entity knew or should have known the individual was a covered minor;
139	139	111 (ii)with respect to a covered entity or service provider that is a large data holder, and
140	140	112otherwise is not a covered high-impact social media company, that the covered entity knew or
141	141	113acted in willful disregard of the fact that the individual was a covered minor; and
142	142	114 (iii)with respect to a covered entity or service provider that does not meet the
143	143	115requirements of clause (i) or (ii), actual knowledge.
144	144	116 (18)“large data holder”, a covered entity or service provider that in the most recent
145	145	117calendar year:—
146	146	118 (i)had annual gross revenues of $250,000,000 or more; and
147	147	119 (ii)collected, processed, or transferred the covered data of more than 5,000,000
148	148	120individuals or devices that identify or are linked or reasonably linkable to 1 or more individuals,
149	149	121excluding covered data collected and processed solely for the purpose of initiating, rendering,
150	150	122billing for, finalizing, completing, or otherwise collecting payment for a requested product or
151	151	123service; and the sensitive covered data of more than 200,000 individuals or devices that identify
152	152	124or are linked or reasonably linkable to 1 or more individuals.
153	153	125 The term “large data holder” does not include any instance in which the covered entity or
154	154	126service provider would qualify as a large data holder solely on the basis of collecting or
155	155	127processing personal email addresses, personal telephone numbers, or log-in information of an
156	156	128individual or device to allow the individual or device to log in to an account administered by the
157	157	129covered entity or service provider. 8 of 62
158	158	130 (19)“material”, with respect to an act, practice, or representation of a covered entity
159	159	131(including a representation made by the covered entity in a privacy policy or similar disclosure to
160	160	132individuals) involving the collection, processing, or transfer of covered data, that such act,
161	161	133practice, or representation is likely to affect a reasonable individual’s decision or conduct
162	162	134regarding a product or service;
163	163	135 (20)“location information”, information derived from a device or from interactions
164	164	136between devices, with or without the knowledge of the user and regardless of the technological
165	165	137method used, that pertains to or directly or indirectly reveals the present or past geographical
166	166	138location of an individual or device within the Commonwealth of Massachusetts with sufficient
167	167	139precision to identify street-level location information within a range of 1,850 feet or less.
168	168	140 (21)“OCABR”, the Office of Consumer Affairs and Business Regulation.
169	169	141 (22“process”, to conduct or direct any operation or set of operations performed on
170	170	142covered data, including analyzing, organizing, structuring, retaining, storing, using, or otherwise
171	171	143handling covered data.
172	172	144 (23“processing purpose”, a reason for which a covered entity or service provider
173	173	145collects, processes, or transfers covered data that is specific and granular enough for a reasonable
174	174	146individual to understand the material facts of how and why the covered entity or service provider
175	175	147collects, processes, or transfers the covered data.
176	176	148 (24)“publicly available information”, any information that a covered entity or service
177	177	149provider has a reasonable basis to believe has been lawfully made available to the general public
178	178	150from:— 9 of 62
179	179	151 (i)federal, state, or local government records, if the covered entity collects, processes, and
180	180	152transfers such information in accordance with any restrictions or terms of use placed on the
181	181	153information by the relevant government entity;
182	182	154 (ii)widely distributed media;
183	183	155 (iii)a website or online service made available to all members of the public, for free or for
184	184	156a fee, including where all members of the public, for free or for a fee, can log in to the website or
185	185	157online service;
186	186	158 (iv)a disclosure that has been made to the general public as required by federal, state, or
187	187	159local law; or
188	188	160 (v)the visual observation of the physical presence of an individual or a device in a public
189	189	161place, not including data collected by a device in the individual’s possession.
190	190	162 For purposes of this paragraph, information from a website or online service is not
191	191	163available to all members of the public if the individual who made the information available via
192	192	164the website or online service has restricted the information to a specific audience.
193	193	165 The term “publicly available information” does not include: —
194	194	166 (i)any obscene visual depiction, as defined in section 18 U.S.C. section 1460;
195	195	167 (ii)any inference made exclusively from multiple independent sources of publicly
196	196	168available information that reveals sensitive
197	197	169 (iii) covered data with respect to an individual;
198	198	170 (iv)biometric information; 10 of 62
199	199	171 (v)publicly available information that has been combined with covered data;
200	200	172 (vi)genetic information, unless otherwise made available by the individual to whom the
201	201	173information pertains;
202	202	174 (vii)intimate images known to have been created or shared without consent..
203	203	175 (25)“reasonably understandable”, of length and complexity such that an individual with
204	204	176an eighth-grade reading level, as established by the department of elementary and secondary
205	205	177education, can read and comprehend.
206	206	178 (26)“sensitive covered data”, the following types of covered data:—
207	207	179 (i)a government-issued identifier, such as a Social Security number, passport number, or
208	208	180driver’s license number, that is not required by law to be displayed in public.
209	209	181 (ii)any information that describes or reveals the past, present, or future physical health,
210	210	182mental health, disability, diagnosis, or healthcare condition or treatment of an individual.
211	211	183 (iii)a financial account number, debit card number, credit card number, or information
212	212	184that describes or reveals the income level or bank account balances of an individual, except that
213	213	185the last four digits of a debit or credit card number shall not be deemed sensitive covered data.
214	214	186 (iv)biometric information.
215	215	187 (v)genetic information.
216	216	188 (vi)location information. 11 of 62
217	217	189 (vii)an individual’s private communications such as voicemails, emails, texts, direct
218	218	190messages, or mail, or information identifying the parties to such communications, voice
219	219	191communications, video communications, and any information that pertains to the transmission of
220	220	192such communications, including telephone numbers called, telephone numbers from which calls
221	221	193were placed, the time calls were made, call duration, and location information of the parties to
222	222	194the call, unless the covered entity or a service provider acting on behalf of the covered entity is
223	223	195the sender or an intended recipient of the communication. Communications are not private for
224	224	196purposes of this clause if such communications are made from or to a device provided by an
225	225	197employer to an employee insofar as such employer provides conspicuous notice that such
226	226	198employer may access such communications.
227	227	199 (viii)account or device log-in credentials, or security or access codes for an account or
228	228	200device.
229	229	201 (ix)information identifying the sexual behavior of an individual in a manner
230	230	202inconsistent with the individual’s reasonable expectation regarding the collection, processing, or
231	231	203transfer of such information or when it is processed in a way that creates a substantial privacy
232	232	204risk for the individual.
233	233	205 (x)calendar information, address book information, phone or text logs, photos, audio
234	234	206recordings, or videos, maintained for private use by an individual, regardless of whether such
235	235	207information is stored on the individual’s device or is accessible from that device and is backed up
236	236	208in a separate location. Such information is not sensitive for purposes of this paragraph if such
237	237	209information is sent from or to a device provided by an employer to an employee insofar as such
238	238	210employer provides conspicuous notice that it may access such information. 12 of 62
239	239	211 (xi)a photograph, film, video recording, or other similar medium that shows the naked or
240	240	212undergarment-clad private area of an individual.
241	241	213 (xii)information revealing the video content requested or selected by an individual
242	242	214collected by a covered entity that is not a provider of a service described in section 102(4). This
243	243	215clause does not include covered data used solely for transfers for independent video
244	244	216measurement.
245	245	217 (xiii)information about an individual when the covered entity or service provider has
246	246	218knowledge that the individual is a covered minor.
247	247	219 (xiv)an individual’s race, color, ethnicity, sex, gender identity, sexual orientation,
248	248	220national origin, immigration status, disability, religion, or union membership.
249	249	221 (xv)information identifying an individual’s online activities over time and across
250	250	222third-party websites or online services.
251	251	223 (xvi)any other covered data collected, processed, or transferred for the purpose of
252	252	224identifying the types of covered data listed in clauses (1) through (16).
253	253	225 (27)“service provider”, a person or entity that:—
254	254	226 (i)collects, processes, or transfers covered data on behalf of, and at the direction of, a
255	255	227covered entity or a government agency; and
256	256	228 (ii)receives covered data from or on behalf of a covered entity or a government agency. 13 of 62
257	257	229 A service provider that receives service provider data from another service provider as
258	258	230permitted under this chapter shall be treated as a service provider under this chapter with respect
259	259	231to such data.
260	260	232 (28)“service provider data”, covered data that is collected or processed by or has been
261	261	233transferred to a service provider by or on behalf of a covered entity or a government agency or
262	262	234another service provider for the purpose of allowing the service provider to whom such covered
263	263	235data is transferred to perform a service or function on behalf of, and at the direction of, such
264	264	236covered entity or government agency.
265	265	237 (29)“small business”, a covered entity or a service provider that meets the following
266	266	238criteria for the period of the 3 preceding calendar years (or for the period during which the
267	267	239covered entity or service provider has been in existence if such period is less than 3 years):—
268	268	240 (i)the covered entity or service provider’s average annual gross revenues during the
269	269	241period did not exceed $41,000,000;
270	270	242 (ii)the covered entity or service provider, on average, did not annually collect or process
271	271	243the covered data of more than 200,000 individuals during the period beyond the purpose of
272	272	244initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a
273	273	245requested service or product, so long as all covered data for such purpose was deleted or de-
274	274	246identified within 90 days, except when necessary to investigate fraud or as consistent with a
275	275	247covered entity’s return policy; and
276	276	248 (iii)the covered entity or service provider did not derive more than 50 percent of its
277	277	249revenue from transferring covered data during any year (or part of a year if the covered entity has
278	278	250been in existence for less than 1 year) that occurs during the period. 14 of 62
279	279	251 (30)“substantial privacy risk”, the collection, processing, or transfer of covered data in
280	280	252a manner that may result in any reasonably foreseeable substantial physical injury, economic
281	281	253injury, highly offensive intrusion into the privacy expectations of a reasonable individual under
282	282	254the circumstances, or discrimination on the basis of race, color, religion, national origin, sex,
283	283	255sexual orientation, gender identity or disability.
284	284	256 (31) “targeted advertising”, presenting to an individual or device identified by a unique
285	285	257identifier, or groups of individuals or devices identified by unique identifiers, an online
286	286	258advertisement that is selected based on known or predicted preferences, characteristics, or
287	287	259interests associated with the individual or a device identified by a unique identifier; and does not
288	288	260include:—
289	289	261 (i)advertising or marketing to an individual or an individual’s device in response to the
290	290	262individual’s specific request for information or feedback;
291	291	263 (ii)contextual advertising, which is when an advertisement is displayed based on the
292	292	264content in which the advertisement appears and does not vary based on who is viewing the
293	293	265advertisement; or
294	294	266 (iii)processing covered data solely for measuring or reporting advertising or content,
295	295	267performance, reach, or frequency, including independent measurement.
296	296	268 (32)“third party”, any person or entity, including a covered entity, that—
297	297	269 (i)collects, processes, or transfers covered data and is not a consumer-facing business
298	298	270with which the individual linked or reasonably linkable to such covered data expects and intends
299	299	271to interact; and 15 of 62
300	300	272 (ii)is not a service provider with respect to such data.
301	301	273 This term does not include a person or entity that collects covered data from another
302	302	274entity if the two entities are related by common ownership or corporate control, but only if a
303	303	275reasonable consumer’s reasonable expectation would be that such entities share information.
304	304	276 (33)“data broker”, a covered entity whose principal source of revenue is derived from
305	305	277processing or transferring covered data that the covered entity did not collect directly from the
306	306	278individuals linked or linkable to the covered data. This term does not include a covered entity
307	307	279insofar as such entity processes employee data collected by and received from a third party
308	308	280concerning any individual who is an employee of the third party for the sole purpose of such
309	309	281third-party providing benefits to the employee. An entity may not be considered to be a data
310	310	282broker for purposes of this chapter if the entity is acting as a service provider.
311	311	283 (34)“third party data”, covered data that has been transferred to a third party.
312	312	284 (35)“transfer”, to disclose, release, disseminate, make available, license, rent, or share
313	313	285covered data orally, in writing, electronically, or by any other means.
314	314	286 (36)“unique identifier”, an identifier to the extent that such identifier is reasonably
315	315	287linkable to an individual or device that identifies or is linked or reasonably linkable to 1 or more
316	316	288individuals, including a device identifier, Internet Protocol address, cookie, beacon, pixel tag,
317	317	289mobile ad identifier, or similar technology, customer number, unique pseudonym, user alias,
318	318	290telephone number, or other form of persistent or probabilistic identifier that is linked or
319	319	291reasonably linkable to an individual or device. This term does not include an identifier assigned
320	320	292by a covered entity for the specific purpose of giving effect to an individual’s exercise of
321	321	293affirmative express consent or opt-outs of the collection, processing, and transfer of covered data 16 of 62
322	322	294pursuant to this chapter or otherwise limiting the collection, processing, or transfer of such
323	323	295information.
324	324	296 (37)“widely distributed media”, information that is available to the general public,
325	325	297including information from a telephone book or online directory, a television, internet, or radio
326	326	298program, the news media, or an internet site that is available to the general public on an
327	327	299unrestricted basis, but does not include an obscene visual depiction, as defined in 18 U.S.C.
328	328	300section 1460.
329	329	301 Section 2. Duty of Loyalty
330	330	302 (a)A covered entity may not collect, process, or tran sfer covered data unless the
331	331	303collection, processing, or transfer is limited to what is reasonably necessary and proportionate to
332	332	304carry out one of the following purposes:—
333	333	305 (1)provide or maintain a specific product or service requested by the individual to whom
334	334	306the data pertains;
335	335	307 (2)initiate, manage, complete a transaction, or fulfill an order for specific products or
336	336	308services requested by an individual, including any associated routine administrative, operational,
337	337	309and account-servicing activity such as billing, shipping, delivery, storage, and accounting;
338	338	310 (3)authenticate users of a product or service;
339	339	311 (4)fulfill a product or service warranty;
340	340	312 (5)prevent, detect, protect against, or respond to a security incident. For purposes of this
341	341	313paragraph, security is defined as network security and physical security and life safety, including
342	342	314an intrusion or trespass, medical alerts, fire alarms, and access control security; 17 of 62
343	343	315 (6)to prevent, detect, protect against, or respond to fraud, harassment, or illegal activity
344	344	316targeted at or involving the covered entity or its services. For purposes of this paragraph, the
345	345	317term “illegal activity”, a violation of a federal, state, or local law punishable as a felony or
346	346	318misdemeanor that can directly harm;
347	347	319 (7)comply with a legal obligation imposed by state or federal law, or to investigate,
348	348	320establish, prepare for, exercise, or defend legal claims involving the covered entity or service
349	349	321provider;
350	350	322 (8)effectuate a product recall pursuant to state or federal law;
351	351	323 (9)conduct a public or peer-reviewed scientific, historical, or statistical research project
352	352	324that:—
353	353	325 (i)is in the public interest; and
354	354	326 (ii)adheres to all relevant laws and regulations governing such research, including
355	355	327regulations for the protection of human subjects, or is excluded from criteria of the institutional
356	356	328review board;
357	357	329 (10)deliver a communication that is not an advertisement to an individual, if the
358	358	330communication is reasonably anticipated by the individual within the context of the individual’s
359	359	331interactions with the covered entity;
360	360	332 (11)deliver a communication at the direction of an individual between such individual
361	361	333and one or more individuals or entities;
362	362	334 (12)ensure the data security and integrity of covered data in accordance with chapter
363	363	33593H; 18 of 62
364	364	336 (13)to support or promote participation by individuals in civic engagement activities and
365	365	337democratic governance, including voting, petitioning, engaging with government proceedings,
366	366	338providing indigent legal aid services, and unionizing; or
367	367	339 (14)transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or
368	368	340similar transaction when the third party assumes control, in whole or in part, of the covered
369	369	341entity’s assets, only if the covered entity, in a reasonable time prior to such transfer, provides
370	370	342each affected individual with:—
371	371	343 (i)a notice describing such transfer, including the name of the entity or entities receiving
372	372	344the individual’s covered data and their privacy policies; and
373	373	345 (ii)a reasonable opportunity to withdraw any previously given consents related to the
374	374	346individual’s covered data and a reasonable opportunity to request the deletion of the individual’s
375	375	347covered data.
376	376	348 (b)A covered entity may, with respect to covered data previously collected in accordance
377	377	349with the previous subsection, process such data:—
378	378	350 (1) as necessary to provide first-party advertising or marketing of products or services
379	379	351provided by the covered entity for individuals who are not covered minors;
380	380	352 (2)to provide targeted advertising; provided, however, that such collection, processing,
381	381	353and transferring complies with the requirements of this chapter;
382	382	354 (3)process such data as necessary to perform system maintenance or diagnostics;
383	383	355 (4)develop, maintain, repair, or enhance a product or service for which such data was
384	384	356collected; 19 of 62
385	385	357 (5)to conduct internal research or analytics to improve a product or service for which
386	386	358such data was collected;
387	387	359 (6)perform inventory management or reasonable network management;
388	388	360 (7)protect against spam; or
389	389	361 (8)debug or repair errors that impair the functionality of a service or product for which
390	390	362such data was collected.
391	391	363 (c)A covered entity or service provider shall not:—
392	392	364 (1) engage in deceptive advertising or marketing with respect to a product or service
393	393	365offered to an individual; or
394	394	366 (2)draw an individual into signing up for or acquiring a product or service through:—
395	395	367 (i)the use of any false, fictitious, fraudulent, or materially misleading statement or
396	396	368representation; or
397	397	369 (ii)the design, modification, or manipulation of any user interface with the purpose or
398	398	370substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy,
399	399	371decision-making, or choice.
400	400	372 (d)Nothing in this chapter shall be construed or interpreted to:—
401	401	373 (1)limit or diminish free speech rights of covered entities guaranteed under the First
402	402	374Amendment to the Constitution of the United States or under Article 16 of Massachusetts
403	403	375Declaration of Rights; or 20 of 62
404	404	376 (2)imply any purpose that is not enumerated in subsections (a) and (b), when applicable.
405	405	377 Section 3. Sensitive covered data.
406	406	378 (a)A covered entity or service provider shall not:—
407	407	379 (1)collect, process, or transfer a Social Security number, except when necessary to
408	408	380facilitate an extension of credit, authentication, fraud and identity fraud detection and prevention,
409	409	381the payment or collection of taxes, the enforcement of a contract between parties, or the
410	410	382prevention, investigation, or prosecution of fraud or illegal activity, or as otherwise required by
411	411	383state or federal law;
412	412	384 (2)collect or process sensitive covered data, except where such collection or processing is
413	413	385strictly necessary to provide or maintain a specific product or service requested by the individual
414	414	386to whom the covered data pertains or is strictly necessary to effect a purpose enumerated in
415	415	387paragraphs (1), (2), (3), (5), (7), (9), (10), (11), (13), (14) of subsection (a) of section 2, and such
416	416	388data is only used for that purposes;
417	417	389 (3)transfer an individual’s sensitive covered data to a third party, unless:—
418	418	390 (i)the transfer is made pursuant to the affirmative express consent of the individual, given
419	419	391before each specific transfer takes place;
420	420	392 (ii)the transfer is necessary to comply with a legal obligation imposed by state or federal
421	421	393law, so long as such obligation preexisted the collection and previous notice of such obligation
422	422	394was provided to the individual to whom the data pertains; 21 of 62
423	423	395 (iii)the transfer is necessary to prevent an individual from imminent injury where the
424	424	396covered entity believes in good faith that the individual is at risk of death, serious physical
425	425	397injury, or serious health risk;
426	426	398 (iv)in the case of the transfer of a password, the transfer is necessary to use a designated
427	427	399password manager or is to a covered entity for the exclusive purpose of identifying passwords
428	428	400that are being re-used across sites or accounts;
429	429	401 (v)in the case of the transfer of genetic information, the transfer is necessary to perform a
430	430	402medical diagnosis or medical treatment specifically requested by an individual, or to conduct
431	431	403medical research in accordance with federal and state law; and
432	432	404 (vi)in the case of transfer assets in case of a merger, if the transfer is made in accordance
433	433	405with paragraph (14) of subsection (a) of section (2); or
434	434	406 (4)process sensitive covered data for purposes of targeted advertising.
435	435	407 Section 4. Consent practices
436	436	408 (a)The requirements of this chapter with respect to a request for affirmative consent from
437	437	409a covered entity to an individual are the following:—
438	438	410 (1)The request for affirmative consent should be provided to the individual in a clear and
439	439	411conspicuous standalone disclosure made through the primary medium used to offer the covered
440	440	412entity’s product or service, or only if the product or service is not offered in a medium that
441	441	413permits the making of the request under this paragraph, another medium regularly used in
442	442	414conjunction with the covered entity’s product or service; 22 of 62
443	443	415 (2)The request includes a description of the processing purpose for which the individual’s
444	444	416consent is sought by:—
445	445	417 (i)clearly stating the specific categories of covered data that the covered entity shall
446	446	418collect, process, and transfer necessary to effectuate the processing purpose; and
447	447	419 (ii)including a prominent heading and is reasonably understandable so that an individual
448	448	420can identify and understand the processing purpose for which consent is sought and the covered
449	449	421data to be collected, processed, or transferred by the covered entity for such processing purpose;
450	450	422 (3)The request clearly explains the individual’s applicable rights related to consent;
451	451	423 (4)The request is made in a manner reasonably accessible to and usable by individuals
452	452	424with disabilities;
453	453	425 (5)The request is made available to the individual in each covered language in which the
454	454	426covered entity provides a product or service for which authorization is sought;
455	455	427 (6)The option to refuse consent shall be at least as prominent as the option to accept, and
456	456	428the option to refuse consent shall take the same number of steps or fewer as the option to accept;
457	457	429and
458	458	430 (7)Processing or transferring any covered data collected pursuant to affirmative express
459	459	431consent for a different processing purpose than that for which affirmative express consent was
460	460	432obtained shall require affirmative express consent for the subsequent processing purpose.
461	461	433 (b)A covered entity shall not infer that an individual has provided affirmative express
462	462	434consent to a practice from the inaction of the individual or the individual’s continued use of a
463	463	435service or product provided by the covered entity. 23 of 62
464	464	436 (c)A covered entity shall not obtain or attempt to obtain the affirmative express consent
465	465	437of an individual through:—
466	466	438 (1)the use of any false, fictitious, fraudulent, or materially misleading statement or
467	467	439representation; or
468	468	440 (2)the design, modification, or manipulation of any user interface with the purpose or
469	469	441substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy,
470	470	442decision-making, or choice to provide such consent or any covered data.
471	471	443 Section 5. Privacy by design
472	472	444 (a)A covered entity and a service provider shall establish, implement, and maintain
473	473	445reasonable policies, practices, and procedures that reflect the role of the covered entity or service
474	474	446provider in the collection, processing, and transferring of covered data and that:—
475	475	447 (1)consider applicable federal and state laws, rules, or regulations related to covered data
476	476	448the covered entity or service provider collects, processes, or transfers;
477	477	449 (2)identify, assess, and mitigate privacy risks related to covered minors;
478	478	450 (3)mitigate privacy risks, including substantial privacy risks, related to the products and
479	479	451services of the covered entity or the service provider, including in the design, development, and
480	480	452implementation of such products and services, considering the role of the covered entity or
481	481	453service provider and the information available to it; and
482	482	454 (4)implement reasonable training and safeguards within the covered entity and service
483	483	455provider to promote compliance with all privacy laws applicable to covered data the covered
484	484	456entity collects, processes, or transfers or covered data the service provider collects, processes, or 24 of 62
485	485	457transfers on behalf of the covered entity and mitigate privacy risks, including substantial privacy
486	486	458risks, taking into account the role of the covered entity or service provider and the information
487	487	459available to it.
488	488	460 (b)The policies, practices, and procedures established by a covered entity and a service
489	489	461provider under subsection (a), shall correspond with, as applicable:—
490	490	462 (1)the size of the covered entity or the service provider and the nature, scope, and
491	491	463complexity of the activities engaged in by the covered entity or service provider, including
492	492	464whether the covered entity or service provider is a large data holder, nonprofit organization,
493	493	465small business, third party, or data broker, considering the role of the covered entity or service
494	494	466provider and the information available to it;
495	495	467 (2)the sensitivity of the covered data collected, processed, or transferred by the covered
496	496	468entity or service provider;
497	497	469 (3)the volume of covered data collected, processed, or transferred by the covered entity
498	498	470or service provider;
499	499	471 (4)the number of individuals and devices to which the covered data collected, processed,
500	500	472or transferred by the covered entity or service provider relates; and
501	501	473 (5)the cost of implementing such policies, practices, and procedures in relation to the
502	502	474risks and nature of the covered data.
503	503	475 Section 6. Pricing
504	504	476 (a)A covered entity may not retaliate against an individual for:— 25 of 62
505	505	477 (1)exercising any of the rights guaranteed by this chapter, or any regulations promulgated
506	506	478under this chapter; or
507	507	479 (2)refusing to agree to collection or processing of covered data for a separate product or
508	508	480service, including denying goods or services, charging different prices or rates for goods or
509	509	481services, or providing a different level of quality of goods or services.
510	510	482 (b)Nothing in subsection (a) shall be construed to:—
511	511	483 (1)prohibit the relation of the price of a service or the level of service provided to an
512	512	484individual to the provision, by the individual, of financial information that is necessarily
513	513	485collected and processed only for the purpose of initiating, rendering, billing for, or collecting
514	514	486payment for a service or product requested by the individual;
515	515	487 (2)prohibit a covered entity from offering a different price, rate, level, quality or selection
516	516	488of goods or services to an individual, including offering goods or services for no fee, if the
517	517	489offering is in connection with an individual’s voluntary participation in a bona fide loyalty, ,
518	518	490rewards, premium features, discount or club card program, provided, that the covered entity may
519	519	491not sell covered data to a third-party as part of such a program unless:—
520	520	492 (i)the sale is reasonably necessary to enable the third party to provide a benefit to which
521	521	493the consumer is entitled;
522	522	494 (ii)the sale of personal data to third parties is clearly disclosed in the terms of the
523	523	495program; and 26 of 62
524	524	496 (iii)the third party uses the personal data only for purposes of facilitating such a benefit to
525	525	497which the consumer is entitled and does not retain or otherwise use or disclose the personal data
526	526	498for any other purpose;
527	527	499 (3)require a covered entity to provide a bona fide loyalty program that would require the
528	528	500covered entity to collect, process, or transfer covered data that the covered entity otherwise
529	529	501would not collect, process, or transfer;
530	530	502 (4)prohibit a covered entity from offering a financial incentive or other consideration to
531	531	503an individual for participation in market research;
532	532	504 (5)prohibit a covered entity from offering different types of pricing or functionalities with
533	533	505respect to a product or service based on an individual’s exercise of a right to delete; or
534	534	506 (6)prohibit a covered entity from declining to provide a product or service insofar as the
535	535	507collection and processing of covered data is strictly necessary for such product or service.
536	536	508 (c)Notwithstanding the provisions in this subsection, no covered entity may offer
537	537	509different types of pricing that are unjust, unreasonable, coercive, or usurious in nature.
538	538	510 Section 7. Privacy policy
539	539	511 (a)Each covered entity and service provider shall make publicly available, in a clear,
540	540	512conspicuous, not misleading, a reasonably understandable privacy policy that provides a detailed
541	541	513and accurate representation of the data collection, processing, and transfer activities of the
542	542	514covered entity.
543	543	515 (b)The privacy policy must be provided in a manner that is reasonably accessible to and
544	544	516usable by individuals with disabilities. The policy shall be made available to the public in each 27 of 62
545	545	517covered language in which the covered entity or service provider provides a product or service
546	546	518that is subject to the privacy policy; or carries out activities related to such product or service.
547	547	519 (c)The privacy policy must include, at a minimum, the following:—
548	548	520 (1)The identity and the contact information of:—
549	549	521 (i)the covered entity or service provider to which the privacy policy applies, including the
550	550	522covered entity’s or service provider’s points of contact and generic electronic mail addresses, as
551	551	523applicable for privacy and data security inquiries;
552	552	524 (ii)any other entity within the same corporate structure as the covered entity or service
553	553	525provider to which covered data is transferred by the covered entity;
554	554	526 (iii)the categories of covered data the covered entity or service provider collects or
555	555	527processes;
556	556	528 (iv)the processing purposes for each category of covered data the covered entity or
557	557	529service provider collects or processes;
558	558	530 (v)whether the covered entity or service provider transfers covered data and, if so, each
559	559	531category of service provider and third party to which the covered entity or service provider
560	560	532transfers covered data, the name of each data broker to which the covered entity or service
561	561	533provider transfers covered data, and the purposes for which such data is transferred to such
562	562	534categories of service providers and third parties or third-party collecting entities, except for a
563	563	535transfer to a governmental entity pursuant to a court order or law that prohibits the covered entity
564	564	536or service provider from disclosing such transfer; 28 of 62
565	565	537 (vi)The length of time the covered entity or service provider intends to retain each
566	566	538category of covered data, including sensitive covered data, or, if it is not possible to identify that
567	567	539timeframe, the criteria used to determine the length of time the covered entity or service provider
568	568	540intends to retain categories of covered data;
569	569	541 (vii)A prominent description of how an individual can exercise the rights described in
570	570	542this chapter;
571	571	543 (viii)A general description of the covered entity’s or service provider’s data security
572	572	544practices; and
573	573	545 (ix)The effective date of the privacy policy.
574	574	546 (d)If a covered entity makes a material change to its privacy policy or practices, the
575	575	547covered entity shall notify each individual affected by such material change before implementing
576	576	548the material change with respect to any prospectively collected covered data and, except as
577	577	549provided in paragraphs (1) through (15) of section 2, provide a reasonable opportunity for each
578	578	550individual to withdraw consent to any further materially different collection, processing, or
579	579	551transfer of previously collected covered data under the changed policy.
580	580	552 (e)The covered entity shall take all reasonable electronic measures to provide direct
581	581	553notification regarding material changes to the privacy policy to each affected individual, in each
582	582	554covered language in which the privacy policy is made available, and taking into account
583	583	555available technology and the nature of the relationship.
584	584	556 (f)Nothing in this section shall be construed to affect the requirements for covered
585	585	557entities under other sections of this chapter. 29 of 62
586	586	558 (g)Each large data holder shall retain copies of previous versions of its privacy policy for
587	587	559at least 10 years beginning after the date of enactment of this chapter and publish them on its
588	588	560website. Such large data holder shall make publicly available, in a clear, conspicuous, and
589	589	561readily accessible manner, a log describing the date and nature of each material change to its
590	590	562privacy policy over the past 10 years. The descriptions shall be sufficient for a reasonable
591	591	563individual to understand the material effect of each material change. The obligations in this
592	592	564paragraph shall not apply to any previous versions of a large data holder’s privacy policy, or any
593	593	565material changes to such policy, that precede the date of enactment of this Act.
594	594	566 (h)In addition to the privacy policy required under subsection (a), a large data holder that
595	595	567is a covered entity shall provide a short form notice of no more than 500 words in length that
596	596	568includes the main features of their data practices.
597	597	569 Section 8. Individual data rights
598	598	570 (a)A covered entity shall provide an individual, after receiving a verified request from the
599	599	571individual, with the right to:—
600	600	572 (1)access:—
601	601	573 (i)in a human-readable format that a reasonable individual can understand and download
602	602	574from the internet, the covered data (except covered data in a back-up or archival system) of the
603	603	575individual making the request that is collected, processed, or transferred by the covered entity or
604	604	576any service provider of the covered entity within the 24 months preceding the request;
605	605	577 (ii)the categories of any third party, if applicable, and an option for consumers to obtain
606	606	578the names of any such third party as well as and the categories of any service providers to whom 30 of 62
607	607	579the covered entity has transferred for consideration the covered data of the individual, as well as
608	608	580the categories of sources from which the covered data was collected; and
609	609	581 (iii)a description of the purpose for which the covered entity transferred the covered data
610	610	582of the individual to a third party or service provider;
611	611	583 (2)correct any verifiable substantial inaccuracy or substantially incomplete information
612	612	584with respect to the covered data of the individual that is processed by the covered entity and
613	613	585instruct the covered entity to make reasonable efforts to notify all third parties or service
614	614	586providers to which the covered entity transferred such covered data of the corrected information;
615	615	587 (3)delete covered data of the individual that is processed by the covered entity and
616	616	588instruct the covered entity to make reasonable efforts to notify all third parties or service
617	617	589provider to which the covered entity transferred such covered data of the individual’s deletion
618	618	590request; and
619	619	591 (4)to the extent technically feasible, export to the individual or directly to another entity
620	620	592the covered data of the individual that is processed by the covered entity, including inferences
621	621	593linked or reasonably linkable to the individual but not including other derived data, without
622	622	594licensing restrictions that limit such transfers in:—
623	623	595 (i)a human-readable format that a reasonable individual can understand and download
624	624	596from the internet; and
625	625	597 (ii)a portable, structured, interoperable, and machine-readable format.
626	626	598 (b)A covered entity may not condition, effectively condition, attempt to condition, or
627	627	599attempt to effectively condition the exercise of a right described in subsection (a) through:— 31 of 62
628	628	600 (1)the use of any false, fictitious, fraudulent, or materially misleading statement or
629	629	601representation; or
630	630	602 (2)the design, modification, or manipulation of any user interface with the purpose or
631	631	603substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy,
632	632	604decision making, or choice to exercise such right.
633	633	605 (c)Subject to subsections (d) and (e), each request under subsection (a) shall be
634	634	606completed within 30 days of such request from an individual, unless it is demonstrably
635	635	607impracticable or impracticably costly to verify such individual.
636	636	608 (d)A response period set forth in this subsection may be extended once by 20 additional
637	637	609days when reasonably necessary, considering the complexity and number of the individual’s
638	638	610requests, so long as the covered entity informs the individual of any such extension within the
639	639	611initial 30-day response period, together with the reason for the extension.
640	640	612 (e)A covered entity:—
641	641	613 (1)shall provide an individual with the opportunity to exercise each of the rights
642	642	614described in subsection (a) and with respect to:—
643	643	615 (A)the first two times that an individual exercises any right described in subsection (a) in
644	644	616any 12-month period, shall allow the individual to exercise such right free of charge; and
645	645	617 (B)any time beyond the initial two times described in subparagraph (A), may allow the
646	646	618individual to exercise such right for a reasonable fee for each request.
647	647	619 (f)A covered entity may not permit an individual to exercise a right described in
648	648	620subsection (a), in whole or in part, if the covered entity:— 32 of 62
649	649	621 (1)cannot reasonably verify that the individual making the request to exercise the right is
650	650	622the individual whose covered data is the subject of the request or an individual authorized to
651	651	623make such a request on the individual’s behalf;
652	652	624 (2)reasonably believes that the request is made to interfere with a contract between the
653	653	625covered entity and another individual;
654	654	626 (3)determines that the exercise of the right would require access to or correction of
655	655	627another individual’s sensitive covered data;
656	656	628 (4)reasonably believes that the exercise of the right would require the covered entity to
657	657	629engage in an unfair or deceptive practice under state law; or
658	658	630 (5)reasonably believes that the request is made to further fraud, support criminal activity,
659	659	631or the exercise of the right presents a data security threat.
660	660	632 (g)If a covered entity cannot reasonably verify that a request to exercise a right described
661	661	633in subsection (a) is made by the individual whose covered data is the subject of the request (or an
662	662	634individual authorized to make such a request on the individual’s behalf), the covered entity:—
663	663	635 (1)may request that the individual making the request to exercise the right provide any
664	664	636additional information necessary for the sole purpose of verifying the identity of the individual;
665	665	637and
666	666	638 (2)may not process or transfer such additional information for any other purpose.
667	667	639 (h)A covered entity may decline, with adequate explanation to the individual, to comply
668	668	640with a request to exercise a right described in subsection (a), in whole or in part, that would:— 33 of 62
669	669	641 (1)require the covered entity to retain any covered data collected for a single, one-time
670	670	642transaction, if such covered data is not processed or transferred by the covered entity for any
671	671	643purpose other than completing such transaction;
672	672	644 (2)be demonstrably impracticable or prohibitively costly to comply with, and the covered
673	673	645entity shall provide a description to the requestor detailing the inability to comply with the
674	674	646request;
675	675	647 (3)require the covered entity to attempt to re-identify de-identified data;
676	676	648 (4)require the covered entity to maintain covered data in an identifiable form or collect,
677	677	649retain, or access any data in order to be capable of associating a verified individual request with
678	678	650covered data of such individual;
679	679	651 (5)result in the release of trade secrets or other privileged or confidential business
680	680	652information;
681	681	653 (6)require the covered entity to correct any covered data that cannot be reasonably
682	682	654verified as being inaccurate or incomplete;
683	683	655 (7)interfere with law enforcement, judicial proceedings, investigations, or reasonable
684	684	656efforts to guard against, detect, prevent, or investigate fraudulent, malicious, or unlawful activity,
685	685	657or enforce valid contracts;
686	686	658 (8)violate state or federal law or the rights and freedoms of another individual, including
687	687	659under the Constitution of the United States and Massachusetts Declaration of Rights;
688	688	660 (9)prevent a covered entity from being able to maintain a confidential record of deletion
689	689	661requests, maintained solely for the purpose of preventing covered data of an individual from 34 of 62
690	690	662being recollected after the individual submitted a deletion request and requested that the covered
691	691	663entity no longer collect, process, or transfer such data; or
692	692	664 (10)endanger the source of the data if such data could only have been obtained from a
693	693	665single identified source.
694	694	666 (i)A covered entity may decline, with adequate explanation to the individual, to comply
695	695	667with a request for deletion pursuant to paragraph (3) of subsection (a) if such request:—
696	696	668 (1)unreasonably interfere with the provision of products or services by the covered entity
697	697	669to another person it currently serves;
698	698	670 (2)requests to delete covered data that relates to (A) a public figure, public official, or
699	699	671limited-purpose public figure; or (B) any other individual that has no reasonable expectation of
700	700	672privacy with respect to such data;
701	701	673 (3)requests to delete covered data reasonably necessary to perform a contract between the
702	702	674covered entity and the individual;
703	703	675 (4)requests to delete covered data that the covered entity needs to retain in order to
704	704	676comply with professional ethical obligations;
705	705	677 (5)requests to delete covered data that the covered entity reasonably believes may be
706	706	678evidence of unlawful activity or an abuse of the covered entity’s products or service; or
707	707	679 (6)involves private elementary and secondary schools as defined by state law and private
708	708	680institutions of higher education as defined by title I of the Higher Education Act of 1965 and
709	709	681targets covered data that would unreasonably interfere with the provision of education services
710	710	682by or the ordinary operation of the school or institution. 35 of 62
711	711	683 (j)In a circumstance that would allow a denial pursuant to this section, a covered entity
712	712	684shall partially comply with the remainder of the request if it is possible and not unduly
713	713	685burdensome to do so.
714	714	686 (k)The receipt of a large number of verified requests, on its own, may not be considered
715	715	687to render compliance with a request demonstrably impracticable.
716	716	688 (l)A covered entity shall facilitate the ability of individuals to make requests under
717	717	689subsection (a) in any covered language in which the covered entity provides a product or service.
718	718	690The mechanisms by which a covered entity enables individuals to make requests under
719	719	691subsection (a) shall be readily accessible and usable by individuals with disabilities.
720	720	692 Section 9. Advanced data rights.
721	721	693 (a)Covered entities shall provide an individual with a clear and conspicuous, easy-to-
722	722	694execute means to withdraw affirmative express consent. Those means shall be as easy to execute
723	723	695by a reasonable individual as the means to provide consent.
724	724	696 (b)Right to opt-out of covered data transfers. A covered entity:—
725	725	697 (1)may not transfer or direct the transfer of the covered data of an individual to a third
726	726	698party if the individual objects to the transfer; and
727	727	699 (2)shall allow an individual to object to such a transfer through an opt out mechanism, as
728	728	700described in section 12.
729	729	701 (c)Right to opt out of targeted advertising. A covered entity or service provider that
730	730	702directly delivers a targeted advertisement shall:— 36 of 62
731	731	703 (1)prior to engaging in targeted advertising to an individual or device and at all times,
732	732	704thereafter, provide such individual with a clear and conspicuous means to opt out of targeted
733	733	705advertising;
734	734	706 (2)abide by any opt-out designation by an individual with respect to targeted advertising
735	735	707and notify the covered entity that directed the service provider to deliver the targeted
736	736	708advertisement of the opt-out decision; and
737	737	709 (3)allow an individual to make an opt-out designation with respect to targeted advertising
738	738	710through an opt-out mechanism.
739	739	711 (d)A covered entity or service provider that receives an opt-out notification pursuant to
740	740	712this section shall abide by such opt-out designations by an individual and notify any other person
741	741	713that directed the covered entity or service provider to serve, deliver, or otherwise handle the
742	742	714advertisement of the opt-out decision.
743	743	715 (e)A covered entity may not condition, effectively condition, attempt to condition, or
744	744	716attempt to effectively condition the exercise of any individual right under this section through:—
745	745	717 (1)the use of any false, fictitious, fraudulent, or materially misleading statement or
746	746	718representation; or
747	747	719 (2)the design, modification, or manipulation of any user interface with the purpose or
748	748	720substantial effect of obscuring, subverting, or impairing a reasonable individual’s autonomy,
749	749	721decision making, or choice to exercise any such right.
750	750	722 (f)A covered entity shall notify third parties who had access to an individual’s covered
751	751	723data when the individual exercises any of the rights established in this section. The third party 37 of 62
752	752	724shall comply with the request to opt-out of sale or data transfer forwarded to them from a
753	753	725covered entity that provided, made available, or authorized the collection of the individual’s
754	754	726covered data. The third party shall comply with the request in the same way a covered entity is
755	755	727required to comply with the request. The third party shall no longer retain, use, or disclose the
756	756	728personal information unless the third party becomes a service provider or a covered entity in the
757	757	729terms of this chapter.
758	758	730 Section 10. Minors
759	759	731 (a)A covered entity may not engage in targeted advertising to any individual if the
760	760	732covered entity has knowledge that the individual is a covered minor.
761	761	733 Section 11. Data Brokers
762	762	734 (a)Each data broker shall place a clear, conspicuous, not misleading, and readily
763	763	735accessible notice on the website or mobile application of the data broker (if the data broker
764	764	736maintains such a website or mobile application) that:—
765	765	737 (1)notifies individuals that the entity is a data broker;
766	766	738 (2)includes a link to the data broker registry website; and
767	767	739 (3)is reasonably accessible to and usable by individuals with disabilities.
768	768	740 (b)Data broker registration. Not later than January 31 of each calendar year that follows a
769	769	741calendar year during which a covered entity acted as a data broker, data brokers shall register
770	770	742with the OCABR in accordance with this subsection.
771	771	743 (1)In registering with the OCABR, a data broker shall do the following:— 38 of 62
772	772	744 (i)Pay to the OCABR a registration fee of $100;
773	773	745 (ii)Provide the OCABR with the following information:—
774	774	746 (A)The legal name and primary physical, email, and internet addresses of the data broker;
775	775	747 (B)A description of the categories of covered data the data broker processes and
776	776	748transfers;
777	777	749 (C) The contact information of the data broker, including a contact person, a telephone
778	778	750number, an e-mail address, a website, and a physical mailing address; and
779	779	751 (D) A link to a website through which an individual may easily exercise the rights
780	780	752provided under this subsection.
781	781	753 (c)The OCABR shall establish and maintain on a website a searchable, publicly available,
782	782	754central registry of third-party collecting entities that are registered with the OCABR under this
783	783	755subsection that includes a listing of all registered data brokers and a search feature that allows
784	784	756members of the public to identify individual data brokers and access to the registration
785	785	757information provided under subsection (b).
786	786	758 (d)Penalties. A data broker that fails to register or provide the notice as required under
787	787	759this section shall be liable for:—
788	788	760 (1)a civil penalty of $100 for each day the data broker fails to register or provide notice
789	789	761as required under this section, not to exceed a total of $10,000 for any year; and
790	790	762 (2)an amount equal to the registration fees for each year that the data broker failed to
791	791	763register as required under this subsection. 39 of 62
792	792	764 (e)Nothing in this subsection shall be construed as altering, limiting, or affecting any
793	793	765enforcement authorities or remedies under this chapter.
794	794	766 Section 11. Civil rights protections
795	795	767 (a)A covered entity or a service provider may not collect, process, or transfer covered
796	796	768data or publicly available data in a manner that discriminates in or otherwise makes unavailable
797	797	769the equal enjoyment of goods or services (i.e., has a disparate impact) on the basis of race, color,
798	798	770religion, national origin, sex, sexual orientation, gender identity or disability.
799	799	771 (b)This subsection shall not apply to:—
800	800	772 (1)the collection, processing, or transfer of covered data for the purpose of:—
801	801	773 (i) covered entity’s or a service provider’s self-testing to prevent or mitigate unlawful
802	802	774discrimination; or
803	803	775 (ii)diversifying an applicant, participant, or customer pool; or
804	804	776 (2)any private club or group not open to the public, as described in section 201(e) of the
805	805	777Civil Rights Act of 1964, 42 U.S.C. section 2000a(e).
806	806	778 (c)Whenever the Attorney General obtains information that a covered entity or service
807	807	779provider may have collected, processed, or transferred covered data in violation of subsection
808	808	780(a), the Attorney General shall initiate enforcement actions relating to such violation in
809	809	781accordance with section (14) this chapter. 40 of 62
810	810	782 (1)Not later than 3 years after the date of enactment of this chapter, and annually
811	811	783thereafter, the Attorney General shall submit to the legislature a report that includes a summary
812	812	784of the enforcement actions taken under this subsection.
813	813	785 (d)Covered algorithm impact and evaluation. Notwithstanding any other provision of law,
814	814	786not later than 2 years after the date of enactment of this chapter, and annually thereafter, a large
815	815	787data holders that uses a covered algorithm in a manner that poses a consequential risk of harm to
816	816	788an individual or group of individuals, and uses such covered algorithm solely or in part, to
817	817	789collect, process, or transfer covered data or publicly available data shall conduct an impact
818	818	790assessment of such algorithm in accordance with paragraph (1).
819	819	791 (1)The impact assessment required under subsection (d) shall provide the following: —
820	820	792 (i)A detailed description of the design process and methodologies of the covered
821	821	793algorithm;
822	822	794 (ii)A statement of the purpose and proposed uses of the covered algorithm;
823	823	795 (iii)A detailed description of the data used by the covered algorithm, including the
824	824	796specific categories of data that will be processed as input and any data used to train the model
825	825	797that the covered algorithm relies on, if applicable;
826	826	798 (iv)A description of the outputs produced by the covered algorithm as well as the
827	827	799outcomes of their use;
828	828	800 (v)An assessment of the necessity and proportionality of the covered algorithm in relation
829	829	801to its stated purpose; and 41 of 62
830	830	802 (vi)A detailed description of steps the large data holder has taken or will take to mitigate
831	831	803potential harms from the covered algorithm to an individual or group of individuals, including
832	832	804related to:—
833	833	805 (A)covered minors;
834	834	806 (B)making or facilitating advertising for, or determining access to, or restrictions on the
835	835	807use of housing, education, employment, healthcare, insurance, or credit opportunities;
836	836	808 (C)determining access to, or restrictions on the use of, any place of public
837	837	809accommodation, particularly as such harms relate to the protected characteristics of individuals,
838	838	810including race, color, religion, national origin, sex, sexual orientation, gender identity or
839	839	811disability;
840	840	812 (D)disparate impact on the basis of individuals’ race, color, religion, national origin, sex,
841	841	813sexual orientation, gender identity or disability status; or
842	842	814 (E)disparate impact on the basis of individuals’ political party registration status.
843	843	815 (e)Notwithstanding any other provision of law, not later than 2 years after the date of
844	844	816enactment of this chapter, a covered entity or service provider that knowingly develops a covered
845	845	817algorithm that is designed, solely or in part, to collect, process, or transfer covered data in
846	846	818furtherance of a consequential decision shall, prior to deploying the covered algorithm evaluate
847	847	819the design, structure, and inputs of the covered algorithm, including any training data used to
848	848	820develop the covered algorithm, to reduce the risk of the potential harms identified under the
849	849	821previous paragraph. 42 of 62
850	850	822 (f)In complying with paragraphs (1) and (2), a covered entity and a service provider may
851	851	823focus the impact assessment or evaluation on any covered algorithm, or portions of a covered
852	852	824algorithm, that will be put to use and may reasonably contribute to the risk of the potential harms
853	853	825identified under paragraph (2).
854	854	826 (g)A covered entity and a service provider shall:—
855	855	827 (1)submit the impact assessment or evaluation conducted under paragraph (1) or (2) to
856	856	828the Attorney General not later than 30 days after completing an impact assessment or evaluation;
857	857	829 (2)make such impact assessment and evaluation available to the legislature, upon request;
858	858	830and
859	859	831 (3)make a summary of such impact assessment and evaluation publicly available in a
860	860	832their website or any other similar place that is easily accessible to individuals.
861	861	833 (h)Covered entities and service providers may redact and segregate any trade secrets, as
862	862	834defined in 18 U.S.C. section 1839, or other confidential or proprietary information from public
863	863	835disclosure under this subsection.
864	864	836 (i)The Attorney General may not use any information obtained solely and exclusively
865	865	837through a covered entity or a service provider’s disclosure of information to the Attorney
866	866	838General in compliance with this section for any other purpose than enforcing this chapter;
867	867	839provided, however, that it may be used for enforcing consent orders.
868	868	840 (1)The previous subparagraph does not preclude the Attorney General from providing
869	869	841information about a covered entity to the legislature in response to a subpoena.
870	870	842 Section 12. Miscellaneous 43 of 62
871	871	843 (a)Not later than 18 months after the date of enactment of this chapter, the OCABR shall
872	872	844establish or recognize one or more acceptable privacy protective, centralized mechanisms for
873	873	845individuals to exercise the opt-out rights recognized in section 9.
874	874	846 (b)Any such centralized opt-out mechanism shall:—
875	875	847 (1)require covered entities or service providers acting on behalf of covered entities to
876	876	848inform individuals about the centralized opt-out choice;
877	877	849 (2)not be required to be the default setting, but may be the default setting provided that in
878	878	850all cases the mechanism clearly represents the individual’s affirmative, freely given, and
879	879	851unambiguous choice to opt out;
880	880	852 (3)be consumer-friendly, clearly described, and easy-to-use by a reasonable individual;
881	881	853 (4) be provided in any covered language in which the covered entity provides products or
882	882	854services subject to the opt-out; and
883	883	855 (5)be provided in a manner that is reasonably accessible to and usable by individuals with
884	884	856disabilities.
885	885	857 (c)A covered entity or service provider that is not a small business shall designate:—
886	886	858 (1)1 or more qualified employees as privacy officers; and
887	887	859 (2)1 or more qualified employees as data security officers.
888	888	860 (d)An employee who is designated as a privacy officer or a data security officer pursuant
889	889	861to subsection (c) shall, at a minimum:— 44 of 62
890	890	862 (1)implement a data privacy program and data security program to safeguard the privacy
891	891	863and security of covered data in compliance with the requirements of this chapter; and
892	892	864 (2)facilitate the covered entity or service provider’s ongoing compliance with this
893	893	865chapter.
894	894	866 (e)Each covered entity that is a large data holder shall conduct a privacy impact
895	895	867assessment that weighs the benefits of the large data holder’s covered data collecting, processing,
896	896	868and transfer practices against the potential adverse consequences of such practices, including
897	897	869substantial privacy risks, to individual privacy.
898	898	870 (1)The assessment shall be conducted not later than 1 year after the date of enactment of
899	899	871this chapter or 1 year after the date on which a covered entity first meets the definition of large
900	900	872data holder, whichever is earlier, and biennially thereafter.
901	901	873 (f)A privacy impact assessment required under subsection (e) shall be:—
902	902	874 (1)reasonable and appropriate in scope given:—
903	903	875 (i)the nature of the covered data collected, processed, and transferred by the large data
904	904	876holder;
905	905	877 (ii)the volume of the covered data collected, processed, and transferred by the large data
906	906	878holder; and
907	907	879 (iii)the potential material risks posed to the privacy of individuals by the collecting,
908	908	880processing, and transfer of covered data by the large data holder; 45 of 62
909	909	881 (2)documented in written form and maintained by the large data holder unless rendered
910	910	882out of date by a subsequent assessment conducted under subsection (e); and
911	911	883 (3)approved by the privacy protection officer designated pursuant to subsection (c).
912	912	884 (g)In assessing the privacy risks, including substantial privacy risks, the large data holder
913	913	885must include reviews of the means by which technologies are used to secure covered data.
914	914	886 Section 13. Service providers.
915	915	887 (a)A service provider:—
916	916	888 (1)shall adhere to the instructions of a covered entity and only collect, process, and
917	917	889transfer service provider data to the extent necessary and proportionate to provide a service
918	918	890requested by the covered entity, as set out in the contract required by subsection (b), and this
919	919	891paragraph does not require a service provider to collect, process, or transfer covered data if the
920	920	892service provider would not otherwise do so;
921	921	893 (2)may not collect, process, or transfer service provider data if the service provider has
922	922	894actual knowledge that a covered entity violated this chapter with respect to such data;
923	923	895 (3)shall assist a covered entity in responding to a request made by an individual under
924	924	896this chapter, by either:—
925	925	897 (i)providing appropriate technical and organizational measures, considering the nature of
926	926	898the processing and the information reasonably available to the service provider, for the covered
927	927	899entity to comply with such request for service provider data; or 46 of 62
928	928	900 (ii)fulfilling a request by a covered entity to execute an individual rights request that the
929	929	901covered entity has determined should be complied with, by either:—
930	930	902 (A)complying with the request pursuant to the covered entity’s instructions; or
931	931	903 (B)providing written verification to the covered entity that it does not hold covered data
932	932	904related to the request, that complying with the request would be inconsistent with its legal
933	933	905obligations, or that the request falls within an exception under this chapter;
934	934	906 (4)may engage another service provider for purposes of processing service provider
935	935	907data on behalf of a covered entity only after providing that covered entity with notice and
936	936	908pursuant to a written contract that requires such other service provider to satisfy the obligations
937	937	909of the service provider with respect to such service provider data, including that the other service
938	938	910provider be treated as a service provider under this chapter;
939	939	911 (5)shall, upon the reasonable request of the covered entity, make available to the covered
940	940	912entity information necessary to demonstrate the compliance of the service provider with the
941	941	913requirements of this chapter, which may include making available a report of an independent
942	942	914assessment arranged by the service provider on terms agreed to by the service provider and the
943	943	915covered entity, providing information necessary to enable the covered entity to conduct and
944	944	916document a privacy impact assessment required by this chapter;
945	945	917 (6)shall, at the covered entity’s direction, delete or return all covered data to the covered
946	946	918entity as requested at the end of the provision of services, unless retention of the covered data is
947	947	919required by law; 47 of 62
948	948	920 (7)shall develop, implement, and maintain reasonable administrative, technical, and
949	949	921physical safeguards that are designed to protect the security and confidentiality of covered data
950	950	922the service provider processes consistent with chapter 93H of the general laws; and
951	951	923 (8)shall allow and cooperate with reasonable assessments by the covered entity or
952	952	924the covered entity’s designated assessor. Alternatively, the service provider may arrange for a
953	953	925qualified and independent assessor to conduct an assessment of the service provider’s policies
954	954	926and technical and organizational measures in support of the obligations under this chapter using
955	955	927an appropriate and accepted control standard or framework and assessment procedure for such
956	956	928assessments. The service provider shall provide a report of such assessment to the covered entity
957	957	929upon request.
958	958	930 (b)A person or entity may only act as a service provider pursuant to a written contract
959	959	931between the covered entity and the service provider, or a written contract between one service
960	960	932provider and a second service provider as described under paragraph (4) of subsection (a), if the
961	961	933contract:—
962	962	934 (1)sets forth the data processing procedures of the service provider with respect to
963	963	935collection, processing, or transfer performed on behalf of the covered entity or service provider;
964	964	936 (2)clearly sets forth:—
965	965	937 (i)instructions for collecting, processing, or transferring data;
966	966	938 (ii)the nature and purpose of collecting, processing, or transferring;
967	967	939 (iii)the type of data subject to collecting, processing, or transferring;
968	968	940 (iv)the duration of processing; and 48 of 62
969	969	941 (v)the rights and obligations of both parties, including a method by which the service
970	970	942provider shall notify the covered entity of material changes to its privacy practices;
971	971	943 (3)does not relieve a covered entity or a service provider of any requirement or liability
972	972	944imposed on such covered entity or service provider under this chapter; and
973	973	945 (4)prohibits:—
974	974	946 (i)collecting, processing, or transferring covered data in contravention to subsection (a);
975	975	947and
976	976	948 (ii)combining service provider data with covered data which the service provider receives
977	977	949from or on behalf of another person or persons or collects from the interaction of the service
978	978	950provider with an individual, provided that such combining is not necessary to effectuate a
979	979	951purpose described in paragraphs (1) through (15) of section 2(a) and is otherwise permitted under
980	980	952the contract required by this subsection.
981	981	953 (c)Each service provider shall retain copies of previous contracts entered into in
982	982	954compliance with this subsection with each covered entity to which it provides requested products
983	983	955or services.
984	984	956 (d)The classification of a person or entity as a covered entity or as a service provider and
985	985	957the relationship between covered entities and service providers are regulated by the following
986	986	958provisions:—
987	987	959 (1)Determining whether a person is acting as a covered entity or service provider with
988	988	960respect to a specific processing of covered data is a fact-based determination that depends upon
989	989	961the context in which such data is processed. 49 of 62
990	990	962 (2)A person or entity that is not limited in its processing of covered data pursuant to the
991	991	963instructions of a covered entity, or that fails to adhere to such instructions, is a covered entity and
992	992	964not a service provider with respect to a specific processing of covered data. A service provider
993	993	965that continues to adhere to the instructions of a covered entity with respect to a specific
994	994	966processing of covered data remains a service provider. If a service provider begins, alone or
995	995	967jointly with others, determining the purposes and means of the processing of covered data, it is a
996	996	968covered entity and not a service provider with respect to the processing of such data.
997	997	969 (3)A covered entity that transfers covered data to a service provider or a service provider
998	998	970that transfers covered data to a covered entity or another service provider, in compliance with the
999	999	971requirements of this chapter, is not liable for a violation of this chapter by the service provider or
1000	1000	972covered entity to whom such covered data was transferred, if at the time of transferring such
1001	1001	973covered data, the covered entity or service provider did not have actual knowledge that the
1002	1002	974service provider or covered entity would violate this chapter.
1003	1003	975 (4)A covered entity or service provider that receives covered data in compliance with the
1004	1004	976requirements of this chapter is not in violation of this chapter as a result of a violation by a
1005	1005	977covered entity or service provider from which such data was received.
1006	1006	978 (e)A third party:—
1007	1007	979 (1)shall not process third party data for a processing purpose other than the processing
1008	1008	980purpose for which—
1009	1009	981 (i)the individual gave affirmative express consent or to effect a purpose enumerated in
1010	1010	982paragraph (2), (3), or (5) of subsection (a) of section 2 in the case of sensitive covered data; or 50 of 62
1011	1011	983 (ii)the covered entity made a disclosure pursuant to their privacy policy and in the case of
1012	1012	984data that is not sensitive data;
1013	1013	985 (2)may reasonably rely on representations made by the covered entity that transferred the
1014	1014	986third-party data if the third party conducts reasonable due diligence on the representations of the
1015	1015	987covered entity and finds those representations to be credible.
1016	1016	988 (f)Solely for the purposes of this section, the requirements for service providers to
1017	1017	989contract with, assist, and follow the instructions of covered entities shall be read to include
1018	1018	990requirements to contract with, assist, and follow the instructions of a government entity if the
1019	1019	991service provider is providing a service to a government entity.
1020	1020	992 Section 14. Enforcement. Private Right of Action and Attorney General enforcement.
1021	1021	993 (a)A violation of this chapter or a regulation promulgated under this chapter constitutes
1022	1022	994an injury to that individual.
1023	1023	995 (b)Private right of action. Any individual alleging a violation of this chapter by a covered
1024	1024	996entity that is not a small business may bring a civil action in the superior court or any court of
1025	1025	997competent jurisdiction.
1026	1026	998 (c)An individual protected by this chapter may not be required, as a condition of service
1027	1027	999or otherwise, to file an administrative complaint with the commission or to accept mandatory
1028	1028	1000arbitration of a claim under this chapter.
1029	1029	1001 (d)The civil action shall be directed to the covered entity, data processor, and the third-
1030	1030	1002parties alleged to have committed the violation.
1031	1031	1003 (e)In a civil action in which the plaintiff prevails, the court may award:— 51 of 62
1032	1032	1004 (1)liquidated damages of not less than 0.15% of the annual global revenue of the covered
1033	1033	1005entity or $15,000 per violation, whichever is greater;
1034	1034	1006 (2)punitive damages; and
1035	1035	1007 (3)any other relief, including but not limited to an injunction, that the court deems to be
1036	1036	1008appropriate.
1037	1037	1009 (f)In addition to any relief awarded pursuant to the previous paragraph, the court shall
1038	1038	1010award reasonable attorney’s fees and costs to any prevailing plaintiff.
1039	1039	1011 (g)The attorney general may bring an action pursuant to section 4 of chapter 93A against
1040	1040	1012a covered entity, service provider, third party or data broker to remedy violations of this chapter
1041	1041	1013and for other relief that may be appropriate.
1042	1042	1014 (1)If the court finds that the defendant has employed any method, chapter, or practice
1043	1043	1015which they knew or should have known to be in violation of this chapter, the court may require
1044	1044	1016such person to pay to the commonwealth a civil penalty of:—
1045	1045	1017 (i)not less than 0.15% of the annual global revenue or $15,000, whichever is greater, per
1046	1046	1018violation; and
1047	1047	1019 (ii)not more than 4% of the annual global revenue of the covered entity, data processor,
1048	1048	1020or third-party or $20,000,000, whichever is greater, per action if such action includes multiple
1049	1049	1021violations to multiple individuals;
1050	1050	1022 (2)All money awards shall be paid to the commonwealth. The commonwealth shall
1051	1051	1023identify the individuals affected by the violation and earmark such money awards, penalties, or 52 of 62
1052	1052	1024assessments collected for purposes of paying for the damages they suffered as a consequence of
1053	1053	1025the violation.
1054	1054	1026 (h)When calculating awards and civil penalties in all the actions in this section, the court
1055	1055	1027shall consider:—
1056	1056	1028 (1)the number of affected individuals;
1057	1057	1029 (2)the severity of the violation or noncompliance;
1058	1058	1030 (3)the risks caused by the violation or noncompliance;
1059	1059	1031 (4)whether the violation or noncompliance was part of a pattern of noncompliance and
1060	1060	1032violations and not an isolated instance;
1061	1061	1033 (5)whether the violation or noncompliance was willful and not the result of error;
1062	1062	1034 (6)the precautions taken by the defendant to prevent a violation;
1063	1063	1035 (7)the number of administrative actions, lawsuits, settlements, and consent-decrees under
1064	1064	1036this chapter involving the defendant;
1065	1065	1037 (8)the number of administrative actions, lawsuits, settlements, and consent-decrees
1066	1066	1038involving the defendant in other states and at the federal level in issues involving information
1067	1067	1039privacy; and
1068	1068	1040 (9)the international record of the defendant when it comes to information privacy issues. 53 of 62
1069	1069	1041 (i)It is a violation of this chapter for a covered entity or anyone else acting on behalf of a
1070	1070	1042covered entity to retaliate against an individual who makes a good-faith complaint that there has
1071	1071	1043been a failure to comply with any part of this chapter.
1072	1072	1044 (1)An injured individual by a violation of the previous paragraph may bring a civil action
1073	1073	1045for monetary damages and injunctive relief in any court of competent jurisdiction.
1074	1074	1046 Section 15. Enforcement - Miscellaneous
1075	1075	1047 (a)Any provision of a contract or agreement of any kind, including a covered entity’s
1076	1076	1048terms of service or a privacy policy, including the short-form privacy notice required under
1077	1077	1049section 3 that purports to waive or limit in any way an individual’s rights under this chapter,
1078	1078	1050including but not limited to any right to a remedy or means of enforcement shall be deemed
1079	1079	1051contrary to public policy and shall be void and unenforceable.
1080	1080	1052 (b)No covered entity that is a provider of an interactive computer service, as defined in
1081	1081	105347 U.S.C. section 230, shall be treated as the publisher or speaker of any personal information
1082	1082	1054provided by another information content provider, as defined in 47 U.S.C. section 230 and
1083	1083	1055allowing posting of information by a user without other action by the interactive computer
1084	1084	1056service shall not be deemed processing of the personal information by the interactive computer
1085	1085	1057service.
1086	1086	1058 (c)No private or government action brought pursuant to this chapter shall preclude any
1087	1087	1059other action under this chapter.
1088	1088	1060 Section 16. Transparency 54 of 62
1089	1089	1061 (a)Covered entities that receive any form of a legal request for disclosure of personal
1090	1090	1062information pursuant to this chapter shall:—
1091	1091	1063 (1)provide the Attorney General and the general public a bi-monthly report containing the
1092	1092	1064following aggregate information related to legal requests received by the covered entity, their
1093	1093	1065affiliated data processors, and any third parties they contracted with:—
1094	1094	1066 (i)The total number of legal requests, disaggregated by type of requests such as warrants,
1095	1095	1067court orders, and subpoenas;
1096	1096	1068 (ii)The number of legal requests that resulted in the covered entity disclosing personal
1097	1097	1069information;
1098	1098	1070 (iii)The number of legal requests that did not result in the covered entity disclosing
1099	1099	1071personal information, including the reasons why the information was not disclosed;
1100	1100	1072 (iv)The type of personal information sought in the legal requests received by the covered
1101	1101	1073entity;
1102	1102	1074 (v)The total number of legal requests seeking the disclosure of location or biometric
1103	1103	1075information;
1104	1104	1076 (vi)The number of legal requests that resulted in the covered entity disclosing location or
1105	1105	1077biometric information;
1106	1106	1078 (vii)The number of legal requests that did not result in the covered entity disclosing
1107	1107	1079location or biometric information, including the reasons for such no disclosure; and 55 of 62
1108	1108	1080 (viii)The nature of the proceedings from which the requests were ordered and whether it
1109	1109	1081was a government entity or a private person seeking the legal request;
1110	1110	1082 (b)take all reasonable measures and engage in all legal actions available to ensure that the
1111	1111	1083legal request is valid under applicable laws and statutes; and
1112	1112	1084 (c)require their affiliate data processors and third parties they contracted with to have
1113	1113	1085similar practices and standards.
1114	1114	1086 Section 17. Non-applicability
1115	1115	1087 (a)This chapter shall not apply to:—
1116	1116	1088 (1)personal information captured from a patient by a health care provider or health care
1117	1117	1089facility or biometric information collected, processed, used, or stored exclusively for medical
1118	1118	1090education or research, public health or epidemiological purposes, health care treatment,
1119	1119	1091insurance, payment, or operations under the federal Health Insurance Portability and
1120	1120	1092Accountability chapter of 1996, or to X-ray, roentgen process, computed tomography, MRI, PET
1121	1121	1093scan, mammography, or other image or film of the human anatomy used exclusively to diagnose,
1122	1122	1094prognose, or treat an illness or other medical condition or to further validate scientific testing or
1123	1123	1095screening;
1124	1124	1096 (2)individuals sharing their personal contact information such as email addresses with
1125	1125	1097other individuals in the workplace, or other social, political, or similar settings where the purpose
1126	1126	1098of the information is to facilitate communication among such individuals, provided that this
1127	1127	1099chapter shall cover any processing of such contact information beyond interpersonal
1128	1128	1100communication; or 56 of 62
1129	1129	1101 (3)covered entities’ publication of entity-based member or employee contact information
1130	1130	1102where such publication is intended to allow members of the public to contact such member or
1131	1131	1103employee in the ordinary course of the entity’s operations.
1132	1132	1104 Section 18. Relationship with other laws
1133	1133	1105 (a)Nothing in this chapter shall diminish any individual’s rights or obligations under the
1134	1134	1106Massachusetts Fair Information Practices chapter and its regulations.
1135	1135	1107 Section 19. Implementation
1136	1136	1108 (a)The Attorney General shall:—
1137	1137	1109 (1)adopt, amend, or repeal regulations for the implementation, administration, and
1138	1138	1110enforcement of this chapter;
1139	1139	1111 (2)gather facts and information applicable to the Attorney General’s obligation to enforce
1140	1140	1112this chapter and ensure its compliance;
1141	1141	1113 (3)conduct investigations for possible violations of this chapter;
1142	1142	1114 (4)refer cases for criminal prosecution to the appropriate federal, state, or local
1143	1143	1115authorities; and
1144	1144	1116 (5)maintain an official internet website outlining the provisions of this Act.
1145	1145	1117 Section 20. Severability 57 of 62
1146	1146	1118 (a)Should any provision of this chapter or part hereof be held under any circumstances in
1147	1147	1119any jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect
1148	1148	1120the validity or enforceability of any other provision of this or other parts of this chapter.
1149	1149	1121 SECTION 2. Chapter 149 of the General Laws, as appearing in the 2018 Official Edition,
1150	1150	1122is hereby amended by inserting after section 203 the following section:—
1151	1151	1123 Section 204. Workplace Surveillance
1152	1152	1124 (a)For the purposes of this section, the following words shall have the following
1153	1153	1125meanings unless the context clearly requires otherwise:—
1154	1154	1126 (1)"Information” also referred to as “employee information,” or “employee data”,
1155	1155	1127information that identifies, relates to, describes, is reasonably capable of being associated with,
1156	1156	1128or could reasonably be linked, directly or indirectly, with a particular employee, regardless of
1157	1157	1129how the information is collected, inferred, or obtained.
1158	1158	1130 (2)“Electronic monitoring”, the collection of information concerning employee activities,
1159	1159	1131communications, actions, biometrics, or behaviors by electronic means.
1160	1160	1132 (3)“Employment-related decision”, any decision made by the employer that affects
1161	1161	1133wages, benefits, hours, work schedule, performance evaluation, hiring, discipline, promotion,
1162	1162	1134termination, job content, productivity requirements, workplace health and safety, or any other
1163	1163	1135terms and conditions of employment.
1164	1164	1136 (4)“Vendor”, a business engaged in a contract with an employer to provide services,
1165	1165	1137software, or technology that collects, stores, analyzes, or interprets employee information. 58 of 62
1166	1166	1138 (5)“Facial recognition technology” shall have the meaning established in section 220 of
1167	1167	1139chapter 6 of the General Laws, as amended by Chapter 253 of the Acts of 2020.
1168	1168	1140 (b)An employer, or vendor acting on behalf of an employer, shall not electronically
1169	1169	1141monitor an employee unless:—
1170	1170	1142 (1)the electronic monitoring only purpose is to:—
1171	1171	1143 (i)enable tasks that are necessary to accomplish essential job functions;
1172	1172	1144 (ii)monitor production processes or quality;
1173	1173	1145 (iii)comply with employment, labor, or other relevant laws;
1174	1174	1146 (iv)protect the safety and security of employees; or
1175	1175	1147 (v)carry on other purposes as determined by the department of labor standards; and
1176	1176	1148 (2)the specific form of electronic monitoring is:—
1177	1177	1149 (i)necessary to accomplish the allowable purpose;
1178	1178	1150 (ii)the least invasive means that could reasonably be used to accomplish the allowable
1179	1179	1151purpose;
1180	1180	1152 (iii)limited to the smallest number of employees; and
1181	1181	1153 (iv)collecting the least amount of information necessary to accomplish the purpose
1182	1182	1154mentioned in (1).
1183	1183	1155 (c)Notwithstanding subsection (b), the following practices shall be prohibited: — 59 of 62
1184	1184	1156 (1)use of electronic monitoring that either directly or indirectly harms an employee’s
1185	1185	1157physical health, mental health, personal safety or wellbeing;
1186	1186	1158 (2)monitoring of employees who are off-duty and not performing work-related tasks;
1187	1187	1159 (3)audio-visual monitoring of bathrooms or other similarly private areas including locker
1188	1188	1160rooms and changing areas;
1189	1189	1161 (4)audio-visual monitoring of break rooms, lounges, and other social spaces, except to
1190	1190	1162investigate specific illegal activity;
1191	1191	1163 (5)use of facial recognition technology other than for the purpose of verifying the identity
1192	1192	1164of an employee for security purposes; and
1193	1193	1165 (6)any other forms of electronic monitoring such as may be prohibited by the department
1194	1194	1166of labor standards.
1195	1195	1167 (d)Employers shall not require employees to install applications on personal or mobile
1196	1196	1168devices that collect employee information or require employees to wear data-collecting devices,
1197	1197	1169including those that are incorporated into items of clothing or personal accessories, unless the
1198	1198	1170electronic monitoring is necessary to accomplish essential job functions and is narrowly limited
1199	1199	1171to only the activities and times necessary to accomplish essential job functions.
1200	1200	1172 (e)Information resulting from electronic monitoring shall be accessed only by authorized
1201	1201	1173agents and used only for the purpose and duration for which notice was given in accordance with
1202	1202	1174subsection (f). 60 of 62
1203	1203	1175 (f)Employers shall provide employees with notice that electronic monitoring will occur
1204	1204	1176prior to conducting each specific form of electronic monitoring. The notice must, at a minimum,
1205	1205	1177include:—
1206	1206	1178 (1)a description of:—
1207	1207	1179 (i)the purpose that the specific form of electronic monitoring is intended to accomplish,
1208	1208	1180as specified in subsection (b);
1209	1209	1181 (ii)the specific activities, locations, communications, and job roles that will be
1210	1210	1182electronically monitored;
1211	1211	1183 (iii)the technologies used to conduct the specific form of electronic monitoring;
1212	1212	1184 (iv)the vendors or other third parties that information collected through electronic
1213	1213	1185monitoring will be disclosed or transferred to, including the name of the vendor and the purpose
1214	1214	1186for the data transfer;
1215	1215	1187 (v)the organizational positions that are authorized to access the information collected
1216	1216	1188through the specific form of electronic monitoring, and under what conditions; and
1217	1217	1189 (vi)the dates, times, and frequency that electronic monitoring will occur;
1218	1218	1190 (2)the names of any vendors conducting electronic monitoring on the employer’s behalf;
1219	1219	1191and
1220	1220	1192 (3)an explanation of:—
1221	1221	1193 (i)the reasons why the specific form of electronic monitoring is necessary to accomplish
1222	1222	1194the purpose; and 61 of 62
1223	1223	1195 (ii)how the specific monitoring practice is the least invasive means available to
1224	1224	1196accomplish the allowable monitoring purpose.
1225	1225	1197 (g)The notice mentioned in (f) shall be clear and conspicuous and provide the employee
1226	1226	1198with actual notice of electronic monitoring activities.
1227	1227	1199 (1)A notice that provides electronic monitoring "may" take place or that the employer
1228	1228	1200"reserves the right" to monitor shall not suffice.
1229	1229	1201 (h)An employer who engages in random or periodic electronic monitoring of employees
1230	1230	1202will inform the affected employees of the specific events which are being monitored at the time
1231	1231	1203the monitoring takes place with a notice that shall be clear and conspicuous.
1232	1232	1204 (1)Notwithstanding the previous paragraph, notice of random or periodic electronic
1233	1233	1205monitoring may be given after electronic monitoring has occurred only if necessary to preserve
1234	1234	1206the integrity of an investigation of wrongdoing or protect the immediate safety of employees,
1235	1235	1207customers, or the public.
1236	1236	1208 (i)Employers shall provide a copy of the above notice disclosure to the department of
1237	1237	1209labor standards.
1238	1238	1210 (j)An employer shall only use employee information collected through electronic
1239	1239	1211monitoring to accomplish its purpose, unless the information documents illegal activity.
1240	1240	1212 (k)When making a hiring or employment-related decision using information collected
1241	1241	1213through electronic monitoring, an employer shall:—
1242	1242	1214 (1)not make the decision based solely on such information; 62 of 62
1243	1243	1215 (2)give the affected employee access to the data and provide an opportunity to correct or
1244	1244	1216explain it;
1245	1245	1217 (3)corroborate such information by other means, such as independent documentation by
1246	1246	1218supervisors or managers, or by consultation with other employees; and
1247	1247	1219 (4)document and communicate to affected employees the basis for the corroboration prior
1248	1248	1220to the decision going into effect.
1249	1249	1221 (l)Subsection (k) shall not apply to those cases when electronic monitoring data provides
1250	1250	1222evidence of illegal activity.
1251	1251	1223 SECTION 3. Effective date.
1252	1252	1224 (a)The provisions of this Act shall take effect 12 months after this Act is enacted.
1253	1253	1225 (b)The enforcement of chapter 93L shall be delayed until 6 months after the effective
1254	1254	1226date.