Massachusetts 2025-2026 Regular Session

Massachusetts House Bill H104 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	1 of 1
2	2	HOUSE DOCKET, NO. 2110 FILED ON: 1/15/2025
3	3	HOUSE . . . . . . . . . . . . . . . No. 104
4	4	The Commonwealth of Massachusetts
5	5	_________________
6	6	PRESENTED BY:
7	7	Andres X. Vargas and David M. Rogers
8	8	_________________
9	9	To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
10	10	Court assembled:
11	11	The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:
12	12	An Act establishing the Massachusetts Data Privacy Act.
13	13	_______________
14	14	PETITION OF:
15	15	NAME:DISTRICT/ADDRESS :DATE ADDED:Andres X. Vargas3rd Essex1/15/2025David M. Rogers24th Middlesex1/15/2025Mindy Domb3rd Hampshire1/27/2025Lindsay N. Sabadosa1st Hampshire1/27/2025Natalie M. Higgins4th Worcester1/28/2025Erika Uyterhoeven27th Middlesex1/31/2025Rebecca L. RauschNorfolk, Worcester and Middlesex1/31/2025James B. EldridgeMiddlesex and Worcester2/12/2025James C. Arena-DeRosa8th Middlesex2/20/2025James Arciero2nd Middlesex2/24/2025Adrianne Pusateri Ramos14th Essex3/11/2025 1 of 64
16	16	HOUSE DOCKET, NO. 2110 FILED ON: 1/15/2025
17	17	HOUSE . . . . . . . . . . . . . . . No. 104
18	18	By Representatives Vargas of Haverhill and Rogers of Cambridge, a petition (accompanied by
19	19	bill, House, No. 104) of Andres X. Vargas, David M. Rogers and others for legislation to
20	20	establish the Massachusetts data privacy act. Advanced Information Technology, the Internet
21	21	and Cybersecurity.
22	22	The Commonwealth of Massachusetts
23	23	_______________
24	24	In the One Hundred and Ninety-Fourth General Court
25	25	(2025-2026)
26	26	_______________
27	27	An Act establishing the Massachusetts Data Privacy Act.
28	28	Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority
29	29	of the same, as follows:
30	30	1 SECTION 1.
31	31	2 The General Laws, as appearing in the 2022 Official Edition, are hereby amended by
32	32	3inserting after chapter 93L the following chapter:
33	33	4 Chapter 93M. Massachusetts Data Privacy Act
34	34	5 Section 1. Definitions
35	35	6 (a)As used in this chapter, the following words shall, unless the context clearly
36	36	7requires otherwise, have the following meanings:
37	37	8 (1)“authentication”, the process of verifying an individual or entity for security
38	38	9purposes. 2 of 64
39	39	10 (2)“biometric data”, data generated from the technological processing of an
40	40	11individual’s unique biological, physical, or physiological characteristics that is linked or
41	41	12reasonably linkable to an individual, including but not limited to retina or iris scans, fingerprint,
42	42	13voiceprint, map or scan of hand or face geometry, vein pattern, gait pattern; provided, however,
43	43	14that “biometric information” shall not include:
44	44	15 (i)a digital or physical photograph;
45	45	16 (ii)an audio or video recording; or
46	46	17 (iii)data generated from a digital or physical photograph, or an audio or video
47	47	18recording, unless such data is generated to identify a specific individual.
48	48	19 (3)"chapter”, this chapter of the General Laws, as from time to time may be
49	49	20amended, and any regulations promulgated under said chapter.
50	50	21 (4)“collect” and “collection”, buying, renting, licensing, gathering, obtaining,
51	51	22receiving, accessing, or otherwise acquiring covered data by any means. This includes receiving
52	52	23information from the consumer either actively, through interactions such as user registration, or
53	53	24passively, by observing the consumer’s behavior.
54	54	25 (5)“consent”, a clear affirmative act signifying an individual’s freely given, specific,
55	55	26informed, and unambiguous agreement to allow the processing of specific categories of personal
56	56	27information relating to the individual for a narrowly defined particular purpose after having been
57	57	28informed, in response to a specific request from a covered entity that meets the requirements of
58	58	29this chapter; provided, however, that “consent” may include a written statement, including a 3 of 64
59	59	30statement written by electronic means, or any other unambiguous affirmative action; and
60	60	31provided further, that the following shall not constitute “consent”:
61	61	32 (i)acceptance of a general or broad terms of use or similar document that contains
62	62	33descriptions of personal information processing along with other, unrelated information;
63	63	34 (ii)hovering over, muting, pausing, or closing a given piece of content; or
64	64	35 (iii)agreement obtained through dark patterns or a false, fictitious, fraudulent, or
65	65	36materially misleading statement or representation.
66	66	37 (6)“control”, with respect to an entity:
67	67	38 (i)ownership of, or the power to vote, more than 50 percent of the outstanding shares
68	68	39of any class of voting security of the entity;
69	69	40 (ii)control over the election of a majority of the directors of the entity (or of
70	70	41individuals exercising similar functions); or
71	71	42 (iii)the power to exercise a controlling influence over the management of the entity.
72	72	43 (7)“covered data”, information, including derived data, inferences, and unique
73	73	44persistent identifiers, that identifies or is linked or reasonably linkable, alone or in combination
74	74	45with other information, to an individual or a device that identifies or is linked or reasonably
75	75	46linkable to an individual. However, the term “covered data” does not include de-identified data
76	76	47or publicly available information. 4 of 64
77	77	48 (8)“covered entity”, any entity or any person, other than an individual acting in a
78	78	49non-commercial context, that alone or jointly with others determines the purposes and means of
79	79	50collecting, processing, or transferring covered data.
80	80	51 The term “covered entity” does not include:
81	81	52 (i)government agencies or service providers to government agencies that exclusively
82	82	53and solely process information provided by government entities;
83	83	54 (ii)any entity or person that meets the following criteria for the period of the 3
84	84	55preceding calendar years (or for the period during which the covered entity or service provider
85	85	56has been in existence if such period is less than 3 years):
86	86	57 (A)the entity or person’s average annual gross revenues during the period did not
87	87	58exceed $20,000,000;
88	88	59 (B)the entity or person, on average, did not annually collect or process the covered
89	89	60data of more than 25,000 individuals during the period, other than for the purpose of initiating,
90	90	61rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested
91	91	62service or product, so long as all covered data for such purpose was deleted or de-identified
92	92	63within 90 days, except when necessary to investigate fraud or as consistent with a covered
93	93	64entity’s return policy; and
94	94	65 (C)no component of its revenue comes from transferring covered data during any
95	95	66year (or part of a year if the covered entity has been in existence for less than 1 year) that occurs
96	96	67during the period. 5 of 64
97	97	68 (iii)a national securities association that is registered under 15 U.S.C. 78o-3 of the
98	98	69Securities Exchange Act of 1934.and is operating solely for purposes under that act.
99	99	70 (iv)a nonprofit organization that is established to detect and prevent fraudulent acts in
100	100	71connection with insurance and is operating solely for that purpose.
101	101	72 (9)“covered high-impact social media company”, a covered entity that provides any
102	102	73internet-accessible platform where:
103	103	74 (i)such covered entity generates $3,000,000,000 or more in annual revenue;
104	104	75 (ii)such platform has 300,000,000 or more monthly active users for not fewer than 3
105	105	76of the preceding 12 months on the online product or service of such covered entity; and
106	106	77 (iii)such platform constitutes an online product or service that is primarily used by
107	107	78users to access or share user-generated content.
108	108	79 (10)“dark pattern or deceptive design”, a user interface that is designed, modified, or
109	109	80manipulated with the purpose or substantial effect of obscuring, subverting, or impairing a
110	110	81reasonable individual’s autonomy, decision-making, or choice, including, but not limited to, any
111	111	82practice the Federal Trade Commission refers to as a “dark pattern.”
112	112	83 (11)“data broker”, a covered entity whose principal source of revenue is derived from
113	113	84processing or transferring covered data that the covered entity did not collect directly from the
114	114	85individuals linked or linkable to the covered data. This term does not include a covered entity
115	115	86insofar as such entity processes employee data collected by and received from a third party
116	116	87concerning any individual who is an employee of the third party for the sole purpose of such 6 of 64
117	117	88third-party providing benefits to the employee. An entity may not be considered to be a data
118	118	89broker for purposes of this chapter if the entity is acting as a service provider.
119	119	90 (12)“de-identified data”, information that does not identify and is not linked or
120	120	91reasonably linkable to a distinct individual or a device, regardless of whether the information is
121	121	92aggregated, and if the covered entity or service provider:
122	122	93 (i)takes technical measures to ensure that the information cannot, at any point, be
123	123	94used to re-identify any individual or device that identifies or is linked or reasonably linkable to
124	124	95an individual;
125	125	96 (ii)publicly commits in a clear and conspicuous manner:
126	126	97 (A)to process and transfer the information solely in a de-identified form without any
127	127	98reasonable means for re-identification; and
128	128	99 (B)to not attempt to re-identify the information with any individual or device that
129	129	100identifies or is linked or reasonably linkable to an individual; and
130	130	101 (iii)contractually obligates any person or entity that receives the information from the
131	131	102covered entity or service provider:
132	132	103 (A)to comply with all the provisions of this paragraph with respect to the
133	133	104information; and
134	134	105 (B)to require that such contractual obligations be included contractually in all
135	135	106subsequent instances for which the data may be received. 7 of 64
136	136	107 (13)“derived data”, covered data that is created by the derivation of information, data,
137	137	108assumptions, correlations, inferences, predictions, or conclusions from facts, evidence, or another
138	138	109source of information or data about an individual or an individual’s device.
139	139	110 (14)“device”, any electronic equipment capable of collecting, processing, or
140	140	111transferring data that is used by one or more individuals or households.
141	141	112 (15)“genetic information”, any covered data, regardless of its format, that concerns an
142	142	113individual’s genetic characteristics, including but not limited to:
143	143	114 (i)raw sequence data that results from the sequencing of the complete, or a portion
144	144	115of the, extracted deoxyribonucleic acid (DNA) of an individual; or
145	145	116 (ii)genotypic and phenotypic information that results from analyzing raw sequence
146	146	117data described in subparagraph (i).
147	147	118 (16)“homepage”, the introductory page of an internet website and any internet web
148	148	119page where personal information is collected; provided, however, that in the case of an online
149	149	120service, such as a mobile application, “homepage” shall include:
150	150	121 (i)the application’s platform page or download page;
151	151	122 (ii)a link within the application, such as from the application configuration, “About,”
152	152	123“Information,” or settings page; and
153	153	124 (iii)any other location that allows individuals to review the notices required by this
154	154	125chapter, including, but not limited to, before downloading the application. 8 of 64
155	155	126 (17)“individual”, a natural person who is a Massachusetts resident or is present in
156	156	127Massachusetts.
157	157	128 (18)“knowledge”,
158	158	129 (i)with respect to a covered entity that is a covered high-impact social media company,
159	159	130the entity knew or should have known the individual was a minor;
160	160	131 (ii)with respect to a covered entity or service provider that is a large data holder, and
161	161	132otherwise is not a covered high-impact social media company, that the covered entity knew or
162	162	133acted in willful disregard of the fact that the individual was a minor; and
163	163	134 (iii)with respect to a covered entity or service provider that does not meet the
164	164	135requirements of clause (i) or (ii), actual knowledge.
165	165	136 (19)“large data holder”, a covered entity or service provider that in the most recent
166	166	137calendar year:
167	167	138 (i)had annual gross revenues of $200,000,000 or more; and
168	168	139 (ii)collected, processed, or transferred the covered data of more than 2,000,000
169	169	140individuals or devices that identify or are linked or reasonably linkable to one or more
170	170	141individuals, excluding covered data collected and processed solely for the purpose of initiating,
171	171	142rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested
172	172	143product or service; or the sensitive covered data of more than 200,000 individuals or devices that
173	173	144identify or are linked or reasonably linkable to one or more individuals.
174	174	145 The term “large data holder” does not include any instance in which the covered entity or
175	175	146service provider would qualify as a large data holder solely on the basis of collecting or 9 of 64
176	176	147processing personal email addresses, personal telephone numbers, or log-in information of an
177	177	148individual or device to allow the individual or device to log in to an account administered by the
178	178	149covered entity or service provider.
179	179	150 (20)“material”, with respect to an act, practice, or representation of a covered entity
180	180	151(including a representation made by the covered entity in a privacy policy or similar disclosure to
181	181	152individuals) involving the collection, processing, or transfer of covered data, that such act,
182	182	153practice, or representation is likely to affect a reasonable individual’s decision or conduct
183	183	154regarding a product or service
184	184	155 (21)“minor”, an individual under the age of 18.
185	185	156 (22)“OCABR”, the Office of Consumer Affairs and Business Regulation.
186	186	157 (23)“precise geolocation information,” information derived from a device or from
187	187	158interactions between devices, with or without the knowledge of the user and regardless of the
188	188	159technological method used, that pertains to or directly or indirectly reveals the present or past
189	189	160geographical location of an individual or device within the Commonwealth of Massachusetts
190	190	161with sufficient precision to identify street-level location information within a range of 1,850 feet
191	191	162or less.
192	192	163 (24)“process”, any operation or set of operations performed on information or on sets
193	193	164of information, whether or not by automated means, including but not limited to the use, storage,
194	194	165analysis, deletion, or modification of information.
195	195	166 (25)“processing purpose”, a reason for which a covered entity or service provider
196	196	167collects, processes, or transfers covered data that is specific and granular enough for a reasonable 10 of 64
197	197	168individual to understand the material facts of how and why the covered entity or service provider
198	198	169collects, processes, or transfers the covered data.
199	199	170 (26)"profiling", any form of automated processing performed on personal data to
200	200	171evaluate, analyze or predict personal aspects related to an identified or identifiable individual's
201	201	172economic situation, health, personal preferences, interests, reliability, behavior, location or
202	202	173movements.
203	203	174 (27)“publicly available information”, any information that a covered entity or service
204	204	175provider has a reasonable basis to believe has been lawfully made available to the general public
205	205	176from:
206	206	177 (i)federal, state, or local government records, if the covered entity collects,
207	207	178processes, and transfers such information in accordance with any restrictions or terms of use
208	208	179placed on the information by the relevant government entity;
209	209	180 (ii)widely distributed media;
210	210	181 (iii)a website or online service made available to all members of the public, for free or
211	211	182for a fee, including where all members of the public, for free or for a fee, can log in to the
212	212	183website or online service;
213	213	184 (iv)a disclosure that has been made to the general public as required by federal, state,
214	214	185or local law; or
215	215	186 (v)the visual observation of the physical presence of an individual or a device in a
216	216	187public place, not including data collected by a device in the individual’s possession. 11 of 64
217	217	188 For purposes of this paragraph, information from a website or online service is not
218	218	189available to all members of the public if the individual who made the information available via
219	219	190the website or online service has either restricted the information to a specific audience or
220	220	191reasonably expects that the information will not be distributed to so many persons as to become a
221	221	192matter of public knowledge.
222	222	193 The term “publicly available information” does not include:
223	223	194 (i)any obscene visual depiction, as defined in 18 U.S.C. section 1460;
224	224	195 (ii)any inference made exclusively from multiple independent sources of publicly
225	225	196available information that reveals sensitive covered data with respect to an individual;
226	226	197 (iii)biometric information;
227	227	198 (iv)publicly available information that has been combined with covered data;
228	228	199 (v)genetic information, unless otherwise made available by the individual to whom
229	229	200the information pertains:
230	230	201 (vi)intimate images known to have been created or shared without consent.
231	231	202 (28)“reasonably understandable”, of length and complexity such that an individual
232	232	203with an eighth-grade reading level, as established by the department of elementary and secondary
233	233	204education, can read and comprehend.
234	234	205 (29)“sensitive covered data”, a form of coved data, including:
235	235	206 (i)an individual’s precise geolocation information; 12 of 64
236	236	207 (ii)biometric or genetic information;
237	237	208 (iii)the covered data of an individual when a covered entity or service provider has
238	238	209knowledge the individual is a minor;
239	239	210 (iv)covered data that reveals an individual’s:
240	240	211 (A)race, color, ethnicity, or national origin;
241	241	212 (B)sex or gender identity;
242	242	213 (C)religious beliefs;
243	243	214 (D)citizenship or immigration status;
244	244	215 (E)military service; or
245	245	216 (F)status as a victim of a crime.
246	246	217 (v)covered data processed concerning an individual’s past, present or future mental
247	247	218or physical health condition, disability, diagnosis or treatment, including pregnancy and cosmetic
248	248	219treatment;
249	249	220 (vi)covered data processed concerning an individual’s sexual orientation, sex life or
250	250	221reproductive health, including, but not limited to, the use or purchase of contraceptives, birth
251	251	222control, abortifacients or other medication, products or services related to reproductive health;
252	252	223 (vii)covered data that reveals an individual’s philosophical beliefs or union
253	253	224membership; 13 of 64
254	254	225 (viii)covered data that reveals an individual’s government-issued identifier, including
255	255	226but not limited to, social security number, driver’s license number, military identification
256	256	227number, passport number or state-issued identification card number but does not include a
257	257	228government-issued identifier required by law to be displayed in public;
258	258	229 (ix)covered data that reveals an individual’s financial account number, or credit or
259	259	230debit card number, with or without any required security code, access code, personal
260	260	231identification number or password, that would permit access to an individual’s financial account,
261	261	232or information that describes or reveals the income level or bank account balances of an
262	262	233individual;
263	263	234 (x)covered data that reveals account or device log-in credentials, or security or
264	264	235access codes for an account or device;
265	265	236 (xi)covered data that reveals an individual’s private communications such as
266	266	237voicemails, emails, texts, direct messages, or mail, or information identifying the parties to such
267	267	238communications, voice communications, video communications, and any information that
268	268	239pertains to the transmission of such communications, including telephone numbers called,
269	269	240telephone numbers from which calls were placed, the time calls were made, call duration, and
270	270	241location information of the parties to the call, unless the covered entity or a service provider
271	271	242acting on behalf of the covered entity is the sender or an intended recipient of the
272	272	243communication. Communications are not private for purposes of this clause if such
273	273	244communications are made from or to a device provided by an employer to an employee insofar
274	274	245as such employer provides conspicuous notice that such employer may access such
275	275	246communications; 14 of 64
276	276	247 (xii)covered data that reveals calendar information, address book information, phone
277	277	248or text logs, photos, audio recordings, or videos, maintained for private use by an individual,
278	278	249regardless of whether such information is stored on the individual’s device or is accessible from
279	279	250that device and is backed up in a separate location. Such information is not sensitive for purposes
280	280	251of this paragraph if such information is sent from or to a device provided by an employer to an
281	281	252employee insofar as such employer provides conspicuous notice that it may access such
282	282	253information.
283	283	254 (xiii)a photograph, film, video recording, or other similar medium that shows the
284	284	255naked or undergarment-clad private area of an individual;
285	285	256 (xiv)covered data that reveals the video content requested or selected by an individual
286	286	257collected by a covered entity. This clause does not include covered data used solely for transfers
287	287	258for independent video measurement.
288	288	259 (xv)covered data that reveals an individual’s online activities over time and across
289	289	260third-party websites or online services.
290	290	261 (xvi)any other covered data collected, processed, or transferred for the purpose of
291	291	262identifying the types of covered data listed in clauses (i) through (xv), inclusive.
292	292	263 (30)“service provider”, a person or entity that:
293	293	264 (i)collects, processes, or transfers covered data on behalf of, and at the direction of,
294	294	265a covered entity or a government agency; and
295	295	266 (ii)receives covered data from or on behalf of a covered entity or a government
296	296	267agency. 15 of 64
297	297	268 A service provider that receives service provider data from another service provider as
298	298	269permitted under this chapter shall be treated as a service provider under this chapter with respect
299	299	270to such data.
300	300	271 (31)“service provider data”, covered data that is collected or processed by or has been
301	301	272transferred to a service provider by or on behalf of a covered entity or a government agency or
302	302	273another service provider for the purpose of allowing the service provider to whom such covered
303	303	274data is transferred to perform a service or function on behalf of, and at the direction of, such
304	304	275covered entity or government agency.
305	305	276 (32)“targeted advertising”, presenting to an individual or device identified by a unique
306	306	277identifier, or groups of individuals or devices identified by unique identifiers, an online
307	307	278advertisement that is selected based on known or predicted preferences, characteristics, or
308	308	279interests associated with the individual or a device identified by a unique identifier; provided,
309	309	280however, that “targeted advertising” does not include:
310	310	281 (i)advertising or marketing to an individual or an individual’s device in response to
311	311	282the individual’s specific request for information or feedback;
312	312	283 (ii)contextual advertising, which is when an advertisement is displayed based on the
313	313	284content with or in which the advertisement appears and does not vary based on who is viewing
314	314	285the advertisement; or
315	315	286 (iii)processing covered data strictly necessary for the sole purpose of measuring or
316	316	287reporting advertising or content performance, reach, or frequency, including independent
317	317	288measurement. 16 of 64
318	318	289 (33)“third party”, any person or entity, including a covered entity, that
319	319	290 (i)collects, processes, or transfers covered data and is not a consumer-facing
320	320	291business with which the individual linked or reasonably linkable to such covered data expects
321	321	292and intends to interact; and
322	322	293 (ii)is not a service provider with respect to such data.
323	323	294 This term does not include a person or entity that collects covered data from another
324	324	295entity if the two entities are related by common ownership or corporate control, but only if a
325	325	296reasonable consumer’s reasonable expectation would be that such entities share information.
326	326	297 (34)“third party data”, covered data that has been transferred to a third party.
327	327	298 (35)“transfer”, to disclose, sell, release, disseminate, make available, license, rent, or
328	328	299share covered data orally, in writing, electronically, or by any other means.
329	329	300 (36)“unique identifier”, an identifier to the extent that such identifier is reasonably
330	330	301linkable to an individual or device that identifies or is linked or reasonably linkable to 1 or more
331	331	302individuals, including a device identifier, Internet Protocol address, cookie, beacon, pixel tag,
332	332	303mobile ad identifier, or similar technology, customer number, unique pseudonym, user alias,
333	333	304telephone number, or other form of persistent or probabilistic identifier that is linked or
334	334	305reasonably linkable to an individual or device. This term does not include an identifier assigned
335	335	306by a covered entity for the specific purpose of giving effect to an individual’s exercise of consent
336	336	307or opt-outs of the collection, processing, and transfer of covered data pursuant to this chapter or
337	337	308otherwise limiting the collection, processing, or transfer of such information. 17 of 64
338	338	309 (37)“widely distributed media”, information that is available to the general public,
339	339	310including information from a telephone book or online directory, a television, internet, or radio
340	340	311program, the news media, or an internet site that is available to the general public on an
341	341	312unrestricted basis, but does not include an obscene visual depiction, as defined in 18 U.S.C.
342	342	313section 1460.
343	343	314 Section 2. Duty of Loyalty
344	344	315 (a)A covered entity or service provider may not collect, process, or transfer covered data
345	345	316unless the collection, processing, or transfer is limited to what is reasonably necessary and
346	346	317proportionate to carry out one of the following purposes:
347	347	318 (1)provide or maintain a specific product or service requested by the individual to whom
348	348	319the data pertains;
349	349	320 (2)initiate, manage, complete a transaction, or fulfill an order for specific products or
350	350	321services requested by an individual, including any associated routine administrative, operational,
351	351	322and account-servicing activity such as billing, shipping, delivery, storage, and accounting;
352	352	323 (3)authenticate users of a product or service;
353	353	324 (4)fulfill a product or service warranty;
354	354	325 (5)prevent, detect, protect against, or respond to a security incident. For purposes of this
355	355	326paragraph, security is defined as network security and physical security and life safety, including
356	356	327an intrusion or trespass, medical alerts, fire alarms, and access control security;
357	357	328 (6)to prevent, detect, protect against, or respond to fraud, harassment, or illegal activity
358	358	329targeted at or involving the covered entity or its services. For purposes of this paragraph, the 18 of 64
359	359	330term “illegal activity”, a violation of a federal, state, or local law punishable as a felony or
360	360	331misdemeanor that can directly harm;
361	361	332 (7)comply with a legal obligation imposed by state or federal law, or to investigate,
362	362	333establish, prepare for, exercise, or defend legal claims involving the covered entity or service
363	363	334provider;
364	364	335 (8)effectuate a product recall pursuant to state or federal law;
365	365	336 (9)conduct a public or peer-reviewed scientific, historical, or statistical research project
366	366	337that:
367	367	338 (i)is in the public interest; and
368	368	339 (ii)adheres to all relevant laws and regulations governing such research, including
369	369	340regulations for the protection of human subjects, or is excluded from criteria of the institutional
370	370	341review board;
371	371	342 (10)deliver a communication that is not an advertisement to an individual, if the
372	372	343communication is reasonably anticipated by the individual within the context of the individual’s
373	373	344interactions with the covered entity;
374	374	345 (11)deliver a communication at the direction of an individual between such individual
375	375	346and one or more individuals or entities;
376	376	347 (12)ensure the data security and integrity of covered data in accordance with chapter
377	377	34893H; or 19 of 64
378	378	349 (13)transfer assets to a third party in the context of a merger, acquisition, bankruptcy, or
379	379	350similar transaction when the third party assumes control, in whole or in part, of the covered
380	380	351entity’s assets, only if the covered entity, in a reasonable time prior to such transfer, provides
381	381	352each affected individual with:
382	382	353 (i)a notice describing such transfer, including the name of the entity or entities receiving
383	383	354the individual’s covered data and their privacy policies; and
384	384	355 (ii)a reasonable opportunity to withdraw any previously given consents related to the
385	385	356individual’s covered data and a reasonable opportunity to request the deletion of the individual’s
386	386	357covered data.
387	387	358 (b)A covered entity or service provider may, with respect to covered data previously
388	388	359collected in accordance with the previous subsection, process such data:
389	389	360 (1) as necessary to provide advertising or marketing of products or services provided by
390	390	361the covered entity to an individual who is not a minor or device by electronic or non-electronic
391	391	362means, provided that the delivery of such advertising or marketing complies with the
392	392	363requirements of this chapter;
393	393	364 (2)process such data as necessary to perform system maintenance or diagnostics;
394	394	365 (3)develop, maintain, repair, or enhance a product or service for which such data was
395	395	366collected;
396	396	367 (4)to conduct internal research or analytics to improve a product or service for which
397	397	368such data was collected;
398	398	369 (5)perform inventory management or reasonable network management; 20 of 64
399	399	370 (6)protect against spam; or
400	400	371 (7)debug or repair errors that impair the functionality of a service or product for which
401	401	372such data was collected.
402	402	373 (c)A covered entity or service provider shall not:
403	403	374 (1) engage in deceptive advertising or marketing with respect to a product or service
404	404	375offered to an individual; or
405	405	376 (2)draw an individual into signing up for or acquiring a product or service through:—
406	406	377 (i)the use of any false, fictitious, fraudulent, or materially misleading statement or
407	407	378representation; or
408	408	379 (ii)the use of a dark pattern or deceptive design.
409	409	380 (d)Nothing in this chapter shall be construed or interpreted to:
410	410	381 (1)limit or diminish free speech rights of covered entities guaranteed under the First
411	411	382Amendment to the Constitution of the United States or under Article 16 of Massachusetts
412	412	383Declaration of Rights; or
413	413	384 (2)imply any purpose that is not enumerated in subsections (a) and (b), when applicable.
414	414	385 Section 3. Sensitive Covered Data
415	415	386 (a)A covered entity or service provider shall not:
416	416	387 (1)collect, process, or transfer a Social Security number, except when necessary to
417	417	388facilitate an extension of credit, authentication, fraud and identity fraud detection and prevention, 21 of 64
418	418	389the payment or collection of taxes, the enforcement of a contract between parties, or the
419	419	390prevention, investigation, or prosecution of fraud or illegal activity, or as otherwise required by
420	420	391state or federal law;
421	421	392 (2)collect or process sensitive covered data, except where such collection or processing is
422	422	393strictly necessary to provide or maintain a specific product or service requested by the individual
423	423	394to whom the covered data pertains or is strictly necessary to effect a purpose enumerated in
424	424	395paragraphs (1), (2), (3), (5), (7), (9), (10), (11), (13), of subsection (a) of section 2, and such data
425	425	396is only used for that purposes;
426	426	397 (3)transfer an individual’s sensitive covered data to a third party, unless:
427	427	398 (i)the transfer is made pursuant to the consent of the individual, given before each
428	428	399specific transfer takes place;
429	429	400 (ii)the transfer is necessary to comply with a legal obligation imposed by state or federal
430	430	401law, so long as such obligation preexisted the collection and previous notice of such obligation
431	431	402was provided to the individual to whom the data pertains;
432	432	403 (iii)the transfer is necessary to prevent an individual from imminent injury where the
433	433	404covered entity believes in good faith that the individual is at risk of death, serious physical
434	434	405injury, or serious health risk;
435	435	406 (iv)in the case of the transfer of a password, the transfer is necessary to use a designated
436	436	407password manager or is to a covered entity for the exclusive purpose of identifying passwords
437	437	408that are being reused across sites or accounts; 22 of 64
438	438	409 (v)in the case of the transfer of genetic information, the transfer is necessary to perform a
439	439	410medical diagnosis or medical treatment specifically requested by an individual, or to conduct
440	440	411medical research in accordance with federal and state law; or
441	441	412 (vi)in the case of transfer assets in case of a merger, if the transfer is made in accordance
442	442	413with paragraph (13) of subsection (a) of section (2); or
443	443	414 (4)process sensitive covered data for the purposes of targeted advertising.
444	444	415 Section 4. Data Subject Rights
445	445	416 (a)A covered entity shall provide an individual, after receiving a verified request from the
446	446	417individual, with the right to:
447	447	418 (1)access:
448	448	419 (i)in a human-readable format that a reasonable individual can understand and download
449	449	420from the internet and transmit freely, the covered data (except covered data in a back-up or
450	450	421archival system) of the individual making the request that is collected, processed, or transferred
451	451	422by the covered entity or any service provider of the covered entity within the 12 months
452	452	423preceding the request;
453	453	424 (ii)the categories of any third party or service provider, if applicable, and an option for
454	454	425consumers to obtain the names of any such third party as well as and the categories of any
455	455	426service providers to whom the covered entity has transferred the covered data of the individual,
456	456	427as well as the categories of sources from which the covered data was collected; and
457	457	428 (iii)a description of the purpose for which the covered entity transferred the covered data
458	458	429of the individual to a third party or service provider; 23 of 64
459	459	430 (2)correct any verifiable substantial inaccuracy or substantially incomplete information
460	460	431with respect to the covered data of the individual that is processed by the covered entity and
461	461	432instruct the covered entity to make reasonable efforts to notify all third parties or service
462	462	433providers to which the covered entity transferred such covered data of the corrected information;
463	463	434 (3)delete covered data of the individual that is processed by the covered entity and
464	464	435instruct the covered entity to make reasonable efforts to notify all third parties or service
465	465	436provider to which the covered entity transferred such covered data of the individual’s deletion
466	466	437request; and
467	467	438 (4)to the extent technically feasible, export to the individual or directly to another entity
468	468	439the covered data of the individual that is processed by the covered entity, including inferences
469	469	440linked or reasonably linkable to the individual but not including other derived data, without
470	470	441licensing restrictions that limit such transfers in:
471	471	442 (i)a human-readable format that a reasonable individual can understand and download
472	472	443from the internet and transmit freely; and
473	473	444 (ii)a portable, structured, interoperable, and machine-readable format.
474	474	445 (b)A covered entity may not condition, effectively condition, attempt to condition, or
475	475	446attempt to effectively condition the exercise of a right described in subsection (a) through:
476	476	447 (1)the use of any false, fictitious, fraudulent, or materially misleading statement or
477	477	448representation; or
478	478	449 (2) the use of any dark pattern or deceptive design. 24 of 64
479	479	450 (c)Subject to subsections (d) and (e), each request under subsection (a) shall be
480	480	451completed within 45 days of such request from an individual, unless it is demonstrably
481	481	452impracticable or impracticably costly to verify such individual’s request.
482	482	453 (d)A response period set forth in this subsection may be extended once by 20 additional
483	483	454days when reasonably necessary, considering the complexity and number of the individual’s
484	484	455requests, so long as the covered entity informs the individual of any such extension within the
485	485	456initial 45-day response period, together with the reason for the extension.
486	486	457 (e)A covered entity:
487	487	458 (1)shall provide an individual with the opportunity to exercise each of the rights
488	488	459described in subsection (a) and with respect to:
489	489	460 (i)the first two times that an individual exercises any right described in subsection (a) in
490	490	461any 12-month period, shall allow the individual to exercise such right free of charge; and
491	491	462 (ii)any time beyond the initial two times described in subparagraph (i), may allow the
492	492	463individual to exercise such right for a reasonable fee for each request.
493	493	464 (f)A covered entity may not permit an individual to exercise a right described in
494	494	465subsection (a), in whole or in part, if the covered entity:
495	495	466 (1)cannot reasonably verify that the individual making the request to exercise the right is
496	496	467the individual whose covered data is the subject of the request or an agent authorized to make
497	497	468such a request on the individual’s behalf;
498	498	469 (2)reasonably believes that the request is made to interfere with a contract between the
499	499	470covered entity and another individual; 25 of 64
500	500	471 (3)determines that the exercise of the right would require access to or correction of
501	501	472another individual’s sensitive covered data;
502	502	473 (4)reasonably believes that the exercise of the right would require the covered entity to
503	503	474engage in an unfair or deceptive practice under state law; or
504	504	475 (5)reasonably believes that the request is made to further fraud, support criminal activity,
505	505	476or the exercise of the right presents a data security threat.
506	506	477 (g)If a covered entity cannot reasonably verify that a request to exercise a right described
507	507	478in subsection (a) is made by the individual whose covered data is the subject of the request, the
508	508	479covered entity:
509	509	480 (1)may request that the individual making the request to exercise the right provide any
510	510	481additional information necessary for the sole purpose of verifying the identity of the individual;
511	511	482and
512	512	483 (2)may not process or transfer such additional information for any other purpose.
513	513	484 (h)A covered entity may decline, with adequate explanation to the individual, to comply
514	514	485with a request to exercise a right described in subsection (a), in whole or in part, that would:
515	515	486 (1)require the covered entity to retain any covered data collected for a single, one-time
516	516	487transaction, if such covered data is not processed or transferred by the covered entity for any
517	517	488purpose other than completing such transaction;
518	518	489 (2)be demonstrably impracticable or prohibitively costly to comply with, and the covered
519	519	490entity shall provide a description to the requestor detailing the inability to comply with the
520	520	491request; 26 of 64
521	521	492 (3)require the covered entity to attempt to re-identify any de-identified data;
522	522	493 (4)require the covered entity to either maintain covered data in an identifiable form or to
523	523	494collect, retain, or access any data in order to be capable of associating a verified individual
524	524	495request with covered data of such individual;
525	525	496 (5)result in the release of trade secrets or other privileged or confidential business
526	526	497information;
527	527	498 (6)require the covered entity to correct any covered data that cannot be reasonably
528	528	499verified as being inaccurate or incomplete;
529	529	500 (7)interfere with law enforcement, judicial proceedings, investigations, or reasonable
530	530	501efforts to guard against, detect, prevent, or investigate fraudulent, malicious, or unlawful activity,
531	531	502or enforce valid contracts;
532	532	503 (8)violate state or federal law or the rights and freedoms of another individual, including
533	533	504under the Constitution of the United States and Massachusetts Declaration of Rights;
534	534	505 (9)prevent a covered entity from being able to maintain a confidential record of deletion
535	535	506requests, maintained solely for the purpose of preventing covered data of an individual from
536	536	507being recollected after the individual submitted a deletion request and requested that the covered
537	537	508entity no longer collect, process, or transfer such data; or
538	538	509 (10)endanger the source of the data if such data could only have been obtained from a
539	539	510single identified source.
540	540	511 (i)A covered entity may decline, with adequate explanation to the individual, to comply
541	541	512with a request for deletion pursuant to paragraph (3) of subsection (a) if such request: 27 of 64
542	542	513 (1)unreasonably interferes with the provision of products or services by the covered
543	543	514entity to another person it currently serves;
544	544	515 (2)requests to delete covered data that relates to (A) a public figure, public official, or
545	545	516limited-purpose public figure; or (B) any other individual that has no reasonable expectation of
546	546	517privacy with respect to such data;
547	547	518 (3)requests to delete covered data reasonably necessary to perform a contract between the
548	548	519covered entity and the individual;
549	549	520 (4)requests to delete covered data that the covered entity needs to retain in order to
550	550	521comply with professional ethical obligations;
551	551	522 (5)requests to delete covered data that the covered entity reasonably believes may be
552	552	523evidence of unlawful activity or an abuse of the covered entity’s products or service; or
553	553	524 (6) is directed to a consumer reporting agency, as defined in 15 U.S.C. 1681a(f) and
554	554	525targets covered data that is used for the purpose of evaluating a consumer’s creditworthiness,
555	555	526credit standing, credit capacity, character, general reputation, personal characteristics or mode of
556	556	527living, subject to and strictly maintained in accordance with, the provisions of the Fair Credit
557	557	528Reporting Act, 15 U.S.C. 1681 et seq.
558	558	529 (j)In a circumstance that would allow a denial pursuant to this section, a covered entity
559	559	530shall partially comply with the remainder of the request if it is possible and not unduly
560	560	531burdensome to do so.
561	561	532 (k)The receipt of a large number of verified requests, on its own, may not be considered
562	562	533to render compliance with a request demonstrably impracticable. 28 of 64
563	563	534 (l)A covered entity shall facilitate the ability of individuals to make requests under
564	564	535subsection (a) in any language in which the covered entity provides a product or service. The
565	565	536mechanisms by which a covered entity enables individuals to make requests under subsection (a)
566	566	537shall be readily accessible and usable by individuals with disabilities. Such mechanisms shall, at
567	567	538a minimum, be accessible in the same or a similar location as the privacy policies required by
568	568	539section 9 of this chapter.
569	569	540 Section 5. Consent Practices
570	570	541 (a)The requirements of this chapter with respect to a request for consent from a covered
571	571	542entity or service provider to an individual are the following:
572	572	543 (1)The request for consent shall be provided to the individual in a clear and conspicuous
573	573	544standalone disclosure made through the primary medium used to offer the covered entity’s
574	574	545product or service, or, in the case that the product or service is not offered in a medium that does
575	575	546permits the making of the request under this paragraph, another medium regularly used in
576	576	547conjunction with the covered entity’s product or service;
577	577	548 (2)The request includes a description of the processing purpose for which the individual’s
578	578	549consent is sought by:
579	579	550 (i)clearly stating the specific categories of covered data that the covered entity shall
580	580	551collect, process, and transfer necessary to effectuate the processing purpose; and
581	581	552 (ii)including a prominent heading and is reasonably understandable so that an individual
582	582	553can identify and understand the processing purpose for which consent is sought and the covered
583	583	554data to be collected, processed, or transferred by the covered entity for such processing purpose; 29 of 64
584	584	555 (3)The request clearly explains the individual’s applicable rights related to consent;
585	585	556 (4)The request is made in a manner reasonably accessible to and usable by individuals
586	586	557with disabilities;
587	587	558 (5)The request is made available to the individual in each covered language in which the
588	588	559covered entity provides a product or service for which authorization is sought;
589	589	560 (6)The option to refuse consent shall be at least as prominent as the option to accept, and
590	590	561the option to refuse consent shall take the same number of steps or fewer as the option to accept;
591	591	562 (7)Processing or transferring any covered data collected pursuant to consent for a
592	592	563different processing purpose than that for which consent was obtained shall require consent for
593	593	564the subsequent processing purpose;
594	594	565 (8)The request for consent must be displayed at or before the point of collection; and
595	595	566 (9) The request must be accompanied by a copy of the covered entity’s or service
596	596	567provider’s privacy policy subject to the requirements of section 9, which may be included with
597	597	568the request as a hyperlink, and, if the covered entity is a large data holder, shall also include the
598	598	569short form privacy policy as required by subsection (h) of section 9.
599	599	570 (b)A covered entity shall not infer that an individual has provided consent to a practice
600	600	571from the inaction of the individual or the individual’s continued use of a service or product
601	601	572provided by the covered entity.
602	602	573 (c)A covered entity shall not obtain or attempt to obtain the consent of an individual
603	603	574through: 30 of 64
604	604	575 (1) the use of any false, fictitious, fraudulent, or materially misleading statement or
605	605	576representation;
606	606	577 (2) the use of any dark pattern or deceptive design; or
607	607	578 (3) conditioning or limiting access to an individual’s account.
608	608	579 Section 6. Privacy by Design
609	609	580 (a)A covered entity or service provider shall establish, implement, and maintain
610	610	581reasonable policies, practices, and procedures that reflect the role of the covered entity or service
611	611	582provider in the collection, processing, and transferring of covered data and that:
612	612	583 (1)consider applicable federal and state laws, rules, or regulations related to covered data
613	613	584the covered entity or service provider collects, processes, or transfers;
614	614	585 (2)identify, assess, and mitigate privacy risks related to minors;
615	615	586 (3)mitigate privacy risks related to the products and services of the covered entity or the
616	616	587service provider, including in the design, development, and implementation of such products and
617	617	588services, considering the role of the covered entity or service provider and the information
618	618	589available to it;
619	619	590 (4)evaluate the length of time that covered data shall be retained and circumstances under
620	620	591which covered data shall be deleted, de-identified, or otherwise modified with respect to the
621	621	592purposes for which it was collected or processed and the sensitivity of the covered data; and
622	622	593 (5)implement reasonable training and safeguards within the covered entity and service
623	623	594provider to promote compliance with all privacy laws applicable to covered data the covered 31 of 64
624	624	595entity collects, processes, or transfers or covered data the service provider collects, processes, or
625	625	596transfers on behalf of the covered entity and mitigate privacy risks taking into account the role of
626	626	597the covered entity or service provider and the information available to it.
627	627	598 (b)The policies, practices, and procedures established by a covered entity or service
628	628	599provider under subsection (a), shall correspond with, as applicable:
629	629	600 (1)the size of the covered entity or the service provider and the nature, scope, and
630	630	601complexity of the activities engaged in by the covered entity or service provider, including
631	631	602whether the covered entity or service provider is a large data holder, nonprofit organization,
632	632	603small business, third party, or data broker, considering the role of the covered entity or service
633	633	604provider and the information available to it;
634	634	605 (2)the sensitivity of the covered data collected, processed, or transferred by the covered
635	635	606entity or service provider;
636	636	607 (3)the volume of covered data collected, processed, or transferred by the covered entity
637	637	608or service provider;
638	638	609 (4)the number of individuals and devices to which the covered data collected, processed,
639	639	610or transferred by the covered entity or service provider relates; and
640	640	611 (5)the cost of implementing such policies, practices, and procedures in relation to the
641	641	612risks and nature of the covered data.
642	642	613 Section 7. Pricing
643	643	614 (a) A covered entity may not retaliate against an individual for: 32 of 64
644	644	615 (1)exercising any of the rights guaranteed by this chapter, or any regulations promulgated
645	645	616under this chapter; or
646	646	617 (2)refusing to agree to collection or processing of covered data for a separate product or
647	647	618service, including denying goods or services, charging different prices or rates for goods or
648	648	619services, or providing a different level of quality of goods or services.
649	649	620 (b) Nothing in subsection (a) shall be construed to:
650	650	621 (1)prohibit the relation of the price of a service or the level of service provided to an
651	651	622individual to the provision, by the individual, of financial information that is necessarily
652	652	623collected and processed only for the purpose of initiating, rendering, billing for, or collecting
653	653	624payment for a service or product requested by the individual;
654	654	625 (2)prohibit a covered entity from offering a different price, rate, level, quality or selection
655	655	626of goods or services to an individual, including offering goods or services for no fee, if the
656	656	627offering is in connection with an individual’s voluntary participation in a bona fide loyalty,
657	657	628rewards, premium features, discount or club card program, provided, that the covered entity may
658	658	629not sell covered data to a third-party as part of such a program unless:
659	659	630 (i)the sale is reasonably necessary to enable the third party to provide a benefit to which
660	660	631the consumer is entitled;
661	661	632 (ii)the sale of personal data to third parties is clearly disclosed in the terms of the
662	662	633program; and 33 of 64
663	663	634 (iii)the third party uses the personal data only for purposes of facilitating such a benefit to
664	664	635which the consumer is entitled and does not retain or otherwise use or disclose the personal data
665	665	636for any other purpose;
666	666	637 (3)require a covered entity to provide a bona fide loyalty program that would require the
667	667	638covered entity to collect, process, or transfer covered data that the covered entity otherwise
668	668	639would not collect, process, or transfer;
669	669	640 (4)prohibit a covered entity from offering a financial incentive or other consideration to
670	670	641an individual for participation in market research;
671	671	642 (5)prohibit a covered entity from offering different types of pricing or functionalities with
672	672	643respect to a product or service based on an individual’s exercise of a right to delete; or
673	673	644 (6)prohibit a covered entity from declining to provide a product or service insofar as the
674	674	645collection and processing of covered data is strictly necessary for such product or service.
675	675	646 (c) Notwithstanding the provisions in this section, no covered entity may offer different
676	676	647types of pricing that are unjust, unreasonable, coercive, or usurious in nature.
677	677	648 Section 8. Civil Rights Protections
678	678	649 (a) A covered entity or a service provider may not collect, process, or transfer covered
679	679	650data or publicly available data in a manner that discriminates in or otherwise makes unavailable
680	680	651the equal enjoyment of goods or services (i.e., has a disparate impact) on the basis of race, color,
681	681	652religion, national origin, sex, sexual orientation, gender identity, disability, genetic information,
682	682	653pregnancy or a condition related to said pregnancy including, but not limited to, lactation or the 34 of 64
683	683	654need to express breast milk for a nursing child, ancestry or status as a veteran, or any other basis
684	684	655protected by chapter 151B.
685	685	656 (b) This subsection shall not apply to:
686	686	657 (1) the collection, processing, or transfer of covered data for the purpose of:
687	687	658 (i) covered entity’s or a service provider’s self-testing to prevent or mitigate unlawful
688	688	659discrimination; or
689	689	660 (ii) diversifying an applicant, participant, or customer pool; or
690	690	661 (2) any private club or group not open to the public, as described in section 201(e) of the
691	691	662Civil Rights Act of 1964, 42 U.S.C. section 2000a(e).
692	692	663 (c) Whenever the Attorney General obtains information that a covered entity or service
693	693	664provider may have collected, processed, or transferred covered data in violation of subsection
694	694	665(a), the Attorney General shall initiate enforcement actions relating to such violation in
695	695	666accordance with section 12 of this chapter.
696	696	667 (1) Not later than 3 years after the date of enactment of this chapter, and annually no
697	697	668later than December 31 of each year thereafter, the Attorney General shall submit to the joint
698	698	669committee on ways and means, the joint committee on racial equity, civil rights, and inclusion,
699	699	670and the joint committee on advanced information technology, the internet and cybersecurity a
700	700	671report that includes a summary of the enforcement actions taken under this subsection.
701	701	672 Section 9. Privacy Policy 35 of 64
702	702	673 (a)Each covered entity or service provider shall make publicly available, in a clear and
703	703	674conspicuous location on its homepage, a reasonably understandable and not misleading privacy
704	704	675policy that provides a detailed and accurate representation of the data collection, processing, and
705	705	676transfer activities of the covered entity or service provider.
706	706	677 (b)The privacy policy must be provided in a manner that is reasonably accessible to and
707	707	678usable by individuals with disabilities. The policy shall be made available to the public in each
708	708	679covered language in which the covered entity or service provider provides a product or service
709	709	680that is subject to the privacy policy; or carries out activities related to such product or service.
710	710	681 (c)The privacy policy must include, at a minimum:
711	711	682 (1)The identity and the contact information of:
712	712	683 (i)the covered entity or service provider to which the privacy policy applies, including the
713	713	684covered entity’s or service provider’s points of contact and generic electronic mail addresses, as
714	714	685applicable for privacy and data security inquiries;
715	715	686 (ii)any other entity within the same corporate structure as the covered entity or service
716	716	687provider to which covered data is transferred by the covered entity;
717	717	688 (2)the categories of covered data the covered entity or service provider collects or
718	718	689processes;
719	719	690 (3)the processing purposes for each category of covered data the covered entity or service
720	720	691provider collects or processes;
721	721	692 (4)whether the covered entity or service provider transfers covered data and, if so, each
722	722	693category of service provider and third party to which the covered entity or service provider 36 of 64
723	723	694transfers covered data, the name of each data broker to which the covered entity or service
724	724	695provider transfers covered data, and the purposes for which such data is transferred to such
725	725	696categories of service providers and third parties or third-party collecting entities, except for a
726	726	697transfer to a governmental entity pursuant to a court order or law that prohibits the covered entity
727	727	698or service provider from disclosing such transfer;
728	728	699 (5)The length of time the covered entity or service provider intends to retain each
729	729	700category of covered data, including sensitive covered data, or, if it is not possible to identify that
730	730	701timeframe, the criteria used to determine the length of time the covered entity or service provider
731	731	702intends to retain categories of covered data;
732	732	703 (6)A prominent, clear, and reasonably understandable description of how an individual
733	733	704can exercise the rights described in this chapter;
734	734	705 (7)A general description of the covered entity’s or service provider’s data security
735	735	706practices; and
736	736	707 (8)The effective date of the privacy policy.
737	737	708 (d)If a covered entity or service provider makes a material change to its privacy policy or
738	738	709practices, the covered entity or service provider shall notify each individual affected by such
739	739	710material change before implementing the material change with respect to any prospectively
740	740	711collected covered data and, except as provided in paragraphs (1) through (13) of section 2,
741	741	712subsection (a), provide a reasonable opportunity for each individual to withdraw consent to any
742	742	713further materially different collection, processing, or transfer of previously collected covered
743	743	714data under the changed policy. 37 of 64
744	744	715 (e)A covered entity or service provider shall take all reasonable electronic measures to
745	745	716provide direct notification regarding material changes to the privacy policy to each affected
746	746	717individual, in each covered language in which the privacy policy is made available, and taking
747	747	718into account available technology and the nature of the relationship.
748	748	719 (f)Nothing in this section shall be construed to affect the requirements for covered
749	749	720entities or service providers under other sections of this chapter.
750	750	721 (g)Each large data holder shall retain copies of previous versions of its privacy policy for
751	751	722at least 10 years beginning after the date of enactment of this chapter and publish them on its
752	752	723website. Such large data holder shall make publicly available, in a clear, conspicuous, and
753	753	724readily accessible manner, a log describing the date and nature of each material change to its
754	754	725privacy policy over the past 10 years. The descriptions shall be sufficient for a reasonable
755	755	726individual to understand the material effect of each material change. The obligations in this
756	756	727paragraph shall not apply to any previous versions of a large data holder’s privacy policy, or any
757	757	728material changes to such policy, that precede the date of enactment of this Act.
758	758	729 (h)In addition to the privacy policy required under subsection (a), a large data holder that
759	759	730is a covered entity shall provide a short form notice of no more than 500 words in length that
760	760	731includes the main features of their data practices.
761	761	732 (i)Each covered entity or service provider that collects, processes, or transfers biometric
762	762	733data shall provide a separate privacy policy detailing the collection, processing, and transfer of
763	763	734such biometric data, subject to the provisions of subsections (a) through (h) of this section.
764	764	735 (j)Each covered entity or service provider that collects, processes, or transfers specific
765	765	736precise geolocation information shall provide a separate privacy policy detailing the collection, 38 of 64
766	766	737processing, and transfer of such precise geolocation information, subject to the provisions of
767	767	738subsections (a) through (h) of this section.
768	768	739 Section 10. Advanced Data Rights
769	769	740 (a)A covered entity or service provider shall provide an individual with a clear and
770	770	741conspicuous, easy-to-execute means to withdraw consent. Those means shall be at least as easy
771	771	742to execute by an individual as the means to provide consent and shall, at a minimum, be
772	772	743accessible in the same or a substantially similar location as the privacy policies required by
773	773	744section 9.
774	774	745 (b)Right to opt out of covered data transfers. A covered entity:
775	775	746 (1)may not transfer or direct the transfer of the covered data of an individual to a
776	776	747third party if the individual or an agent authorized to make such a request on the individual’s
777	777	748behalf objects to the transfer; and
778	778	749 (2)shall allow an individual to object to such a transfer through an opt out
779	779	750mechanism, at a minimum, accessible in the same or a substantially similar location as the
780	780	751privacy policies required by section 9.
781	781	752 (c)Right to opt out of targeted advertising. A covered entity or service provider that
782	782	753directly delivers a targeted advertisement shall:
783	783	754 (1)prior to engaging in targeted advertising to an individual or device and at all
784	784	755times, thereafter, provide such individual with a clear and conspicuous means to opt out of
785	785	756targeted advertising; 39 of 64
786	786	757 (2)abide by any opt out designation by an individual or an agent authorized to make
787	787	758such a request on the individual’s behalf with respect to targeted advertising and notify the
788	788	759covered entity that directed the service provider to deliver the targeted advertisement of the opt
789	789	760out decision; and
790	790	761 (3)allow an individual to make an opt out designation with respect to targeted
791	791	762advertising through an opt out mechanism, at a minimum, accessible in the same or a
792	792	763substantially similar location as the privacy policies required by section 9.
793	793	764 (d)Right to opt out of profiling. A covered entity or service provider that engages in
794	794	765profiling in furtherance of automated decisions that produce legal or similarly significant effects
795	795	766on an individual shall:
796	796	767 (1)provide such individual with a clear and conspicuous means to opt out of such
797	797	768profiling; and
798	798	769 (2)allow an individual to object to such profiling through an opt out mechanism, at a
799	799	770minimum, accessible in the same or a substantially similar location as the privacy policies
800	800	771required by section 9.
801	801	772 (e)A covered entity or service provider that receives an opt out notification pursuant
802	802	773to this section shall abide by such opt out designations in a commercially reasonable timeframe.
803	803	774Such covered entity or service provider shall notify any other person that directed the covered
804	804	775entity or service provider to either serve, deliver, or otherwise process targeted advertisements or
805	805	776to engage in profiling in furtherance of automated decisions of the individual's opt out decision
806	806	777within a commercially reasonable timeframe. 40 of 64
807	807	778 (f)A covered entity or service provider may not condition, effectively condition,
808	808	779attempt to condition, or attempt to effectively condition the exercise of any individual right under
809	809	780this section through:
810	810	781 (1)the use of any false, fictitious, fraudulent, or materially misleading statement or
811	811	782representation; or
812	812	783 (2)the use of a dark pattern or deceptive design.
813	813	784 (g)A covered entity shall notify third parties who had access to an individual’s
814	814	785covered data when the individual exercises any of the rights established in this section. The third
815	815	786party shall comply with the request to opt out of sale or data transfer forwarded to them from a
816	816	787covered entity that provided, made available, or authorized the collection of the individual’s
817	817	788covered data. The third party shall comply with the request in the same way a covered entity is
818	818	789required to comply with the request. The third party shall no longer retain, use, or disclose the
819	819	790personal information unless the third party becomes a service provider or a covered entity in the
820	820	791terms of this chapter.
821	821	792 (h)A covered entity that communicates an individual’s opt out request to a third
822	822	793party or service provider pursuant to this section shall not be liable under this chapter if the third
823	823	794party or service provider receiving the opt-out request violates the restrictions set forth in this
824	824	795chapter; provided, however, that at the time of communicating the opt-out request, the covered
825	825	796entity does not know or should not reasonably know that the third party or service provider
826	826	797intends to commit such a violation.
827	827	798 (i)If an individual decides to opt out of the processing of the individual’s covered
828	828	799data for the purposes specified in subsections (b), (c), or (d) and such decision conflicts with the 41 of 64
829	829	800individual’s existing, voluntary participation in a covered entity’s bona fide loyalty, rewards,
830	830	801premium features, discounts or club card program, the covered entity shall comply with the
831	831	802individual’s opt out preference signal but may notify the individual of the conflict and provide
832	832	803the individual with the choice to opt back into such processing for participation in such a
833	833	804program; provided, however, that the controller shall not use dark patterns or deceptive design to
834	834	805coerce the individual to opt back into such processing related to that individual’s participation in
835	835	806such program.
836	836	807 (j)A covered entity or service provider shall not require an individual to create an
837	837	808account for the purposes of exercising any right under this chapter.
838	838	809 Section 11. Service Providers
839	839	810 (a)A service provider:
840	840	811 (1)shall adhere to the instructions of a covered entity and only collect, process, and
841	841	812transfer service provider data to the extent necessary and proportionate to provide a service
842	842	813requested by the covered entity, as set out in the contract required by subsection (b), and this
843	843	814paragraph does not require a service provider to collect, process, or transfer covered data if the
844	844	815service provider would not otherwise do so;
845	845	816 (2)may not collect, process, or transfer service provider data if the service provider has
846	846	817actual knowledge that a covered entity violated this chapter with respect to such data;
847	847	818 (3)shall assist a covered entity in responding to a request made by an individual under
848	848	819this chapter, by either: 42 of 64
849	849	820 (i)providing appropriate technical and organizational measures, considering the nature of
850	850	821the processing and the information reasonably available to the service provider, for the covered
851	851	822entity to comply with such request for service provider data; or
852	852	823 (ii)fulfilling a request by a covered entity to execute an individual rights request that the
853	853	824covered entity has determined should be complied with, by either:
854	854	825 (A)complying with the request pursuant to the covered entity’s instructions; or
855	855	826 (B)providing written verification to the covered entity that it does not hold covered data
856	856	827related to the request, that complying with the request would be inconsistent with its legal
857	857	828obligations, or that the request falls within an exception under this chapter;
858	858	829 (4)may engage another service provider for purposes of processing service provider data
859	859	830on behalf of a covered entity only after providing that covered entity with notice and pursuant to
860	860	831a written contract that requires such other service provider to satisfy the obligations of the
861	861	832service provider with respect to such service provider data, including that the other service
862	862	833provider be treated as a service provider under this chapter;
863	863	834 (5)shall, upon the reasonable request of the covered entity, make available to the covered
864	864	835entity information necessary to demonstrate the compliance of the service provider with the
865	865	836requirements of this chapter, which may include making available a report of an independent
866	866	837assessment arranged by the service provider on terms agreed to by the service provider and the
867	867	838covered entity or providing information necessary to enable the covered entity to conduct and
868	868	839document a privacy impact assessment; 43 of 64
869	869	840 (6)shall, at the covered entity’s direction, delete or return all covered data to the covered
870	870	841entity as requested at the end of the provision of services, unless retention of the covered data is
871	871	842required by law;
872	872	843 (7)shall develop, implement, and maintain reasonable administrative, technical, and
873	873	844physical safeguards that are designed to protect the security and confidentiality of covered data
874	874	845the service provider processes consistent with chapter 93H of the general laws; and
875	875	846 (8)shall allow and cooperate with reasonable assessments by the covered entity or the
876	876	847covered entity’s designated assessor. Alternatively, the service provider may arrange for a
877	877	848qualified and independent assessor to conduct an assessment of the service provider’s policies
878	878	849and technical and organizational measures in support of the obligations under this chapter using
879	879	850an appropriate and accepted control standard or framework and assessment procedure for such
880	880	851assessments. The service provider shall provide a report of such assessment to the covered entity
881	881	852upon request.
882	882	853 (b)A person or entity may only act as a service provider pursuant to a written contract
883	883	854between the covered entity and the service provider, or a written contract between one service
884	884	855provider and a second service provider as described under paragraph (4) of subsection (a), if the
885	885	856contract:
886	886	857 (1)sets forth the data processing procedures of the service provider with respect to
887	887	858collection, processing, or transfer performed on behalf of the covered entity or service provider;
888	888	859 (2)clearly sets forth:
889	889	860 (i)instructions for collecting, processing, or transferring data; 44 of 64
890	890	861 (ii)the nature and purpose of collecting, processing, or transferring;
891	891	862 (iii)the type of data subject to collecting, processing, or transferring;
892	892	863 (iv)the duration of processing; and
893	893	864 (v)the rights and obligations of both parties, including a method by which the service
894	894	865provider shall notify the covered entity of material changes to its privacy practices;
895	895	866 (3)does not relieve a covered entity or a service provider of any requirement or liability
896	896	867imposed on such covered entity or service provider under this chapter; and
897	897	868 (4)prohibits:
898	898	869 (i)collecting, processing, or transferring covered data in contravention to subsection (a);
899	899	870and
900	900	871 (ii)combining service provider data with covered data which the service provider receives
901	901	872from or on behalf of another person or persons or collects from the interaction of the service
902	902	873provider with an individual, provided that such combining is not necessary to effectuate a
903	903	874purpose described in paragraphs (1) through (13) of section 2(a) and is otherwise permitted under
904	904	875the contract required by this subsection.
905	905	876 (c)Each service provider shall retain copies of previous contracts entered into in
906	906	877compliance with this subsection with each covered entity to which it provides requested products
907	907	878or services. 45 of 64
908	908	879 (d)The classification of a person or entity as a covered entity or as a service provider and
909	909	880the relationship between covered entities and service providers are regulated by the following
910	910	881provisions:
911	911	882 (1)Determining whether a person is acting as a covered entity or service provider with
912	912	883respect to a specific processing of covered data is a fact-based determination that depends upon
913	913	884the context in which such data is processed.
914	914	885 (2)A person or entity that is not limited in its processing of covered data pursuant to the
915	915	886instructions of a covered entity, or that fails to adhere to such instructions, is a covered entity and
916	916	887not a service provider with respect to a specific processing of covered data. A service provider
917	917	888that continues to adhere to the instructions of a covered entity with respect to a specific
918	918	889processing of covered data remains a service provider. If a service provider begins, alone or
919	919	890jointly with others, determining the purposes and means of the processing of covered data, it is a
920	920	891covered entity and not a service provider with respect to the processing of such data.
921	921	892 (3)A covered entity that transfers covered data to a service provider or a service provider
922	922	893that transfers covered data to a covered entity or another service provider, in compliance with the
923	923	894requirements of this chapter, is not liable for a violation of this chapter by the service provider or
924	924	895covered entity to whom such covered data was transferred, if at the time of transferring such
925	925	896covered data, the covered entity or service provider did not have actual knowledge that the
926	926	897service provider or covered entity would violate this chapter.
927	927	898 (4)A covered entity or service provider that receives covered data in compliance with the
928	928	899requirements of this chapter is not in violation of this chapter as a result of a violation by a
929	929	900covered entity or service provider from which such data was received. 46 of 64
930	930	901 (e)A third party:
931	931	902 (1)shall not process third party data for a processing purpose other than the processing
932	932	903purpose for which
933	933	904 (i)the individual gave consent or to effect a purpose enumerated in paragraph (2), (3), or
934	934	905(5) of subsection (a) of section 2 in the case of sensitive covered data; or
935	935	906 (ii)the covered entity made a disclosure pursuant to their privacy policy and in the case of
936	936	907data that is not sensitive covered data; and
937	937	908 (2)may reasonably rely on representations made by the covered entity that transferred the
938	938	909third-party data if the third party conducts reasonable due diligence on the representations of the
939	939	910covered entity and finds those representations to be credible.
940	940	911 (f)Solely for the purposes of this section, the requirements for service providers to
941	941	912contract with, assist, and follow the instructions of covered entities shall be read to include
942	942	913requirements to contract with, assist, and follow the instructions of a government entity if the
943	943	914service provider is providing a service to a government entity.
944	944	915 Section 12. Enforcement
945	945	916 (a) A violation of this chapter constitutes an injury to that individual and shall be deemed
946	946	917an unfair or deceptive act or practice in the conduct of trade or commerce under chapter 93A,
947	947	918provided that if the court finds for any petitioner, subject to section 9, paragraph (3) of such
948	948	919chapter, recovery under such chapter shall be in the amount of actual damages or $5,000,
949	949	920whichever is higher. 47 of 64
950	950	921 (b) Private right of action. Any individual alleging a violation of this chapter by a covered
951	951	922entity, service provider, or third party that is a large data holder may bring a civil action in the
952	952	923superior court or any court of competent jurisdiction.
953	953	924 (c) An individual protected by this chapter may not be required, as a condition of service
954	954	925or otherwise, to file an administrative complaint with the attorney general or to accept mandatory
955	955	926arbitration of a claim under this chapter.
956	956	927 (d) The civil action shall be directed to the covered entity, service provider, and third-
957	957	928parties alleged to have committed the violation.
958	958	929 (e) In a civil action in which the plaintiff prevails, the court may award:
959	959	930 (1)liquidated damages of not less than 0.15% of the annual global revenue of the covered
960	960	931entity or $15,000 per violation, whichever is greater;
961	961	932 (2)punitive damages; and
962	962	933 (3)any other relief, including but not limited to an injunction, that the court deems to be
963	963	934appropriate.
964	964	935 (f) In addition to any relief awarded pursuant to the previous paragraph, the court shall
965	965	936award reasonable attorney’s fees and costs to any prevailing plaintiff.
966	966	937 (g) The Attorney General may bring an action pursuant to section 4 of chapter 93A
967	967	938against a covered entity, service provider, or third party to remedy violations of this chapter and
968	968	939for other relief, including but not limited to an injunction, that may be appropriate, subject to the
969	969	940following: 48 of 64
970	970	941 (1)If the court finds that the defendant has employed any method, act, or practice
971	971	942which they knew or should have known to be in violation of this chapter, the court may require
972	972	943the defendant to pay to the commonwealth a civil penalty of:
973	973	944 (i) not less than 0.15% of the annual global revenue or $15,000, whichever is greater, per
974	974	945violation; and
975	975	946 (ii) not more than 4% of the annual global revenue of the covered entity, service provider,
976	976	947or third-party or $20,000,000, whichever is greater, per action if such action includes multiple
977	977	948violations to multiple individuals;
978	978	949 (2)If the court finds that a defendant has engaged in flagrant, willful and repeat
979	979	950violations of this chapter, the court may issue an order to suspend or prohibit a covered entity,
980	980	951service provider, or third party from operating in the commonwealth or collecting, processing,
981	981	952and transferring covered data and any other relief, including but not limited to an injunction, that
982	982	953the court deems to be appropriate.
983	983	954 (3)In addition to any penalty or relief awarded under this subsection, a defendant
984	984	955violating this chapter shall also be liable to the commonwealth for the reasonable costs of
985	985	956investigation and litigation of such violation, including reasonable attorneys’ fees and reasonable
986	986	957expert fees.
987	987	958 (h) When calculating awards and civil penalties in all the actions in this section, the court
988	988	959shall consider:
989	989	960 (1)the number of affected individuals;
990	990	961 (2)the severity of the violation or noncompliance; 49 of 64
991	991	962 (3)the risks caused by the violation or noncompliance;
992	992	963 (4)whether the violation or noncompliance was part of a pattern of noncompliance
993	993	964and violations and not an isolated instance;
994	994	965 (5)whether the violation or noncompliance was willful and not the result of error;
995	995	966 (6)the precautions taken by the defendant to prevent a violation;
996	996	967 (7)the number of administrative actions, lawsuits, settlements, and consent-decrees
997	997	968under this chapter involving the defendant;
998	998	969 (8)the number of administrative actions, lawsuits, settlements, and consent-decrees
999	999	970involving the defendant in other states and at the federal level in issues involving information
1000	1000	971privacy; and
1001	1001	972 (9)the international record of the defendant when it comes to information privacy
1002	1002	973issues.
1003	1003	974 (i) It is a violation of this chapter for a covered entity or anyone else acting on behalf of a
1004	1004	975covered entity to retaliate against an individual who makes a good-faith complaint that there has
1005	1005	976been a failure to comply with any part of this chapter.
1006	1006	977 (1)An injured individual by a violation of the previous paragraph may bring a civil
1007	1007	978action for monetary damages and injunctive relief in any court of competent jurisdiction.
1008	1008	979 (j) Any provision of a contract or agreement of any kind, including a covered entity’s
1009	1009	980terms of service or a privacy policy, including the short-form privacy notice required under
1010	1010	981section 9 subsection (h) that purports to waive or limit in any way an individual’s rights under 50 of 64
1011	1011	982this chapter, including but not limited to any right to a remedy or means of enforcement shall be
1012	1012	983deemed contrary to public policy and shall be void and unenforceable.
1013	1013	984 (k) No private or government action brought pursuant to this chapter shall preclude any
1014	1014	985other action under this chapter.
1015	1015	986 Section 13. Information Non-applicability
1016	1016	987 (a)This chapter shall not apply to only the following specific types of information:
1017	1017	988 (1)personal information captured from a patient by a health care provider or health
1018	1018	989care facility or biometric information collected, processed, used, or stored exclusively for
1019	1019	990medical education or research, public health or epidemiological purposes, health care treatment,
1020	1020	991insurance, payment, or operations under the federal Health Insurance Portability and
1021	1021	992Accountability Act of 1996, or to X-ray, roentgen process, computed tomography, MRI, PET
1022	1022	993scan, mammography, or other image or film of the human anatomy used exclusively to diagnose,
1023	1023	994prognose, or treat an illness or other medical condition or to further validate scientific testing or
1024	1024	995screening;
1025	1025	996 (2)nonpublic personal information that is processed by a financial institution subject
1026	1026	997to, and in compliance with, the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., as amended
1027	1027	998from time to time;
1028	1028	999 (3)personal information regulated by the federal Family Educational Rights and
1029	1029	1000Privacy Act, 20 U.S.C. 1232g et seq., as amended from time to time;
1030	1030	1001 (4)individuals sharing their personal contact information such as email addresses
1031	1031	1002with other individuals in the workplace, or other social, political, or similar settings where the 51 of 64
1032	1032	1003purpose of the information is to facilitate communication among such individuals, provided that
1033	1033	1004this chapter shall cover any processing of such contact information beyond interpersonal
1034	1034	1005communication; or
1035	1035	1006 (5)covered entities’ publication of entity-based member or employee contact
1036	1036	1007information where such publication is intended to allow members of the public to contact such
1037	1037	1008member or employee in the ordinary course of the entity’s operations.
1038	1038	1009 (b)For the purpose of this section, the burden of proving that information is exempt
1039	1039	1010from the provisions of this chapter shall be upon the party claiming the exemption.
1040	1040	1011 Section 14. Implementation
1041	1041	1012 (a) The Attorney General shall adopt rules and regulations for the implementation,
1042	1042	1013administration, and enforcement of this chapter and may from time to time amend or repeal said
1043	1043	1014regulations. The rules and regulations shall include but are not limited to:
1044	1044	1015 (1) establishing or adopting baseline technical requirements that determine if a given
1045	1045	1016dataset has been or can be considered sufficiently de-identified;
1046	1046	1017 (2) establishing reasonable policies, practices, and procedures that satisfy the
1047	1047	1018requirements set forward in Section 6;
1048	1048	1019 (3) establishing a nonexclusive list of practices that constitute deceptive designs or dark
1049	1049	1020patterns or otherwise violate the requirements set forward in Section 5; and
1050	1050	1021 (4) further defining when a covered entity is a data broker and additional compliance
1051	1051	1022requirements for data brokers under this chapter. 52 of 64
1052	1052	1023 (b) The Attorney General may:
1053	1053	1024 (1)gather facts and information applicable to the Attorney General’s obligation to enforce
1054	1054	1025this chapter and ensure its compliance, consistent with the provisions of section 4 of chapter
1055	1055	102693A;
1056	1056	1027 (2) conduct investigations for possible violations of this chapter; and
1057	1057	1028 (3) refer cases for civil enforcement or criminal prosecution to the appropriate federal,
1058	1058	1029state, or local authorities.
1059	1059	1030 (c) The Attorney General shall, within one year after the effective date of chapter, create
1060	1060	1031an official internet website that outlines the provisions of this chapter and provides individuals
1061	1061	1032with a form or other mechanism to report violations of this chapter to the Office of the Attorney
1062	1062	1033General. The Attorney General shall update the website at least annually. The website shall
1063	1063	1034include statistics on the Attorney General’s enforcement actions undertaken under this chapter,
1064	1064	1035broken down by fiscal year, including but not limited to:
1065	1065	1036 (1) number of complaints received;
1066	1066	1037 (2) number of open investigations;
1067	1067	1038 (3) number of closed investigations; and
1068	1068	1039 (4) a summary of case dispositions in which a violation of this chapter occurred.
1069	1069	1040 Section 15. Authorized Agents
1070	1070	1041 (a)An individual may designate another person to serve as the individual’s
1071	1071	1042authorized agent to exercise the individual’s rights under section 4, to withdraw consent under 53 of 64
1072	1072	1043section 10, or opt out of the processing of such individual's covered data for one or more of the
1073	1073	1044purposes specified in section 10.
1074	1074	1045 (b)An individual may designate an authorized agent as provided in subsection (a) by
1075	1075	1046technological means, including, but not limited to, an Internet link or a browser setting, browser
1076	1076	1047extension or global device setting that indicates the individual’s intent to opt out processing for
1077	1077	1048one or more of the purposes specified in section 10.
1078	1078	1049 (c)A covered entity or service provider shall comply with a request received from an
1079	1079	1050authorized agent if the covered entity or service provider is able to verify the identity of the
1080	1080	1051individual and the authorized agent's authority to act on such individual’s behalf by the same
1081	1081	1052means and subject to the same restrictions as a covered entity under section 4(g).
1082	1082	1053 (d)In the case of covered data concerning an individual known to be a child as
1083	1083	1054defined by the Children’s Online Privacy Protection Act, 15 U.S.C. 6501, the parent or legal
1084	1084	1055guardian of such child may exercise the rights provided under this chapter on the child's behalf.
1085	1085	1056 (e)In the case of covered data concerning an individual subject to a guardianship,
1086	1086	1057conservatorship or other protective arrangement, the guardian or the conservator of the
1087	1087	1058individual may exercise the rights provided under this chapter on the individual's behalf.
1088	1088	1059 Section 16. Advertising to Minors
1089	1089	1060 (a)A covered entity or service provider may not engage in targeted advertising to any
1090	1090	1061individual if the covered entity has knowledge that the individual is a minor.
1091	1091	1062 Section 17. Data Brokers 54 of 64
1092	1092	1063 (a)Each data broker shall place a clear, conspicuous, not misleading, and readily
1093	1093	1064accessible notice on the website or mobile application of the data broker (if the data broker
1094	1094	1065maintains such a website or mobile application) that:
1095	1095	1066 (1)notifies individuals that the entity is a data broker;
1096	1096	1067 (2)includes a link to the data broker registry website; and
1097	1097	1068 (3)is reasonably accessible to and usable by individuals with disabilities.
1098	1098	1069 (b)Data broker registration. Not later than January 31 of each calendar year that follows a
1099	1099	1070calendar year during which a covered entity acted as a data broker, data brokers shall register
1100	1100	1071with the OCABR in accordance with this subsection.
1101	1101	1072 (1)In registering with the OCABR, a data broker shall do the following:
1102	1102	1073 (i)Pay to the OCABR a registration fee of $100;
1103	1103	1074 (ii)Provide the OCABR with the following information:
1104	1104	1075 (A)The legal name and primary physical, email, and internet addresses of the data broker;
1105	1105	1076 (B)A description of the categories of covered data the data broker processes and
1106	1106	1077transfers;
1107	1107	1078 (C) The contact information of the data broker, including a contact person, a telephone
1108	1108	1079number, an e-mail address, a website, and a physical mailing address; and
1109	1109	1080 (D) A link to a website through which an individual may easily exercise the rights
1110	1110	1081provided under this subsection. 55 of 64
1111	1111	1082 (c)The OCABR shall establish and maintain on a website a searchable, publicly available,
1112	1112	1083central registry of third-party collecting entities that are registered with the OCABR under this
1113	1113	1084subsection that includes a listing of all registered data brokers and a search feature that allows
1114	1114	1085members of the public to identify individual data brokers and access to the registration
1115	1115	1086information provided under subsection (b).
1116	1116	1087 (d)Penalties. A data broker that fails to register or provide the notice as required under
1117	1117	1088this section shall be subject to enforcement proceedings under section 12.
1118	1118	1089 Section 18. Severability and Relationship to Other Laws
1119	1119	1090 (a)Should any provision of this chapter or part hereof be held under any
1120	1120	1091circumstances in any court of competent jurisdiction to be invalid or unenforceable, such
1121	1121	1092invalidity or unenforceability shall not affect the validity or enforceability of any other provision
1122	1122	1093of this or other parts of this chapter.
1123	1123	1094 (b)Nothing in this chapter shall diminish any individual’s rights or obligations under
1124	1124	1095chapters 66A, 93A, 93H, or under sections 1B or 3B of chapter 214.
1125	1125	1096 SECTION 2. The General Laws, as appearing in the 2022 Official Edition, are hereby
1126	1126	1097further amended by inserting after chapter 93M the following chapter:
1127	1127	1098 Chapter 93N. Privacy Protections for Location Information Derived from Electronic
1128	1128	1099Devices
1129	1129	1100 Section 1. Definitions
1130	1130	1101 (a)As used in this chapter, the following words shall, unless the context clearly
1131	1131	1102requires otherwise, have the following meanings: 56 of 64
1132	1132	1103 (1)“Application”, a software program that runs on the operating system of a device.
1133	1133	1104 (2)“Collect”, to obtain, infer, generate, create, receive, or access an individual’s
1134	1134	1105location information.
1135	1135	1106 (3)“Consent”, freely given, specific, informed, unambiguous, opt-in consent. This
1136	1136	1107term does not include either of the following: (i) agreement secured without first providing to the
1137	1137	1108individual a clear and conspicuous disclosure of all information material to the provision of
1138	1138	1109consent, apart from any privacy policy, terms of service, terms of use, general release, user
1139	1139	1110agreement, or other similar document; or (ii) agreement obtained through the use of a user
1140	1140	1111interface designed or manipulated with the substantial effect of subverting or impairing user
1141	1141	1112autonomy, decision making, or choice.
1142	1142	1113 (4)“Covered entity”, any individual, partnership, corporation, limited liability
1143	1143	1114company, association, or other group, however organized. A covered entity does not include a
1144	1144	1115state or local government agency, or any court of Massachusetts, a clerk of the court, or a judge
1145	1145	1116or justice thereof. A covered entity does not include an individual acting in a non-commercial
1146	1146	1117context. A covered entity includes all agents of the entity.
1147	1147	1118 (5)“Device”, a mobile telephone, as defined in section 1 of chapter 90 of the general
1148	1148	1119laws, or any other electronic device that is or may commonly be carried by or on an individual
1149	1149	1120and is capable of connecting to a cellular, bluetooth, or other wireless network.
1150	1150	1121 (6) “Disclose”, to make location information available to a third party, including but
1151	1151	1122not limited to by sharing, publishing, releasing, transferring, disseminating, providing access to,
1152	1152	1123or otherwise communicating such location information orally, in writing, electronically, or by
1153	1153	1124any other means. 57 of 64
1154	1154	1125 (7)“Individual”, a person located in the Commonwealth of Massachusetts.
1155	1155	1126 (8)“Location information”, information derived from a device or from interactions
1156	1156	1127between devices, with or without the knowledge of the user and regardless of the technological
1157	1157	1128method used, that pertains to or directly or indirectly reveals the present or past geographical
1158	1158	1129location of an individual or device within the Commonwealth of Massachusetts with sufficient
1159	1159	1130precision to identify street-level location information within a range of 1,850 feet or less.
1160	1160	1131Location information includes but is not limited to (i) an internet protocol address capable of
1161	1161	1132revealing the physical or geographical location of an individual; (ii) Global Positioning System
1162	1162	1133(GPS) coordinates; and (iii) cell-site location information. This term does not include location
1163	1163	1134information identifiable or derived solely from the visual content of a legally obtained image,
1164	1164	1135including the location of the device that captured such image, or publicly posted words.
1165	1165	1136 (9)“Location Privacy Policy”, a description of the policies, practices, and procedures
1166	1166	1137controlling a covered entity’s collection, processing, management, storage, retention, and
1167	1167	1138deletion of location information.
1168	1168	1139 (10)“Monetize”, to collect, process, or disclose an individual’s location information
1169	1169	1140for profit or in exchange for monetary or other consideration. This term includes but is not
1170	1170	1141limited to selling, renting, trading, or leasing location information.
1171	1171	1142 (11)“Person”, any natural person.
1172	1172	1143 (12)“Permissible purpose”, one of the following purposes: (i) provision of a product,
1173	1173	1144service, or service feature to the individual to whom the location information pertains when that
1174	1174	1145individual requested the provision of such product, service, or service feature by subscribing to,
1175	1175	1146creating an account, or otherwise contracting with a covered entity; (ii) initiation, management, 58 of 64
1176	1176	1147execution, or completion of a financial or commercial transaction or fulfill an order for specific
1177	1177	1148products or services requested by an individual, including any associated routine administrative,
1178	1178	1149operational, and account-servicing activity such as billing, shipping, delivery, storage, and
1179	1179	1150accounting; (iii) compliance with an obligation under federal or state law; or (iv) response to an
1180	1180	1151emergency service agency, an emergency alert, a 911 communication, or any other
1181	1181	1152communication reporting an imminent threat to human life.
1182	1182	1153 (13)“Process”, to perform any action or set of actions on or with location information,
1183	1183	1154including but not limited to collecting, accessing, using, storing, retaining, analyzing, creating,
1184	1184	1155generating, aggregating, altering, correlating, operating on, recording, modifying, organizing,
1185	1185	1156structuring, disposing of, destroying, de-identifying, or otherwise manipulating location
1186	1186	1157information. This term does not include disclosing location information.
1187	1187	1158 (14)“Reasonably understandable”, of length and complexity such that an individual
1188	1188	1159with an eighth-grade reading level, as established by the department of elementary and secondary
1189	1189	1160education, can read and comprehend.
1190	1190	1161 (15)“Service feature”, a discrete aspect of a service provided by a covered entity,
1191	1191	1162including but not limited to real-time directions, real-time weather, and identity authentication.
1192	1192	1163 (16)"Service provider”, an individual, partnership, corporation, limited liability
1193	1193	1164company, association, or other group, however organized, that collects, processes, or transfers
1194	1194	1165location information for the sole purpose of, and only to the extent that such service provider is,
1195	1195	1166conducting business activities on behalf of, for the benefit of, at the direction of, and under
1196	1196	1167contractual agreement with a covered entity. 59 of 64
1197	1197	1168 (17)“Third party”, any covered entity or person other than (i) a covered entity that
1198	1198	1169collected or processed location information in accordance with this chapter or its service
1199	1199	1170providers, or (ii) the individual to whom the location information pertains. This term does not
1200	1200	1171include government entities.
1201	1201	1172 Section 2. Protection of location information
1202	1202	1173 (a)It shall be unlawful for a covered entity to collect or process an individual’s
1203	1203	1174location information except for a permissible purpose. Prior to collecting or processing an
1204	1204	1175individual’s location information for one of those permissible purposes, a covered entity shall
1205	1205	1176provide the individual with a copy of the Location Privacy Policy and obtain consent from that
1206	1206	1177individual; provided, however, that this shall not be required when the collection and processing
1207	1207	1178is done in (1) compliance with an obligation under federal or state law or (2) in response to an
1208	1208	1179emergency service agency, an emergency alert, a 911 communication, or any other
1209	1209	1180communication reporting an imminent threat to human life.
1210	1210	1181 (b)If a covered entity collects location information for the provision of multiple
1211	1211	1182permissible purposes, it shall be mentioned in the Location Privacy Policy and individuals shall
1212	1212	1183provide discrete consent for each purpose; provided, however, that this shall not be required for
1213	1213	1184the purpose of collecting and processing location information to comply with an obligation under
1214	1214	1185federal or state law or to respond to an emergency service agency, an emergency alert, a 911
1215	1215	1186communication, or any other communication reporting an imminent threat to human life.
1216	1216	1187 (c) A covered entity that directly delivers targeted advertisements as part of its product or
1217	1217	1188services shall provide individuals with a clear, conspicuous, and simple means to opt out of the 60 of 64
1218	1218	1189processing of their location information for purposes of selecting and delivering targeted
1219	1219	1190advertisements.
1220	1220	1191 (d) Consent provided under this section shall expire (1) after one year, (2) when the initial
1221	1221	1192purpose for processing the information has been satisfied, or (3) when the individual revokes
1222	1222	1193consent, whichever occurs first, provided that consent may be renewed pursuant to the same
1223	1223	1194procedures. Upon expiration of consent, any location information possessed by a covered entity
1224	1224	1195shall be permanently destroyed.
1225	1225	1196 (e) It shall be unlawful for a covered entity or service provider that lawfully collects and
1226	1226	1197processes location information to:
1227	1227	1198 (1)collect more precise location information than necessary to carry out the
1228	1228	1199permissible purpose;
1229	1229	1200 (2)retain location information longer than necessary to carry out the permissible
1230	1230	1201purpose;
1231	1231	1202 (3)sell, rent, trade, or lease location information to third parties; or
1232	1232	1203 (4)derive or infer from location information any data that is not necessary to carry
1233	1233	1204out a permissible purpose.
1234	1234	1205 (5)disclose, cause to disclose, or assist with or facilitate the disclosure of an
1235	1235	1206individual’s location information to third parties, unless such disclosure is (i) necessary to carry
1236	1236	1207out the permissible purpose for which the information was collected, or (ii) requested by the
1237	1237	1208individual to whom the location data pertains. 61 of 64
1238	1238	1209 (f) It shall be unlawful for a covered entity or service providers to disclose location
1239	1239	1210information to any federal, state, or local government agency or official unless (1) the agency or
1240	1240	1211official serves the covered entity or service provider with a valid warrant or establishes the
1241	1241	1212existence of exigent circumstances that make it impracticable to obtain a warrant, (2) disclosure
1242	1242	1213is mandated under federal or state law, including in response to a court order or lawfully issued
1243	1243	1214and properly served subpoena or civil investigative demand under state or federal law, or (3) the
1244	1244	1215data subject requests such disclosure.
1245	1245	1216 (g) A covered entity shall maintain and make available to the data subject a Location
1246	1246	1217Privacy Policy, which shall include, at a minimum, the following:
1247	1247	1218 (1)the permissible purpose for which the covered entity is collecting, processing, or
1248	1248	1219disclosing any location information;
1249	1249	1220 (2)the type of location information collected, including the precision of the data;
1250	1250	1221 (3)the identities of service providers with which the covered entity contracts with
1251	1251	1222respect to location data;
1252	1252	1223 (4)any disclosures of location data necessary to carry out a permissible purpose and
1253	1253	1224the identities of the third parties to whom the location information could be disclosed;
1254	1254	1225 (5)whether the covered entity’s practices include the internal use of location
1255	1255	1226information for purposes of targeted advertisement;
1256	1256	1227 (6)the data management and data security policies governing location information;
1257	1257	1228and 62 of 64
1258	1258	1229 (7)the retention schedule and guidelines for permanently deleting location
1259	1259	1230information.
1260	1260	1231 (h) A covered entity in lawful possession of location information shall provide notice to
1261	1261	1232individuals to whom that information pertains of any change to its Location Privacy Policy at
1262	1262	1233least 20 business days before the change goes into effect, and shall request and obtain consent
1263	1263	1234before collecting or processing location information in accordance with the new Location
1264	1264	1235Privacy Policy.
1265	1265	1236 (i) It shall be unlawful for a government entity to monetize location information.
1266	1266	1237 Section 3: Prohibition Against Retaliation
1267	1267	1238 A covered entity shall not take adverse action against an individual because the
1268	1268	1239individual exercised or refused to waive any of such individual’s rights under this chapter, unless
1269	1269	1240location data is essential to the provision of the good, service, or service feature that the
1270	1270	1241individual requests, and then only to the extent that such data is essential. This prohibition
1271	1271	1242includes but is not limited to:
1272	1272	1243 (1)refusing to provide a good or service to the individual;
1273	1273	1244 (2)charging different prices or rates for goods or services, including through the use
1274	1274	1245of discounts or other benefits or imposing penalties; or
1275	1275	1246 (3)providing a different level or quality of goods or services to the individual.
1276	1276	1247 Section 4. Enforcement 63 of 64
1277	1277	1248 (a)A violation of this chapter or a regulation promulgated under this chapter
1278	1278	1249regarding an individual’s location information constitutes an injury to that individual and shall be
1279	1279	1250deemed an unfair or deceptive act or practice in the conduct of trade or commerce under chapter
1280	1280	125193A.
1281	1281	1252 (b)Any individual alleging a violation of this chapter by a covered entity or service
1282	1282	1253provider may bring a civil action in the superior court or any court of competent jurisdiction;
1283	1283	1254provided that, venue in the superior court shall be proper in the county in which the plaintiff
1284	1284	1255resides or was located at the time of any violation.
1285	1285	1256 (c) An individual protected by this chapter shall not be required, as a condition of service
1286	1286	1257or otherwise, to file an administrative complaint with the attorney general or to accept mandatory
1287	1287	1258arbitration of a claim arising under this chapter.
1288	1288	1259 (d) In a civil action in which the plaintiff prevails, the court may award (1) actual
1289	1289	1260damages, including damages for emotional distress, or $5,000 per violation, whichever is greater,
1290	1290	1261(2) punitive damages; and (3) any other relief, including but not limited to an injunction or
1291	1291	1262declaratory judgment, that the court deems to be appropriate. The court shall consider each
1292	1292	1263instance in which a covered entity or service provider collects, processes, or discloses location
1293	1293	1264information in a manner prohibited by this chapter or a regulation promulgated under this chapter
1294	1294	1265as constituting a separate violation of this chapter or regulation promulgated under this chapter.
1295	1295	1266In addition to any relief awarded, the court shall award reasonable attorney’s fees and costs to
1296	1296	1267any prevailing plaintiff. 64 of 64
1297	1297	1268 (e) The attorney general may bring an action pursuant to section 4 of chapter 93A against
1298	1298	1269a covered entity or service provider to remedy violations of this chapter and for other relief that
1299	1299	1270may be appropriate.
1300	1300	1271 (f) Any provision of a contract or agreement of any kind, including a covered entity’s
1301	1301	1272terms of service or policies, including but not limited to the Location Privacy Policy, that
1302	1302	1273purports to waive or limit in any way an individual’s rights under this chapter, including but not
1303	1303	1274limited to any right to a remedy or means of enforcement, shall be deemed contrary to state law
1304	1304	1275and shall be void and unenforceable.
1305	1305	1276 (g) No private or government action brought pursuant to this chapter shall preclude any
1306	1306	1277other action under this chapter.
1307	1307	1278 Section 5. Implementation
1308	1308	1279 The Attorney General may adopt, amend or repeal rules and regulations for the
1309	1309	1280implementation, administration, and enforcement of this chapter.
1310	1310	1281 SECTION 3. Location Information Collected Before Effective Date
1311	1311	1282 Location information collected, processed, and stored prior to the effective date of this
1312	1312	1283Act shall be subject to subsections 2(e)(3), 2(e)(5), and 2(f) of Chapter 93N.
1313	1313	1284 SECTION 4. Effective Date
1314	1314	1285 This Act shall take effect 1 year after enactment.