| 1 | 1 | | 1 of 3 |
|---|
| 2 | 2 | | HOUSE DOCKET, NO. 2965 FILED ON: 1/16/2025 |
|---|
| 3 | 3 | | HOUSE . . . . . . . . . . . . . . . No. 86 |
|---|
| 4 | 4 | | The Commonwealth of Massachusetts |
|---|
| 5 | 5 | | _________________ |
|---|
| 6 | 6 | | PRESENTED BY: |
|---|
| 7 | 7 | | Kate Lipper-Garabedian and David T. Vieira |
|---|
| 8 | 8 | | _________________ |
|---|
| 9 | 9 | | To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General |
|---|
| 10 | 10 | | Court assembled: |
|---|
| 11 | 11 | | The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill: |
|---|
| 12 | 12 | | An Act to protect location privacy. |
|---|
| 13 | 13 | | _______________ |
|---|
| 14 | 14 | | PETITION OF: |
|---|
| 15 | 15 | | NAME:DISTRICT/ADDRESS :DATE ADDED:Kate Lipper-Garabedian32nd Middlesex1/16/2025David T. Vieira3rd Barnstable1/16/2025Mindy Domb3rd Hampshire1/28/2025Lindsay N. Sabadosa1st Hampshire1/28/2025David Paul Linsky5th Middlesex1/28/2025Erika Uyterhoeven27th Middlesex1/28/2025Joanne M. ComerfordHampshire, Franklin and Worcester1/28/2025Carmine Lawrence Gentile13th Middlesex1/28/2025Danillo A. Sena37th Middlesex1/28/2025Joseph W. McGonagle, Jr.28th Middlesex1/28/2025Brian W. Murray10th Worcester1/28/2025John Francis Moran9th Suffolk1/28/2025Natalie M. Blais1st Franklin1/28/2025William F. MacGregor10th Suffolk1/28/2025Aaron L. Saunders7th Hampden1/28/2025Tram T. Nguyen18th Essex1/28/2025Samantha Montaño15th Suffolk1/28/2025Paul McMurtry11th Norfolk1/28/2025 2 of 3 |
|---|
| 16 | 16 | | Natalie M. Higgins4th Worcester1/28/2025Jason M. LewisFifth Middlesex1/28/2025Bradley H. Jones, Jr.20th Middlesex1/28/2025Patrick Joseph Kearney4th Plymouth1/28/2025Sean Garballey23rd Middlesex1/29/2025Simon Cataldo14th Middlesex1/29/2025Thomas M. Stanley9th Middlesex1/29/2025Kimberly N. Ferguson1st Worcester1/29/2025Rebecca L. RauschNorfolk, Worcester and Middlesex1/29/2025Patricia A. Duffy5th Hampden1/29/2025Sean Reid11th Essex1/30/2025Carlos González10th Hampden2/3/2025Hannah Kane11th Worcester2/3/2025Christopher M. Markey9th Bristol2/3/2025Edward R. Philips8th Norfolk2/3/2025Greg Schwartz12th Middlesex2/3/2025Homar Gómez2nd Hampshire2/5/2025Steven Owens29th Middlesex2/5/2025John H. Rogers12th Norfolk2/5/2025Christine P. Barber34th Middlesex2/6/2025Michelle L. Badger1st Plymouth2/6/2025Estela A. Reyes4th Essex2/12/2025Jacob R. OliveiraHampden, Hampshire and Worcester2/12/2025Mike Connolly26th Middlesex2/12/2025James B. EldridgeMiddlesex and Worcester2/12/2025Manny Cruz7th Essex2/12/2025Angelo J. Puppolo, Jr.12th Hampden2/12/2025Susannah M. Whipps2nd Franklin2/12/2025James C. Arena-DeRosa8th Middlesex2/12/2025Jennifer Balinsky Armini8th Essex2/12/2025Joshua Tarsky13th Norfolk2/12/2025Judith A. Garcia11th Suffolk2/21/2025Kristin E. Kassner2nd Essex2/21/2025Marjorie C. Decker25th Middlesex2/21/2025Marcus S. Vaughn9th Norfolk2/21/2025Rob Consalvo14th Suffolk2/21/2025James Arciero2nd Middlesex2/24/2025William C. Galvin6th Norfolk3/11/2025Kevin G. Honan17th Suffolk3/11/2025 3 of 3 |
|---|
| 17 | 17 | | Bruce E. TarrFirst Essex and Middlesex3/11/2025Priscila S. Sousa6th Middlesex3/11/2025Rodney M. Elliott16th Middlesex3/11/2025Paul J. Donato35th Middlesex3/11/2025John J. Marsi6th Worcester3/11/2025James K. Hawkins2nd Bristol3/11/2025Thomas W. MoakleyBarnstable, Dukes and Nantucket3/11/2025Adrian C. Madaro1st Suffolk3/11/2025Daniel M. Donahue16th Worcester3/11/2025Christopher J. Worrell5th Suffolk3/11/2025Antonio F. D. Cabral13th Bristol3/11/2025Adrianne Pusateri Ramos14th Essex3/11/2025Jay D. Livingstone8th Suffolk3/11/2025 1 of 10 |
|---|
| 18 | 18 | | HOUSE DOCKET, NO. 2965 FILED ON: 1/16/2025 |
|---|
| 19 | 19 | | HOUSE . . . . . . . . . . . . . . . No. 86 |
|---|
| 20 | 20 | | By Representatives Lipper-Garabedian of Melrose and Vieira of Falmouth, a petition |
|---|
| 21 | 21 | | (accompanied by bill, House, No. 86) of Kate Lipper-Garabedian, David T. Vieira and others |
|---|
| 22 | 22 | | relative to regulation of location information derived from electronic devices. Advanced |
|---|
| 23 | 23 | | Information Technology, the Internet and Cybersecurity. |
|---|
| 24 | 24 | | The Commonwealth of Massachusetts |
|---|
| 25 | 25 | | _______________ |
|---|
| 26 | 26 | | In the One Hundred and Ninety-Fourth General Court |
|---|
| 27 | 27 | | (2025-2026) |
|---|
| 28 | 28 | | _______________ |
|---|
| 29 | 29 | | An Act to protect location privacy. |
|---|
| 30 | 30 | | Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority |
|---|
| 31 | 31 | | of the same, as follows: |
|---|
| 32 | 32 | | 1 SECTION 1. The General Laws, as appearing in the 2018 Official Edition, are hereby |
|---|
| 33 | 33 | | 2amended by inserting after chapter 93K the following chapter: |
|---|
| 34 | 34 | | 3 CHAPTER 93L. Privacy Protections for Location Information Derived from Electronic |
|---|
| 35 | 35 | | 4Devices |
|---|
| 36 | 36 | | 5 Section 1. Definitions |
|---|
| 37 | 37 | | 6 As used in this chapter, the following words shall, unless the context clearly requires |
|---|
| 38 | 38 | | 7otherwise, have the following meanings:— |
|---|
| 39 | 39 | | 8 “Application”, a software program that runs on the operating system of a device. |
|---|
| 40 | 40 | | 9 “Collect”, to obtain, infer, generate, create, receive, or access an individual’s location |
|---|
| 41 | 41 | | 10information. 2 of 10 |
|---|
| 42 | 42 | | 11 “Consent”, freely given, specific, informed, unambiguous, opt-in consent. This term does |
|---|
| 43 | 43 | | 12not include either of the following: (i) agreement secured without first providing to the individual |
|---|
| 44 | 44 | | 13a clear and conspicuous disclosure of all information material to the provision of consent, apart |
|---|
| 45 | 45 | | 14from any privacy policy, terms of service, terms of use, general release, user agreement, or other |
|---|
| 46 | 46 | | 15similar document; or (ii) agreement obtained through the use of a user interface designed or |
|---|
| 47 | 47 | | 16manipulated with the substantial effect of subverting or impairing user autonomy, decision |
|---|
| 48 | 48 | | 17making, or choice. |
|---|
| 49 | 49 | | 18 “Covered entity”, any individual, partnership, corporation, limited liability company, |
|---|
| 50 | 50 | | 19association, or other group, however organized. A covered entity does not include a state or local |
|---|
| 51 | 51 | | 20government agency, or any court of Massachusetts, a clerk of the court, or a judge or justice |
|---|
| 52 | 52 | | 21thereof. A covered entity does not include an individual acting in a non-commercial context. A |
|---|
| 53 | 53 | | 22covered entity includes all agents of the entity. |
|---|
| 54 | 54 | | 23 “Device”, a mobile telephone, as defined in section 1 of chapter 90 of the general laws, or |
|---|
| 55 | 55 | | 24any other electronic device that is or may commonly be carried by or on an individual and is |
|---|
| 56 | 56 | | 25capable of connecting to a cellular, bluetooth, or other wireless network. |
|---|
| 57 | 57 | | 26 “Disclose”, to make location information available to a third party, including but not |
|---|
| 58 | 58 | | 27limited to by sharing, publishing, releasing, transferring, disseminating, providing access to, or |
|---|
| 59 | 59 | | 28otherwise communicating such location information orally, in writing, electronically, or by any |
|---|
| 60 | 60 | | 29other means. |
|---|
| 61 | 61 | | 30 “Individual”, a person located in the Commonwealth of Massachusetts. |
|---|
| 62 | 62 | | 31 “Location information”, information derived from a device or from interactions between |
|---|
| 63 | 63 | | 32devices, with or without the knowledge of the user and regardless of the technological method 3 of 10 |
|---|
| 64 | 64 | | 33used, that pertains to or directly or indirectly reveals the present or past geographical location of |
|---|
| 65 | 65 | | 34an individual or device within the Commonwealth of Massachusetts with sufficient precision to |
|---|
| 66 | 66 | | 35identify street-level location information within a range of 1,850 feet or less. Location |
|---|
| 67 | 67 | | 36information includes but is not limited to (i) an internet protocol address capable of revealing the |
|---|
| 68 | 68 | | 37physical or geographical location of an individual; (ii) Global Positioning System (GPS) |
|---|
| 69 | 69 | | 38coordinates; and (iii) cell-site location information. This term does not include location |
|---|
| 70 | 70 | | 39information identifiable or derived solely from the visual content of a legally obtained image, |
|---|
| 71 | 71 | | 40including the location of the device that captured such image, or publicly posted words. |
|---|
| 72 | 72 | | 41 “Location Privacy Policy”, a description of the policies, practices, and procedures |
|---|
| 73 | 73 | | 42controlling a covered entity’s collection, processing, management, storage, retention, and |
|---|
| 74 | 74 | | 43deletion of location information. |
|---|
| 75 | 75 | | 44 “Monetize”, to collect, process, or disclose an individual’s location information for profit |
|---|
| 76 | 76 | | 45or in exchange for monetary or other consideration. This term includes but is not limited to |
|---|
| 77 | 77 | | 46selling, renting, trading, or leasing location information. |
|---|
| 78 | 78 | | 47 “Person”, any natural person. |
|---|
| 79 | 79 | | 48 “Permissible purpose”, one of the following purposes: (i) provision of a product, service, |
|---|
| 80 | 80 | | 49or service feature to the individual to whom the location information pertains when that |
|---|
| 81 | 81 | | 50individual requested the provision of such product, service, or service feature by subscribing to, |
|---|
| 82 | 82 | | 51creating an account, or otherwise contracting with a covered entity; (ii) initiation, management, |
|---|
| 83 | 83 | | 52execution, or completion of a financial or commercial transaction or fulfill an order for specific |
|---|
| 84 | 84 | | 53products or services requested by an individual, including any associated routine administrative, |
|---|
| 85 | 85 | | 54operational, and account-servicing activity such as billing, shipping, delivery, storage, and 4 of 10 |
|---|
| 86 | 86 | | 55accounting; (iii) compliance with an obligation under federal or state law; or (iv) Response to an |
|---|
| 87 | 87 | | 56emergency service agency, an emergency alert, a 911 communication, or any other |
|---|
| 88 | 88 | | 57communication reporting an imminent threat to human life. |
|---|
| 89 | 89 | | 58 “Process”, to perform any action or set of actions on or with location information, |
|---|
| 90 | 90 | | 59including but not limited to collecting, accessing, using, storing, retaining, analyzing, creating, |
|---|
| 91 | 91 | | 60generating, aggregating, altering, correlating, operating on, recording, modifying, organizing, |
|---|
| 92 | 92 | | 61structuring, disposing of, destroying, de-identifying, or otherwise manipulating location |
|---|
| 93 | 93 | | 62information. This term does not include disclosing location information. |
|---|
| 94 | 94 | | 63 “Reasonably understandable”, of length and complexity such that an individual with an |
|---|
| 95 | 95 | | 64eighth-grade reading level, as established by the department of elementary and secondary |
|---|
| 96 | 96 | | 65education, can read and comprehend. |
|---|
| 97 | 97 | | 66 “Service feature”, a discrete aspect of a service provided by a covered entity, including |
|---|
| 98 | 98 | | 67but not limited to real-time directions, real-time weather, and identity authentication |
|---|
| 99 | 99 | | 68 "Service provider”, an individual, partnership, corporation, limited liability company, |
|---|
| 100 | 100 | | 69association, or other group, however organized, that collects, processes, or transfers location |
|---|
| 101 | 101 | | 70information for the sole purpose of, and only to the extent that such service provider is, |
|---|
| 102 | 102 | | 71conducting business activities on behalf of, for the benefit of, at the direction of, and under |
|---|
| 103 | 103 | | 72contractual agreement with a covered entity. |
|---|
| 104 | 104 | | 73 “Third party”, any covered entity or person other than (i) a covered entity that collected |
|---|
| 105 | 105 | | 74or processed location information in accordance with this chapter or its service providers, or (ii) |
|---|
| 106 | 106 | | 75the individual to whom the location information pertains. This term does not include government |
|---|
| 107 | 107 | | 76entities. 5 of 10 |
|---|
| 108 | 108 | | 77 Section 2. Protection of location information |
|---|
| 109 | 109 | | 78 (a)It shall be unlawful for a covered entity to collect or process an individual’s |
|---|
| 110 | 110 | | 79location information except for a permissible purpose. Prior to collecting or processing an |
|---|
| 111 | 111 | | 80individual’s location information for one of those permissible purposes, a covered entity shall |
|---|
| 112 | 112 | | 81provide the individual with a copy of the Location Privacy Policy and obtain consent from that |
|---|
| 113 | 113 | | 82individual; provided, however, that this shall not be required when the collection and processing |
|---|
| 114 | 114 | | 83is done in (1) compliance with an obligation under federal or state law or (2) in response to an |
|---|
| 115 | 115 | | 84emergency service agency, an emergency alert, a 911 communication, or any other |
|---|
| 116 | 116 | | 85communication reporting an imminent threat to human life. |
|---|
| 117 | 117 | | 86 (b)If a covered entity collects location information for the provision of multiple |
|---|
| 118 | 118 | | 87permissible purposes, it should be mentioned in the Location Privacy Policy and individuals shall |
|---|
| 119 | 119 | | 88provide discrete consent for each purpose; provided, however, that this shall not be required for |
|---|
| 120 | 120 | | 89the purpose of collecting and processing location information to comply with an obligation under |
|---|
| 121 | 121 | | 90federal or state law or to respond to an emergency service agency, an emergency alert, a 911 |
|---|
| 122 | 122 | | 91communication, or any other communication reporting an imminent threat to human life. |
|---|
| 123 | 123 | | 92 (c)A covered entity that directly delivers targeted advertisements as part of its |
|---|
| 124 | 124 | | 93product or services shall provide individuals with a clear, conspicuous, and simple means to opt |
|---|
| 125 | 125 | | 94out of the processing of their location information for purposes of selecting and delivering |
|---|
| 126 | 126 | | 95targeted advertisements. |
|---|
| 127 | 127 | | 96 (d)Consent provided under this section shall expire (1) after one year, (2) when the |
|---|
| 128 | 128 | | 97initial purpose for processing the information has been satisfied, or (3) when the individual |
|---|
| 129 | 129 | | 98revokes consent, whichever occurs first, provided that consent may be renewed pursuant to the 6 of 10 |
|---|
| 130 | 130 | | 99same procedures. Upon expiration of consent, any location information possessed by a covered |
|---|
| 131 | 131 | | 100entity must be permanently destroyed. |
|---|
| 132 | 132 | | 101 (e)It shall be unlawful for a covered entity or service provider that lawfully collects |
|---|
| 133 | 133 | | 102and processes location information to:— |
|---|
| 134 | 134 | | 103 (1)collect more precise location information than necessary to carry out the |
|---|
| 135 | 135 | | 104permissible purpose; |
|---|
| 136 | 136 | | 105 (2)retain location information longer than necessary to carry out the permissible |
|---|
| 137 | 137 | | 106purpose; |
|---|
| 138 | 138 | | 107 (3)sell, rent, trade, or lease location information to third parties; or |
|---|
| 139 | 139 | | 108 (4)derive or infer from location information any data that is not necessary to carry |
|---|
| 140 | 140 | | 109out a permissible purpose. |
|---|
| 141 | 141 | | 110 (5)disclose, cause to disclose, or assist with or facilitate the disclosure of an |
|---|
| 142 | 142 | | 111individual’s location information to third parties, unless such disclosure is (i) necessary to carry |
|---|
| 143 | 143 | | 112out the permissible purpose for which the information was collected, or (ii) requested by the |
|---|
| 144 | 144 | | 113individual to whom the location data pertains. |
|---|
| 145 | 145 | | 114 (f)It shall be unlawful for a covered entity or service providers to disclose location |
|---|
| 146 | 146 | | 115information to any federal, state, or local government agency or official unless (1) the agency or |
|---|
| 147 | 147 | | 116official serves the covered entity or service provider with a valid warrant or establishes the |
|---|
| 148 | 148 | | 117existence of exigent circumstances that make it impracticable to obtain a warrant, (2) disclosure |
|---|
| 149 | 149 | | 118is mandated under federal or state law, including in response to a court order or lawfully issued 7 of 10 |
|---|
| 150 | 150 | | 119and properly served subpoena or civil investigative demand under state or federal law, or (3) the |
|---|
| 151 | 151 | | 120data subject requests such disclosure. |
|---|
| 152 | 152 | | 121 (g)A covered entity shall maintain and make available to the data subject a Location |
|---|
| 153 | 153 | | 122Privacy Policy, which shall include, at a minimum, the following:— |
|---|
| 154 | 154 | | 123 (1)the permissible purpose for which the covered entity is collecting, processing, or |
|---|
| 155 | 155 | | 124disclosing any location information; |
|---|
| 156 | 156 | | 125 (2)the type of location information collected, including the precision of the data; |
|---|
| 157 | 157 | | 126 (3)the identities of service providers with which the covered entity contracts with |
|---|
| 158 | 158 | | 127respect to location data; |
|---|
| 159 | 159 | | 128 (4)any disclosures of location data necessary to carry out a permissible purpose and |
|---|
| 160 | 160 | | 129the identities of the third parties to whom the location information could be disclosed; |
|---|
| 161 | 161 | | 130 (5)whether the covered entity’s practices include the internal use of location |
|---|
| 162 | 162 | | 131information for purposes of targeted advertisement |
|---|
| 163 | 163 | | 132 (6)the data management and data security policies governing location information; |
|---|
| 164 | 164 | | 133 (7)the retention schedule and guidelines for permanently deleting location |
|---|
| 165 | 165 | | 134information. |
|---|
| 166 | 166 | | 135 (h)A covered entity in lawful possession of location information shall provide notice |
|---|
| 167 | 167 | | 136to individuals to whom that information pertains of any change to its Location Privacy Policy at |
|---|
| 168 | 168 | | 137least 20 business days before the change goes into effect, and shall request and obtain consent 8 of 10 |
|---|
| 169 | 169 | | 138before collecting or processing location information in accordance with the new Location |
|---|
| 170 | 170 | | 139Privacy Policy. |
|---|
| 171 | 171 | | 140 (i)It shall be unlawful for a government entity to monetize location information. |
|---|
| 172 | 172 | | 141 Section 3: Prohibition Against Retaliation |
|---|
| 173 | 173 | | 142 A covered entity shall not take adverse action against an individual because the |
|---|
| 174 | 174 | | 143individual exercised or refused to waive any of such individual’s rights under this chapter, unless |
|---|
| 175 | 175 | | 144location data is essential to the provision of the good, service, or service feature that the |
|---|
| 176 | 176 | | 145individual requests, and then only to the extent that such data is essential. This prohibition |
|---|
| 177 | 177 | | 146includes but is not limited to: |
|---|
| 178 | 178 | | 147 (1)refusing to provide a good or service to the individual; |
|---|
| 179 | 179 | | 148 (2)charging different prices or rates for goods or services, including through the use |
|---|
| 180 | 180 | | 149of discounts or other benefits or imposing penalties; or |
|---|
| 181 | 181 | | 150 (3)providing a different level or quality of goods or services to the individual. |
|---|
| 182 | 182 | | 151 Section 4. Enforcement |
|---|
| 183 | 183 | | 152 (a)A violation of this chapter or a regulation promulgated under this chapter |
|---|
| 184 | 184 | | 153regarding an individual’s location information constitutes an injury to that individual and shall be |
|---|
| 185 | 185 | | 154deemed an unfair or deceptive act or practice in the conduct of trade or commerce under chapter |
|---|
| 186 | 186 | | 15593A . |
|---|
| 187 | 187 | | 156 (b)Any individual alleging a violation of this chapter by a covered entity or service |
|---|
| 188 | 188 | | 157provider may bring a civil action in the superior court or any court of competent jurisdiction; 9 of 10 |
|---|
| 189 | 189 | | 158provided that, venue in the superior court shall be proper in the county in which the plaintiff |
|---|
| 190 | 190 | | 159resides or was located at the time of any violation. |
|---|
| 191 | 191 | | 160 (c)An individual protected by this chapter shall not be required, as a condition of |
|---|
| 192 | 192 | | 161service or otherwise, to file an administrative complaint with the attorney general or to accept |
|---|
| 193 | 193 | | 162mandatory arbitration of a claim arising under this chapter. |
|---|
| 194 | 194 | | 163 (d)In a civil action in which the plaintiff prevails, the court may award (1) actual |
|---|
| 195 | 195 | | 164damages, including damages for emotional distress, or $5,000 per violation, whichever is greater, |
|---|
| 196 | 196 | | 165(2) punitive damages; and (3) any other relief, including but not limited to an injunction or |
|---|
| 197 | 197 | | 166declaratory judgment, that the court deems to be appropriate. The court shall consider each |
|---|
| 198 | 198 | | 167instance in which a covered entity or service provider collects, processes, or discloses location |
|---|
| 199 | 199 | | 168information in a manner prohibited by this chapter or a regulation promulgated under this chapter |
|---|
| 200 | 200 | | 169as constituting a separate violation of this chapter or regulation promulgated under this chapter. |
|---|
| 201 | 201 | | 170In addition to any relief awarded, the court shall award reasonable attorney’s fees and costs to |
|---|
| 202 | 202 | | 171any prevailing plaintiff. |
|---|
| 203 | 203 | | 172 (e)The attorney general may bring an action pursuant to section 4 of chapter 93A |
|---|
| 204 | 204 | | 173against a covered entity or service provider to remedy violations of this chapter and for other |
|---|
| 205 | 205 | | 174relief that may be appropriate. |
|---|
| 206 | 206 | | 175 (f)Any provision of a contract or agreement of any kind, including a covered entity’s |
|---|
| 207 | 207 | | 176terms of service or policies, including but not limited to the Location Privacy Policy, that |
|---|
| 208 | 208 | | 177purports to waive or limit in any way an individual’s rights under this chapter, including but not |
|---|
| 209 | 209 | | 178limited to any right to a remedy or means of enforcement, shall be deemed contrary to state law |
|---|
| 210 | 210 | | 179and shall be void and unenforceable. 10 of 10 |
|---|
| 211 | 211 | | 180 (g)No private or government action brought pursuant to this chapter shall preclude |
|---|
| 212 | 212 | | 181any other action under this chapter. |
|---|
| 213 | 213 | | 182 SECTION 2. Location Information Collected Before Effective Date |
|---|
| 214 | 214 | | 183 Location information collected, processed, and stored prior to the effective date of this |
|---|
| 215 | 215 | | 184Act shall be subject to subsections 2(e)(3), 2(e)(5), and 2(f). |
|---|
| 216 | 216 | | 185 SECTION 3. Effective Date |
|---|
| 217 | 217 | | 186 This Act shall take effect 1 year after enactment. |
|---|