SENATE DOCKET, NO. 2355 FILED ON: 1/17/2025

SENATE . . . . . . . . . . . . . . No. 301

The Commonwealth of Massachusetts

_________________

PRESENTED BY:

Barry R. Finegold

_________________

To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General Court assembled:

The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:

An Act advancing the economic development of the commonwealth through comprehensive data privacy.

_______________

PETITION OF:

NAME: Barry R. Finegold
DISTRICT/ADDRESS: Second Essex and Middlesex
By Mr. Finegold, a petition (accompanied by bill, Senate, No. 301) of Barry R. Finegold for legislation to establish the Massachusetts Information Privacy and Security Act. Economic Development and Emerging Technologies.

[SIMILAR MATTER FILED IN PREVIOUS SESSION
SEE SENATE, NO. 227 OF 2023-2024.]

The Commonwealth of Massachusetts

_______________

In the One Hundred and Ninety-Fourth General Court
(2025-2026)

_______________

An Act advancing the economic development of the commonwealth through comprehensive data privacy.

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
SECTION 1. The General Laws are hereby amended by inserting after chapter 93L the following chapter:-

CHAPTER 93M. The Massachusetts Information Privacy and Security Act.

Section 1. Title

This chapter shall be known as the “Massachusetts Information Privacy and Security Act.”

Section 2. Definitions

As used in this chapter, the following words shall have the following meanings unless the context clearly requires otherwise:

“Affiliate”, an entity that controls, is controlled by or is under common control or shares common branding with another entity; provided, however, that for the purposes of this definition, “control” or “controlled” shall mean:

(i) ownership of more than 50 per cent of the outstanding shares of any class of voting security of the entity;

(ii) control in any manner over the election of a majority of the entity’s directors or of persons exercising similar functions; or

(iii) the power to otherwise exercise a controlling influence over the management of the entity.

“Biometric information”, a retina or iris scan, fingerprint, voiceprint, map or scan of hand or face geometry, vein pattern, gait pattern or other personal information generated from the specific technical processing of an individual’s unique biological or physiological patterns or characteristics used to identify a specific individual; provided, however, that “biometric information” shall not include:

(1) a digital or physical photograph;

(2) an audio or video recording; or

(3) data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

“Business associate” shall have the same meaning as in 45 C.F.R. 160.103.

“Child”, an individual who a controller knows or reasonably should know is under the age of 13.

“Collect”, buy, rent, gather, obtain, receive or otherwise access any personal information pertaining to an individual by any means including, but not limited to, obtaining information from an individual, either actively or passively, or by observing an individual’s behavior.

“Common branding”, a shared name, service mark, trademark or other indicator that an individual would reasonably understand to indicate that 2 or more entities are commonly owned.

“Consent”, a clear affirmative act signifying an individual’s freely given, specific, informed and unambiguous agreement to allow the processing of specific categories of personal information relating to the individual for a narrowly defined particular purpose; provided, however, that “consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action; and provided further, that the following shall not constitute “consent”:

(i) acceptance of a general or broad terms of use or similar document that contains descriptions of personal information processing along with other, unrelated information;

(ii) hovering over, muting, pausing or closing a given piece of content; or

(iii) agreement obtained through dark patterns or a false, fictitious, fraudulent or materially misleading statement or representation.

“Controller”, the entity that, alone or jointly with others, determines the purposes and means of the processing of personal information of an individual.

“Covered entity” shall have the same meaning as in 45 C.F.R. 160.103.

“Dark pattern”, a user interface that is designed, modified or manipulated with the purpose or substantial effect of obscuring, subverting or impairing a reasonable individual’s autonomy, decision-making or choice.

“Data broker”, a controller that, in a calendar year, knowingly collects and sells to third parties:

(i) the personal information of not less than 25,000 individuals; provided, however, that the controller derives not less than 25 per cent of its annual global gross revenues from the sale of personal information;

(ii) the biometric, genetic or specific geolocation information of not less than 10,000 individuals; or

(iii) the personal information of not less than 10,000 individuals with whom the controller does not have a direct relationship including, but not limited to, a relationship in which an individual is a past or present: (A) customer, client, subscriber, user or registered user of the controller’s goods or services; (B) an employee, contractor or agent of the controller; (C) an investor in the controller; or (D) a donor to the controller.

The following activities conducted by a controller, and the collection and sale of personal information incidental to conducting these activities, shall not qualify the controller as a data broker: (i) providing 411 directory assistance or directory information services, including name, address or telephone number, on behalf of or as a function of a telecommunications carrier; (ii) providing publicly available information related to an individual’s business or profession; or (iii) providing publicly available information via real-time or near-real-time alert services for health or safety purposes.

“De-identified information”, information that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual or household, or a device linked to such individual or household; provided, however, that the controller that possesses the information:

(i) takes reasonable technical and organizational measures to ensure that the information cannot, at any point, be associated with or used to re-identify an identified or identifiable individual or household;

(ii) publicly commits to process the information solely in a de-identified fashion;

(iii) does not attempt to re-identify the information; provided, however, that the controller may attempt to re-identify the information solely for the purpose of determining whether its de-identification procedures satisfy the provisions of this definition; and

(iv) contractually obligates any recipients of the information to comply with the provisions of this definition with respect to the information and requires that such obligations be included contractually in all subsequent instances for which the information may be received.

“De-identification”, the creation of de-identified information from personal information.

“Designated method for submitting a request”, a mailing address, email address, internet web page, internet web portal, toll-free telephone number or other applicable contact information through which an individual may submit a request or direction under this chapter.

“Entity”, a sole proprietorship or a corporation, association, partnership or other legal entity.
---|
63 | 63 | | 31 “Collect”, buy, rent, gather, obtain, receive or otherwise access any personal information |
---|
64 | 64 | | 32pertaining to an individual by any means including, but not limited to, obtaining information |
---|
65 | 65 | | 33from an individual, either actively or passively, or by observing an individual’s behavior. |
---|
66 | 66 | | 34 “Common branding”, a shared name, service mark, trademark or other indicator that an |
---|
67 | 67 | | 35individual would reasonably understand to indicate that 2 or more entities are commonly owned. |
---|
68 | 68 | | 36 “Consent”, a clear affirmative act signifying an individual’s freely given, specific, |
---|
69 | 69 | | 37informed and unambiguous agreement to allow the processing of specific categories of personal |
---|
70 | 70 | | 38information relating to the individual for a narrowly defined particular purpose; provided, |
---|
71 | 71 | | 39however, that “consent” may include a written statement, including a statement written by |
---|
72 | 72 | | 40electronic means, or any other unambiguous affirmative action; and provided further, that the |
---|
73 | 73 | | 41following shall not constitute “consent”: |
---|
74 | 74 | | 42 (i) acceptance of a general or broad terms of use or similar document that contains |
---|
75 | 75 | | 43descriptions of personal information processing along with other, unrelated information; |
---|
76 | 76 | | 44 (ii) hovering over, muting, pausing or closing a given piece of content; or |
---|
77 | 77 | | 45 (iii) agreement obtained through dark patterns or a false, fictitious, fraudulent or |
---|
78 | 78 | | 46materially misleading statement or representation. |
---|
79 | 79 | | 47 “Controller”, the entity that, alone or jointly with others, determines the purposes and |
---|
80 | 80 | | 48means of the processing of personal information of an individual. 4 of 71 |
---|
81 | 81 | | 49 “Covered entity” shall have the same meaning as in 45 C.F.R. 160.103. |
---|
82 | 82 | | 50 “Dark pattern”, a user interface that is designed, modified or manipulated with the |
---|
83 | 83 | | 51purpose or substantial effect of obscuring, subverting or impairing a reasonable individual’s |
---|
84 | 84 | | 52autonomy, decision-making or choice. |
---|
85 | 85 | | 53 “Data broker”, a controller that, in a calendar year, knowingly collects and sells to third |
---|
86 | 86 | | 54parties: |
---|
87 | 87 | | 55 (i) the personal information of not less than 25,000 individuals; provided, however, that |
---|
88 | 88 | | 56the controller derives not less than 25 per cent of its annual global gross revenues from the sale |
---|
89 | 89 | | 57of personal information; |
---|
90 | 90 | | 58 (ii) the biometric, genetic or specific geolocation information of not less than 10,000 |
---|
91 | 91 | | 59individuals; or |
---|
92 | 92 | | 60 (iii) the personal information of not less than 10,000 individuals with whom the controller |
---|
93 | 93 | | 61does not have a direct relationship including, but not limited to, a relationship in which an |
---|
94 | 94 | | 62individual is a past or present: (A) customer, client, subscriber, user or registered user of the |
---|
95 | 95 | | 63controller’s goods or services; (B) an employee, contractor or agent of the controller; (C) an |
---|
96 | 96 | | 64investor in the controller; or (D) a donor to the controller. |
---|
97 | 97 | | 65 The following activities conducted by a controller, and the collection and sale of personal |
---|
98 | 98 | | 66information incidental to conducting these activities, shall not qualify the controller as a data |
---|
99 | 99 | | 67broker: (i) providing 411 directory assistance or directory information services, including name, |
---|
100 | 100 | | 68address or telephone number, on behalf of or as a function of a telecommunications carrier; (ii) |
---|
101 | 101 | | 69providing publicly available information related to an individual’s business or profession; or (iii) 5 of 71 |
---|
102 | 102 | | 70providing publicly available information via real-time or near-real-time alert services for health |
---|
103 | 103 | | 71or safety purposes. |
---|
104 | 104 | | 72 “De-identified information”, information that cannot reasonably be used to infer |
---|
105 | 105 | | 73information about, or otherwise be linked to, an identified or identifiable individual or |
---|
106 | 106 | | 74household, or a device linked to such individual or household; provided, however, that the |
---|
107 | 107 | | 75controller that possesses the information: |
---|
108 | 108 | | 76 (i) takes reasonable technical and organizational measures to ensure that the information |
---|
109 | 109 | | 77cannot, at any point, be associated with or used to re-identify an identified or identifiable |
---|
110 | 110 | | 78individual or household; |
---|
111 | 111 | | 79 (ii) publicly commits to process the information solely in a de-identified fashion; |
---|
112 | 112 | | 80 (iii) does not attempt to re-identify the information; provided, however, that the controller |
---|
113 | 113 | | 81may attempt to re-identify the information solely for the purpose of determining whether its de- |
---|
114 | 114 | | 82identification procedures satisfy the provisions of this definition; and |
---|
115 | 115 | | 83 (iv) contractually obligates any recipients of the information to comply with the |
---|
116 | 116 | | 84provisions of this definition with respect to the information and requires that such obligations be |
---|
117 | 117 | | 85included contractually in all subsequent instances for which the information may be received. |
---|
118 | 118 | | 86 “De-identification”, the creation of de-identified information from personal information. |
---|
119 | 119 | | 87 “Designated method for submitting a request”, a mailing address, email address, internet |
---|
120 | 120 | | 88web page, internet web portal, toll-free telephone number or other applicable contact information |
---|
121 | 121 | | 89through which an individual may submit a request or direction under this chapter. 6 of 71 |
---|
122 | 122 | | 90 “Entity”, a sole proprietorship or a corporation, association, partnership or other legal |
---|
123 | 123 | | 91entity. |
---|
124 | 124 | | 92 “Genetic information”, personal information, regardless of format, that: |
---|
125 | 125 | | 93 (i) results from the analysis of a biological sample of an individual, or from another |
---|
126 | 126 | | 94source enabling equivalent information to be obtained; and |
---|
127 | 127 | | 95 (ii) concerns an individual’s genetic material including, but not limited to, |
---|
128 | 128 | | 96deoxyribonucleic acids, ribonucleic acids, genes, chromosomes, alleles, genomes, alterations or |
---|
129 | 129 | | 97modifications to deoxyribonucleic acids or ribonucelic acids, single nucleotide polymorphisms, |
---|
130 | 130 | | 98uninterpreted data that results from analysis of the biological sample or other source or any |
---|
131 | 131 | | 99information extrapolated, derived, or inferred therefrom. |
---|
132 | 132 | | 100 “Health care facility” shall have the same meaning as defined in section 25B of chapter |
---|
133 | 133 | | 101111. |
---|
134 | 134 | | 102 “Health care provider” shall have the same meaning as defined in section 1 of said |
---|
135 | 135 | | 103chapter 111. |
---|
136 | 136 | | 104 “Health record”, an individual’s health-related record, as maintained pursuant to section |
---|
137 | 137 | | 10570 of said chapter 111. |
---|
138 | 138 | | 106 “HIPAA”, the federal Health Insurance Portability and Accountability Act of 1996, 42 |
---|
139 | 139 | | 107U.S.C. 1320d et seq., as amended from time to time. |
---|
140 | 140 | | 108 “Homepage”, the introductory page of an internet website and any internet web page |
---|
141 | 141 | | 109where personal information is collected; provided, however, that in the case of an online service, |
---|
142 | 142 | | 110such as a mobile application, “homepage” shall include: 7 of 71 |
---|
143 | 143 | | 111 (i) the application’s platform page or download page; |
---|
144 | 144 | | 112 (ii) a link within the application, such as from the application configuration, “About,” |
---|
145 | 145 | | 113“Information,” or settings page; and |
---|
146 | 146 | | 114 (iii) any other location that allows individuals to review the notices required by this |
---|
147 | 147 | | 115chapter including, but not limited to, before downloading the application. |
---|
148 | 148 | | 116 “Identified or identifiable household”, a group of individuals who: |
---|
149 | 149 | | 117 (i) cohabitate with one another at the same residential address in the commonwealth; |
---|
150 | 150 | | 118 (ii) use common devices or services; and |
---|
151 | 151 | | 119 (iii) can be readily identified, directly or indirectly. |
---|
152 | 152 | | 120 “Identified or identifiable individual”, an individual who can be readily identified, |
---|
153 | 153 | | 121directly or indirectly. |
---|
154 | 154 | | 122 “Individual”, a natural person who is a resident of the commonwealth; provided, |
---|
155 | 155 | | 123however, that “individual” shall not include a natural person acting as a sole proprietorship. |
---|
156 | 156 | | 124 “Infer”, deriving information, data, assumptions, correlations, predictions or conclusions |
---|
157 | 157 | | 125from facts, evidence or another source of information or data. |
---|
158 | 158 | | 126 “Institution of higher education”, any college, junior college, university or other public or |
---|
159 | 159 | | 127private educational institution that has been authorized to grant degrees pursuant to sections 30, |
---|
160 | 160 | | 12830A or 31A of chapter 69. |
---|
161 | 161 | | 129 “Large data holder”, a controller that, in a calendar year: 8 of 71 |
---|
162 | 162 | | 130 (i) has annual global gross revenues in excess of $1,000,000,000; and |
---|
163 | 163 | | 131 (ii) determines the purposes and means of processing of the personal information of not |
---|
164 | 164 | | 132less than 200,000 individuals, excluding personal information processed solely for the purpose of |
---|
165 | 165 | | 133completing a payment-only credit, check or cash transaction where no personal information is |
---|
166 | 166 | | 134retained about the individual entering into the transaction. |
---|
167 | 167 | | 135 “Minor”, an individual who a controller knows or reasonably should know is not less |
---|
168 | 168 | | 136than 13 years of age and not more than 16 years of age. |
---|
169 | 169 | | 137 “Nonprofit organization”, any organization that is exempt from taxation under 26 U.S.C. |
---|
170 | 170 | | 138501(c), as amended from time to time. |
---|
171 | 171 | | 139 “Personal information”, information including, but not limited to, a unique persistent |
---|
172 | 172 | | 140identifier, that identifies, relates to, describes, is reasonably capable of being associated with or |
---|
173 | 173 | | 141could reasonably be linked, directly or indirectly, with an identified or identifiable individual; |
---|
174 | 174 | | 142provided, however, that “personal information” shall not include publicly available or de- |
---|
175 | 175 | | 143identified information about a natural person; and provided further, that “personal information” |
---|
176 | 176 | | 144shall also include information including, but not limited to, a unique persistent identifier that |
---|
177 | 177 | | 145identifies, relates to, describes, is reasonably capable of being associated with or could |
---|
178 | 178 | | 146reasonably be linked, directly or indirectly, with: |
---|
179 | 179 | | 147 (i) an identified or identifiable natural person, only insofar as “personal information” is |
---|
180 | 180 | | 148used in clause (i) of the definition of “data broker” in this section; or |
---|
181 | 181 | | 149 (ii) an identified or identifiable household, only insofar as “personal information” is used |
---|
182 | 182 | | 150in: (i) subsection (b) of section 3; or (ii) any reference in this chapter to the sale or selling of 9 of 71 |
---|
183 | 183 | | 151personal information or the processing of personal information for the purposes of targeted |
---|
184 | 184 | | 152cross-contextual or first-party advertising. |
---|
185 | 185 | | 153 “Process”, any operation or set of operations performed on personal information or on |
---|
186 | 186 | | 154sets of personal information, whether or not by automated means, such as the collection, use, |
---|
187 | 187 | | 155storage, disclosure, sharing, analysis, prediction, deletion or modification of personal |
---|
188 | 188 | | 156information, including the actions of a controller directing a processor to process personal |
---|
189 | 189 | | 157information. |
---|
190 | 190 | | 158 “Processor”, an entity that processes personal information on behalf of a controller; |
---|
191 | 191 | | 159provided, however, that determining whether an entity is acting as a processor or a controller |
---|
192 | 192 | | 160with respect to a specific processing of personal information is a fact-based determination that |
---|
193 | 193 | | 161depends upon the context in which the information is processed; and provided further, that: |
---|
194 | 194 | | 162 (i) a processor that continues to adhere to a controller’s instructions with respect to the |
---|
195 | 195 | | 163specific processing of personal information remains a processor; |
---|
196 | 196 | | 164 (ii) if a processor begins, alone or jointly with others, determining the purposes and |
---|
197 | 197 | | 165means of the processing of personal information, it is a controller with respect to the processing; |
---|
198 | 198 | | 166and |
---|
199 | 199 | | 167 (iii) an entity that is not limited in its processing of personal information pursuant to a |
---|
200 | 200 | | 168controller’s instruction, or that fails to adhere to such instructions, is a controller and not a |
---|
201 | 201 | | 169processor with respect to a specific processing. |
---|
202 | 202 | | 170 “Profiling”, any form of automated processing of personal information to evaluate, |
---|
203 | 203 | | 171analyze, or predict personal aspects concerning an identified or identifiable individual or 10 of 71 |
---|
204 | 204 | | 172household’s economic situation, health, personal preferences, interests, reliability, behavior, |
---|
205 | 205 | | 173location or movements. |
---|
206 | 206 | | 174 “Protected health information” shall have the same meaning as defined in 45 C.F.R. |
---|
207 | 207 | | 175160.103, established pursuant to HIPAA. |
---|
208 | 208 | | 176 “Publicly available information”, information about an individual that: |
---|
209 | 209 | | 177 (i) is lawfully made available from federal, state or local government records; or |
---|
210 | 210 | | 178 (ii) a controller has a reasonable basis to believe is lawfully and intentionally made |
---|
211 | 211 | | 179available to the general public: (A) through widely distributed media; or (B) by the individual, |
---|
212 | 212 | | 180unless the individual has restricted the information to a specific audience; provided, however, |
---|
213 | 213 | | 181that “publicly available information” shall not include biometric or genetic information or |
---|
214 | 214 | | 182personal information that is not publicly available and has been combined with publicly available |
---|
215 | 215 | | 183information. |
---|
216 | 216 | | 184 “Research”, a systematic investigation, including research development, testing and |
---|
217 | 217 | | 185evaluation, designed to develop or contribute to generalizable knowledge and that is conducted |
---|
218 | 218 | | 186in accordance with applicable ethics and privacy laws. |
---|
219 | 219 | | 187 “Sale” or “selling”, disclosing, disseminating, making available, releasing, renting, |
---|
220 | 220 | | 188sharing, transferring or otherwise communicating orally, in writing or by electronic or other |
---|
221 | 221 | | 189means, an individual’s personal information by the controller to a third party for monetary or |
---|
222 | 222 | | 190other valuable consideration in a bargained-for exchange or otherwise for the purposes of |
---|
223 | 223 | | 191targeted cross-contextual advertising; provided, however, that “sale” or “selling” shall not |
---|
224 | 224 | | 192include: 11 of 71 |
---|
225 | 225 | | 193 (i) the disclosure of personal information to a processor where the processor only |
---|
226 | 226 | | 194processes such personal information on behalf of the controller; |
---|
227 | 227 | | 195 (ii) the controller’s use or sharing of an identifier for an individual who, pursuant to |
---|
228 | 228 | | 196section 8, has opted out of the processing of the individual’s personal information; provided, |
---|
229 | 229 | | 197however, that the controller’s use or sharing of the identifier is solely for the purpose of alerting |
---|
230 | 230 | | 198entities that the individual has opted out; |
---|
231 | 231 | | 199 (iii) the disclosure or transfer of personal information to an affiliate of the controller; |
---|
232 | 232 | | 200 (iv) the disclosure or transfer of personal information to a third party as an asset that is |
---|
233 | 233 | | 201part of a proposed or actual merger, acquisition, bankruptcy or other transaction in which the |
---|
234 | 234 | | 202third party assumes control of all or part of the controller’s assets; |
---|
235 | 235 | | 203 (v) the disclosure of personal information to a third party for purposes of providing a |
---|
236 | 236 | | 204product or service specifically requested by the individual; or |
---|
237 | 237 | | 205 (vi) when the individual uses or expressly directs the controller to disclose personal |
---|
238 | 238 | | 206information to a third party or otherwise interact with a third party; provided, however, that the |
---|
239 | 239 | | 207individual’s direction was not obtained through dark patterns; and provided further, that the |
---|
240 | 240 | | 208controller’s interaction with the third party is not for the purposes of targeted cross-contextual |
---|
241 | 241 | | 209advertising. |
---|
242 | 242 | | 210 “Sensitive information”, a form of personal information, including: |
---|
243 | 243 | | 211 (i) an individual’s specific geolocation information; |
---|
244 | 244 | | 212 (ii) biometric or genetic information processed for the purpose of uniquely identifying an |
---|
245 | 245 | | 213individual; 12 of 71 |
---|
246 | 246 | | 214 (iii) the personal information of a child or minor; |
---|
247 | 247 | | 215 (iv) personal information that reveals an individual’s: (A) racial or ethnic origin; (B) |
---|
248 | 248 | | 216religious beliefs; or (C) citizenship or immigration status; |
---|
249 | 249 | | 217 (v) personal information processed concerning an individual’s past, present or future |
---|
250 | 250 | | 218mental or physical health condition, disability, diagnosis or treatment; |
---|
251 | 251 | | 219 (vi) personal information processed concerning an individual’s sexual orientation, sex life |
---|
252 | 252 | | 220or reproductive health including, but not limited to, the use or purchase of contraceptives, birth |
---|
253 | 253 | | 221control, abortifacients or other medication related to reproductive health; |
---|
254 | 254 | | 222 (vii) personal information that reveals an individual’s philosophical beliefs or union |
---|
255 | 255 | | 223membership; |
---|
256 | 256 | | 224 (viii) personal information that reveals an individual’s social security number, driver’s |
---|
257 | 257 | | 225license number, military identification number, passport number or state-issued identification |
---|
258 | 258 | | 226card number; or |
---|
259 | 259 | | 227 (ix) personal information that reveals an individual’s financial account number, or credit |
---|
260 | 260 | | 228or debit card number, with or without any required security code, access code, personal |
---|
261 | 261 | | 229identification number or password, that would permit access to an individual’s financial account. |
---|
262 | 262 | | 230 “Specific geolocation information”, information derived from technology including, but |
---|
263 | 263 | | 231not limited to, global positioning system level latitude and longitude coordinates or other |
---|
264 | 264 | | 232mechanisms that directly identify the specific location of an individual within a geographic area |
---|
265 | 265 | | 233that is not greater than the area of a circle with a radius of 1,850 feet; provided, however, that |
---|
266 | 266 | | 234“specific geolocation information” shall exclude the content of communications or any 13 of 71 |
---|
267 | 267 | | 235information generated by or connected to advanced utility metering infrastructure systems or |
---|
268 | 268 | | 236equipment for use by a utility. |
---|
269 | 269 | | 237 “Targeted cross-contextual advertising”, the targeting of advertising to an individual |
---|
270 | 270 | | 238based on the individual’s personal information obtained from the individual’s activity across |
---|
271 | 271 | | 239distinctly-branded internet websites, online applications, services or physical premises; provided, |
---|
272 | 272 | | 240however, that “targeted cross-contextual advertising” shall not include: |
---|
273 | 273 | | 241 (i) processing personal information solely for measuring or reporting advertising |
---|
274 | 274 | | 242performance, reach or frequency; |
---|
275 | 275 | | 243 (ii) contextual advertising that is displayed based on the content in which the |
---|
276 | 276 | | 244advertisement appears and does not vary based on who is viewing the advertisement; or |
---|
277 | 277 | | 245 (iii) advertising that is based solely on an individual’s current intentional interaction with |
---|
278 | 278 | | 246or visit to a controller’s distinctly-branded internet website, online application, service or |
---|
279 | 279 | | 247physical premise; provided however, that the individual’s personal information is not: (A) used |
---|
280 | 280 | | 248to build a profile about the individual or otherwise alter the individual’s experience outside the |
---|
281 | 281 | | 249current intentional interaction with the controller; or (B) retained after the completion of the |
---|
282 | 282 | | 250interaction; provided further, that an individual’s intentional interaction may include, but is not |
---|
283 | 283 | | 251limited to, an individual’s current search query or specific request for information and feedback; |
---|
284 | 284 | | 252and provided further, that hovering over, muting, pausing or closing a given piece of content |
---|
285 | 285 | | 253does not constitute an individual’s intent to interact with a controller. |
---|
286 | 286 | | 254 “Targeted first-party advertising”, the targeting of advertising to an individual based on a |
---|
287 | 287 | | 255controller profiling an individual by using the personal information obtained from the |
---|
288 | 288 | | 256individual’s activity within a controller’s own websites, online applications, services or physical 14 of 71 |
---|
289 | 289 | | 257premises; provided, however, that “targeted first-party advertising” shall not include advertising |
---|
290 | 290 | | 258or the processing of personal information pursuant to the exemptions specified in clauses (i) |
---|
291 | 291 | | 259through (iii), inclusive, of the definition of targeted cross-contextual advertising. |
---|
292 | 292 | | 260 “Third party”, a natural person, entity, public authority, agency or body other than the |
---|
293 | 293 | | 261applicable individual, controller, processor or affiliate of the controller or the processor. |
---|
294 | 294 | | 262 “Trade secret” shall have the same meaning as defined in section 42 of chapter 93. |
---|
295 | 295 | | 263 “Unique persistent identifier”, an identifier that is reasonably linkable to an identified or |
---|
296 | 296 | | 264identifiable natural person or household including, but not limited to: |
---|
297 | 297 | | 265 (i) a device identifier; |
---|
298 | 298 | | 266 (ii) an Internet Protocol address; |
---|
299 | 299 | | 267 (iii) a cookie; |
---|
300 | 300 | | 268 (iv) a beacon; |
---|
301 | 301 | | 269 (v) a pixel tag; |
---|
302 | 302 | | 270 (vi) a mobile advertising identifier or similar technology; |
---|
303 | 303 | | 271 (vii) a customer number; |
---|
304 | 304 | | 272 (viii) a unique pseudonym; |
---|
305 | 305 | | 273 (ix) a user alias; |
---|
306 | 306 | | 274 (x) a telephone number; or 15 of 71 |
---|
307 | 307 | | 275 (xi) another form of persistent or probabilistic identifier that is linked or reasonably |
---|
308 | 308 | | 276linkable to an identified or identifiable natural person or household. |
---|
309 | 309 | | 277 “Upholding security, confidentiality and integrity”, protecting against, responding to, |
---|
310 | 310 | | 278preventing, detecting, investigating, reporting or prosecuting identity theft, fraud, harassment, |
---|
311 | 311 | | 279malicious, deceptive or illegal activities, or any other security incidents that compromise the |
---|
312 | 312 | | 280availability, authenticity, confidentiality or integrity of stored or transmitted personal |
---|
313 | 313 | | 281information. |
---|
314 | 314 | | 282 “Verifiable request”, a request: |
---|
315 | 315 | | 283 (i) to exercise any of the rights set forth in sections 10 through 13; and |
---|
316 | 316 | | 284 (ii) that a controller can use commercially reasonable means to determine is being made |
---|
317 | 317 | | 285by the individual or by a person authorized to exercise rights on behalf of such individual with |
---|
respect to the personal information at issue pursuant to section 14.

Section 3. Scope and Applicability

(a) This chapter shall apply to:

(i) a controller or processor that conducts business in the commonwealth;

(ii) the processing of personal information by a controller or processor not physically established in the commonwealth, where the processing activities are related to: (A) the offering of goods or services that are targeted to individuals; or (B) the monitoring of behavior of individuals where such behavior takes place in the commonwealth; or

(iii) an entity that voluntarily certifies to the attorney general that it is fully in compliance with, and agrees to be bound by, this chapter.

(b) Notwithstanding subsection (a), sections 7 through 17, inclusive, and section 26 shall only apply to a controller that, during the preceding calendar year, satisfied at least 1 of the following additional thresholds or is an entity that is an affiliate of and shares common branding with such a controller, in which case sections 7 through 17, inclusive, and section 26 shall apply only to the personal information processed by the affiliate on behalf of the controller:

(1) The controller had annual global gross revenues in excess of 25,000,000 dollars;

(2) The controller was a data broker; or

(3) The controller determined the purposes and means of processing of the personal information of not less than 100,000 individuals, excluding personal information processed solely for the purpose of completing a payment-only credit, check or cash transaction where no personal information is retained about the individual entering into the transaction.

(c) This chapter shall not apply to:

(i) any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or any of its branches or any political subdivision thereof;

(ii) a national securities association that is registered under 15 U.S.C. 78o-3 of the Securities Exchange Act of 1934, as amended from time to time;

(iii) a registered futures association that is so designated pursuant to 7 U.S.C. 21, as amended from time to time; or

(iv) an entity that serves as a congressionally designated nonprofit, national resource center or clearinghouse to assist victims, families, child-serving professionals or the general public on issues concerning missing or exploited children.

(d) The following information shall be exempt from this chapter:

(i) protected health information that is processed by a covered entity or business associate pursuant to 45 C.F.R. 160, 162 or 164;

(ii) health records for the purposes of section 70 of chapter 111, to the extent that the records are maintained pursuant to 45 C.F.R. 160, 162 or 164;

(iii) information and documents that are created by a covered entity for purposes of complying with HIPAA;

(iv) information used only for public health activities or purposes as authorized by HIPAA;

(v) patient identifying information for purposes of 42 C.F.R. 2, established pursuant to 42 U.S.C. 290dd-2, as amended from time to time;

(vi) information that is: (A) collected for a clinical trial subject to the Federal Policy for the Protection of Human Subjects under 45 C.F.R. 46; (B) collected pursuant to good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; (C) collected pursuant to the human subject protection requirements under 21 C.F.R. 50 and 56; or (D) personal information used or disclosed in research conducted in accordance with one or more of the requirements set forth in this paragraph;

(vii) information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101 et seq., as amended from time to time;

(viii) patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. 299b-21 et seq., as amended from time to time;

(ix) information that is: (A) derived from any of the health care-related information listed in this subsection; and (B) de-identified in accordance with the requirements for de-identification pursuant to 45 C.F.R. 164;

(x) information that is treated in the same manner as, or that originates from and is intermingled to be indistinguishable with, information that is exempt under this subsection and maintained by: (A) a covered entity or business associate; (B) a health care facility or health care provider; or (C) a program of a qualified service organization as defined by 42 U.S.C. 290dd-2;

(xi) an activity involving the processing of any personal information bearing on an individual’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by: (A) a consumer reporting agency, as defined in 15 U.S.C. 1681a(f); (B) a furnisher of information, as set forth in 15 U.S.C. 1681s-2, that provides information for use in a consumer report, as defined in 15 U.S.C. 1681a(d); or (C) a user of a consumer report, as set forth in 15 U.S.C. 1681b; provided, however, that this paragraph shall apply only to the extent that the activity is regulated by the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., as amended from time to time, and the personal information is processed solely as authorized by the federal Fair Credit Reporting Act; and provided further, that the exemption established pursuant to this paragraph shall not apply with respect to section 26;

(xii) personal information processed in compliance with the federal Driver’s Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq., as amended from time to time;

(xiii) personal information regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. 1232g et seq., as amended from time to time;

(xiv) personal information processed in compliance with the federal Farm Credit Act, 12 U.S.C. 2001 et seq., as amended from time to time;

(xv) personal information processed in compliance with the federal Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., as amended from time to time;

(xvi) personal information processed in compliance with chapter 175I;

(xvii) personal information processed by an air carrier specifically in relation to price, route or service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. 40101 et seq., as amended from time to time; provided, however, that this exemption shall apply solely to the extent that provisions of this chapter may be preempted by section 41713 of the Airline Deregulation Act; and

(xviii) personal information processed for purposes of chapter 176Q.

(e) Section 7 and sections 9 through 13, inclusive, shall not apply to information that is processed:

(i) in the course of an individual acting in a professional or commercial context, to the extent that the information is collected and used within that context;

(ii) in the course of an individual acting as a job applicant to, an employee of or an agent or independent contractor of a controller, processor or third party, to the extent that the information is collected and used within the context of the individual’s role;

(iii) as the emergency contact information of an individual acting pursuant to clause (ii) of this subsection, to the extent that the information is solely used for emergency contact purposes; or

(iv) in order to administer benefits for another natural person relating to an individual acting pursuant to clause (ii), to the extent that the information is used solely for the purposes of administering those benefits.
Section 4. Conflicting Provisions

(a) Wherever possible, law relating to individuals’ personal information shall be construed to harmonize with the provisions of this chapter, but in the event of a conflict between the provisions of other laws and this chapter, the provisions that afford the greatest protection for the right of privacy for individuals shall control.

(b) Controllers and processors that comply with the verifiable parental consent requirements of the federal Children’s Online Privacy Protection Act, 15 U.S.C. 6501 et seq., as amended from time to time, shall be in compliance with any obligation to obtain parental consent under this chapter. Nothing in this chapter shall be construed to relieve or change any obligations that a controller, processor or other entity may have under any such applicable federal law.
Section 5. General Principles for Processing Personal Information

(a) Personal information shall be:

(i) processed lawfully, fairly and in a transparent manner in relation to the individual and in compliance with this chapter;

(ii) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

(iii) processed in a manner that is adequate, relevant and limited to what is reasonably necessary in relation to the purposes for which it is processed;

(iv) maintained in a manner such that the information is accurate and, where necessary, kept up to date;

(v) maintained in a form which permits identification of an individual for no longer than is necessary for the purposes for which the personal information is processed; and

(vi) processed in a manner that ensures that the information remains appropriately secure.

(b) A controller shall be responsible for complying with subsection (a) by implementing procedures that are reasonable and appropriate, taking into consideration:

(i) the size, scope and type of the controller;

(ii) the amount of resources available to the controller;

(iii) the amount and nature of personal information processed by the controller including, but not limited to, whether the personal information is sensitive information; and

(iv) the need for upholding security, integrity and confidentiality with respect to the personal information processed by the controller.

(c) A controller that is compliant with the regulations promulgated pursuant to chapter 93H with respect to “personal information,” as that term is defined in section 1 of said chapter 93H, shall be in compliance with the principle set forth in clause (vi) of subsection (a) with respect to such personal information.
Section 6. Lawful Basis for Processing Personal Information

(a) Processing shall be lawful and in compliance with this chapter only if:

(i) the individual has given consent to the processing of their personal information for 1 or more specific purposes;

(ii) processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract;

(iii) processing is necessary for compliance with a legal obligation to which the controller is subject;

(iv) processing is necessary in order to protect the vital interests of the individual or of another natural person; provided, however, that the processing cannot be manifestly based on another legal basis and the individual or other natural person is at risk or danger of death or serious physical injury; or

(v) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the individual’s reasonable expectations of privacy or other legal rights; provided, however, that the controller shall conspicuously disclose such processing to the individual in advance and consider when assessing whether to process such personal information:

(A) the context in which the personal information would be collected;

(B) whether the processing is reasonably necessary and proportionate to provide or maintain a specific product or service requested or reasonably anticipated by the individual to whom the personal information pertains or to perform other specified purposes that are compatible with the reasonable expectations of the individual based on the individual’s relationship with the controller;

(C) whether the controller or third party can achieve their legitimate interests in another, less intrusive, way;

(D) the amount of personal information that would be processed;

(E) the nature of the personal information that would be processed, taking into account whether processing the information, such as in the case of processing the business contact information of an individual acting in a commercial or business context, poses minimal risks to the individual;

(F) the possible unlawful disparate impacts and the financial, physical, reputational or other cognizable harms or consequences for the individual whose personal information would be processed;

(G) whether the processing interferes with an individual’s right to privacy pursuant to section 1B of chapter 214; and

(H) the need for upholding security, integrity and confidentiality with respect to the personal information that would be processed.

(b) A controller shall not rely on clause (v) of subsection (a) as a lawful basis for processing personal information for the purposes of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the individual including, but not limited to, decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services or access to essential goods or services.
Section 7. Right to Privacy Notice

(a) At or before the point of the collection of an individual’s personal information, controllers shall provide the individual with a reasonably accessible, clear and meaningful privacy notice that shall include:

(i) a clear and conspicuous description of: (A) whether the controller sells personal information to third parties or processes personal information for the purposes of targeted cross-contextual or first-party advertising; (B) what categories of sensitive information, if any, the controller processes and for what purposes; (C) an individual’s rights pursuant to sections 8 through 13, inclusive; (D) how and where individuals may request to exercise these rights; and (E) a link to the attorney general’s online mechanism through which the individual may contact the attorney general to submit a complaint pursuant to subsection (p) of section 25;

(ii) the categories of personal information processed by the controller;

(iii) the controller’s purposes for processing the personal information;

(iv) the categories of personal information, if any, that the controller sells to third parties;

(v) the categories of third parties, if any, to whom the controller sells personal information;

(vi) whether the controller sells personal information to registered data brokers, along with a link to the web page pursuant to clause (iii) of subsection (p) of section 25;

(vii) the affiliates to whom the controller discloses personal information;

(viii) the categories of sources from which personal information is collected;

(ix) the length of time the controller intends to retain each category of personal information, or, if that is not possible, the criteria used to determine such period; provided, however, that a controller shall retain personal information for a duration consistent with clause (v) of subsection (a) of section 5;

(x) the effective date of the privacy notice;

(xi) whether or not any personal information processed by the controller is sold to, processed in, stored in or otherwise accessible to the People’s Republic of China, the Russian Federation, the Islamic Republic of Iran, the Democratic People’s Republic of Korea or the Republic of Cuba; and

(xii) a contact method, such as an active email address or other online mechanism, that the individual may use to contact the controller.

(b) A controller shall not collect additional categories of personal information or process personal information collected for additional purposes that are incompatible with the disclosed purposes for which the personal information was collected without providing the individual with notice consistent with subsection (a) of this section.

(c) An entity that, acting as a third party, controls the collection of an individual’s personal information may satisfy its obligations under this section by providing the required information prominently and conspicuously on the homepage of its internet website; provided, however, that if an entity, acting as a third party, controls the collection of personal information about an individual on its premises, including in a vehicle, then the entity shall, at or before the point of collection, satisfy its obligation under subsection (a) by providing the required information in a clear and conspicuous manner at such location.

(d) Nothing in this section shall require a controller to provide the information in a manner that would disclose the controller’s trade secrets.

(e) The categories of sensitive information required to be disclosed by a controller pursuant to this section shall specifically include each applicable subcategory set forth in clauses (i) through (ix), inclusive, of the definition of sensitive information under section 2.

(f) A large data holder shall retain and make publicly available on its internet website:

(i) copies of previous versions of its privacy notices for at least 10 years; and

(ii) a log describing the date and nature of each change to its privacy notice that is likely to affect a reasonable individual’s decision or conduct regarding a large data holder’s product or service.

(g) Subsection (f) shall only apply to privacy notices created or generated after the effective date of this section and shall not be retroactive.
Section 8. Opting Out of the Sale of Personal Information and Targeted Advertising

(a) An individual shall have the right to opt out of the processing of the individual’s personal information for the purposes of:

(i) the sale of the personal information;

(ii) targeted cross-contextual advertising; or

(iii) targeted first-party advertising.

(b) A controller shall comply with an opt-out request pursuant to this section as soon as reasonably possible; provided, however, that a controller shall comply with an opt-out request with respect to clause (i) of subsection (a) in a time frame that is reasonably proportionate to the amount of time it takes the controller to sell such personal information to third parties; and provided further, that in any event, a controller shall comply with an opt-out request pursuant to this section not later than 15 days after receipt of the request.

(c) A controller that has received an opt-out request pursuant to this section shall be prohibited from processing the individual’s personal information for the purposes of the sale of the personal information or for targeted cross-contextual or first-party advertising, as applicable, unless the individual subsequently provides consent for such processing. After complying with an individual’s opt-out request, a controller shall wait for not less than 12 months before requesting the individual’s consent to process the individual’s personal information for the purposes of the sale of the personal information or for targeted cross-contextual or first-party advertising, as applicable.

(d) A data broker that has been sold an individual’s personal information shall not further process an individual’s personal information for the purposes of the sale of the personal information or for targeted cross-contextual advertising unless the individual has received explicit notice and is provided an opportunity to exercise the opt-out right pursuant to this section.

(e) If a controller communicates to any entity authorized by the controller to collect personal information that an individual has requested to exercise the opt-out right pursuant to this section, that entity shall thereafter only use that individual’s personal information for purposes specified by the controller, or as otherwise permitted by this chapter, and shall be prohibited from:

(i) processing the individual’s personal information for the purposes of the sale of the personal information or for targeted cross-contextual or first-party advertising; and

(ii) processing that individual’s personal information: (A) outside of the direct relationship between the entity and the controller; or (B) for any purpose other than for the specific purpose of providing or performing the services offered to the controller.

(f) A controller that, pursuant to subsection (e), communicates an individual’s opt-out request to an entity shall not be liable under this chapter if the entity receiving the opt-out request violates the restrictions set forth in this chapter and, at the time of communicating the opt-out request, the controller does not know or should not reasonably have known that the entity intends to commit such a violation.

(g) An individual may designate an authorized agent to act on the individual’s behalf to opt out of the processing of such individual’s personal information for one or more of the purposes specified in subsection (a). The individual may designate such authorized agent by means including, but not limited to, a technology such as an internet link or a browser setting, browser extension or global device setting, indicating the individual’s intent to opt out of such processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the authorized agent’s authority to act on the individual’s behalf. An authorized agent shall:

(i) not use an individual’s personal information for any purposes other than to fulfill the individual’s requests, for verification or for fraud prevention; and

(ii) implement and maintain reasonable security procedures and practices to protect the individual’s personal information.

(h) A controller shall allow an individual to opt out of the processing of the individual’s personal information for one or more of the purposes specified in subsection (a) through an opt-out preference signal sent with the individual’s consent to the controller by a platform, technology or mechanism indicating the individual’s intent to opt out of such processing; provided, however, that such platform, technology or mechanism shall meet the requirements and technical specifications established by the attorney general pursuant to subsection (u) of section 25; and provided further, that a controller shall notify individuals about any such platform, technology or mechanism in any privacy notice provided pursuant to section 7.

(i) If an individual decides to opt out of the processing of the individual’s personal information for one or more of the purposes specified in subsection (a) through an opt-out preference signal sent in accordance with this chapter and the individual’s decision conflicts with the individual’s existing controller-specific privacy setting or voluntary participation in the controller’s bona fide loyalty, rewards, premium features, discounts or club card program, the controller shall comply with the individual’s opt-out preference signal but may notify the individual of the conflict and provide the individual with the choice to opt back into such controller-specific privacy setting or participation in such a program; provided, however, that the controller shall not use dark patterns to coerce the individual to opt back in to such controller-specific privacy setting or participation in such program.

(j) If a controller responds to an individual’s opt-out request pursuant to this section by informing the individual of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered in accordance with section 16 for the collection, processing, sale or retention of the individual’s personal information.

(k) A request to exercise the right to opt out pursuant to this section shall not need to be a verifiable request. If a controller, however, has a good-faith, reasonable and documented belief that the request is fraudulent, the controller may deny the request. The controller shall inform the requestor that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent.

(l) For each calendar year in which a controller is a large data holder, the controller shall prepare a report that details the number of requests that it has received to opt out pursuant to clauses (i), (ii) and (iii) of subsection (a); provided, however, that the controller shall specify the number of such requests that the controller has denied; and provided further, that the controller shall make its report publicly available on its internet website and submit the report to the attorney general not later than January 31 following each year in which a controller meets the definition of a large data holder under this chapter.
Section 9. Protections for Sensitive Information

(a) A controller shall not process an individual’s sensitive information for the purposes of the sale of such information or for targeted cross-contextual or first-party advertising unless the controller has obtained the consent of the individual or, in the case of a child, the child’s parent or guardian.

(b) A controller shall not otherwise process an individual’s sensitive information without first obtaining the consent of the individual or, in the case of a child, the child’s parent or guardian, except to the limited extent necessary to:

(i) perform the services or provide the goods reasonably expected by an average individual who requests those services or goods;

(ii) maintain or service accounts, provide customer service, process or fulfill orders and transactions, verify customer information, process payments, provide financing, provide analytic services, provide storage or provide other similar services;

(iii) verify, maintain, improve or upgrade the quality or safety of the service or device that is owned, manufactured, manufactured for or controlled by the controller; or

(iv) perform short-term, transient use including, but not limited to, advertising that is based solely on an individual’s personal information derived from the individual’s current intentional interaction with the controller; provided, however, that the sensitive information shall not be an individual’s precise geolocation information; and provided further, that the individual’s sensitive information shall not be: (A) disclosed to another third party; or (B) used to build a profile about the individual or otherwise alter the individual’s experience outside the current interaction with the controller; or

(v) otherwise process the information pursuant to an exemption stipulated in section 24.

(c) If a controller does not receive consent for the processing of an individual’s sensitive information, the controller shall wait for not less than 12 months before making a subsequent request for the individual or, in the case of a child, the child’s parent or guardian, to consent to such processing.
Section 10. Right to Access and Transport Personal Information

(a) For the purposes of this section, “specific pieces of information” shall not include any data generated to uphold security, confidentiality and integrity.

(b) An individual shall have the right to request that a controller that processes the individual’s personal information disclose to the individual the specific pieces of personal information that the controller has processed about the individual, including inferences linked or reasonably linkable to the individual.

(c) In response to a verifiable request pursuant to subsection (b), a controller shall provide to the individual the specific pieces of personal information that the controller has processed about the individual in a portable format that is easily understandable to the average individual and, to the extent technically feasible, in a readily usable format that allows the individual to transmit the information to another controller without hindrance.

(d) The disclosure of the required information pursuant to this section shall cover the 12-month period preceding the controller’s receipt of the verifiable request; provided, however, that an individual may request that the controller disclose the required information beyond the 12-month period, and the controller shall be required to provide such information unless doing so proves impossible or would constitute an undue burden for the controller; and provided further, that an individual’s ability to request information beyond the 12-month period shall be disclosed in a controller’s privacy notice pursuant to clause (i) of subsection (a) of section 7.

(e) Nothing in this section shall require a controller to provide the information requested in a manner that would disclose the controller’s trade secrets.
Section 11. Right to Delete Personal Information

(a) An individual shall have the right to request that a controller delete any personal information processed about the individual.

(b) A controller that receives a verifiable request to delete the individual’s personal information shall:

(i) delete the individual’s personal information from its records;

(ii) notify all processors to whom the controller has disclosed the individual’s personal information to delete the individual’s personal information from their records; and

(iii) notify all third parties to whom the controller has sold the individual’s personal information to delete the personal information from their records, unless doing so proves impossible or would constitute an undue burden for the controller.

(c) A controller may maintain a confidential record of deletion requests solely for:

(i) preventing the sale of the personal information of the individual who has submitted a deletion request;

(ii) ensuring that such individual’s personal information is deleted from the controller’s records; or

(iii) other purposes to the extent permissible pursuant to section 24 and subsection (i) of section 15.

(d) A controller or a processor acting pursuant to its contract with the controller shall not be required to comply with an individual’s request to delete the individual’s personal information if it is reasonably necessary for the controller or processor to maintain the individual’s personal information in order to:

(i) complete the transaction for which the personal information was collected, provide a good or service requested by the individual or reasonably anticipated by the individual within the context of the controller’s ongoing relationship with the individual or otherwise perform a contract between the controller and the individual;

(ii) enable solely internal uses that are: (A) reasonably aligned with the expectations of the individual based on the individual’s relationship with the controller; and (B) compatible with the context in which the individual provided the personal information;

(iii) maintain personal information that relates to a public figure and for which the individual making the deletion request has no reasonable expectation of privacy; or

(iv) comply with a legal obligation or otherwise process personal information pursuant to an exemption stipulated in section 24.

(e) The controller or processor shall retain personal information pursuant to subsection (d) solely for the applicable purposes under that subsection.
Section 12. Right to Correct Personal Information

(a) An individual shall have the right to request that a controller correct inaccurate personal information processed about the individual, taking into account the nature of the personal information and the purposes of the processing of such information.

(b) A controller that receives a verifiable request to correct inaccurate personal information shall correct the inaccurate personal information as directed by the individual.
Section 13. Right to Revoke Consent

(a) If a controller chooses to process an individual’s personal information on the basis of the individual’s consent pursuant to clause (i) of subsection (a) of section 6, the option for an individual to refuse consent shall be clear, at least as prominent as the option to accept and easy to use by a reasonable individual.

(b) In addition to an individual’s opt-out right pursuant to section 8, an individual shall have the right to revoke consent that the individual previously gave to a controller to process the individual’s personal information for any other purposes. The controller shall:

(i) provide a mechanism for individuals to revoke consent that is clear, conspicuous and easy to use by a reasonable individual; and

(ii) in response to an individual’s verifiable request to revoke the individual’s consent, cease to process the individual’s personal information as soon as reasonably possible.
Section 14. Exercising Privacy Rights

(a) An individual may exercise the rights set forth in sections 8 through 13, inclusive, by submitting a request, at any time, to a controller specifying which rights the individual wishes to exercise.

(b) With respect to the processing of personal information of a child, the child’s parent or legal guardian may exercise the rights set forth in sections 8 through 13, inclusive, on the child’s behalf.

(c) With respect to the processing of personal information concerning an individual subject to guardianship, conservatorship or other protective arrangement under article V or article 5A of chapter 190B, the individual’s guardian or conservator may exercise the rights set forth in sections 8 through 13, inclusive, on the individual’s behalf.
Section 15. Responding to Requests to Exercise Privacy Rights

(a) Except as otherwise provided in this chapter, a controller shall comply with an individual’s request to exercise the rights set forth in sections 10 through 13, inclusive.

(b) A controller shall inform the individual of any action taken on a request to exercise any of the rights set forth in sections 10 through 13, inclusive, without undue delay and in any event within 45 days of receipt of the request; provided, however, that the period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests; and provided further, that the controller shall notify the individual of any such extension within 45 days of receipt of the request, together with the reasons for the delay.

(c) A controller shall not be obligated to comply with a request to exercise the rights set forth in sections 10 through 13, inclusive, if the request is not a verifiable request. In such a case, the controller shall notify the individual that it is unable to act on the request until it receives additional information reasonably necessary to verify that the request is being made by the individual or by another person who is entitled to exercise such rights on behalf of the individual pursuant to section 14.

(d) A verifiable request to exercise the rights set forth in sections 10 through 13, inclusive, shall not extend to personal information about the individual that belongs to, or the controller maintains on behalf of, another natural person. A controller may rely on representations made in a verifiable request as to rights with respect to personal information and shall not be required to seek out other persons that may have or claim to have rights to personal information or to take any action under this chapter in the event of a dispute between or among persons claiming rights to personal information in the controller’s possession.

(e) When a controller, pursuant to section 23, is incapable of complying with an individual’s verifiable request, the controller shall, if possible, notify the individual that it is unable to identify the individual and cannot act on the request. The individual, or a person entitled to exercise the rights of this chapter on behalf of the individual pursuant to section 14, may provide additional information to the controller enabling the individual’s identification for the purposes of exercising the rights set forth in sections 10 through 13, inclusive.

(f) If a controller declines to take action regarding an individual’s request, the controller shall notify the individual of the justification for declining to take action and provide the individual with instructions on how to submit a complaint pursuant to subsection (i). Such notification shall occur without undue delay, but not later than 45 days after the initial receipt of the request or not later than 45 days after notifying the individual of the applicability of an extension pursuant to subsection (b).

(g) A controller shall not be obligated to provide the information required by section 10 to the same individual more than twice in a 12-month period. Information provided in response to a request shall be provided by the controller to the individual free of charge.

(h) If requests from an individual, or from a person entitled to exercise the rights of this chapter on behalf of such individual pursuant to section 14, are manifestly unfounded, excessive or repetitive, the controller may: (i) charge a reasonable fee to cover the administrative costs of complying with the request; or (ii) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive nature of the request.

(i) When informing an individual of any action taken or not taken in response to a request, the controller shall provide the individual with a link to the attorney general’s online mechanism through which the individual may contact the attorney general to submit a complaint. The controller shall maintain records of all rejected requests for not less than 24 months and shall compile and provide a copy of such records to the attorney general upon the attorney general’s request.
Section 16. Non-Discrimination Against Individuals’ Good Faith Exercise of Privacy Rights

(a) A controller shall not discriminate against an individual for exercising in good faith any of the rights set forth in this chapter including, but not limited to, by:

(i) denying goods or services to the individual;

(ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;

(iii) providing a different level of quality of goods or services to the individual;

(iv) suggesting that the individual will receive a different price or rate for goods or services or a different level of quality of goods or services; or

(v) retaliating against a job applicant to, an employee of or an agent or independent contractor of the controller for exercising their rights under this chapter.

(b) This section shall not prohibit a controller from offering a different price, rate, level, quality or selection of goods or services to an individual, including offering goods or services for no fee, if:

(i) the offering is in connection with an individual’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program; and

(ii) the difference is reasonably related to the value provided to the controller by the individual’s personal information.

(c) Nothing in this section shall be construed to:

(i) require a controller to provide a product or service that requires an individual’s personal information that the controller does not process; or

(ii) prohibit a controller from offering a financial incentive, including payments to individuals as compensation, for the processing of personal information; provided, however, that such payments shall be reasonably related to the value provided to the controller by the individual’s personal information.
Section 17. Disclosure of Methods for Exercising Privacy Rights

(a) A controller shall make available and describe in a privacy notice pursuant to section 7 not less than 2 designated methods for submitting a request to exercise the rights set forth in sections 8 through 13, inclusive. The designated methods shall be reasonably accessible to individuals and take into account the ways in which individuals interact with the controller, the need for secure and reliable communication of the request and the ability of the controller to determine whether the request is a verifiable request. If a controller maintains an internet website, the controller shall make its website available as 1 such designated method for submitting a request. A controller shall not require an individual to create a new account but may require an individual to use an existing account in order to exercise a right under this chapter.

(b) A controller that processes personal information for the purposes of selling such information or for targeted cross-contextual advertising shall provide a clear and conspicuous link on the controller’s internet homepages to an internet web page that enables an individual or an individual’s authorized agent to exercise their right to opt out of such processing.

(c) A controller that processes personal information for the purposes of targeted first-party advertising shall provide a clear and conspicuous link on the controller’s internet homepage to an internet web page that enables an individual, or an individual’s authorized agent, to exercise their right to opt out of such processing.

(d) In lieu of complying with both subsections (b) and (c), a controller that is subject to both subsections may utilize a single clearly labeled link on the controller’s internet homepages, if that link easily allows an individual or an individual’s authorized agent to exercise their right to opt out of the processing of the individual’s personal information for the purposes of the sale of such information and for targeted cross-contextual and first-party advertising.

(e) A controller shall:

(i) ensure that all persons responsible for handling individuals’ inquiries about the controller’s privacy practices or compliance with this chapter are informed of: (A) all requirements set forth under this chapter; and (B) how to direct individuals to exercise their rights set forth in sections 8 through 13, inclusive;

(ii) include a separate link to the applicable web pages required under subsections (b), (c) or (d) of this section in any privacy notice that the controller is required to provide to individuals pursuant to section 7;

(iii) process any personal information collected from the individual in connection with the submission of the individual’s request to exercise any of the rights set forth in sections 8 through 13, inclusive, solely for the purposes of complying with the request;

(iv) process any personal information collected in connection with the controller’s verification of the individual’s request solely for the purposes of verification and not further disclose the personal information, retain it longer than necessary for purposes of verification or use it for unrelated purposes;

(v) not require an individual to provide additional information beyond what is necessary to direct the controller, pursuant to section 8, to not process the individual’s personal information for the purposes of the sale of such information or for targeted cross-contextual or first-party advertising; and

(vi) not condition, effectively condition, attempt to condition or attempt to effectively condition the exercise of the rights set forth in sections 8 through 13, inclusive, through the use of dark patterns or any false, fictitious, fraudulent or materially misleading statement or representation.
Section 18. No Waiver

Any provision of a contract or agreement that purports to waive or limit in any way individual rights under this chapter shall be deemed contrary to public policy and shall be void and unenforceable.
Section 19. Relationship Among Controllers, Processors and Third Parties

(a) A processor shall not be required to comply with a request to exercise the rights set forth in sections 8 through 13, inclusive, that the processor receives directly from an individual, or from a person entitled to exercise such rights on behalf of the individual, to the extent that the processor has processed the individual’s personal information on behalf of the controller.

(b) A processor shall adhere to the instructions of the controller and assist the controller in meeting its obligations under this chapter. Taking into account the nature of the processing and with respect to the personal information available to the processor as a result of its relationship with the controller, a processor shall:

(i) take appropriate technical and organizational measures, insofar as is possible, to fulfill the controller’s obligation to respond to individuals’ requests to exercise their rights pursuant to sections 8 through 13, inclusive;

(ii) provide information to the controller necessary to enable the controller to conduct and document any risk assessment required by section 21; and

(iii) assist the controller in meeting the controller’s obligations in relation to the security of processing the personal information and in relation to the notification of a breach of security of the system of the processor pursuant to chapter 93H; provided, however, that the controller and the processor shall: (A) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk; and (B) establish a clear allocation of the responsibilities between the processor and controller to implement such measures.

(c) When working with the controller to respond to a verifiable request to delete an individual’s personal information, the processor shall notify any processors or third parties who may have accessed the personal information from or through the processor to delete the personal information unless the information was accessed at the direction of the controller or doing so proves impossible or would constitute an undue burden.

(d) Notwithstanding the instructions of the controller, a processor shall ensure that each person processing personal information is subject to a duty of confidentiality with respect to the information.

(e) If a processor engages another entity to assist the processor in processing personal information on behalf of the controller, the processor shall provide the controller with an opportunity to object and the engagement shall be pursuant to a written contract, in accordance with the provisions of subsection (f), that requires the entity to meet the obligations of the processor with respect to the personal information.

(f) A contract between a controller and a processor shall govern the processor’s procedures with respect to processing individuals’ personal information which the processor receives from or on behalf of the controller. The contract shall be binding on both parties and clearly set forth the processing instructions to which the processor is bound, including:

(i) the nature and purpose of the processing;

(ii) the type of personal information subject to the processing;

(iii) the duration of the processing;

(iv) the rights and obligations of both parties;

(v) the requirements imposed by subsections (d) and (e); and

(vi) the following requirements:

(A) at the controller’s direction, the processor shall delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;

(B) upon the reasonable request of the controller, the processor shall make available to the controller all information in its possession necessary to demonstrate compliance with the obligations under this chapter;

(C) the processor shall allow for, and cooperate with, reasonable audits and inspections by the controller or the controller’s designated auditor or arrange for, with the controller’s consent, a qualified and independent auditor to conduct, at least annually and at the processor’s expense, an audit of the processor’s policies and technical and organizational measures in support of the obligations under this chapter using an appropriate and accepted control standard or framework and audit procedure for such audits; provided, however, that the processor shall disclose a report of the audit to the controller upon request; and

(D) the processor shall be prohibited from selling the personal information, processing personal information other than for the purposes specified in the contract or as otherwise permitted by this chapter, processing personal information outside of the direct relationship between the processor and the controller or combining, for the purpose of targeted advertising, the personal information with personal information that the processor receives from, or on behalf of, another entity or that it collects from its own interaction with the individual.

(g) In no event shall any contract relieve a controller or a processor from the liabilities imposed on it by this chapter.

(h) A controller shall exercise reasonable due diligence in:

(i) selecting a processor; and

(ii) deciding whether to sell personal information to a third party.
Section 20. Data Broker Registration

(a) Not later than January 31 following each year in which a controller meets the definition of a data broker under this chapter, the controller shall register with the attorney general pursuant to the requirements of this section.

(b) When registering with the attorney general, a data broker shall pay a registration fee of $200 and provide the following information:

(i) the data broker’s name and primary physical, email and internet website addresses;

(ii) any privacy notice that the data broker discloses to individuals pursuant to section 7;

(iii) how individuals may request to exercise their rights under sections 8 through 13, inclusive;

(iv) whether the data broker implements a purchaser credentialing process;

(v) whether the data broker processes the personal information of minors or children;

(vi) whether it qualifies as a data broker pursuant to clause (i), (ii) or (iii) of the definition of a data broker under section 2;

(vii) whether the data broker is a large data holder; and

(viii) any additional information the data broker may wish to provide.
Section 21. Risk Assessments

(a) A controller shall establish, implement and maintain reasonable policies, practices and procedures to identify, assess and mitigate reasonably foreseeable privacy risks and cognizable harms related to their products and services, including the design, development and implementation of such products and services.

(b) A controller shall, prior to the processing, carry out and document a risk assessment of the impact of each of the following processing operations:

(i) processing personal information for the purposes of: (A) the sale of the personal information; (B) targeted cross-contextual advertising; or (C) targeted first-party advertising;

(ii) processing personal information for the purposes of profiling or otherwise systematically and extensively evaluating personal aspects relating to individuals; provided, however, that such processing presents a reasonably foreseeable risk of resulting in:

(A) discrimination on the basis of race, color, religion, national origin, sex or disability or other unfair or deceptive treatment of, or unlawful disparate impact on, individuals;

(B) financial, physical or reputational harm to individuals;

(C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of individuals, where such intrusion would be offensive to a reasonable person; or

(D) other substantial cognizable harms to individuals;

(iii) processing sensitive information; and

(iv) any other processing that is likely to result in a high risk of harm to individuals, taking into account the nature, scope, context and purposes of the processing and whether the processing involves new technologies.

(c) The assessment shall contain at a minimum:

(i) a systematic description of the envisioned processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller or third party;

(ii) a description and brief justification of the lawful basis, pursuant to section 6, that the controller is relying on to process the individual’s personal information;

(iii) an assessment of the necessity of the processing operations in relation to the purposes, taking into account whether the controller or third party can achieve their legitimate interests in another, less intrusive way;

(iv) an assessment of the proportionality of the processing operations in relation to the purposes, taking into account the amount and nature of the personal information to be processed;

(v) a description of: (A) the context of the processing; (B) the relationship between the controller and the individual whose personal information would be processed; and (C) whether the controller is processing an individual’s personal information in ways which the individual would reasonably expect;

(vi) an assessment of the risks of the processing operations to individuals; provided, however, that such assessment shall include, but not be limited to, whether the processing: (A) poses reasonably foreseeable risks to children or minors; (B) presents a reasonably foreseeable risk of disparate impact on the basis of individuals’ race, color, religion, national origin, sex or disability; or (C) would result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services or access to essential goods or services; and

(vii) the measures envisioned to mitigate such risks including, but not limited to, safeguards such as de-identification and security measures to ensure the protection of personal information in compliance with this chapter, taking into account individuals’ reasonable expectations of privacy or other legal rights.

(d) In any risk assessment required pursuant to this section, a large data holder shall also:

(i) specify whether the processing is based in whole or in part on an algorithmic computational process that:

(A) uses machine learning, natural language processing, artificial intelligence techniques or other techniques of similar or greater complexity;

(B) makes a decision or facilitates human decision-making with respect to personal information, including decisions that determine the provision of products or services or that rank, order, promote, recommend, amplify or similarly determine the delivery or display of information to an individual; or

(C) poses a reasonably foreseeable risk of substantial cognizable harm to individuals; and

(ii) include a description of:

(A) the design process and methodologies of any such algorithmic computational process pursuant to clause (i);

(B) the categories of data that would be processed as input or used to train the model that any such algorithmic computational process relies on; and

(C) the outputs that would be produced by any such algorithmic computational process.

(e) Subsections (a) through (d) shall not apply to processing:

(i) that a controller performs pursuant to clause (iii) of section 6; and

(ii) for which the controller has already carried out a risk assessment for the purpose of compliance with another applicable law that regulates the specific processing operation or set of operations in question; provided, however, that such assessment shall have reasonably comparable scope and effect to the assessment that would otherwise be conducted pursuant to this section.

(f) For the purpose of complying with this section, a controller may leverage its existing work product of risk assessments that the controller has conducted or is conducting for the purpose of complying with another applicable law.

(g) A single risk assessment may address a set of similar processing operations that present similar high risks.

(h) The controller shall carry out a review of the risk assessment if there is a change of the risk represented by the processing operations.

(i) A controller shall implement procedures to comply with this section that are reasonable and appropriate taking into consideration: (i) the size, scope and type of the controller; (ii) the amount of resources available to the controller; (iii) the amount and nature of personal information processed by the controller including, but not limited to, whether the personal information is sensitive information; and (iv) the need for upholding security, integrity and confidentiality with respect to the personal information processed by the controller.

(j) The attorney general may require, pursuant to a civil investigative demand, that a controller disclose any risk assessment that is relevant to an investigation conducted by the attorney general. The controller shall accordingly make the risk assessment available to the attorney general, who may evaluate the risk assessment for compliance with the responsibilities set forth in this chapter. Risk assessments shall be confidential and exempt from public inspection and copying under chapter 66. The disclosure of a risk assessment pursuant to a civil investigative demand from the attorney general shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.

(k) Risk assessments shall apply to processing activities created or generated after the effective date of this section and shall not be retroactive.
Section 22. Processing That Unlawfully Discriminates

(a) A controller shall not process personal information in a manner that discriminates in, or otherwise makes unavailable, the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex or disability or other protected characteristic.

(b) A controller that processes personal information in a manner that violates chapter 151B or any other state or federal law prohibiting unlawful discrimination against individuals shall also be in violation of this chapter.

(c) Nothing in this section shall be construed to limit controllers from processing personal information for the purpose of:

(i) legitimate testing to prevent unlawful discrimination or otherwise determine the extent or effectiveness of the controller’s compliance with this section; or

(ii) diversifying an applicant, participant or customer pool.

(d) This section shall not apply to any private club or group not open to the public, pursuant to section 201(e) of the Civil Rights Act of 1964, 42 U.S.C. 2000a(e), as amended from time to time.
Section 23. De-Identified Information

This chapter shall not be construed to require a controller or processor, solely for the purpose of complying with this chapter, to:

(i) maintain information in an identifiable, linkable or associable form or collect, obtain, retain or access any information or technology in order to be capable of linking or associating a verifiable request with personal information; or

(ii) reidentify or otherwise link de-identified information; provided, however, that the controller, pursuant to subsection (e) of section 15, shall provide applicable notice to the individual that it is unable to identify the individual.
Section 24. Limitations

(a) The obligations imposed on controllers or processors under this chapter shall not restrict a controller’s or a processor’s ability to:

(i) comply with federal, state or local laws, rules or regulations;

(ii) comply with a civil, criminal or regulatory inquiry, subpoena or summons by federal, state, local or other governmental authorities;

(iii) cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or local laws, rules or regulations;

(iv) investigate, establish, exercise, prepare for or defend legal claims;

(v) take immediate steps to protect the security or protection of an individual or another natural person if that individual or other natural person is at risk or danger of death or serious physical injury;

(vi) process the personal information of a child or minor solely to submit information relating to child victimization to law enforcement or to a nonprofit, national resource center or clearinghouse congressionally designated to provide assistance to victims, families, child-serving professionals or the general public on missing and exploited children issues; or

(vii) assist another controller, processor or third party with any of the obligations under this subsection.

(b) The obligations imposed on controllers or processors under sections 8 through 13, inclusive, shall not restrict a controller or processor’s ability to process personal information for the following purposes, provided that the use of the individual’s personal information is reasonably necessary and proportionate for such purposes:

(i) helping to uphold security, confidentiality and integrity;

(ii) debugging to identify and repair errors that impair existing intended functionality;

(iii) fulfilling the terms of a written warranty or product recall conducted in accordance with federal law;

(iv) engaging in public or peer-reviewed scientific, historical or statistical research in the public interest that conforms or adheres to all other applicable ethics and privacy laws; provided, however, that such research is approved, monitored and governed by an institutional review board, human subjects research ethics review board or a similar independent oversight entity that determines whether:

(A) the research is likely to provide substantial benefits that do not exclusively accrue to the controller;

(B) the expected benefits of the research outweigh the privacy risks; and

(C) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

(c) Obligations imposed on controllers or processors under this chapter shall not:

(i) apply to the processing of personal information by a natural person in the course of a purely personal or household activity;

(ii) apply where compliance by the controller or processor would violate an evidentiary privilege under the laws of the commonwealth or be construed to prevent a controller or processor from providing personal information concerning an individual to a person covered by an evidentiary privilege under the laws of the commonwealth as part of a privileged communication;

(iii) adversely affect the right of an individual or any other person to exercise free speech, pursuant to the First Amendment to the United States Constitution, or to exercise another right provided for by law; or

(iv) apply to an entity’s publication of entity-based member or employee contact information where such publication is intended to allow members of the public to contact such member or employee in the ordinary course of the entity’s operations.

(d) Personal information that is processed by a controller pursuant to an exemption under subsections (a) through (c) shall:

(i) not be processed for any purpose other than those expressly listed in subsections (a) through (c), inclusive, unless otherwise allowed by this chapter; and

(ii) notwithstanding anything in this section to the contrary, be processed: (A) in accordance with section 5; and (B) subject to reasonable administrative, technical and physical measures to reduce reasonably foreseeable risks of harm to individuals.

(e) If a controller processes personal information pursuant to an exemption in subsections (a) through (c), inclusive, the controller shall demonstrate that such processing qualifies for such exemption and complies with the requirements of subsection (d).

(f) A controller or processor that discloses personal information to a processor or third party in compliance with the requirements of this chapter shall not be in violation of this chapter if the recipient processes such personal information in violation of this chapter; provided, however, that, at the time of disclosing the personal information, the disclosing controller or processor did not know or should not reasonably have known that the recipient intended to commit a violation.

(g) A processor or third party receiving personal information from a controller or processor in compliance with the requirements of this chapter shall not be in violation of this chapter if the controller or processor from which it receives the personal information fails to comply with applicable obligations under this chapter; provided, however, that the processor or third party shall be liable for its own violations of this chapter.

(h) If an individual has already consented to a controller’s use, disclosure or sale of their personal information to produce a physical item, such as a school yearbook, sections 8 through 13, inclusive, shall not apply to the controller’s use, disclosure or sale of the particular pieces of the individual’s personal information for the production of that physical item; provided, however, that:

(i) the controller has incurred significant expense in reliance on the individual’s consent;

(ii) compliance with the individual’s request to exercise the rights set forth in sections 8 through 13, inclusive, would not be commercially reasonable; and

(iii) the controller complies with the individual’s request as soon as it is commercially reasonable to do so, if applicable.
1155 | 1155 | | 1123 Section 25. Powers of the Attorney General |
---|
1156 | 1156 | | 1124 (a) Whenever the attorney general has reasonable cause to believe that an entity has |
---|
1157 | 1157 | | 1125engaged in, is engaging in or will imminently engage in a violation of this chapter, the attorney |
---|
1158 | 1158 | | 1126general may issue a civil investigative demand. The provisions of section 6 of chapter 93A shall |
---|
1159 | 1159 | | 1127apply mutatis mutandis to civil investigative demands issued under this chapter. |
---|
1160 | 1160 | | 1128 (b) The attorney general shall have the authority to enforce the provisions of this chapter. |
---|
1161 | 1161 | | 1129A violation of this chapter, except as otherwise specified in section 26, shall not serve as the |
---|
1162 | 1162 | | 1130basis for or be subject to a private right of action under this chapter. Nothing in this chapter, 57 of 71 |
---|
1163 | 1163 | | 1131except as otherwise specified in section 26, shall be construed as creating a new private right of |
---|
1164 | 1164 | | 1132action or serving as the basis for a private right of action that would not otherwise have had a |
---|
1165 | 1165 | | 1133basis under any other law but for the enactment of this chapter. This chapter neither relieves any |
---|
1166 | 1166 | | 1134party from any duties or obligations imposed, nor alters any independent rights that individuals |
---|
1167 | 1167 | | 1135have, under chapter 93A, other state or federal laws, the Massachusetts Constitution or the |
---|
1168 | 1168 | | 1136United States Constitution. |
---|
1169 | 1169 | | 1137 (c) Prior to initiating any civil action under this chapter, the attorney general shall provide |
---|
1170 | 1170 | | 1138an entity written notice identifying the specific provisions of this chapter that the attorney |
---|
1171 | 1171 | | 1139general alleges have been or are being violated. |
---|
1172 | 1172 | | 1140 (d)(1) The entity shall have a period of 30 days in which to cure a violation after being |
---|
1173 | 1173 | | 1141provided notice by the attorney general. If within that time period the entity cures the noticed |
---|
1174 | 1174 | | 1142violation and provides the attorney general an express written statement that the alleged |
---|
1175 | 1175 | | 1143violations have been cured and that no such further violations shall occur, the attorney general |
---|
1176 | 1176 | | 1144shall initiate no action against the entity. |
---|
1177 | 1177 | | 1145 (2) The cure period stipulated in paragraph (1) shall not apply when: |
---|
1178 | 1178 | | 1146 (i) the court has previously issued a temporary restraining order, preliminary injunction |
---|
1179 | 1179 | | 1147or permanent injunction or assessed civil penalties against the entity for a violation of: (A) this |
---|
1180 | 1180 | | 1148chapter; or (B) chapter 93A, provided that such violation occurred after the effective date of this |
---|
1181 | 1181 | | 1149section; |
---|
1182 | 1182 | | 1150 (ii) the attorney general and the entity have previously reached a settlement that includes |
---|
1183 | 1183 | | 1151an admission by the entity that it has violated: (A) this chapter, not including any express written 58 of 71 |
---|
1184 | 1184 | | 1152statement provided pursuant to paragraph (1); or (B) chapter 93A, provided that such admission |
---|
1185 | 1185 | | 1153occurs after the effective date of this section; |
---|
1186 | 1186 | | 1154 (iii) the attorney general has clear and convincing evidence that the entity willfully and |
---|
1187 | 1187 | | 1155wantonly violated this chapter; |
---|
1188 | 1188 | | 1156 (iv) the violation is a data broker’s failure to register pursuant to section 20; or |
---|
1189 | 1189 | | 1157 (v) the violation occurs more than 12 months after the effective date of this section and |
---|
1190 | 1190 | | 1158the violating entity is: (A) a large data holder; or (B) a data broker pursuant to clause (i) of the |
---|
1191 | 1191 | | 1159definition of a data broker under section 2. |
---|
1192 | 1192 | | 1160 (3) In its notice pursuant to subsection (c), the attorney general shall specify the length, if |
---|
1193 | 1193 | | 1161any, of the period in which the entity may cure the noticed violation. |
---|
1194 | 1194 | | 1162 (e)(1) The attorney general may initiate a civil action against an entity in the name of the |
---|
1195 | 1195 | | 1163commonwealth or as parens patriae on behalf of individuals if the entity: |
---|
1196 | 1196 | | 1164 (i) fails to cure a violation within 30 days after receipt of the attorney general’s notice of |
---|
1197 | 1197 | | 1165the violation; |
---|
1198 | 1198 | | 1166 (ii) breaches an express written statement provided to the attorney general pursuant to |
---|
1199 | 1199 | | 1167subsection (d); or |
---|
1200 | 1200 | | 1168 (iii) is not eligible for a cure period pursuant to subsection (d). |
---|
1201 | 1201 | | 1169 (2) The attorney general may seek: |
---|
1202 | 1202 | | 1170 (i) civil penalties of up to $7,500 for each violation under this chapter; or 59 of 71 |
---|
1203 | 1203 | | 1171 (ii) a temporary restraining order, preliminary injunction or permanent injunction to |
---|
1204 | 1204 | | 1172restrain any violations of this chapter. |
---|
1205 | 1205 | | 1173 (f) A data broker that fails to register as required by section 20 shall be subject to |
---|
1206 | 1206 | | 1174injunction and may be liable for civil penalties, fees and costs in a civil action brought on behalf |
---|
1207 | 1207 | | 1175of the commonwealth by the attorney general as follows: |
---|
1208 | 1208 | | 1176 (i) a civil penalty of up to $500 for each day, not to exceed a total of $100,000 for each |
---|
1209 | 1209 | | 1177year, that the data broker fails to register as required by section 20; and |
---|
1210 | 1210 | | 1178 (2) fees equal to the fees that would have been due during the period the data broker |
---|
1211 | 1211 | | 1179failed to register. |
---|
1212 | 1212 | | 1180 (g) The superior court shall have jurisdiction over actions brought under this section. |
---|
1213 | 1213 | | 1181Such actions may be brought in any county where a defendant resides or has its principal place |
---|
1214 | 1214 | | 1182of business or in which the violation occurred in whole or in part, or, with the consent of a |
---|
1215 | 1215 | | 1183defendant, in the superior court for Suffolk County. |
---|
1216 | 1216 | | 1184 (h) In determining the overall amount of civil penalties to seek or assess against an entity, |
---|
1217 | 1217 | | 1185the attorney general or the court shall include, but not be limited to, the following in its |
---|
1218 | 1218 | | 1186consideration: |
---|
1219 | 1219 | | 1187 (i) the size, scope and type of the entity; |
---|
1220 | 1220 | | 1188 (ii) the amount of resources available to the entity; |
---|
1221 | 1221 | | 1189 (iii) the amount and nature of personal information processed by the entity; |
---|
1222 | 1222 | | 1190 (iv) the number of violations; 60 of 71 |
---|
1223 | 1223 | | 1191 (v) the number of violations affecting children or minors; |
---|
1224 | 1224 | | 1192 (vi) the nature and severity of the violation; |
---|
1225 | 1225 | | 1193 (vii) the risks caused by the violation; |
---|
1226 | 1226 | | 1194 (viii) whether the entity’s violation was an isolated instance or part of a pattern of |
---|
1227 | 1227 | | 1195violations and noncompliance with this chapter; |
---|
1228 | 1228 | | 1196 (ix) whether the entity is a data broker that did not register pursuant to section 20; |
---|
1229 | 1229 | | 1197 (x) whether the violation was willful and not the result of error; |
---|
1230 | 1230 | | 1198 (xi) the length of time over which the violation occurred; |
---|
1231 | 1231 | | 1199 (xii) the precautions taken by the entity to prevent a violation; |
---|
1232 | 1232 | | 1200 (xiii) the good faith cooperation of the entity with any investigations conducted by the |
---|
1233 | 1233 | | 1201attorney general pursuant to this section; |
---|
1234 | 1234 | | 1202 (xiv) efforts undertaken by the entity to cure the violation; and |
---|
1235 | 1235 | | 1203 (xv) the entity’s past violations of information privacy rules, regulations, codes, |
---|
1236 | 1236 | | 1204ordinances or laws in other jurisdictions. |
---|
1237 | 1237 | | 1205 (i) Any entity that violates the terms of an injunction or other order issued under this |
---|
1238 | 1238 | | 1206section shall forfeit and pay a civil penalty of not more than $10,000 for each violation. For the |
---|
1239 | 1239 | | 1207purposes of this section, the court issuing such an injunction or order shall retain jurisdiction, and |
---|
1240 | 1240 | | 1208the cause shall be continued, and in such case the attorney general acting in the name of the |
---|
1241 | 1241 | | 1209commonwealth may petition for recovery of such civil penalty. 61 of 71 |
---|
1242 | 1242 | | 1210 (j) The attorney general may recover reasonable expenses, including attorney fees, |
---|
1243 | 1243 | | 1211incurred in investigating and preparing the case in any action initiated under this chapter. |
---|
1244 | 1244 | | 1212 (k) If 2 or more entities are involved in the same processing that violates this chapter, the |
---|
1245 | 1245 | | 1213liability shall be allocated among the parties according to principles of comparative fault. |
---|
1246 | 1246 | | 1214 (l) Notwithstanding any general or special law to the contrary, the court may require that |
---|
1247 | 1247 | | 1215the amount of a civil penalty imposed pursuant to this section exceeds the economic benefit |
---|
1248 | 1248 | | 1216realized by an entity for noncompliance. |
---|
1249 | 1249 | | 1217 (m) If a series of steps or transactions were component parts of a single transaction |
---|
1250 | 1250 | | 1218intended to avoid the reach of this chapter, the attorney general and the court shall disregard the |
---|
1251 | 1251 | | 1219intermediate steps or transactions and consider all to be 1 transaction for purposes of effectuating |
---|
1252 | 1252 | | 1220the purposes of this chapter. |
---|
1253 | 1253 | | 1221 (n) Not later than 30 days after the end of each calendar year, the attorney general shall |
---|
1254 | 1254 | | 1222publish a public, easily accessible report that provides, for that calendar year, the following |
---|
1255 | 1255 | | 1223information: |
---|
1256 | 1256 | | 1224 (i) the number of written notices issued pursuant to subsection (c) and the number of |
---|
1257 | 1257 | | 1225entities that received such notices; |
---|
1258 | 1258 | | 1226 (ii) examples of alleged violations that have been cured by an entity pursuant to |
---|
1259 | 1259 | | 1227subsection (d); and |
---|
1260 | 1260 | | 1228 (iii) categories of violations of this chapter and the number of violations per category. 62 of 71 |
---|
1261 | 1261 | | 1229 (o) The attorney general shall receive and may investigate sworn complaints from an |
---|
1262 | 1262 | | 1230individual or other natural person that an entity has engaged in, is engaging in or will imminently |
---|
1263 | 1263 | | 1231engage in any violation of this chapter. |
---|
(p) The attorney general shall maintain the following internet web pages:
(i) a web page that includes an online mechanism through which any individual or other natural person may contact the attorney general to submit a sworn complaint;
(ii) a web page that enables data brokers to register pursuant to section 20; and
(iii) a web page that:
(A) makes publicly accessible the information provided by each data broker pursuant to section 20; provided, however, that the information shall be disaggregated by data broker; and
(B) includes a link and mechanism, if feasible, by which an individual may, pursuant to section 8, opt out of the processing of the individual’s personal information by all registered data brokers for the purposes of the sale of such information or for targeted cross-contextual advertising or, pursuant to section 11, request that all registered data brokers delete any personal information processed about the individual.

(q) The attorney general shall promote public awareness and understanding of the risks, rules, responsibilities, safeguards and rights in relation to the processing of personal information including, but not limited to, the rights of children and minors with respect to their own information. The attorney general shall provide guidance to individuals regarding available recourse if they believe their rights under this chapter have been violated.

(r) The attorney general shall create and make publicly accessible the following templates:
(i) a template privacy policy that is in compliance with section 7;
(ii) a template contract between a controller and a processor that is in compliance with section 19; and
(iii) a template risk assessment that is in compliance with section 21.

(s) The attorney general shall seek to collaborate with entities responsible for enforcing personal information privacy laws in other jurisdictions. The attorney general shall have the power to determine, pursuant to section 28, whether the provisions of a personal information privacy law in another jurisdiction are equally or more protective of personal information than the provisions of this chapter.

(t) The attorney general shall establish a mechanism pursuant to which an entity that processes the personal information of 1 or more individuals but does not meet the applicability criteria set forth in subsection (b) of section 3 may voluntarily certify that it is fully in compliance with, and agrees to be bound by, this chapter. The attorney general shall make a list of those entities available to the public.

(u) The attorney general shall adopt regulations for the purposes of carrying out this chapter, including, but not limited to:
(i) supplementing any of the definitions used in this chapter or adding in new definitions for terms that are used but not otherwise defined in this chapter, in order to address changes in technology, data collection, obstacles to implementation or privacy concerns;
(ii) ensuring that the notices and information that controllers are required to provide pursuant to section 7 are:
(A) provided in a manner that may be easily understood by the average individual;
(B) accessible to individuals with disabilities; and
(C) available in the language primarily used to interact with the individual;
(iii) detailing the requirements and technical specifications for a platform, technology or mechanism that sends an opt-out preference signal indicating an individual’s intent to opt out of the processing of such individual’s personal information for 1 or more of the purposes specified in subsection (a) of section 8; provided, however, that such requirements or technical specifications shall be updated from time to time to reflect the means by which individuals interact with controllers; and provided further, that any such platform, technology or mechanism shall:
(A) not unfairly disadvantage another controller;
(B) clearly represent the individual’s affirmative, freely-given and unambiguous intent to opt out pursuant to subsection (a) of section 8 and be free of default settings constraining or presupposing that intent;
(C) be consumer-friendly, clearly described and easy to use by the average individual;
(D) be as consistent as possible with any other similar platform, technology or mechanism required by any federal or state law or regulation; and
(E) enable the controller to accurately determine if the mechanism represents a legitimate opt-out request pursuant to section 8; and
(iv) supplementing or revising the list of industry recognized cybersecurity frameworks specified in clauses (i) and (ii) of subsection (d) of section 26, in order to address changes in technology, data collection, obstacles to implementation, best practices with respect to cybersecurity controls or privacy concerns.

(v) The attorney general shall conduct research and monitor relevant developments relating to the protection of personal information, the development of information and communication technologies and commercial practices and the enactment and implementation of privacy laws by the federal government or other states, territories or countries. Specific topics for research shall include, but are not limited to:
(i) the available best methods for: (A) individuals to exercise the rights set forth in sections 8 through 13, inclusive; and (B) entities to conspicuously and clearly disclose how to exercise such rights;
(ii) automated decision-making technologies;
(iii) eye-tracking technology and targeted advertising based on information collected through eye-tracking technology;
(iv) financial incentive programs offered by controllers for the processing of personal information;
(v) the data broker industry, including data brokers that have registered pursuant to section 20;
(vi) the effectiveness of allowing an individual to designate an authorized agent to exercise a right on their behalf pursuant to section 8; and
(vii) whether to change or eliminate the cure period established in subsection (d) of section 25.

(w) Every 12 months, the attorney general shall provide a full written report to the joint committee on advanced information technology, the internet and cybersecurity. The report shall summarize the attorney general’s work pursuant to this section and detail the attorney general’s research and any recommendations with respect to privacy-related legislation. The first such report shall be submitted 12 months after the effective date of this subsection.

(x) Monetary amounts referred to in this chapter shall be indexed biennially for inflation by the attorney general, who, not later than December 31 of each even numbered year, shall calculate and publish such indexed amounts, using the federal consumer price index for the Boston statistical area and rounding to the nearest dollar.

Section 26. Private Right of Action and Safe Harbor

(a) For the purposes of this section, except for the purposes of determining whether this section applies to a given controller, the terms “breach of security” and “personal information” shall have the same meanings as such terms are defined in section 1 of chapter 93H.

(b) Any individual whose personal information is subject to a breach of security as a result of a controller’s failure to implement and maintain reasonable cybersecurity controls may institute a civil action for any of the following:
(i) damages from the controller in an amount up to $500 per individual per incident or actual damages, whichever is greater;
(ii) injunctive or declaratory relief; or
(iii) any other relief the court deems proper.

(c) In determining the amount of statutory damages against the controller, the court shall consider any 1 or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the criteria stipulated in clauses (i) through (xv), inclusive, of subsection (h) of section 25.

(d) In any cause of action founded in tort that is brought pursuant to this section and that alleges that the controller’s failure to implement reasonable cybersecurity controls resulted in a breach of security concerning personal information, the court shall not assess punitive damages against a controller if such controller created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal information and that conforms to an industry recognized cybersecurity framework; provided, however, that the controller designed and implemented its cybersecurity program in accordance with the regulations adopted pursuant to chapter 93H; and provided further, that:
(i) such cybersecurity program conforms to the current version of or any combination of the current versions of:
(A) the “Framework for Improving Critical Infrastructure Cybersecurity” published by the National Institute of Standards and Technology;
(B) the National Institute of Standards and Technology’s special publication 800-171;
(C) the National Institute of Standards and Technology’s special publications 800-53 and 800-53a;
(D) the Federal Risk and Authorization Management Program’s “FedRAMP Security Assessment Framework”;
(E) the Center for Internet Security’s “Center for Internet Security Critical Security Controls for Effective Cyber Defense”; or
(F) the “ISO/IEC 27000-series” information security standards published by the International Organization for Standardization and the International Electrotechnical Commission; or
(ii) such program complies with the current version of the “Payment Card Industry Data Security Standard” and the current version of another applicable industry recognized cybersecurity framework described in clause (i).

(e) When a revision to a document listed in clause (i) or (ii) of subsection (d) is published, a controller whose cybersecurity program conforms to a prior version of that document shall be said to conform to the current version of that document if the controller conforms to such revision not later than 6 months after the publication date of the revision.

(f) The scale and scope of a controller’s cybersecurity program shall be based on:
(i) the size, scope and type of the controller;
(ii) the amount of resources available to the controller;
(iii) the amount and nature of personal information processed by the controller; and
(iv) the need for upholding security, integrity and confidentiality with respect to the personal information processed by the controller.

(g) Subsection (d) shall not apply if the controller’s failure to implement reasonable cybersecurity controls was the result of gross negligence or willful or wanton conduct.

(h) Nothing in this section shall limit the authority of the attorney general to initiate actions pursuant to:
(i) section 25 of this chapter;
(ii) chapter 93A or 93H; or
(iii) any other general law.

(i) The cause of action established by this section shall apply only to violations as defined in this section.

Section 27. Massachusetts Privacy Fund

(a) There shall be established upon the books of the commonwealth a separate fund to be known as the Massachusetts Privacy Fund.

(b) All civil penalties, expenses, attorney fees and registration fees collected pursuant to sections 20 and 25 shall be paid into the state treasury and credited to the Massachusetts Privacy Fund. Interest earned on moneys in the fund shall remain in the fund and be credited to it. Any moneys remaining in the fund, including interest thereon, at the end of each fiscal year shall remain in the fund and not revert to the General Fund.

(c) The attorney general shall have discretion to allocate the proceeds of any settlement of a civil action pursuant to this chapter to:
(i) the Massachusetts Privacy Fund;
(ii) the General Fund; or
(iii) where possible, directly to individuals impacted by the violation of the chapter.

(d) Moneys in the Massachusetts Privacy Fund shall be used to support the work of the attorney general pursuant to section 25. Moneys in the fund shall be subject to appropriation and shall not be used to supplant General Fund appropriations to the attorney general.

Section 28. Reciprocity and Interoperability

(a) A controller or processor shall be in compliance with provisions of this chapter if:
(i) the controller or processor complies with comparable provisions of a personal information privacy law in another jurisdiction;
(ii) the controller or processor applies the provisions of that law to its processing activities concerning individuals; and
(iii) the attorney general determines that the provisions of that law in the other jurisdiction are equally or more protective of personal information than the provisions of this chapter.

(b) The attorney general may charge a fee to a controller or processor that asserts compliance with a comparable law under subsection (a); provided, however, that the fee shall reflect costs reasonably expected to be incurred by the attorney general to determine whether the provisions of such law are equally or more protective than the provisions of this chapter.

Section 29. Implementation for Nonprofits and Institutions of Higher Education

This chapter shall apply to nonprofit organizations and institutions of higher education.

SECTION 2. Except as otherwise provided herein, chapter 93M of the General Laws, as inserted by section 1, shall take effect 18 months after the passage of this act; provided, however, that:
(i) section 2 and subsections (p) through (w), inclusive, of section 25 of said chapter 93M shall take effect upon enactment; and
(ii) section 30 of said chapter 93M shall take effect 30 months after enactment.