| 1 | 1 | | 1 of 1 |
|---|
| 2 | 2 | | SENATE DOCKET, NO. 2520 FILED ON: 1/17/2025 |
|---|
| 3 | 3 | | SENATE . . . . . . . . . . . . . . No. 33 |
|---|
| 4 | 4 | | The Commonwealth of Massachusetts |
|---|
| 5 | 5 | | _________________ |
|---|
| 6 | 6 | | PRESENTED BY: |
|---|
| 7 | 7 | | William J. Driscoll, Jr. |
|---|
| 8 | 8 | | _________________ |
|---|
| 9 | 9 | | To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General |
|---|
| 10 | 10 | | Court assembled: |
|---|
| 11 | 11 | | The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill: |
|---|
| 12 | 12 | | An Act establishing the Comprehensive Massachusetts Consumer Data Privacy Act. |
|---|
| 13 | 13 | | _______________ |
|---|
| 14 | 14 | | PETITION OF: |
|---|
| 15 | 15 | | NAME:DISTRICT/ADDRESS :William J. Driscoll, Jr.Norfolk, Plymouth and Bristol 1 of 31 |
|---|
| 16 | 16 | | SENATE DOCKET, NO. 2520 FILED ON: 1/17/2025 |
|---|
| 17 | 17 | | SENATE . . . . . . . . . . . . . . No. 33 |
|---|
| 18 | 18 | | By Mr. Driscoll, a petition (accompanied by bill, Senate, No. 33) of William J. Driscoll, Jr. for |
|---|
| 19 | 19 | | legislation to establish the comprehensive Massachusetts consumer data privacy act. Advanced |
|---|
| 20 | 20 | | Information Technology, the Internet and Cybersecurity. |
|---|
| 21 | 21 | | The Commonwealth of Massachusetts |
|---|
| 22 | 22 | | _______________ |
|---|
| 23 | 23 | | In the One Hundred and Ninety-Fourth General Court |
|---|
| 24 | 24 | | (2025-2026) |
|---|
| 25 | 25 | | _______________ |
|---|
| 26 | 26 | | An Act establishing the Comprehensive Massachusetts Consumer Data Privacy Act. |
|---|
| 27 | 27 | | Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority |
|---|
| 28 | 28 | | of the same, as follows: |
|---|
| 29 | 29 | | 1 SECTION 1. The General Laws, as appearing in the 2022 Official Edition, are hereby |
|---|
| 30 | 30 | | 2amended by inserting after chapter 93L the following chapter:- |
|---|
| 31 | 31 | | 3 CHAPTER 93M. |
|---|
| 32 | 32 | | 4 Massachusetts Consumer Privacy Act |
|---|
| 33 | 33 | | 5 Section 1. As used in this chapter, unless the context otherwise indicates, the following |
|---|
| 34 | 34 | | 6terms have the following meanings. |
|---|
| 35 | 35 | | 7 “Adult”, any individual who is at least eighteen years of age. |
|---|
| 36 | 36 | | 8 "Affiliate", a legal entity that shares common branding with another legal entity or |
|---|
| 37 | 37 | | 9controls, is controlled by or is under common control with another legal entity. For the purposes |
|---|
| 38 | 38 | | 10of this subdivision, "control" or "controlled" means (A) ownership of, or the power to vote, more |
|---|
| 39 | 39 | | 11than fifty per cent of the outstanding shares of any class of voting security of a company, (B) 2 of 31 |
|---|
| 40 | 40 | | 12control in any manner over the election of a majority of the directors or of individuals exercising |
|---|
| 41 | 41 | | 13similar functions, or (C) the power to exercise controlling influence over the management of a |
|---|
| 42 | 42 | | 14company. |
|---|
| 43 | 43 | | 15 "Authenticate", to use reasonable means to determine that a request to exercise any of the |
|---|
| 44 | 44 | | 16rights afforded pursuant to this act is being made by, or on behalf of, the consumer who is |
|---|
| 45 | 45 | | 17entitled to exercise such consumer rights with respect to the personal data at issue. |
|---|
| 46 | 46 | | 18 "Biometric data", data generated by automatic measurements of an individual's biological |
|---|
| 47 | 47 | | 19characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological |
|---|
| 48 | 48 | | 20patterns or characteristics that are used to identify a specific individual. "Biometric data" does |
|---|
| 49 | 49 | | 21not include (A) a digital or physical photograph, (B) an audio or video recording, or (C) any data |
|---|
| 50 | 50 | | 22generated from a digital or physical photograph, or an audio or video recording, unless such data |
|---|
| 51 | 51 | | 23is generated to identify a specific individual. |
|---|
| 52 | 52 | | 24 "Business associate" shall have the same meaning as provided in the Health Insurance |
|---|
| 53 | 53 | | 25Portability and Accountability Act of 1996, 42 USC 1320d. |
|---|
| 54 | 54 | | 26 "Child" shall have the same meaning as provided in the federal Children’s Online Privacy |
|---|
| 55 | 55 | | 27Act, 15 U.S.C. 6501. |
|---|
| 56 | 56 | | 28 "Consent", a clear affirmative act signifying a consumer's freely given, specific, informed |
|---|
| 57 | 57 | | 29and unambiguous agreement to allow the processing of personal data relating to the consumer. |
|---|
| 58 | 58 | | 30"Consent" may include a written statement, including by electronic means, or any other |
|---|
| 59 | 59 | | 31unambiguous affirmative action. "Consent" does not include (A) acceptance of a general or |
|---|
| 60 | 60 | | 32broad terms of use or similar document that contains descriptions of personal data processing 3 of 31 |
|---|
| 61 | 61 | | 33along with other, unrelated information, (B) hovering over, muting, pausing or closing a given |
|---|
| 62 | 62 | | 34piece of content, or (C) agreement obtained through the use of dark patterns. |
|---|
| 63 | 63 | | 35 "Consumer", an individual who is a resident of this state. "Consumer" does not include an |
|---|
| 64 | 64 | | 36individual acting in a commercial or employment context or as an employee, owner, director, |
|---|
| 65 | 65 | | 37officer or contractor of a company, partnership, sole proprietorship, nonprofit or government |
|---|
| 66 | 66 | | 38agency whose communications or transactions with the controller occur solely within the context |
|---|
| 67 | 67 | | 39of that individual's role with the company, partnership, sole proprietorship, nonprofit or |
|---|
| 68 | 68 | | 40government agency. |
|---|
| 69 | 69 | | 41 “Consumer Health Data”, means any personal data that a controller uses to identify a |
|---|
| 70 | 70 | | 42consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, |
|---|
| 71 | 71 | | 43gender-affirming health data and reproductive or sexual health data. |
|---|
| 72 | 72 | | 44 "Controller", an individual who, or legal entity that, alone or jointly with others |
|---|
| 73 | 73 | | 45determines the purpose and means of processing personal data. |
|---|
| 74 | 74 | | 46 "COPPA", the Children's Online Privacy Protection Act of 1998, 15 USC 6501 et seq., |
|---|
| 75 | 75 | | 47and the regulations, rules, guidance and exemptions adopted pursuant to said act, as said act and |
|---|
| 76 | 76 | | 48such regulations, rules, guidance and exemptions may be amended from time to time. |
|---|
| 77 | 77 | | 49 "Covered entity", shall have the same meaning as provided in the Health Insurance |
|---|
| 78 | 78 | | 50Portability and Accountability Act of 1996, 42 USC 1320d. |
|---|
| 79 | 79 | | 51 "Dark pattern", (A) a user interface designed or manipulated with the effect of |
|---|
| 80 | 80 | | 52substantially subverting or impairing user autonomy, decision-making or choice, and (B) 4 of 31 |
|---|
| 81 | 81 | | 53includes, but is not limited to, any practice the Federal Trade Commission refers to as a "dark |
|---|
| 82 | 82 | | 54pattern". |
|---|
| 83 | 83 | | 55 "Decisions that produce legal or similarly significant effects concerning the consumer", |
|---|
| 84 | 84 | | 56decisions made by the controller that result in the provision or denial by the controller of |
|---|
| 85 | 85 | | 57financial or lending services, housing, insurance, education enrollment or opportunity, criminal |
|---|
| 86 | 86 | | 58justice, employment opportunities, health care services or access to basic necessities such as food |
|---|
| 87 | 87 | | 59and water. |
|---|
| 88 | 88 | | 60 "De-identified data", data that cannot reasonably be used to infer information about, or |
|---|
| 89 | 89 | | 61otherwise be linked to, an identified or identifiable individual, or a device linked to such |
|---|
| 90 | 90 | | 62individual, if the controller that possesses such data (A) takes reasonable measures to ensure that |
|---|
| 91 | 91 | | 63such data cannot be associated with an individual, (B) publicly commits to process such data |
|---|
| 92 | 92 | | 64only in a de-identified fashion and not attempt to re-identify such data, and (C) contractually |
|---|
| 93 | 93 | | 65obligates any recipients of such data to satisfy the criteria set forth in subparagraphs (A) and (B) |
|---|
| 94 | 94 | | 66of this subdivision. |
|---|
| 95 | 95 | | 67 “Gender-affirming health care services” shall have the same meaning as provided in |
|---|
| 96 | 96 | | 68section 1 of chapter 9A of the General Laws as amended by chapter 127 of the Acts of 2022. |
|---|
| 97 | 97 | | 69 “Gender-affirming health data”, any personal data concerning an effort made by a |
|---|
| 98 | 98 | | 70consumer to seek, or a consumer’s receipt of, gender-affirming health care services. |
|---|
| 99 | 99 | | 71 “Geofence”, any technology that uses global positioning coordinates, cell tower |
|---|
| 100 | 100 | | 72connectivity, cellular data, radio frequency identification, wireless fidelity technology data or |
|---|
| 101 | 101 | | 73any other form of location detection, or any combination of such coordinates, connectivity, data, |
|---|
| 102 | 102 | | 74identification or other form of location detection, to establish a virtual boundary. 5 of 31 |
|---|
| 103 | 103 | | 75 “Heightened risk of harm to minors”, processing minors' personal data in a manner that |
|---|
| 104 | 104 | | 76presents any reasonably foreseeable risk of (A) any unfair or deceptive treatment of, or any |
|---|
| 105 | 105 | | 77unlawful disparate impact on, minors, (B) any financial, physical or reputational injury to |
|---|
| 106 | 106 | | 78minors, or (C) any physical or other intrusion upon the solitude or seclusion, or the private affairs |
|---|
| 107 | 107 | | 79or concerns, of minors if such intrusion would be offensive to a reasonable person; |
|---|
| 108 | 108 | | 80 "HIPAA", the Health Insurance Portability and Accountability Act of 1996, 42 USC |
|---|
| 109 | 109 | | 811320d et seq., as amended from time to time. |
|---|
| 110 | 110 | | 82 "Identified or identifiable individual", an individual who can be readily identified, |
|---|
| 111 | 111 | | 83directly or indirectly. |
|---|
| 112 | 112 | | 84 "Institution of higher education", any individual who, or school, board, association, |
|---|
| 113 | 113 | | 85limited liability company or corporation that, is licensed or accredited to offer one or more |
|---|
| 114 | 114 | | 86programs of higher learning leading to one or more degrees. |
|---|
| 115 | 115 | | 87 “Mental health facility”, any health care facility in which at least seventy per cent of the |
|---|
| 116 | 116 | | 88health care services provided in such facility are mental health services. |
|---|
| 117 | 117 | | 89 “Minor”, any consumer who is younger than eighteen years of age. |
|---|
| 118 | 118 | | 90 "Nonprofit organization", any organization that is exempt from taxation under Section |
|---|
| 119 | 119 | | 91501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986, or any |
|---|
| 120 | 120 | | 92subsequent corresponding internal revenue code of the United States, as amended from time to |
|---|
| 121 | 121 | | 93time. |
|---|
| 122 | 122 | | 94 “Online service, product or feature”, any service, product or feature that is provided |
|---|
| 123 | 123 | | 95online. "Online service, product or feature" does not include any (A) telecommunications 6 of 31 |
|---|
| 124 | 124 | | 96service, as defined in 47 USC 153, as amended from time to time, (B) broadband Internet access |
|---|
| 125 | 125 | | 97service, as defined in 47 CFR 54.400, as amended from time to time, or (C) delivery or use of a |
|---|
| 126 | 126 | | 98physical product; |
|---|
| 127 | 127 | | 99 "Personal data", any information that is linked or reasonably linkable to an identified or |
|---|
| 128 | 128 | | 100identifiable individual. "Personal data" does not include de-identified data or publicly available |
|---|
| 129 | 129 | | 101information. |
|---|
| 130 | 130 | | 102 "Precise geolocation data", information derived from technology, including, but not |
|---|
| 131 | 131 | | 103limited to, global positioning system level latitude and longitude coordinates or other |
|---|
| 132 | 132 | | 104mechanisms, that directly identifies the specific location of an individual with precision and |
|---|
| 133 | 133 | | 105accuracy within a radius of one thousand seven hundred fifty feet. "Precise geolocation data" |
|---|
| 134 | 134 | | 106does not include: (i) the content of communications; or (ii) any data generated by or connected to |
|---|
| 135 | 135 | | 107advanced utility metering infrastructure systems or equipment for use by a utility. |
|---|
| 136 | 136 | | 108 "Process" or "processing", any operation or set of operations performed, whether by |
|---|
| 137 | 137 | | 109manual or automated means, on personal data or on sets of personal data, such as the collection, |
|---|
| 138 | 138 | | 110use, storage, disclosure, analysis, deletion or modification of personal data. |
|---|
| 139 | 139 | | 111 "Processor", an individual who, or legal entity that, processes personal data on behalf of a |
|---|
| 140 | 140 | | 112controller. |
|---|
| 141 | 141 | | 113 "Profiling", any form of automated processing performed on personal data to evaluate, |
|---|
| 142 | 142 | | 114analyze or predict personal aspects related to an identified or identifiable individual's economic |
|---|
| 143 | 143 | | 115situation, health, personal preferences, interests, reliability, behavior, location or movements. |
|---|
| 144 | 144 | | 116 "Protected health information", shall have the same meaning as provided in HIPAA. 7 of 31 |
|---|
| 145 | 145 | | 117 "Pseudonymous data", personal data that cannot be attributed to a specific individual |
|---|
| 146 | 146 | | 118without the use of additional information, provided such additional information is kept separately |
|---|
| 147 | 147 | | 119and is subject to appropriate technical and organizational measures to ensure that the personal |
|---|
| 148 | 148 | | 120data is not attributed to an identified or identifiable individual. |
|---|
| 149 | 149 | | 121 "Publicly available information", information that (A) is lawfully made available through |
|---|
| 150 | 150 | | 122federal, state or municipal government records or widely distributed media, or (B) a controller |
|---|
| 151 | 151 | | 123has a reasonable basis to believe a consumer has lawfully made available to the general public. |
|---|
| 152 | 152 | | 124 “Reproductive or sexual health care”, any health care-related services or products |
|---|
| 153 | 153 | | 125rendered or provided concerning a consumer’s reproductive system or sexual well-being, |
|---|
| 154 | 154 | | 126including, but not limited to, any such service or product rendered or provided concerning (A) an |
|---|
| 155 | 155 | | 127individual health condition, status, disease, diagnosis, diagnostic test or treatment, (B) a social, |
|---|
| 156 | 156 | | 128psychological, behavioral or medical intervention, (C) a surgery or procedure, including, but not |
|---|
| 157 | 157 | | 129limited to, an abortion, (D) a use or purchase of a medication, including, but not limited to, a |
|---|
| 158 | 158 | | 130medication used or purchased for the purposes of an abortion, (E) a bodily function, vital sign or |
|---|
| 159 | 159 | | 131symptom, (F) a measurement of a bodily function, vital sign or symptom, or (G) an abortion, |
|---|
| 160 | 160 | | 132including, but not limited to, medical or nonmedical services, products, diagnostics, counseling |
|---|
| 161 | 161 | | 133or follow-up services for an abortion. |
|---|
| 162 | 162 | | 134 “Reproductive or sexual health data”, any personal data concerning an effort made by a |
|---|
| 163 | 163 | | 135consumer to seek, or a consumer's receipt of, reproductive or sexual health care. |
|---|
| 164 | 164 | | 136 “Reproductive or sexual health facility”, any health care facility in which at least seventy |
|---|
| 165 | 165 | | 137per cent of the health care-related services or products rendered or provided in such facility are |
|---|
| 166 | 166 | | 138reproductive or sexual health care. 8 of 31 |
|---|
| 167 | 167 | | 139 "Sale of personal data", the exchange of personal data for monetary or other valuable |
|---|
| 168 | 168 | | 140consideration by the controller to a third party. "Sale of personal data" does not include (A) the |
|---|
| 169 | 169 | | 141disclosure of personal data to a processor that processes the personal data on behalf of the |
|---|
| 170 | 170 | | 142controller, (B) the disclosure of personal data to a third party for purposes of providing a product |
|---|
| 171 | 171 | | 143or service requested by the consumer, (C) the disclosure or transfer of personal data to an |
|---|
| 172 | 172 | | 144affiliate of the controller, (D) the disclosure of personal data where the consumer directs the |
|---|
| 173 | 173 | | 145controller to disclose the personal data or intentionally uses the controller to interact with a third |
|---|
| 174 | 174 | | 146party, (E) the disclosure of personal data that the consumer (i) intentionally made available to the |
|---|
| 175 | 175 | | 147general public via a channel of mass media, and (ii) did not restrict to a specific audience, or (F) |
|---|
| 176 | 176 | | 148the disclosure or transfer of personal data to a third party as an asset that is part of a merger, |
|---|
| 177 | 177 | | 149acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or |
|---|
| 178 | 178 | | 150other transaction, in which the third party assumes control of all or part of the controller's assets. |
|---|
| 179 | 179 | | 151 "Sensitive data", personal data that includes (A) data revealing racial or ethnic origin, |
|---|
| 180 | 180 | | 152religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or |
|---|
| 181 | 181 | | 153citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose |
|---|
| 182 | 182 | | 154of uniquely identifying an individual, (C) personal data collected from a known child, (D) |
|---|
| 183 | 183 | | 155precise geolocation data; (E) status as transgender or nonbinary; (F) consumer health data; or (G) |
|---|
| 184 | 184 | | 156data concerning an individual’s status as victim of a crime. |
|---|
| 185 | 185 | | 157 "Targeted advertising", displaying advertisements to a consumer where the advertisement |
|---|
| 186 | 186 | | 158is selected based on personal data obtained or inferred from that consumer's activities over time |
|---|
| 187 | 187 | | 159and across nonaffiliated Internet web sites or online applications to predict such consumer's |
|---|
| 188 | 188 | | 160preferences or interests. "Targeted advertising" does not include (A) advertisements based on |
|---|
| 189 | 189 | | 161activities within a controller's own Internet web sites or online applications, (B) advertisements 9 of 31 |
|---|
| 190 | 190 | | 162based on the context of a consumer's current search query, visit to an Internet web site or online |
|---|
| 191 | 191 | | 163application, (C) advertisements directed to a consumer in response to the consumer's request for |
|---|
| 192 | 192 | | 164information or feedback, or (D) processing personal data solely to measure or report advertising |
|---|
| 193 | 193 | | 165frequency, performance or reach. |
|---|
| 194 | 194 | | 166 "Third party", an individual or legal entity, such as a public authority, agency or body, |
|---|
| 195 | 195 | | 167other than the consumer, controller or processor or an affiliate of the processor or the controller. |
|---|
| 196 | 196 | | 168 "Trade secret", shall have the same meaning as provided in section 2 of chapter 93 of the |
|---|
| 197 | 197 | | 169General Laws. |
|---|
| 198 | 198 | | 170 Section 2. The provisions of this act apply to persons that conduct business in this state or |
|---|
| 199 | 199 | | 171persons that produce products or services that are targeted to residents of this state and that |
|---|
| 200 | 200 | | 172during the preceding calendar year: (A) Controlled or processed the personal data of not less than |
|---|
| 201 | 201 | | 173one hundred thousand consumers, excluding personal data controlled or processed solely for the |
|---|
| 202 | 202 | | 174purpose of completing a payment transaction; or (B) controlled or processed the personal data of |
|---|
| 203 | 203 | | 175not less than twenty-five thousand consumers and derived more than twenty-five per cent of their |
|---|
| 204 | 204 | | 176gross revenue from the sale of personal data. |
|---|
| 205 | 205 | | 177 Section 3. (a) The provisions of this act do not apply to any: (1) Body, authority, board, |
|---|
| 206 | 206 | | 178bureau, commission, district or agency of this state or of any political subdivision of this state, or |
|---|
| 207 | 207 | | 179person who has entered into a contract with such entity while such person is processing |
|---|
| 208 | 208 | | 180consumer health data on behalf of such entity; (2) institution of higher education; (2) national |
|---|
| 209 | 209 | | 181securities association that is registered under 15 USC 78o-3 of the Securities Exchange Act of |
|---|
| 210 | 210 | | 1821934, as amended from time to time; (3) financial institution or data subject to Title V of the 10 of 31 |
|---|
| 211 | 211 | | 183Gramm-Leach-Bliley Act, 15 USC 6801 et seq.; or (4) covered entity or business associate, as |
|---|
| 212 | 212 | | 184defined in 45 CFR 160.103. |
|---|
| 213 | 213 | | 185 (b)The following information and data is exempt from of the provisions of this act: |
|---|
| 214 | 214 | | 186(1) Protected health information under HIPAA; (2) patient-identifying information for purposes |
|---|
| 215 | 215 | | 187of 42 USC 290dd-2; (3) identifiable private information for purposes of the federal policy for the |
|---|
| 216 | 216 | | 188protection of human subjects under 45 CFR 46; (4) identifiable private information that is |
|---|
| 217 | 217 | | 189otherwise information collected as part of human subjects research pursuant to the good clinical |
|---|
| 218 | 218 | | 190practice guidelines issued by the International Council for Harmonization of Technical |
|---|
| 219 | 219 | | 191Requirements for Pharmaceuticals for Human Use; (5) the protection of human subjects under 21 |
|---|
| 220 | 220 | | 192CFR Parts 6, 50 and 56, or personal data used or shared in research, as defined in 45 CFR |
|---|
| 221 | 221 | | 193164.501, that is conducted in accordance with the standards set forth in this subdivision and |
|---|
| 222 | 222 | | 194subdivisions (3) and (4) of this subsection, or other research conducted in accordance with |
|---|
| 223 | 223 | | 195applicable law; (6) information and documents created for purposes of the Health Care Quality |
|---|
| 224 | 224 | | 196Improvement Act of 1986, 42 USC 11101 et seq.; (7) information derived from any of the health |
|---|
| 225 | 225 | | 197care related information listed in this subsection that is deidentified in accordance with the |
|---|
| 226 | 226 | | 198requirements for de-identification pursuant to HIPAA; (8) information originating from and |
|---|
| 227 | 227 | | 199intermingled to be indistinguishable with, or information treated in the same manner as, |
|---|
| 228 | 228 | | 200information exempt under this subsection that is maintained by a covered entity or business |
|---|
| 229 | 229 | | 201associate, program or qualified service organization, as specified in 42 USC 290dd-2, as |
|---|
| 230 | 230 | | 202amended from time to time; (9) information used for public health activities and purposes as |
|---|
| 231 | 231 | | 203authorized by HIPAA, community health activities and population health activities; (10) the |
|---|
| 232 | 232 | | 204collection, maintenance, disclosure, sale, communication or use of any personal information |
|---|
| 233 | 233 | | 205bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general 11 of 31 |
|---|
| 234 | 234 | | 206reputation, personal characteristics or mode of living by a consumer reporting agency, furnisher |
|---|
| 235 | 235 | | 207or user that provides information for use in a consumer report, and by a user of a consumer |
|---|
| 236 | 236 | | 208report, but only to the extent that such activity is regulated by and authorized under the Fair |
|---|
| 237 | 237 | | 209Credit Reporting Act, 15 USC 1681 et seq., as amended from time to time; (11) personal data |
|---|
| 238 | 238 | | 210collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act of |
|---|
| 239 | 239 | | 2111994, 18 USC 2721 et seq., as amended from time to time; (12) personal data regulated by the |
|---|
| 240 | 240 | | 212Family Educational Rights and Privacy Act, 20 USC 1232g et seq., as amended from time to |
|---|
| 241 | 241 | | 213time; (13) personal data collected, processed, sold or disclosed in compliance with the Farm |
|---|
| 242 | 242 | | 214Credit Act, 12 USC 2001 et seq., as amended from time to time; (14) data processed or |
|---|
| 243 | 243 | | 215maintained (A) in the course of an individual applying to, employed by or acting as an agent or |
|---|
| 244 | 244 | | 216independent contractor of a controller, processor or third party, to the extent that the data is |
|---|
| 245 | 245 | | 217collected and used within the context of that role, (B) as the emergency contact information of an |
|---|
| 246 | 246 | | 218individual under Section 1 of this act used for emergency contact purposes, or (C) that is |
|---|
| 247 | 247 | | 219necessary to retain to administer benefits for another individual relating to the individual who is |
|---|
| 248 | 248 | | 220the subject of the information under subdivision (1) of this subsection and used for the purposes |
|---|
| 249 | 249 | | 221of administering such benefits; and (15) personal data collected, processed, sold or disclosed in |
|---|
| 250 | 250 | | 222relation to price, route or service, as such terms are used in the Airline Deregulation Act, 49 USC |
|---|
| 251 | 251 | | 22340101 et seq., as amended from time to time, by an air carrier subject to said act, to the extent |
|---|
| 252 | 252 | | 224Section 1 of this act are preempted by the Airline Deregulation Act, 49 USC 41713, as amended |
|---|
| 253 | 253 | | 225from time to time. |
|---|
| 254 | 254 | | 226 (c)Controllers and processors that comply with the verifiable parental consent |
|---|
| 255 | 255 | | 227requirements of COPPA shall be deemed compliant with any obligation to obtain parental |
|---|
| 256 | 256 | | 228consent pursuant to Section 1 of this act. 12 of 31 |
|---|
| 257 | 257 | | 229 Section 4. (a) A consumer shall have the right to: (1) confirm whether or not a controller |
|---|
| 258 | 258 | | 230is processing the consumer's personal data and access such personal data, unless such |
|---|
| 259 | 259 | | 231confirmation or access would require the controller to reveal a trade secret; (2) correct |
|---|
| 260 | 260 | | 232inaccuracies in the consumer's personal data, taking into account the nature of the personal data |
|---|
| 261 | 261 | | 233and the purposes of the processing of the consumer's personal data; (3) delete personal data |
|---|
| 262 | 262 | | 234provided by, or obtained about, the consumer; (4) obtain a copy of the consumer's personal data |
|---|
| 263 | 263 | | 235processed by the controller, in a portable and, to the extent technically feasible, readily usable |
|---|
| 264 | 264 | | 236format that allows the consumer to transmit the data to another controller without hindrance, |
|---|
| 265 | 265 | | 237where the processing is carried out by automated means, provided such controller shall not be |
|---|
| 266 | 266 | | 238required to reveal any trade secret; and (5) opt out of the processing of the personal data for |
|---|
| 267 | 267 | | 239purposes of (A) targeted advertising, (B) the sale of personal data, except as provided in |
|---|
| 268 | 268 | | 240subsection (b) of section 6 of this act, or (C) profiling in furtherance of solely automated |
|---|
| 269 | 269 | | 241decisions that produce legal or similarly significant effects concerning the consumer. |
|---|
| 270 | 270 | | 242 (b)A consumer may exercise rights under this section by a secure and reliable means |
|---|
| 271 | 271 | | 243established by the controller and described to the consumer in the controller's privacy notice. A |
|---|
| 272 | 272 | | 244consumer may designate an authorized agent in accordance with section 5 of this act to exercise |
|---|
| 273 | 273 | | 245the rights of such consumer to opt out of the processing of such consumer's personal data for |
|---|
| 274 | 274 | | 246purposes of subdivision (5) (A) and (B) of subsection (a) of this section on behalf of the |
|---|
| 275 | 275 | | 247consumer. In the case of processing personal data of a known child, the parent or legal guardian |
|---|
| 276 | 276 | | 248may exercise such consumer rights on the child's behalf. In the case of processing personal data |
|---|
| 277 | 277 | | 249concerning a consumer subject to a guardianship, conservatorship or other protective |
|---|
| 278 | 278 | | 250arrangement, the guardian or the conservator of the consumer may exercise such rights on the |
|---|
| 279 | 279 | | 251consumer's behalf. 13 of 31 |
|---|
| 280 | 280 | | 252 (c)Except as otherwise provided in this act, a controller shall comply with a request |
|---|
| 281 | 281 | | 253by a consumer to exercise the consumer rights authorized pursuant to said sections as follows: |
|---|
| 282 | 282 | | 254 (1)A controller shall respond to the consumer without undue delay, but not later than |
|---|
| 283 | 283 | | 255forty-five days after receipt of the request. The controller may extend the response period by |
|---|
| 284 | 284 | | 256forty-five additional days when reasonably necessary, considering the complexity and number of |
|---|
| 285 | 285 | | 257the consumer's requests, provided the controller informs the consumer of any such extension |
|---|
| 286 | 286 | | 258within the initial forty-five-day response period and of the reason for the extension. |
|---|
| 287 | 287 | | 259 (2)If a controller declines to take action regarding the consumer's request, the |
|---|
| 288 | 288 | | 260controller shall inform the consumer without undue delay, but not later than forty-five days after |
|---|
| 289 | 289 | | 261receipt of the request, of the justification for declining to take action and instructions for how to |
|---|
| 290 | 290 | | 262appeal the decision. |
|---|
| 291 | 291 | | 263 (3)Information provided in response to a consumer request shall be provided by a |
|---|
| 292 | 292 | | 264controller, free of charge, once per consumer during any twelve-month period. If requests from a |
|---|
| 293 | 293 | | 265consumer are manifestly unfounded, technically infeasible, excessive or repetitive, the controller |
|---|
| 294 | 294 | | 266may charge the consumer a reasonable fee to cover the administrative costs of complying with |
|---|
| 295 | 295 | | 267the request or decline to act on the request. The controller bears the burden of demonstrating the |
|---|
| 296 | 296 | | 268manifestly unfounded, technically infeasible, excessive or repetitive nature of the request. |
|---|
| 297 | 297 | | 269 (4)If a controller is unable to authenticate a request to exercise any of the rights |
|---|
| 298 | 298 | | 270afforded under subdivisions (1) to (4), inclusive, of subsection (a) of this section using |
|---|
| 299 | 299 | | 271commercially reasonable efforts, the controller shall not be required to comply with a request to |
|---|
| 300 | 300 | | 272initiate an action pursuant to this section and shall provide notice to the consumer that the |
|---|
| 301 | 301 | | 273controller is unable to authenticate the request to exercise such right or rights until such 14 of 31 |
|---|
| 302 | 302 | | 274consumer provides additional information reasonably necessary to authenticate such consumer |
|---|
| 303 | 303 | | 275and such consumer's request to exercise such right or rights. A controller shall not be required to |
|---|
| 304 | 304 | | 276authenticate an opt-out request, but a controller may deny an opt-out request if the controller has |
|---|
| 305 | 305 | | 277a good faith, reasonable and documented belief that such request is fraudulent. If a controller |
|---|
| 306 | 306 | | 278denies an opt-out request because the controller believes such request is fraudulent, the controller |
|---|
| 307 | 307 | | 279shall send a notice to the person who made such request disclosing that such controller believes |
|---|
| 308 | 308 | | 280such request is fraudulent, why such controller believes such request is fraudulent and that such |
|---|
| 309 | 309 | | 281controller shall not comply with such request. |
|---|
| 310 | 310 | | 282 (5)A controller that has obtained personal data about a consumer from a source other |
|---|
| 311 | 311 | | 283than the consumer shall be deemed in compliance with a consumer's request to delete such data |
|---|
| 312 | 312 | | 284pursuant to subdivision (3) of subsection (a) of this section by (A) retaining a record of the |
|---|
| 313 | 313 | | 285deletion request and the minimum data necessary for the purpose of ensuring the consumer's |
|---|
| 314 | 314 | | 286personal data remains deleted from the controller's records and not using such retained data for |
|---|
| 315 | 315 | | 287any other purpose pursuant to the provisions of Section 1 of this act, or (B) opting the consumer |
|---|
| 316 | 316 | | 288out of the processing of such personal data for any purpose except for those exempted pursuant |
|---|
| 317 | 317 | | 289to the provisions of Section 1 of this act. |
|---|
| 318 | 318 | | 290 (d) A controller shall establish a process for a consumer to appeal the controller's refusal |
|---|
| 319 | 319 | | 291to take action on a request within a reasonable period of time after the consumer's receipt of the |
|---|
| 320 | 320 | | 292decision. The appeal process shall be conspicuously available and similar to the process for |
|---|
| 321 | 321 | | 293submitting requests to initiate action pursuant to this section. Not later than sixty days after |
|---|
| 322 | 322 | | 294receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not |
|---|
| 323 | 323 | | 295taken in response to the appeal, including a written explanation of the reasons for the decisions. |
|---|
| 324 | 324 | | 296If the appeal is denied, the controller shall also provide the consumer with an online mechanism, 15 of 31 |
|---|
| 325 | 325 | | 297if available, or other method through which the consumer may contact the Attorney General to |
|---|
| 326 | 326 | | 298submit a complaint. |
|---|
| 327 | 327 | | 299 Section 5. A consumer may designate another person to serve as the consumer's |
|---|
| 328 | 328 | | 300authorized agent, and act on such consumer's behalf, to opt out of the processing of such |
|---|
| 329 | 329 | | 301consumer's personal data for one or more of the purposes specified in subdivision (5) (A) and (B) |
|---|
| 330 | 330 | | 302of subsection (a) of section 4 of this act. A controller shall comply with an opt-out request |
|---|
| 331 | 331 | | 303received from an authorized agent if the controller is able to verify, with commercially |
|---|
| 332 | 332 | | 304reasonable effort, the identity of the consumer and the authorized agent's authority to act on such |
|---|
| 333 | 333 | | 305consumer's behalf. |
|---|
| 334 | 334 | | 306 Section 6. (a) A controller shall: (1) Limit the collection of personal data to what is |
|---|
| 335 | 335 | | 307adequate, relevant and reasonably necessary in relation to the purposes for which such data is |
|---|
| 336 | 336 | | 308processed, as disclosed to the consumer; (2) except as otherwise provided in Section 1 of this act, |
|---|
| 337 | 337 | | 309not process personal data for purposes that are neither reasonably necessary to, nor compatible |
|---|
| 338 | 338 | | 310with, the disclosed purposes for which such personal data is processed, as disclosed to the |
|---|
| 339 | 339 | | 311consumer, unless the controller obtains the consumer's consent; (3) establish, implement and |
|---|
| 340 | 340 | | 312maintain reasonable administrative, technical and physical data security practices to protect the |
|---|
| 341 | 341 | | 313confidentiality, integrity and accessibility of personal data appropriate to the volume and nature |
|---|
| 342 | 342 | | 314of the personal data at issue; (4) not process sensitive data concerning a consumer without |
|---|
| 343 | 343 | | 315obtaining the consumer's consent; (5) in the case of the processing of sensitive data concerning a |
|---|
| 344 | 344 | | 316known child, without processing such data in accordance with COPPA; (6) not process personal |
|---|
| 345 | 345 | | 317data in violation of the laws of this state and federal laws that prohibit unlawful discrimination |
|---|
| 346 | 346 | | 318against consumers; (7) provide an effective mechanism for a consumer to revoke the consumer's |
|---|
| 347 | 347 | | 319consent under this section that is at least as easy as the mechanism by which the consumer 16 of 31 |
|---|
| 348 | 348 | | 320provided the consumer's consent and, upon revocation of such consent, cease to process the data |
|---|
| 349 | 349 | | 321as soon as practicable, but not later than forty-five days after the receipt of such request; and (8) |
|---|
| 350 | 350 | | 322not process the personal data of a consumer for purposes of targeted advertising, or sell the |
|---|
| 351 | 351 | | 323consumer's personal data without the consumer's consent, under circumstances where a |
|---|
| 352 | 352 | | 324controller has actual knowledge, and willfully disregards, that the consumer is at least thirteen |
|---|
| 353 | 353 | | 325years of age but younger than sixteen years of age. A controller shall not discriminate against a |
|---|
| 354 | 354 | | 326consumer for exercising any of the consumer rights contained in Section 4 of this act, including |
|---|
| 355 | 355 | | 327denying goods or services, charging different prices or rates for goods or services or providing a |
|---|
| 356 | 356 | | 328different level of quality of goods or services to the consumer. |
|---|
| 357 | 357 | | 329 (b)Nothing in subsection (a) of this section shall be construed to require a controller |
|---|
| 358 | 358 | | 330to provide a product or service that requires the personal data of a consumer which the controller |
|---|
| 359 | 359 | | 331does not collect or maintain, or prohibit a controller from offering a different price, rate, level, |
|---|
| 360 | 360 | | 332quality or selection of goods or services to a consumer, including offering goods or services for |
|---|
| 361 | 361 | | 333no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide |
|---|
| 362 | 362 | | 334loyalty, rewards, premium features, discounts or club card program. |
|---|
| 363 | 363 | | 335 (c)A controller shall provide consumers with a reasonably accessible, clear and |
|---|
| 364 | 364 | | 336meaningful privacy notice that includes: (1) The categories of personal data processed by the |
|---|
| 365 | 365 | | 337controller; (2) the purpose for processing personal data; (3) how consumers may exercise their |
|---|
| 366 | 366 | | 338consumer rights, including how a consumer may appeal a controller's decision with regard to the |
|---|
| 367 | 367 | | 339consumer's request; (4) the categories of personal data that the controller shares with third |
|---|
| 368 | 368 | | 340parties, if any; (5) the categories of third parties, if any, with which the controller shares personal |
|---|
| 369 | 369 | | 341data; and (6) an active electronic mail address or other mechanism that the consumer may use to |
|---|
| 370 | 370 | | 342contact the controller. 17 of 31 |
|---|
| 371 | 371 | | 343 (d)If a controller sells personal data to third parties or processes personal data for |
|---|
| 372 | 372 | | 344targeted advertising, the controller shall clearly and conspicuously disclose such processing, as |
|---|
| 373 | 373 | | 345well as the manner in which a consumer may exercise the right to opt out of such processing. |
|---|
| 374 | 374 | | 346 (e)(1) A controller shall establish, and shall describe in a privacy notice, one or more |
|---|
| 375 | 375 | | 347secure and reliable means for consumers to submit a request to exercise their consumer rights |
|---|
| 376 | 376 | | 348pursuant to this act. Such means shall take into account the ways in which consumers normally |
|---|
| 377 | 377 | | 349interact with the controller, the need for secure and reliable communication of such requests and |
|---|
| 378 | 378 | | 350the ability of the controller to verify the identity of the consumer making the request. |
|---|
| 379 | 379 | | 351 A controller shall not require a consumer to create a new account in order to exercise |
|---|
| 380 | 380 | | 352consumer rights, but may require a consumer to use an existing account. Any such means shall |
|---|
| 381 | 381 | | 353include: |
|---|
| 382 | 382 | | 354 (A)(i) Providing a clear and conspicuous link on the controller's Internet web site to |
|---|
| 383 | 383 | | 355an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the |
|---|
| 384 | 384 | | 356targeted advertising or sale of the consumer's personal data; and |
|---|
| 385 | 385 | | 357 (ii) Not later than July 1, 2025, allowing a consumer to opt out of any processing of the |
|---|
| 386 | 386 | | 358consumer's personal data for the purposes of targeted advertising, or any sale of such personal |
|---|
| 387 | 387 | | 359data, through an opt out preference signal sent, with such consumer's consent, by a platform, |
|---|
| 388 | 388 | | 360technology or mechanism to the controller indicating such consumer's intent to opt out of any |
|---|
| 389 | 389 | | 361such processing or sale. Such platform, technology or mechanism shall: |
|---|
| 390 | 390 | | 362 (I)Not unfairly disadvantage another controller; 18 of 31 |
|---|
| 391 | 391 | | 363 (II)Not make use of a default setting, but, rather, require the consumer to make an |
|---|
| 392 | 392 | | 364affirmative, freely given and unambiguous choice to opt out of any processing of such |
|---|
| 393 | 393 | | 365consumer's personal data pursuant to Section 1 of this act; |
|---|
| 394 | 394 | | 366 (III)Be consumer-friendly and easy to use by the average consumer; |
|---|
| 395 | 395 | | 367 (IV)Be as consistent as possible with any other similar platform, technology or |
|---|
| 396 | 396 | | 368mechanism required by any federal or state law or regulation; and |
|---|
| 397 | 397 | | 369 (V)Enable the controller to accurately determine whether the consumer is a resident |
|---|
| 398 | 398 | | 370of this state and whether the consumer has made a legitimate request to opt out of any sale of |
|---|
| 399 | 399 | | 371such consumer's personal data or targeted advertising. |
|---|
| 400 | 400 | | 372 (B)A controller that recognizes opt out preference signals that have been approved by |
|---|
| 401 | 401 | | 373other state laws or regulations shall be deemed to be in compliance with subsection (A) of this |
|---|
| 402 | 402 | | 374section. |
|---|
| 403 | 403 | | 375 (C)If a consumer's decision to opt out of any processing of the consumer's personal |
|---|
| 404 | 404 | | 376data for the purposes of targeted advertising, or any sale of such personal data, through an opt- |
|---|
| 405 | 405 | | 377out preference signal sent in accordance with the provisions of subparagraph (A) of this |
|---|
| 406 | 406 | | 378subdivision conflicts with the consumer's existing voluntary participation in a controller's bona |
|---|
| 407 | 407 | | 379fide loyalty, rewards, premium features, discounts or club card program, the controller shall |
|---|
| 408 | 408 | | 380comply with such consumer's opt-out preference signal but may notify such consumer of such |
|---|
| 409 | 409 | | 381conflict and provide to such consumer the choice to confirm participation in such program. |
|---|
| 410 | 410 | | 382 (2) If a controller responds to consumer opt‐out requests received pursuant to |
|---|
| 411 | 411 | | 383subparagraph (A) of subdivision (1) of this subsection by informing the consumer of a charge for 19 of 31 |
|---|
| 412 | 412 | | 384the use of any product or service, the controller shall present the terms of any financial incentive |
|---|
| 413 | 413 | | 385offered pursuant to subsection (b) of this section for the retention, use, sale or sharing of the |
|---|
| 414 | 414 | | 386consumer's personal data. |
|---|
| 415 | 415 | | 387 (f) A controller shall not: (1) use a geofence to establish a virtual boundary that is within |
|---|
| 416 | 416 | | 388one thousand seven hundred fifty feet of any mental health facility or reproductive or sexual |
|---|
| 417 | 417 | | 389health facility for the purpose of identifying, tracking, collecting data from or sending any |
|---|
| 418 | 418 | | 390notification to a consumer regarding the consumer’s consumer health data; or (2) sell, or offer to |
|---|
| 419 | 419 | | 391sell, consumer health data without first obtaining the consumer’s consent. |
|---|
| 420 | 420 | | 392 Section 7. (a) Each controller that offers any online service, product or feature to |
|---|
| 421 | 421 | | 393consumers whom such controller has actual knowledge, or willfully disregards, are minors shall |
|---|
| 422 | 422 | | 394use reasonable care to avoid any heightened risk of harm to minors caused by such online |
|---|
| 423 | 423 | | 395service, product or feature. In any enforcement action brought by the Attorney General pursuant |
|---|
| 424 | 424 | | 396to this act, there shall be a rebuttable presumption that a controller used reasonable care as |
|---|
| 425 | 425 | | 397required under this section if the controller complied with the provisions of this act concerning |
|---|
| 426 | 426 | | 398data protection assessments. |
|---|
| 427 | 427 | | 399 (b) (1) Subject to the consent requirement established in subdivision (3) of this |
|---|
| 428 | 428 | | 400subsection, no controller that offers any online service, product or feature to consumers whom |
|---|
| 429 | 429 | | 401such controller has actual knowledge, or willfully disregards, are minors shall: (A) Process any |
|---|
| 430 | 430 | | 402minor's personal data (i) for the purposes of (I) targeted advertising, (II) any sale of personal |
|---|
| 431 | 431 | | 403data, or (III) profiling in furtherance of any fully automated decision made by such controller |
|---|
| 432 | 432 | | 404that produces any legal or similarly significant effect concerning the provision or denial by such |
|---|
| 433 | 433 | | 405controller of any financial or lending services, housing, insurance, education enrollment or 20 of 31 |
|---|
| 434 | 434 | | 406opportunity, criminal justice, employment opportunity, health care services or access to essential |
|---|
| 435 | 435 | | 407goods or services, (ii) unless such processing is reasonably necessary to provide such online |
|---|
| 436 | 436 | | 408service, product or feature, (iii) for any processing purpose (I) other than the processing purpose |
|---|
| 437 | 437 | | 409that the controller disclosed at the time such controller collected such personal data, or (II) that is |
|---|
| 438 | 438 | | 410reasonably necessary for, and compatible with, the processing purpose described in subparagraph |
|---|
| 439 | 439 | | 411(A)(iii)(I) of this subdivision, or (iv) for longer than is reasonably necessary to provide such |
|---|
| 440 | 440 | | 412online service, product or feature; or (B) use any system design feature to significantly increase, |
|---|
| 441 | 441 | | 413sustain or extend any minor's use of such online service, product or feature. The provisions of |
|---|
| 442 | 442 | | 414this subdivision shall not apply to any service or application that is used by and under the |
|---|
| 443 | 443 | | 415direction of an educational entity, including, but not limited to, a learning management system or |
|---|
| 444 | 444 | | 416a student engagement program. |
|---|
| 445 | 445 | | 417 (2) Subject to the consent requirement established in subdivision (3) of this subsection, |
|---|
| 446 | 446 | | 418no controller that offers an online service, product or feature to consumers whom such controller |
|---|
| 447 | 447 | | 419has actual knowledge, or willfully disregards, are minors shall collect a minor's precise |
|---|
| 448 | 448 | | 420geolocation data unless: (A) Such precise geolocation data is reasonably necessary for the |
|---|
| 449 | 449 | | 421controller to provide such online service, product or feature and, if such data is necessary to |
|---|
| 450 | 450 | | 422provide such online service, product or feature, such controller may only collect such data for the |
|---|
| 451 | 451 | | 423time necessary to provide such online service, product or feature; and (B) the controller provides |
|---|
| 452 | 452 | | 424to the minor a signal indicating that such controller is collecting such precise geolocation data, |
|---|
| 453 | 453 | | 425which signal shall be available to such minor for the entire duration of such collection. |
|---|
| 454 | 454 | | 426 (3) No controller shall engage in the activities described in subdivisions (1) and (2) of |
|---|
| 455 | 455 | | 427this subsection unless the controller obtains the minor's consent or, if the minor is younger than |
|---|
| 456 | 456 | | 428thirteen years of age, the consent of such minor's parent or legal guardian. A controller that 21 of 31 |
|---|
| 457 | 457 | | 429complies with the verifiable parental consent requirements established in the Children's Online |
|---|
| 458 | 458 | | 430Privacy Protection Act of 1998, 15 USC 6501 et seq., and the regulations, rules, guidance and |
|---|
| 459 | 459 | | 431exemptions adopted pursuant to said act, as said act and such regulations, rules, guidance and |
|---|
| 460 | 460 | | 432exemptions may be amended from time to time, shall be deemed to have satisfied any |
|---|
| 461 | 461 | | 433requirement to obtain parental consent under this subdivision. |
|---|
| 462 | 462 | | 434 (c) (1) No controller that offers any online service, product or feature to consumers whom |
|---|
| 463 | 463 | | 435such controller has actual knowledge, or willfully disregards, are minors shall: (A) Provide any |
|---|
| 464 | 464 | | 436consent mechanism that is designed to substantially subvert or impair, or is manipulated with the |
|---|
| 465 | 465 | | 437effect of substantially subverting or impairing, user autonomy, decision-making or choice; or (B) |
|---|
| 466 | 466 | | 438except as provided in subdivision (2) of this subsection, offer any direct messaging apparatus for |
|---|
| 467 | 467 | | 439use by minors without providing readily accessible and easy-to-use safeguards to limit the ability |
|---|
| 468 | 468 | | 440of adults to send unsolicited communications to minors with whom they are not connected. |
|---|
| 469 | 469 | | 441 (2) The provisions of subparagraph (B) of subdivision (1) of this subsection shall not |
|---|
| 470 | 470 | | 442apply to services where the predominant or exclusive function is: (A) Electronic mail; or (B) |
|---|
| 471 | 471 | | 443direct messaging consisting of text, photos or videos that are sent between devices by electronic |
|---|
| 472 | 472 | | 444means, where messages are (i) shared between the sender and the recipient, (ii) only visible to |
|---|
| 473 | 473 | | 445the sender and the recipient, and (iii) not posted publicly. |
|---|
| 474 | 474 | | 446 Section 8. (a) A processor shall adhere to the instructions of a controller and shall assist |
|---|
| 475 | 475 | | 447the controller in meeting the controller's obligations under Section 1 of this act. Such assistance |
|---|
| 476 | 476 | | 448shall include: (1) Taking into account the nature of processing and the information available to |
|---|
| 477 | 477 | | 449the processor, by appropriate technical and organizational measures, insofar as is reasonably |
|---|
| 478 | 478 | | 450practicable, to fulfill the controller's obligation to respond to consumer rights requests; (2) taking 22 of 31 |
|---|
| 479 | 479 | | 451into account the nature of processing and the information available to the processor, by assisting |
|---|
| 480 | 480 | | 452the controller in meeting the controller's obligations in relation to the security of processing the |
|---|
| 481 | 481 | | 453personal data and in relation to the notification of a breach of security pursuant to chapter 93H of |
|---|
| 482 | 482 | | 454the General Laws, of the system of the processor, in order to meet the controller's obligations; |
|---|
| 483 | 483 | | 455and (3) providing necessary information to enable the controller to conduct and document data |
|---|
| 484 | 484 | | 456protection assessments. |
|---|
| 485 | 485 | | 457 (b)A contract between a controller and a processor shall govern the processor's data |
|---|
| 486 | 486 | | 458processing procedures with respect to processing performed on behalf of the controller. The |
|---|
| 487 | 487 | | 459contract shall be binding and clearly set forth instructions for processing data, the nature and |
|---|
| 488 | 488 | | 460purpose of processing, the type of data subject to processing, the duration of processing and the |
|---|
| 489 | 489 | | 461rights and obligations of both parties. The contract shall also require that the processor: (1) |
|---|
| 490 | 490 | | 462Ensure that each person processing personal data is subject to a duty of confidentiality with |
|---|
| 491 | 491 | | 463respect to the data; (2) at the controller's direction, delete or return all personal data to the |
|---|
| 492 | 492 | | 464controller as requested at the end of the provision of services, unless retention of the personal |
|---|
| 493 | 493 | | 465data is required by law; (3) upon the reasonable request of the controller, make available to the |
|---|
| 494 | 494 | | 466controller all information in its possession necessary to demonstrate the processor's compliance |
|---|
| 495 | 495 | | 467with the obligations in Section 1 of this act; and (4) allow, and cooperate with, reasonable |
|---|
| 496 | 496 | | 468assessments by the controller or the controller's designated assessor, or the processor may |
|---|
| 497 | 497 | | 469arrange for a qualified and independent assessor to conduct an assessment of the processor's |
|---|
| 498 | 498 | | 470policies and technical and organizational measures in support of the obligations under Section 1 |
|---|
| 499 | 499 | | 471of this act, using an appropriate and accepted control standard or framework and assessment |
|---|
| 500 | 500 | | 472procedure for such assessments. The processor shall provide a report of such assessment to the |
|---|
| 501 | 501 | | 473controller upon request; and (5) engage any subcontractor pursuant to a written contract that 23 of 31 |
|---|
| 502 | 502 | | 474requires the subcontractor to meet the obligations of the processor with respect to the personal |
|---|
| 503 | 503 | | 475data. |
|---|
| 504 | 504 | | 476 (c)Nothing in this section shall be construed to relieve a controller or processor from |
|---|
| 505 | 505 | | 477the liabilities imposed on the controller or processor by virtue of such controller's or processor's |
|---|
| 506 | 506 | | 478role in the processing relationship, as described in Section 1 of this act. |
|---|
| 507 | 507 | | 479 (d)Determining whether a person is acting as a controller or processor with respect to |
|---|
| 508 | 508 | | 480a specific processing of data is a fact-based determination that depends upon the context in |
|---|
| 509 | 509 | | 481which personal data is to be processed. A person who is not limited in such person's processing |
|---|
| 510 | 510 | | 482of personal data pursuant to a controller's instructions, or who fails to adhere to such instructions, |
|---|
| 511 | 511 | | 483is a controller and not a processor with respect to a specific processing of data. A processor that |
|---|
| 512 | 512 | | 484continues to adhere to a controller's instructions with respect to a specific processing of personal |
|---|
| 513 | 513 | | 485data remains a processor. If a processor begins, alone or jointly with others, determining the |
|---|
| 514 | 514 | | 486purposes and means of the processing of personal data, the processor is a controller with respect |
|---|
| 515 | 515 | | 487to such processing and may be subject to an enforcement action under section 12 of this act. |
|---|
| 516 | 516 | | 488 Section 9. (a) A controller shall conduct and document a data protection assessment for |
|---|
| 517 | 517 | | 489each of the controller's processing activities that presents a heightened risk of harm to a |
|---|
| 518 | 518 | | 490consumer. For the purposes of this section, processing that presents a heightened risk of harm to |
|---|
| 519 | 519 | | 491a consumer includes: (1) The processing of personal data for the purposes of targeted |
|---|
| 520 | 520 | | 492advertising; (2) the sale of personal data; (3) the processing of personal data for the purposes of |
|---|
| 521 | 521 | | 493profiling, where such profiling presents a reasonably foreseeable risk of (A) unfair or deceptive |
|---|
| 522 | 522 | | 494treatment of, or unlawful disparate impact on, consumers, (B) financial, physical or reputational |
|---|
| 523 | 523 | | 495injury to consumers, (C) a physical or other intrusion upon the solitude or seclusion, or the 24 of 31 |
|---|
| 524 | 524 | | 496private affairs or concerns, of consumers, where such intrusion would be offensive to a |
|---|
| 525 | 525 | | 497reasonable person, or (D) other substantial injury to consumers; and (4) the processing of |
|---|
| 526 | 526 | | 498sensitive data. |
|---|
| 527 | 527 | | 499 (b)Data protection assessments conducted pursuant to subsection (a) of this section |
|---|
| 528 | 528 | | 500shall identify and weigh the benefits that may flow, directly and indirectly, from the processing |
|---|
| 529 | 529 | | 501to the controller, the consumer, other stakeholders and the public against the potential risks to the |
|---|
| 530 | 530 | | 502rights of the consumer associated with such processing, as mitigated by safeguards that can be |
|---|
| 531 | 531 | | 503employed by the controller to reduce such risks. The controller shall factor into any such data |
|---|
| 532 | 532 | | 504protection assessment the use of de-identified data and the reasonable expectations of consumers, |
|---|
| 533 | 533 | | 505as well as the context of the processing and the relationship between the controller and the |
|---|
| 534 | 534 | | 506consumer whose personal data will be processed. |
|---|
| 535 | 535 | | 507 (c) Each controller that, as of the effective date of this act, offers any online service, |
|---|
| 536 | 536 | | 508product or feature to consumers whom such controller has actual knowledge, or willfully |
|---|
| 537 | 537 | | 509disregards, are minors shall conduct a data protection assessment for such online service, product |
|---|
| 538 | 538 | | 510or feature (1) in a manner that is consistent with this section; and (2) that addresses (A) the |
|---|
| 539 | 539 | | 511purpose of such online service, product or feature; (B) the categories of minors’ personal data |
|---|
| 540 | 540 | | 512that such online service, product or feature processes, (C) the purposes for which such controller |
|---|
| 541 | 541 | | 513processes minors’ personal data with respect to such online service, product or feature, and (D) |
|---|
| 542 | 542 | | 514any heightened risk of harm to minors that is a reasonably foreseeable result of offering such |
|---|
| 543 | 543 | | 515online service, product or feature to minors. |
|---|
| 544 | 544 | | 516 (d) Each controller that conducts a data protection assessment pursuant to subsection (c) |
|---|
| 545 | 545 | | 517of this section shall: (1) Review such data protection assessment as necessary to account for any 25 of 31 |
|---|
| 546 | 546 | | 518material change to the processing operations of the online service, product or feature that is the |
|---|
| 547 | 547 | | 519subject of such data protection assessment; and (2) maintain documentation concerning such data |
|---|
| 548 | 548 | | 520protection assessment for the longer of (A) the three-year period beginning on the date on which |
|---|
| 549 | 549 | | 521such processing operations cease, or (B) as long as such controller offers such online service, |
|---|
| 550 | 550 | | 522product or feature. |
|---|
| 551 | 551 | | 523 (c)The Attorney General may require that a controller disclose any data protection |
|---|
| 552 | 552 | | 524assessment that is relevant to an investigation conducted by the Attorney General, and the |
|---|
| 553 | 553 | | 525controller shall make the data protection assessment available to the Attorney General. The |
|---|
| 554 | 554 | | 526Attorney General may evaluate the data protection assessment for compliance with the |
|---|
| 555 | 555 | | 527responsibilities set forth in this act. Data protection assessments shall be confidential and shall be |
|---|
| 556 | 556 | | 528exempt from disclosure under the Public Records Act, as set forth in chapter 66 of the General |
|---|
| 557 | 557 | | 529Laws. To the extent any information contained in a data protection assessment disclosed to the |
|---|
| 558 | 558 | | 530Attorney General includes information subject to attorney-client privilege or work product |
|---|
| 559 | 559 | | 531protection, such disclosure shall not constitute a waiver of such privilege or protection. |
|---|
| 560 | 560 | | 532 (d)A single data protection assessment may address a comparable set of processing |
|---|
| 561 | 561 | | 533operations that include similar activities. |
|---|
| 562 | 562 | | 534 (e)If a controller conducts a data protection assessment for the purpose of complying |
|---|
| 563 | 563 | | 535with another applicable law or regulation, the data protection assessment shall be deemed to |
|---|
| 564 | 564 | | 536satisfy the requirements established in this section if such data protection assessment is |
|---|
| 565 | 565 | | 537reasonably similar in scope and effect to the data protection assessment that would otherwise be |
|---|
| 566 | 566 | | 538conducted pursuant to this section. 26 of 31 |
|---|
| 567 | 567 | | 539 (f)Data protection assessment requirements shall apply to processing activities |
|---|
| 568 | 568 | | 540created or generated after January 1, 2024, and are not retroactive. |
|---|
| 569 | 569 | | 541 Section 10. (a) Any controller in possession of de-identified data shall: (1) Take |
|---|
| 570 | 570 | | 542reasonable measures to ensure that the data cannot be associated with an individual; (2) publicly |
|---|
| 571 | 571 | | 543commit to maintaining and using de-identified data without attempting to reidentify the data; and |
|---|
| 572 | 572 | | 544(3) contractually obligate any recipients of the deidentified data to comply with all provisions of |
|---|
| 573 | 573 | | 545Section 1 of this act. |
|---|
| 574 | 574 | | 546 (b)Nothing in this act shall be construed to: (1) Require a controller or processor to |
|---|
| 575 | 575 | | 547re-identify de-identified data or pseudonymous data; or (2) maintain data in identifiable form, or |
|---|
| 576 | 576 | | 548collect, obtain, retain or access any data or technology, in order to be capable of associating an |
|---|
| 577 | 577 | | 549authenticated consumer request with personal data. |
|---|
| 578 | 578 | | 550 (c)Nothing in this act shall be construed to require a controller or processor to |
|---|
| 579 | 579 | | 551comply with an authenticated consumer rights request if the controller: (1) Is not reasonably |
|---|
| 580 | 580 | | 552capable of associating the request with the personal data or it would be unreasonably |
|---|
| 581 | 581 | | 553burdensome for the controller to associate the request with the personal data; (2) does not use the |
|---|
| 582 | 582 | | 554personal data to recognize or respond to the specific consumer who is the subject of the personal |
|---|
| 583 | 583 | | 555data, or associate the personal data with other personal data about the same specific consumer; |
|---|
| 584 | 584 | | 556and (3) does not sell the personal data to any third party or otherwise voluntarily disclose the |
|---|
| 585 | 585 | | 557personal data to any third party other than a processor, except as otherwise permitted in this |
|---|
| 586 | 586 | | 558section. |
|---|
| 587 | 587 | | 559 (d)The rights afforded under subdivisions (1) to (4), inclusive, of subsection (a) of |
|---|
| 588 | 588 | | 560section 4 of this act shall not apply to pseudonymous data in cases where the controller is able to 27 of 31 |
|---|
| 589 | 589 | | 561demonstrate that any information necessary to identify the consumer is kept separately and is |
|---|
| 590 | 590 | | 562subject to effective technical and organizational controls that prevent the controller from |
|---|
| 591 | 591 | | 563accessing such information. |
|---|
| 592 | 592 | | 564 (e)A controller that discloses pseudonymous data or de-identified data shall exercise |
|---|
| 593 | 593 | | 565reasonable oversight to monitor compliance with any contractual commitments to which the |
|---|
| 594 | 594 | | 566pseudonymous data or de-identified data is subject and shall take appropriate steps to address |
|---|
| 595 | 595 | | 567any breaches of those contractual commitments. |
|---|
| 596 | 596 | | 568 Section 11. (a) Nothing in this act shall be construed to restrict a controller's or |
|---|
| 597 | 597 | | 569processor's ability to: (1) Comply with federal, state or municipal ordinances or regulations; (2) |
|---|
| 598 | 598 | | 570comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by |
|---|
| 599 | 599 | | 571federal, state, municipal or other governmental authorities; (3) cooperate with law enforcement |
|---|
| 600 | 600 | | 572agencies concerning conduct or activity that the controller or processor reasonably and in good |
|---|
| 601 | 601 | | 573faith believes may violate federal, state or municipal ordinances or regulations; (4) investigate, |
|---|
| 602 | 602 | | 574establish, exercise, prepare for or defend legal claims; (5) provide a product or service |
|---|
| 603 | 603 | | 575specifically requested by a consumer; (6) perform under a contract to which a consumer is a |
|---|
| 604 | 604 | | 576party, including fulfilling the terms of a written warranty; (7) take steps at the request of a |
|---|
| 605 | 605 | | 577consumer prior to entering into a contract; (8) take immediate steps to protect an interest that is |
|---|
| 606 | 606 | | 578essential for the life or physical safety of the consumer or another individual, and where the |
|---|
| 607 | 607 | | 579processing cannot be manifestly based on another legal basis; (9) prevent, detect, protect against |
|---|
| 608 | 608 | | 580or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive |
|---|
| 609 | 609 | | 581activities or any illegal activity, preserve the integrity or security of systems or investigate, report |
|---|
| 610 | 610 | | 582or prosecute those responsible for any such action; (10) engage in public or peer-reviewed |
|---|
| 611 | 611 | | 583scientific or statistical research in the public interest that adheres to all other applicable ethics 28 of 31 |
|---|
| 612 | 612 | | 584and privacy laws and is approved, monitored and governed by an institutional review board that |
|---|
| 613 | 613 | | 585determines, or similar independent oversight entities that determine, (A) whether the deletion of |
|---|
| 614 | 614 | | 586the information is likely to provide substantial benefits that do not exclusively accrue to the |
|---|
| 615 | 615 | | 587controller, (B) the expected benefits of the research outweigh the privacy risks, and (C) whether |
|---|
| 616 | 616 | | 588the controller has implemented reasonable safeguards to mitigate privacy risks associated with |
|---|
| 617 | 617 | | 589research, including any risks associated with re-identification; (11) assist another controller, |
|---|
| 618 | 618 | | 590processor or third party with any of the obligations under Section 1 of this act; or (12) process |
|---|
| 619 | 619 | | 591personal data for reasons of public interest in the area of public health, community health or |
|---|
| 620 | 620 | | 592population health, but solely to the extent that such processing is (A) subject to suitable and |
|---|
| 621 | 621 | | 593specific measures to safeguard the rights of the consumer whose personal data is being |
|---|
| 622 | 622 | | 594processed, and (B) under the responsibility of a professional subject to confidentiality obligations |
|---|
| 623 | 623 | | 595under federal, state or local law. |
|---|
| 624 | 624 | | 596 (b)The obligations imposed on controllers or processors under Section 1 of this act |
|---|
| 625 | 625 | | 597shall not restrict a controller's or processor's ability to collect, use or retain data for internal use |
|---|
| 626 | 626 | | 598to: (1) Conduct internal research to develop, improve or repair products, services or technology; |
|---|
| 627 | 627 | | 599(2) effectuate a product recall; (3) identify and repair technical errors that impair existing or |
|---|
| 628 | 628 | | 600intended functionality; or (4) perform internal operations that are reasonably aligned with the |
|---|
| 629 | 629 | | 601expectations of the consumer or reasonably anticipated based on the consumer's existing |
|---|
| 630 | 630 | | 602relationship with the controller, or are otherwise compatible with processing data in furtherance |
|---|
| 631 | 631 | | 603of the provision of a product or service specifically requested by a consumer or the performance |
|---|
| 632 | 632 | | 604of a contract to which the consumer is a party. |
|---|
| 633 | 633 | | 605 (c)The obligations imposed on controllers or processors under Section 1 of this act |
|---|
| 634 | 634 | | 606shall not apply where compliance by the controller or processor with said sections would violate 29 of 31 |
|---|
| 635 | 635 | | 607an evidentiary privilege under the laws of this state. Nothing in this act shall be construed to |
|---|
| 636 | 636 | | 608prevent a controller or processor from providing personal data concerning a consumer to a |
|---|
| 637 | 637 | | 609person covered by an evidentiary privilege under the laws of the state as part of a privileged |
|---|
| 638 | 638 | | 610communication. |
|---|
| 639 | 639 | | 611 (d)A controller or processor that discloses personal data to a processor or third-party |
|---|
| 640 | 640 | | 612controller in accordance with of this act shall not be deemed to have violated said sections if the |
|---|
| 641 | 641 | | 613processor or third-party controller that receives and processes such personal data violates said |
|---|
| 642 | 642 | | 614sections, provided, at the time the disclosing controller or processor disclosed such personal data, |
|---|
| 643 | 643 | | 615the disclosing controller or processor did not have actual knowledge that the receiving processor |
|---|
| 644 | 644 | | 616or third-party controller would violate said sections. A third-party controller or processor |
|---|
| 645 | 645 | | 617receiving personal data from a controller or processor in compliance with of this act is likewise |
|---|
| 646 | 646 | | 618not in violation of said sections for the transgressions of the controller or processor from which |
|---|
| 647 | 647 | | 619such third-party controller or processor receives such personal data. |
|---|
| 648 | 648 | | 620 (e)Nothing in this act shall be construed to: (1) Impose any obligation on a controller |
|---|
| 649 | 649 | | 621or processor that adversely affects the rights or freedoms of any person, including, but not |
|---|
| 650 | 650 | | 622limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in |
|---|
| 651 | 651 | | 623the First Amendment to the United States Constitution; or (2) apply to any person's processing of |
|---|
| 652 | 652 | | 624personal data in the course of such person's purely personal or household activities. |
|---|
| 653 | 653 | | 625 (f)Personal data processed by a controller pursuant to this section may be processed |
|---|
| 654 | 654 | | 626to the extent that such processing is: (1) Reasonably necessary and proportionate to the purposes |
|---|
| 655 | 655 | | 627listed in this section; and (2) adequate, relevant and limited to what is necessary in relation to the |
|---|
| 656 | 656 | | 628specific purposes listed in this section. Personal data collected, used or retained pursuant to 30 of 31 |
|---|
| 657 | 657 | | 629subsection (b) of this section shall, where applicable, take into account the nature and purpose or |
|---|
| 658 | 658 | | 630purposes of such collection, use or retention. Such data shall be subject to reasonable |
|---|
| 659 | 659 | | 631administrative, technical and physical measures to protect the confidentiality, integrity and |
|---|
| 660 | 660 | | 632accessibility of the personal data and to reduce reasonably foreseeable risks of harm to |
|---|
| 661 | 661 | | 633consumers relating to such collection, use or retention of personal data. |
|---|
| 662 | 662 | | 634 (g)If a controller processes personal data pursuant to an exemption in this section, |
|---|
| 663 | 663 | | 635the controller bears the burden of demonstrating that such processing qualifies for the exemption |
|---|
| 664 | 664 | | 636and complies with the requirements in subsection (f) of this section. |
|---|
| 665 | 665 | | 637 (h)Processing personal data for the purposes expressly identified in this section shall |
|---|
| 666 | 666 | | 638not solely make a legal entity a controller with respect to such processing. |
|---|
| 667 | 667 | | 639 Section 12. (a) The Attorney General shall have exclusive authority to enforce violations |
|---|
| 668 | 668 | | 640this act. |
|---|
| 669 | 669 | | 641 (b)During the period beginning on July 1, 2026 and ending on December 31, 2027, |
|---|
| 670 | 670 | | 642the Attorney General shall, prior to initiating any action for a violation of any provision of this |
|---|
| 671 | 671 | | 643act, issue a notice of violation to the controller if the Attorney General determines that a cure is |
|---|
| 672 | 672 | | 644possible. If the controller fails to cure such violation within sixty days of receipt of the notice of |
|---|
| 673 | 673 | | 645violation, the Attorney General may bring an action pursuant to this section. |
|---|
| 674 | 674 | | 646 (c) Not later than February 1, 2027, the Attorney General shall submit a report, in |
|---|
| 675 | 675 | | 647accordance with to the joint standing committee of the General Assembly having cognizance of |
|---|
| 676 | 676 | | 648matters relating to the judiciary disclosing: (1) The number of notices of violation the Attorney |
|---|
| 677 | 677 | | 649General has issued; (2) the nature of each violation; (3) the number of violations that were cured 31 of 31 |
|---|
| 678 | 678 | | 650during the sixty-day cure period; and (4) any other matter the Attorney General deems relevant |
|---|
| 679 | 679 | | 651for the purposes of such report. |
|---|
| 680 | 680 | | 652 (d) Beginning on January 1, 2028, the Attorney General may, in determining whether to |
|---|
| 681 | 681 | | 653grant a controller or processor the opportunity to cure an alleged violation described in |
|---|
| 682 | 682 | | 654subsection (b) of this section, consider: (1) The number of violations; (2) the size and complexity |
|---|
| 683 | 683 | | 655of the controller or processor; (3) the nature and extent of the controller's or processor's |
|---|
| 684 | 684 | | 656processing activities; (4) the substantial likelihood of injury to the public; (5) the safety of |
|---|
| 685 | 685 | | 657persons or property; and (6) whether such alleged violation was likely caused by human or |
|---|
| 686 | 686 | | 658technical error. |
|---|
| 687 | 687 | | 659 (d)Nothing in section 1 of this act shall be construed as providing the basis for, or be |
|---|
| 688 | 688 | | 660subject to, a private right of action for violations of said section or any other law. |
|---|
| 689 | 689 | | 661 (e)A violation of the requirements of this act shall constitute an unfair trade practice |
|---|
| 690 | 690 | | 662for purposes of Chapter 93A of the General Laws. Notwithstanding section 9 of said chapter |
|---|
| 691 | 691 | | 66393A, the provisions of this act shall be enforced solely by the Attorney General. |
|---|
| 692 | 692 | | 664 Section 13. This act shall be effective July 1, 2026 |
|---|