| 1 | 1 | | 1 of 1 |
|---|
| 2 | 2 | | SENATE DOCKET, NO. 1455 FILED ON: 1/16/2025 |
|---|
| 3 | 3 | | SENATE . . . . . . . . . . . . . . No. 36 |
|---|
| 4 | 4 | | The Commonwealth of Massachusetts |
|---|
| 5 | 5 | | _________________ |
|---|
| 6 | 6 | | PRESENTED BY: |
|---|
| 7 | 7 | | Dylan A. Fernandes |
|---|
| 8 | 8 | | _________________ |
|---|
| 9 | 9 | | To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General |
|---|
| 10 | 10 | | Court assembled: |
|---|
| 11 | 11 | | The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill: |
|---|
| 12 | 12 | | An Act to provide accountability in the use of biometric recognition technology and |
|---|
| 13 | 13 | | comprehensive enforcement. |
|---|
| 14 | 14 | | _______________ |
|---|
| 15 | 15 | | PETITION OF: |
|---|
| 16 | 16 | | NAME:DISTRICT/ADDRESS :Dylan A. FernandesPlymouth and Barnstable 1 of 8 |
|---|
| 17 | 17 | | SENATE DOCKET, NO. 1455 FILED ON: 1/16/2025 |
|---|
| 18 | 18 | | SENATE . . . . . . . . . . . . . . No. 36 |
|---|
| 19 | 19 | | By Mr. Fernandes, a petition (accompanied by bill, Senate, No. 36) of Dylan A. Fernandes for |
|---|
| 20 | 20 | | legislation to protect residents from abusive use of their biometric information. Advanced |
|---|
| 21 | 21 | | Information Technology, the Internet and Cybersecurity. |
|---|
| 22 | 22 | | The Commonwealth of Massachusetts |
|---|
| 23 | 23 | | _______________ |
|---|
| 24 | 24 | | In the One Hundred and Ninety-Fourth General Court |
|---|
| 25 | 25 | | (2025-2026) |
|---|
| 26 | 26 | | _______________ |
|---|
| 27 | 27 | | An Act to provide accountability in the use of biometric recognition technology and |
|---|
| 28 | 28 | | comprehensive enforcement. |
|---|
| 29 | 29 | | Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority |
|---|
| 30 | 30 | | of the same, as follows: |
|---|
| 31 | 31 | | 1 SECTION 1. Chapter 110H of the General Laws, as appearing in the 2022 Official |
|---|
| 32 | 32 | | 2Edition, is hereby amended by adding the following chapter:— |
|---|
| 33 | 33 | | 3 Chapter 110I. Regulation of biometric recognition technology |
|---|
| 34 | 34 | | 4 Section 1. Definitions |
|---|
| 35 | 35 | | 5 (a) As used in this chapter, the following words shall, unless the context clearly requires |
|---|
| 36 | 36 | | 6otherwise, have the following meanings:— |
|---|
| 37 | 37 | | 7 ''Agency'' , any agency, executive office, department, board, commission, bureau, |
|---|
| 38 | 38 | | 8division or authority of the commonwealth, or any of its branches, or of any political subdivision |
|---|
| 39 | 39 | | 9thereof. 2 of 8 |
|---|
| 40 | 40 | | 10 “Abusive trade practice” , any conduct by a covered entity that 1) materially interferes |
|---|
| 41 | 41 | | 11with the ability of an end user to understand a term or condition of the agreement between |
|---|
| 42 | 42 | | 12covered entities and end users relating to biometric recognition technology or biometric data or |
|---|
| 43 | 43 | | 132) takes unreasonable advantage of: a) A lack of understanding on the part of the end user of the |
|---|
| 44 | 44 | | 14material risks, costs, or conditions of the covered entity’s product or service that uses biometric |
|---|
| 45 | 45 | | 15recognition technology; or b) The inability of the end user to protect their interests in selecting or |
|---|
| 46 | 46 | | 16using a covered entity’s product or service; or c) The reasonable reliance by the end user on a |
|---|
| 47 | 47 | | 17covered entity’s representation to act in the interests of the end user. |
|---|
| 48 | 48 | | 18 “Biometric data” means information that pertains to measurable biological or |
|---|
| 49 | 49 | | 19behavioral characteristics of an individual that can be used singularly, or in combination with |
|---|
| 50 | 50 | | 20each other, or with other information, for verification, recognition, or identification of an |
|---|
| 51 | 51 | | 21individual. Examples include but are not limited to fingerprints, retina and iris patterns, |
|---|
| 52 | 52 | | 22voiceprints, D.N.A. sequences, facial characteristics and face geometry, gait, handwriting, |
|---|
| 53 | 53 | | 23keystroke dynamics, and mouse movements. |
|---|
| 54 | 54 | | 24 Biometric data does not include writing samples, written signatures, mere |
|---|
| 55 | 55 | | 25photographs, human biological samples used for valid scientific testing or screening, |
|---|
| 56 | 56 | | 26demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, |
|---|
| 57 | 57 | | 27or eye color. |
|---|
| 58 | 58 | | 28 Biometric data does not include donated organs, tissues, parts of the human body, |
|---|
| 59 | 59 | | 29blood, or serum stored on behalf of recipients or potential recipients of living or cadaveric |
|---|
| 60 | 60 | | 30transplants obtained or stored by a federally designated organ procurement agency. 3 of 8 |
|---|
| 61 | 61 | | 31 Biometric data does not include information captured from a patient by a health |
|---|
| 62 | 62 | | 32care provider or health care facility, or collected, processed, used, or stored exclusively for |
|---|
| 63 | 63 | | 33medical education or research, public health or epidemiological purposes, health care treatment, |
|---|
| 64 | 64 | | 34health insurance, payment, or operations, so long as such information is protected under the |
|---|
| 65 | 65 | | 35federal Health Insurance Portability and Accountability Act of 1996 and applicable federal and |
|---|
| 66 | 66 | | 36state laws and regulations. |
|---|
| 67 | 67 | | 37 Biometric data does not include information captured from an X-ray, roentgen |
|---|
| 68 | 68 | | 38process, computed tomography, M.R.I., P.E.T. scan, mammography, or other image or film of |
|---|
| 69 | 69 | | 39the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or |
|---|
| 70 | 70 | | 40to further validate scientific testing or screening. |
|---|
| 71 | 71 | | 41 “Biometric recognition technology” , Technology that (i) analyzes biometric data; |
|---|
| 72 | 72 | | 42(ii) is used to assign a unique, persistent identifier; or (iii) is used for the unique personal |
|---|
| 73 | 73 | | 43identification of a specific individual. |
|---|
| 74 | 74 | | 44 “Consent” , any freely given, specific, informed and unambiguous indication of the |
|---|
| 75 | 75 | | 45consumer's wishes by which the consumer, or the consumer's legal guardian, by a person who |
|---|
| 76 | 76 | | 46has power of attorney or is acting as a conservator for the consumer, such as by a statement or by |
|---|
| 77 | 77 | | 47a clear affirmative action, signifies agreement to the processing of biometric data relating to the |
|---|
| 78 | 78 | | 48consumer for a narrowly defined particular purpose. Acceptance of a general or broad terms of |
|---|
| 79 | 79 | | 49use or similar document that contains descriptions of biometric data processing along with other, |
|---|
| 80 | 80 | | 50unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a |
|---|
| 81 | 81 | | 51given piece of content does not constitute consent. Likewise, agreement obtained through use of |
|---|
| 82 | 82 | | 52an abusive trade practice does not constitute consent. 4 of 8 |
|---|
| 83 | 83 | | 53 “Controller” , Any covered entity that, alone or jointly with others, determines the |
|---|
| 84 | 84 | | 54purposes and means of processing biometric data. |
|---|
| 85 | 85 | | 55 “Covered entity” , Any person, including corporate affiliates, that collects, stores, or |
|---|
| 86 | 86 | | 56processes biometric data; provided, that the federal government or any state or local government, |
|---|
| 87 | 87 | | 57law enforcement agency, national security agency or intelligence agency shall not be covered |
|---|
| 88 | 88 | | 58entities. |
|---|
| 89 | 89 | | 59 “Data” , Any material upon which written, drawn, spoken, visual, or electromagnetic |
|---|
| 90 | 90 | | 60information or images are recorded or preserved, regardless of physical form or characteristics. |
|---|
| 91 | 91 | | 61 “Deceptive data practice” , Any act or practice involving the processing or transfer of |
|---|
| 92 | 92 | | 62covered data in a manner that constitutes a deceptive act or practice as described in section 2 of |
|---|
| 93 | 93 | | 63chapter 93A. |
|---|
| 94 | 94 | | 64 “Electronic” , Relating to technology having electrical, digital, magnetic, wireless, |
|---|
| 95 | 95 | | 65optical, electromagnetic or similar capabilities. |
|---|
| 96 | 96 | | 66 “Encrypted” , Data that has been transformed according to procedures outlined in 45 CFR |
|---|
| 97 | 97 | | 67§ 164.312(a)(2)(iv) and (e)(2)(ii) into a form in which there is a low probability of assigning |
|---|
| 98 | 98 | | 68meaning without use of a confidential process or key, unless further defined by regulation of the |
|---|
| 99 | 99 | | 69department of consumer affairs and business regulation. |
|---|
| 100 | 100 | | 70 “End user” , An individual providing biometric data to a covered entity. |
|---|
| 101 | 101 | | 71 “Harmful data practice” , The processing or transfer of covered data in a manner that |
|---|
| 102 | 102 | | 72causes or is likely to cause: (1) financial, physical, or reputational injury to an individual; (2) |
|---|
| 103 | 103 | | 73physical or other highly offensive intrusion upon the solitude or seclusion of an individual or the 5 of 8 |
|---|
| 104 | 104 | | 74individual’s private affairs or concerns, where such intrusion would be highly offensive to a |
|---|
| 105 | 105 | | 75reasonable person; or (3) other substantial injury to an individual. |
|---|
| 106 | 106 | | 76 “Legal effect” , An effect that changes an entity or person's legal duties, liabilities, |
|---|
| 107 | 107 | | 77obligations, benefits owed, protections granted by law, or ability to utilize legal remedies. |
|---|
| 108 | 108 | | 78 “Person” , A natural person, corporation, association, partnership or other legal entity. |
|---|
| 109 | 109 | | 79 “Personal information” , For purposes of this section, “personal information” means |
|---|
| 110 | 110 | | 80biometric data. |
|---|
| 111 | 111 | | 81 “Unfair data practice” , The processing or transfer of covered data in a manner that |
|---|
| 112 | 112 | | 82causes or is likely to cause substantial injury to end users which is not reasonably avoidable by |
|---|
| 113 | 113 | | 83end users themselves and not outweighed by countervailing benefits to end users. |
|---|
| 114 | 114 | | 84 Section 2. Duties of loyalty, care, and confidentiality for covered entities |
|---|
| 115 | 115 | | 85 (a) A covered entity shall be prohibited from taking any actions with respect to |
|---|
| 116 | 116 | | 86processing biometric data or designing biometric recognition technologies that conflict with an |
|---|
| 117 | 117 | | 87end user’s best interests. |
|---|
| 118 | 118 | | 88 (b) A covered entity shall be required to secure biometric data from unauthorized access |
|---|
| 119 | 119 | | 89in a reasonable manner that is the same as or more protective than the manner in which the |
|---|
| 120 | 120 | | 90covered entity secures other confidential and sensitive data and shall be prohibited from |
|---|
| 121 | 121 | | 91engaging in harmful data practices. |
|---|
| 122 | 122 | | 92 (c) A covered entity shall not: (i) process or transfer biometric data in any manner not |
|---|
| 123 | 123 | | 93consented to by the end user; (ii) engage in the sale of biometric data to a third party; (iii) |
|---|
| 124 | 124 | | 94disclose biometric data with any other person or entity except as consistent with the duties of 6 of 8 |
|---|
| 125 | 125 | | 95loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), |
|---|
| 126 | 126 | | 96respectively; or (iv) disclose or share biometric data with any other person unless that person |
|---|
| 127 | 127 | | 97enters into a contract with the covered entity that imposes on the person the same duties of care, |
|---|
| 128 | 128 | | 98loyalty, and confidentiality toward the end user as are imposed on the covered entity under this |
|---|
| 129 | 129 | | 99subsection. |
|---|
| 130 | 130 | | 100 (d) A covered entity shall take reasonable steps to ensure that the practices of any person |
|---|
| 131 | 131 | | 101to whom the online service provider discloses or sells, or with whom the online service provider |
|---|
| 132 | 132 | | 102shares, biometric data fulfill the duties of care, loyalty, and confidentiality assumed by the |
|---|
| 133 | 133 | | 103person under the contract described in subparagraph (c), including by auditing, on a regular |
|---|
| 134 | 134 | | 104basis, the data security and data practices of any such person. |
|---|
| 135 | 135 | | 105 (e) A covered entity shall not discriminate against a consumer because of the withheld |
|---|
| 136 | 136 | | 106consent under this title, including, but not limited to: (i) denying goods or services to the end |
|---|
| 137 | 137 | | 107user; (ii) charging different prices or rates for goods or services, including through the use of |
|---|
| 138 | 138 | | 108discounts or other benefits or imposing penalties; (iii) providing a different level or quality of |
|---|
| 139 | 139 | | 109goods or services to the end user; (iv) suggesting that the end user will receive a different price |
|---|
| 140 | 140 | | 110or rate for goods or services or a different level or quality of goods or services. |
|---|
| 141 | 141 | | 111 Section 3. Regulating unfair, deceptive, and abusive biometric data practices |
|---|
| 142 | 142 | | 112 (a) A covered entity shall not: (i) engage in a deceptive data practice; (ii) engage in an |
|---|
| 143 | 143 | | 113unfair data practice; or (iii) engage in an abusive trade practice. |
|---|
| 144 | 144 | | 114 (b) It is the intent of the legislature that in construing paragraph (a) of this section in |
|---|
| 145 | 145 | | 115actions unfair and deceptive trade practices, the courts will be guided by the interpretations given 7 of 8 |
|---|
| 146 | 146 | | 116by the Federal Trade Commission and the Federal Courts to section 5(a)(1) of the Federal Trade |
|---|
| 147 | 147 | | 117Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended. |
|---|
| 148 | 148 | | 118 (c) The attorney general may make rules and regulations interpreting the provisions of |
|---|
| 149 | 149 | | 119subsection 2(a) of this chapter. |
|---|
| 150 | 150 | | 120 Section 4. Limits on decision-making and public surveillance |
|---|
| 151 | 151 | | 121 (a) Covered entities shall not use biometric data to help make decisions that produce legal |
|---|
| 152 | 152 | | 122effects or similarly significant effects concerning end users. Decisions that include legal effects |
|---|
| 153 | 153 | | 123or similarly significant effects concerning end users include, without limitation, denial or |
|---|
| 154 | 154 | | 124degradation of consequential services or support, such as financial or lending services, housing, |
|---|
| 155 | 155 | | 125insurance, educational enrollment, criminal justice, employment opportunities, health care |
|---|
| 156 | 156 | | 126services, and access to basic necessities, such as food and water. |
|---|
| 157 | 157 | | 127 (b) Covered entities may not operate, install, or commission the operation or installation |
|---|
| 158 | 158 | | 128of equipment incorporating biometric recognition technology in any place, whether licensed or |
|---|
| 159 | 159 | | 129unlicensed, which is open to and accepts or solicits the patronage of the general public. |
|---|
| 160 | 160 | | 130 (c) The legislature finds that the practices covered by this section are matters vitally |
|---|
| 161 | 161 | | 131affecting the public interest for the purpose of applying the Massachusetts Consumer Protection |
|---|
| 162 | 162 | | 132law, chapter 93a. A violation of this section is not reasonable in relation to the development and |
|---|
| 163 | 163 | | 133preservation of business and is an unfair or deceptive act in trade or commerce and an unfair |
|---|
| 164 | 164 | | 134method of competition for the purpose of applying the Massachusetts Consumer Protection law, |
|---|
| 165 | 165 | | 135chapter 93a. |
|---|
| 166 | 166 | | 136 Section 5. Applicability of other state and federal laws 8 of 8 |
|---|
| 167 | 167 | | 137 This chapter does not relieve a person or agency from the duty to comply with |
|---|
| 168 | 168 | | 138requirements of any applicable general or special law or federal law regarding the protection and |
|---|
| 169 | 169 | | 139privacy of personal information. |
|---|
| 170 | 170 | | 140 Section 6. Enforcement |
|---|
| 171 | 171 | | 141 The attorney general may bring an action pursuant to section 4 of chapter 93A against a |
|---|
| 172 | 172 | | 142person or otherwise to remedy violations of this chapter and for other relief that may be |
|---|
| 173 | 173 | | 143appropriate. |
|---|