Massachusetts 2025-2026 Regular Session

Massachusetts Senate Bill S36 Latest Draft

Bill / Introduced Version Filed 02/27/2025

SENATE DOCKET, NO. 1455       FILED ON: 1/16/2025
SENATE . . . . . . . . . . . . . . No. 36
The Commonwealth of Massachusetts
_________________
PRESENTED BY:
Dylan A. Fernandes
_________________
To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General
Court assembled:
The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill:
An Act to provide accountability in the use of biometric recognition technology and 
comprehensive enforcement.
_______________
PETITION OF:
NAME: Dylan A. Fernandes
DISTRICT/ADDRESS: Plymouth and Barnstable
By Mr. Fernandes, a petition (accompanied by bill, Senate, No. 36) of Dylan A. Fernandes for 
legislation to protect residents from abusive use of their biometric information. Advanced 
Information Technology, the Internet and Cybersecurity.
The Commonwealth of Massachusetts
_______________
In the One Hundred and Ninety-Fourth General Court
(2025-2026)
_______________
An Act to provide accountability in the use of biometric recognition technology and 
comprehensive enforcement.
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority 
of the same, as follows:
SECTION 1. Chapter 110H of the General Laws, as appearing in the 2022 Official
Edition, is hereby amended by adding the following chapter:—
Chapter 110I. Regulation of biometric recognition technology
Section 1. Definitions
(a) As used in this chapter, the following words shall, unless the context clearly requires
otherwise, have the following meanings:—
“Agency”, any agency, executive office, department, board, commission, bureau,
division or authority of the commonwealth, or any of its branches, or of any political subdivision
thereof.
“Abusive trade practice”, any conduct by a covered entity that 1) materially interferes
with the ability of an end user to understand a term or condition of the agreement between
covered entities and end users relating to biometric recognition technology or biometric data or
2) takes unreasonable advantage of: a) A lack of understanding on the part of the end user of the
material risks, costs, or conditions of the covered entity’s product or service that uses biometric
recognition technology; or b) The inability of the end user to protect their interests in selecting or
using a covered entity’s product or service; or c) The reasonable reliance by the end user on a
covered entity’s representation to act in the interests of the end user.
“Biometric data” means information that pertains to measurable biological or
behavioral characteristics of an individual that can be used singularly, or in combination with
each other, or with other information, for verification, recognition, or identification of an
individual. Examples include but are not limited to fingerprints, retina and iris patterns,
voiceprints, D.N.A. sequences, facial characteristics and face geometry, gait, handwriting,
keystroke dynamics, and mouse movements.
Biometric data does not include writing samples, written signatures, mere
photographs, human biological samples used for valid scientific testing or screening,
demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color,
or eye color.
Biometric data does not include donated organs, tissues, parts of the human body,
blood, or serum stored on behalf of recipients or potential recipients of living or cadaveric
transplants obtained or stored by a federally designated organ procurement agency.
Biometric data does not include information captured from a patient by a health
care provider or health care facility, or collected, processed, used, or stored exclusively for
medical education or research, public health or epidemiological purposes, health care treatment,
health insurance, payment, or operations, so long as such information is protected under the
federal Health Insurance Portability and Accountability Act of 1996 and applicable federal and
state laws and regulations.
Biometric data does not include information captured from an X-ray, roentgen
process, computed tomography, M.R.I., P.E.T. scan, mammography, or other image or film of
the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or
to further validate scientific testing or screening.
“Biometric recognition technology”, Technology that (i) analyzes biometric data;
(ii) is used to assign a unique, persistent identifier; or (iii) is used for the unique personal
identification of a specific individual.
“Consent”, any freely given, specific, informed and unambiguous indication of the
consumer's wishes by which the consumer, or the consumer's legal guardian, by a person who
has power of attorney or is acting as a conservator for the consumer, such as by a statement or by
a clear affirmative action, signifies agreement to the processing of biometric data relating to the
consumer for a narrowly defined particular purpose. Acceptance of a general or broad terms of
use or similar document that contains descriptions of biometric data processing along with other,
unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a
given piece of content does not constitute consent. Likewise, agreement obtained through use of
an abusive trade practice does not constitute consent.
“Controller”, Any covered entity that, alone or jointly with others, determines the
purposes and means of processing biometric data.
“Covered entity”, Any person, including corporate affiliates, that collects, stores, or
processes biometric data; provided, that the federal government or any state or local government,
law enforcement agency, national security agency or intelligence agency shall not be covered
entities.
“Data”, Any material upon which written, drawn, spoken, visual, or electromagnetic
information or images are recorded or preserved, regardless of physical form or characteristics.
“Deceptive data practice”, Any act or practice involving the processing or transfer of
covered data in a manner that constitutes a deceptive act or practice as described in section 2 of
chapter 93A.
“Electronic”, Relating to technology having electrical, digital, magnetic, wireless,
optical, electromagnetic or similar capabilities.
“Encrypted”, Data that has been transformed according to procedures outlined in 45 CFR
§ 164.312(a)(2)(iv) and (e)(2)(ii) into a form in which there is a low probability of assigning
meaning without use of a confidential process or key, unless further defined by regulation of the
department of consumer affairs and business regulation.
“End user”, An individual providing biometric data to a covered entity.
“Harmful data practice”, The processing or transfer of covered data in a manner that
causes or is likely to cause: (1) financial, physical, or reputational injury to an individual; (2)
physical or other highly offensive intrusion upon the solitude or seclusion of an individual or the
individual’s private affairs or concerns, where such intrusion would be highly offensive to a
reasonable person; or (3) other substantial injury to an individual.
“Legal effect”, An effect that changes an entity or person's legal duties, liabilities,
obligations, benefits owed, protections granted by law, or ability to utilize legal remedies.
“Person”, A natural person, corporation, association, partnership or other legal entity.
“Personal information”, For purposes of this section, “personal information” means
biometric data.
“Unfair data practice”, The processing or transfer of covered data in a manner that
causes or is likely to cause substantial injury to end users which is not reasonably avoidable by
end users themselves and not outweighed by countervailing benefits to end users.
Section 2. Duties of loyalty, care, and confidentiality for covered entities
(a) A covered entity shall be prohibited from taking any actions with respect to
processing biometric data or designing biometric recognition technologies that conflict with an
end user’s best interests.
(b) A covered entity shall be required to secure biometric data from unauthorized access
in a reasonable manner that is the same as or more protective than the manner in which the
covered entity secures other confidential and sensitive data and shall be prohibited from
engaging in harmful data practices.
(c) A covered entity shall not: (i) process or transfer biometric data in any manner not
consented to by the end user; (ii) engage in the sale of biometric data to a third party; (iii)
disclose biometric data with any other person or entity except as consistent with the duties of
loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii),
respectively; or (iv) disclose or share biometric data with any other person unless that person
enters into a contract with the covered entity that imposes on the person the same duties of care,
loyalty, and confidentiality toward the end user as are imposed on the covered entity under this
subsection.
(d) A covered entity shall take reasonable steps to ensure that the practices of any person
to whom the online service provider discloses or sells, or with whom the online service provider
shares, biometric data fulfill the duties of care, loyalty, and confidentiality assumed by the
person under the contract described in subparagraph (c), including by auditing, on a regular
basis, the data security and data practices of any such person.
(e) A covered entity shall not discriminate against a consumer because of the withheld
consent under this title, including, but not limited to: (i) denying goods or services to the end
user; (ii) charging different prices or rates for goods or services, including through the use of
discounts or other benefits or imposing penalties; (iii) providing a different level or quality of
goods or services to the end user; (iv) suggesting that the end user will receive a different price
or rate for goods or services or a different level or quality of goods or services.
Section 3. Regulating unfair, deceptive, and abusive biometric data practices
(a) A covered entity shall not: (i) engage in a deceptive data practice; (ii) engage in an
unfair data practice; or (iii) engage in an abusive trade practice.
(b) It is the intent of the legislature that in construing paragraph (a) of this section in
actions unfair and deceptive trade practices, the courts will be guided by the interpretations given
by the Federal Trade Commission and the Federal Courts to section 5(a)(1) of the Federal Trade
Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended.
(c) The attorney general may make rules and regulations interpreting the provisions of
subsection 2(a) of this chapter.
Section 4. Limits on decision-making and public surveillance
(a) Covered entities shall not use biometric data to help make decisions that produce legal
effects or similarly significant effects concerning end users. Decisions that include legal effects
or similarly significant effects concerning end users include, without limitation, denial or
degradation of consequential services or support, such as financial or lending services, housing,
insurance, educational enrollment, criminal justice, employment opportunities, health care
services, and access to basic necessities, such as food and water.
(b) Covered entities may not operate, install, or commission the operation or installation
of equipment incorporating biometric recognition technology in any place, whether licensed or
unlicensed, which is open to and accepts or solicits the patronage of the general public.
(c) The legislature finds that the practices covered by this section are matters vitally
affecting the public interest for the purpose of applying the Massachusetts Consumer Protection
law, chapter 93a. A violation of this section is not reasonable in relation to the development and
preservation of business and is an unfair or deceptive act in trade or commerce and an unfair
method of competition for the purpose of applying the Massachusetts Consumer Protection law,
chapter 93a.
Section 5. Applicability of other state and federal laws
This chapter does not relieve a person or agency from the duty to comply with
requirements of any applicable general or special law or federal law regarding the protection and
privacy of personal information.
Section 6. Enforcement
The attorney general may bring an action pursuant to section 4 of chapter 93A against a
person or otherwise to remedy violations of this chapter and for other relief that may be
appropriate.