| 1 | 1 | | 1 of 1 |
|---|
| 2 | 2 | | SENATE DOCKET, NO. 2204 FILED ON: 1/17/2025 |
|---|
| 3 | 3 | | SENATE . . . . . . . . . . . . . . No. 43 |
|---|
| 4 | 4 | | The Commonwealth of Massachusetts |
|---|
| 5 | 5 | | _________________ |
|---|
| 6 | 6 | | PRESENTED BY: |
|---|
| 7 | 7 | | Mark C. Montigny |
|---|
| 8 | 8 | | _________________ |
|---|
| 9 | 9 | | To the Honorable Senate and House of Representatives of the Commonwealth of Massachusetts in General |
|---|
| 10 | 10 | | Court assembled: |
|---|
| 11 | 11 | | The undersigned legislators and/or citizens respectfully petition for the adoption of the accompanying bill: |
|---|
| 12 | 12 | | An Act to protect personal biometric data. |
|---|
| 13 | 13 | | _______________ |
|---|
| 14 | 14 | | PETITION OF: |
|---|
| 15 | 15 | | NAME:DISTRICT/ADDRESS :Mark C. MontignySecond Bristol and Plymouth 1 of 6 |
|---|
| 16 | 16 | | SENATE DOCKET, NO. 2204 FILED ON: 1/17/2025 |
|---|
| 17 | 17 | | SENATE . . . . . . . . . . . . . . No. 43 |
|---|
| 18 | 18 | | By Mr. Montigny, a petition (accompanied by bill, Senate, No. 43) of Mark C. Montigny for |
|---|
| 19 | 19 | | legislation to protect personal biometric data. Advanced Information Technology, the Internet |
|---|
| 20 | 20 | | and Cybersecurity. |
|---|
| 21 | 21 | | [SIMILAR MATTER FILED IN PREVIOUS SESSION |
|---|
| 22 | 22 | | SEE SENATE, NO. 195 OF 2023-2024.] |
|---|
| 23 | 23 | | The Commonwealth of Massachusetts |
|---|
| 24 | 24 | | _______________ |
|---|
| 25 | 25 | | In the One Hundred and Ninety-Fourth General Court |
|---|
| 26 | 26 | | (2025-2026) |
|---|
| 27 | 27 | | _______________ |
|---|
| 28 | 28 | | An Act to protect personal biometric data. |
|---|
| 29 | 29 | | Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority |
|---|
| 30 | 30 | | of the same, as follows: |
|---|
| 31 | 31 | | 1 The General Laws, as appearing in the 2022 Official Edition, are hereby amended by |
|---|
| 32 | 32 | | 2inserting after chapter 93L the following chapter:- |
|---|
| 33 | 33 | | 3 Chapter 93M. Biometric Information Privacy Act. |
|---|
| 34 | 34 | | 4 Section 1. Definitions. |
|---|
| 35 | 35 | | 5 As used in this chapter, the following words shall, unless the context clearly requires |
|---|
| 36 | 36 | | 6otherwise, have the following meanings: |
|---|
| 37 | 37 | | 7 "Biometric identifier" means a physiological or biological characteristic that is used by or |
|---|
| 38 | 38 | | 8on behalf of a private entity, singly or in combination, to identify, or assist in identifying, an |
|---|
| 39 | 39 | | 9individual, including, but not limited to a retina or iris scan, fingerprint, voiceprint, pattern of 2 of 6 |
|---|
| 40 | 40 | | 10gait or movement, or scan of hand or face geometry. Biometric identifiers do not include writing |
|---|
| 41 | 41 | | 11samples, written signatures, photographs, human biological samples used for valid scientific |
|---|
| 42 | 42 | | 12testing or screening, demographic data, tattoo descriptions, or physical descriptions such as |
|---|
| 43 | 43 | | 13height, weight, hair color, or eye color. Biometric identifiers do not include donated organs or |
|---|
| 44 | 44 | | 14tissues or blood or serum stored on behalf of recipients or potential recipients of living or |
|---|
| 45 | 45 | | 15cadaveric transplants and obtained or stored by a federally designated organ procurement |
|---|
| 46 | 46 | | 16agency. Biometric identifiers do not include information captured from a patient in a health care |
|---|
| 47 | 47 | | 17setting or information collected, used, or stored for health care treatment, payment, or operations |
|---|
| 48 | 48 | | 18under the federal Health Insurance Portability and Accountability Act of 1996. Biometric |
|---|
| 49 | 49 | | 19identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, |
|---|
| 50 | 50 | | 20mammography, or other image or film of the human anatomy used to diagnose, prognose, or |
|---|
| 51 | 51 | | 21treat an illness or other medical condition or to further validate scientific testing or screening. |
|---|
| 52 | 52 | | 22 "Biometric information" means any information, regardless of how it is captured, |
|---|
| 53 | 53 | | 23converted, stored, or shared, based on an individual's biometric identifier used to identify an |
|---|
| 54 | 54 | | 24individual. Biometric information does not include information derived from items or procedures |
|---|
| 55 | 55 | | 25excluded under the definition of biometric identifiers. |
|---|
| 56 | 56 | | 26 "Commercial Establishment" means a place of entertainment, a retail store, or a food and |
|---|
| 57 | 57 | | 27drink establishment. |
|---|
| 58 | 58 | | 28 "Confidential and sensitive information" means personal information that can be used to |
|---|
| 59 | 59 | | 29uniquely identify an individual or an individual's account or property. Examples of confidential |
|---|
| 60 | 60 | | 30and sensitive information include, but are not limited to, a genetic marker, genetic testing 3 of 6 |
|---|
| 61 | 61 | | 31information, a unique identifier number to locate an account or property, an account number, a |
|---|
| 62 | 62 | | 32PIN number, a pass code, a driver's license number, or a social security number. |
|---|
| 63 | 63 | | 33 "Private entity" means any individual, partnership, corporation, limited liability company, |
|---|
| 64 | 64 | | 34association, or other group, however organized. |
|---|
| 65 | 65 | | 35 "Written consent " means informed written consent. |
|---|
| 66 | 66 | | 36 Section 2. Collection, Retention, Destruction, and Disclosure of Biometric Information. |
|---|
| 67 | 67 | | 37 (a) A private entity in possession of biometric identifiers or biometric information must |
|---|
| 68 | 68 | | 38develop a written policy, made available to the person from whom biometric information is to be |
|---|
| 69 | 69 | | 39collected or was collected, establishing a retention schedule and guidelines for permanently |
|---|
| 70 | 70 | | 40destroying biometric identifiers and biometric information when the initial purpose for collecting |
|---|
| 71 | 71 | | 41or obtaining such identifiers or information has been satisfied or within 1 year of the individual's |
|---|
| 72 | 72 | | 42last interaction with the private entity, whichever occurs first. Absent a valid order, warrant, or |
|---|
| 73 | 73 | | 43subpoena issued by a court of competent jurisdiction or a local or federal governmental agency, a |
|---|
| 74 | 74 | | 44private entity in possession of biometric identifiers or biometric information must comply with |
|---|
| 75 | 75 | | 45its established retention schedule and destruction guidelines. |
|---|
| 76 | 76 | | 46 (b) No private entity may collect, capture, purchase, receive through trade, or otherwise |
|---|
| 77 | 77 | | 47obtain a person's or a customer's biometric identifier or biometric information, unless it first: |
|---|
| 78 | 78 | | 48 (1) informs the subject or the subject's legally authorized representative in writing that a |
|---|
| 79 | 79 | | 49biometric identifier or biometric information is being collected or stored; 4 of 6 |
|---|
| 80 | 80 | | 50 (2) informs the subject or the subject's legally authorized representative in writing of the |
|---|
| 81 | 81 | | 51specific purpose and length of term for which a biometric identifier or biometric information is |
|---|
| 82 | 82 | | 52being collected, stored, and used; and |
|---|
| 83 | 83 | | 53 (3) receives written consent executed by the subject of the biometric identifier or |
|---|
| 84 | 84 | | 54biometric information or the subject's legally authorized representative. Written consent may be |
|---|
| 85 | 85 | | 55obtained by electronic means. |
|---|
| 86 | 86 | | 56 (c) No private entity in possession of a biometric identifier or biometric information may |
|---|
| 87 | 87 | | 57sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or |
|---|
| 88 | 88 | | 58biometric information. |
|---|
| 89 | 89 | | 59 (d) No private entity in possession of a biometric identifier or biometric information may |
|---|
| 90 | 90 | | 60disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or |
|---|
| 91 | 91 | | 61biometric information unless: |
|---|
| 92 | 92 | | 62 (1) the subject of the biometric identifier or biometric information or the subject's legally |
|---|
| 93 | 93 | | 63authorized representative provides written consent to the disclosure or redisclosure; |
|---|
| 94 | 94 | | 64 (2) the disclosure or redisclosure completes a financial transaction requested or |
|---|
| 95 | 95 | | 65authorized by the subject of the biometric identifier or the biometric information or the subject's |
|---|
| 96 | 96 | | 66legally authorized representative; |
|---|
| 97 | 97 | | 67 (3) the disclosure or redisclosure is required by state or federal law or municipal |
|---|
| 98 | 98 | | 68ordinance; or |
|---|
| 99 | 99 | | 69 (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of |
|---|
| 100 | 100 | | 70competent jurisdiction. 5 of 6 |
|---|
| 101 | 101 | | 71 (e) A private entity in possession of a biometric identifier or biometric information shall: |
|---|
| 102 | 102 | | 72 (1) store, transmit, and protect from disclosure all biometric identifiers and biometric |
|---|
| 103 | 103 | | 73information using the reasonable standard of care within the private entity's industry; and |
|---|
| 104 | 104 | | 74 (2) store, transmit, and protect from disclosure all biometric identifiers and biometric |
|---|
| 105 | 105 | | 75information in a manner that is the same as or more protective than the manner in which the |
|---|
| 106 | 106 | | 76private entity stores, transmits, and protects other confidential and sensitive information. |
|---|
| 107 | 107 | | 77 (f) No commercial establishment shall use a person's or a customer's biometric identifier |
|---|
| 108 | 108 | | 78or biometric information to identify them. |
|---|
| 109 | 109 | | 79 Section 3. Right of Action. |
|---|
| 110 | 110 | | 80 (a) Any person aggrieved by a violation of this chapter shall have a cause of action |
|---|
| 111 | 111 | | 81pursuant to the procedures set forth in chapter 93A. Damages pursuant to any said action shall |
|---|
| 112 | 112 | | 82be no less than $5,000 per violation or actual damages suffered, whichever is greater, or up to |
|---|
| 113 | 113 | | 83three but not less than two times such amount if the court finds that the violation was a willful or |
|---|
| 114 | 114 | | 84knowing act. Damages may also include attorneys’ fees and costs. |
|---|
| 115 | 115 | | 85 (b) The attorney general may bring an action in the name of the commonwealth pursuant |
|---|
| 116 | 116 | | 86to the procedures set forth in chapter 93A upon any violation or suspected violation of this |
|---|
| 117 | 117 | | 87chapter. Damages pursuant to any said action shall be no less than $5,000 per violation or actual |
|---|
| 118 | 118 | | 88damages suffered, whichever is greater, or up to three but not less than two times such amount if |
|---|
| 119 | 119 | | 89the court finds that the violation was a willful or knowing act. |
|---|
| 120 | 120 | | 90 Section 4. Construction. 6 of 6 |
|---|
| 121 | 121 | | 91 (a) Nothing in this chapter shall be construed to impact the admission or discovery of |
|---|
| 122 | 122 | | 92biometric identifiers and biometric information in any action of any kind in any court, or before |
|---|
| 123 | 123 | | 93any tribunal, board, or agency. |
|---|
| 124 | 124 | | 94 (b) Nothing in this chapter shall be construed to conflict with the federal Health Insurance |
|---|
| 125 | 125 | | 95Portability and Accountability Act of 1996 and the rules promulgated under said Act. |
|---|