Massachusetts: Bill for Massachusetts Data Privacy Protection Act reported from Committee
On May 9, 2024, Senate Bill 25 for an Act Establishing the Massachusetts Data Privacy Protection Act was reported from the Massachusetts State Senate Committee on Advanced Information Technology, the Internet and Cybersecurity. The bill was accompanied by Senate Bill 2770, which was reported favorably on the same date by the Senate Committee on Ways and Means.
What is the scope of the bill?
'Covered entity' is defined as 'any entity or any person, other than an individual acting in a non-commercial context, that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data.'
However, the bill provides that 'covered entity' does not include, among others:
- government agencies or service providers to government agencies that exclusively and solely process information provided by government entities; and
- any entity or person that meets the following criteria for the period of the three preceding calendar years:
  - average annual gross revenues during the period did not exceed $20 million;
  - did not annually collect or process the covered data of more than 25,000 individuals during the period, other than for the purpose of initiating, rendering, billing for, finalizing, completing, or otherwise collecting payment for a requested service or product, so long as all covered data for such purpose was deleted or de-identified within 90 days; and
  - no component of its revenue comes from transferring covered data during any year.
What data subject rights are provided under the bill?
Data subject rights provided under the bill include the rights to access, rectification, deletion, and data portability. Rights must be exercised free of charge the first two times they are exercised, after which a reasonable fee may be charged. Covered entities may not permit the exercise of data subject rights where they cannot reasonably verify the identity of the individual making the request, or where the request would require access to or correction of another individual's sensitive covered data.
Notably, the bill elaborates on 'advanced data rights,' including providing individuals with clear and conspicuous, easy-to-execute means to withdraw consent, at a minimum, accessible in the same or substantially similar location as a privacy policy.
Individuals are also provided with 'advanced data rights' including the right to opt out of covered data transfers, targeted advertising, and profiling.
Covered entities are also prohibited from retaliating against an individual for exercising rights under the bill.
What legal bases for processing personal data are provided under the bill?
The bill stipulates that the request for consent must be provided in a clear and conspicuous standalone disclosure made through the primary medium used to offer the entity's product or service, including a description of the processing purpose for which the individual's consent is sought. The option to refuse consent must also be at least as prominent as the option to accept, and take the same number of steps or fewer to refuse as the option to accept. The bill provides that consent must be displayed at or before the point of collection, accompanied by a privacy policy.
Regarding the privacy policy, the bill outlines requirements for the provision of a publicly available privacy policy, with minimum contents.
What other obligations and provisions are provided under the bill?
Service providers under the bill must adhere to the instructions of covered entities and only collect, process, and transfer service provider data to the extent necessary and proportionate to provide a service requested by the covered entity, pursuant to a written contract. In setting out the required contents of written contracts between covered entities and service providers, the bill notes that such requirements also apply to contracts between service providers and subprocessors.
Covered entities generally must establish, implement, and maintain reasonable policies and practices to ensure Privacy by Design.
Further, the bill details specific provisions including a prohibition on targeted advertising to minors, data broker registration, and privacy protection for location information derived from electronic devices.
On enforcement, the bill provides for a private right of action for violations of its provisions. The Massachusetts Attorney General is also granted the authority to bring an action against parties that violate the bill.