Legislature Advances Data Privacy Bill

The Massachusetts Data Privacy Act received a favorable report yesterday by the Massachusetts Legislature’s Joint Committee on Advanced Information Technology, the Internet and Cyber Security. 

With this bill, the Massachusetts legislature has the opportunity to pass the strongest comprehensive consumer privacy law nationwide. Earlier this year, MASSPIRG and the Electronic Privacy Information Center (EPIC) released a scorecard report which gave the bill’s predecessor – the Massachusetts Data Protection and Privacy Act – an A grade for how well it would protect consumers’ personal data privacy and personal security. The newly released Massachusetts Data Privacy Act would receive the same nation-leading grade. 

Too often when we go online our personal data is being collected in ways far outside what’s necessary to deliver the service we’re expecting to get. For example, the fast-food chain Tim Hortons was accused by Canadian authorities in 2022 of using its mobile app to harvest users’ location data 24/7, even when the app was closed. According to a Mozilla Foundation investigation last year, all 25 major car brands may collect surprisingly intimate data from customers, including in some cases geolocation, health diagnoses, and genetic information using your car’s onboard computers and companion apps.

These practices put your personal security at risk. The more data a company collects, and the more other companies share it with, the more likely it is that your information will be exposed in a breach or a hack and end up in the wrong hands. This can make you more vulnerable to becoming the victim of identity theft or hyper-targeted scams, or even cause you to end up on more robocall lists. 

The Massachusetts Data Privacy Act’s strongest provisions will protect consumers from these abuses and more. These include: 

• Minimizes the data collected: Prohibits companies from  collecting more data than is necessary for delivering the service a consumer is expecting to get. The bill also  puts limits on how companies can use sensitive information such as health data and precise geolocation data, making it less likely a consumer’s information will end up in the wrong hands and bring data collection in line with what consumers are expecting.    
• Improves enforcement by allowing a private right of action. Enables consumers to hold companies that violate their rights accountable in court, increasing the cost of violations and more effectively deterring harmful corporate practices from happening in the first place.  
• Limits targeted advertising. Prohibits companies from using sensitive data for targeted advertising. The online advertising industry is responsible for sharing consumer’s personal data widely to hundreds of actors, making this prohibition crucial for limiting the risks of sensitive information ending up exposed in a breach or a hack.

Massachusetts has previously been a leader on data privacy and security. Chapter 93H is the most comprehensive state data security law in the United States. Passed in August 2007, the legislation set strong data security standards for entities that handle personal information on Massachusetts residents. 

The bill now moves to the Committee on Ways and Means. 

By passing the Massachusetts Data Privacy Act, Massachusetts will continue to be a leader in protecting consumers’ online lives, giving Bay Staters the protections they deserve.