Massachusetts Lawmakers Eyeing Bill to Protect Consumers’ Online Information

A newly proposed bill would give Massachusetts residents greater control over their online personal information and add the state to a handful of others that have already enacted similar legislation.

The legislation sets limits on the sale of personal data by businesses, similar to established law in California, Colorado and Virginia, all in the absence of related federal law. The bill, called the Massachusetts Information Privacy and Security Act, has moved out of an IT and cybersecurity-focused committee by unanimous consent and now heads to the statehouse for debate. It’s not clear when it will be taken up for consideration.

The bill would require businesses to:

  • Get permission from a consumer before selling their personal information, such as geolocation, biometric or racial data, and before selling the personal data of children under 16 years of age.
  • Ensure internet users have the right to delete and correct the personal information a company maintains about them.
  • Provide easy-to-understand privacy notices that specify how personal information is being collected and sold and how residents can opt out of such sale.
  • Conduct regular risk assessments for the sale of personal information and minimize the amount of personal information collected and retained.

The legislation would also allow the Massachusetts attorney general’s office to levy penalties of up to $7,500 per violation and require entities that buy and sell online data to register with the attorney general’s office.

Senator Barry Finegold (D), Senate co-chair of the committee, praised the bill’s advancement. “Online privacy and security issues are only going to get more important, and we need to take proactive measures to ensure new technologies are used responsibly,” he said. “In the absence of federal action, we can enact meaningful reforms in the Commonwealth and help clarify the rules of the road for businesses.”

Federal legislation currently in committee would establish a national data privacy policy that would give consumers and businesses a uniform set of rules and regulations to shield personal information from misuse. The Information Transparency and Personal Data Control Act, proposed by Suzan DelBene (D-WA), aims to give consumers control over how businesses are sharing or selling their personal information, spanning identifiers to financial, health, genetic, biometric, geolocation, sexual orientation, citizenship and immigration status, social security number and religion. The bill was initially introduced in 2018 in a previous session of Congress but did not come to a floor vote.

Potential Implications for MSSPs

MSSPs and cybersecurity firms that work with data that involves Massachusetts residents may want to take note: Massachusetts has a long history of enacting legislation to protect consumer privacy. In 2019, lawmakers amended the state's breach notification law dating to 2007, adding new measures to cover information required in breach notifications, timing of notifications and credit monitoring services offered to the state’s residents affected by a breach. The new law would add to and stiffen those parameters.

All 50 states in the U.S., the District of Columbia, Puerto Rico and the U.S. Virgin Islands have enacted data breach legislation requiring both public and private sector entities to notify individuals whose personally identifiable information (PII) may have been compromised in a security breach.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.