A newly proposed bill would give Massachusetts residents greater control over their online personal information and add the state to a handful of others that have already enacted similar legislation.
The legislation sets limits on the sale of personal data by businesses, similar to established law in California, Colorado and Virginia, all in the absence of related federal law. The bill, called the Massachusetts Information Privacy and Security Act, has moved out of an IT and cybersecurity-focused committee by unanimous consent and now heads to the statehouse for debate. It’s not clear when it will be taken up for consideration.
The bill would require businesses to:
- Get a consumer's permission before selling their personal information, such as geolocation, biometric or racial data, and before selling the personal data of children under 16 years of age.
- Ensure internet users have the right to delete and correct the personal information a company maintains about them.
- Provide easy-to-understand privacy notices that specify how personal information is being collected and sold and how residents can opt out of such sale.
- Conduct regular risk assessments for the sale of personal information and minimize the amount of personal information collected and retained.
The legislation would also allow the Massachusetts attorney general’s office to levy penalties of up to $7,500 per violation and require entities that buy and sell online data to register with the attorney general’s office.
Senator Barry Finegold (D), Senate co-chair of the committee, praised the bill’s advancement. “Online privacy and security issues are only going to get more important, and we need to take proactive measures to ensure new technologies are used responsibly,” he said. “In the absence of federal action, we can enact meaningful reforms in the Commonwealth and help clarify the rules of the road for businesses.”
Potential Implications for MSSPs
MSSPs and cybersecurity firms that work with data that involves Massachusetts residents may want to take note: Massachusetts has a long history of enacting legislation to protect consumer privacy. In 2019, lawmakers amended its breach notification law dating to 2007, adding new measures to cover information required in breach notifications, timing of notifications and credit monitoring services offered to the state’s residents affected by a breach. The new law would add to and stiffen those parameters.
All 50 states in the U.S., the District of Columbia, Puerto Rico and the U.S. Virgin Islands have enacted data breach legislation requiring both public and private sector entities to notify individuals whose personally identifiable information (PII) may have been compromised in a security breach.