H-96
MA · State · USA
● Pending
Proposed Effective Date
2025-01-17
An Act to provide accountability in the use of biometric recognition technology and comprehensive enforcement
Summary

Regulates the collection, storage, and processing of biometric data and biometric recognition technology in Massachusetts. Imposes duties of loyalty, care, and confidentiality on any private person or entity that handles biometric data, including consent requirements, a ban on biometric data sales, data security obligations, and anti-discrimination protections for users who withhold consent. Prohibits the use of biometric data for consequential automated decisions (employment, housing, credit, etc.) and bans the operation of biometric recognition technology equipment in any place open to the general public. Enforcement is through the Attorney General under chapter 93A, with violations of the decision-making and surveillance restrictions declared per se unfair or deceptive acts. Government entities, law enforcement, and intelligence agencies are excluded from coverage.

Enforcement & Penalties
Enforcement Authority
The Attorney General may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter. Section 4(c) declares violations of the decision-making and public surveillance provisions to be per se unfair or deceptive acts under chapter 93A. Additionally, chapter 93A section 9 independently provides a private right of action for consumers injured by unfair or deceptive acts, though this bill does not itself create a standalone private right of action. The AG may also promulgate rules and regulations interpreting the duties of loyalty provisions.
Penalties
Enforcement is through chapter 93A, section 4, which provides the Attorney General with authority to seek injunctive relief, civil penalties up to $5,000 per violation, and restitution. Section 4(c) of the bill declares violations of Section 4 to be per se unfair or deceptive acts under chapter 93A, which may independently enable consumer suits under 93A § 9 (up to treble damages and attorney fees). The bill itself does not specify independent statutory damages.
Who Is Covered
"Covered entity": Any person, including corporate affiliates, that collects, stores, or processes biometric data; provided, that the federal government or any state or local government, law enforcement agency, national security agency or intelligence agency shall not be covered entities.
Compliance Obligations (12 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Ch. 110I, § 2(c)(i)
Plain Language
Covered entities may not process or transfer biometric data in any manner the end user has not consented to. Consent must be freely given, specific, informed, and unambiguous — general terms of service that bundle biometric data processing with unrelated information do not qualify. Passive actions (hovering, muting, pausing, closing content) and consent obtained through abusive trade practices are also insufficient. This is an affirmative opt-in consent requirement before any biometric data processing can occur.
Statutory Text
(c) A covered entity shall not: (i) process or transfer biometric data in any manner not consented to by the end user;
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Ch. 110I, § 2(a)
Plain Language
Covered entities owe a duty of loyalty to end users: they may not process biometric data or design biometric recognition technology in ways that conflict with the end user's best interests. This is a broad fiduciary-style obligation that goes beyond data minimization — it requires affirmatively evaluating whether each processing activity serves the end user's interests. The Attorney General may promulgate rules and regulations interpreting this provision.
Statutory Text
(a) A covered entity shall be prohibited from taking any actions with respect to processing biometric data or designing biometric recognition technologies that conflict with an end user's best interests.
D-01 Automated Processing Rights & Data Controls · D-01.5 · Deployer · Biometrics
Ch. 110I, § 2(c)(ii)-(iv)
Plain Language
Covered entities face three interrelated restrictions on biometric data transfers: (1) an absolute ban on selling biometric data to third parties; (2) a prohibition on disclosing biometric data to anyone except consistent with the duties of loyalty, care, and confidentiality; and (3) a requirement that any permitted disclosure be governed by a contract imposing on the recipient the same fiduciary duties the covered entity owes to the end user. In practice, this means any third-party data sharing requires both a lawful basis consistent with end-user interests and a downstream contractual pass-through of the full duty framework.
Statutory Text
(c) A covered entity shall not: (ii) engage in the sale of biometric data to a third party; (iii) disclose biometric data with any other person or entity except as consistent with the duties of loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), respectively; or (iv) disclose or share biometric data with any other person unless that person enters into a contract with the covered entity that imposes on the person the same duties of care, loyalty, and confidentiality toward the end user as are imposed on the covered entity under this subsection.
Other · Deployer · Biometrics
Ch. 110I, § 2(b)
Plain Language
Covered entities must secure biometric data at a level at least as protective as their security for other confidential and sensitive data, and must not engage in harmful data practices — defined as processing or transferring data in ways that cause or are likely to cause financial, physical, reputational, or privacy injury. This sets a floor-not-ceiling standard: biometric data security must be at least as strong as the entity's existing security for its most sensitive data categories.
Statutory Text
(b) A covered entity shall be required to secure biometric data from unauthorized access in a reasonable manner that is the same as or more protective than the manner in which the covered entity secures other confidential and sensitive data and shall be prohibited from engaging in harmful data practices.
Other · Deployer · Biometrics
Ch. 110I, § 2(d)
Plain Language
Covered entities must take reasonable steps — including regular audits — to verify that any third party receiving biometric data is actually complying with the contractual duties of care, loyalty, and confidentiality required under Section 2(c). This goes beyond merely requiring a contract: the covered entity must actively monitor and audit the downstream recipient's data security and data practices on an ongoing basis. Note that the provision references 'online service provider' — likely a drafting inconsistency with 'covered entity' used elsewhere.
Statutory Text
(d) A covered entity shall take reasonable steps to ensure that the practices of any person to whom the online service provider discloses or sells, or with whom the online service provider shares, biometric data fulfill the duties of care, loyalty, and confidentiality assumed by the person under the contract described in subparagraph (c), including by auditing, on a regular basis, the data security and data practices of any such person.
D-01 Automated Processing Rights & Data Controls · D-01.3 · Deployer · Biometrics
Ch. 110I, § 2(e)
Plain Language
Covered entities may not retaliate against end users who refuse to consent to biometric data processing. Retaliation includes denying goods or services, differential pricing, degraded service quality, or even suggesting that the user will receive worse terms. This ensures the consent requirement is meaningful — users cannot be economically coerced into providing biometric data consent.
Statutory Text
(e) A covered entity shall not discriminate against a consumer because of the withheld consent under this title, including, but not limited to: (i) denying goods or services to the end user; (ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing a different level or quality of goods or services to the end user; (iv) suggesting that the end user will receive a different price or rate for goods or services or a different level or quality of goods or services.
CP-01 Deceptive & Manipulative AI Conduct · Deployer · Biometrics
Ch. 110I, § 3(a)
Plain Language
Covered entities must not engage in deceptive, unfair, or abusive practices with respect to biometric data. 'Deceptive' incorporates the existing chapter 93A deceptive acts standard. 'Unfair' follows the FTC Act three-part test: substantial injury, not reasonably avoidable, and not outweighed by countervailing benefits. 'Abusive' adds a CFPB-style prohibition on materially interfering with end users' ability to understand biometric data terms or taking unreasonable advantage of information asymmetries, user vulnerability, or reasonable reliance on the covered entity. Courts are directed to follow FTC and federal court interpretations of Section 5(a)(1) of the FTC Act.
Statutory Text
(a) A covered entity shall not: (i) engage in a deceptive data practice; (ii) engage in an unfair data practice; or (iii) engage in an abusive trade practice.
H-01 Human Oversight of Automated Decisions · Deployer · Biometrics · Automated Decisionmaking
Ch. 110I, § 4(a)
Plain Language
Covered entities are categorically prohibited from using biometric data as an input to any decision that produces legal or similarly significant effects on end users. This is not a 'disclose and proceed' or 'human-in-the-loop' requirement — it is an absolute ban. The scope of covered decisions is broad and includes denial or degradation of financial services, housing, insurance, education, criminal justice, employment, healthcare, and access to basic necessities. This is stricter than most automated decision statutes, which typically require bias testing or human review rather than an outright prohibition on the use of a data type.
Statutory Text
(a) Covered entities shall not use biometric data to help make decisions that produce legal effects or similarly significant effects concerning end users. Decisions that include legal effects or similarly significant effects concerning end users include, without limitation, denial or degradation of consequential services or support, such as financial or lending services, housing, insurance, educational enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.
S-02 Prohibited Conduct & Output Restrictions · S-02.2 · Deployer · Biometrics
Ch. 110I, § 4(b)
Plain Language
Covered entities may not operate, install, or commission biometric recognition technology equipment in any place open to the general public — whether licensed or unlicensed. This is a blanket prohibition on public-facing biometric surveillance, covering retail stores, restaurants, stadiums, transit hubs, and any other venue that accepts or solicits public patronage. Unlike many jurisdictions that limit only real-time facial recognition, this ban covers all biometric recognition technology, including fingerprint scanners, voice recognition, and gait analysis, in any public-facing physical space. There is no exception for law enforcement (law enforcement is already excluded from the covered entity definition).
Statutory Text
(b) Covered entities may not operate, install, or commission the operation or installation of equipment incorporating biometric recognition technology in any place, whether licensed or unlicensed, which is open to and accepts or solicits the patronage of the general public.
Other · Biometrics
Ch. 110I, § 4(c)
Plain Language
This provision declares that violations of the decision-making and public surveillance prohibitions in Section 4 are per se unfair or deceptive acts under Massachusetts chapter 93A. This means a plaintiff or the AG does not need to independently prove that the conduct is unfair or deceptive — violation of Section 4 automatically satisfies that element. This is an enforcement hook, not a new substantive obligation.
Statutory Text
(c) The legislature finds that the practices covered by this section are matters vitally affecting the public interest for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a. A violation of this section is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a.
Other · Biometrics
Ch. 110I, § 5
Plain Language
This savings clause confirms that compliance with this chapter does not excuse compliance with other applicable state or federal privacy laws. It creates no new obligation — it merely clarifies that this chapter is additive to existing law.
Statutory Text
This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information.
Other · Biometrics
Ch. 110I, § 6
Plain Language
The Attorney General has authority to bring enforcement actions under chapter 93A section 4 to remedy violations of the entire chapter. This authorizes AG-initiated enforcement, including injunctive relief and civil penalties available under 93A. This is an enforcement provision, not a new substantive compliance obligation.
Statutory Text
The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.