H-96
MA · State · USA
Status: Pre-filed
Proposed Effective Date
2025-01-17
An Act to provide accountability in the use of biometric recognition technology and comprehensive enforcement
Summary

Regulates the collection, storage, and processing of biometric data by private entities in Massachusetts, imposing duties of loyalty, care, and confidentiality on covered entities. Prohibits the use of biometric data for consequential automated decisions and bans the operation of biometric recognition technology in places open to the public. Requires affirmative, specific, informed consent for processing biometric data and prohibits sale of such data to third parties. Covered entities exclude federal, state, and local government, law enforcement, national security, and intelligence agencies. Enforcement is through the attorney general under Mass. Gen. Laws ch. 93A, § 4; violations of the decision-making and public surveillance provisions are declared per se unfair or deceptive trade practices.

Enforcement & Penalties
Enforcement Authority
Attorney general enforcement under Mass. Gen. Laws ch. 93A, § 4. The attorney general may bring an action to remedy violations of this chapter and for other relief that may be appropriate. Section 4(c) declares violations of the decision-making and public surveillance restrictions to be unfair or deceptive acts under ch. 93A, enabling AG enforcement. No private right of action is explicitly created by this chapter, though ch. 93A § 9 independently provides a private right of action for violations of ch. 93A — that is an existing enforcement mechanism, not one created by this bill. The AG may also promulgate rules and regulations interpreting the duty of loyalty provisions.
Penalties
Enforcement is via ch. 93A, § 4, which provides the attorney general with authority to seek injunctive relief, civil penalties up to $5,000 per violation, and restitution. Section 4(c) expressly declares violations of the decision-making and public surveillance restrictions to be per se unfair or deceptive acts under ch. 93A. Remedies available under ch. 93A § 4 include civil penalties, injunctive relief, and costs of investigation and litigation including reasonable attorney's fees. Because violations are declared per se unfair or deceptive, no proof of actual harm is required for AG enforcement actions.
Who Is Covered
"Covered entity": Any person, including corporate affiliates, that collects, stores, or processes biometric data; provided, that the federal government or any state or local government, law enforcement agency, national security agency or intelligence agency shall not be covered entities.
Compliance Obligations (10 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Ch. 110I, § 2(c)(i)
Plain Language
Covered entities may not process or transfer biometric data in any manner that the end user has not affirmatively consented to. Consent must be freely given, specific, informed, and unambiguous — a general terms-of-service acceptance is explicitly insufficient. Consent obtained through abusive trade practices is void. Passive actions such as hovering, muting, pausing, or closing content do not constitute consent. This effectively requires opt-in consent before any biometric data processing, with the scope of processing limited to the narrowly defined purpose stated in the consent.
Statutory Text
(c) A covered entity shall not: (i) process or transfer biometric data in any manner not consented to by the end user;
D-01 Automated Processing Rights & Data Controls · D-01.5 · Deployer · Biometrics
Ch. 110I, § 2(a)
Plain Language
Covered entities owe a broad duty of loyalty to end users: they may not take any action in processing biometric data or designing biometric recognition technology that conflicts with an end user's best interests. This is a fiduciary-style obligation that goes beyond mere consent requirements — even if the end user consents, the covered entity cannot act contrary to the user's interests. The attorney general has rulemaking authority to interpret this provision further.
Statutory Text
(a) A covered entity shall be prohibited from taking any actions with respect to processing biometric data or designing biometric recognition technologies that conflict with an end user's best interests.
Other · Biometrics
Ch. 110I, § 2(b)
Plain Language
Covered entities must secure biometric data from unauthorized access using security measures at least as protective as those applied to other confidential and sensitive data. Additionally, covered entities are prohibited from engaging in harmful data practices — defined as processing or transferring biometric data in a manner that causes or is likely to cause financial, physical, or reputational injury, highly offensive intrusion upon privacy, or other substantial injury to an individual. The security obligation sets a floor, not a ceiling: the entity's existing security posture for other sensitive data is the minimum benchmark.
Statutory Text
(b) A covered entity shall be required to secure biometric data from unauthorized access in a reasonable manner that is the same as or more protective than the manner in which the covered entity secures other confidential and sensitive data and shall be prohibited from engaging in harmful data practices.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Ch. 110I, § 2(c)(ii)-(iv)
Plain Language
Covered entities face three interlocking restrictions on biometric data transfers: (1) sale of biometric data to third parties is categorically prohibited; (2) disclosure to any other person or entity is only permitted if consistent with the duties of loyalty, care, and confidentiality; and (3) any person receiving biometric data must enter into a contract imposing the same fiduciary-style duties toward the end user. Together these provisions mean biometric data may never be sold and may only be shared under contractual safeguards that extend the full suite of end-user protections to the recipient.
Statutory Text
(c) A covered entity shall not: (ii) engage in the sale of biometric data to a third party; (iii) disclose biometric data with any other person or entity except as consistent with the duties of loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), respectively; or (iv) disclose or share biometric data with any other person unless that person enters into a contract with the covered entity that imposes on the person the same duties of care, loyalty, and confidentiality toward the end user as are imposed on the covered entity under this subsection.
Other · Biometrics
Ch. 110I, § 2(d)
Plain Language
When a covered entity shares biometric data with a third party, the covered entity must take reasonable steps to verify that the recipient actually complies with the contractual duties of care, loyalty, and confidentiality — including regular audits of the recipient's data security and data practices. This creates an ongoing vendor oversight obligation, not a one-time contractual formality. Note the statute uses 'online service provider' in this subsection, which appears to be a drafting inconsistency with the rest of the chapter, which uses 'covered entity.'
Statutory Text
(d) A covered entity shall take reasonable steps to ensure that the practices of any person to whom the online service provider discloses or sells, or with whom the online service provider shares, biometric data fulfill the duties of care, loyalty, and confidentiality assumed by the person under the contract described in subparagraph (c), including by auditing, on a regular basis, the data security and data practices of any such person.
Other · Biometrics
Ch. 110I, § 2(e)
Plain Language
Covered entities may not retaliate against or discriminate against end users who refuse to consent to biometric data processing. Prohibited retaliatory actions include denying goods or services, charging different prices, providing inferior service quality, or even suggesting that the user will face differential treatment. This ensures that consent is genuinely voluntary — end users cannot be economically pressured into providing biometric data.
Statutory Text
(e) A covered entity shall not discriminate against a consumer because of the withheld consent under this title, including, but not limited to: (i) denying goods or services to the end user; (ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing a different level or quality of goods or services to the end user; (iv) suggesting that the end user will receive a different price or rate for goods or services or a different level or quality of goods or services.
CP-01 Deceptive & Manipulative AI Conduct · Deployer · Biometrics
Ch. 110I, § 3(a)-(b)
Plain Language
Covered entities must not engage in deceptive, unfair, or abusive biometric data practices. Deceptive practices are those that constitute deception under Mass. ch. 93A. Unfair practices are those causing substantial, non-avoidable injury to end users not outweighed by countervailing benefits. Abusive practices include interfering with users' ability to understand terms of biometric data agreements or exploiting users' lack of understanding, inability to protect their interests, or reasonable reliance on the covered entity. Courts must interpret these standards following FTC Act § 5(a)(1) precedent. The 'abusive' category — drawn from CFPB-style authority rather than traditional UDAP law — is noteworthy and may capture practices that are not technically deceptive or unfair but exploit power imbalances.
Statutory Text
(a) A covered entity shall not: (i) engage in a deceptive data practice; (ii) engage in an unfair data practice; or (iii) engage in an abusive trade practice. (b) It is the intent of the legislature that in construing paragraph (a) of this section in actions unfair and deceptive trade practices, the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended.
H-01 Human Oversight of Automated Decisions · Deployer · Biometrics · Automated Decisionmaking
Ch. 110I, § 4(a)
Plain Language
Covered entities are categorically prohibited from using biometric data to make or assist in making decisions that produce legal effects or similarly significant effects on end users. This is a blanket ban — not a requirement for human oversight or impact assessment — covering a broad range of consequential decisions including financial services, housing, insurance, education, criminal justice, employment, healthcare, and access to basic necessities. Unlike most automated decision-making statutes that require safeguards, this provision prohibits the use of biometric data in such decisions entirely.
Statutory Text
(a) Covered entities shall not use biometric data to help make decisions that produce legal effects or similarly significant effects concerning end users. Decisions that include legal effects or similarly significant effects concerning end users include, without limitation, denial or degradation of consequential services or support, such as financial or lending services, housing, insurance, educational enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.
S-02 Prohibited Conduct & Output Restrictions · S-02.2 · Deployer · Biometrics
Ch. 110I, § 4(b)-(c)
Plain Language
Covered entities may not operate, install, or commission the installation of biometric recognition technology equipment in any place open to and soliciting the patronage of the general public — whether the place is licensed or unlicensed. This is a total ban on public-facing biometric surveillance by private covered entities. The legislature declares any violation of this provision a per se unfair or deceptive trade practice under ch. 93A, meaning the attorney general does not need to independently establish unfairness or deceptiveness in an enforcement action. Government entities, law enforcement, and intelligence agencies are excluded from the definition of covered entity and thus not subject to this ban.
Statutory Text
(b) Covered entities may not operate, install, or commission the operation or installation of equipment incorporating biometric recognition technology in any place, whether licensed or unlicensed, which is open to and accepts or solicits the patronage of the general public. (c) The legislature finds that the practices covered by this section are matters vitally affecting the public interest for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a. A violation of this section is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a.
Other · Biometrics
Ch. 110I, § 5
Plain Language
This chapter does not preempt or supplant existing state or federal personal information protection and privacy laws. Covered entities must continue to comply with all applicable data protection laws (e.g., HIPAA, state data breach notification laws) in addition to this chapter's requirements.
Statutory Text
This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information.