Regulon — MA-HB-103 · MA HB 103 (Neural Data Privacy)

WHAT THIS BILL REGULATES · 4 REQUIREMENT TYPES

How Is This Bill Enforced

Enforcement Authority

Attorney General enforcement under Chapter 93A. Private right of action for any individual alleging a violation against a covered entity, service provider, or third party that is a large data holder. No pre-suit administrative complaint or mandatory arbitration may be required.

Private Right of Action

Private right of action for any individual alleging a violation against a covered entity, service provider, or third party that is a large data holder.

Penalties

Private action: actual damages or $5,000, whichever is higher (via Chapter 93A). Court may also award liquidated damages of not less than 0.15% of annual global revenue or $15,000 per violation, whichever is greater; punitive damages; injunctive relief; and reasonable attorney's fees and costs to any prevailing plaintiff. AG action: civil penalty of not less than 0.15% of annual global revenue or $15,000 per violation (whichever greater), and not more than 4% of annual global revenue or $20,000,000 (whichever greater) per action involving multiple violations. Court may suspend or prohibit entity from operating in the commonwealth for flagrant, willful, and repeat violations. AG also recovers reasonable costs, attorneys' fees, and expert fees.

Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.

Statutory Text

Analysis & Obligations

Ch. 93N § 1

Definitions

(a)(1)–(35) As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings: (1) "authentication", the process of verifying an individual or entity for security purposes. (2) "chapter", this chapter of the General Laws, as from time to time may be amended, and any regulations promulgated under said chapter. (3) "collect" and "collection", buying, renting, licensing, gathering, obtaining, receiving, accessing, or otherwise acquiring covered data by any means. (4) "consent", a clear affirmative act signifying an individual's freely given, specific, informed, and unambiguous agreement to allow the processing of specific categories of personal information relating to the individual for a narrowly defined particular purpose... (5) "control"... (6) "covered data"... (7) "covered entity"... (8) "covered high-impact social media company"... (9) "dark pattern or deceptive design"... (10) "de-identified data"... (11) "derived data"... (12) "device"... (13) "homepage"... (14) "individual"... (15) "knowledge"... (16) "large data holder"... (17) "material"... (18) "minor"... (19) "neural data"... (20) "OCABR"... (21) "precise geolocation information"... (22) "process"... (23) "processing purpose"... (24) "profiling"... (25) "publicly available information"... (26) "reasonably understandable"... (27) "sensitive covered data"... (28) "service provider"... (29) "service provider data"... (30) "targeted advertising"... (31) "third party"... (32) "third party data"... (33) "transfer"... (34) "unique identifier"... (35) "widely distributed media"...

Section 1 establishes the definitional framework for the entire chapter. The most consequential definition is neural data — information generated by measuring the activity of an individual's central or peripheral nervous system, expressly excluding inferences from non-neural information. Neural data is categorized as sensitive covered data, which triggers heightened protections throughout the bill. The section also defines the entities subject to the chapter: covered entities (data controllers), service providers (data processors), large data holders (entities with ≥$200M revenue and ≥2M individuals' data), and covered high-impact social media companies ($3B+ revenue, 300M+ monthly users). The tiered knowledge standard for minor status is notable — ranging from constructive knowledge for social media companies to actual knowledge for smaller entities.

Ch. 93N § 2

Sensitive Covered Data

Deployer

(a)(1) 1 A covered entity or service provider shall not: (1) collect or process sensitive covered data, except where such collection or processing is strictly necessary to provide or maintain a specific product or service requested by the individual to whom the covered data pertains.

(a)(2) 2 transfer an individual's sensitive covered data to a third party, unless: (i) the transfer is made pursuant to the consent of the individual, given before each specific transfer takes place; (ii) the transfer is necessary to comply with a legal obligation imposed by federal law, so long as such obligation preexisted the collection and previous notice of such obligation was provided to the individual to whom the data pertains; (iii) the transfer is necessary to prevent an individual from imminent injury where the covered entity believes in good faith that the individual is at risk of death, serious physical injury, or serious health risk;

(a)(3) 3 process sensitive covered data for the purposes of targeted advertising.

Section 2 imposes strict limitations on the collection, processing, and transfer of sensitive covered data — which includes all neural data. Covered entities and service providers may collect or process sensitive covered data only where strictly necessary to provide or maintain a specific product or service requested by the individual. Transfers to third parties require per-transfer affirmative consent, with narrow exceptions for legal compliance and imminent-injury scenarios. The section categorically prohibits processing sensitive covered data for targeted advertising.

Compliance actions 3 items

Covered entities and service providers must not collect or process sensitive covered data (including neural data) unless such collection or processing is strictly necessary to provide or maintain a specific product or service requested by the individual.

D-01.4

Covered entities and service providers must not transfer an individual's sensitive covered data (including neural data) to a third party unless the individual provides affirmative consent before each specific transfer, or the transfer falls within narrow exceptions for federal legal obligations or imminent injury.

D-01.8

Covered entities and service providers must not process sensitive covered data (including neural data) for the purposes of targeted advertising.

D-01.5

Ch. 93N § 3

Data Subject Rights

Deployer

(a)(1)–(4) 4 A covered entity shall provide an individual, after receiving a verified request from the individual, with the right to: (1) access: (i) in a human-readable format that a reasonable individual can understand and download from the internet and transmit freely, the covered data (except covered data in a back-up or archival system) of the individual making the request that is collected, processed, or transferred by the covered entity or any service provider of the covered entity within the 12 months preceding the request; (ii) the categories of any third party or service provider, if applicable, and an option for consumers to obtain the names of any such third party as well as and the categories of any service providers to whom the covered entity has transferred the covered data of the individual, as well as the categories of sources from which the covered data was collected; and (2) correct any verifiable substantial inaccuracy or substantially incomplete information with respect to the covered data of the individual that is processed by the covered entity and instruct the covered entity to make reasonable efforts to notify all third parties or service providers to which the covered entity transferred such covered data of the corrected information; (3) delete covered data of the individual that is processed by the covered entity and instruct the covered entity to make reasonable efforts to notify all third parties or service provider to which the covered entity transferred such covered data of the individual's deletion request; and (4) to the extent technically feasible, export to the individual or directly to another entity the covered data of the individual that is processed by the covered entity, including inferences linked or reasonably linkable to the individual but not including other derived data, without licensing restrictions that limit such transfers in: (i) a human-readable format that a reasonable individual can understand and download from the internet and transmit freely; and (ii) a portable, structured, interoperable, and machine-readable format.

(b)–(l) 4 A covered entity may not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of a right described in subsection (a) through: (1) the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or (2) the use of any dark pattern or deceptive design. (c) Subject to subsections (d) and (e), each request under subsection (a) shall be completed within 45 days of such request from an individual, unless it is demonstrably impracticable or impracticably costly to verify such individual's request. (d) A response period set forth in this subsection may be extended once by 20 additional days when reasonably necessary... (e) A covered entity: (1) shall provide an individual with the opportunity to exercise each of the rights described in subsection (a) and with respect to: (i) the first two times that an individual exercises any right described in subsection (a) in any 12-month period, shall allow the individual to exercise such right free of charge... (f) A covered entity may not permit an individual to exercise a right described in subsection (a), in whole or in part, if the covered entity: (1) cannot reasonably verify that the individual making the request to exercise the right is the individual whose covered data is the subject of the request... (g) If a covered entity cannot reasonably verify that a request to exercise a right described in subsection (a) is made by the individual whose covered data is the subject of the request, the covered entity: (1) may request that the individual making the request to exercise the right provide any additional information necessary for the sole purpose of verifying the identity of the individual; and (2) may not process or transfer such additional information for any other purpose. (h) A covered entity may decline, with adequate explanation to the individual, to comply with a request to exercise a right described in subsection (a), in whole or in part, that would: (1) require the covered entity to retain any covered data collected for a single, one-time transaction... (i) A covered entity may decline, with adequate explanation to the individual, to comply with a request for deletion pursuant to paragraph (3) of subsection (a) if such request: (1) unreasonably interferes with the provision of products or services... (j) In a circumstance that would allow a denial pursuant to this section, a covered entity shall partially comply with the remainder of the request if it is possible and not unduly burdensome to do so. (k) The receipt of a large number of verified requests, on its own, may not be considered to render compliance with a request demonstrably impracticable. (l) A covered entity shall facilitate the ability of individuals to make requests under subsection (a) in any language in which the covered entity provides a product or service...

Section 3 establishes a comprehensive set of individual data rights: access (in human-readable and machine-readable formats), correction, deletion, and data portability. Requests must be fulfilled within 45 days, extendable by 20 days for complex requests. The first two exercises per 12-month period must be free of charge. The section also provides extensive exceptions allowing covered entities to decline requests — including for trade secrets, fraud prevention, professional ethical obligations, and where compliance would be impracticable. Covered entities must facilitate requests in all languages in which they offer products and ensure accessibility for individuals with disabilities.

Compliance actions 1 item

Covered entities must, upon verified request, provide individuals with the right to (1) access their covered data in human-readable and machine-readable formats, (2) correct inaccuracies and notify downstream recipients, (3) delete their covered data and notify downstream recipients, and (4) export their data portably — all within 45 days (extendable by 20 days), free of charge for the first two requests per year, and without using dark patterns or deceptive design to impede exercise of these rights.

D-01.1

Ch. 93N § 4

Consent Practices

Deployer

(a)(1)–(9) 5 The requirements of this chapter with respect to a request for consent from a covered entity or service provider to an individual are the following: (1) The request for consent shall be provided to the individual in a clear and conspicuous standalone disclosure made through the primary medium used to offer the covered entity's product or service... (2) The request includes a description of the processing purpose for which the individual's consent is sought by: (i) clearly stating the specific categories of covered data that the covered entity shall collect, process, and transfer necessary to effectuate the processing purpose; and (ii) including a prominent heading and is reasonably understandable so that an individual can identify and understand the processing purpose for which consent is sought and the covered data to be collected, processed, or transferred by the covered entity for such processing purpose; (3) The request clearly explains the individual's applicable rights related to consent; (4) The request is made in a manner reasonably accessible to and usable by individuals with disabilities; (5) The request is made available to the individual in each covered language in which the covered entity provides a product or service for which authorization is sought; (6) The option to refuse consent shall be at least as prominent as the option to accept, and the option to refuse consent shall take the same number of steps or fewer as the option to accept; (7) Processing or transferring any covered data collected pursuant to consent for a different processing purpose than that for which consent was obtained shall require consent for the subsequent processing purpose; (8) The request for consent must be displayed at or before the point of collection; and (9) The request must be accompanied by a copy of the covered entity's or service provider's privacy policy...

(b)–(c) 5 A covered entity shall not infer that an individual has provided consent to a practice from the inaction of the individual or the individual's continued use of a service or product provided by the covered entity. (c) A covered entity shall not obtain or attempt to obtain the consent of an individual through: (1) the use of any false, fictitious, fraudulent, or materially misleading statement or representation; (2) the use of any dark pattern or deceptive design; or (3) conditioning or limiting access to an individual's account.

Section 4 prescribes detailed requirements for how covered entities must obtain consent. Consent requests must be clear and conspicuous standalone disclosures, must specify the processing purpose and data categories, must explain the individual's rights, must be accessible and multilingual, and must present the option to refuse consent at least as prominently as the option to accept. Consent may not be inferred from inaction or continued use, and may not be obtained through dark patterns, misrepresentation, or by conditioning account access.

Compliance actions 1 item

Covered entities must obtain consent through clear, conspicuous standalone disclosures that specify processing purposes and data categories, present the option to refuse at least as prominently as the option to accept, and must not infer consent from inaction, use dark patterns, or condition account access on consent.

CP-01.3

Ch. 93N § 5

Privacy by Design

Deployer

(a)(1)–(5) 6 A covered entity or service provider shall establish, implement, and maintain reasonable policies, practices, and procedures that reflect the role of the covered entity or service provider in the collection, processing, and transferring of covered data and that: (1) consider applicable federal and state laws, rules, or regulations related to covered data the covered entity or service provider collects, processes, or transfers; (2) identify, assess, and mitigate privacy risks related to minors; (3) mitigate privacy risks related to the products and services of the covered entity or the service provider, including in the design, development, and implementation of such products and services, considering the role of the covered entity or service provider and the information available to it; (4) evaluate the length of time that covered data shall be retained and circumstances under which covered data shall be deleted, de-identified, or otherwise modified with respect to the purposes for which it was collected or processed and the sensitivity of the covered data; and (5) implement reasonable training and safeguards within the covered entity and service provider to promote compliance with all privacy laws applicable to covered data the covered entity collects, processes, or transfers or covered data the service provider collects, processes, or transfers on behalf of the covered entity and mitigate privacy risks taking into account the role of the covered entity or service provider and the information available to it.

(b)(1)–(5) 6 The policies, practices, and procedures established by a covered entity or service provider under subsection (a), shall correspond with, as applicable: (1) the size of the covered entity or the service provider and the nature, scope, and complexity of the activities engaged in by the covered entity or service provider... (2) the sensitivity of the covered data collected, processed, or transferred by the covered entity or service provider; (3) the volume of covered data collected, processed, or transferred by the covered entity or service provider; (4) the number of individuals and devices to which the covered data collected, processed, or transferred by the covered entity or service provider relates; and (5) the cost of implementing such policies, practices, and procedures in relation to the risks and nature of the covered data.

Section 5 requires covered entities and service providers to establish, implement, and maintain reasonable privacy policies, practices, and procedures — a privacy-by-design obligation. These must address applicable law, minor-specific privacy risks, product lifecycle privacy risks, data retention evaluation, and employee training. The program must be scaled proportionally to the entity's size, data sensitivity, data volume, number of affected individuals, and implementation costs.

Compliance actions 1 item

Covered entities and service providers must establish, implement, and maintain reasonable privacy policies, practices, and procedures addressing applicable law, minor-specific risks, product lifecycle privacy risks, data retention, and employee training — scaled proportionally to entity size, data sensitivity, data volume, number of individuals affected, and implementation costs.

G-01.1

Ch. 93N § 6

Pricing

Deployer

(a)–(c) 7 A covered entity may not retaliate against an individual for: (1) exercising any of the rights guaranteed by this chapter, or any regulations promulgated under this chapter; or (2) refusing to agree to collection or processing of covered data for a separate product or service, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services. (b) Nothing in subsection (a) shall be construed to: (1) prohibit the relation of the price of a service or the level of service provided to an individual to the provision, by the individual, of financial information that is necessarily collected and processed only for the purpose of initiating, rendering, billing for, or collecting payment for a service or product requested by the individual; (2) prohibit a covered entity from offering a different price, rate, level, quality or selection of goods or services to an individual, including offering goods or services for no fee, if the offering is in connection with an individual's voluntary participation in a bona fide loyalty, rewards, premium features, discount or club card program... (3)–(6)... (c) Notwithstanding the provisions in this section, no covered entity may offer different types of pricing that are unjust, unreasonable, coercive, or usurious in nature.

Section 6 prohibits covered entities from retaliating against individuals for exercising rights under the chapter or for refusing data collection for unrelated products — including through price discrimination, service denial, or service degradation. The section carves out bona fide loyalty programs, financial incentives for market research, and situations where data collection is strictly necessary for the product. A blanket prohibition bars unjust, unreasonable, coercive, or usurious pricing regardless of the carve-outs.

Compliance actions 1 item

Covered entities must not retaliate against individuals for exercising privacy rights or refusing data collection, including by denying services, charging different prices, or degrading service quality. No pricing that is unjust, unreasonable, coercive, or usurious is permitted.

CP-01

Ch. 93N § 7

Civil Rights Protections

Deployer

(a)–(b) 8 A covered entity or a service provider may not collect, process, or transfer covered data or publicly available data in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services (i.e., has a disparate impact) on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, disability, genetic information, neural data, pregnancy or a condition related to said pregnancy including, but not limited to, lactation or the need to express breast milk for a nursing child, ancestry or status as a veteran, or any other basis protected by chapter 151B. (b) This subsection shall not apply to: (1) the collection, processing, or transfer of covered data for the purpose of: (i) covered entity's or a service provider's self-testing to prevent or mitigate unlawful discrimination; or (ii) diversifying an applicant, participant, or customer pool; or (2) any private club or group not open to the public, as described in section 201(e) of the Civil Rights Act of 1964, 42 U.S.C. section 2000a(e).

(c) 8 Whenever the Attorney General obtains information that a covered entity or service provider may have collected, processed, or transferred covered data in violation of subsection (a), the Attorney General shall initiate enforcement actions relating to such violation in accordance with section 12 of this chapter. (1) Not later than 3 years after the date of enactment of this chapter, and annually no later than December 31 of each year thereafter, the Attorney General shall submit to the joint committee on ways and means, the joint committee on racial equity, civil rights, and inclusion, and the joint committee on advanced information technology, the internet and cybersecurity a report that includes a summary of the enforcement actions taken under this subsection.

Section 7 prohibits covered entities and service providers from collecting, processing, or transferring covered data or publicly available data in a manner that discriminates in or makes unavailable the equal enjoyment of goods or services on the basis of protected characteristics — expressly including neural data as a protected basis. The section incorporates a disparate impact standard. Exceptions exist for self-testing to prevent discrimination and for diversifying applicant pools. The Attorney General must initiate enforcement upon receiving information of a violation and must submit annual enforcement reports to legislative committees beginning three years after enactment.

Compliance actions 1 item

Covered entities and service providers must not collect, process, or transfer covered data (including neural data) in a manner that has a disparate impact on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, disability, genetic information, neural data, pregnancy, ancestry, veteran status, or any other basis protected by Chapter 151B. Exceptions apply for self-testing to prevent discrimination and for diversifying applicant pools.

H-02

Ch. 93N § 8

Deployer

(a)–(c) 9 Each covered entity or service provider shall make publicly available, in a clear and conspicuous location on its homepage, a reasonably understandable and not misleading privacy policy that provides a detailed and accurate representation of the data collection, processing, and transfer activities of the covered entity or service provider. (b) The privacy policy must be provided in a manner that is reasonably accessible to and usable by individuals with disabilities... (c) The privacy policy must include, at a minimum: (1) The identity and the contact information of: (i) the covered entity or service provider to which the privacy policy applies... (ii) any other entity within the same corporate structure... (2) the categories of covered data the covered entity or service provider collects or processes; (3) the processing purposes for each category of covered data... (4) whether the covered entity or service provider transfers covered data and, if so, each category of service provider and third party to which the covered entity or service provider transfers covered data... (5) The length of time the covered entity or service provider intends to retain each category of covered data... (6) A prominent, clear, and reasonably understandable description of how an individual can exercise the rights described in this chapter; (7) A general description of the covered entity's or service provider's data security practices; and (8) The effective date of the privacy policy.

(d)–(e) 9 If a covered entity or service provider makes a material change to its privacy policy or practices, the covered entity or service provider shall notify each individual affected by such material change before implementing the material change with respect to any prospectively collected covered data and provide a reasonable opportunity for each individual to withdraw consent to any further materially different collection, processing, or transfer of previously collected covered data under the changed policy. (e) A covered entity or service provider shall take all reasonable electronic measures to provide direct notification regarding material changes to the privacy policy to each affected individual...

(g)–(j) 10 Each large data holder shall retain copies of previous versions of its privacy policy for at least 10 years beginning after the date of enactment of this chapter and publish them on its website. Such large data holder shall make publicly available, in a clear, conspicuous, and readily accessible manner, a log describing the date and nature of each material change to its privacy policy over the past 10 years... (h) In addition to the privacy policy required under subsection (a), a large data holder that is a covered entity shall provide a short form notice of no more than 500 words in length that includes the main features of their data practices. (i) Each covered entity or service provider that collects, processes, or transfers biometric data shall provide a separate privacy policy detailing the collection, processing, and transfer of such biometric data... (j) Each covered entity or service provider that collects, processes, or transfers specific precise geolocation information shall provide a separate privacy policy detailing the collection, processing, and transfer of such precise geolocation information...

Section 8 mandates that every covered entity and service provider publish a detailed, accessible, and not misleading privacy policy on its homepage. The policy must enumerate the entity's identity and contact information, data categories collected, processing purposes, third-party recipients, retention periods, individual rights descriptions, data security practices, and effective date. Material changes require advance notice and an opportunity to withdraw consent. Large data holders must maintain a 10-year archive of prior policies, a public change log, and provide a 500-word short-form notice. Separate privacy policies are required for biometric data and precise geolocation information.

Compliance actions 2 items

Covered entities and service providers must publish a detailed, accessible, reasonably understandable privacy policy on their homepage covering data categories, processing purposes, third-party transfers, retention periods, individual rights, data security practices, and effective date. Material changes require advance notice to affected individuals and an opportunity to withdraw consent.

G-01.3

Large data holders must retain and publish prior privacy policy versions for at least 10 years with a public change log, and must provide a short-form notice of no more than 500 words. Entities collecting biometric data or precise geolocation information must each maintain a separate privacy policy for those data types.

G-01.3

Ch. 93N § 9

Advanced Data Rights

Deployer

(a)–(b) 11 A covered entity or service provider shall provide an individual with a clear and conspicuous, easy-to-execute means to withdraw consent. Those means shall be at least as easy to execute by an individual as the means to provide consent and shall, at a minimum, be accessible in the same or a substantially similar location as the privacy policies required by section 8. (b) A covered entity or service provider shall provide an individual with a clear and conspicuous, easy-to-execute means to opt out of covered data transfers. Those means shall be at least as easy to execute by an individual as the means to provide consent and shall, at a minimum, be accessible in the same or a substantially similar location as the privacy policies required by section 8.

(c)–(d) 12 Right to opt out of profiling. A covered entity or service provider that engages in profiling in furtherance of automated decisions that produce legal or similarly significant effects on an individual shall: (1) provide such individual with a clear and conspicuous means to opt out of such profiling; and (2) allow an individual to object to such profiling through an opt out mechanism, at a minimum, accessible in the same or a substantially similar location as the privacy policies required by section 9. (d) A covered entity or service provider that receives an opt out notification pursuant to this section shall abide by such opt out designations in a commercially reasonable timeframe. Such covered entity or service provider shall notify any other person that directed the covered entity or service provider to either serve, deliver, or otherwise process targeted advertisements or to engage in profiling in furtherance of automated decisions of the individual's opt out decision within a commercially reasonable timeframe.

(e)–(i) 11 A covered entity or service provider may not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of any individual right under this section through: (1) the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or (2) the use of a dark pattern or deceptive design. (f) A covered entity shall notify third parties who had access to an individual's covered data when the individual exercises any of the rights established in this section. The third party shall comply with the request to opt out of sale or data transfer forwarded to them from a covered entity... (g) A covered entity that communicates an individual's opt out request to a third party or service provider pursuant to this section shall not be liable under this chapter if the third party or service provider receiving the opt-out request violates the restrictions set forth in this chapter; provided, however, that at the time of communicating the opt-out request, the covered entity does not know or should not reasonably know that the third party or service provider intends to commit such a violation. (h) If an individual decides to opt out of the processing of the individual's covered data for the purposes specified in subsections (b), (c), or (d) and such decision conflicts with the individual's existing, voluntary participation in a covered entity's bona fide loyalty, rewards, premium features, discounts or club card program, the covered entity shall comply with the individual's opt out preference signal but may notify the individual of the conflict... (i) A covered entity or service provider shall not require an individual to create an account for the purposes of exercising any right under this chapter.

Section 9 establishes advanced opt-out rights beyond the basic data subject rights in Section 3. Individuals must be provided with clear, easy-to-execute means to withdraw consent, opt out of data transfers, and opt out of profiling in furtherance of automated decisions that produce legal or similarly significant effects. Covered entities must honor opt-out designations in a commercially reasonable timeframe and propagate them to third parties. The section prohibits conditioning these rights through misrepresentation or dark patterns, and requires covered entities not to require account creation for rights exercise.

Compliance actions 2 items

Covered entities and service providers must provide individuals with clear, conspicuous, easy-to-execute means to withdraw consent and to opt out of covered data transfers, at least as easy as the means to provide consent, and accessible near the privacy policy. Opt-out requests must be propagated to third parties, and no account creation may be required to exercise these rights.

D-01.3

Covered entities and service providers that engage in profiling for automated decisions producing legal or similarly significant effects must provide individuals with a clear, conspicuous opt-out mechanism and must honor opt-out designations in a commercially reasonable timeframe, including notifying downstream profiling and advertising partners of the individual's opt-out decision.

D-01.3

Ch. 93N § 10

Service Providers

Deployer

(a)(1)–(8) 13 A service provider: (1) shall adhere to the instructions of a covered entity and only collect, process, and transfer service provider data to the extent necessary and proportionate to provide a service requested by the covered entity, as set out in the contract required by subsection (b)... (2) may not collect, process, or transfer service provider data if the service provider has actual knowledge that a covered entity violated this chapter with respect to such data; (3) shall assist a covered entity in responding to a request made by an individual under this chapter... (4) may engage another service provider for purposes of processing service provider data on behalf of a covered entity only after providing that covered entity with notice and pursuant to a written contract... (5) shall, upon the reasonable request of the covered entity, make available to the covered entity information necessary to demonstrate the compliance of the service provider... (6) shall, at the covered entity's direction, delete or return all covered data to the covered entity as requested at the end of the provision of services... (7) shall develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security and confidentiality of covered data... (8) shall allow and cooperate with reasonable assessments by the covered entity or the covered entity's designated assessor...

(b)(1)–(4) 13 A person or entity may only act as a service provider pursuant to a written contract between the covered entity and the service provider... if the contract: (1) sets forth the data processing procedures of the service provider with respect to collection, processing, or transfer performed on behalf of the covered entity or service provider; (2) clearly sets forth: (i) instructions for collecting, processing, or transferring data; (ii) the nature and purpose of collecting, processing, or transferring; (iii) the type of data subject to collecting, processing, or transferring; (iv) the duration of processing; and (v) the rights and obligations of both parties, including a method by which the service provider shall notify the covered entity of material changes to its privacy practices; (3) does not relieve a covered entity or a service provider of any requirement or liability imposed on such covered entity or service provider under this chapter; and (4) prohibits: (i) collecting, processing, or transferring covered data in contravention to subsection (a); and (ii) combining service provider data with covered data which the service provider receives from or on behalf of another person or persons or collects from the interaction of the service provider with an individual...

(c)–(f) 13 Each service provider shall retain copies of previous contracts entered into in compliance with this subsection with each covered entity to which it provides requested products or services. (d) The classification of a person or entity as a covered entity or as a service provider and the relationship between covered entities and service providers are regulated by the following provisions: (1) Determining whether a person is acting as a covered entity or service provider with respect to a specific processing of covered data is a fact-based determination... (2) A person or entity that is not limited in its processing of covered data pursuant to the instructions of a covered entity, or that fails to adhere to such instructions, is a covered entity and not a service provider... (3) A covered entity that transfers covered data to a service provider... in compliance with the requirements of this chapter, is not liable for a violation of this chapter by the service provider... (4) A covered entity or service provider that receives covered data in compliance with the requirements of this chapter is not in violation of this chapter as a result of a violation by a covered entity or service provider from which such data was received. (e) A third party: (1) shall not process third party data for a processing purpose other than the processing purpose for which (i) the individual gave consent... or (ii) the covered entity made a disclosure pursuant to their privacy policy... (f) Solely for the purposes of this section, the requirements for service providers to contract with, assist, and follow the instructions of covered entities shall be read to include requirements to contract with, assist, and follow the instructions of a government entity if the service provider is providing a service to a government entity.

Section 10 governs the relationship between covered entities and service providers. Service providers must adhere to covered entity instructions, assist with individual rights requests, maintain data security safeguards, and allow compliance assessments. All service provider relationships must be governed by written contracts specifying processing procedures, data types, processing purposes, duration, and mutual obligations. The section establishes fact-based determination of covered entity vs. service provider status, liability protections for good-faith data transfers, and restrictions on third-party data use.

Compliance actions 1 item

Covered entities must engage service providers only under written contracts specifying processing instructions, data types, purposes, duration, and mutual obligations. Service providers must adhere to covered entity instructions, assist with individual rights requests, maintain security safeguards, allow compliance assessments, delete or return data upon termination, and retain copies of all service provider contracts.

G-01.3

Ch. 93N § 11

Enforcement

(a)–(k) A violation of this chapter constitutes an injury to that individual and shall be deemed an unfair or deceptive act or practice in the conduct of trade or commerce under chapter 93A, provided that if the court finds for any petitioner, subject to section 9, paragraph (3) ofsuch chapter, recovery under such chapter shall be in the amount of actual damages or $5,000, whichever is higher. (b) Private right of action. Any individual alleging a violation of this chapter by a covered entity, service provider, or third party that is a large data holder may bring a civil action in the superior court or any court of competent jurisdiction. (c) An individual protected by this chapter may not be required, as a condition of service or otherwise, to file an administrative complaint with the attorney general or to accept mandatory arbitration of a claim under this chapter. (d) The civil action shall be directed to the covered entity, service provider, and third-parties alleged to have committed the violation. (e) In a civil action in which the plaintiff prevails, the court may award: (1) liquidated damages of not less than 0.15% of the annual global revenue of the covered entity or $15,000 per violation, whichever is greater; (2) punitive damages; and (3) any other relief, including but not limited to an injunction, that the court deems to be appropriate. (f) In addition to any relief awarded pursuant to the previous paragraph, the court shall award reasonable attorney's fees and costs to any prevailing plaintiff. (g) The Attorney General may bring an action pursuant to section 4 of chapter 93A against a covered entity, service provider, or third party to remedy violations of this chapter and for other relief, including but not limited to an injunction, that may be appropriate, subject to the following: (1) If the court finds that the defendant has employed any method, act, or practice which they knew or should have known to be in violation of this chapter, the court may require the defendant to pay to the commonwealth a civil penalty of: (i) not less than 0.15% of the annual global revenue or $15,000, whichever is greater, per violation; and (ii) not more than 4% of the annual global revenue of the covered entity, service provider, or third-party or $20,000,000, whichever is greater, per action if such action includes multiple violations to multiple individuals; (2) If the court finds that a defendant has engaged in flagrant, willful and repeat violations of this chapter, the court may issue an order to suspend or prohibit a covered entity, service provider, or third party from operating in the commonwealth or collecting, processing, and transferring covered data and any other relief, including but not limited to an injunction, that the court deems to be appropriate. (3) In addition to any penalty or relief awarded under this subsection, a defendant violating this chapter shall also be liable to the commonwealth for the reasonable costs of investigation and litigation of such violation, including reasonable attorneys' fees and reasonable expert fees. (h) When calculating awards and civil penalties in all the actions in this section, the court shall consider: (1) the number of affected individuals; (2) the severity of the violation or noncompliance; (3) the risks caused by the violation or noncompliance; (4) whether the violation or noncompliance was part of a pattern of noncompliance and violations and not an isolated instance; (5) whether the violation or noncompliance was willful and not the result of error; (6) the precautions taken by the defendant to prevent a violation; (7) the number of administrative actions, lawsuits, settlements, and consent-decrees under this chapter involving the defendant; (8) the number of administrative actions, lawsuits, settlements, and consent-decrees involving the defendant in other states and at the federal level in issues involving information privacy; and (9) the international record of the defendant when it comes to information privacy issues. (i) It is a violation of this chapter for a covered entity or anyone else acting on behalf of a covered entity to retaliate against an individual who makes a good-faith complaint that there has been a failure to comply with any part of this chapter. (1) An injured individual by a violation of the previous paragraph may bring a civil action for monetary damages and injunctive relief in any court of competent jurisdiction. (j) Any provision of a contract or agreement of any kind, including a covered entity's terms of service or a privacy policy, including the short-form privacy notice required under section 8 subsection (h) that purports to waive or limit in any way an individual's rights under this chapter, including but not limited to any right to a remedy or means of enforcement shall be deemed contrary to public policy and shall be void and unenforceable. (k) No private or government action brought pursuant to this chapter shall preclude any other action under this chapter.

Section 11 establishes the enforcement framework. Violations are deemed unfair or deceptive acts under Chapter 93A with a statutory floor of $5,000 or actual damages (whichever is higher). A private right of action exists against large data holders, with liquidated damages of at least 0.15% of annual global revenue or $15,000 per violation (whichever is greater), plus punitive damages, injunctive relief, and mandatory attorney's fees. The Attorney General may bring actions with civil penalties up to 4% of annual global revenue or $20 million per multi-violation action. Courts may suspend or prohibit entities from operating in Massachusetts for flagrant, willful, repeat violations. Contractual waivers of rights under the chapter are void. Mandatory arbitration clauses and requirements to file administrative complaints may not be imposed.

Ch. 93N § 12

Information Non-applicability

(a)(1)–(5), (b) This chapter shall not apply to only the following specific types of information: (1) personal information captured from a patient by a health care provider or health care facility or biometric information collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, insurance, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996, or to X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used exclusively to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening; (2) nonpublic personal information that is processed by a financial institution subject to, and in compliance with, the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., as amended from time to time; (3) personal information regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. 1232g et seq., as amended from time to time; (4) individuals sharing their personal contact information such as email addresses with other individuals in the workplace, or other social, political, or similar settings where the purpose of the information is to facilitate communication among such individuals, provided that this chapter shall cover any processing of such contact information beyond interpersonal communication; or (5) covered entities' publication of entity-based member or employee contact information where such publication is intended to allow members of the public to contact such member or employee in the ordinary course of the entity's operations. (b) For the purpose of this section, the burden of proving that information is exempt from the provisions of this chapter shall be upon the party claiming the exemption.

Section 12 carves out specific categories of information from the chapter's coverage: HIPAA-covered patient information and medical imaging, Gramm-Leach-Bliley-regulated financial information, FERPA-regulated educational records, personal contact information shared for interpersonal communication, and entity-published employee contact information. The burden of proving an exemption falls on the party claiming it.

Ch. 93N § 13

Implementation

(a)–(c) The Attorney General shall adopt rules and regulations for the implementation, administration, and enforcement of this chapter and may from time to time amend or repeal said regulations. The rules and regulations shall include but are not limited to: (1) establishing or adopting baseline technical requirements that determine if a given dataset has been or can be considered sufficiently de-identified; (2) establishing reasonable policies, practices, and procedures that satisfy the requirements set forward in Section 5; (3) establishing a nonexclusive list of practices that constitute deceptive designs or dark patterns or otherwise violate the requirements set forward in Section 4. (b) The Attorney General may: (1) gather facts and information applicable to the Attorney General's obligation to enforce this chapter and ensure its compliance, consistent with the provisions of section 4 of chapter 93A; (2) conduct investigations for possible violations of this chapter; and (3) refer cases for civil enforcement or criminal prosecution to the appropriate federal, state, or local authorities. (c) The Attorney General shall, within one year after the effective date of chapter, create an official internet website that outlines the provisions of this chapter and provides individuals with a form or other mechanism to report violations of this chapter to the Office of the Attorney General. The Attorney General shall update the website at least annually. The website shall include statistics on the Attorney General's enforcement actions undertaken under this chapter, broken down by fiscal year, including but not limited to: (1) number of complaints received; (2) number of open investigations; (3) number of closed investigations; and (4) a summary of case dispositions in which a violation of this chapter occurred.

Section 13 directs the Attorney General to adopt implementing regulations covering de-identification technical standards, privacy-by-design policies and procedures, and dark pattern definitions. The Attorney General is also authorized to investigate violations, refer cases for enforcement, and must create a public website within one year of enactment for violation reporting and enforcement statistics.

Ch. 93N § 14

Authorized Agents

Deployer

(a)–(e) 14 An individual may designate another person to serve as the individual's authorized agent to exercise the individual's rights under section 3, to withdraw consent under section 9, or opt out of the processing of such individual's covered data for one or more of the purposes specified in section 9. (b) An individual may designate an authorized agent as provided in subsection (a) by technological means, including, but not limited to, an Internet link or a browser setting, browser extension or global device setting that indicates the individual's intent to opt out processing for one or more of the purposes specified in section 9. (c) A covered entity or service provider shall comply with a request received from an authorized agent if the covered entity or service provider is able to verify the identity of the individual and the authorized agent's authority to act on such individual's behalf by the same means and subject to the same restrictions as a covered entity under section 3(g). (d) In the case of covered data concerning an individual known to be a child as defined by the Children's Online Privacy Protection Act, 15 U.S.C. 6501, the parent or legal guardian of such child may exercise the rights provided under this chapter on the child's behalf. (e) In the case of covered data concerning an individual subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the individual may exercise the rights provided under this chapter on the individual's behalf.

Section 14 permits individuals to designate authorized agents — including by technological means such as browser settings or extensions — to exercise data subject rights and opt-out rights on their behalf. Covered entities must honor authorized agent requests subject to identity verification. Parents or legal guardians may exercise rights on behalf of children (as defined by COPPA), and guardians or conservators may exercise rights on behalf of individuals under protective arrangements.

Compliance actions 1 item

Covered entities and service providers must honor verified requests from authorized agents — including those designated via browser settings, extensions, or global device settings — to exercise data subject rights, withdraw consent, or opt out of data processing on an individual's behalf.

D-01.3

Ch. 93N § 15

Severability and Relationship to Other Laws

(a)–(b) Should any provision of this chapter or part hereof be held under any circumstances in any court of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect the validity or enforceability of any other provision of this or other parts of this chapter. (b) Nothing in this chapter shall diminish any individual's rights or obligations under chapters 66A, 93A, 93H, or under sections 1B or 3B of chapter 214.

Section 15 is a standard severability clause ensuring that invalidation of any provision does not affect the remainder of the chapter, and a savings clause preserving individual rights under existing Massachusetts privacy and consumer protection statutes (Chapters 66A, 93A, 93H, and sections 1B and 3B of Chapter 214).

SECTION 2

Effective Date

This Act shall take effect 1 year after enactment.

The act takes effect one year after enactment, providing a compliance runway for covered entities and service providers.

Data Controls Data sale restrictions · deidentification

7 items

D-01.4