Massachusetts · House Bill · 192nd General Court (2021–2022)
HB4029
An Act relative to algorithmic accountability and bias prevention

Status: Failed · Effective: N/A · Passage Likelihood: N/A

WHAT THIS BILL REGULATES · 1 REQUIREMENT TYPE

How Is This Bill Enforced

Enforcement Authority
Office of Consumer Affairs and Business Regulation enforces via its existing powers under Chapter 24A, including civil penalties and fines, with authority to refer violations to the Attorney General. The Attorney General may also bring civil actions, with prior written notice to the Office required except where infeasible. Any aggrieved person may bring a private action under Chapter 93A.
Private Right of Action
Any aggrieved person may bring a private action under Chapter 93A.
Penalties
Greater of actual damages or $100,000 per violation. Additional relief includes injunctive relief, civil penalties, and attorney's fees as provided by Chapter 93A. Violations are deemed unfair or deceptive acts or practices under Chapter 93A.

What This Bill Requires

Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.

Statutory Text
Analysis & Obligations
G.L. c. 93, § 115(a)
Definitions

(a) As used in this section the following terms shall, unless the context clearly requires otherwise, have the following meanings:

"Automated decision system", a computational process, including one derived from machine learning, statistics, or other data processing or artificial intelligence techniques, that makes a decision or facilitates human decision making, that impacts consumers.

"Automated decision system impact assessment", a study evaluating an automated decision system and the automated decision system's development process, including the design and training data of the automated decision system, for impacts on accuracy, fairness, bias, discrimination, privacy, and security that includes, at a minimum: (A) a detailed description of the automated decision system, its design, its training, data, and its purpose; (B) an assessment of the relative benefits and costs of the automated decision system in light of its purpose, taking into account relevant factors, including (i) data minimization practices; (ii) the duration for which personal information and the results of the automated decision system are stored; (iii) what information about the automated decision system is available to consumers; (iv) the extent to which consumers have access to the results of the automated decision system and may correct or object to its results; and (v) the recipients of the results of the automated decision system; (C) an assessment of the risks posed by the automated decision system to the privacy or security of personal information of consumers and the risks that the automated decision system may result in or contribute to inaccurate, unfair, biased or discriminatory decisions impacting consumers; and (D) the measures the covered entity will employ to minimize the risks described in clause (C), including technological and physical safeguards.

"Office", office of consumer affairs and business regulation.

"Consumer", an individual.

"Covered entity" any person, partnership, or corporation that: (A) had greater than $50,000,000 in average annual gross receipts for the 3-taxable-year period preceding the most recent fiscal year, as determined in accordance with paragraphs (2) and (3) of section 448(c) of the Internal Revenue Code of 1986; (B) possesses or controls personal information on more than: (i) 1,000,000 consumers; or (ii) 1,000,000 consumer devices; (C) is substantially owned, operated, or controlled by a person, partnership, or corporation that meets the requirements under subparagraph (A) or (B); or (D) is a data broker or other commercial entity that, as a substantial part of its business, collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.

"Data protection impact assessment", a study evaluating the extent to which an information system protects the privacy and security of personal information the system processes.

"High-risk automated decision system", an automated decision system that: (A) taking into account the novelty of the technology used and the nature, scope, context, and purpose of the automated decision system, poses a significant risk: (i) to the privacy or security of personal information of consumers; or (ii) of resulting in or contributing to inaccurate, unfair, biased, or discriminatory decisions impacting consumers; (B) makes decisions, or facilitates human decision making, based on systematic and extensive evaluations of consumers, including attempts to analyze or predict sensitive aspects of their lives, such as their work performance, economic situation, health, personal preferences, interests, behavior, location, or movements, that: (i) alter legal rights of consumers; or (ii) otherwise significantly impact consumers; (C) involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests; (D) systematically monitors a large, publicly accessible physical place; or (E) meets any other criteria established by the Office in regulations issued pursuant to this section.

"High-risk information system", an information system that: (A) taking into account the novelty of the technology used and the nature, scope, context, and purpose of the information system, poses a significant risk to the privacy or security of personal information of consumers; (B) involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests; (C) systematically monitors a large, publicly accessible physical place; or (D) meets any other criteria established by the Office in regulations issued pursuant to this section.

"Information system", (A) means a process, automated or not, that involves personal information, such as the collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, sharing, disclosure, dissemination, combination, restriction, erasure, or destruction of personal information; and (B) does not include automated decision systems.

"Personal information", any information, regardless of how the information is collected, inferred, or obtained that is reasonably linkable to a specific consumer or consumer device.

"Store", (A) means the actions of a person, partnership, or corporation to retain information; and (B) includes actions to store, collect, assemble, possess, control, or maintain information.

"Use", the actions of a person, partnership, or corporation in using information, including actions to use, process, or access information.

Subsection (a) establishes the definitional framework for the bill. It defines covered entity using a tripartite size threshold — $50M annual revenue, control of data on 1M+ consumers or devices, or status as a data broker — ensuring the bill applies only to large-scale commercial data processors. The automated decision system definition is broad, covering any computational process derived from ML, statistics, or AI that makes or facilitates decisions impacting consumers. The high-risk subcategory is triggered by significant privacy/security risk, profiling of sensitive life aspects, processing of protected-class data at scale, or systematic monitoring of public spaces. Notably, the Office retains open-ended authority to designate additional criteria for high-risk classification via regulation.

G.L. c. 93, § 115(b)
Prohibited conduct
Deployer

(b) 1 A covered entity shall not: (1) violate a regulation promulgated under subsection (c); or (2) knowingly provide substantial assistance to any person, partnership, or corporation whose actions violate subsection (c).

(d) 1 It shall be unlawful for any covered entity to commit the acts prohibited in subsection (b), regardless of specific agreements between entities or consumers.

Subsection (b) establishes the operative prohibition: covered entities may not violate regulations promulgated under subsection (c), nor may they knowingly provide substantial assistance to others whose actions violate those regulations. The substantial-assistance prong creates secondary liability for entities that facilitate non-compliant conduct by others. Subsection (d) reinforces that the prohibition applies regardless of any contractual arrangement between the covered entity and consumers.

Compliance actions 1 item
1
Covered entities must comply with all regulations promulgated by the Office under subsection (c) and must not knowingly provide substantial assistance to any entity that violates those regulations, regardless of any contractual arrangement with consumers.
H-02.3
G.L. c. 93, § 115(c)
Rulemaking: impact assessment requirements
Deployer

(c)(1)(A)–(B) 2 Not later than 2 years after the date of enactment of this section, the Office shall promulgate regulations, that: (A) require each covered entity to conduct automated decision system impact assessments of (i) existing high-risk automated decision systems, as frequently as the Office determines is necessary; and (ii) new high-risk automated decision systems, prior to implementation, provided that a covered entity may evaluate similar high-risk automated decision systems that present similar risks in a single assessment; (B) require each covered entity to conduct data protection impact assessments
93, § 115(a) of (i) existing high-risk information systemsHigh-risk information system"High-risk information system", an information system that: (A) taking into account the novelty of the technology used and the nature, scope, context, and purpose of the information system, poses a significant risk to the privacy or security of personal information of consumers; (B) involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests; (C) systematically monitors a large, publicly accessible physical place; or (D) meets any other criteria established by the Office in regulations issued pursuant to this section.G.L. c. 93, § 115(a), as frequently as the OfficeOffice"Office", office of consumer affairs and business regulation.G.L. c. 93, § 115(a) determines is necessary; and (ii) new high-risk information systemsHigh-risk information system"High-risk information system", an information system that: (A) taking into account the novelty of the technology used and the nature, scope, context, and purpose of the information system, poses a significant risk to the privacy or security of personal information of consumers; (B) involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests; (C) systematically monitors a large, publicly accessible physical place; or (D) meets any other criteria established by the Office in regulations issued pursuant to this section.G.L. c. 
93, § 115(a), prior to implementation; provided that a covered entityCovered entity"Covered entity" any person, partnership, or corporation that: (A) had greater than $50,000,000 in average annual gross receipts for the 3-taxable-year period preceding the most recent fiscal year, as determined in accordance with paragraphs (2) and (3) of section 448(c) of the Internal Revenue Code of 1986; (B) possesses or controls personal information on more than: (i) 1,000,000 consumers; or (ii) 1,000,000 consumer devices; (C) is substantially owned, operated, or controlled by a person, partnership, or corporation that meets the requirements under subparagraph (A) or (B); or (D) is a data broker or other commercial entity that, as a substantial part of its business, collects, assembles, or maintains personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.G.L. c. 93, § 115(a) may evaluate similar high-risk information systemsHigh-risk information system"High-risk information system", an information system that: (A) taking into account the novelty of the technology used and the nature, scope, context, and purpose of the information system, poses a significant risk to the privacy or security of personal information of consumers; (B) involves the personal information of a significant number of consumers regarding race, color, national origin, political opinions, religion, trade union membership, genetic data, biometric data, health, gender, gender identity, sexuality, sexual orientation, criminal convictions, or arrests; (C) systematically monitors a large, publicly accessible physical place; or (D) meets any other criteria established by the Office in regulations issued pursuant to this section.G.L. c. 93, § 115(a) that present similar risks in a single assessment;

(c)(1)(C) 3 require each covered entity to conduct the impact assessments under clauses (A) and (B), if reasonably possible, in consultation with external third parties, including independent auditors and independent technology experts;

(c)(1)(D) 4 and (D) require each covered entity to reasonably address in a timely manner the results of the impact assessments under clauses (A) and (B).

(c)(2) The impact assessments under clauses (A) and (B) of paragraph 1 may be made public by the covered entity at its sole discretion.

Subsection (c) is the bill's core operative provision. It directs the Office to promulgate regulations within two years requiring covered entities to conduct two types of impact assessments: automated decision system impact assessments for high-risk automated decision systems and data protection impact assessments for high-risk information systems. Both existing and new systems are covered, with new systems requiring pre-implementation assessment. The bill permits batching of similar systems in a single assessment. Impact assessments must be conducted, where reasonably possible, in consultation with external third parties including independent auditors and technology experts. Covered entities must timely address assessment findings. Publication of assessments is at the covered entity's sole discretion — there is no mandatory public disclosure.

Compliance actions 3 items
2
Covered entities must conduct automated decision system impact assessments for all existing and new high-risk automated decision systems — with new systems assessed prior to implementation — and data protection impact assessments for all existing and new high-risk information systems, at frequencies determined by the Office.
H-02.3
3
Covered entities must conduct impact assessments in consultation with external third parties, including independent auditors and independent technology experts, where reasonably possible.
H-02.6
4
Covered entities must reasonably address in a timely manner the results of all automated decision system and data protection impact assessments.
H-02.3
G.L. c. 93, § 115(e)
Enforcement and private right of action

(e)(1) A violation of subsection (b) shall be an unfair or deceptive act or practice under chapter 93A.

(e)(2)(A) The Office shall enforce this section in the same manner, by the same means, and with the same jurisdiction, powers, and duties provided to it pursuant to chapter 24A or any other general or special law. The Office may impose civil penalties or fines for a violation of subsection (b). The Office may refer any violation of this section to the attorney general.

(e)(2)(A)(i)–(iii) Except as provided in clause (iii), the attorney general, before initiating a civil action under paragraph (1), shall provide written notification to the Office that the attorney general intends to bring such civil action. (ii) The notification required under clause (i) shall include a copy of the complaint to be filed to initiate the civil action. (iii) If it is not feasible for the attorney general to provide the notification required under clause (i) before initiating a civil action under paragraph (1), the attorney general shall notify the Office immediately upon instituting the civil action.

(d) Any person who is aggrieved as a result of a violation of this section, or the attorney general, may bring an action for recovery of actual damages or $100,000 per violation, whichever is greater, and other relief, including injunctive relief, civil penalties and attorney's fees as provided by chapter 93A.

Subsection (e) establishes the enforcement framework. Violations are deemed unfair or deceptive acts under Chapter 93A, giving the bill the full weight of Massachusetts' consumer protection enforcement apparatus. The Office enforces using its existing Chapter 24A powers, may impose civil penalties or fines, and may refer violations to the Attorney General. The Attorney General must provide written notice to the Office before initiating civil actions except where infeasible. Any aggrieved person may bring a private action for the greater of actual damages or $100,000 per violation, plus injunctive relief, civil penalties, and attorney's fees under Chapter 93A.

Passage Likelihood

Failed
Status Failed
Final action Accompanied a study order, see H4880

Legislative History

2021-07-29 Referred to the Joint Committee on Consumer Protection and Professional Licensure
2021-07-29 Senate concurred
2021-09-27 Hearing scheduled for 10/04/2021 from 12:00 PM-05:00 PM in Virtual Hearing
2022-06-30 Accompanied a study order, see H4880

Entry Last Reviewed

2026-05-16
AI generated