Regulon — MA-HB-4746 · MA HB 4746 (Consumer Data Privacy)

WHAT THIS BILL REGULATES · 4 REQUIREMENT TYPES

How Is This Bill Enforced

Enforcement Authority

Attorney general has exclusive enforcement authority against controllers and processors that are not large data holders. Violations constitute unfair or deceptive trade practices under chapter 93A. For large data holders, private enforcement under chapter 93A sections 9 and 11 is not displaced. The AG must create a consumer complaint mechanism. No pre-suit cure period.

Private Right of Action

No private right of action. Enforcement is exclusive to the designated authority.

Penalties

Civil penalties up to $5,000 per violation. Injunctive relief, declaratory relief, restitution, disgorgement of profits, punitive damages, and reasonable attorney's fees and costs are available. For flagrant, willful, and repeated violations the court may suspend or prohibit the defendant from operating in Massachusetts. For non-large-data-holder entities, enforcement is exclusive to the AG; for large data holders, the statute preserves chapter 93A sections 9 and 11 remedies.

Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.

Statutory Text

Analysis & Obligations

Ch. 93M § 1

Definitions

As used in this chapter, unless the context otherwise requires: [all definitions in Section 1]

Section 1 establishes the definitional framework for the entire chapter. Key defined terms include Controller, Processor, Large data holder, Consumer, Personal data, Sensitive data, Affirmative Consent, Targeted advertising, Profiling, and Dark pattern. The definitions are broad — personal data encompasses derived data and unique identifiers, and sensitive data includes neural data, consumer health and wellness data, and minor data. The affirmative consent definition is unusually detailed, requiring stand-alone disclosures, language parity, and equal prominence for the option to refuse.

Ch. 93M § 2

Applicability

The provisions of this chapter apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that during the preceding calendar year: (a) Collected or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, so long as all personal data collected or processed for such purpose was deleted or de-identified within 90 days, except when necessary to investigate fraud or as consistent with a business's return policy; (b) derived gross revenue from the sale of personal data; or (c) collected or processed sensitive data.

Section 2 defines the applicability thresholds for the chapter. The law applies to persons conducting business in Massachusetts or targeting Massachusetts residents that, in the preceding calendar year, collected or processed personal data of at least 100,000 consumers (excluding payment-only data deleted within 90 days), derived gross revenue from data sales, or collected or processed sensitive data. The sensitive data trigger is notably uncapped — any entity that collects or processes any sensitive data is covered regardless of volume or revenue.

Ch. 93M § 3

Scope and exemptions

(a)–(c) The provisions of this chapter, except for the provisions of paragraph (4) of subsection (a) of section 6, do not apply to: (1) any Federal, State, Tribal, territorial, or local government entity such as a body, authority, board, bureau, commission, district or agency of the Commonwealth or of any political subdivision of the Commonwealth; (2) a nonprofit organization established to detect and prevent fraudulent acts in connection with insurance that is operating solely for that purpose; (3) a national securities association registered pursuant to section 15A of the Securities Exchange Act of 1934 and the rules and implementing regulations promulgated thereunder; (4) a registered futures association designated pursuant to section 17 of the Commodity Exchange Act and the rules and implementing regulations promulgated thereunder; (5) a bank, credit union or any affiliate or subsidiary thereof that: (A) is only and directly engaged in financial activities as described in 12 USC 1843(k); (B) is regulated and examined by the division of banks or an applicable federal bank regulatory agency; and (C) has established a program to comply with all applicable requirements established by the commissioner of banks or the applicable federal bank regulatory agency concerning personal data; or (6) an agent, broker-dealer, investment adviser or investment adviser representative, as defined in section 401 of chapter 110A, who is regulated by the secretary of the commonwealth or the United States Securities and Exchange Commission. (b) The following information and data is exempt from the provisions of this chapter: [paragraphs (1)–(15) listing HIPAA data, GLBA data, FCRA data, FERPA data, employee data, etc.] (c) Controllers and processors that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent pursuant to this chapter.

Section 3 exempts certain entities and data types from the chapter's coverage. Government entities, certain financial institutions, insurance fraud nonprofits, and registered securities associations are exempt at the entity level — except that the prohibition on sale of precise geolocation data applies to all entities. Extensive data-level exemptions track federal statutes including HIPAA, GLBA, FCRA, FERPA, and the Farm Credit Act. Employee and contractor data in the employment context is also exempt. COPPA-compliant verifiable parental consent is deemed sufficient under this chapter.

Ch. 93M § 4

Consumer rights

Deployer

(a)(1)–(5) 1 A consumer shall have the right to: (1) Confirm whether or not a controller is collecting or processing the consumer's personal data and access such personal data, including, but not limited to, any inferences about the consumer derived from such personal data; (2) obtain from a controller a list of specific third parties, other than natural persons, to which the controller has transferred either (i) the consumer's personal data; or (ii) any personal data; (3) correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data, and instruct a controller or processor to make reasonable efforts to notify all third parties or processors to which the controller has transferred such personal data of such corrections; (4) delete personal data provided by, or obtained about, the consumer, including personal data the consumer provided to the controller, personal data the controller obtained from another source, and derived data and instruct a controller or processor to make reasonable efforts to notify all third parties or processors to which the controller has transferred such personal data of such deletion request; (5) obtain a copy of the consumer's personal data collected or processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means;

(a)(6) 2 opt out of the collection and processing of the consumer's personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

(b)–(c) 1 A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice. A consumer may designate an authorized agent in accordance with section 5 of this act to exercise the rights of such consumer specified in this section on behalf of the consumer. In the case of personal data of a known child, the parent or legal guardian may exercise such consumer rights on the child's behalf. In the case of personal data concerning a consumer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the consumer may exercise such rights on the consumer's behalf. (c) Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to said sections as follows: (1) A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request. The controller may extend the response period by 20 additional days when reasonably necessary, considering the complexity and number of the consumer's requests, provided the controller informs the consumer of any such extension within the initial 45-day response period and of the reason for the extension. (2) If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision. (3) Information provided in response to a consumer request shall be provided by a controller, free of charge, not less than twice per consumer during any twelve-month period. If requests from a consumer are manifestly unfounded, excessive or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request. (4) If a controller is unable to authenticate a request to exercise any of the rights afforded under paragraphs (1) to (5), inclusive, of subsection (a) of this section using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise such right or rights until such consumer provides additional information reasonably necessary to authenticate such consumer and such consumer's request to exercise such right or rights, provided that any such information may not be used for any purposes other than the authentication of such consumer. A controller shall not require authentication to exercise an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable and documented belief that such request is fraudulent. (5) A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to paragraph (4) of subsection (a) of this section by deleting the consumer's personal data retained by the controller and retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to this chapter.

(d) 3 A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.

(e)–(f) 4 A controller may not condition, effectively condition, attempt to condition, or attempt to effectively condition the exercise of a right described in this section through— (1) the use of any false, fictitious, fraudulent, or materially misleading statement or representation; or (2) the use of dark patterns. (f) A controller or processor may not collect, process, or transfer personal data in a manner that discriminates against an individual or class of individuals, or otherwise makes unavailable the equal enjoyment of goods or services, on the basis of an individual's or class of individuals' actual or perceived race, color, sex, sexual orientation, gender identity, disability, religion, genetic information, pregnancy or condition related to pregnancy, status as a veteran, ancestry or national origin, or any other basis protected by chapter 151B.

Section 4 establishes the core consumer rights: confirmation and access (including inferences), third-party recipient lists, correction with downstream notification, deletion with downstream notification, portability, and opt-out rights for targeted advertising, data sales, and profiling for solely automated consequential decisions. Controllers must respond within 45 days (extendable by 20 days), provide at least two free responses per year, and establish an appeal process with a 60-day decision window. Controllers may not condition rights exercise through dark patterns or misleading statements, and may not discriminate or retaliate against consumers who exercise rights. A nondiscrimination provision prohibits processing personal data in a manner that discriminates on the basis of protected characteristics.

Compliance actions 4 items

Controllers must honor consumer rights to confirm and access personal data (including inferences), obtain third-party recipient lists, correct inaccuracies with downstream notification, delete personal data with downstream notification, and obtain a portable copy — responding within 45 days (extendable by 20 days) and providing at least two free responses per 12-month period.

D-01.1

Controllers must allow consumers to opt out of collection and processing of personal data for targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

D-01.3

Controllers must establish a conspicuously available appeal process for consumers whose data rights requests are denied, respond in writing within 60 days with a substantive explanation, and provide a mechanism to contact the attorney general if the appeal is denied.

H-01.5

Controllers and processors must not collect, process, or transfer personal data in a manner that discriminates on the basis of race, color, sex, sexual orientation, gender identity, disability, religion, genetic information, pregnancy, veteran status, ancestry, national origin, or any other basis protected by chapter 151B, and must not use dark patterns or deceptive practices to condition the exercise of consumer rights.

H-02

Ch. 93M § 5

Authorized agent

A consumer may designate another person to serve as the consumer's authorized agent, and act on such consumer's behalf, to exercise rights specified in subsection (a) of section 4 of this act. A controller shall comply with a request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on such consumer's behalf.

Section 5 permits consumers to designate an authorized agent to exercise their data rights. Controllers must comply with agent requests where the controller can verify both the consumer's identity and the agent's authority with commercially reasonable effort.

Ch. 93M § 6

Actions of controllers

Deployer

(a)(1)–(3) 5 A controller shall: (1) limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains, including any routine administrative, operational, or account-servicing activity, such as billing, shipping, delivery, storage, accounting, or sending communications; (2) not process or transfer personal data concerning a consumer in a manner that is inconsistent with the reasonable expectations of the consumer; (3) not collect, process, or transfer sensitive data concerning a consumer except when such collection, processing, or transfer is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the sensitive data pertains;

(a)(4)–(6) 6 not sell: (i) precise geolocation data regarding a consumer; or (ii) sensitive data other than precise geolocation data regarding a consumer without obtaining the consumer's affirmative consent; (5) establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue, including disposing of personal data in accordance with a retention schedule that requires the deletion of personal data when the data is required to be deleted by law or is no longer necessary for the purpose for which the data was collected, processed, or transferred; (6) not transfer or sell sensitive data concerning a consumer without obtaining the consumer's affirmative consent, or, in the case of the collection or processing of personal data concerning a known child, without collecting or processing such data in accordance with COPPA;

(a)(7)–(9) 7 provide an effective mechanism for a consumer to revoke the consumer's affirmative consent under this chapter that is at least as easy as the mechanism by which the consumer provided the consumer's affirmative consent and, upon revocation of such affirmative consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request; (8) not collect or process the personal data of a consumer for purposes of targeted advertising or first-party advertising, or sell the consumer's personal data, under circumstances where a controller has actual knowledge, or willfully disregards, that the consumer is a minor; and (9) not discriminate or retaliate against a consumer for exercising any of the consumer rights contained in this chapter, or for refusing to agree to the collection or processing of personal data for a separate product or service, including denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.

(c) 8 A controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (1) The categories of personal data collected and processed by the controller, including a separate list of categories of sensitive data collected and processed by the controller, described in a level of detail that provides consumers a meaningful understanding of the type of personal data collected or processed; (2) the purpose for collecting and processing each category of personal data the controller collects or processes described in a way that gives consumers a meaningful understanding of how each category of their personal data will be used; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; (4) the categories of personal data that the controller transfers to third parties, if any, and the purposes for those transfers; (5) the categories of third parties, if any, to which the controller transfers personal data; (6) The length of time the controller intends to retain each category of personal data, or, if it is not possible to identify the length of time, the criteria used to determine the length of time the controller intends to retain categories of personal data; and (7) an active electronic mail address or other online mechanism that the consumer may use to contact the controller. The privacy notice shall be provided directly to consumers and made available online to the general public. If a controller makes a material change to its privacy notice, the controller shall notify each consumer affected by the material change before implementing the material change with respect to prospectively collected personal data and provide a reasonable opportunity for each consumer to withdraw consent.

(d)–(e) 9 If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such sales or processing, as well as the manner in which a consumer may exercise the right to opt out of such sales or processing. (e) A controller shall establish, and shall describe in a privacy notice, not less than two secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to verify the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account. Any such means shall include: (1) Providing a clear and conspicuous link on the controller's Internet web site to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising, the sale of the consumer's personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer; and (2) Not later than 18 months after the effective date of this chapter, allowing a consumer to opt out of any collection or processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale.

Section 6 imposes the bill's core affirmative obligations on controllers. Controllers must practice data minimization, limit processing to consumer expectations, restrict sensitive data to strict necessity, prohibit sale of precise geolocation data outright and other sensitive data without affirmative consent, maintain data security practices, provide a consent revocation mechanism (with 15-day processing deadline), prohibit targeted advertising, first-party advertising, and data sales for known minors, and refrain from discrimination or retaliation. Controllers must publish detailed privacy notices with enumerated content requirements and provide direct notification of material changes. Controllers must provide at least two mechanisms for rights exercise including a clear opt-out link and, within 18 months, support for opt-out preference signals. The opt-out signal must override conflicting controller-specific settings.

Compliance actions 5 items

Controllers must limit collection of personal data to what is reasonably necessary and proportionate to provide the requested product or service, must not process data inconsistent with consumer expectations, and must not collect or process sensitive data unless strictly necessary to provide the requested product or service.

D-01.4

Controllers must not sell precise geolocation data, must not sell or transfer other sensitive data without affirmative consent (or COPPA compliance for children), and must establish and maintain reasonable administrative, technical, and physical data security practices including a retention schedule requiring deletion when data is no longer necessary.

D-01.5

Controllers must provide an effective consent revocation mechanism at least as easy as the consent mechanism, cease processing within 15 days of revocation, must not use minor personal data for targeted or first-party advertising or sales when the controller knows or willfully disregards the consumer is a minor, and must not discriminate or retaliate against consumers exercising their data rights.

D-01.6

Controllers must publish a clear and meaningful privacy notice — provided directly to consumers and publicly online — that discloses categories of personal and sensitive data collected, processing purposes per category, how to exercise consumer rights, categories of third-party data transfers, retention periods, and contact information, and must notify consumers before implementing material changes.

D-01.1

Controllers must provide at least two secure mechanisms for consumers to exercise data rights, including a clear opt-out link on their website and, within 18 months of the effective date, support for consumer-initiated opt-out preference signals for targeted advertising and data sales. The opt-out signal overrides conflicting controller-specific settings.

D-01.3

Ch. 93M § 7

Responsibilities of processors and controllers

Deployer

(a)–(b) 10 A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations under this chapter. Such assistance shall include: (1) taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests; (2) taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security of the system of the processor, in order to meet the controller's obligations; and (3) providing necessary information to enable the controller to conduct and document data protection assessments. (b) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be written, binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties including a method by which the processor shall notify the covered entity of material changes to its privacy practices. The processor shall adhere to the instructions of the controller and only process and transfer the data it receives from the controller to the extent necessary to provide a service requested by the controller, as set out in the contract. The contract shall also require that the processor: (1) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (2) at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (3) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this chapter; (4) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the contractual and statutory or regulatory obligations of the processor with respect to the personal data; (5) be prohibited from combining personal data that the processor receives from or on behalf of a controller with personal data that the processor receives from or on behalf of another person or collects from the interaction of the processor with an individual; and (6) allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter, using an appropriate and accepted control standard or framework and assessment procedure for such assessments.

(c) 10 A processor shall establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data that are consistent with chapter 93H and appropriate to the volume and nature of the personal data at issue.

(e)–(f) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A person who is not limited in such person's processing of personal data pursuant to a controller's instructions, or who fails to adhere to such instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under this chapter. (f) A processor shall not process or transfer personal data on the behalf of a controller if the processor has actual knowledge that the controller has violated this chapter with respect to such personal data.

Section 7 establishes the processor-controller contractual and operational relationship. Processors must adhere to controller instructions and assist with consumer rights fulfillment, security obligations, and data protection assessments. Controller-processor contracts must be written and specify processing instructions, purpose, data types, duration, and mutual obligations. Processors must maintain confidentiality, delete or return data at service end, demonstrate compliance, use subcontractors only under written contracts, and not combine data across controllers. Processors must maintain their own data security practices. A processor that begins determining processing purposes becomes a controller subject to enforcement.

Compliance actions 1 item

Controllers must execute written contracts with processors specifying processing instructions, purpose, data types, duration, and obligations. Processors must maintain confidentiality, assist with consumer rights and security obligations, support data protection assessments, delete or return data at service end, not combine data across controllers, cooperate with compliance assessments, and maintain their own data security practices consistent with chapter 93H.

G-01.3

Ch. 93M § 8

Data Protection Assessments

Deployer

(a) 11 A controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment for each of the controller's processing activities that presents such heightened risk of harm to a consumer. For the purposes of this section, processing that presents a heightened risk of harm to a consumer includes: (1) The collection or processing of personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of: (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (ii) financial, physical or reputational injury to consumers, (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or (iv) other substantial injury to consumers; (4) the collection or processing of sensitive data; and (5) the collection or processing of personal information collected via a consumer's use of a product or service predominantly used by minors.

(b) 11 Data protection assessments conducted pursuant to subsection (a) of this section shall identify the categories of personal data collected, the purposes for collecting such personal data, whether personal data is being transferred and identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that are employed by the controller to reduce such risks. The controller shall factor into any such data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

(c) 12 No later than 30 days after completing a data protection assessment under this section, a controller shall submit a report of the data protection assessment or evaluation to the attorney general. The report must include a summary of the data protection assessment and the controller shall make the summary publicly available in a place that is easily accessible to consumers. Controllers may redact trade secrets or other confidential or proprietary information from the report. The attorney general may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in this chapter. To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection.

(f) 13 A controller shall review and update the data protection assessment as often as appropriate considering the type, amount, and sensitivity of personal data collected or processed and level of risk presented by the processing, throughout the processing activity's lifecycle in order to: (1) monitor for harm caused by the processing and adjust safeguards accordingly; and (2) ensure that data protection and privacy are considered as the controller makes new decisions with respect to the processing.

Section 8 requires controllers to conduct and document data protection assessments before engaging in processing that presents a heightened risk of harm. Covered activities include targeted advertising, data sales, profiling with foreseeable risks of unfair treatment or injury, sensitive data processing, and processing data from products predominantly used by minors. Assessments must identify categories of data collected, weigh benefits against consumer risks, and factor in de-identification and consumer expectations. Assessments must be filed with the attorney general within 30 days, and summaries must be publicly posted. The AG may demand full assessments in investigations. Assessments must be reviewed and updated throughout the processing lifecycle. The first assessments must be completed within one year of the effective date.

Compliance actions 3 items

Controllers must conduct and document a data protection assessment before engaging in targeted advertising, data sales, profiling with foreseeable consumer harm risks, sensitive data processing, or processing data from products predominantly used by minors. Assessments must identify data categories, processing purposes, weigh benefits against consumer risks, and account for de-identification and consumer expectations.

H-02.3

Controllers must submit data protection assessment reports to the attorney general within 30 days of completion, make a summary publicly available in an easily accessible location, and produce full assessments to the AG upon request during investigations. Trade secrets may be redacted; attorney-client privilege is preserved.

H-02.4

Controllers must review and update data protection assessments throughout the processing lifecycle as appropriate given the type, amount, and sensitivity of data and risk level, to monitor for harm and adjust safeguards.

H-02.8

Ch. 93M § 9

De-identified data

Deployer

(a)–(d) 14 Any controller in possession of de-identified data shall: (1) Take technical measures to ensure that the data cannot be associated with an individual; (2) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and (3) contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter. (b) Nothing in this chapter shall be construed to: (1) Require a controller or processor to re-identify de-identified data; or (2) maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data. (c) Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller: (1) is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; and (2) does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; (d) A controller that transfers de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

Section 9 imposes safeguards on controllers possessing de-identified data: they must implement technical measures to prevent re-identification, publicly commit to maintaining the data in de-identified form, and contractually bind recipients. Controllers need not re-identify data to comply with consumer rights requests, and controllers that cannot reasonably associate a request with personal data are excused from compliance for that data. Controllers transferring de-identified data must monitor recipient compliance and address breaches.

Compliance actions 1 item

Controllers in possession of de-identified data must implement technical re-identification safeguards, publicly commit not to re-identify the data, contractually bind recipients to the same obligations, and monitor downstream compliance with those contractual commitments.

D-01.4

Ch. 93M § 10

Limitations

(a)–(f) Nothing in this chapter shall be construed to restrict a controller's or processor's ability to: (1) Comply with federal, state or municipal ordinances or regulations; (2) comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities, except as prohibited by another law, including, but not limited to, section 115 of chapter 93; (3) cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations; (4) investigate, establish, exercise, prepare for or defend legal claims; (5) provide, maintain, improve, or update a product or service specifically requested by the consumer; (6) perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty; (7) take steps at the request of a consumer prior to entering into a contract; (8) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis; (9) prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity targeted at or involving the controller or processor or its services, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (10) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest; (11) assist another controller, processor or third party with any of the obligations under this chapter; (12) process personal data for reasons of public interest in the area of public health, community health or population health; (13) ensure the data security and integrity of personal data; (14) effectuate a product recall; (15) conduct medical research in compliance with applicable CFR; (16) publish entity-based member or employee contact information; (17) process personal data to become de-identified data; or (18) provide information or feedback to the consumer. (b) The obligations imposed on controllers or processors under this chapter shall not apply where compliance would violate an evidentiary privilege.(c) A controller or processor that discloses personal data to a processor or third-party controller in accordance with this chapter shall not be deemed to have violated said sections if the processor or third-party controller that receives and processes such personal data violates said sections, provided, at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. (d) Nothing in this chapter shall be construed to: (1) Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution or Article 16 of the Massachusetts Declaration of Rights; (2) apply to any person's collection or processing of personal data in the course of such person's purely personal or household activities; or (3) for private schools approved under section 1 of chapter 76 and private institutions of higher education, require deletion of personal data that would unreasonably interfere with the provision of education services. (e) Personal data collected or processed by a controller pursuant to this section may be collected or processed to the extent that such collection and processing is: (1) Reasonably necessary and proportionate to the purposes listed in this section; (2) limited to what is necessary in relation to the specific purposes; and (3) compliant with subsection (f) of section 4. (f) If a controller collects or processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such collection or processing qualifies for the exemption.

Section 10 enumerates exceptions to the chapter's obligations. Controllers and processors may process data for law enforcement cooperation, legal claims, regulatory compliance, security incident prevention, public interest research (with IRB oversight), public health processing, product recalls, medical research, and other specified purposes. The section preserves evidentiary privileges, exempts purely personal or household activities, and protects private schools from deletion mandates that would unreasonably interfere with education. Data processed under these exceptions must still meet proportionality and security requirements and comply with the nondiscrimination provision.

Ch. 93M § 11

Rulemaking

(a) The attorney general may promulgate rules and regulations to implement this Act, including, but not limited to, rules and regulations that: (1) establish or adopt baseline technical requirements that determine if a given dataset has been or can be considered sufficiently de-identified; (2) establish reasonable administrative, technical and physical data security practices that satisfy the requirements set forward in paragraph (5) of subsection (a) of section 6; (3) establish a nonexclusive list of practices that constitute dark patterns or otherwise violate the requirements of this chapter regarding a consumer's affirmative consent; and (4) establish a nonexclusive list of data collection, processing, and transfer practices that constitute unfair or deceptive practices in trade or commerce.

Section 11 authorizes the attorney general to promulgate rules and regulations to implement the chapter, including technical de-identification standards, data security baselines, a dark patterns list, and a list of unfair or deceptive data practices. This is a delegation of authority, not an affirmative compliance obligation on regulated entities.

Ch. 93M § 12

Enforcement

(a)–(b) A violation of this chapter shall constitute an unfair or deceptive trade practice for purposes of chapter 93A. Notwithstanding sections 9 and 11 of said chapter 93A, the attorney general shall have exclusive authority to bring a civil action against any controller or processor other than a controller or processor that is a large data holder that violates this chapter or a regulation adopted under this chapter to: (1) enjoin an act or practice that is in violation of this chapter or a regulation adopted under this chapter, including an order that an entity retrieve any personal data transferred in such violation; (2) enforce compliance with this chapter or a regulation adopted under this chapter, including seeking declaratory relief; (3) obtain damages, including punitive damages, restitution of any money or property obtained directly or indirectly by any such violation, and disgorgement of any profits, assets, property, or data obtained directly or indirectly by any such violation on behalf of the residents of the commonwealth; (4) impose civil penalties in an amount not more than $5,000 per violation; (5) obtain investigative costs, reasonable attorney's fees and other litigation costs, including, but not limited to, expert fees, reasonably incurred; and (6) obtain any such other and further relief as the court may deem proper. (b) If the court finds that a defendant has engaged in flagrant, willful, and repeated violations of this chapter in an action brought by the attorney general pursuant to subsection (a) of this section, the court may issue an order to suspend or prohibit the defendant from operating in the commonwealth in addition to any other remedies under subsection (a) of this section.

(d)–(f) Any provision of a contract or agreement of any kind, including but not limited to a controller's terms of service or a privacy policy that purports to waive or limit in any way an individual's rights under this chapter, including but not limited to any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable. (e) The attorney general shall create, maintain and monitor a mechanism for consumers to report potential violations of this chapter. (f) The attorney general shall issue an annual report to the clerks of the house and senate, the speaker of the house, the senate president, and the house and senate chairs of the joint committee on advanced information technology, the Internet and cybersecurity in a manner consistent with the requirements of section 11 of chapter 12, provided, however, that such report shall only relate to the enforcement of this chapter and its regulations.

Section 12 establishes the enforcement framework. Violations constitute unfair or deceptive trade practices under chapter 93A. The attorney general has exclusive enforcement authority against non-large-data-holder controllers and processors, notwithstanding sections 9 and 11 of chapter 93A — effectively barring private actions against smaller entities. For large data holders, chapter 93A private remedies are preserved. The AG may obtain injunctive relief, damages (including punitive), restitution, disgorgement, civil penalties up to $5,000 per violation, and attorney's fees. For flagrant, willful, and repeated violations, the court may suspend or prohibit the defendant from operating in Massachusetts. Contractual waivers of consumer rights are void. The AG must maintain a consumer complaint mechanism and issue annual enforcement reports.

Ch. 93M § 13

Relationship to Other Laws

Nothing in this chapter shall diminish any individual's rights or obligations under any other chapter or under any regulations promulgated thereunder.

Section 13 is a savings clause preserving existing rights and obligations under other chapters and regulations. It creates no new compliance obligation.

Ch. 93M § 14

Location Information of Non-Residents

Deployer

(a)–(b) 15 With respect to precise geolocation data that reveals that an individual or a device that identifies or is linked or reasonably linkable to 1 or more individuals is presently or was previously in the Commonwealth of Massachusetts: (1) an individual shall have the same rights, privileges, and protections as a consumer under this chapter for all such precise geolocation data; and (2) a controller shall treat such precise geolocation data in the same manner as it would the precise geolocation data of a consumer under this chapter. (b) Subsection (a) does not apply to the extent that an individual is acting as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency, but only if the individual's precise geolocation data is collected, processed, or transferred solely in relation to that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.

Section 14 extends the chapter's precise geolocation data protections to non-residents whose location data reveals they are or were present in Massachusetts. Non-resident individuals receive the same rights as consumers for such geolocation data, and controllers must treat the data identically. The employee-context exemption applies.

Compliance actions 1 item

Controllers must extend all chapter protections for precise geolocation data to non-residents whose geolocation data reveals they are or were present in Massachusetts, treating such data identically to that of Massachusetts consumers.

D-01.4

Ch. 93M § 15

Mergers, Acquisitions, and Bankruptcies

Deployer

(a)–(c) 16 A controller may transfer personal data to a third party in the context of a merger, acquisition, bankruptcy or similar transaction when the third party assumes control, in whole or in part, of the controller's assets, only if the controller, in a reasonable time prior to the transfer, provides an affected consumer with: (1) notice describing the transfer, including the name of the entity receiving the consumer's personal data and the applicable privacy policies of such entity; and (2) a reasonable opportunity to withdraw previously provided consent related to the consumer's personal data or otherwise exercise the rights guaranteed by this chapter. (b) In any transaction involving the transfer of genetic, neural, or biometric data, the reasonable opportunity under paragraph (2) of subsection (a) shall be no shorter than 60 days. (c) Nothing in this section shall be construed to diminish the requirements of paragraph (6) of subsection (a) of section 6.

Section 15 requires controllers to provide affected consumers with notice and a reasonable opportunity to withdraw consent or exercise their rights before transferring personal data to a third party in a merger, acquisition, or bankruptcy. For transfers involving genetic, neural, or biometric data, the withdrawal window must be at least 60 days.

Compliance actions 1 item

Controllers must, before transferring personal data in a merger, acquisition, or bankruptcy, provide affected consumers with notice identifying the receiving entity and its privacy policies and a reasonable opportunity to withdraw consent or exercise rights. For genetic, neural, or biometric data transfers, the withdrawal window must be at least 60 days.

D-01

Ch. 93M § 16

Browser Privacy Settings

Developer

17 By January 1, 2027, a person shall not develop or maintain a browser that does not include a setting that enables a consumer to send an opt-out preference signal, as described in section 6(e)(2), to controllers or processors that the consumer interacts with through the browser.

Section 16 imposes a standalone obligation on browser developers: by January 1, 2027, no person may develop or maintain a browser that does not include a setting enabling consumers to send an opt-out preference signal to controllers and processors. This is a product-design mandate directed at browser manufacturers, distinct from the controller-facing opt-out signal obligation in Section 6(e)(2).

Compliance actions 1 item

Browser developers must, by January 1, 2027, include in every browser a setting that enables consumers to send an opt-out preference signal to controllers and processors the consumer interacts with through the browser.

—

SECTION 2

Effective date

SECTION 1 shall take effect 180 days after enactment.

Section 2 of the enacting bill provides that Chapter 93M takes effect 180 days after enactment. This is a timing provision, not an independent compliance obligation.

SECTION 3

Data protection assessment deadline

The first data protection assessments required by section 8 of the Massachusetts Consumer Data Privacy Act shall be completed no later than the first anniversary of the effective date of this Act.

Section 3 of the enacting bill sets a deadline for the first data protection assessments: they must be completed no later than one year after the effective date. This provision qualifies the Section 8 assessment obligation but does not create an independent compliance duty.

Data Controls Data sale restrictions · deidentification

10 items

D-01.1

D-01.3

D-01.4

D-01.5

D-01.6

D-01.1

D-01.3

D-01.4

D-01

Human Oversight Decision review · appeal pathways

5 items

H-01.5

H-02

H-02.3

H-02.4

H-02.8

Governance Risk management · accountability programs

1 item

G-01.3

—

Other

1 item

—

Beginning Jan 1, 2027 Browser developers must, by January 1, 2027, include in every browser a setting that enables consumers to send an opt-out preference signal to controllers and processors the consumer interacts with through the browser.

Passage Likelihood

Medium

Status Introduced

Chamber No passage

Committee Passed

Majority party (No data)

Bipartisan No

Prior session None

Legislative History

2025-11-17 Reported from the committee on Advanced Information Technology, the Internet and Cybersecurity

2025-11-17 New draft of H78, H80, H86, H96, H103 and H104

2025-11-17 Bill reported favorably by committee and referred to the committee on House Ways and Means

Sources

Full Text ↗

Entry Last Reviewed

2026-05-20

AI generated