(a) As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:—

"Agency", any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or any of its branches, or of any political subdivision thereof.

"Abusive trade practice", any conduct by a covered entity that 1) materially interferes with the ability of an end user to understand a term or condition of the agreement between covered entities and end users relating to biometric recognition technology or biometric data or 2) takes unreasonable advantage of: a) A lack of understanding on the part of the end user of the material risks, costs, or conditions of the covered entity's product or service that uses biometric recognition technology; or b) The inability of the end user to protect their interests in selecting or using a covered entity's product or service; or c) The reasonable reliance by the end user on a covered entity's representation to act in the interests of the end user.

"Biometric data" means information that pertains to measurable biological or behavioral characteristics of an individual that can be used singularly, or in combination with each other, or with other information, for verification, recognition, or identification of an individual. Examples include but are not limited to fingerprints, retina and iris patterns, voiceprints, D.N.A. sequences, facial characteristics and face geometry, gait, handwriting, keystroke dynamics, and mouse movements. Biometric data does not include writing samples, written signatures, mere photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric data does not include donated organs, tissues, parts of the human body, blood, or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants obtained or stored by a federally designated organ procurement agency. Biometric data does not include information captured from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, so long as such information is protected under the federal Health Insurance Portability and Accountability Act of 1996 and applicable federal and state laws and regulations. Biometric data does not include information captured from an X-ray, roentgen process, computed tomography, M.R.I., P.E.T. scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

"Biometric recognition technology", Technology that (i) analyzes biometric data; (ii) is used to assign a unique, persistent identifier; or (iii) is used for the unique personal identification of a specific individual.

"Consent", any freely given, specific, informed and unambiguous indication of the consumer's wishes by which he or she, or his or her legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of biometric data relating to the consumer for a narrowly defined particular purpose. Acceptance of a general or broad terms of use or similar document that contains descriptions of biometric data processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of an abusive trade practice does not constitute consent.

"Controller", Any covered entity that, alone or jointly with others, determines the purposes and means of processing biometric data.

"Covered entity", Any person, including corporate affiliates, that collects, stores, or processes biometric data; provided, that the federal government or any state or local government, law enforcement agency, national security agency or intelligence agency shall not be covered entities.

"Data", Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.
"Deceptive data practiceDeceptive data practice"Deceptive data practice", Any act or practice involving the processing or transfer of covered data in a manner that constitutes a deceptive act or practice as described in section 2 of chapter 93A.Ch. 110I, § 1(a)", Any act or practice involving the processing or transfer of covered dataData"Data", Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.Ch. 110I, § 1(a) in a manner that constitutes a deceptive act or practice as described in section 2 of chapter 93A. "ElectronicElectronic"Electronic", Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.Ch. 110I, § 1(a)", Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities. "EncryptedEncrypted"Encrypted", Data that has been transformed according to procedures outlined in 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii) into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.Ch. 110I, § 1(a)", DataData"Data", Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.Ch. 110I, § 1(a) that has been transformed according to procedures outlined in 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii) into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation. "End userEnd user"End user", An individual providing biometric data to a covered entity.Ch. 
110I, § 1(a)", An individual providing biometric dataBiometric data"Biometric data" means information that pertains to measurable biological or behavioral characteristics of an individual that can be used singularly, or in combination with each other, or with other information, for verification, recognition, or identification of an individual. Examples include but are not limited to fingerprints, retina and iris patterns, voiceprints, D.N.A. sequences, facial characteristics and face geometry, gait, handwriting, keystroke dynamics, and mouse movements. Biometric data does not include writing samples, written signatures, mere photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric data does not include donated organs, tissues, parts of the human body, blood, or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants obtained or stored by a federally designated organ procurement agency. Biometric data does not include information captured from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, so long as such information is protected under the federal Health Insurance Portability and Accountability Act of 1996 and applicable federal and state laws and regulations. Biometric data does not include information captured from an X-ray, roentgen process, computed tomography, M.R.I., P.E.T. scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.Ch. 
110I, § 1(a) to a covered entityCovered entity"Covered entity", Any person, including corporate affiliates, that collects, stores, or processes biometric data; provided, that the federal government or any state or local government, law enforcement agency, national security agency or intelligence agency shall not be covered entities.Ch. 110I, § 1(a). "Harmful data practiceHarmful data practice"Harmful data practice", The processing or transfer of covered data in a manner that causes or is likely to cause: (1) financial, physical, or reputational injury to an individual; (2) physical or other highly offensive intrusion upon the solitude or seclusion of an individual or the individual's private affairs or concerns, where such intrusion would be highly offensive to a reasonable person; or (3) other substantial injury to an individual.Ch. 110I, § 1(a)", The processing or transfer of covered dataData"Data", Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.Ch. 110I, § 1(a) in a manner that causes or is likely to cause: (1) financial, physical, or reputational injury to an individual; (2) physical or other highly offensive intrusion upon the solitude or seclusion of an individual or the individual's private affairs or concerns, where such intrusion would be highly offensive to a reasonable personPerson"Person", A natural person, corporation, association, partnership or other legal entity.Ch. 110I, § 1(a); or (3) other substantial injury to an individual. "Legal effectLegal effect"Legal effect", An effect that changes an entity or persons' legal duties, liabilities, obligations, benefits owed, protections granted by law, or ability to utilize legal remedies.Ch. 110I, § 1(a)", An effect that changes an entity or personsPerson"Person", A natural person, corporation, association, partnership or other legal entity.Ch. 
110I, § 1(a)' legal duties, liabilities, obligations, benefits owed, protections granted by law, or ability to utilize legal remedies. "PersonPerson"Person", A natural person, corporation, association, partnership or other legal entity.Ch. 110I, § 1(a)", A natural personPerson"Person", A natural person, corporation, association, partnership or other legal entity.Ch. 110I, § 1(a), corporation, association, partnership or other legal entity. "Personal informationPersonal information"Personal information", For purposes of this section, "personal information" means biometric data.Ch. 110I, § 1(a)", For purposes of this section, "personal informationPersonal information"Personal information", For purposes of this section, "personal information" means biometric data.Ch. 110I, § 1(a)" means biometric dataBiometric data"Biometric data" means information that pertains to measurable biological or behavioral characteristics of an individual that can be used singularly, or in combination with each other, or with other information, for verification, recognition, or identification of an individual. Examples include but are not limited to fingerprints, retina and iris patterns, voiceprints, D.N.A. sequences, facial characteristics and face geometry, gait, handwriting, keystroke dynamics, and mouse movements. Biometric data does not include writing samples, written signatures, mere photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric data does not include donated organs, tissues, parts of the human body, blood, or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants obtained or stored by a federally designated organ procurement agency. 
Biometric data does not include information captured from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, so long as such information is protected under the federal Health Insurance Portability and Accountability Act of 1996 and applicable federal and state laws and regulations. Biometric data does not include information captured from an X-ray, roentgen process, computed tomography, M.R.I., P.E.T. scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.Ch. 110I, § 1(a). "Unfair data practiceUnfair data practice"Unfair data practice", The processing or transfer of covered data in a manner that causes or is likely to cause substantial injury to end users which is not reasonably avoidable by end users themselves and not outweighed by countervailing benefits to end users.Ch. 110I, § 1(a)", The processing or transfer of covered dataData"Data", Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.Ch. 110I, § 1(a) in a manner that causes or is likely to cause substantial injury to end usersEnd user"End user", An individual providing biometric data to a covered entity.Ch. 110I, § 1(a) which is not reasonably avoidable by end usersEnd user"End user", An individual providing biometric data to a covered entity.Ch. 110I, § 1(a) themselves and not outweighed by countervailing benefits to end usersEnd user"End user", An individual providing biometric data to a covered entity.Ch. 110I, § 1(a).
Section 1 establishes the defined terms for the chapter. The definition of biometric data is broad, encompassing fingerprints, retina and iris patterns, voiceprints, DNA sequences, facial characteristics, face geometry, gait, handwriting, keystroke dynamics, and mouse movements — but carved out are mere photographs, writing samples, demographic data, HIPAA-protected health data, and diagnostic imaging. Consent is defined restrictively: it must be freely given, specific, informed, and unambiguous; bundled general terms of use and passive interactions do not qualify. Covered entity encompasses any private person or entity that collects, stores, or processes biometric data, but expressly excludes government at all levels.
(a) 1 A covered entity shall be prohibited from taking any actions with respect to processing biometric data or designing biometric recognition technologies that conflict with an end user's best interests.
(b) 2 A covered entity shall be required to secure biometric data from unauthorized access in a reasonable manner that is the same as or more protective than the manner in which the covered entity secures other confidential and sensitive data and shall be prohibited from engaging in harmful data practices.
(c) 3 A covered entity shall not: (i) process or transfer biometric data in any manner not consented to by the end user; (ii) engage in the sale of biometric data to a third party; (iii) disclose biometric data with any other person or entity except as consistent with the duties of loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), respectively; or (iv) disclose or share biometric data with any other person unless that person enters into a contract with the covered entity that imposes on the person the same duties of care, loyalty, and confidentiality toward the end user as are imposed on the covered entity under this subsection.
(d) 4 A covered entity shall take reasonable steps to ensure that the practices of any person to whom the online service provider discloses or sells, or with whom the online service provider shares, biometric data fulfill the duties of care, loyalty, and confidentiality assumed by the person under the contract described in subparagraph (c), including by auditing, on a regular basis, the data security and data practices of any such person.
(e) 5 A covered entity shall not discriminate against a consumer because of the withheld consent under this title, including, but not limited to: (i) denying goods or services to the end user; (ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing a different level or quality of goods or services to the end user; (iv) suggesting that the end user will receive a different price or rate for goods or services or a different level or quality of goods or services.
Section 2 imposes a suite of fiduciary-style duties on covered entities handling biometric data. Subsection (a) creates a broad duty of loyalty — covered entities must not take any action with respect to processing biometric data or designing biometric recognition technologies that conflicts with the end user's best interests. Subsection (b) requires covered entities to secure biometric data at least as protectively as they secure other confidential data and prohibits harmful data practices.
Subsection (c) establishes four specific prohibitions: processing without consent, sale of biometric data, unauthorized disclosure, and disclosure without a downstream contract imposing equivalent duties. Subsection (d) requires ongoing auditing of downstream recipients. Subsection (e) prohibits discrimination against end users who withhold consent, including through pricing, service quality, or service denial.
(a) 6 A covered entity shall not: (i) engage in a deceptive data practice; (ii) engage in an unfair data practice; or (iii) engage in an abusive trade practice.
(b) It is the intent of the legislature that in construing paragraph (a) of this section in actions unfair and deceptive trade practices, the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended.
(c) The attorney general may make rules and regulations interpreting the provisions of subsection 2(a) of this chapter.
Section 3 prohibits covered entities from engaging in deceptive, unfair, or abusive biometric data practices as defined in Section 1. Subsection (b) directs courts to interpret these prohibitions using FTC and federal court interpretations of FTC Act § 5(a)(1), providing a body of established precedent as an interpretive guide. Subsection (c) grants the Attorney General rulemaking authority to interpret the duty of loyalty in Section 2(a).
(a) 7 Covered entities shall not use biometric data to help make decisions that produce legal effects or similarly significant effects concerning end users. Decisions that include legal effects or similarly significant effects concerning end users include, without limitation, denial or degradation of consequential services or support, such as financial or lending services, housing, insurance, educational enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.
(b) 8 Covered entities may not operate, install, or commission the operation or installation of equipment incorporating biometric recognition technology in any place, whether licensed or unlicensed, which is open to and accepts or solicits the patronage of the general public.
(c) The legislature finds that the practices covered by this section are matters vitally affecting the public interest for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a. A violation of this section is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a.
Section 4 imposes two categorical prohibitions. Subsection (a) bans the use of biometric data in any decision that produces a legal effect or similarly significant effect on end users, with an expansive illustrative list covering financial services, housing, insurance, education, criminal justice, employment, healthcare, and basic necessities. Subsection (b) bans the operation, installation, or commissioning of biometric recognition technology equipment in any place open to the general public — a sweeping public-surveillance prohibition.
Subsection (c) declares violations of this section to be per se unfair or deceptive acts under chapter 93A, removing any need for an independent unfairness or deceptiveness finding and opening the door to private enforcement under 93A §§ 9 and 11.
This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information.
Section 5 is a savings clause providing that the new chapter does not relieve any person or agency from the duty to comply with other applicable state or federal law regarding personal information protection and privacy. This creates no new obligation.
The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.
Section 6 grants the Attorney General enforcement authority under chapter 93A, section 4, to bring actions to remedy violations of the chapter and to seek other appropriate relief. The bill does not create an explicit standalone private right of action, but Section 4(c)'s declaration that violations of the decision-making and surveillance restrictions are per se unfair or deceptive acts under chapter 93A may independently support private enforcement under 93A §§ 9 and 11.