S-36
MA · State · USA
Status
Pre-filed
Proposed Effective Date
2025-01-16
Massachusetts Senate No. 36 — An Act to provide accountability in the use of biometric recognition technology and comprehensive enforcement
Summary

Regulates any person (including corporate affiliates) that collects, stores, or processes biometric data in Massachusetts, excluding government entities, law enforcement, and intelligence agencies. Imposes duties of loyalty, care, and confidentiality on covered entities regarding biometric data — prohibiting processing or transfer without consent, sale of biometric data, and discrimination against users who withhold consent. Prohibits use of biometric data for consequential decision-making and bans operation of biometric recognition technology in places open to the general public. Violations of Section 4 are declared per se violations of chapter 93A, enforceable by the attorney general. The bill contains no express private right of action, though the chapter 93A designation may enable private suits indirectly.

Enforcement & Penalties
Enforcement Authority
Attorney general enforcement. The attorney general may bring an action pursuant to section 4 of chapter 93A against a person to remedy violations of the chapter and for other relief that may be appropriate. Section 4(c) declares violations of Section 4 to be unfair or deceptive acts under chapter 93A, which independently enables private suits under chapter 93A § 9 and § 11, though the bill itself does not explicitly create a standalone private right of action. The attorney general also has rulemaking authority to interpret the duty of loyalty provisions under Section 2(a).
Penalties
Enforcement is through chapter 93A, section 4, which provides for injunctive relief, civil penalties up to $5,000 per violation, and other appropriate relief as determined by the court. Section 4(c) declares violations of Section 4 to be per se unfair or deceptive acts under chapter 93A, which may independently enable private actions under chapter 93A §§ 9 and 11 — providing actual damages or $25 minimum, treble damages for willful or knowing violations, and attorney's fees. No standalone statutory damages minimum is specified in this bill.
Who Is Covered
"Covered entity": Any person, including corporate affiliates, that collects, stores, or processes biometric data; provided, that the federal government or any state or local government, law enforcement agency, national security agency or intelligence agency shall not be covered entities.
Compliance Obligations (9 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Chapter 110I, Section 2(c)(i)-(iii)
Plain Language
Covered entities may not process, transfer, sell, or disclose biometric data without the end user's freely given, specific, informed, and unambiguous consent for a narrowly defined purpose. General terms-of-service acceptance is insufficient — consent must be purpose-specific and obtained through a clear affirmative action. Sale of biometric data to third parties is categorically prohibited. Any third-party recipient must be bound by contract to the same duties of care, loyalty, and confidentiality that apply to the covered entity itself. Consent obtained via abusive trade practices is void.
Statutory Text
(c) A covered entity shall not: (i) process or transfer biometric data in any manner not consented to by the end user; (ii) engage in the sale of biometric data to a third party; (iii) disclose biometric data with any other person or entity except as consistent with the duties of loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), respectively; or (iv) disclose or share biometric data with any other person unless that person enters into a contract with the covered entity that imposes on the person the same duties of care, loyalty, and confidentiality toward the end user as are imposed on the covered entity under this subsection.
Other · Deployer · Biometrics
Chapter 110I, Section 2(a)
Plain Language
Covered entities owe a duty of loyalty to end users: they may not take any action in processing biometric data or designing biometric recognition technology that conflicts with the end user's best interests. This is a broad fiduciary-style obligation with no enumerated safe harbors — the attorney general has rulemaking authority under Section 3(c) to interpret its scope. Compliance requires evaluating whether each design and processing decision serves end users rather than the covered entity's own interests at the end user's expense.
Statutory Text
(a) A covered entity shall be prohibited from taking any actions with respect to processing biometric data or designing biometric recognition technologies that conflict with an end user's best interests.
Other · Deployer · Biometrics
Chapter 110I, Section 2(b)
Plain Language
Covered entities must secure biometric data from unauthorized access at a level of protection that is at least as strong as the security applied to their other confidential and sensitive data. They are also categorically prohibited from engaging in harmful data practices — defined as processing or transfer of data that causes or is likely to cause financial, physical, or reputational injury, highly offensive intrusion upon seclusion, or other substantial injury. The security floor is the entity's own existing security standard for sensitive data — if the entity has weak general security, this provision still requires reasonable protection.
Statutory Text
(b) A covered entity shall be required to secure biometric data from unauthorized access in a reasonable manner that is the same as or more protective than the manner in which the covered entity secures other confidential and sensitive data and shall be prohibited from engaging in harmful data practices.
Other · Deployer · Biometrics
Chapter 110I, Section 2(d)
Plain Language
When a covered entity shares biometric data with a third party, it must take reasonable steps — including regular audits of data security and data practices — to verify that the third party is actually fulfilling the contractual duties of care, loyalty, and confidentiality required under Section 2(c). This is a continuing obligation, not a one-time diligence exercise at the time of contracting. Note: the text refers to 'online service provider' which appears to be a drafting error — the operative term elsewhere is 'covered entity.'
Statutory Text
(d) A covered entity shall take reasonable steps to ensure that the practices of any person to whom the online service provider discloses or sells, or with whom the online service provider shares, biometric data fulfill the duties of care, loyalty, and confidentiality assumed by the person under the contract described in subparagraph (c), including by auditing, on a regular basis, the data security and data practices of any such person.
D-01 Automated Processing Rights & Data Controls · D-01.3 · Deployer · Biometrics
Chapter 110I, Section 2(e)
Plain Language
Covered entities may not retaliate against or discriminate against end users who withhold consent to biometric data processing. Discrimination includes denying goods or services, charging different prices, degrading service quality, or even suggesting that the user will receive worse treatment. This anti-discrimination provision ensures that the consent right under Section 2(c) is meaningful — users cannot be punished for exercising it.
Statutory Text
(e) A covered entity shall not discriminate against a consumer because of the withheld consent under this title, including, but not limited to: (i) denying goods or services to the end user; (ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing a different level or quality of goods or services to the end user; (iv) suggesting that the end user will receive a different price or rate for goods or services or a different level or quality of goods or services.
CP-01 Deceptive & Manipulative AI Conduct · Deployer · Biometrics
Chapter 110I, Section 3(a)-(b)
Plain Language
Covered entities are prohibited from engaging in deceptive, unfair, or abusive data practices related to biometric data. Deceptive practices are defined by reference to chapter 93A. Unfair practices use the standard FTC three-part test: substantial injury, not reasonably avoidable by users, and not outweighed by countervailing benefits. The 'abusive' category — modeled on the CFPB's authority — adds a prohibition on conduct that materially interferes with user understanding of terms or takes unreasonable advantage of information asymmetries, user inability to protect their own interests, or user reliance on the covered entity. Courts are directed to follow FTC and federal court interpretations of Section 5 of the FTC Act.
Statutory Text
(a) A covered entity shall not: (i) engage in a deceptive data practice; (ii) engage in an unfair data practice; or (iii) engage in an abusive trade practice. (b) It is the intent of the legislature that in construing paragraph (a) of this section in actions unfair and deceptive trade practices, the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended.
D-01 Automated Processing Rights & Data Controls · D-01.5 · Deployer · Biometrics · Automated Decisionmaking
Chapter 110I, Section 4(a)
Plain Language
Covered entities are categorically prohibited from using biometric data to help make decisions that produce legal effects or similarly significant effects on end users. This is not a requirement for human review or bias testing — it is an outright ban. The scope of 'similarly significant effects' is illustrated by a non-exhaustive list including financial services, housing, insurance, education, criminal justice, employment, healthcare, and access to basic necessities. This effectively prohibits using biometric recognition technology for consequential automated decision-making across all major life domains.
Statutory Text
(a) Covered entities shall not use biometric data to help make decisions that produce legal effects or similarly significant effects concerning end users. Decisions that include legal effects or similarly significant effects concerning end users include, without limitation, denial or degradation of consequential services or support, such as financial or lending services, housing, insurance, educational enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.
S-02 Prohibited Conduct & Output Restrictions · S-02.2 · Deployer · Biometrics
Chapter 110I, Section 4(b)-(c)
Plain Language
Covered entities may not operate, install, or commission the installation of any equipment incorporating biometric recognition technology in any place open to and accepting the general public — whether licensed or unlicensed. This is a categorical ban on public-facing biometric recognition, covering retail stores, restaurants, entertainment venues, transportation hubs, and any other publicly accessible space. The legislature has declared that any violation of this section is per se an unfair or deceptive act under chapter 93A, meaning the attorney general can pursue enforcement under 93A § 4 and private parties may be able to pursue claims under 93A §§ 9 and 11 without needing to independently prove unfairness or deception.
Statutory Text
(b) Covered entities may not operate, install, or commission the operation or installation of equipment incorporating biometric recognition technology in any place, whether licensed or unlicensed, which is open to and accepts or solicits the patronage of the general public. (c) The legislature finds that the practices covered by this section are matters vitally affecting the public interest for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a. A violation of this section is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a.
Other · Biometrics
Chapter 110I, Section 5
Plain Language
This savings clause confirms that compliance with Chapter 110I does not excuse covered entities or agencies from their existing obligations under other state and federal privacy laws — such as HIPAA, the Massachusetts data breach notification law, or other applicable privacy frameworks. It creates no new obligation.
Statutory Text
This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information.