S-36
MA · State · USA
● Pre-filed
Proposed Effective Date
2025-01-16
An Act to provide accountability in the use of biometric recognition technology and comprehensive enforcement
Summary

Regulates the collection, processing, and use of biometric data and biometric recognition technology in Massachusetts. Covered entities — any person that collects, stores, or processes biometric data, excluding government entities — owe duties of loyalty, care, and confidentiality to end users, including prohibitions on processing without consent, selling biometric data, and engaging in deceptive, unfair, or abusive data practices. The bill categorically prohibits using biometric data in decisions producing legal or similarly significant effects (employment, housing, credit, healthcare, etc.) and prohibits operating biometric recognition technology in any place open to the general public. Enforcement is through the attorney general under Massachusetts chapter 93A; violations of the decision-making and surveillance restrictions are declared per se unfair or deceptive acts. The bill does not create an explicit private right of action, though the 93A framework may provide indirect private enforcement.

Enforcement & Penalties
Enforcement Authority
The attorney general may bring an action pursuant to section 4 of chapter 93A against a person to remedy violations of this chapter and for other relief that may be appropriate. The attorney general may also make rules and regulations interpreting the duties of loyalty provisions. Section 4(c) declares violations of the decision-making and public surveillance restrictions to be per se unfair or deceptive acts under chapter 93A. Massachusetts chapter 93A section 9 provides a private right of action for consumers harmed by unfair or deceptive acts, but this bill does not itself create an independent private right of action — any private enforcement would flow through the existing 93A framework.
Penalties
Enforcement is through chapter 93A section 4, which provides the attorney general with authority to seek injunctive relief, civil penalties up to $5,000 per violation, and other appropriate relief. Section 4(c) of this bill declares violations of the decision-making and surveillance restrictions to be per se unfair or deceptive acts under 93A, meaning treble damages may be available to private plaintiffs under 93A section 9 or 11 if they can establish standing under that existing framework. The bill itself does not specify independent statutory damages.
Who Is Covered
"Covered entity": Any person, including corporate affiliates, that collects, stores, or processes biometric data; provided, that the federal government or any state or local government, law enforcement agency, national security agency or intelligence agency shall not be covered entities.
Compliance Obligations (11 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Chapter 110I, § 2(c)(i)-(ii)
Plain Language
Covered entities may not process or transfer biometric data in any manner not consented to by the end user. Sale of biometric data to third parties is categorically prohibited. Disclosure to third parties is permitted only if consistent with the duties of loyalty, care, and confidentiality, and only if the recipient enters a contract imposing the same duties toward the end user. Consent must be freely given, specific, informed, and unambiguous — bundled consent in general terms of use is expressly insufficient, and consent obtained through abusive trade practices is void.
Statutory Text
(c) A covered entity shall not: (i) process or transfer biometric data in any manner not consented to by the end user; (ii) engage in the sale of biometric data to a third party; (iii) disclose biometric data with any other person or entity except as consistent with the duties of loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), respectively; or (iv) disclose or share biometric data with any other person unless that person enters into a contract with the covered entity that imposes on the person the same duties of care, loyalty, and confidentiality toward the end user as are imposed on the covered entity under this subsection.
Other · Deployer · Biometrics
Chapter 110I, § 2(a)
Plain Language
Covered entities owe a duty of loyalty to end users: they may not take any action in processing biometric data or designing biometric recognition technology that conflicts with the end user's best interests. This is an overarching fiduciary-style standard that applies to all activities involving biometric data, supplementing the more specific prohibitions in Section 2(b)-(e). The attorney general may make rules and regulations interpreting this provision.
Statutory Text
(a) A covered entity shall be prohibited from taking any actions with respect to processing biometric data or designing biometric recognition technologies that conflict with an end user's best interests.
Other · Deployer · Biometrics
Chapter 110I, § 2(b)
Plain Language
Covered entities must secure biometric data from unauthorized access at a level equal to or greater than the security they apply to other confidential and sensitive data. They are also prohibited from engaging in harmful data practices — meaning processing or transferring biometric data in a way that causes or is likely to cause financial, physical, or reputational injury, highly offensive intrusions on privacy, or other substantial injury to individuals. This sets a floor-plus-ceiling approach: the security floor is whatever the entity already uses for its most sensitive data, and the entity must also avoid affirmatively harmful processing.
Statutory Text
(b) A covered entity shall be required to secure biometric data from unauthorized access in a reasonable manner that is the same as or more protective than the manner in which the covered entity secures other confidential and sensitive data and shall be prohibited from engaging in harmful data practices.
Other · Deployer · Biometrics
Chapter 110I, § 2(d)
Plain Language
When a covered entity discloses or shares biometric data with a third party, it must take reasonable steps — including regular audits — to ensure the recipient is actually complying with the contractual duties of care, loyalty, and confidentiality. This creates an ongoing downstream oversight obligation, not merely a one-time contractual flow-down. The entity must proactively verify that its data recipients' security and data practices match what was promised in the contract.
Statutory Text
(d) A covered entity shall take reasonable steps to ensure that the practices of any person to whom the online service provider discloses or sells, or with whom the online service provider shares, biometric data fulfill the duties of care, loyalty, and confidentiality assumed by the person under the contract described in subparagraph (c), including by auditing, on a regular basis, the data security and data practices of any such person.
Other · Deployer · Biometrics
Chapter 110I, § 2(e)
Plain Language
Covered entities may not retaliate against consumers who refuse to consent to biometric data collection or processing. Prohibited discrimination includes denying goods or services, charging different prices, providing degraded service, or even suggesting that the consumer will face different pricing or quality. This ensures that consent remains truly voluntary — a consumer who withholds biometric data consent must receive the same goods, services, prices, and quality as a consumer who consents.
Statutory Text
(e) A covered entity shall not discriminate against a consumer because of the withheld consent under this title, including, but not limited to: (i) denying goods or services to the end user; (ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing a different level or quality of goods or services to the end user; (iv) suggesting that the end user will receive a different price or rate for goods or services or a different level or quality of goods or services.
CP-01 Deceptive & Manipulative AI Conduct · Deployer · Biometrics
Chapter 110I, § 3(a)-(b)
Plain Language
Covered entities are prohibited from engaging in deceptive, unfair, or abusive data practices with respect to biometric data. 'Deceptive' incorporates existing 93A standards; 'unfair' follows the FTC Act three-part test (substantial injury, not reasonably avoidable, not outweighed by benefits); 'abusive' adds a CFPB-style prohibition on materially interfering with end users' understanding of biometric data terms or taking unreasonable advantage of knowledge asymmetries, inability to protect interests, or reasonable reliance. Courts are directed to follow FTC and federal court interpretations of FTC Act section 5(a)(1).
Statutory Text
(a) A covered entity shall not: (i) engage in a deceptive data practice; (ii) engage in an unfair data practice; or (iii) engage in an abusive trade practice. (b) It is the intent of the legislature that in construing paragraph (a) of this section in actions unfair and deceptive trade practices, the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended.
D-01 Automated Processing Rights & Data Controls · D-01.5 · Deployer · Biometrics · Automated Decisionmaking
Chapter 110I, § 4(a)
Plain Language
Covered entities are categorically prohibited from using biometric data to inform or contribute to any decision that produces legal effects or similarly significant effects on end users. The bill provides a non-exhaustive list of covered decisions: financial/lending services, housing, insurance, educational enrollment, criminal justice, employment, healthcare, and access to basic necessities. This is not a 'use with safeguards' provision — it is a flat prohibition on using biometric data in consequential decision-making, with no exceptions for consent, bias mitigation, or human oversight.
Statutory Text
(a) Covered entities shall not use biometric data to help make decisions that produce legal effects or similarly significant effects concerning end users. Decisions that include legal effects or similarly significant effects concerning end users include, without limitation, denial or degradation of consequential services or support, such as financial or lending services, housing, insurance, educational enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.
S-02 Prohibited Conduct & Output Restrictions · S-02.2 · Deployer · Biometrics
Chapter 110I, § 4(b)
Plain Language
Covered entities may not operate, install, or commission the installation of biometric recognition technology in any place that is open to and solicits the patronage of the general public — whether the place is licensed or unlicensed. This is a sweeping prohibition on public-facing biometric surveillance covering retail stores, restaurants, entertainment venues, transit hubs, and any other publicly accessible space. Unlike many jurisdictions that restrict only real-time facial recognition, this provision covers all biometric recognition technology (fingerprints, voiceprints, gait analysis, etc.) and applies to both private and public-facing commercial locations.
Statutory Text
(b) Covered entities may not operate, install, or commission the operation or installation of equipment incorporating biometric recognition technology in any place, whether licensed or unlicensed, which is open to and accepts or solicits the patronage of the general public.
Other · Biometrics
Chapter 110I, § 4(c)
Plain Language
This provision declares that any violation of Section 4 (the prohibitions on biometric data in consequential decisions and public surveillance) constitutes a per se unfair or deceptive act under Massachusetts chapter 93A. This eliminates the need to independently prove the violation meets the 93A unfairness standard — the violation itself is sufficient. It is a legislative finding and enforcement hook rather than an independent compliance obligation.
Statutory Text
(c) The legislature finds that the practices covered by this section are matters vitally affecting the public interest for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a. A violation of this section is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a.
Other · Biometrics
Chapter 110I, § 5
Plain Language
This savings clause confirms that the new biometric data chapter does not displace or preempt any existing state or federal privacy law. Entities must continue to comply with all other applicable privacy requirements (e.g., HIPAA, state data breach notification laws, existing 93A obligations). This creates no new affirmative obligation.
Statutory Text
This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information.
Other · Biometrics
Chapter 110I, § 6
Plain Language
The attorney general is authorized to bring enforcement actions under chapter 93A section 4 against any person who violates this chapter. This grants the AG enforcement authority but does not create a new affirmative compliance obligation for covered entities.
Statutory Text
The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.