S-43
MA · State · USA
● Pre-filed
Proposed Effective Date
2025-01-17
Massachusetts Senate No. 43 — An Act to protect personal biometric data (Chapter 93M, Biometric Information Privacy Act)
Modeled closely on the Illinois Biometric Information Privacy Act (BIPA), this bill would require private entities to obtain written informed consent before collecting biometric identifiers or biometric information, provide written notice of collection purpose and retention period, and maintain a written retention and destruction policy. Private entities are prohibited from selling or profiting from biometric data and may only disclose it under enumerated exceptions (consent, financial transaction completion, legal requirement, or court order). Commercial establishments are categorically prohibited from using biometric identifiers to identify individuals. Enforcement is available through both a private right of action and Attorney General action under chapter 93A, with a $5,000 per violation statutory minimum and enhanced damages for willful or knowing violations.
Enforcement & Penalties
Enforcement Authority
Private right of action under chapter 93A procedures for any person aggrieved by a violation. The Attorney General may also bring an action in the name of the commonwealth under chapter 93A procedures upon any violation or suspected violation. No cure period is specified.
Penalties
Greater of $5,000 per violation or actual damages suffered. If the court finds the violation was willful or knowing, damages may be up to three but not less than two times the base amount. Attorneys' fees and costs may also be awarded. Statutory damages do not require proof of actual monetary harm — aggrievement by a violation is sufficient. The same damages framework applies to both private actions and Attorney General enforcement actions.
Who Is Covered
"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized.
Compliance Obligations (6 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Chapter 93M, § 2(b)(1)-(3)
Plain Language
Before collecting, capturing, purchasing, or otherwise obtaining any biometric identifier or biometric information, a private entity must provide the individual (or their authorized representative) with written notice that biometric data is being collected or stored, written notice of the specific purpose and retention period, and obtain the individual's informed written consent. Consent may be obtained electronically. This is a pre-collection requirement — all three elements must be satisfied before any biometric data is obtained. Broad carve-outs exist for HIPAA-covered healthcare data, medical imaging, organ transplant data, and demographic data.
Statutory Text
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives written consent executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative. Written consent may be obtained by electronic means.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Chapter 93M, § 2(a)
Plain Language
Any private entity that possesses biometric identifiers or biometric information must develop and make available a written policy establishing a retention schedule and guidelines for permanently destroying the data. Destruction must occur when the original collection purpose has been satisfied or within one year of the individual's last interaction with the entity, whichever comes first. The entity must comply with its own retention and destruction schedule unless a valid court order, warrant, or subpoena requires otherwise. This creates both a documentation obligation (written policy) and a data minimization obligation (mandatory destruction on schedule).
Statutory Text
(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the person from whom biometric information is to be collected or was collected, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 1 year of the individual's last interaction with the private entity, whichever occurs first. Absent a valid order, warrant, or subpoena issued by a court of competent jurisdiction or a local or federal governmental agency, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
D-01 Automated Processing Rights & Data Controls · D-01.5 · Deployer · Biometrics
Chapter 93M, § 2(c)
Plain Language
Private entities are categorically prohibited from selling, leasing, trading, or otherwise profiting from any person's biometric identifier or biometric information. There are no exceptions — this is an absolute prohibition. Unlike the disclosure restriction in § 2(d), which allows disclosure with consent or under legal compulsion, the commercialization prohibition has no carve-outs whatsoever.
Statutory Text
(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Chapter 93M, § 2(d)(1)-(4)
Plain Language
Private entities may not disclose, redisclose, or otherwise disseminate biometric identifiers or biometric information unless one of four enumerated exceptions applies: (1) the individual or their authorized representative provides written consent; (2) the disclosure completes a financial transaction the individual requested or authorized; (3) the disclosure is required by law; or (4) the disclosure is required by a valid warrant or subpoena. Outside these four exceptions, any disclosure is prohibited. Note that the consent exception requires written consent specifically, consistent with the chapter's overall consent standard.
Statutory Text
(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative provides written consent to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by state or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Other · Deployer · Biometrics
Chapter 93M, § 2(e)(1)-(2)
Plain Language
Private entities must apply two concurrent security standards to biometric data: (1) the reasonable standard of care within their industry, and (2) at least the same level of protection they apply to other confidential and sensitive information such as SSNs, account numbers, and PINs. The second standard creates an internal parity floor — if the entity already protects financial data with encryption and access controls, it must apply equivalent or greater protections to biometric data. Both standards must be met simultaneously.
Statutory Text
(e) A private entity in possession of a biometric identifier or biometric information shall: (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
S-02 Prohibited Conduct & Output Restrictions · S-02.2 · Deployer · Biometrics
Chapter 93M, § 2(f)
Plain Language
Commercial establishments — defined as places of entertainment, retail stores, and food and drink establishments — are categorically prohibited from using biometric identifiers or biometric information to identify persons or customers. This is an absolute prohibition with no exceptions: no consent mechanism can cure it, and it applies regardless of purpose. This effectively bans facial recognition and similar biometric identification technologies in retail, entertainment, and food service settings.
Statutory Text
(f) No commercial establishment shall use a person's or a customer's biometric identifier or biometric information to identify them.