S-43
MA · State · USA
Status: Pre-filed
Proposed Effective Date: 2025-01-17
Massachusetts Senate No. 43 — An Act to protect personal biometric data (Chapter 93M, Biometric Information Privacy Act)
Summary

Modeled closely on the Illinois BIPA, this bill would create a new Chapter 93M in the Massachusetts General Laws governing the collection, retention, disclosure, and destruction of biometric identifiers and biometric information by private entities. Private entities must provide written notice and obtain informed written consent before collecting biometric identifiers, must develop and publish a written retention and destruction policy, and are prohibited from selling or profiting from biometric data. Commercial establishments are categorically prohibited from using biometric identifiers to identify persons or customers. Enforcement is available both through a private right of action and by the attorney general, with a $5,000 per-violation statutory minimum and treble damages for willful or knowing violations, following Chapter 93A procedures.

Enforcement & Penalties
Enforcement Authority
Private right of action pursuant to the procedures set forth in Chapter 93A. Any person aggrieved by a violation may bring a cause of action. The attorney general may also bring an action in the name of the commonwealth upon any violation or suspected violation. No cure period or safe harbor is specified.
Penalties
Greater of $5,000 per violation or actual damages suffered. If the court finds the violation was willful or knowing, damages may be up to three but not less than two times that amount. Damages may also include attorneys' fees and costs. The $5,000 statutory minimum does not require proof of actual monetary harm.
Who Is Covered
"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized.
Compliance Obligations (6 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.8 · Deployer · Biometrics
Ch. 93M § 2(b)(1)-(3)
Plain Language
Before collecting, capturing, purchasing, or otherwise obtaining any biometric identifier or biometric information, a private entity must provide the individual (or their legally authorized representative) with written notice that biometric data is being collected, written notice of the specific purpose and duration of the collection and use, and must obtain informed written consent. Electronic consent is permitted. This is an affirmative opt-in requirement — collection without prior written notice and consent is prohibited regardless of the source of the data.
Statutory Text
(b) No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives written consent executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative. Written consent may be obtained by electronic means.
G-01 AI Governance Program & Documentation · G-01.3 · Deployer · Biometrics
Ch. 93M § 2(a)
Plain Language
Any private entity that possesses biometric identifiers or biometric information must create a written retention and destruction policy and make it available to the individuals whose data was collected. The policy must establish a schedule for permanently destroying biometric data when the original purpose for collection has been satisfied or within one year of the individual's last interaction with the entity, whichever comes first. The entity must then follow its own policy — the only exception is a valid court order, warrant, subpoena, or governmental agency request. This is both a policy-creation obligation and an ongoing compliance obligation to adhere to the policy once created.
Statutory Text
(a) A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the person from whom biometric information is to be collected or was collected, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 1 year of the individual's last interaction with the private entity, whichever occurs first. Absent a valid order, warrant, or subpoena issued by a court of competent jurisdiction or a local or federal governmental agency, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Ch. 93M § 2(c)
Plain Language
Private entities are categorically prohibited from selling, leasing, trading, or otherwise profiting from biometric identifiers or biometric information. This is an absolute prohibition with no consent override — even with the individual's written consent, a private entity may not monetize biometric data. This effectively prevents commercial data brokerage of biometric information and limits permissible uses to the original stated purpose.
Statutory Text
(c) No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Biometrics
Ch. 93M § 2(d)(1)-(4)
Plain Language
Private entities may not disclose, redisclose, or disseminate biometric identifiers or biometric information to third parties except in four narrow circumstances: (1) the individual provides written consent; (2) the disclosure completes a financial transaction the individual requested or authorized; (3) the disclosure is required by applicable law or ordinance; or (4) the disclosure is required by a valid warrant or subpoena. Outside these four exceptions, all sharing is prohibited. Note that redisclosure by downstream recipients is also covered — the prohibition runs to any entity in possession of the data, not just the original collector.
Statutory Text
(d) No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative provides written consent to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by state or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Other · Biometrics
Ch. 93M § 2(e)(1)-(2)
Plain Language
Private entities must protect biometric identifiers and biometric information with at least the reasonable standard of care for their industry, and must store, transmit, and protect biometric data at least as securely as they protect other confidential and sensitive information (such as SSNs, account numbers, and PINs). This creates a dual security floor: the entity must meet both the industry standard and its own internal standard for other sensitive data — whichever is higher effectively governs.
Statutory Text
(e) A private entity in possession of a biometric identifier or biometric information shall: (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
S-02 Prohibited Conduct & Output Restrictions · S-02.2 · Deployer · Biometrics
Ch. 93M § 2(f)
Plain Language
Commercial establishments — defined as places of entertainment, retail stores, and food and drink establishments — are categorically prohibited from using biometric identifiers or biometric information to identify any person or customer. This is an absolute prohibition with no consent override. It effectively bars facial recognition, fingerprint identification, and similar biometric identification technologies in brick-and-mortar retail, entertainment, and food-service contexts, regardless of whether the customer consents.
Statutory Text
(f) No commercial establishment shall use a person's or a customer's biometric identifier or biometric information to identify them.