G.L. c. 110I, § 1(a)

(a) As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:—

"Agency", any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or any of its branches, or of any political subdivision thereof.

"Abusive trade practice", any conduct by a covered entity that 1) materially interferes with the ability of an end user to understand a term or condition of the agreement between covered entities and end users relating to biometric recognition technology or biometric data or 2) takes unreasonable advantage of: a) A lack of understanding on the part of the end user of the material risks, costs, or conditions of the covered entity's product or service that uses biometric recognition technology; or b) The inability of the end user to protect their interests in selecting or using a covered entity's product or service; or c) The reasonable reliance by the end user on a covered entity's representation to act in the interests of the end user.

"Biometric data" means information that pertains to measurable biological or behavioral characteristics of an individual that can be used singularly, or in combination with each other, or with other information, for verification, recognition, or identification of an individual. Examples include but are not limited to fingerprints, retina and iris patterns, voiceprints, D.N.A. sequences, facial characteristics and face geometry, gait, handwriting, keystroke dynamics, and mouse movements. Biometric data does not include writing samples, written signatures, mere photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric data does not include donated organs, tissues, parts of the human body, blood, or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants obtained or stored by a federally designated organ procurement agency. Biometric data does not include information captured from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, so long as such information is protected under the federal Health Insurance Portability and Accountability Act of 1996 and applicable federal and state laws and regulations. Biometric data does not include information captured from an X-ray, roentgen process, computed tomography, M.R.I., P.E.T. scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.

"Biometric recognition technology", Technology that (i) analyzes biometric data; (ii) is used to assign a unique, persistent identifier; or (iii) is used for the unique personal identification of a specific individual.

"Consent", any freely given, specific, informed and unambiguous indication of the consumer's wishes by which the consumer, or the consumer's legal guardian, by a person who has power of attorney or is acting as a conservator for the consumer, such as by a statement or by a clear affirmative action, signifies agreement to the processing of biometric data relating to the consumer for a narrowly defined particular purpose. Acceptance of a general or broad terms of use or similar document that contains descriptions of biometric data processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of an abusive trade practice does not constitute consent.

"Controller", Any covered entity that, alone or jointly with others, determines the purposes and means of processing biometric data.

"Covered entity", Any person, including corporate affiliates, that collects, stores, or processes biometric data; provided, that the federal government or any state or local government, law enforcement agency, national security agency or intelligence agency shall not be covered entities.

"Data", Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

"Deceptive data practice", Any act or practice involving the processing or transfer of covered data in a manner that constitutes a deceptive act or practice as described in section 2 of chapter 93A.

"Electronic", Relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities.

"Encrypted", Data
110I, § 1(a) that has been transformed according to procedures outlined in 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii) into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation. "End userEnd user"End user", An individual providing biometric data to a covered entity.G.L. c. 110I, § 1(a)" , An individual providing biometric dataBiometric data"Biometric data" means information that pertains to measurable biological or behavioral characteristics of an individual that can be used singularly, or in combination with each other, or with other information, for verification, recognition, or identification of an individual. Examples include but are not limited to fingerprints, retina and iris patterns, voiceprints, D.N.A. sequences, facial characteristics and face geometry, gait, handwriting, keystroke dynamics, and mouse movements. Biometric data does not include writing samples, written signatures, mere photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric data does not include donated organs, tissues, parts of the human body, blood, or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants obtained or stored by a federally designated organ procurement agency. 
Biometric data does not include information captured from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, so long as such information is protected under the federal Health Insurance Portability and Accountability Act of 1996 and applicable federal and state laws and regulations. Biometric data does not include information captured from an X-ray, roentgen process, computed tomography, M.R.I., P.E.T. scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.G.L. c. 110I, § 1(a) to a covered entityCovered entity"Covered entity", Any person, including corporate affiliates, that collects, stores, or processes biometric data; provided, that the federal government or any state or local government, law enforcement agency, national security agency or intelligence agency shall not be covered entities.G.L. c. 110I, § 1(a). "Harmful data practiceHarmful data practice"Harmful data practice", The processing or transfer of covered data in a manner that causes or is likely to cause: (1) financial, physical, or reputational injury to an individual; (2) physical or other highly offensive intrusion upon the solitude or seclusion of an individual or the individual's private affairs or concerns, where such intrusion would be highly offensive to a reasonable person; or (3) other substantial injury to an individual.G.L. c. 110I, § 1(a)" , The processing or transfer of covered dataData"Data", Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.G.L. c. 
110I, § 1(a) in a manner that causes or is likely to cause: (1) financial, physical, or reputational injury to an individual; (2) physical or other highly offensive intrusion upon the solitude or seclusion of an individual or the individual's private affairs or concerns, where such intrusion would be highly offensive to a reasonable personPerson"Person", A natural person, corporation, association, partnership or other legal entity.G.L. c. 110I, § 1(a); or (3) other substantial injury to an individual. "Legal effectLegal effect"Legal effect", An effect that changes an entity or person's legal duties, liabilities, obligations, benefits owed, protections granted by law, or ability to utilize legal remedies.G.L. c. 110I, § 1(a)" , An effect that changes an entity or personPerson"Person", A natural person, corporation, association, partnership or other legal entity.G.L. c. 110I, § 1(a)'s legal duties, liabilities, obligations, benefits owed, protections granted by law, or ability to utilize legal remedies. "PersonPerson"Person", A natural person, corporation, association, partnership or other legal entity.G.L. c. 110I, § 1(a)" , A natural personPerson"Person", A natural person, corporation, association, partnership or other legal entity.G.L. c. 110I, § 1(a), corporation, association, partnership or other legal entity. "Personal informationPersonal information"Personal information", For purposes of this section, "personal information" means biometric data.G.L. c. 110I, § 1(a)" , For purposes of this section, "personal informationPersonal information"Personal information", For purposes of this section, "personal information" means biometric data.G.L. c. 
110I, § 1(a)" means biometric dataBiometric data"Biometric data" means information that pertains to measurable biological or behavioral characteristics of an individual that can be used singularly, or in combination with each other, or with other information, for verification, recognition, or identification of an individual. Examples include but are not limited to fingerprints, retina and iris patterns, voiceprints, D.N.A. sequences, facial characteristics and face geometry, gait, handwriting, keystroke dynamics, and mouse movements. Biometric data does not include writing samples, written signatures, mere photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric data does not include donated organs, tissues, parts of the human body, blood, or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants obtained or stored by a federally designated organ procurement agency. Biometric data does not include information captured from a patient by a health care provider or health care facility, or collected, processed, used, or stored exclusively for medical education or research, public health or epidemiological purposes, health care treatment, health insurance, payment, or operations, so long as such information is protected under the federal Health Insurance Portability and Accountability Act of 1996 and applicable federal and state laws and regulations. Biometric data does not include information captured from an X-ray, roentgen process, computed tomography, M.R.I., P.E.T. scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.G.L. c. 110I, § 1(a). 
"Unfair data practiceUnfair data practice"Unfair data practice", The processing or transfer of covered data in a manner that causes or is likely to cause substantial injury to end users which is not reasonably avoidable by end users themselves and not outweighed by countervailing benefits to end users.G.L. c. 110I, § 1(a)" , The processing or transfer of covered dataData"Data", Any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.G.L. c. 110I, § 1(a) in a manner that causes or is likely to cause substantial injury to end usersEnd user"End user", An individual providing biometric data to a covered entity.G.L. c. 110I, § 1(a) which is not reasonably avoidable by end usersEnd user"End user", An individual providing biometric data to a covered entity.G.L. c. 110I, § 1(a) themselves and not outweighed by countervailing benefits to end usersEnd user"End user", An individual providing biometric data to a covered entity.G.L. c. 110I, § 1(a).
Section 1 establishes the definitions governing the new Chapter 110I. Key features include a broad definition of biometric data covering fingerprints, face geometry, voiceprints, DNA sequences, gait, keystroke dynamics, and mouse movements — with carve-outs for healthcare data protected under HIPAA, medical imaging, organ/tissue donations, and mere photographs. The consent definition is notably strict: it requires freely given, specific, informed, and unambiguous agreement for a narrowly defined purpose and expressly excludes bundled terms-of-use acceptance, passive interactions, and agreement obtained through abusive trade practices. Government entities, law enforcement, and intelligence agencies are carved out of the covered entity definition entirely.
(a) 1 A covered entity shall be prohibited from taking any actions with respect to processing biometric data or designing biometric recognition technologies that conflict with an end user's best interests.
(b) 2 A covered entity shall be required to secure biometric data from unauthorized access in a reasonable manner that is the same as or more protective than the manner in which the covered entity secures other confidential and sensitive data and shall be prohibited from engaging in harmful data practices.
(c) 3 A covered entity shall not: (i) process or transfer biometric data in any manner not consented to by the end user; (ii) engage in the sale of biometric data to a third party; (iii) disclose biometric data with any other person or entity except as consistent with the duties of loyalty, care, and confidentiality under subsections 2(a), 2(b) and 2(c)(i) and 2(c)(ii), respectively; or (iv) disclose or share biometric data with any other person unless that person enters into a contract with the covered entity that imposes on the person the same duties of care, loyalty, and confidentiality toward the end user as are imposed on the covered entity under this subsection.
(d) 4 A covered entity shall take reasonable steps to ensure that the practices of any person to whom the online service provider discloses or sells, or with whom the online service provider shares, biometric data fulfill the duties of care, loyalty, and confidentiality assumed by the person under the contract described in subparagraph (c), including by auditing, on a regular basis, the data security and data practices of any such person.
(e) 5 A covered entity shall not discriminate against a consumer because of the withheld consent under this title, including, but not limited to: (i) denying goods or services to the end user; (ii) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (iii) providing a different level or quality of goods or services to the end user; (iv) suggesting that the end user will receive a different price or rate for goods or services or a different level or quality of goods or services.
Section 2 imposes a fiduciary-like framework on covered entities handling biometric data. Subsection (a) establishes a broad duty of loyalty — covered entities may not take any action in processing biometric data or designing biometric recognition technologies that conflicts with the end user's best interests. Subsection (b) requires data security at a level at least equal to how the entity protects its other confidential data and prohibits harmful data practices.
Subsection (c) creates granular data-processing restrictions: no processing beyond what the end user consented to, no sale to third parties, no disclosure except consistent with the loyalty and care duties, and downstream recipients must be contractually bound to the same duties. Subsection (d) imposes an ongoing auditing obligation — the covered entity must regularly audit downstream data recipients' security and practices. Subsection (e) prohibits discrimination against end users who withhold consent.
(a) 6 A covered entity shall not: (i) engage in a deceptive data practice; (ii) engage in an unfair data practice; or (iii) engage in an abusive trade practice.
(b) It is the intent of the legislature that in construing paragraph (a) of this section in actions unfair and deceptive trade practices, the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended.
(c) The attorney general may make rules and regulations interpreting the provisions of subsection 2(a) of this chapter.
Section 3 prohibits covered entities from engaging in deceptive, unfair, or abusive data practices with respect to biometric data — incorporating by reference the FTC Act § 5(a)(1) interpretive framework. Subsection (b) is an interpretive direction to courts. Subsection (c) grants the attorney general rulemaking authority to interpret the duty of loyalty in Section 2(a).
(a) 7 Covered entities shall not use biometric data to help make decisions that produce legal effects or similarly significant effects concerning end users. Decisions that include legal effects or similarly significant effects concerning end users include, without limitation, denial or degradation of consequential services or support, such as financial or lending services, housing, insurance, educational enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.
(b) 8 Covered entities may not operate, install, or commission the operation or installation of equipment incorporating biometric recognition technology in any place, whether licensed or unlicensed, which is open to and accepts or solicits the patronage of the general public.
(c) The legislature finds that the practices covered by this section are matters vitally affecting the public interest for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a. A violation of this section is not reasonable in relation to the development and preservation of business and is an unfair or deceptive act in trade or commerce and an unfair method of competition for the purpose of applying the Massachusetts Consumer Protection law, chapter 93a.
Section 4 contains the bill's two most consequential prohibitions. Subsection (a) flatly bans covered entities from using biometric data to help make decisions that produce legal effects or similarly significant effects on end users — a sweeping prohibition covering financial services, housing, insurance, education, criminal justice, employment, healthcare, and access to basic necessities. Subsection (b) bans the operation or installation of biometric recognition technology in any place open to the general public, with no law enforcement exception (government entities are already excluded from the covered entity definition). Subsection (c) declares violations of this section to be per se unfair or deceptive acts under Chapter 93A.
This chapter does not relieve a person or agency from the duty to comply with requirements of any applicable general or special law or federal law regarding the protection and privacy of personal information.
Section 5 is a savings clause providing that this chapter does not relieve any person or agency from the duty to comply with other applicable state, special, or federal laws regarding the protection and privacy of personal information. This creates no new obligation.
The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.
Section 6 vests enforcement authority in the attorney general, who may bring an action under Chapter 93A, Section 4 to remedy violations of the chapter. This is a government-initiated enforcement mechanism — the bill does not create an independent private right of action, though Chapter 93A Section 9 separately permits private actions for unfair or deceptive trade practices, which could encompass violations declared per se unfair under Section 4(c).