WHAT THIS BILL REGULATES · 1 REQUIREMENT TYPE
How Is This Bill Enforced
Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
As used in this chapter, the following words shall, unless the context clearly requires otherwise, have the following meanings:
"Biometric identifier" means a physiological or biological characteristic that is used by or on behalf of a private entity, singly or in combination, to identify, or assist in identifying, an individual, including, but not limited to a retina or iris scan, fingerprint, voiceprint, pattern of gait or movement, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs or tissues or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996. Biometric identifiers do not include an X-ray, roentgen process, computed tomography, MRI, PET scan, mammography, or other image or film of the human anatomy used to diagnose, prognose, or treat an illness or other medical condition or to further validate scientific testing or screening.
"Biometric information" means any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Biometric information does not include information derived from items or procedures excluded under the definition of biometric identifiers.
"Commercial Establishment" means a place of entertainment, a retail store, or a food and drink establishment.
"Confidential and sensitive information" means personal information that can be used to uniquely identify an individual or an individual's account or property. Examples of confidential and sensitive information include, but are not limited to, a genetic marker, genetic testing information, a unique identifier number to locate an account or property, an account number, a PIN number, a pass code, a driver's license number, or a social security number.
"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized.
"Written consent" means informed written consent.
(G.L. c. 93M, § 1)
Section 1 establishes the core defined terms for the Biometric Information Privacy Act. The definition of biometric identifier is broad, encompassing retina or iris scans, fingerprints, voiceprints, gait patterns, and hand or face geometry. Notable carve-outs exclude photographs, writing samples, demographic data, HIPAA-covered health data, and medical imaging. The private entity definition covers any organizational form, including individuals.
(a) 1 A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the person from whom biometric information is to be collected or was collected, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 1 year of the individual's last interaction with the private entity, whichever occurs first. Absent a valid order, warrant, or subpoena issued by a court of competent jurisdiction or a local or federal governmental agency, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.
(b)(1)–(3) 2 No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives written consent executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative. Written consent may be obtained by electronic means.
(c) 3 No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.
(d)(1)–(4) 4 No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative provides written consent to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by state or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
(e)(1)–(2) 5 A private entity in possession of a biometric identifier or biometric information shall: (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.
(f) 6 No commercial establishment shall use a person's or a customer's biometric identifier or biometric information to identify them.
Section 2 is the operative core of the bill, imposing six distinct obligations on private entities regarding biometric data. Subsection (a) requires a written retention and destruction policy. Subsection (b) imposes a pre-collection notice-and-consent regime requiring written notice of the fact of collection, the purpose and duration, and affirmative written consent. Subsection (c) categorically prohibits sale or profiting from biometric data. Subsection (d) restricts disclosure to four enumerated exceptions. Subsection (e) mandates industry-standard security protections. Subsection (f) prohibits commercial establishments from using biometric identifiers for customer identification.
The notice-and-consent requirements in subsection (b) closely track Illinois BIPA § 15(b), requiring both written notice and informed written consent before any collection occurs. The prohibition on sale in subsection (c) is absolute with no exceptions.
(a) Any person aggrieved by a violation of this chapter shall have a cause of action pursuant to the procedures set forth in chapter 93A. Damages pursuant to any said action shall be no less than $5,000 per violation or actual damages suffered, whichever is greater, or up to three but not less than two times such amount if the court finds that the violation was a willful or knowing act. Damages may also include attorneys' fees and costs.
(b) The attorney general may bring an action in the name of the commonwealth pursuant to the procedures set forth in chapter 93A upon any violation or suspected violation of this chapter. Damages pursuant to any said action shall be no less than $5,000 per violation or actual damages suffered, whichever is greater, or up to three but not less than two times such amount if the court finds that the violation was a willful or knowing act.
Section 3 establishes the enforcement framework. Subsection (a) creates a private right of action for any person aggrieved by a violation, operating through Chapter 93A procedures. Statutory damages are set at no less than $5,000 per violation or actual damages, whichever is greater, with a multiplier of two to three times for willful or knowing violations. Attorneys' fees and costs are available. Subsection (b) grants the attorney general parallel enforcement authority under Chapter 93A with the same damages framework.
The Chapter 93A referral is significant — it imports an established body of consumer protection procedural law, including the demand letter requirement for private actions, into the biometric privacy context.
(a) Nothing in this chapter shall be construed to impact the admission or discovery of biometric identifiers and biometric information in any action of any kind in any court, or before any tribunal, board, or agency.
(b) Nothing in this chapter shall be construed to conflict with the federal Health Insurance Portability and Accountability Act of 1996 and the rules promulgated under said Act.
Section 4 contains two savings clauses. Subsection (a) preserves the admissibility and discoverability of biometric identifiers and biometric information in legal proceedings. Subsection (b) provides that the chapter shall not be construed to conflict with HIPAA, reinforcing the HIPAA carve-out in the biometric identifier definition.