A bill that would grant Massachusetts residents what supporters describe as fundamental internet privacy rights — including greater control over their personal information — is making its way through the Statehouse.
The bill, which would set standards for how companies can collect and sell personal information, was unanimously approved by the Legislature’s Committee on Advanced Information Technology this week.
Supporters say the bill builds on similar efforts in Colorado, Virginia, and California and would help modernize Massachusetts’ laws for the digital age. Critics warn a state-by-state patchwork of regulations could unfairly burden businesses trying to comply with the laws.
“Online privacy and security issues are only going to get more important,” said Democratic state Sen. Barry Finegold, Senate chair of the committee. “In the absence of federal action, we can enact meaningful reforms in the commonwealth and help clarify the rules of the road for businesses.”
An Associated Press poll last year found most Americans don’t believe their personal information is secure online.
One change the bill would make would be to let Massachusetts residents opt out of the sale of personal information.
The bill would require companies to obtain consent for most sales of sensitive information — such as geolocation, biometric or racial data — and when selling the personal information of children under 16.
It would also give internet users the right to delete and correct the personal information a company maintains about them.
Under the proposed law, companies would be required to provide easy-to-understand privacy notices that specify how personal information is being collected and sold and how residents can opt out. Businesses would have to conduct regular risk assessments for high-risk practices such as the sale of personal information and minimize the amount of personal information collected and retained.
The legislation would also allow the attorney general’s office to impose penalties of up to $7,500 per violation, ensure the state’s privacy laws adapt with the times and require those who buy and sell internet data to register with the attorney general’s office.
Setting rules for the internet on a state-by-state basis makes little sense, according to Chris Gilrein of TechNet, a technology industry group.
“It’s not the internet of Massachusetts or the internet of New Hampshire or Connecticut. Ultimately, a federal privacy law is the only way to end the costly patchwork of state laws,” Gilrein said in a statement. “A federal law would give consumers assurances their data is protected no matter where they live while offering businesses, especially small businesses, certainty about their responsibilities.”
In the absence of a federal standard, businesses will face an expensive task of trying to comply with each new state law, Gilrein said.
Supporters said the Massachusetts bill would help the attorney general’s office ensure that the enforcement of the law aligns with similar laws in other states while protecting small businesses and minimizing excessive burdens to comply with the law.
“The public is demanding that government act to protect their personal information from being shared without their knowledge and consent,” said Democratic Rep. Linda Dean Campbell, the House chair of the committee.
A handful of other states have passed data privacy laws.
The California Consumer Privacy Act of 2018 also aimed to give individuals more control over personal information collected by businesses, including the right to know what information is being collected and how it is used, the right to delete personal information and the right to opt out of the sale of their personal information.
The California Department of Justice began notifying businesses found not in compliance with the data privacy law in July 2020.
In its first year of enforcement, 75% of businesses acted to come into compliance within 30 days, as required by the law, according to California Attorney General Rob Bonta. The remaining businesses were still in the 30-day period or under investigation.
Last month, Bonta announced an investigation of business loyalty programs that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information. He found businesses failed to notify consumers how they’re using the information for the financial benefit of the business, as required by the law.
“We may not always realize it, but these brick and mortar stores are collecting our data – and they’re finding new ways to profit from it,” he said.
Last year Democratic Colorado Gov. Jared Polis signed a similar bill giving people the right to access and delete personal information. Colorado’s law, which also enables people to opt out of having their data tracked, profiled and sold, takes effect in 2023.
The Massachusetts bill must still be approved by the House and Senate and signed by Republican Gov. Charlie Baker before becoming law.