Security Experts:

Connect with us

Hi, what are you looking for?



Massachusetts Lawmakers Weighing Online Data Privacy Bill

A bill that would grant Massachusetts residents what supporters describe as fundamental internet privacy rights — including greater control over their personal information — is making its way through the Statehouse.

A bill that would grant Massachusetts residents what supporters describe as fundamental internet privacy rights — including greater control over their personal information — is making its way through the Statehouse.

The bill, which would set standards for how companies can collect and sell personal information, was unanimously approved by the Legislature’s Committee on Advanced Information Technology this week.

Supporters say the bill builds on similar efforts in Colorado, Virginia, and California and would help modernize Massachusetts’ laws for the digital age. Critics warn a state-by-state patchwork of regulations could unfairly burden businesses trying to comply with the laws.

“Online privacy and security issues are only going to get more important,” said Democratic state Sen. Barry Finegold, Senate chair of the committee. “In the absence of federal action, we can enact meaningful reforms in the commonwealth and help clarify the rules of the road for businesses.”

An Associated Press poll last year found most Americans don’t believe their personal information is secure online.

One change the bill would make would be to let Massachusetts residents opt out of the sale of personal information.

[ ReadState vs. Federal Privacy Laws: The Battle for Consumer Data Protection ]

The bill would require companies obtain consent for most sales of sensitive information — such as geolocation, biometric or racial data — and when selling the personal information of children under 16.

It would also give internet users the right to delete and correct the personal information a company maintains about them.

Under the proposed law, companies would be required to provide easy-to-understand privacy notices that specify how personal information is being collected and sold and how residents can opt out. Businesses would have to conduct regular risk assessments for high-risk practices such as the sale of personal information and minimize the amount of personal information collected and retained.

The legislation would also allow the attorney general’s office to impose penalties of up to $7,500 per violation, ensure the state’s privacy laws adapt with the times and require those who buy and sell internet data register with the attorney general’s office.

Setting rules for the internet on a state-by-state basis makes little sense according to Chris Gilrein of TechNet, a technology industry group.

“It’s not the internet of Massachusetts or the internet of New Hampshire or Connecticut. Ultimately, a federal privacy law is the only way to end the costly patchwork of state laws,” Gilrein said in a statement. “A federal law would give consumers assurances their data is protected no matter where they live while offering businesses, especially small businesses, certainty about their responsibilities.”

In the absence of a federal standard, businesses will face an expensive task of trying to comply with each new state law, Gilrein said.

Supporters said the Massachusetts bill would help the attorney general’s office ensure that the enforcement of the law aligns with similar laws in other states while protecting small businesses and minimizing excessive burdens to comply with the law.

“The public is demanding that government act to protect their personal information from being shared without their knowledge and consent,” said Democratic Rep. Linda Dean Campbell, the House chair of the committee.

A handful of other states have passed data privacy laws.

The California Consumer Privacy Act of 2018 also aimed to give individuals more control over personal information collected by businesses including the right to know what information is being collected and how it is used, the right to delete personal information and the right to opt-out of the sale of their personal information.

The California Department of Justice began notifying businesses found not in compliance with the data privacy law in July 2020.

In its first year of enforcement, 75% of businesses acted to come into compliance within 30 days, as required by the law, according to California Attorney General Rob Bonta. The remaining businesses were still in the 30-day period or under investigation.

Last month, Bonta announced an investigation of business loyalty programs that offer financial incentives, such as discounts, free items, or other rewards, in exchange for personal information. He found businesses failed to notify consumers how they’re using the information for the financial benefit of the business, as required by the law.

“We may not always realize it, but these brick and mortar stores are collecting our data – and they’re finding new ways to profit from it,” he said.

Last year Democratic Colorado Gov. Jared Polis signed a similar bill giving people the right to access and delete personal information. Colorado’s law, which also enables people to opt out of having their data tracked, profiled and sold, takes effect in 2023.

The Massachusetts bill must still be approved by the House and Senate and signed by Republican Gov. Charlie Baker before becoming law.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Application Security

Less than a week after patching critical security defects affecting multiple enterprise-facing products, VMware is warning that one of the flaws is being exploited...

Application Security

Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to...