Massachusetts Legislature Advances Data-Privacy Bill


The Massachusetts Statehouse in Boston. The Mipsa bill passed a bipartisan vote with no objections from the state legislature’s joint committee.

Massachusetts is a step closer to becoming the next U.S. state to bring in strict consumer-privacy laws after its legislature advanced a bill lawmakers hope could serve as a model for future federal legislation.

The Massachusetts Information Privacy and Security Act, or Mipsa, sets out registration requirements for data brokers, includes opt-outs for residents on data collection and consent for data to be sold, and gives the attorney general’s office the power to investigate complaints and fine organizations that breach the rules.

The law passed a bipartisan vote with no objections from the state legislature’s Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on Feb. 1. Mipsa now moves to full readings in the state legislature.

It is the latest development in a string of privacy bills from state legislatures in recent years that seek to consolidate a patchwork of individual privacy rules in the absence of a federal bill. Some states, including California, Colorado and Virginia, have passed laws, but other efforts in states such as Washington have failed to gain purchase.

Massachusetts state Sen. Barry Finegold, a Democrat representing Andover who co-chairs the committee, said that Mipsa draws inspiration from other states’ laws. Elements of the bill are also designed to work with those laws, for instance, on areas such as opting out of data collection by websites, which previously would have only applied to California residents.

The bill also looks further afield at foreign rules, such as the European Union’s General Data Protection Regulation. Several principles for data processing, for instance, align either directly or in spirit with the GDPR, permitting companies to only collect information for specific purposes and proportionately to that need.

“We hope this could be a model where, if there ever is federal legislation, that they could adopt something like this,” Mr. Finegold said.

Mipsa also contains provisions for a limited private right of action, which has proved controversial in other states’ efforts to pass privacy laws amid fears that companies could be bombarded with lawsuits. Individuals will be able to sue data brokers, companies with more than $25 million in annual revenue or those that process the information of 100,000 or more residents, for damages of up to $500 per person or actual damages, whichever is the greater number.

However, companies can escape damages if they demonstrate compliance with accepted cybersecurity standards, such as those produced by the U.S. Commerce Department’s National Institute of Standards and Technology, or don’t have a history of data breaches.

“We want to give people the opportunity to cure this. So if you make a mistake, once is understandable, but if you make it twice, then you know there is going to be a consequence to it,” Mr. Finegold said.

The joint committee worked with business groups to balance the law with concerns from companies, he said, particularly in areas such as the private right of action. The committee also consulted privacy advocates, including the American Civil Liberties Union, on how to strengthen protections while still allowing apps such as maps to function without being invasive.

“Overall, we believe that this bill includes good and reasonable provisions, especially compared with some other bills that are being filed across the country, but it remains a work in progress,” said Carol Rose, executive director of the ACLU’s Massachusetts branch.

Ms. Rose warned against placing the burden of data protection on individual residents to opt out of data-collection practices under Mipsa.

“A 21st-century data-privacy law should provide baseline protections for data privacy as a rule, not an exception,” she said, “rather than putting the burden on ordinary people to individually protect their data, website by website, app by app.”

Mr. Finegold’s committee, formed in 2021, is looking at other areas where it might consider action on cybersecurity issues, he said, such as rules on reporting cybersecurity incidents, which have stalled on a federal level.

“This is mile one,” he said. “We have the metaverse coming, we have a lot of other things coming, and what we really wanted to do is lay a good foundation.”