Since Massachusetts becoming a trailblazer among states with the passage of privacy legislation in 2007 and subsequent regulations, Massachusetts’ own privacy laws have been passed by those of other states, most notably California. The proposed Massachusetts Information Privacy and Security Act (“MIPSA”) would bring Massachusetts back to the forefront of state regulation of privacy and data security.
The 65 page long bill would, among other things, give Massachusetts residents the right to opt out of having their personal information sold and having advertising targeted to them, and would create a right to limit how companies can use and share things like location data, biometric data and racial data, the committee said. Opt-in consent would be required to sell the personal information of people 16 or younger. Massachusetts residents would also get the right to access, delete, correct or transport personal information that companies collect and maintain about them.
Many of the bill’s requirements on businesses would apply only if an entity either has global revenue of at least $25 million per year, processes personal information of at least 100,000 Massachusetts residents, or is a data broker that collects and sells sensitive or personal information of at least 10,000 Massachusetts residents. Massachusetts business should not panic, as they will have time to come into compliance: as currently written, the law would not go into effect until 18 months after its passage.
And the bill is far from becoming law: it still needs to clear additional committees, and both branches of the Legislature, and then be signed by Governor Baker. But after many years of moving back in the pack, it looks like Massachusetts is trying to regain its place as leader in privacy and security regulation.