Three Data Privacy Bills Introduced in Massachusetts Statehouse

Three Data Privacy Bills Introduced in Massachusetts Statehouse
<span class="bsf-rt-reading-time"><span class="bsf-rt-display-label" prefix="Reading Time"></span> <span class="bsf-rt-display-time" reading_time="2"></span> <span class="bsf-rt-display-postfix" postfix="mins"></span></span><!-- .bsf-rt-reading-time -->

Three competing consumer privacy bills are making their way through the Massachusetts State House, the Massachusetts Data Privacy Protection Act (MDPPA), the Massachusetts Information Privacy and Security Act (MISPA), and the Internet Bill of Rights, which were introduced earlier last month.

While MIPSA was first introduced during last year's session, MDPPA is a brand new bill that includes a right to action/data civil rights based on the American Data Privacy Protection act, which was introduced last year at the federal level.

The law, if passed, will apply to companies that meet the following prerequisites:

  1. Average annual gross revenues during the preceding three calendar years exceeded $20 million; or
  2. Collected or processed an annual average of more than 75,000 individuals' covered data during the preceding three calendar years;
  3. Part of revenue derived from transferring data.

According to JDSupra, the bill will codify a consumer's right to: "access data collected, processed or transferred, right to access information about third parties to which the covered entity transferred personal data, the right to correct inaccurate personal data, the right to delete personal data, the right to obtain personal data in a portable format; the right to opt-out of covered data transfers; and the right to opt-out of targeted advertising."

MIPSA also includes language giving consumers some of these same rights to action.

Other parts of MDPPA include the prohibition of targeted advertising to minors and data broker registration.

The Internet Bill of Rights is more akin to the General Data Protection Regulation (GDPR), Europe's privacy law.

It should be noted that MIPSA also includes language reminiscent of the GDPR, explicitly allowing entities to process data only if there is a "lawful basis," which could come in the form of consent or a contract.

If any of the three are passed through the State House and signed into law, they would be one of the most comprehensive data privacy laws at the state level in the country.

Throughout this year we will bring you more information about all three bills to see how they compare and differ.