New committee advances data privacy proposal
BOSTON (State House News Service) – A year after its creation, the Joint Committee on Advanced Information Technology, Internet and Cybersecurity released what it says is the first “comprehensive data privacy legislation.” to move forward on Beacon Hill, seeking to give residents better tools to protect themselves and their data online.
If the bill (S 46/H 142, redrafted) that the committee has dubbed the Massachusetts Information Privacy and Security Act (MIPSA) becomes law, Massachusetts will join Colorado, Virginia and California in modernizing the laws on Internet and data privacy to better align with the ubiquitous role the Internet plays in modern life.
Privacy laws have been a popular target for statehouse reforms across the country in recent years. In 2018, comprehensive privacy bills were proposed in two states, but that number has risen to at least 23 in 2021, according to the International Association of Privacy Professionals. The issue has taken on new relevance as society emerges from the COVID-19 pandemic, with things like digital vaccination verification becoming commonplace.
“Online privacy and security issues will only grow in importance, and we need to take proactive steps to ensure new technologies are used responsibly. In the absence of federal action, we can enact meaningful reforms in the Commonwealth and help clear the rules of the road for business,” said Senator Barry Finegold, co-chair of the committee in the Senate. “MIPSA is an important step in the right direction: the bill affirms fundamental privacy principles and develops an adaptable and sustainable regulatory framework.
The bill would give Massachusetts residents the right to opt out of the sale of their personal information and targeted advertising, and create a right to limit how companies can use and share things like location data, data biometrics and racial data, the committee said. . Voluntary consent would be required to sell the personal information of persons 16 years of age or younger.
Residents would also have the right to access, delete, correct or port personal information that companies collect and maintain about them.
At a hearing in October, the committee heard from critics of state-level data privacy bills who said the matter was best left to the federal government. A TechNet official told the committee that “the last thing we really want is a patchwork of 50 different standards that would result in an unequal distribution of rights as well as significant compliance costs.”
Rep. Linda Dean Campbell, House co-chair of the committee, and Finegold both referenced their desire to see Congress act on data and privacy issues, but said the state could and should act between- time.
“The public demands that the government take action to prevent their personal information from being shared without their knowledge and consent. This legislation begins the process of putting laws in place to protect the public,” Campbell said. “There is no doubt that more needs to be done at the state and federal level.”
Companies should provide “clear, easy-to-understand privacy notices that detail how personal information is collected, used and sold, and how residents can exercise their opt-out rights,” the committee said. The bill would also require companies to minimize the amount of personal information collected and retained by requiring that such information be processed only for one of five qualifying reasons.
Many requirements of the Enterprise Bill would only apply if an entity has worldwide revenue of at least $25 million per year, processes the personal information of at least 100,000 Massachusetts residents, or is a data broker that collects and sells sensitive or personal information of at least less than 10,000 Bay State residents. The committee said the bill’s requirements are meant to be tailored “to the size, scope and conduct of a business to minimize operational impacts on small businesses.”
As the committee wrote, MIPSA would be enshrined in general statutes as Chapter 93M and the attorney general’s office would be granted investigative, regulatory, and enforcement powers. The committee said the AG Office’s Data Privacy and Security Division “would be better equipped to ensure that companies respect residents’ right to privacy and adhere to the fundamental privacy principles enshrined in the chapter 93M”.
The committee said its MIPSA legislation was accompanied by a Data Privacy Bill (H 136) introduced by Rep. David Rogers, a Data Broker Registration Bill (S 50) tabled by Finegold and a Biometrics Bill (S 220) tabled by Senator Mark. Montigny. The committee voted 12-0 with five members not weighing in to move MIPSA forward.
Last week, the committee also released reports supporting revised legislation (S 60/H 119) to establish a commission on the use of automated decision-making technology by Massachusetts government agencies and a proposed law (H 126) creating a commission on blockchain technology. and cryptocurrency.
“Both of these technologies are advancing at a rapid pace, and the committee looks forward to hearing from more experts in these areas,” the committee wrote in a press release. “Going forward, the committee will remain focused on advancing legislation regarding data use, data privacy and data security in the public and private sectors.”
Joint committee bill endorsements send those proposals with favorable recommendations, but bills must authorize other committees, and both branches of the Legislative Assembly, to be forwarded to Governor Charlie Baker. Branch chiefs, who wield great control over the legislative agenda, have so far not mentioned the data privacy bill among their top priorities.