Digital Policy Alert logo

United States of America: Introduction of Massachusetts bill including data protection measures

Policy overview

Description

Introduction of Massachusetts bill including data protection measures

House Docket 2664 is introduced in the Massachusetts House of Representatives, aiming to establish the "Massachusetts information privacy act". The Bill regulates any business that processes personal data with at least 10 million dollars of annual revenue or that yearly processes the personal information of at least 10'000 individuals. The Bill introduces the rights of data access, correction, portability, and deletion. Moreover, the Bill requires obtaining the consent of consumers before collecting and processing their personal data and limits the processing practices as concerns biometric and location data. Finally, the Act establishes the "Massachusetts information privacy commission", which has the power to conduct investigations, conduct adjudicatory proceedings, promulgate regulations regarding the subjects of the Act and refer cases for prosecution to the federal or local authorities.

Original source

Scope

Policy Area
Data governance
Policy Instrument
Data protection regulation
Regulated Economic Activity
cross-cutting, cross-cutting, cross-cutting
Implementation Level
subnational
Government Branch
legislature
Government Body
parliament

Complete timeline of this policy change

Hide details
2021-02-18
under deliberation

House Docket 2664 is introduced in the Massachusetts House of Representatives, aiming to establish …

Key regulatory dimensions

Regulated subjects

The businesses, government agencies or individuals affected by this policy or regulatory change.
producer / supplier
1
Type Private organisation
Economic activity cross-cutting
Category All

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.
personal data (all forms): storage (any form)
Regulatory tool
Creation of enforcement authority
Private right of action
Sanctions
Civil penalty
Regulated subjects
1
personal data (all forms): data processing
Regulatory tool
Creation of enforcement authority
User consent: Opt-in requirement
Private right of action
Sanctions
Civil penalty
Regulated subjects
1
personal data (all forms): data collection
Regulatory tool
Creation of enforcement authority
User consent: Opt-in requirement
Private right of action
Sanctions
Civil penalty
Regulated subjects
1
personal data (all forms): transfer (any destination)
Regulatory tool
Creation of enforcement authority
Private right of action
Sanctions
Civil penalty
Regulated subjects
1
personal data: biometric: data processing
Regulatory tool
Creation of enforcement authority
Purpose/processing limitation
User notification requirement
User consent: Opt-in requirement
Private right of action
Sanctions
Civil penalty
Regulated subjects
1
consumer data: location: data processing
Regulatory tool
Creation of enforcement authority
Purpose/processing limitation
User notification requirement
User consent: Opt-in requirement
Private right of action
Sanctions
Civil penalty
Regulated subjects
1

Policy change by business practice

The detailed activities within the scope of this policy or regulatory change.

personal data (all forms): storage (any form)

personal data (all forms): data processing

personal data (all forms): data collection

personal data (all forms): transfer (any destination)

personal data: biometric: data processing

consumer data: location: data processing