Date: 2022-02-03

BOSTON (State House News Service) – One year after it was created, the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity this week released what it says is the first “comprehensive data privacy legislation” to advance on Beacon Hill, seeking to give residents better tools to protect themselves and their data online.

If the bill (S 46/H 142, redrafted) that the committee has dubbed the Massachusetts Information Privacy and Security Act (MIPSA) becomes law, Massachusetts would join Colorado, Virginia and California in modernizing internet and data privacy laws to better align with the ubiquitous role the internet plays in modern life.

Privacy laws have been a popular target for reforms at state houses across the country in recent years. In 2018, comprehensive privacy bills were proposed in two states but that number swelled to at least 23 in 2021, according to the International Association of Privacy Professionals. The issue has taken on new relevance as society emerges from the COVID-19 pandemic with things like digital vaccination verification becoming commonplace.

“Online privacy and security issues are only going to get more important, and we need to take proactive measures to ensure new technologies are used responsibly. In the absence of federal action, we can enact meaningful reforms in the Commonwealth and help clarify the rules of the road for businesses,” Sen. Barry Finegold, the Senate co-chair of the committee, said. “MIPSA is an important step in the right direction: the bill affirms foundational privacy principles and develops an adaptable, enduring regulatory framework.”

The bill would give Massachusetts residents the right to opt out of having their personal information sold and having advertising targeted to them, and would create a right to limit how companies can use and share things like location data, biometric data and racial data, the committee said. Opt-in consent would be required to sell the personal information of people 16 or younger.

Residents would also get the right to access, delete, correct or transport personal information that companies collect and maintain about them.

At a hearing in October, the committee heard from critics of state-level data privacy bills who said the issue is best left to the federal government. An official from TechNet told the committee that the “last thing that we really want is a patchwork of 50 different standards that would result in uneven distribution of rights as well as severe compliance costs.”

Rep. Linda Dean Campbell, the committee’s House co-chair, and Finegold both referenced their desire to see Congress act on data and privacy issues, but said the state could and should act in the meantime.

“The public is demanding that government act to protect their personal information from being shared without their knowledge and consent. This legislation begins the process of putting laws in place to protect the public,” Campbell said. “There is no doubt that more needs to be done at both the state and the federal level.”

Businesses would have to provide “clear, easy-to-understand privacy notices that specify how personal information is being collected, used, and sold, and how residents can exercise their rights to opt out,” the committee said. The bill would also direct businesses to minimize the amount of personal information collected and retained by requiring that information only be processed for one of five allowable reasons.

Many of the bill’s requirements on businesses would apply only if an entity either has global revenue of at least $25 million per year, processes personal information of at least 100,000 Massachusetts residents, or is a data broker that collects and sells sensitive or personal information of at least 10,000 Bay State residents. The committee said the bill’s requirements are meant to be tailored “to a company’s size, scope, and conduct in order to minimize operational impacts on small businesses.”

As written by the committee, MIPSA would be enshrined in the General Laws as Chapter 93M and the attorney general’s office would be granted investigatory, regulatory and enforcement authority. The committee said that the AG’s office’s Data Privacy and Security Division “would be further equipped to ensure that companies respect residents’ privacy rights and adhere to the foundational privacy principles enshrined in Chapter 93M.”

The committee said its MIPSA legislation was accompanied by a data privacy bill (H 136) filed by Rep. David Rogers, a data broker registration bill (S 50) filed by Finegold and a biometric data bill (S 220) filed by Sen. Mark Montigny. The committee voted 12-0 with five members not weighing in to advance MIPSA.

Last week, the committee also gave favorable reports to redrafted legislation (S 60/H 119) to establish a commission on the use of automated decision-making technology by Massachusetts government agencies and to a bill (H 126) creating a commission on blockchain technology and cryptocurrency.

“Both of these technologies are moving ahead at a rapid pace, and the committee looks forward to hearing from more experts in these areas,” the committee wrote in a press release. “Going forward, the committee will remain focused on advancing legislation regarding data use, data privacy, and data security in both the public and private sectors.”

Endorsements of bills from joint committees send those proposals along with favorable recommendations but the bills need to clear other committees, and both branches of the Legislature, to make it to Gov. Charlie Baker. Branch leaders, who exercise great control over the legislative agenda, have so far this session not mentioned the data privacy bill as among their top priorities.