Mass. Senate Could Soon Pass Maryland-Like Comprehensive Privacy Bill
Even without a private right of action, a Massachusetts comprehensive privacy bill nearing a Senate floor vote could still be the strongest of about 20 states with such laws, Electronic Privacy Information Center (EPIC) Deputy Director Caitriona Fitzgerald said in an interview Friday. While legislators previously cut the right for individuals to sue -- limiting enforcement authority to the Massachusetts’ attorney general -- they kept data minimization requirements like those from Maryland’s privacy law.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The updated version (S-2608) of the proposed Massachusetts Data Privacy Act is set to appear on the Senate floor on Sept. 25, said a spokesperson for co-sponsor Sen. Michael Moore (D) on Thursday (see 250918007). The bill cleared the Ways and Means Committee that day and has so far seen more movement than alternative comprehensive privacy bills in the state this year (see 2505130041). However, there’s still a lot of time left, as the state’s two-year legislative session doesn’t end until July 31, 2026.
Jordan Francis, policy counsel for the Future of Privacy Forum, noted in an email that the new “draft is now much closer to the Maryland Online Data Privacy Act (MODPA), whereas before it was modeled on the American Data Privacy & Protection Act (ADPPA), a 2022 federal bill.”
Fitzgerald commended the Massachusetts Senate for “combining the best consumer protections from privacy laws already passed in other states” and making its bill “one of the strongest -- if not the strongest -- in the country, while … avoiding new compliance obligations for businesses.” The EPIC official said she is “really optimistic” about Senate passage Thursday.
“Most importantly, [S-2608] places really strong protections on sensitive data,” including Maryland-like requirements banning the sale of sensitive data and saying that companies may only collect and process data if it’s “strictly necessary,” said Fitzgerald.
One change is that the data minimization restriction for non-sensitive data now only applies to data collection, whereas the previous version also covered processing, noted Fitzgerald. It means that “as long as you have a reasonably necessary reason to collect it, then you can process it for whatever purposes you put in your privacy policies,” she said. Covering processing in addition to collection would be a stronger policy, said the consumer advocate, but the current version is the same as Maryland’s privacy law, and she understands the need for compromise.
It's always disappointing to lose a PRA, which EPIC sees as “the best way to encourage companies to comply with these laws,” said Fitzgerald. “That being said, Massachusetts [AGs] have a long history of being strong consumer advocates and good on privacy,” so EPIC is hopeful that the proposed law would be strongly enforced. She said the consumer privacy group also appreciates that the legislation would authorize an AG rulemaking to implement the bill, if it’s enacted.
Francis highlighted how S-2608 “includes a broad definition of ‘decisions that produce legal or similarly significant effects concerning the consumer,’ including decisions that result in ‘access to’ the listed goods and services, not just the provision or denial of them.”
Also, “like the ADPPA, the bill requires affirmative consent to ‘transfer’ a consumer's sensitive data” and “the definition of ‘sensitive data’ is broad and includes some uncommon categories (e.g., government-issued identifiers and neural data).”
In addition, the FPF official noted how S-2608 “is significantly slimmed down from the prior draft,” which had additionally included a location shield proposal and data broker registration and deletion rules. “The new draft focuses entirely on comprehensive consumer privacy.”
Those cuts didn’t surprise Fitzgerald, as they trimmed the bill to what other states’ comprehensive privacy laws are like, she said. The legislature could craft a separate data broker bill, while S-2608 still restricts companies from selling location data of Massachusetts residents, she added.
Consumer Reports is pleased to see “such a strong piece of legislation” advance, emailed Matt Schwartz, CR policy analyst. "The bill includes protections, such as the ban on sale of sensitive data and data minimization provisions, from some of the strongest state privacy laws already on the books. At the same time, we know that substantive enforcement mechanisms are necessary to ensure that these protections are complied with in practice, so we are hopeful that some version of the private right of action can be restored to the legislation.”