Mass. Senate Unanimously Passes Privacy Bill With Data Minimization
A company complying with Maryland’s data minimization standard would be in compliance with a similar measure proposed in a Massachusetts comprehensive privacy bill that’s moving quickly toward passage, said Massachusetts Sen. Michael Moore (D) on the floor Thursday. However, Moore also said he’s fine with Massachusetts being an “outlier” among the 20 states with privacy laws.
The Massachusetts Senate voted 40-0 to pass S-2608 after wading through roughly 60 amendments on Thursday. The comprehensive privacy bill will also need approval from the House, though that body is weighing other privacy bills, too. The state’s two-year legislative session doesn’t end until July 31, 2026.
Consumer privacy advocates say that S-2608, featuring a Maryland-like data minimization standard, could be one of the strongest privacy laws in the nation if passed by the full legislature and signed by Democratic Gov. Maura Healey (see 2509190026). That’s despite senators removing a private right of action from a previous draft earlier this month (see 2509180071).
Many of Thursday’s amendments, floated by senators from both sides of the aisle, were rejected or voluntarily withdrawn by their sponsors after caucuses. However, the Senate, in voice votes, adopted a handful of amendments on various subjects, including a location shield to protect out-of-state women coming to Massachusetts for reproductive health care.
“Any company that follows Maryland’s data minimization standard will be in compliance with our standard and vice versa,” Moore said on the floor. Maryland’s law takes effect Oct. 1. The private sector keeps asking for consistency among state privacy laws, said Moore: They’ll have that with the Massachusetts bill if they comply with California and Maryland laws, the senator added.
At the same time, Moore condemned data brokers who he said have “run to the Trump DOJ” asking to preempt Maryland’s and other states’ privacy regulations, including the yet-to-be-passed Massachusetts bill. Multiple groups asked DOJ to intervene in a response to a request for information about state laws that might burden interstate commerce (see 2509220061).
“I know this bill does not follow the industry model pushed through many other states,” and that “the industry has told us that we will be an outlier,” said Moore. “I accept that if it means providing real protections for our constituents.”
Senate Majority Leader Cynthia Creem (D), a co-sponsor, said the “critical legislation positions our commonwealth to have among the strongest frameworks for consumer privacy in the nation and sets a clear standard that personal data belongs to the individual, not the corporation.” S-2608 contains “transparent, accessible and enforceable” consumer rights and “strong data minimization provisions.” Also, it gives broad enforcement authority to the AG. “This law will have teeth, not just promises.”
Creem highlighted that the bill includes carve-outs for small businesses “and focuses compliance obligations on entity processing data at scale.” She also noted exemptions for health care and financial data covered by federal laws. By enacting S-2608, she said, “Massachusetts will affirm your data belongs to you.”
Senate Minority Leader Bruce Tarr said there’s no disagreement about the need to protect data privacy. However, the chamber’s top Republican said Massachusetts should "do it in a way that does not disrupt commerce.” Tarr said this can be done while still offering “a reasonable quantum of protection.”
Senators adopted Tarr’s proposed amendments that allow collected information to be transferred and processed internally by the company that collected it, and to clarify that nothing in the bill would inhibit access to a child’s data by its parent or guardian. But the Senate rejected several other edits proposed by the Republican leader.
Other Senate-adopted amendments included a location shield akin to a previous proposal by Creem (see 2505130041). Also, senators accepted an amendment by Sen. Becca Rausch (D) to add a right to cure for the first six months of the law being in effect. The Senate adopted another Rausch amendment that she said would ensure that data controllers and processors don’t sell sensitive data.
In addition, the Senate agreed to an amendment by Sen. Dylan Fernandes (D) that would require controllers to notify users about a merger or acquisition and allow them to opt out of automatically transferring their personal data to the new owner.
Also, the Senate agreed to more vaguely described amendments related to “affiliates” and “opting out of targeted advertising.”