Mass. House Privacy Bill Advances With Limited Private Right of Action
Massachusetts took another step toward the possible passage of a comprehensive privacy bill. The House side of the state legislature’s Advanced IT Committee advanced a new version (H-4746) of the proposed Massachusetts Consumer Data Privacy Act on Monday.
The bill differs from a Senate-passed proposal by including a limited private right of action (PRA). Among other noteworthy features, the House bill contains somewhat different language on data minimization and adds a California-like requirement for browsers to support universal opt-out signals.
Consumer privacy advocates praised H-4746 on Tuesday. Caitriona Fitzgerald, Electronic Privacy Information Center deputy director, told Privacy Daily that she hopes “the House takes up the bill very early in the new year.” The chamber’s last formal sessions for 2025 are this week, she noted. Before it hits the floor, the bill still must go through the House Ways and Means Committee, which could amend it, she said.
The fresh bill by the Advanced IT Committee’s House Chair Tricia Farley-Bouvier (D) and many cosponsors replaces several previous proposals for comprehensive bills (H-78, H-80 and H-104), plus narrower privacy measures on location (H-86), biometric (H-96) and neural (H-103) data.
Previously, the Massachusetts Senate voted 40-0 on Sept. 25 to pass that chamber’s version of a comprehensive privacy bill (see 2509250048). Like the House bill, S-2619 is pending before the House Ways and Means Committee.
While earlier drafts of Massachusetts’ privacy legislation would have allowed individuals to sue, neither H-4746 nor S-2619 contains a full PRA. Instead, both assign enforcement authority to the attorney general. However, while the Senate version lacks a PRA, the House bill would provide a limited one that “can be brought against large data holders only,” said Fitzgerald. “However, it is under the [Massachusetts] Consumer Protection statute, so consumers must show a loss of ‘money or property, real or personal,’ which can be extremely difficult in privacy cases.”
The bill’s exact enforcement language says “the attorney general shall have exclusive authority to bring a civil action against any controller or processor other than a controller or processor that is a large data holder that violates this chapter or a regulation adopted under this chapter.”
The House and Senate bills have data-minimization requirements based on Maryland’s privacy law. But there are some notable differences in wording.
For example, under the Senate bill, a controller must “limit the collection of personal data to what is reasonably necessary to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”
H-4746 would expand on that, saying a controller must “limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains, including any routine administrative, operational, or account-servicing activity, such as billing, shipping, delivery, storage, accounting, or sending communications.”
Also, the Senate bill would say that unless controllers get opt-in consent, they may “not process personal data for a purpose that is neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer.”
But the House bill would say controllers may “not process or transfer personal data concerning a consumer in a manner that is inconsistent with the reasonable expectations of the consumer.”
The two bills identically state that controllers may “not collect, process or transfer sensitive data concerning a consumer except when such collection, processing or transfer is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the sensitive data pertains.”
But they diverge once more on what sensitive data may be sold. The Senate bill would broadly state that a controller may “not sell sensitive data.” However, the House bill limits the prohibition to precise geolocation data. As for other types of sensitive data, the controller could sell it if it first obtains “the consumer’s affirmative consent.”
In addition, the House bill would add union membership and status as a veteran or military service member as forms of sensitive data.
Meanwhile, in an apparent nod to California’s recently enacted AB-566 (see 2510080054), H-4746 would require web browsers to “include a setting that enables a consumer to send an opt-out preference signal ... to controllers or processors that the consumer interacts with through the browser.”
Fitzgerald, a consumer advocate, said both approaches to data minimization are “very strong, but the House’s limitation that processing of non-sensitive personal data must be consistent with the reasonable expectations of the consumer is stronger.” On the other hand, “the Senate bans the sale of all sensitive data, so they both have their strengths,” the EPIC official said.
Fitzgerald also said that the House bill has a stronger definition of “affirmative consent” and a narrower exemption for publicly available information. She added that H-4746 has “a strong data security rule that requires companies to delete personal data when it is no longer necessary for the purpose for which it was collected.”
Consumer Reports is “excited to see” H-4746 advance, emailed Matt Schwartz, a policy analyst. “The bill builds on many of the protections included in the Senate version, particularly with its inclusion of a limited private right of action for violations by extremely large businesses.” The consumer advocacy group hopes the bill’s PRA and data-minimization requirements “will be preserved moving forward, as they are critical to ensuring that businesses are held accountable for their use of consumers’ personal information.”