Massachusetts Introduces Comprehensive Data Privacy Legislation
Earlier this month, the Massachusetts Legislature’s Joint Committee on Advanced Information Technology, the Internet, and Cybersecurity advanced the Massachusetts Information Privacy and Security Act (“MIPSA”) out of committee. If MIPSA passes, Massachusetts would join California, Colorado, and Virginia as states that have enacted state-level data privacy laws in the absence of a comprehensive federal law.
MIPSA applies to businesses operating in Massachusetts that earn $25 million or more in gross global annual revenue, process the personal information of at least 100,000 individuals, or are data brokers that collect and sell the sensitive or personal information of at least 10,000 individuals. Data brokers would be required to register with the Commonwealth. An entity that does not otherwise meet these thresholds may voluntarily certify to the state Attorney General that it is in compliance with MIPSA.
Some of the additional requirements found in MIPSA include:
- Providing privacy notices to customers on how their personal information is used;
- Mandating risk assessments to determine potential exposure to high-risk business practices; and
- Limiting the use of personal information to a specific purpose.
For Massachusetts residents, the bill would provide a right to opt-out of targeted advertising and the sale of an individual’s personal information, allow individuals to have access to and correct personal information, and establish a private right of action for security breaches. The bill also provides for enforcement powers for state agencies and the Attorney General’s Office.
Protected health information under HIPAA is exempt, as are certain data, information, and health records created under HIPAA and Massachusetts state law. Exempt data also includes data collected, processed, or regulated with respect to clinical trials, the Health Care Quality Improvement Act of 1986, the Patient Safety and Quality Improvement Act, FCRA, the Driver’s Privacy Protection Act, FERPA, the Farm Credit Act, GLBA, COPPA, the Massachusetts Health Insurance Connector, and Preferred Provider Arrangements.
MIPSA also exempts personal information collected and processed in the context of an individual acting as a job applicant to, an employee of, or an agent or independent contractor of a controller, processor, or third party, including emergency contact information and information used to administer benefits for another person in relation to the individual. Additionally, information collected and used in the course of an individual acting in a commercial context is exempt.