Massachusetts proposes a new data privacy law

Did you know that in our dear Commonwealth of Massachusetts it is illegal to scare a pigeon and that roosters are not allowed in bakeries? Always the lawyer, I ask: but what about hens? Can they go into bakeries? Delicious fresh bread aside, Massachusetts has some weird laws. Fortunately, they just proposed one that seems to make a lot more sense – a consumer data privacy bill which was filed on January 11, 2019. While this bill is not yet law, so many states are proposing bills that would affect your Privacy Policies that we thought that doing a series on them would be kind of fun (“fun” as defined by a lawyer, so don’t get too excited here). In the absence of a federal law, many states are proposing their own, including New Jersey, New York and Massachusetts. While the viability of a state patchwork of laws versus a comprehensive federal law is a discussion to be left for another day, it is good to see that at least some states are hearing what consumers are putting down, which is a desperate need for privacy in a world where there is very little. So what is this proposed bill all about? Here are some highlights.

  1. The proposed bill actually includes biometric information, which includes an individual’s physiological, biological or behavioral characteristics that can be used to identify someone. Think of iris scans, fingerprint scans, voice recordings, gait patterns and health data. It is interesting to note that the Illinois Biometric Information Privacy Act, which protects similar types of data, has been getting a lot of attention in the courts as of late. I wonder if Massachusetts listened to us folks in Illinois as well when we decided that this information needs to be protected?
  2. A business would be subject to this bill if it:
    1. Is organized or operated for a profit;
    2. Collects the personal information of Massachusetts consumers; and
    3. Has annual gross revenues in excess of $10,000,000 or derives 50% or more of its annual revenues from third party disclosure of the personal information of consumers.
  3. A “consumer” is defined as a natural person (real person like you or me, not a company) who resides in Massachusetts.
  4. It defines personal information as any information relating to an identified or identifiable consumer. This means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or that consumer’s device.
  5. It has quite a few notice requirements that must be met at or before the point of collection, which are as follows:
    1. The categories of personal information that you will collect about that consumer;
    2. The business purposes for which the categories of personal information will be used;
    3. The categories of third parties to whom the information will be disclosed;
    4. The business purpose for the third party disclosure; and
    5. A list of consumer rights.
  6. Under the bill, the consumer has a few rights such as the right to request a copy of the consumer’s personal information, the right to request the deletion of the consumer’s information and the right to request opt-out of third party disclosure. While these rights are pretty watered down from what the EU’s General Data Protection Regulation offers, it is clear that the legislature is attempting to get closer to the European standard for privacy, which is a good start.
  7. The bill also provides for some requirements for your Privacy Policy. You probably don’t even need to read this part because we got you. For your reading pleasure only, your Privacy Policy would have to include the following:
    1. The categories of personal information you collect about consumers;
    2. The business purposes for which the information is used;
    3. The categories of third parties to whom you disclose personal information;
    4. The business purpose for the third party disclosure; and
    5. A list of the consumer’s rights.
  8. Under this bill, you would be required to train all individuals responsible for handling consumer inquiries about your business’s privacy practices or your compliance with this bill. Training would have to include the requirements of the bill and how to direct consumers to exercise their rights.
  9. The bill would require you to provide a clear and conspicuous link on the home page of your website titled “Do Not Share My Personal Information.” This link would direct to a page that enables a consumer to opt-out of the third party disclosure of their information. You cannot ask the consumer to create an account to exercise this right.
  10. Lastly, a business cannot discriminate against a consumer because the consumer exercised any of their rights. This section prohibits acts such as:
    1. Denying goods or services to the consumer;
    2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
    3. Providing a different level or quality of goods or services to the consumer; or
    4. Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
  11. Finally, the bill would allow individuals to sue, and damages would include an amount not more than $750 per consumer per incident or actual damages, whichever is greater, plus cheap ol’ things such as attorney’s fees and any other damages the court wants to impose. This could lead to some hefty fines in a class action.

That’s about the gist of it. We will keep you updated with whether or not this bill actually becomes a law and will update your Privacy Policy in the case that it does. We will also keep you updated with laws that other states propose and, if we may dream, maybe there’s even a federal law on the horizon. My hens and I are now driving over to Massachusetts to see if we can get into a bakery.

 

February 15th, 2019 | New Law
