WeVote

Bill

Bill

S 301

Chuck Bryant

2025-2026 Regular Session Introduced by Sean Bennett and 3 co-sponsors

Establishes a comprehensive Massachusetts data privacy law (Chapter 93M) governing collection, processing, sale, de-identification, and protection of personal data.

Introduced and adopted
0
WeVote Research Nonpartisan
Bill Summary · S 301

Summary — S.301 (Massachusetts Information Privacy and Security Act)

Note on materials provided
- The materials you supplied contain conflicting metadata. At the top S.301 is described as “Provides a religious exemption for the requirement to have a photograph taken for a driver's license or learner's permit.” However, the full bill text attached (Senate Docket No. 2355 / S.301, filed 1/17/2025) is titled “An Act advancing the economic development of the commonwealth through comprehensive data privacy” and would establish the “Massachusetts Information Privacy and Security Act” (new chapter 93M). This summary describes the actual bill text in the docketed S.301 (chapter 93M). Where procedural metadata conflicts (sponsors, committees), those inconsistencies are noted below.

Purpose and intent
- Establish a comprehensive state data-privacy and security law (the “Massachusetts Information Privacy and Security Act”) to govern collection, processing, sale, de‑identification, and protection of personal information and to promote economic development by providing clearer privacy rules for businesses and stronger privacy rights for residents.

Key provisions (based on available text)
- Codification: Creates new Chapter 93M in the Massachusetts General Laws titled the “Massachusetts Information Privacy and Security Act.”
- Definitions: Provides detailed statutory definitions for core concepts including:
- “Affiliate,” “Controller,” “Covered entity,” “Business associate,” “Child” (under 13), and “Data broker.”
- “Biometric information” with explicit exclusions (digital/physical photographs, audio/video recordings, and derivatives that are not used for identification).
- “Consent” defined as a clear, affirmative, informed and unambiguous act; expressly excludes acceptance via broad terms of use, passive UI actions (hovering, pausing), or consent obtained via dark patterns or misleading statements.
- “Dark pattern” defined as user-interface design intended to subvert reasonable decision-making.
- “De-identified information” and “De-identification” with specific technical, organizational and contractual safeguards (including no re-identification, public commitment to de-identify, and contractual obligations for recipients).
- “Data broker” thresholds and carve-outs (e.g., thresholds for number of individuals and revenue share, and certain directory/public-information activities excluded).
- Request mechanisms: Establishes “designated methods” for individuals to submit privacy requests (mail, email, web portal, phone, etc.) — text truncated but indicates rights/processing mechanisms are included.
- Scope and exclusions: The definitions indicate attention to healthcare-covered entities (references to 45 C.F.R. 160.103) and carve-outs for specific services (directory assistance, business-related public info).

Who would be affected
- Residents of Massachusetts (individual privacy rights and protections).
- Entities that collect/process personal information: controllers, processors, data brokers, affiliates, and recipients of de-identified data.
- Certain regulated sectors (healthcare covered entities/business associates) are referenced for scope/exclusion considerations.
- Businesses that use biometric data, sell data, or rely on consumer data practices would face compliance obligations.

Procedural status and timeline (from provided actions)
- Filed in Senate / Docketed: 1/17/2025 (Senate Docket No. 2355; bill No. 301).
- Introduced in Senate: 1/29/2025.
- Referred to Committee on Economic Development and Emerging Technologies (2/27/2025) per the bill text cover sheet.
- Additional procedural entries provided are inconsistent (also list Referral to Transportation and to Armed Services), and sponsors listed in metadata differ from the bill’s presenter (Barry R. Finegold is listed in the docket). Please verify with the official legislative clerk for the authoritative referral and sponsors.
- Hearing (per actions): scheduled/rescheduled for 11/13/2025 (hybrid/virtual noted).

Potential impacts and considerations
- Creates a comprehensive regulatory framework likely to impose compliance costs (policy, technical, contractual) on businesses that collect or sell personal data, while providing clearer consumer rights.
- Data broker thresholds and de-identification requirements could materially affect companies whose business model is the sale/aggregation of personal information.
- The law’s detailed consent and anti–dark-pattern provisions may change digital UI/consent practices.
- The bill frames privacy as an economic-development tool; implementation details (enforcement, penalties, preemption vs. sectoral laws) will determine practical impact—those sections were not included in the excerpt provided.

If you want, I can:
- Pull and summarize additional sections if you can provide the remainder of the bill text (enforcement, consumer rights, exemptions, penalties, effective dates).
- Verify sponsors/committee referrals and produce an updated procedural timeline from the official legislature site.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.