WeVote

Bill

Bill

S 36

Polling Locations

2025-2026 Regular Session Introduced by Chip Campsen

Massachusetts bills private biometric tech: strict informed consent, anti-abuse safeguards, data security with encryption, and consumer protections for biometric data.

Referred to Subcommittee: Campsen (ch), Johnson, Kimbrell, Devine, Blackmon, Sutton, Zell
0
WeVote Research Nonpartisan
Bill Summary · S 36

Summary — S.36 (Draft / Chapter 110I): Regulation of Biometric Recognition Technology

Note on source material: the bill package includes conflicting metadata (an initial title referencing labeling of mifepristone/misoprostol) but the bill text introduced by Senator Dylan A. Fernandes and printed as Senate No. 36 adds a new Chapter 110I concerning biometric recognition technology. This summary is based on the chapter text provided. Because portions of the text are truncated and some legislative metadata appear inconsistent, readers should consult the enrolled statute or the legislature’s official website for the final, authoritative language.

Main purpose

To create statutory rules and accountability for private-sector use of biometric recognition technology and biometric data, define unlawful or abusive practices, and establish standards for informed consent, data handling, and consumer protections.

Key provisions (as appears in the text)

  • Adds a new Chapter 110I to the Massachusetts General Laws titled “Regulation of biometric recognition technology.”
  • Comprehensive definitions:
    • “Biometric data” — measurable biological/behavioral characteristics used for identification (examples: fingerprints, retina/iris patterns, voiceprints, DNA sequences, facial characteristics/geometry, gait, handwriting dynamics, keystroke/mouse movement). Explicitly excludes items such as simple photographs, written signatures, demographic descriptors, certain medical images, and some transplant-related biological materials.
    • “Biometric recognition technology” — technology that analyzes biometric data, assigns unique persistent identifiers, or performs unique personal identification.
    • “Covered entity” — any person or corporate affiliate that collects, stores, or processes biometric data (federal/state/local governments, law enforcement, national security or intelligence agencies are excluded).
    • “Controller,” “end user,” “consent,” “encrypted,” and other technical/privacy terms are defined. Consent must be freely given, specific, informed, and unambiguous; broad terms of use or passive actions (hovering, pausing) do not qualify.
  • Consumer-protection concepts:
    • Defines “abusive trade practice,” “deceptive data practice,” “harmful data practice,” and “unfair data practice” in the biometric context (e.g., interfering with users’ ability to understand terms, taking unreasonable advantage of users’ lack of understanding, or causing financial/physical/reputational harm).
  • Data security standard reference:
    • Encryption is defined by reference to federal standard language (45 C.F.R. §164.312) and may be further specified by the Department of Consumer Affairs and Business Regulation.
  • Exemptions:
    • HIPAA-protected health-care uses, certain medical imaging, and federally regulated organ procurement materials are excluded from the biometric-data definition.

Who is affected

  • Private companies, app developers, vendors, and any non-governmental entities that collect, store, or process biometric data in Massachusetts.
  • Individuals (end users) whose biometric data are collected — stronger consent and transparency rights.
  • Government and law enforcement agencies appear excluded from the “covered entity” definition in the provided text.

Procedural / timeline highlights (from the provided record)

  • Introduced: January 8, 2025.
  • Committee referrals, hearings, and multiple procedural entries are listed; records show passage in both chambers and delivery to the governor with entries dated January–February 2025, including “SIGNED CHAP.7” and “APPROVAL MEMO.1.” Because these records are internally inconsistent and duplicated, verify final enactment status on the legislature’s website or the Secretary of the Commonwealth.

Potential impact and implementation notes

  • Would require businesses to obtain narrow, informed consent for biometric processing, avoid deceptive/abusive practices, and likely adopt stronger data security (encryption) and transparency measures.
  • Companies may need to revise terms of service, consent flows, marketing, and technical safeguards to comply.
  • Exclusion of government and law enforcement from the bill’s coverage narrows its reach to private-sector actors; enforcement provisions and penalties are not included in the excerpt provided and should be reviewed in the full text.

For the definitive requirements, enforcement mechanisms, and any amendments, consult the final enacted chapter text or the official legislative record.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.