WeVote

Bill

Bill

S 187

Prohibits the sale of certain products that contain regulated perfluoroalkyl and polyfluoroalkyl substances; and provides penalties for violations

2025 Regular Session Introduced by Cordell Cleare and 21 co-sponsors

Massachusetts adds biometric indicators to 93H, making biometrics protected data that triggers breach notices and enforcement when exposed.

REFERRED TO CODES
0
WeVote Research Nonpartisan
Bill Summary · S 187

Summary — S.187 (2025) — “An Act relative to protecting biometric information under the security breach law”

Note: The bill packet you provided included an initial title about PFAS-containing products, but the statutory text and docket information pertain to amendments to Massachusetts General Laws chapter 93H (the state security-breach / data-breach law) to add biometric data as a protected category. This summary is based on the actual bill text and actions.

Purpose and intent

To expand Massachusetts’ security breach notification law (G.L. c. 93H) to explicitly define “biometric indicator” and to make biometric indicators a type of personal information that, if compromised in a security breach, triggers the law’s notice and enforcement provisions. The intent is to ensure individuals are notified and relevant protections apply when biometric identifiers are exposed.

Key provisions

  • Adds a new statutory definition of “biometric indicator” to chapter 93H:
    • Defined broadly as “any unique biological attribute or measurement that can be used to authenticate the identity of an individual,” and expressly gives examples including fingerprints, genetic information, iris or retina patterns, voice recognition, facial characteristics, and hand geometry.
  • Amends the enumerated list of protected personal information in section 1 of chapter 93H to include biometric indicators as a distinct category (added as subsection (d)).
  • Otherwise relies on the existing structure, duties, and penalties of chapter 93H — i.e., entities required to provide notice to affected individuals (and state authorities where applicable) when unencrypted or unsecured protected information is acquired or reasonably believed to be acquired by an unauthorized person.

Who would be affected

  • Any person or entity subject to G.L. c. 93H that maintains personal information in the Commonwealth — commonly businesses, state and local agencies, service providers, and other organizations that collect or store consumer data.
  • Individuals whose biometric identifiers are collected, stored, or used by those entities (e.g., customers, employees, students, patients).
  • Sectors likely to see increased compliance obligations include technology vendors that use biometric authentication, healthcare providers and labs (genetic data), employers using fingerprint/timekeeping systems, financial services using biometrics for authentication, educational institutions, and cloud/service providers.

Practical effect and compliance implications

  • Breach notification obligations already in chapter 93H will now explicitly apply when biometric information is involved. That likely increases the number of incidents requiring notification.
  • Entities that collect or store biometric data may need to:
    • Reassess data inventories and identify biometric data holdings;
    • Strengthen technical and organizational safeguards (encryption, access controls, retention limits);
    • Update breach response plans and notification templates to cover biometric indicators;
    • Consider data minimization and legal basis for collecting biometric identifiers.
  • The bill does not create a separate private right of action or new penalties in the text shown; enforcement and penalties would proceed under existing chapter 93H provisions and any applicable consumer-protection statutes.

Legislative status and timeline (as of provided record)

  • Introduced: January 22, 2025 (printed as 187A on January 30, 2025).
  • Referred to committees: Environmental Conservation; Consumer Protection and Professional Licensure; Committee on Finance at various steps.
  • Senate actions:
    • Advanced to third reading (May 1, 2025).
    • Passed Senate and delivered to the House/Assembly (May 21, 2025).
    • Referred to Codes (May 22, 2025).
  • Further hearings scheduled/rescheduled for fall 2025 (hearing initially scheduled Oct 1, 2025; records indicate rescheduling and virtual location changes).
  • Cross-references: similar measures filed in prior sessions (e.g., S.140 of 2023–24) and related/companion measures listed in the docket.

Notes and context

  • The bill’s core change is limited and targeted: a definitional insertion and addition of biometric indicators to the list of protected personal information. It does not, in the text provided, create new substantive privacy rights or express new civil remedies beyond the existing breach-notification framework.
  • Because biometric data is immutable (cannot be reset like a password), regulators and affected parties commonly treat compromises of biometric identifiers as higher-risk — the amendment aligns Massachusetts’ notification law to reflect that policy concern.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.