Relates to a refugee resettlement program
Massachusetts Data Privacy Act establishes a comprehensive framework requiring affirmative consent, strict data-use rules, contextual advertising limits, and robust authentication
Massachusetts Data Privacy Act establishes a comprehensive framework requiring affirmative consent, strict data-use rules, contextual advertising limits, and robust authentication
Status: Referred to Governmental Operations (see “Procedural notes” below)
Introduced/Filing date (per available text): May 9–12, 2025; Legislative actions show activity through Sept. 2025.
Note: The provided bill metadata contains inconsistent titles and dates (references to a “TEACH Act” and a refugee resettlement title). The actual bill text excerpt inserted into S.2516 is an omnibus Massachusetts data privacy measure titled the “Massachusetts Data Privacy Act” (new Chapter 93M). Verify the official legislative website for the definitive version and status.
Purpose
- Establish a comprehensive state data-privacy framework for residents and persons present in Massachusetts by defining key terms, setting consent standards, and regulating certain processing and advertising practices.
Key provisions (from the provided excerpt)
- Creation of Chapter 93M, “Massachusetts Data Privacy Act,” with detailed definitions and baseline rules.
- Definitions: precise statutory definitions for terms such as “affiliate,” “controller,” “consumer,” “biometric data,” “closed-loop referral system (CLRS),” “collect,” “contextual advertising,” and others. Notable specifics:
- “Affiliate” includes entities with >50% ownership or equivalent control.
- “Biometric data” covers automated measurements (fingerprint, voiceprint, gait, iris), but explicitly excludes ordinary photographs or audio/video unless processed to identify an individual.
- “Closed-Loop Referral System (CLRS)” defined for social care referral platforms that store and share social-care information and track referral activity.
- Strong affirmative consent standard: “Affirmative Consent” must be a clear, freely given, specific, informed, revocable authorization provided in a clear, stand‑alone disclosure prior to processing. Requirements include:
- Clear description of processing purpose and categories of personal data;
- Distinguishment between necessary processing and other purposes;
- Accessibility for disabled users and availability in each language the product/service is offered;
- Refusal option must be at least as prominent and no harder to select than acceptance; and
- Consent cannot be inferred from inaction or continued use; consent obtained via dark patterns, misleading statements, or buried in broad terms is invalid.
- Contextual advertising carve-out: controllers may show contextual ads that do not vary by recipient identity. Allowed limited data uses include device technical specs, approximate location (radius no smaller than 10 miles or area representing at least ~5,000 users — precise geolocation disallowed), and language preference — provided no profiling or identity inference occurs.
- Authentication requirement: controllers must “authenticate” requests to exercise consumer rights using reasonable means.
Who would be affected
- Consumers: individuals who reside in or are present in Massachusetts (protected by the statute).
- Businesses/controllers: entities that determine purposes and means of personal data processing and offer products/services to Massachusetts residents.
- Advertisers, ad technology firms, data brokers, social-care platforms (esp. CLRS), and entities handling biometric or sensitive data.
- Regulated entities under HIPAA and COPPA — several definitions reference HIPAA/COPPA to coordinate applicability or carve-outs.
Procedural status & timeline (from provided actions)
- Multiple committee referrals and actions listed (Advanced IT committee report, Social Services, Judiciary, Governmental Operations). Records show the bill was printed as 2516A, reported favorably by committee, ordered to third reading, passed the Senate (June 13, 2025 entries), and subsequently the Assembly received/delivered copies. Later entries show a committee recommendation with amendment and substitution by a new draft (S2608) on Sept. 18–25, 2025.
- Given conflicting metadata and duplicated entries, consult the official Massachusetts legislature site for the current enrolled text and status.
Potential impacts and considerations
- Would impose stricter consent and transparency obligations on businesses serving Massachusetts residents, likely increasing compliance costs (privacy notices, consent flows, localization, accessibility, authentication mechanisms).
- Limits on targeted/identity-based advertising could affect ad revenues and ad-tech practices; offers a clear path for contextual ads.
- Interplay with federal laws (HIPAA, COPPA) is explicitly referenced; full enforcement mechanisms, private right of action, and penalties are not included in the excerpt — review full text to assess enforcement and exemptions.
- Special provisions for social-care CLRS suggest regulation of data-sharing platforms used by social service providers.
Recommendation
- Review the complete bill text (full Chapter 93M) and the most recent substituted draft (S2608) on the Massachusetts legislative website to confirm enforcement provisions, timelines for compliance, and any amendments adopted.
Compiled from official sources — confirm details with the bill’s official record.
Sign in to ask a question.