WeVote

Bill

Bill

S 29

Relates to the reporting of lyme and tick-borne disease infection after death

2025 Regular Session Introduced by Pete Harckham and 3 co-sponsors

Establishes a statewide framework (Chapter 93M) to govern collection, use, and transfer of Massachusetts residents’ personal data with defined thresholds, protections, and consent

REFERRED TO HEALTH
0
WeVote Research Nonpartisan
Bill Summary · S 29

Summary — S.29 (2025) — "An Act to establish the Massachusetts Data Privacy Protection Act"

Important note on sources and metadata
- The bill text excerpt provided is titled "An Act to establish the Massachusetts Data Privacy Act" (creates Chapter 93M of the Massachusetts General Laws). Other supplied metadata (title about Lyme disease; a list of U.S. Senate sponsors) appears inconsistent with the Massachusetts bill text. This summary is based on the Massachusetts bill text excerpt (Chapter 93M) and the legislative action timeline provided.

Overview / Purpose
- S.29 proposes a Massachusetts Data Privacy Protection Act (new Chapter 93M). Its primary purpose is to establish a statewide framework for the collection, use, and transfer of consumers’ personal data (“covered data”), define required legal concepts (consent, biometric data, dark patterns, data broker, covered entity), and set thresholds and exemptions for entities subject to the law.

Key definitions and thresholds (specifics from the text excerpt)
- “Covered data”: information (including derived data, inferences, persistent identifiers) that identifies or is reasonably linkable to an individual or their device; excludes de‑identified data and publicly available information.
- “Covered entity”: any non‑individual determining purposes/means of data processing. Exclusions include government agencies and entities meeting all three conditions over the prior 3 years:
- Average annual gross revenues ≤ $20,000,000; and
- On average, did not annually collect/process covered data of more than 25,000 individuals (with limited exceptions for payment-related processing that is deleted within 90 days); and
- No component of revenue comes from transferring covered data.
- “Covered high‑impact social media company”: platform with ≥ $3,000,000,000 annual revenue, ≥ 300,000,000 monthly active users for at least 3 of the prior 12 months, and primarily used to access/share user‑generated content.
- “Biometric data”: data derived from processing unique biological/physiological characteristics (e.g., fingerprints, iris scans, voiceprints), with certain narrow exclusions (e.g., ordinary photos or recordings not used to identify an individual).
- “Consent”: requires a clear, affirmative, freely given, specific, informed, and unambiguous action; the bill explicitly disallows consent by broad terms of use, passive interactions, or agreements produced via dark patterns or deceptive design.
- “Dark pattern or deceptive design”: defined as user interfaces intended or having the substantial effect of impairing reasonable individual decision‑making.

What the bill would do (based on excerpt)
- Create statutory definitions and structure for a statewide privacy law (Chapter 93M) to govern data collection and processing.
- Set numeric thresholds to determine which entities are regulated and to identify particularly large social media companies subject to stricter rules.
- Establish standards for valid consent and prohibit deceptive design practices that undermine informed consent.
- Define sensitive categories (e.g., biometric data) and limit uses/processing of such data.

Who would be affected
- Businesses and organizations that collect, process, or transfer covered data of Massachusetts residents—subject to revenue/volume exemptions.
- Large platforms meeting the “covered high‑impact social media company” thresholds would be specifically identified for heightened attention.
- Consumers in Massachusetts, who would gain legal clarity on consent standards and protections against dark patterns and certain biometric uses.

Legislative status and timeline (selected)
- Introduced in Massachusetts Senate: 2025‑01‑07.
- Referred to committee (Advanced Information Technology, the Internet and Cybersecurity / Health) and advanced through readings.
- Passed Senate: 2025‑02‑24; delivered to the Assembly and referred to Health (multiple entries indicate committee referrals and scheduling).
- Hearing scheduled (per record): 2025‑04‑09, 1:00–5:00 PM.
- The excerpt is only the start of a longer bill (64 pages in the version header); full provisions (consumer rights, enforcement mechanisms, penalties, private right of action, preemption, effective dates, rulemaking authority) are not included in the excerpt reviewed here.

Implications and next steps
- If enacted, S.29 would align Massachusetts more closely with other state privacy laws by setting statewide definitions, thresholds, and consumer protections; however, the full operational impact depends on later sections (rights, enforcement, exemptions, compliance timelines).
- Review the complete bill text (full Chapter 93M) and amendments (including any S.2516 draft referenced) for provisions on consumer rights (access, deletion, portability, opt‑out), security duties, regulatory enforcement, penalties, and implementation timelines.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.