WeVote

Bill

Bill

S 43

SC Public Expression Protection Act

2025-2026 Regular Session Introduced by Chip Campsen

Massachusetts BIPA creates rules for private entities handling biometric data: notice, consent, retention limits, security, and restricted disclosure; with a private right to sue.

Referred to Committee on Judiciary
0
WeVote Research Nonpartisan
Bill Summary · S 43

Summary — S.43 (2025): Biometric Information Privacy Act (Chapter 93M)

Note: The docket metadata for S.43 includes inconsistencies (a title referencing a “shoreline hardening plan” and a sponsors list that appears to contain federal senators). The bill text attached, however, is a Massachusetts “Biometric Information Privacy Act” (to be enacted as Chapter 93M). This summary focuses on the bill text provided.

Purpose

Establish statewide rules governing the collection, use, retention, disclosure, protection, and destruction of biometric identifiers and biometric information by private entities. The bill aims to protect individuals’ biometric privacy and create a private right of action for violations.

Key definitions

  • Biometric identifier: physiological or biological traits used to identify a person (examples listed: retina/iris scan, fingerprint, voiceprint, gait, hand or face geometry).
  • Biometric information: any information derived from a biometric identifier used to identify an individual.
  • Exclusions: writing samples/signatures, photographs, demographic data, tattoos, ordinary physical descriptions, donated organs/tissues, biological samples used for valid scientific testing/screening, and HIPAA-covered health care treatment/payment/operations data; also excludes many medical imaging modalities used for diagnosis/treatment.
  • Private entity: any individual or organized group (company, association, etc.).
  • Commercial establishment: place of entertainment, retail store, or food/drink establishment.
  • Written consent: informed written consent (electronic consent permitted).

Major requirements and prohibitions

  • Written policy: Private entities must maintain a written retention/destruction policy, publicly available to the subject, that destroys biometric data when the initial purpose is satisfied or within 1 year of the individual’s last interaction (whichever comes first). Data must be destroyed except where a valid court/local/federal order, warrant, or subpoena requires retention.
  • Prior notice & consent: Collection/receipt of biometric identifiers or information is prohibited unless the entity (1) gives written notice that biometric data is being collected, (2) discloses the specific purpose and retention term in writing, and (3) obtains written informed consent from the subject (or authorized representative).
  • No profiteering: Entities may not sell, lease, trade, or otherwise profit from a person’s biometric data.
  • Restrictions on disclosure: Disclosure is allowed only with subject consent, to complete a requested financial transaction, where required by law/ordinance, or pursuant to a valid warrant/subpoena.
  • Security standard: Entities must protect biometric data using the industry’s reasonable standard of care and at least the same protections used for other confidential and sensitive information.
  • Commercial establishments: Prohibited from using biometric identifiers/information to identify customers.

Enforcement & remedies

  • Private right of action: Individuals aggrieved by violations may bring an action under procedures set out in Chapter 93A (Massachusetts consumer protection statute). The bill text (partially truncated) sets a damages floor of at least $5,000 per violation or actual damages, whichever is greater, with provisions for enhanced damages described but truncated in the provided text.

Who is affected

  • Affected: Private entities operating in Massachusetts that collect, store, process, or use biometric identifiers/information (e.g., technology vendors, employers, retailers, app providers). Consumers and customers in Massachusetts are protected.
  • Not (explicitly) affected: Uses and data covered by specified exclusions (certain medical imaging and HIPAA-covered treatment/payment/operations).

Legislative and procedural status (as provided)

  • Introduced in Senate: 2025-01-09; read twice and referred to Committee on the Judiciary (recorded actions are inconsistent across entries).
  • Referred to various committees in the record (Advanced Information Technology, Internet & Cybersecurity; Environmental Conservation; Senate Ways & Means).
  • Hearing scheduled: 2025-04-09 (per record).
  • Reported favorably by committee (as changed) and referred to Senate Ways & Means: 2025-05-12.
  • Accompanied by S.36; replaces SD 2204 and references prior-session bills (S.6741, S.1859, S.4178).

Potential impacts

  • Compliance costs for businesses (policy development, secure storage, consent mechanisms, data-destruction procedures).
  • Increased liability risk (statutory damages per violation).
  • Likely reduction in some consumer-identification biometric uses (especially in retail/commercial settings).
  • Exceptions for law enforcement and health-related legal processes are limited to warrants/subpoenas or statutory requirements; HIPAA-covered health uses are largely excluded.

If you’d like, I can prepare a one-page compliance checklist for businesses affected by this bill or draft a plain-language notice and consent template consistent with its requirements.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.