WeVote

Bill

Bill

S 33

Voter Registration and Voting

2025-2026 Regular Session Introduced by Larry Grooms

The bill would establish a Massachusetts-wide consumer data privacy framework (Chapter 93M) to govern how controllers process residents’ personal data, including sensitive and biom

Scrivener's error corrected
0
WeVote Research Nonpartisan
Bill Summary · S 33

Summary — S.33 (Senate Docket No. 2520) — "Massachusetts Consumer Privacy Act"

Note: the packet provided contains conflicting metadata. The title at the top references a temporary commission on COVID-19 nursing home deaths, but the full bill text attached (Senate Docket No. 2520 / S.33, filed 1/17/2025) is an act entitled the “Comprehensive Massachusetts Consumer Data Privacy Act” and would add a new Chapter 93M to the General Laws. This summary treats the operative bill text (Chapter 93M) as the subject.

Purpose and intent

S.33 would create a statewide consumer privacy statute — titled the Massachusetts Consumer Privacy Act — by inserting a new Chapter 93M into the General Laws. Its stated purpose (from the available text) is to define key terms and the legal framework that would underpin consumer data protections in Massachusetts, aligning state law with contemporary data-privacy concepts (e.g., biometric data, de‑identification, dark patterns, geofencing, and sensitive health data).

Key provisions (based on available text)

The provided text is the opening portion of the Chapter and focuses on definitions that structure the statute. Key defined concepts include:

  • Core actors and scope

    • “Consumer”: a Massachusetts resident (excludes individuals acting in a commercial/employment role).
    • “Controller”: an entity that determines purposes and means of processing personal data.
    • “Affiliate”, “covered entity”, and “business associate” (HIPAA-aligned).
  • Data categories and sensitive data

    • “Biometric data”: automatic biological measurements used to identify individuals (with certain exclusions).
    • “Consumer Health Data”: personal data used to identify a consumer’s physical or mental health condition, explicitly including gender-affirming and reproductive/sexual health data.
    • “Gender-affirming health data” and related definitions reference existing state law.
  • Privacy concepts and protections

    • “Consent”: requires a clear, affirmative, informed act; excludes consent via dark patterns or buried terms.
    • “Dark pattern”: defined as UI designed to substantially subvert user autonomy; direct reference to FTC usage.
    • “De‑identified data”: criteria for when data is no longer reasonably linkable to an individual, including contractual and public commitments not to re-identify.
    • “Geofence”: defines virtual boundary technologies that detect location.
    • “Decisions that produce legal or similarly significant effects”: examples include lending, housing, employment, healthcare access, etc.
    • Special concerns for minors: “Heightened risk of harm to minors” defined to capture unfair, injurious, or privacy‑intrusive processing.

Who would be affected

  • Controllers and processors operating in Massachusetts that handle personal data of Massachusetts residents would be governed once the full statutory rights and obligations (beyond definitions) are implemented. This likely includes businesses, online services, and possibly some non‑profits or public entities, subject to specific carve-outs that may appear later in the full text.
  • Consumers (Massachusetts residents) would be the beneficiaries of rights (the definitions suggest the statute contemplates consumer rights such as consent, data access/portability, opt‑out, and protections for sensitive categories).
  • Entities subject to HIPAA/COPPA are explicitly referenced; the bill recognizes intersections with existing federal privacy regimes.

Procedural status and timeline

  • Introduced: January 8, 2025 (filed 1/17/2025 as Senate Docket No. 2520).
  • Referred: recorded referrals to committees (Health; Advanced Information Technology, the Internet and Cybersecurity; Homeland Security and Governmental Affairs are listed in the metadata).
  • Hearing: a hearing was scheduled for April 9, 2025 (per the legislative actions list).
  • A new draft accompanied the bill on 2025-05-12 (S.2516), indicating ongoing revision.

Notes, limitations, and discrepancies

  • The provided bill text is truncated and only covers definitions (Section 1). The full bill likely includes substantive consumer rights, controller obligations, enforcement mechanisms, penalties, and exemptions — these are not in the excerpt and therefore are not summarized here.
  • Metadata contains conflicting titles and sponsor lists (including federal senators and multiple entries). The official legislative caption within the text names William J. Driscoll, Jr. as presenter. Users should consult the official legislative docket (Massachusetts Legislature website) for the authoritative bill text, sponsor list, and current status.

If you want, I can:
- Pull and summarize the subsequent sections (consumer rights, controller obligations, enforcement) if you supply the remainder of the text or authorize me to retrieve the official bill file.
- Prepare a short comparison of this draft to other state or federal privacy laws (e.g., CCPA, VCDPA, proposed federal bills).

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.