Massachusetts Bill Follows Latest Privacy Law Standards
Last month, the Massachusetts Senate passed a privacy bill with amendments. In many ways, the Massachusetts Data Privacy Act (MDPA) seems to follow the new wave of US state privacy laws, such as the Maryland Online Data Privacy Act (MODPA), which came into effect on October 1st, although in other ways its provisions are unique. Elements of the law build upon the state laws that have come into effect in 2025 while adding rights and processing limitations.
1. Middle-of-the-road scope
Maryland, Delaware, and New Hampshire’s laws set some of the lowest thresholds for organizations: processing 10,000 consumers’ personal information while deriving 20% of gross revenue from the sale of personal information, or processing 35,000 consumers’ personal information without reaching that 20% of gross revenue. States such as Virginia had set the old standard at 100,000 consumers’ personal information, or 25,000 consumers with 50% of gross revenue from sale.
Massachusetts’ scope is safely in the middle between the old and the new standard while also incorporating a new angle. The bill would apply to organizations processing any amount of reproductive or sexual health data of consumers; 20,000 consumers’ personal data if 30% of the organization’s revenue is from the sale of personal data; or 60,000 consumers’ personal data.
2. New data subject rights specific to profiling
The MA bill would provide Massachusetts consumers with the same rights as most of the existing consumer laws: to confirm processing; obtain a list of third parties; correct personal data; delete personal data; obtain a copy; opt out of sale, targeted advertising, and profiling; and revoke consent.
New rights that the bill provides include rights to question the results of profiling, to be informed of the reason why profiling resulted in the decision made, to be informed about what actions the consumer could have taken to secure a different decision and how to do so in the future, and to review the personal data used for profiling. These align with the proposed regulation out of California on automated decision-making technology, which would require providing an explanation of the profiling process and how profiling is used in decision-making. Both of these proposals may be read as attempts to regulate the use of artificial intelligence.
The list of consumer rights provided in Massachusetts, however, is noticeably missing the right to limit the use and disclosure of sensitive information and the requirement for websites to honor universal opt-out mechanisms, both of which have appeared in most of the laws that have come into effect most recently.
3. Data processing limitations for sensitive data
Instead of providing a right to consumers to limit the use of sensitive data, the Massachusetts bill establishes strict standards for organizations using sensitive data at all. In this way, it follows the precedent set by MODPA, which requires prior opt-in consent for processing sensitive personal data, limits collection and processing to what is strictly necessary or requested by the consumer, and prohibits any other use or collection of sensitive data, especially selling.
The MDPA similarly limits all collection, processing, and transferring of sensitive data to what is strictly necessary or related to a service requested by the consumer. It requires affirmative consent for the transfer of sensitive data. It also specifically prohibits the sale of precise geolocation data separately from the prohibition of selling sensitive data.
As the Massachusetts bill appears fairly standard while restricting processing in relatively new ways, some are already calling it a strong bill that doesn’t place unnecessary burdens on applicable organizations. Massachusetts lawmakers have historically shown a willingness to implement and enforce information security protections and contributed to the drafting of laws such as the Children’s Online Privacy Protection Act, so adding privacy protections for consumers at the state level is no surprise.
Privacy Ref will continue to watch the bill for further amendments and update our products such as the US Law Framework should the bill become law. While we are still waiting on the possibility of a comprehensive federal privacy law, states have stepped up to protect their citizens, and regulations and updates are coming in regularly.