This post was written by Christopher Escobedo Hart, Partner, Co-Chair, Privacy & Data Security Practice, Foley Hoag.
Get ready: there’s a good chance that comprehensive data privacy legislation is coming to the Commonwealth. If your business is not already compliant with the European Union’s or UK’s General Data Protection Regulation (GDPR), or the California Consumer Privacy Act (CCPA), then you might have some work to do.
Proposals for general data protection legislation are not new to Massachusetts; but, following global and national trends, the current iteration being entertained at the State House (sponsored by the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity) has momentum and a good chance of making it to a floor vote, at least as of this writing.
For those entities that are already GDPR and, to some extent, CCPA compliant, the provisions of the proposed legislation are largely familiar. But for entities that have had the luck or luxury of avoiding the need to comply with such comprehensive laws, the Massachusetts Information Privacy and Security Act (MIPSA) may be something of a shock to the system. As entities doing business in Massachusetts know, while the Commonwealth maintains a robust law concerning data breach notification, and a first-of-its-kind statewide data security regulation, these are ultimately very narrow laws. The data breach law only applies in the event of a data breach; the Massachusetts regulations apply if an entity processes information of a Massachusetts resident, but the information that triggers the regulation is limited to the kind of information likely to lead to identity theft if stolen (such as Social Security numbers and bank account information).
MIPSA is something different, and assuming it applies (there are scope thresholds in the current bill), it will require entities to create comprehensive data governance plans that go far beyond limited security measures and potential breach notification. It also appears more robust than two other recent comprehensive state privacy laws, passed in Virginia and Colorado and coming into effect in 2023.
The following outlines some of what the bill covers and discusses some possible implications.
1. Scope
The bill borrows from both the CCPA and the GDPR in its scope of application. If an entity does business in the Commonwealth, the law will apply even if the entity is not located in the Commonwealth, so long as the entity is offering goods or services to, or monitoring the behavior of, residents of the Commonwealth. However, the law will only apply to such an entity if it has annual global revenues exceeding $25M; determines the processing of the personal information of at least 100,000 individuals; or is a data broker.
While the territorial scope is broad, the law is crafted to exclude smaller entities that might not have the resources to implement comprehensive data governance or compliance protocols.
2. Personal Information
Following an important global trend, the law defines personal information broadly, to include any information that “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual.” This broad definition (which excludes de-identified or publicly available information) is meant to sweep in information that goes far beyond Social Security numbers and bank account numbers, and can include cookies, IP addresses, or purchase orders combined with other information that could lead to a person being identified.
3. Sensitive Information
Also following recent trends, the bill identifies eight categories of personal information as “sensitive,” thus requiring special protection in various circumstances. These eight categories include:
- Racial, ethnic, religious, or citizenship and immigration information;
- Biometric information;
- Mental or physical diagnoses or treatments;
- Sex life or sexual orientation;
- Specific geolocation information;
- Information from a child (defined as a minor under the age of 13);
- Philosophical beliefs and union membership; and
- Social Security number and financial account information.
4. Controllers and Processors
The bill carves the world up into “controllers” and “processors,” as does the GDPR and as is the trend in global data protection laws. Controllers are the entities that direct the processing of information. Processors are the entities that process information (that is, store, transmit, analyze, or otherwise use personal information) based on the controller’s instructions. Entities can be controllers without ever storing or even viewing personal information. Based on the kind of entity one is (and one can be both at the same time for any given data set), different obligations will apply.
5. Lawful Basis for Processing
Like the GDPR, but unlike the CCPA, MIPSA is not a mere notice statute. Entities are not allowed to process information merely by providing notice. Instead, they must have a lawful basis to process personal information. That lawful basis can be based on consent, contract, or legitimate or vital interests, among other things.
6. Privacy rights
Under MIPSA, individuals have affirmative privacy rights that entities must, with certain exceptions, honor. Those include the right to notice, deletion, portability of their personal data, access to and knowledge of what personal information is being processed about them, correction of personal information, the ability to place limitations on the use and disclosure of sensitive data, and the ability to opt out of the sale of their personal data (discussed further below).
Similar to the CCPA, the “sale” of information includes any kind of sharing or disclosure of personal information to a third party (one that is not a service provider), which is done for some kind of compensation. If entities sell information, they must give individuals the right to opt out of such sale and may not discriminate against individuals who choose to do so.
8. Risk Assessments
If an entity believes that certain data processing poses a “high risk of harm” to an individual, then the entity must carry out a risk assessment before any processing takes place. In most circumstances, the requirement to carry out such an assessment applies when the processing will involve sensitive information, the sale of personal information, or “a systematic and extensive evaluation of personal aspects relating to individuals that is based on automated processing.” The assessment must then lead to the implementation of processes sufficient to mitigate such risks. Importantly, the Attorney General has the right to have any risk assessment disclosed to it pursuant to a civil investigative demand (which functions like a subpoena).
9. Data Brokers
Similar to legislation first introduced in Vermont and later recapitulated in California, “data brokers,” or entities that buy and sell data (whether or not they have a personal relationship with the individual, something unique to MIPSA), must register their status as a data broker with the Commonwealth. Data brokers must allow individuals to exercise their right to opt out of the sale of their personal information and to limit the use and disclosure of sensitive information.
10. Right of Action
Individuals have a private right of action in the event of a data breach. The Attorney General maintains broad and comprehensive enforcement power relating to the bill’s provisions.
As a matter of interpretation, the bill allows entities that are in compliance with more stringent data protection laws to claim reliance on those laws in the event of a conflict.
12. Data Breach Amendments
The bill aims to amend the Massachusetts Data Breach statute to expand the meaning of personal information encompassed by that statute, and to change the responsible entities to “controllers” and “processors,” among other things.
This is a summary; it merely scratches the surface of significant provisions within the bill, which contains much more by way of substance and nuance. While there is still plenty of time for the bill to be amended, if passed in this form or close to it, the law would be the most comprehensive and robust data protection law in the United States.
As a practical matter, for entities already in compliance with the GDPR and CCPA, there may be little to do to be in compliance with MIPSA. For those entities that are not, if the law passes, there will be quite a bit of preparation to do to come into compliance, including building the internal resources necessary to carry out and maintain such comprehensive data protection measures.