(BOSTON 5/13/2025) — This week, Senate Committee on Advanced Information Technology, the Internet, and Cybersecurity chair Senator Michael Moore and vice chair Senator Pavel Payano announced that a wide-ranging bill granting consumers new rights over their personal data had been reported favorably out of Committee. The Massachusetts Data Privacy Act (MDPA) establishes baseline data minimization standards, offers stronger protections for sensitive personal information and prohibits the sale of sensitive data including that of minors, creates privacy-by-design policies, regulates data brokers, and more. The MDPA will ensure greater accountability of companies and grant user data privacy protections to those present in Massachusetts and residents of the state. This bill embodies the legislative recommendations of Attorneys General throughout the Northeast, and beyond, including Massachusetts, Connecticut, Maine, Vermont, and Maryland.
The Committee also advanced S.197, known as the Location Shield Act, which notably has a bipartisan supermajority of support in the Senate. This location-data-specific privacy bill establishes data minimization standards for location data and prohibits its sale. The bill also prohibits the transfer of location data to government entities without a warrant or subpoena, unless exigent circumstances exist. The Chair extends his gratitude to Vice Chair Payano for discharging the Location Shield Act to the Committee.
“With so much of our lives happening online, it can be hard to know who is collecting your data, how much they know about you, and what they’re doing with that information,” said Senator Michael Moore (D-Millbury). “The Massachusetts Data Privacy Act gives everyday Bay Staters the right to better control their data and grants them the ability to simply say no when it comes to invasive data collection practices. Further, it protects users’ most sensitive data from being sold or being used for targeted advertising, including information on race, sexual orientation, religious beliefs, and whether one has been a victim of a crime. I’m also thrilled that the Location Shield Act prohibits the sale of location data, something the FTC has repeatedly found leads to harmful outcomes for our constituents’ privacy, and prevents government agencies from buying their way around constitutional warrant requirements for our data. These bills will bring accountability to invasive tech companies, and I look forward to continuing the conversation about digital consumer protections as this legislation makes its way through the State House.”
“I was proud to discharge the Location Shield Act from committee, because no one should have to worry about their phone tracking them without permission,” said Senator Pavel Payano (D-Lawrence). “This bill takes a major step toward protecting our privacy and preventing the sale and misuse of personal location data, especially for those most at risk, like survivors of abuse, patients, and vulnerable communities.”
The MDPA represents the strongest ever data protections offered to Bay Staters and reflects the most up-to-date bipartisan federal consensus model on this issue. It also provides a variety of meaningful enforcement mechanisms, including empowering the Massachusetts Attorney General to enforce the law under its own terms and as a violation of the Commonwealth’s consumer protection law, Chapter 93A, as well as empowering individual users to bring claims on their own behalf through a private right of action.
Key highlights include:
Establishing Data Minimization Standards
Some websites, apps, products, and services are data vacuums, indiscriminately sucking up any information on the user that they can get. The Massachusetts Data Privacy Act would establish strong baseline data minimization standards by requiring data holders to collect and possess no more user information than is reasonably necessary for the function of their product or service. The bill states that covered entities are also required to establish, implement, and maintain reasonable policies that broadly identify, assess, and mitigate privacy risks, reflecting these companies’ and organizations’ pivotal responsibilities in ensuring private information that users share with them is kept safe.
Creates More Restrictive Standards for Sensitive Covered Data and Targeted Advertising
Many types of user data are particularly sensitive and are expected to be held in confidence by the service they are shared with. The MDPA establishes standards that ban the use of specific types of sensitive data for the purposes of targeted advertising.
The bill defines sensitive data to include:
Precise geolocation information
Biometric or genetic information
Health information
Private messages, contact books, and calendar entries
The data of individuals under the age of 18
Government-issued identifiers
Any data that reveals an individual’s:
Race, color, ethnicity, or national origin
Sex or gender identity, or sexual orientation
Religious beliefs
Citizenship or immigration status
Military service
Status as a victim of a crime
These regulations wholly ban entities from engaging in targeted advertising to minors, and make it illegal for entities to sell a user’s covered sensitive data.
Outlines Acceptable Consent Practices
Sometimes, services will use sneaky language or deceptive design to trick a user into consenting to invasive data collection or data sharing. This legislation specifies that covered entities must issue clear and conspicuous requests for consent to collect and possess a user’s data in easily understandable language. This request must also explain the user’s applicable rights. Notably, the bill states that entities cannot infer consent via inaction; for example, a user clicking out of the consent request without confirming privacy choices cannot be interpreted as consent to collect or possess that user’s data.
The bill specifies that requests for consent must be displayed at or before the point of data collection, and must include a description of what information will be collected and the purpose of its collection.
Additional Privacy Protections
Further data privacy protections in the Massachusetts Data Privacy Act include:
Privacy policy notice requirements
Data broker registration with the Office of Consumer Affairs and Business Regulation
Clarification of the Attorney General’s regulatory authority
Bans on the commercial sale of location information
The Senate Committee on Advanced Information Technology, the Internet, and Cybersecurity’s action on the Massachusetts Data Privacy Act and several related bills comes in the wake of increasing concerns about what sensitive personal data is being collected by online services and who is accessing it. In an era of increasing federal surveillance of protesters, political opponents, and immigrants, data privacy protections are more important than ever. Recent revelations of contracts data brokers have signed with ICE – who within the last six months have also been subject to an FTC complaint and then hacked by a Russian cybercriminal – high-profile arrests in Worcester, Medford, and Boston, and senior White House advisors discussing the suspension of habeas corpus have pushed the issue to the forefront of policy conversations and urge rapid action.
Along with the Massachusetts Data Privacy Act and the Location Shield Act, three additional bills were reported favorably out of the Senate Committee on Advanced Information Technology, the Internet, and Cybersecurity this week. The bills include:
S.43 – An Act to protect personal biometric data
S.47 – An Act relative to surveillance pricing in grocery stores
S.49 – An Act relative to cybersecurity and artificial intelligence
Having been approved by the Senate Committee on Advanced Information Technology, the Internet, and Cybersecurity, the bills now will move forward to the Senate Committee on Ways and Means for further review.