Massachusetts Information Privacy and Security Act Passes State Legislators

On February 14, 2022, the Massachusetts Information Privacy and Security Act (“Bill S.46” or "Act") advanced to the committee on Advanced Information Technology, the Internet, and Cybersecurity, accompanied by a new draft bill, Bill S.2687.

Bill S.46 Provisions

Bill S.46 applies to any entity that conducts business in the state of Massachusetts, or offers goods or services targeting or monitoring the behavior of Massachusetts residents, and that

  • has an annual global gross revenue of 25,000 million dollars or more;

  • has the intent and the means for processing the personal information of 100,000 consumers or more; or

  • is a data processor—a person or entity that engages in the processing of a consumer’s personal information on behalf of a “covered entity.”

Under the provisions of Bill S.46, consumers have the right to

  • access their personal information that was collected and processed by the covered entity;

  • receive information on the use of their personal information, including

    • information on where the information was obtained from;

    • to whom it was shared, distributed, or disclosed;

    • the purpose of the processing of their personal information; and

    • the period of retention of the personal information.  

  • obtain a copy of the personal information retained by the covered entity;

  • request that the covered entity stop collecting, correct mistakes contained within, or delete inaccuracies in their personal information;

  • receive sufficient notice of the means of personal information collection and the risks associated with said collection in the privacy policy of a covered entity;

  • after the age of 13, issue a grant or denial of the covered entity’s ability to collect their personal information, with an annual opportunity to amend this decision.

In addition, consumers have special protections with regard to the protection of “sensitive personal information.” These additional protections include the right to limit the use and disclosure of their sensitive personal information to purposes necessary to perform the services or provide the requested goods.  

The Attorney General ("AG") will be tasked with enforcement of Bill S.46 and has the power to commence a civil investigation when there is “reasonable cause” to believe that a covered entity has, is, or is about to engage in actions which would violate the Act. If the AG determines that a violating action is present, the AG may grant the covered entity an opportunity to cure the violation within 30 days. However, failure to comply with this opportunity to cure or denial of an opportunity to cure will permit the AG to issue a temporary restraining order, a preliminary injunction, or a permanent injunction to restrain the violations and seek civil penalties of up to $7,500 per violation for the covered entity.

Considerations for Covered Entities

Covered entities should consider reviewing the Act's provisions and comparing them against their organization’s policies and procedures to ensure that they are best prepared for future compliance efforts.
