ARTICLE
21 April 2025

Massachusetts To Consider Adopting A Comprehensive State Consumer Privacy Law (Again)

FH
Foley Hoag LLP

Contributor

Foley Hoag LLP logo
Foley Hoag provides innovative, strategic legal services to public, private and government clients. We have premier capabilities in the life sciences, healthcare, technology, energy, professional services and private funds fields, and in cross-border disputes. The diverse experiences of our lawyers contribute to the exceptional senior-level service we deliver to clients.
Explore Firm Details
After years of proposed state privacy legislation, Massachusetts lawmakers are poised to once again consider enacting a comprehensive state consumer privacy law in the Commonwealth this legislative session.
United States Massachusetts Privacy
Daniel T. Carlston
Your Author LinkedIn Connections

After years of proposed state privacy legislation, Massachusetts lawmakers are poised to once again consider enacting a comprehensive state consumer privacy law in the Commonwealth this legislative session. At a hearing of the Joint Committee on Advanced Information Technology, Internet and Cybersecurity on April 9, 2025, Massachusetts lawmakers heard from different stakeholders on several introduced bills, including comprehensive consumer data privacy legislation. At the heart of the discussion were three variations of a comprehensive consumer privacy bill: H.78 (An Act establishing the Massachusetts consumer data privacy act); H.80/S.33 (An Act establishing the Comprehensive Massachusetts Consumer Data Privacy Act); and H.104/S.29/S.45 (An Act establishing the Massachusetts Data Privacy Act)1.

These laws differ from each other in several key respects, as summarized below:

H.78 H.80/S.33 H.104/S.29/S.45
Applicable entities Persons conducting business in MA or targeting products or services to MA residents, that:
  • (1) annually control or process the personal data of at least 25,000 consumers, excluding for the sole purpose of completing a payment transaction; or
  • (2) derive revenue from the sale of personal data.
 Persons conducting business in MA or targeting products or services to MA residents, that:
  • (1) annually control or process the personal data of at least 100,000 consumers, excluding for the sole purpose of completing a payment transaction; or
  • (2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of their gross revenue from the sale of personal data.
 Entities operating commercially in MA that:
  • (1) exceed $20 million in revenue; or
  • (2) collect or process personal information of at least 25,000 individuals (excluding for purposes related to billing or payment processing).
Entity-Level Exemptions Only government entities exempt from compliance.
  • State government entities, or persons who have entered contracts with such entity while processing consumer health data on behalf of such entity;
  • Higher education institutions;
  • National securities associations; and
  • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA).
  • Government agencies;
  • Entities below certain annual gross revenue and processing thresholds who do not derive revenue from transferring covered data;
  • National securities associations;
  • Nonprofits established to detect and prevent insurance fraud.
Data-Level Exemptions Thirteen enumerated categories of information.
Includes data subject to or regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), GLBA, Family Educational Rights and Privacy Act (FERPA), and certain credit and employment-related information.		 Fifteen enumerated categories of information.
Includes data subject to or regulated by HIPAA, GLBA, FERPA, and certain health, credit, emergency contact, and employment-related information.		 Five enumerated categories of information.
Includes information covered by HIPAA, GLBA, FERPA, and certain personal contact and employment-related information.
Data Minimization Controllers may only collect or process personal data to the extent reasonably necessary and proportionate to purposes specifically defined in that section. Personal data collection is limited to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.
 Cannot collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to carry out one of thirteen enumerated purposes.
Definition of Sensitive Data Generally same as H.80, as well as:
  • Data revealing color, national origin, status as pregnant, philosophical beliefs or union membership, military service, or income level or indebtedness;
  • Genetic or biometric data;
  • Government-issued identifiers (including Social Security numbers, passport numbers, or driver's license numbers) that are not required by law to be publicly displayed;
  • A consumer's online activities "over time and across websites, online applications, or mobile applications that do not share common branding";
  • Account names, passwords, and related credential and account access information.
 Personal data that includes:
  • Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status;
  • Genetic or biometric data for the purpose of uniquely identifying an individual;
  • Personal data collected from a known child;
  • Precise geolocation data;
  • Transgender/nonbinary status;
  • Consumer health data, including but not limited to gender-affirming health data and reproductive or sexual health data; or
  • Crime victim status.
 Generally same as H.78 and H.80, as well as data revealing an individual's:
  • Sex or gender identity;
  • Past, present or future mental or physical health condition, disability, diagnosis or treatment, including pregnancy and cosmetic treatment;
  • Government-issued identifiers not required by law to be publicly displayed (including the same list as H.78, as well as military ID numbers and state-issued ID card numbers);
  • Financial account number or credit or debit card number, or information describing or revealing income level/bank account balances;
  • Certain data regarding private communications, and other information regarding the transmission of such communications;
  • Certain types of media/information maintained for an individual's private use; or
  • Photographs, films, video recordings, or similar mediums showing naked or undergarment-clad private areas of an individual.
  • Specifically identifies that the use or purchase of contraceptives and birth control is included in covered data concerning an individual's sexual orientation, sex life or reproductive health.
Collection, Processing, Transfer, or Sale of Sensitive Data Prohibited except when strictly necessary to provide or maintain a specific product or service requested by the consumer.
Ban on sale of all sensitive data.		 Processing of sensitive data concerning a consumer prohibited without obtaining consumer's consent. Transfer of sensitive data prohibited without an individual's consent.
Processing of sensitive data for targeted advertising prohibited.
Enforcement AG has enforcement and rulemaking authority.
Private right of action, applicable only to entities that are not "small businesses" (below $20 million annual gross revenue + under annual limits on data collection, processing, and transfer).		 AG exclusive enforcement authority.
60-day cure period for violations.		 AG has enforcement and rulemaking authority.
Private right of action, applicable only to "large data holder covered entities" (annual gross revenues of $200 million or more, + meeting minimum annual thresholds for data collection, processing, and transfer).
Damages Not less than $15,000 per individual per violation. Not defined by the Act. $15,000 or not less than 0.15% of the covered entity's annual global revenue, whichever is greater, per violation.
Effective Date 180 days after enactment. July 1, 2026. One year after enactment.

A key point of contention during the Joint Committee hearing was the growing "patchwork" of state consumer privacy laws in the absence of comprehensive federal legislation. H.80/S.33 is modeled after legislation adopted in Connecticut, Rhode Island, New Hampshire, and 15 other states, while H.78 and H.104/S.29/S.45 feature several provisions which stand out from other state privacy legislation (most notably, a private right of action for injured consumers in addition to AG enforcement).

At the hearing, advocates for the approach taken by H.80/S.33, including representatives of industries likely to be subject to the regulations, argued that passing a law that closely resembles other state laws, particularly in New England, ensures consistency and clear expectations for consumers and for businesses operating across state lines. They also argued that the private right of action found in other bills would be onerous on small businesses and lead to frivolous litigation. Conversely, supporters of H.78, including several non-profit advocacy groups and nonpartisan research centers, argued that Massachusetts consumers may have differing ideas on privacy than other neighboring states, and that small businesses would be protected from liability by the bill's built-in carveouts.

Other key bills discussed during the Joint Committee hearing include: H.86/S.197 (focused on stopping the sale of location data); H.99 and S.47 (concerning grocery store surveillance pricing); and H.103 (protections for neural data and use of neurotechnology).

The Joint Committee will have until June 8, 2025, to decide whether to advance any of the data privacy bills discussed. Follow our Privacy & Data Security team for updates on this key legislative initiative.

Footnote

1. Another bill, S.301 (An Act advancing the economic development of the commonwealth through comprehensive data privacy), is progressing through the Senate and was referred to the Joint Committee on Economic Development and Emerging Technologies on February 27, 2025.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Daniel T. Carlston
Daniel T. Carlston
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More