After years of proposed state privacy legislation, Massachusetts lawmakers are poised to once again consider enacting a comprehensive state consumer privacy law in the Commonwealth this legislative session. At a hearing of the Joint Committee on Advanced Information Technology, Internet and Cybersecurity on April 9, 2025, Massachusetts lawmakers heard from different stakeholders on several introduced bills, including comprehensive consumer data privacy legislation. At the heart of the discussion were three variations of a comprehensive consumer privacy bill: H.78 (An Act establishing the Massachusetts consumer data privacy act); H.80/S.33 (An Act establishing the Comprehensive Massachusetts Consumer Data Privacy Act); and H.104/S.29/S.45 (An Act establishing the Massachusetts Data Privacy Act).[1]
These bills differ from each other in several key respects, as summarized below:
| | H.78 | H.80/S.33 | H.104/S.29/S.45 |
|---|---|---|---|
| Applicable entities | Persons conducting business in MA or targeting products or services to MA residents, that: | Persons conducting business in MA or targeting products or services to MA residents, that: | Entities operating commercially in MA that: |
| Entity-Level Exemptions | Only government entities exempt from compliance. | | |
| Data-Level Exemptions | Thirteen enumerated categories of information. Includes data subject to or regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), GLBA, Family Educational Rights and Privacy Act (FERPA), and certain credit and employment-related information. | Fifteen enumerated categories of information. Includes data subject to or regulated by HIPAA, GLBA, FERPA, and certain health, credit, emergency contact, and employment-related information. | Five enumerated categories of information. Includes information covered by HIPAA, GLBA, FERPA, and certain personal contact and employment-related information. |
| Data Minimization | Controllers may only collect or process personal data to the extent reasonably necessary and proportionate to purposes specifically defined in that section. | Personal data collection is limited to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. | Cannot collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to carry out one of thirteen enumerated purposes. |
| Definition of Sensitive Data | Generally same as H.80, as well as: | Personal data that includes: | Generally same as H.78 and H.80, as well as data revealing an individual's: |
| Collection, Processing, Transfer, or Sale of Sensitive Data | Prohibited except when strictly necessary to provide or maintain a specific product or service requested by the consumer. Ban on sale of all sensitive data. | Processing of sensitive data concerning a consumer prohibited without obtaining consumer's consent. | Transfer of sensitive data prohibited without an individual's consent. Processing of sensitive data for targeted advertising prohibited. |
| Enforcement | AG has enforcement and rulemaking authority. Private right of action, applicable only to entities that are not "small businesses" (below $20 million annual gross revenue + under annual limits on data collection, processing, and transfer). | AG exclusive enforcement authority. 60-day cure period for violations. | AG has enforcement and rulemaking authority. Private right of action, applicable only to "large data holder covered entities" (annual gross revenues of $200 million or more, + meeting minimum annual thresholds for data collection, processing, and transfer). |
| Damages | Not less than $15,000 per individual per violation. | Not defined by the Act. | $15,000 or not less than 0.15% of the covered entity's annual global revenue, whichever is greater, per violation. |
| Effective Date | 180 days after enactment. | July 1, 2026. | One year after enactment. |
A key point of contention during the Joint Committee hearing was the growing "patchwork" of state consumer privacy laws in the absence of comprehensive federal legislation. H.80/S.33 is modeled after legislation adopted in Connecticut, Rhode Island, New Hampshire, and 15 other states, while H.78 and H.104/S.29/S.45 feature several provisions which stand out from other state privacy legislation (most notably, a private right of action for injured consumers in addition to AG enforcement).
At the hearing, advocates for the approach taken by H.80/S.33, including representatives of industries likely to be subject to the regulations, argued that passing a law that closely resembles other state laws, particularly in New England, ensures consistency and clear expectations for consumers and for businesses operating across state lines. They also argued that the private right of action found in other bills would be onerous on small businesses and lead to frivolous litigation. Conversely, supporters of H.78, including several non-profit advocacy groups and nonpartisan research centers, argued that Massachusetts consumers may have differing ideas on privacy than other neighboring states, and that small businesses would be protected from liability by the bill's built-in carveouts.
Other key bills discussed during the Joint Committee hearing include: H.86/S.197 (focused on stopping the sale of location data); H.99 and S.47 (concerning grocery store surveillance pricing); and H.103 (protections for neural data and use of neurotechnology).
The Joint Committee will have until June 8, 2025, to decide whether to advance any of the data privacy bills discussed. Follow our Privacy & Data Security team for updates on this key legislative initiative.
Footnote
1. Another bill, S.301 (An Act advancing the economic development of the commonwealth through comprehensive data privacy), is progressing through the Senate and was referred to the Joint Committee on Economic Development and Emerging Technologies on February 27, 2025.