27 May 2025

State Comprehensive Privacy Law Update – May 19, 2025

WilmerHale


WilmerHale provides legal representation across a comprehensive range of practice areas critical to the success of its clients. With a staunch commitment to public service, the firm is a leader in pro bono representation. WilmerHale is 1,000 lawyers strong with 12 offices in the United States, Europe and Asia.

While most state legislatures are wrapping up their legislative sessions with little fanfare, Massachusetts appears to just be getting started. On May 12, 2025, the Bay State introduced the Massachusetts Data Privacy Act (S 2516), a 70-page bill that combined provisions from bills previously introduced this session (S 29, S 45, and S 33) along with new requirements and language. This bill covers a lot of ground. It applies to all businesses that collect or process the personal data of 25,000 or more Massachusetts consumers or derive "valuable consideration" from the sale of personal data (without any thresholds for the value of revenue or consideration), effectively bringing all data brokers that process Massachusetts consumer data into scope. S. 2516 also introduces a broad definition of "sensitive data" that includes an individual's driving behavior and browsing data collected by cookies and other web tracking technology. It requires separate privacy policies for precise geolocation data and biometric data and prohibits targeting ads to minors. The Massachusetts bill proposes several pages of data broker regulations similar to existing standalone data broker laws in California and Vermont, additionally imposing a responsibility on data brokers to ensure the brokered data is used by users for a "legitimate and legal purpose." Significantly, it also establishes a private right of action.

In other parts of the country, state legislatures continue to conduct business as usual. On May 2, 2025, New York also introduced a new bill, New York's Privacy Act (A 8158), as a companion bill to S 3044, and referred it to the Consumer Affairs and Protection Committee. A number of bills also failed to pass as several state legislatures closed in the past two weeks. In South Carolina, H 3401 failed to progress through the House Committee on Judiciary, and the Vermont Data Privacy and Online Surveillance Act (H 208) and the Vermont Data Privacy Act (S 71) failed to pass before the two states' legislatures closed on May 8 and May 9, respectively.

This blog post summarizes the most notable updates with regard to state comprehensive privacy law proposals. Please follow the WilmerHale Privacy and Cybersecurity Blog to stay up to date on these developments and others.

NEW PROPOSALS

Unless otherwise noted, all the newly introduced comprehensive privacy bills share some common features, such as the creation of consumer privacy rights and requirements for privacy notice. The consumer privacy rights proposed in these bills typically include the right to confirm whether a controller is processing a consumer's personal information; the rights to access, correct, or delete personal information; and the right to data portability. Although it may be phrased differently, these bills typically create a right to opt-out of the processing of personal information for purposes of selling data or targeted advertising. These introduced bills also require controllers to provide consumers with information (often via a privacy notice) that includes the categories of personal information processed; the purposes for the data processing; a description of how to exercise data rights; and information regarding any data that is sold to third parties.

The summaries below detail additional key components found in the newly introduced bills:

Massachusetts

Comprehensive Massachusetts Consumer Data Privacy Act

  1. Bill Title: Comprehensive Massachusetts Consumer Data Privacy Act (S 33)
  2. Date of Introduction: May 12, 2025
  3. Current Status: As of May 15, 2025, S. 33 accompanied a new draft, S. 2516, detailed below (5/12/2025)

[WH note: This bill was introduced as the companion bill to H 80 (previously HB 4073), which was profiled in the February 7th update].

Massachusetts Data Privacy Act

  1. Bill Title: Massachusetts Data Privacy Act (S 2516)
  2. Date of Introduction: May 12, 2025
  3. Current Status: As of May 15, 2025, S. 2516 was reported favorably by the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity, and referred to the Committee on Senate Ways and Means (5/12/2025)
  4. Key Provisions

[WH note: This bill was drafted and sponsored by the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity, which considered S 29, S 45, and S 33 (i.e. other comprehensive privacy bills currently with the Senate), and issued a redraft that combined provisions from these bills in addition to new requirements].

  • Applies to persons that conduct business in Massachusetts or produce products or services that are targeted to residents of the State and during a calendar year that: (1) collect or process personal data of at least 25,000 consumers, excluding personal data used for completing payment transactions; or (2) derive revenue or other "valuable consideration" from the sale of personal data.
  • Exempts data collected, processed, or maintained in the course of an individual applying to, employed by, or acting as an agent or contractor to a controller, processor, or third party.
  • Defines "sale" to include the exchange of personal data for other valuable consideration as well as for monetary consideration.
  • Proposes an extensive list for what is considered "sensitive data," including precise geolocation information; all covered data of a minor; "any information that describes or reveals the past, present or future" mental health, physical health, or healthcare condition; reproductive or sexual health data; calendar information, phone or text logs; "philosophical beliefs;" an individual's driving behavior; and "information identifying an individual's online activities over time and across websites, online applications, or mobile applications."
  • Imposes requirements on processors, such as requiring that a contract govern the processor's execution of data processing activities on behalf of the controller.
  • Requires the privacy notice to "describe any collection, processing, selling, or sharing of personal data for training or use" of AI, and also to include an active email address or other online contact information that consumers can use to contact the controller.
  • Controllers must "clearly and conspicuously disclose" the manner in which consumers may opt out of processing for purposes of sale of personal data or targeted advertising, if the controller performs such processing.
  • Prohibits controllers from selling sensitive data or transferring sensitive data without affirmative consent.
  • Prohibits controllers from targeting ads to minors using their personal data.
  • Requires separate privacy policies if a controller collects, processes, or transfers biometric data or precise geolocation information.
    • The end of the bill contains additional provisions for the Location Privacy Policy, including the requirement to obtain discrete consent for each purpose for collecting the data prior to collecting or processing that data.
  • Requires controllers to respond to opt-out preference signals within 18 months after the effective date of the law.
  • Necessitates data protection assessments prior to any data processing that presents a heightened risk of harm to a consumer, which includes the collection or processing of data for targeted advertising, the sale of personal data, collection or processing of sensitive data, and "a physical or other intrusion upon the solitude or seclusion... of consumers."
    • These assessments must be submitted to the Massachusetts Attorney General ("AG") within 30 days of completion.
  • Grants enforcement and rulemaking authority to the AG, who may impose civil penalties not less than $15,000 per individual per violation.
  • Establishes a private right of action, stating that "a violation of this chapter or a regulation adopted... with respect to the personal data of a consumer constitutes an injury to that consumer."
    • An injured consumer may bring a civil action against the party allegedly in violation, provided that it is not a small business as defined by the statute.
  • Brings any alleged violations of the law or regulations into the scope of Massachusetts' unfair or deceptive practice consumer protection law.
  • Establishes several requirements for data brokers, similar to data broker laws in states like California and Vermont. These requirements include:
    • Annual registration with the Office of Consumer Affairs and Business Regulation (OCABR).
    • The establishment of an accessible deletion mechanism for consumers by January 1, 2027. The statute states that "OCABR shall either partner with the California Privacy Protection Agency to make available California's accessible deletion mechanism to Massachusetts consumers... or establish [another] mechanism."
    • "Data broker credentialing," which requires data brokers to "maintain reasonable procedures designed to ensure that the brokered personal data it discloses is used for a legitimate and legal purpose." A data broker shall make reasonable efforts to verify the identity of new users and withhold the transfer of personal data if there are "reasonable grounds" to believe the data will not be used for a legitimate and legal purpose.
  • Establishes a staggered implementation timeline, from 6 months to one year after the law's enactment.

New York

  1. Bill Title: New York Privacy Act (A 8158)
  2. Date of Introduction: May 2, 2025
  3. Current Status: As of May 15, 2025, A 8158 has been referred to the Consumer Affairs and Protection Committee (5/2/2025).

[WH note: This bill was introduced as the companion bill to S 3044, which was profiled in the February 7th update].

UPDATES ON EXISTING PROPOSALS

Bills that Failed to Pass

  • South Carolina's H 3401 failed to progress through the House Committee on Judiciary, where it was referred in January, before the legislature closed on May 8, 2025.
  • Vermont's legislature closed on May 9, 2025, ending the run for the Vermont Data Privacy and Online Surveillance Act (H 208) and the Vermont Data Privacy Act (S 71), which had passed out of the Senate once the bill language was replaced by the text in another introduced bill, S 93.

* Unless otherwise noted in the new bill proposal summaries above, the following entities and data types are typically exempted from compliance with these comprehensive privacy laws: government entities; higher education institutions; nonprofit organizations; covered entities, business associates, and protected health information subject to HIPAA; financial institutions and data governed by the GLBA; personal data governed by the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), and the Driver's Privacy Protection Act (DPPA); and certain employment-related information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
