Polsinelli PC
What law(s) specifically govern personal data / information?
Massachusetts does not have a comprehensive law governing personal data. However, §1B of Chapter 214 of Title I of Part III of the Mass. Gen. Laws establishes a general right to privacy by providing that “[a] person shall have a right against unreasonable, substantial or serious interference with his privacy.” In addition, the Standards for the Protection of Personal Information of Residents of the Commonwealth under §17.00 of Title 201 of the Code of Massachusetts Regulations includes requirements for safeguarding personal data. Massachusetts has sector-specific statutory privacy rules related to health and employment data, as well as a broad prohibition against unfair or deceptive practices in Chapter 93A of Title XVI of Part I of the Mass. Gen. Laws, also known as the Consumer Protection Act, which is often applicable to practices involving personal data. In addition, Massachusetts has a wiretapping statute that makes it illegal to intercept wire and oral communications.
What are the key data protection principles in this jurisdiction?
Massachusetts does not have a comprehensive law governing personal data, so key principles do not apply across the board to all Massachusetts data privacy laws. However, some laws, as described below, provide Massachusetts residents with certain rights and protections. For example, students in Massachusetts are afforded the rights of confidentiality, inspection, amendment, and destruction of student records.
What is the supervisory authority / regulator in charge of data protection?
The Massachusetts Attorney General has the primary responsibility to enforce most privacy and data security laws, including the data breach notification law.
The Massachusetts Division of Insurance has the responsibility to enforce the state’s insurance information privacy protections law.
Is there a requirement to register with a supervisory authority / regulator?
No.
Is there a requirement to notify the supervisory authority / regulator?
No.
Is it possible to register with / notify the supervisory authority / regulator online?
N/A.
What are the key data subject rights under the data protection laws of this jurisdiction?
The right to be notified if a data subject’s personal information is subject to a data breach.
With regard to student records, students in Massachusetts have the rights of confidentiality, inspection, amendment, and destruction of student records. If a student is under the age of 14, the rights described apply to the student’s parents. For students aged 14 through 17, the rights above may apply to the student or the parent. For students 18 and older, the students have the exclusive right to control their records.
Massachusetts residents also have the rights of inspection and amendment of credit reports.
Is there a requirement to appoint a data protection officer (or equivalent)?
No.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Yes. The data protection and security laws of Massachusetts broadly apply to Massachusetts residents. Therefore, any entity (regardless of location) that maintains personal information of Massachusetts residents is subject to these laws.
Does this jurisdiction have any specific data breach notification requirements?
Every person owning or licensing personal information about a Massachusetts resident must develop, implement, and maintain a comprehensive information security program based on the size and type of the business, the amount of resources available to the business, the amount of data stored, and the need for security and confidentiality. One of the requirements to this program is designating one or more employees to maintain the program.
What restrictions apply to the international transfer of personal data / information?
None.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes. Massachusetts’ data breach notification law applies to any Massachusetts resident whose information was subject to unauthorized access or use by an unauthorized person.
The law applies to any person or agency that owns or licenses data that includes personal information and any person or agency who maintains (but does not own or license) personal information.
Notice must be provided to the impacted individuals, the Massachusetts Attorney General, and the Director of the Office of Consumer Affairs and Business Regulation.
Notification must be made as soon as practicable and without unreasonable delay following discovery of the breach.
What rules specifically deal with marketing?
Yes. Entities (including individual persons) cannot call a person for marketing and sales solicitation purposes if that person is listed on the state’s do-not-call directory.
Massachusetts’ breach notification law and data disposal standards also apply to the marketing sector.
Do different rules apply to business-to-business and business-to-consumer marketing?
Given the context of these laws, the law would seem to apply to both situations.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads, etc.)?
No.
What rules specifically deal with cookies?
No.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Noncompliant organisations may be subject to sanctions and penalties from state agencies.
Under certain laws, like those that apply to student records and those listed on the state’s do-not-call registry, residents have a private cause of action to enforce their rights.
Under Massachusetts’ do-not-call regulation, residents may recover actual monetary damages or up to USD $5,000, whichever is greater.
Under Massachusetts’ data disposal requirements, a civil fine may be levied by the Attorney General of not more than USD $100 per data subject affected, to a maximum of USD $50,000 for each instance of improper disposal.
Under Massachusetts’ Consumer Protection Act, the Attorney General may impose a civil penalty of up to USD $5,000 for each violation when there is reason to believe a business is engaging in unfair or deceptive acts. The Attorney General can also take action to restrain and enjoin the use of such methods or practices.
In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?
While there are not any unique factors that make Massachusetts’ laws different from other states, a multinational business will need to ensure that it complies with the laws of Massachusetts if it collects, uses, or maintains personal information of Massachusetts residents.
What upcoming data protection developments should multinational organisations be aware of?
A comprehensive data protection law has been introduced in the Massachusetts Senate. It provides consumers with extensive rights regarding their personal information and ensures businesses are accountable for the data they collect and maintain. It provides rights similar to the CCPA, while also providing consumers with a right of rectification, a right of restriction (i.e., to limit processing), and a right to control disclosure of personal information. Businesses will have heightened standards for the processing of sensitive personal information and must have separate privacy policies for precise geolocation and biometric data. It also introduces data broker regulations and establishes a private right of action.