The following law(s) specifically govern personal data / information:
While Massachusetts has breach notification and industry specific laws that govern personal data, Massachusetts does not have a comprehensive law governing personal data.
The key data protection principles in this jurisdiction are:
Massachusetts does not have a comprehensive law governing personal data, so key principles do not apply across the board to all Massachusetts data privacy laws. However, some laws, as described below, provide Massachusetts residents with certain rights and protections. For example, students in Massachusetts are afforded the rights of confidentiality, inspection, amendment, and destruction of student records.
The supervisory authority / regulator in charge of data protection is:
The Massachusetts Attorney General has the primary responsibility to enforce most privacy and data security laws, including the data breach notification law.
The Massachusetts Division of Insurance has the responsibility to enforce the state’s insurance information privacy protections law.
Is there a requirement to register with a supervisory authority / regulator?
Is there a requirement to notify the supervisory authority / regulator?
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
The right to be notified if a data subject’s personal information is subject to a data breach.
With regard to student records, students in Massachusetts have the right of confidentiality, inspection, amendment, and destruction of student records. If a student is under the age of 14, the rights described apply to the student’s parents. For students aged 14 through 17, the rights above may apply to the student or the parent. For students 18 and older, the students have the exclusive right to control their records.
Massachusetts residents also have the rights of inspection and amendment of credit reports.
Is there a requirement to appoint a data protection officer (or equivalent)?
Every person owning or licensing personal information about a Massachusetts resident must develop, implement, and maintain a comprehensive information security program based on the size and type of the business, the amount of resources available to the business, the amount of data stored, and the need for security and confidentiality. One of the requirements of this program is designating one or more employees to maintain the program.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Does this jurisdiction have any specific data breach notification requirements?
Yes. Massachusetts’ data breach notification law applies to any Massachusetts resident whose information was subject to unauthorized access or use by an unauthorized person.
The law applies to any person or agency that owns or licenses data that includes personal information and any person or agency who maintains (but does not own or license) personal information.
Notice must be provided to the impacted individuals, the Massachusetts Attorney General, and the Director of the Office of Consumer Affairs and Business Regulation.
Notification must be made as soon as practicable and without unreasonable delay following discovery of the breach.
The following restrictions apply to the international transfer of personal data / information:
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes. The data protection and security laws of Massachusetts broadly apply to Massachusetts residents. Therefore, any entity (regardless of location) that maintains personal information of Massachusetts residents is subject to these laws.
The following rules specifically deal with marketing:
Yes. Entities (including individual persons) cannot call a person for marketing and sales solicitation purposes if that person is listed on the state’s do-not-call directory.
Massachusetts’ breach notification law and data disposal standards also apply to the marketing sector.
Do different rules apply to business-to-business and business-to-consumer marketing?
Given the context of these laws, the law would seem to apply to both situations.
The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads, etc.):
No special rules.
The following rules specifically deal with cookies:
No special rules.
The consequences of non-compliance with data protection laws (including marketing laws) are:
Noncompliant organizations may be subject to sanctions and penalties from state agencies.
Under certain laws, such as those governing student records and the state’s do-not-call registry, residents have a private cause of action to enforce their rights.
Under Massachusetts’ do-not-call regulation, residents may recover actual monetary damages or up to $5,000, whichever is greater.
Under Massachusetts’ data disposal requirements, the Attorney General may levy a civil fine of not more than $100 per data subject affected, to a maximum of $50,000 for each instance of improper disposal.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
While there are not any unique factors that make Massachusetts’ laws different from other states, a multinational business will need to ensure that it complies with the laws of Massachusetts if it collects, uses, or maintains personal information of Massachusetts residents.
Multinational organisations should be aware of the following upcoming data protection developments:
A comprehensive data protection law has been introduced in the Massachusetts Senate. It provides consumers with extensive rights regarding their personal information and ensures businesses are accountable for the data they collect and maintain. It provides rights similar to the CCPA, while also providing consumers with a right of rectification, a right of restriction (i.e., to limit processing), and a right to control disclosure of personal information. Under the current version of the law, all individuals will have the right to consent before their personal information is collected and processed. Businesses will have heightened standards for the processing of sensitive personal information. As of now, the law does not provide exemptions.