Global Data Privacy Guide
USA, Massachusetts (United States)
Firm: Foley Hoag LLP
Contributors: Colin Zick
What is the key legislation?
Massachusetts has three general privacy statutes, Mass. Gen. L. ch. 93H, ch. 93I and ch. 214, § 1B, together with the regulations at 201 Code of Massachusetts Regulations 17.
Note: "Personal information" is defined and protected under Mass. Gen. L. ch. 93H ("Security Breaches"), ch. 93I ("Disposition and Destruction of Records") and 201 Code of Massachusetts Regulations 17; Mass. Gen. L. ch. 214, § 1B ("Right of Privacy") supplies a general privacy right. Under ch. 93H, § 2, "The department of consumer affairs and business regulation shall adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for the protection of personal information set forth in the federal regulations by which the person is regulated." Under ch. 214, § 1B, "A person shall have a right against unreasonable, substantial or serious interference with his privacy." This statute permits a plaintiff to bring a claim for damages for invasion of privacy.

What data is protected?
Ch. 93H protects the "personal information" of a Massachusetts resident.
Note: "Personal information" is defined as a resident's first name and last name (or first initial and last name) in combination with any one of the following:
- Social Security number;
- driver's license number or other state-issued identification card number; or
- financial account number, or credit or debit card number, with or without any required security code, access code or PIN that would permit access to the account.
A name without one of these identifiers, or an identifier without a name, falls outside the statutory definition, as does information lawfully obtained from publicly available sources or public government records.

Who is subject to privacy obligations?
Any person or agency that owns, licenses, maintains or stores "personal information" about a Massachusetts resident is subject to the Massachusetts privacy obligations.
Note: Per ch. 93H, § 3(a), "A person or agency that maintains or stores, but does not own or license data that includes personal information about a resident of the commonwealth" must report security breaches or unauthorized use of personal information to the owner or licensor of the data.

What are the principles applicable to personal data processing?
There is no single codified set of processing principles; the collection of personal information is regulated on a case-by-case basis, usually by the Office of the Attorney General or the Office of Consumer Affairs and Business Regulation.

How is the processing of personal data regulated?
The use and disclosure of personal information are likewise regulated on a case-by-case basis, usually by the Office of the Attorney General or the Office of Consumer Affairs and Business Regulation.

How are storage, security and retention of personal data regulated?
Mass. Gen. L. ch. 93H and ch. 93I, with the regulations at 201 Code of Massachusetts Regulations 17, govern the security, storage and retention (including disposal) of personal information.
Note: Under ch. 93H, § 1(a), a "breach of security" is, in substance, an unauthorized acquisition or unauthorized use of personal information of Massachusetts residents that creates a substantial risk of identity theft or fraud against a resident. The definition is framed around unencrypted data, or encrypted data together with the key or process capable of compromising it, so whether the data were properly encrypted at the time of the incident bears directly on whether a reportable breach occurred.
The regulations require a written information security program, under which those holding personal information must:
- designate one or more employees to maintain the program;
- identify and assess reasonably foreseeable internal and external risks;
- develop security policies for employees, including for storage, access and transport of records off premises;
- impose disciplinary measures for violations;
- prevent terminated employees from accessing records containing personal information;
- oversee third-party service providers and require them by contract to maintain appropriate security measures;
- collect and retain only the personal information reasonably necessary for the purpose;
- conduct routine data inventories;
- restrict physical access to records containing personal information;
- regularly monitor the program and upgrade safeguards as necessary;
- review the scope of the security measures at least annually, or whenever business practices materially change;
- document responsive actions taken after any breach of security, with a post-incident review;
- establish secure user authentication protocols (control of user IDs and passwords, access limited to active users, lockout after multiple failed login attempts);
- restrict access to records containing personal information to those who need it to perform their duties (user-based access controls);
- encrypt personal information transmitted across public networks or wirelessly;
- encrypt personal information stored on laptops and other portable devices;
- monitor systems for unauthorized use of or access to personal information;
- maintain "reasonably up-to-date" firewall protection;
- keep operating system security patches "reasonably up-to-date"; and
- maintain "reasonably up-to-date" virus and malware protection, with current patches and virus definitions, set to receive the most current security updates on a regular basis.

What are the data subjects' rights?
Massachusetts does not provide data subjects with rights of access to or correction of privately held personal data.
Note: Government data is subject to the Massachusetts Fair Information Practices Act, Mass. Gen. L. ch. 66A, which does impose obligations to correct certain data. Health records containing personal data are governed by statutes and regulations including Mass. Gen. L. ch. 111, §§ 70 and 70E, and 243 Code of Massachusetts Regulations 2.07.

Are there restrictions on cross-border data transfers?
N/A.

Are there any notification requirements for data breaches?
Yes. Mass. Gen. L. ch. 93H sets forth two sets of data breach reporting requirements, depending on whether Social Security numbers are included in the breach.
The general notification provision, Mass. Gen. L. ch. 93H, § 3, requires an entity that "maintains or stores but does not own or license data that includes personal information" to report a data breach "to the owner or licensor" of the data. Entities that do "own or license" personal data must report data breaches "as soon as practicable and without unreasonable delay", once they know or have reason to know of the breach or of unauthorized acquisition or use of the data, to the affected individuals, the Attorney General and the Office of Consumer Affairs and Business Regulation. Upon receipt of such notice, the Office of Consumer Affairs and Business Regulation may designate additional agencies, such as consumer credit reporting agencies, that must also receive notice. The notification to the Attorney General requires not only information about the breach but also information about the entity's data security practices, such as whether the entity maintains a written information security program and the steps it has taken in response to the incident.
Where a breach also involves Social Security numbers and notice under Mass. Gen. L. ch. 93H, § 3 is required, the entity must, in addition to the obligations above, provide credit monitoring services to affected individuals for at least 18 months (at least 42 months if the entity experiencing the breach is a consumer reporting agency) under ch. 93H, § 3A.
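As an added example (not code from the guide or from Foley Hoag), the following Python script applies three of the rules above to a record export: the ch. 93H definition of "personal information" from "What data is protected?" (a name plus an SSN, licence or state ID number, or account or card number), the encryption-sensitive data prong of the "breach of security" definition from the storage and security answer, and the credit-monitoring period for breaches involving Social Security numbers. The field names, the choice to recognise licence and account numbers by field label rather than by pattern, the SSN plausibility filter and the sample records are all assumptions made for the illustration; the regexes are inventory heuristics, not a legal determination.

```python
"""Scan records for Massachusetts "personal information" (Mass. Gen. L. ch. 93H, s. 1).

Added example; not code from the guide or from Foley Hoag. A record qualifies
when it combines a name (first name or first initial, plus last name) with at
least one of: SSN, driver's licence / state ID number, or a financial account or
payment card number. Field names, sample records and the licence/account
field-label heuristic are assumptions for this illustration.
"""
import re

# Field names assumed to carry a name; adjust to the dataset being inventoried.
NAME_FIELDS = ("name", "full_name", "customer_name")
# Licence and account numbers have no reliable universal format, so they are
# recognised by field label here (an assumption), not by pattern.
STATE_ID_FIELDS = ("drivers_license", "state_id")
ACCOUNT_FIELDS = ("account_number", "bank_account")

NAME_RE = re.compile(r"[A-Za-z][A-Za-z'-]*\.?\s+[A-Za-z][A-Za-z'-]+")
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every major payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_name(record: dict) -> bool:
    """True when any name field holds 'First Last' or 'F. Last'."""
    return any(
        isinstance(record.get(f), str) and NAME_RE.fullmatch(record[f].strip())
        for f in NAME_FIELDS
    )


def find_identifiers(record: dict) -> list:
    """Return (kind, field) pairs for each statutory identifier found in the record."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str) or not value.strip():
            continue
        if field in STATE_ID_FIELDS:
            hits.append(("state_id", field))
        if field in ACCOUNT_FIELDS:
            hits.append(("financial_account", field))
        for m in SSN_RE.finditer(value):
            if is_plausible_ssn(*m.groups()):
                hits.append(("ssn", field))
                break
        for m in CARD_RE.finditer(value):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append(("card", field))
                break
    return hits


def classify(record: dict) -> dict:
    """Both prongs must hold: a name AND at least one identifier."""
    named = has_name(record)
    ids = find_identifiers(record)
    return {"has_name": named, "identifiers": ids, "personal_information": named and bool(ids)}


def is_reportable_breach(classification: dict, encrypted: bool, key_compromised: bool) -> bool:
    """Data prong of the ch. 93H 'breach of security' definition: personal information
    that was unencrypted, or encrypted with the key or process also compromised.
    The 'substantial risk of identity theft or fraud' prong is a judgement left to the reader."""
    if not classification["personal_information"]:
        return False
    return (not encrypted) or key_compromised


def credit_monitoring_months(identifiers: list, consumer_reporting_agency: bool = False) -> int:
    """ch. 93H, s. 3A: SSN breaches carry at least 18 months of credit monitoring,
    42 if the breached entity is a consumer reporting agency; otherwise none is mandated."""
    if not any(kind == "ssn" for kind, _ in identifiers):
        return 0
    return 42 if consumer_reporting_agency else 18


# Constructed sample export; no real people or numbers.
SAMPLE_RECORDS = [
    {"name": "Jane Smith", "ssn": "123-45-6789", "email": "jane@example.com"},
    {"name": "J. Doe", "notes": "card 4111 1111 1111 1111 on file"},
    {"name": "Ann Lee", "email": "ann@example.com"},
    {"customer_name": "", "ssn": "078-05-1120"},          # identifier, no name
    {"name": "Bob Ray", "ssn": "000-12-3456"},             # impossible SSN area
    {"name": "Eve Park", "notes": "ref 1234 5678 9012 3456"},  # fails Luhn
]


def inventory(records: list) -> dict:
    """Count records meeting the definition and which identifier kinds appear."""
    summary = {"records": len(records), "personal_information": 0, "kinds": {}}
    for r in records:
        c = classify(r)
        if c["personal_information"]:
            summary["personal_information"] += 1
            for kind, _ in c["identifiers"]:
                summary["kinds"][kind] = summary["kinds"].get(kind, 0) + 1
    return summary


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        c = classify(r)
        print(c["personal_information"], c["identifiers"], r)
    print(inventory(SAMPLE_RECORDS))
```

Run directly, the script prints the classification of each sample record and an inventory summary (two of the six records qualify, one via an SSN and one via a card number). The Luhn check and the SSN range filter keep a data inventory from counting reference numbers and placeholder values as card numbers or SSNs; the encryption flags on is_reportable_breach make the point that the same lost laptop is a reportable breach if its disk was unencrypted and usually is not if it was encrypted and the key stayed safe.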
Who is the privacy regulator?
Two regulators oversee personal privacy: the Office of the Attorney General and the Office of Consumer Affairs and Business Regulation.
Note: In 2020, Massachusetts Attorney General Maura Healey announced the creation of a Data Privacy and Security Division within her office, with the stated goal of "protect[ing] consumers from the surge of threats to the privacy and security of their data in an ever-changing digital economy."

What are the consequences of a privacy breach?
Consequences of a privacy breach may include injunctive relief and civil penalties.
Note: The Office of the Attorney General has the authority to enforce the statutes and may bring an action under Mass. Gen. L. ch. 93A to remedy violations and/or seek injunctive relief. Civil penalties are up to USD 5,000 per violation, and the breaching party may also be liable for the costs of the investigation, including attorneys' fees. Nothing in the statutes authorizes a private right of action, but neither is one expressly forbidden under state law.

How is electronic marketing regulated?
The Office of the Attorney General regulates electronic marketing on a case-by-case basis.
Note: In April 2017, a digital advertising company hired to use mobile geofencing technology to target women entering reproductive health facilities was prohibited from doing so in Massachusetts under a settlement announced by Attorney General Maura Healey. The settlement resolved allegations that the practice would violate Massachusetts consumer protection law by tracking a consumer's physical location near or within medical facilities, disclosing that location to third-party advertisers, and targeting the consumer with potentially unwanted advertising based on inferences about his or her private, sensitive and intimate medical or physical condition, all without the consumer's knowing consent. Under the settlement, the advertiser agreed not to use geofencing technology at or near Massachusetts healthcare facilities to infer the health status, medical condition or medical treatment of any individual.

Are there any recent developments or expected reforms?
The amendments concerning breach notifications involving Social Security numbers took effect on April 10, 2019: https://malegislature.gov/Laws/SessionLaws/Acts/2018/Chapter444. Several Massachusetts cities (Boston, Springfield, Worcester and Somerville) prohibit the use of facial recognition technology by their city governments.