Massachusetts to Consider Adopting a Comprehensive State Consumer Privacy Law (Again)

Foley Hoag LLP - Security, Privacy and the Law

After years of proposed state privacy legislation, Massachusetts lawmakers are poised to once again consider enacting a comprehensive state consumer privacy law in the Commonwealth this legislative session. At a hearing of the Joint Committee on Advanced Information Technology, Internet and Cybersecurity on April 9, 2025, Massachusetts lawmakers heard from a range of stakeholders on several introduced bills, including comprehensive consumer data privacy legislation. At the heart of the discussion were three variations of a comprehensive consumer privacy bill: H.78 (An Act establishing the Massachusetts consumer data privacy act); H.80/S.33 (An Act establishing the Comprehensive Massachusetts Consumer Data Privacy Act); and H.104/S.29/S.45 (An Act establishing the Massachusetts Data Privacy Act).[1]

These bills differ from each other in several key respects. The comparison below lists each provision for the three bills in turn (H.78; H.80/S.33; H.104/S.29/S.45):

Applicable entities
  H.78: Persons conducting business in MA or targeting products or services to MA residents, that:
    • (1) annually control or process the personal data of at least 25,000 consumers, excluding data processed for the sole purpose of completing a payment transaction; or
    • (2) derive revenue from the sale of personal data.
  H.80/S.33: Persons conducting business in MA or targeting products or services to MA residents, that:
    • (1) annually control or process the personal data of at least 100,000 consumers, excluding data processed for the sole purpose of completing a payment transaction; or
    • (2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of their gross revenue from the sale of personal data.
  H.104/S.29/S.45: Entities operating commercially in MA that:
    • (1) exceed $20 million in revenue; or
    • (2) collect or process personal information of at least 25,000 individuals (excluding processing for purposes related to billing or payment processing).

Entity-Level Exemptions
  H.78: Only government entities are exempt from compliance.
  H.80/S.33:
    • State government entities, or persons who have entered into contracts with such an entity while processing consumer health data on behalf of that entity;
    • Higher education institutions;
    • National securities associations; and
    • Financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA).
  H.104/S.29/S.45:
    • Government agencies;
    • Entities below certain annual gross revenue and processing thresholds that do not derive revenue from transferring covered data;
    • National securities associations; and
    • Nonprofits established to detect and prevent insurance fraud.

Data-Level Exemptions
  H.78: Thirteen enumerated categories of information. Includes data subject to or regulated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), GLBA, the Family Educational Rights and Privacy Act (FERPA), and certain credit and employment-related information.
  H.80/S.33: Fifteen enumerated categories of information. Includes data subject to or regulated by HIPAA, GLBA, FERPA, and certain health, credit, emergency contact, and employment-related information.
  H.104/S.29/S.45: Five enumerated categories of information. Includes information covered by HIPAA, GLBA, FERPA, and certain personal contact and employment-related information.

Data Minimization
  H.78: Controllers may only collect or process personal data to the extent reasonably necessary and proportionate to purposes specifically defined in that section.
  H.80/S.33: Personal data collection is limited to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.
  H.104/S.29/S.45: Covered entities may not collect, process, or transfer covered data unless the collection, processing, or transfer is limited to what is reasonably necessary and proportionate to carry out one of thirteen enumerated purposes.

Definition of Sensitive Data
  H.78: Generally the same as H.80/S.33, as well as:
    • Data revealing color, national origin, status as pregnant, philosophical beliefs or union membership, military service, or income level or indebtedness;
    • Genetic or biometric data;
    • Government-issued identifiers (including Social Security numbers, passport numbers, or driver's license numbers) that are not required by law to be publicly displayed;
    • A consumer's online activities "over time and across websites, online applications, or mobile applications that do not share common branding"; and
    • Account names, passwords, and related credential and account access information.
  H.80/S.33: Personal data that includes:
    • Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
    • Genetic or biometric data for the purpose of uniquely identifying an individual;
    • Personal data collected from a known child;
    • Precise geolocation data;
    • Transgender/nonbinary status;
    • Consumer health data, including but not limited to gender-affirming health data and reproductive or sexual health data; or
    • Crime victim status.
  H.104/S.29/S.45: Generally the same as H.78 and H.80/S.33, as well as data revealing an individual's:
    • Sex or gender identity;
    • Past, present or future mental or physical health condition, disability, diagnosis or treatment, including pregnancy and cosmetic treatment;
    • Government-issued identifiers not required by law to be publicly displayed (including the same list as H.78, as well as military ID numbers and state-issued ID card numbers);
    • Financial account number or credit or debit card number, or information describing or revealing income level or bank account balances;
    • Certain data regarding private communications, and other information regarding the transmission of such communications;
    • Certain types of media or information maintained for an individual's private use; or
    • Photographs, films, video recordings, or similar media showing naked or undergarment-clad private areas of an individual.
  The bill also specifically identifies the use or purchase of contraceptives and birth control as included in covered data concerning an individual's sexual orientation, sex life or reproductive health.

Collection, Processing, Transfer, or Sale of Sensitive Data
  H.78: Prohibited except when strictly necessary to provide or maintain a specific product or service requested by the consumer. Ban on the sale of all sensitive data.
  H.80/S.33: Processing of sensitive data concerning a consumer is prohibited without obtaining the consumer's consent.
  H.104/S.29/S.45: Transfer of sensitive data is prohibited without the individual's consent. Processing of sensitive data for targeted advertising is prohibited.

Enforcement
  H.78: AG has enforcement and rulemaking authority. Private right of action, applicable only to entities that are not "small businesses" (below $20 million annual gross revenue and under annual limits on data collection, processing, and transfer).
  H.80/S.33: AG has exclusive enforcement authority. 60-day cure period for violations.
  H.104/S.29/S.45: AG has enforcement and rulemaking authority. Private right of action, applicable only to "large data holder covered entities" (annual gross revenues of $200 million or more, and meeting minimum annual thresholds for data collection, processing, and transfer).

Damages
  H.78: Not less than $15,000 per individual per violation.
  H.80/S.33: Not defined by the Act.
  H.104/S.29/S.45: $15,000 or not less than 0.15% of the covered entity's annual global revenue, whichever is greater, per violation.

Effective Date
  H.78: 180 days after enactment.
  H.80/S.33: July 1, 2026.
  H.104/S.29/S.45: One year after enactment.

A key point of contention during the Joint Committee hearing was the growing "patchwork" of state consumer privacy laws in the absence of comprehensive federal legislation. H.80/S.33 is modeled after legislation adopted in Connecticut, Rhode Island, New Hampshire, and 15 other states, while H.78 and H.104/S.29/S.45 feature several provisions that stand out from other state privacy legislation (most notably, a private right of action for injured consumers in addition to AG enforcement).

At the hearing, advocates for the approach taken by H.80/S.33, including representatives of industries likely to be subject to the regulations, argued that passing a law that closely resembles other state laws, particularly those in New England, ensures consistency and clear expectations for consumers and for businesses operating across state lines. They also argued that the private right of action found in the other bills would be onerous for small businesses and lead to frivolous litigation. Conversely, supporters of H.78, including several non-profit advocacy groups and nonpartisan research centers, argued that Massachusetts consumers may have different expectations of privacy from those in neighboring states, and that small businesses would be protected from liability by the bill's built-in carveouts.

Other key bills discussed during the Joint Committee hearing include: H.86/S.197 (focused on stopping the sale of location data); H.99 and S.47 (concerning grocery store surveillance pricing); and H.103 (protections for neural data and use of neurotechnology).

The Joint Committee will have until June 8, 2025, to decide whether to advance any of the data privacy bills discussed.

[1] Another bill, S.301 (An Act advancing the economic development of the commonwealth through comprehensive data privacy), is progressing through the Senate and was referred to the Joint Committee on Economic Development and Emerging Technologies on February 27, 2025.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Foley Hoag LLP - Security, Privacy and the Law