Massachusetts state Senator Cynthia Creem has introduced a consumer data privacy bill, SD 341, that would give Massachusetts consumers the right to sue if their personal information or biometric data is improperly collected or distributed, or for any other potential violation of the new law. Under SD 341, as under Illinois’s Biometric Information Privacy Act (BIPA), consumers may not be required to demonstrate that they have suffered monetary or property losses in order to seek damages for an alleged violation. Any violation of the proposed new law could be grounds for a valid private action.

The proposed bill is the latest signal that state legislatures are going to be increasingly active in regulating data protection issues. California’s new California Consumer Privacy Act (CCPA) is considered an expansion of privacy-related regulation beyond any existing federal or state law. Although the CCPA will not go into effect until January 2020, businesses are busy implementing compliance policies and procedures, including making plans now to ensure they can adequately and accurately respond to consumers’ requests regarding the type and nature of personal information they may possess on California residents. The Massachusetts bill appears to have many of the same characteristics as the CCPA, but its private right of action provision would be a boon for the plaintiffs’ bar. Like Illinois’s BIPA and the Telephone Consumer Protection Act (TCPA), which have spawned scores of class action lawsuits, SD 341 does not require proof of actual damages. It states that “a violation of this chapter shall constitute an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this chapter.” A prevailing plaintiff can receive the greater of $750 “per consumer incident” or actual damages and can also receive attorneys’ fees.

In addition to creating a plaintiff-friendly private right of action, SD 341 would impose new compliance obligations on all businesses that collect Massachusetts consumers’ personal information and that meet one of two revenue-related thresholds. Like the CCPA, SD 341 would grant Massachusetts consumers certain rights with respect to their personal data, including:

  • A right to notice “at or before the point of collection” of the personal information that will be collected and disclosed and the purpose of such collection or disclosure;
  • A right to request a copy of collected personal information; and
  • A right to request deletion of collected personal information.

Additionally, consumers would have the right to demand that covered businesses not disclose their information to third parties – in other words, with limited exceptions, consumers would be able to opt out of any transfers of their personal information by a business to other businesses that are not service providers. Covered businesses also would be required to implement mechanisms to collect and respond to consumer rights requests and would be prohibited from denying goods or services, charging different prices or rates, or otherwise discriminating against consumers who exercise these rights.

Implications

If SD 341 is enacted, it would not take effect until January 2023, after related rule-making is conducted by the Massachusetts attorney general. This timeline would give businesses an opportunity to create and implement compliance strategies and prepare for the onslaught of private litigation that would likely ensue. Whether or not SD 341 is adopted in Massachusetts, this bill is consistent with the recent trend toward states’ adoption of broad, generally applicable data protection regimes. Until a generally applicable federal law is enacted, there is likely to be considerable state-level action in this direction. Rather than responding piecemeal to each new law that is passed state by state, businesses should consider developing robust privacy programs that cover current and likely future state, federal and even international requirements in order to limit costs and mitigate future risk.