The Massachusetts House unanimously approved a consumer data privacy bill Thursday evening that privacy and civil liberties advocates have been pushing for for years.
It would prevent large companies from collecting data beyond what’s needed for their services, and introduces much more stringent protections for minors. It also bans them from selling anyone’s sensitive data — including precise geolocation data.
The Senate passed its own version of the bill unanimously last year, teeing the legislation up to become law before the legislative session ends at the end of July.
It’s been a top priority for groups who especially want to stop companies from selling precise geolocation data, which they warn poses a legal risk for people seeking abortions or gender-affirming care in Massachusetts, as well as immigrants.
Before a House vote Thursday, some lawmakers argued that data collection practices are widespread, and current privacy policies are inadequate to address them.
“I don’t know if you’ve ever read these terms and conditions that go on for page after page,” said state Rep. David M. Rogers, a Democrat from Cambridge. “Ninety-nine point nine percent of the public has no idea what they’re agreeing to.”
“Imagine someone hired a private investigator to track your every move. They learn about where you like to eat breakfast in the morning, what your favorite snacks are, what your go-to shows after a late night of work are,” said state Rep. Andres X. Vargas, a Democrat from Haverhill. “What kinds of medications you take. Any changes in your diet, even your immigration status. They collect pictures of you and your family over long periods of time.”
“All of this information is being collected every day,” he continued. “Then, this PI is allowed to turn around and sell all of this information about you to anyone willing to pay — from huge corporations paying thousands of dollars to target you with ads, to one individual stranger who, with $15, can access all your personal information.”
On top of data sales, the bill would limit what kinds of data companies can collect in the first place to information that’s “reasonably necessary” for their services.
“In the simplest forms, we are fighting against overcollection,” state Rep. Tricia Farley-Bouvier, House chair of the Committee on Advanced Information Technology, the Internet and Cybersecurity, said on the House floor. “Businesses should not collect data simply because they might find infinite future uses of it.”
One key difference between the House and Senate’s versions of the bill is how it would be enforced. Both let the attorney general’s office take companies to court for problems with compliance.
But advocates point to one provision in the House’s bill that they say is key: a “private right to action” against the largest companies. That means, if companies that collect more than two million residents’ data every year and don’t obey the new limits, consumers in Massachusetts whose data has been illegally collected or sold can take the companies to court themselves.
“If the AG’s office takes on a case against Meta or Google, that’s those three attorneys — or whatever it is — in the privacy division’s life for seven years. They’re not going to have time to do anything else,” said Caitriona Fitzgerald, deputy director at the Washington, D.C.–based Electronic Privacy Information Center, or EPIC, who supports the bill. “So that private right of action is really important both to ensure individuals can enforce their rights and also to kind of motivate that compliance by companies.”
The bill wouldn’t completely ban the sale of location data, just “precise” data within 1,750 feet.
“Companies do not need to know our precise location in order to target us with ads. This bill still allows them to know that I’m in the Greater Boston area,” Fitzgerald said. “This is protecting us from companies knowing exactly where we live, and that we drive to work every day.”
Lawmakers will have to try to hash out differences between the versions before they can send it to Gov. Maura Healey by the end of next month.
“Data privacy is the underpinning of all future tech bills. We have to do data privacy first,” Farley-Bouvier told reporters.
GBH News’ Katie Lannan contributed reporting.
