The Massachusetts Data Privacy Act S.2608

Next week, the Senate will vote on a general data privacy bill for Massachusetts. I’m very pleased to support this bill. The summary immediately below is reposted from the Senate Press Room. I repost it here to allow constituent comments and also to add a comment of my own. I look forward to hearing your comments and questions.

September 18, 2025

The Massachusetts Data Privacy Act lays out one of the strongest legislative plans for consumer data protection in the United States, safeguarding personal privacy and civil liberties for Massachusetts consumers.

An Act establishing the Massachusetts Data Privacy Act, S.2608, would protect people in Massachusetts from the exploitation of their precise GPS location, health care information, and biometric data such as face or fingerprint scans. It also guarantees stepped-up protections for minors and allows people to opt out of being targeted by advertisers based on their personal data.

In addition to limits on what big companies can do with personal data, the bill places strong limits on what personal information can be collected in the first place.

The legislation goes even further for young people, creating a stricter threshold to protect the data of minors. The bill also limits the compliance burden on Massachusetts small businesses by focusing only on larger-scale entities that deal with the personal data of thousands of people per year.

The details of the legislation are below.

Creates Extensive New Consumer Protections

Guarantees the Consumer’s Right to Know. Specifies that people have a right to know if their personal data is being collected, allows them to see what data was collected, and allows them to find out who their data has been shared with.

Gives Control to Consumers. Empowers people in Massachusetts with control over their personal data through new guaranteed rights to correct inaccurate data, delete personal information, and opt out of having their personal data sold to others.

Creates Strong Enforcement Powers. Gives the Attorney General broad regulatory authority to enforce the provisions of the Massachusetts Data Privacy Act.

Limits the Collection of Personal Data

Curtails Data Collection. Constrains companies’ unfettered collection of personal data by limiting them to only collecting what is reasonably necessary in order to provide their product or service. For certain sensitive types of data, including biometrics, precise GPS location, and healthcare data, businesses could only collect the information if it is strictly necessary.

Protects Sensitive Personal Information

Bans Sensitive Data Sales. Prohibits any kind of entity, including businesses and nonprofits, from selling off a person’s sensitive data. Protected categories of sensitive data include precise geolocation; health care information; biometric data, such as face and fingerprint scans; citizenship or immigration status; information revealing someone’s sex life, and any information about a person’s race, color, ethnicity, religion, sexual orientation, gender identity, or national origin; and information that pertains to a child.

Limits Data Transfers. Limits entities from transferring sensitive data unless they first obtain the consumer’s affirmative consent.

Gives People Rights Over Targeted Ads

Creates Opt-Out Rights for Targeted Advertising. Gives consumers the right to opt out of having their personal data collected or processed for the purpose of targeted advertising or for sale to third parties.

Enhances Specific Protections for Minors

Bans the Sale of Young People’s Data. Prohibits all entities from selling minors’ personal data.

Blocks Targeted Ads for Minors. Prohibits companies from collecting or processing a young person’s personal information for the purposes of targeting ads.

Published by Will Brownsberger

Will Brownsberger is State Senator from the Second Suffolk and Middlesex District.

53 replies on “The Massachusetts Data Privacy Act S.2608”

  1. Great news. Having my data force-collected, sold, and then lost in data breaches is infuriating. Looking forward to the passage of this bill, and the follow on when we can hold these corporations accountable.
    Thanks, as always, for your support!

  2. On the whole, I appreciate the intent of this bill. My concern is there’s no specification of protecting one’s DOB or SSN. Also there are no definitions for “reasonably necessary” and “strictly necessary.” My guess is that corporations’ interpretations of these terms and private citizens’ interpretations are vastly different.

    1. Strongly agree that a lack of specific protections for social security numbers and date of birth severely weakens this bill.

      This bill seems like a good start and is sorely needed and overdue, but could use significant strengthening if it is truly going to serve its intended purpose.

  3. Was there any attempt to coordinate or align these provisions with what other states (especially CA) are doing/have done in this regard or with what the EU has done? Are we going to have a patchwork of 50 different sets of laws covering data privacy that companies are expected to adhere to?

    1. I agree, lining up our data privacy laws with what’s already being done in other states is a good idea.

    2. I strongly agree. In particular, many companies already comply with GDPR, which is pretty strong. If this new bill is a subset of that, it would make it much easier to comply with, while still giving good protections.

  4. This is good news, overall, but of course the devil is in the details.

    The specific detail that concerns me is what methods are considered consent. I am concerned that “we can share your data” is a specific consent, and not the default result of clicking on the easiest-to-see, largest button labeled “just take me to your website.”

    GDPR has meant there are more international sites giving me buttons to click through, but when I’m at work and just trying to get a task done, it isn’t always clear what I’m signing over when I take the shortcut of clicking on a button labeled, essentially, “yeah, fine, cookies, whatever, I’m in a hurry.”

    As always, thank you so much, Will for keeping us informed and being open to comments!

  5. If there had been an Internet when the founding fathers were drafting the Constitution, today we would have privacy, fake news, etc. protection; instead we still have guns that were important for personal protection in those days. Today the proliferation of guns is a detriment to society, but we cannot get rid of them because they have become part of our culture, unlike in other countries. We desperately need personal protection from the invasive aspects of the Internet, more than guns.
    So, yes, data privacy and security are extremely important and I hope the Commonwealth can lead the country in such effort.

  6. I’ve been spending a few months each year in Vienna, where every website lets you simply click “reject all.” No need to dance around the fine print of mass data privacy. I rarely get junk mail there, but once I’m back in the US, the spam suddenly increases. In Vienna, you don’t have to “unflip the switch” to reject—it’s straightforward. In the US, it only gives the illusion of control, since you still end up having to accept “essential” cookies.

    1. Cookies are important but not the only key to privacy. Websites know things about you when you register and interact with them and can still monitor your behavior. They know what page you came from and where you went to when you leave. They can aggregate your interactions and if they release data to other sites, it is possible for them to identify you enough to send ads your way and otherwise monetize you.

  7. Thanks for informing us. Agree with above that definitions are needed regarding ‘strictly necessary’ and other terms. In addition, I would like to see companies obliged to put the details in plain English in the first paragraph or provide a hyperlink to the section detailing what they collect and what they do with it, not 4 pages in by which time many people have given up and just clicked through. The burden for clarity should be with the provider not the consumer.
    Overall I applaud this bill and your support for it.

  8. Thank you for sharing this important update. I’m glad to see the Senate taking action on data privacy—it’s long overdue. In a time when personal information is constantly collected and shared, having strong, enforceable protections at the state level is essential. I appreciate your leadership on this issue and your openness to constituent feedback. I fully support this bill and hope it passes with broad bipartisan backing.

  9. I am happy that data security and privacy are being prioritized. My thoughts/concerns:
    – how will this law be enforced and what would the penalties be? Proponents of third party enforcement may point to many instances when companies ignore laws or pay a fine that is much lower than the money they make by abusing the law. Can the law cost law-breaking companies as much as lawsuits could?
    – how can this law lead to multi-state cooperation? Partnering with states like CA, NY and NE states would potentially give the laws more bite
    – There needs to be very specific “opt-in” requirements that allow companies to gather and share personal info, rather than lengthy and (maybe useless?) opt-out options. Also ways to at least try to get companies to completely erase your info rather than to just stop contacting you and still probably selling it. I have no idea how you’d ever be able to check to make sure corporations are obeying these laws, but that seems like a pretty important thing for more internet-savvy people to figure out and include in this or future bills
    – follow up bills and AG regulations should be put on a fast track for next year, not put off until we see how it goes. I think we can guess how it will go based on how it’s already gone. I don’t know how to get ahead of predatory data mining and the loss of privacy, but I hope we at least try

    Thank you for supporting this bill

  10. Good news!

    Can this be or is this already connected to and integrated with the existing structure of 201 CMR 17.00: Standards for the protection of personal information? As there is a request in the comments above regarding SSN and DOB; those standards already define personal information for the state of Massachusetts.

    California’s opt-out permission has been of great benefit, and it is welcome here!

  11. As strict as possible. People are more important than companies. I’m tired of finding ads on one platform for something I looked up on another platform. I’m pretty tech-savvy, but this still happens to me.

  12. Thanks Will. Such a critical issue! A couple of quick thoughts. How does this interface with current MA law around financial data security – passed around 2008? I know my office promulgated regs around 2009? Second, enforcement is a big issue. I would argue that the law itself can be enforced under 93A as it is a law aimed at the protection of consumers. Restricting enforcement to the AG was the way the original 93A was written. But the office soon became overwhelmed – or so I heard – and the private right of action was added. There’s been tons of litigation around data privacy. There are numerous separate state and piecemeal federal laws. I don’t see the need to restrict enforcement to just the AG. I could argue that without this restriction the act could be enforced under 93A with a private right of action. So in some ways it could be seen as taking away a right that consumers would have had under 93A.

  13. As welcome as this piece of legislation is, I’m concerned with the vague language of the document. Depending on the user’s point of view, it can be stretched to unimaginable interpretations. Also, young/non-adult users need more/stronger protections than are offered in this piece of legislation.

  14. I am a privacy professional, attended years of discussion by states over a model privacy law for states to adopt, and recognized by a number of national privacy organizations.

    This bill may be worse than nothing.

    It’s hard to know where to begin but I would single out three things that have already surfaced in the comments.
    1 – All personal data is sensitive data. As AI and cloud computing explode with almost a trillion dollars of investment, we need to address data brokerage explicitly instead of arguing about special cases like sensitive data or minors. A small business exemption is also a huge problem because, for example, my tax accountant’s small business chooses to use software in the cloud operated by one of the largest data brokers in the world.
    2 – Compare the law you propose to CA, VT, and any others. How is this different and why? Explain very thoroughly how this kind of law will impact various business interests. What could be the unintended consequences as other states react to the lack of any significant federal regulation of privacy, AI, data brokerage, health records access?
    3 – A private right of action is a fundamental consumer right. What is the impact of passing state laws that deny that and how will MA react to federal privacy laws that depend on our weakened and politicized federal regulators for enforcement?

    1. Very important points. Also wonder if you can be tracked more freely when you are outside of MA. And given how DOJ is vacuuming up voter and SS data, any disclosure of what people do on the Web can be included in their dossiers. Just the fact that you visit certain websites can be used to build a circumstantial case against you (especially if you are an immigrant) should they choose to. Do you visit Kos or Breitbart, Bluesky or X, Alternet or Fox News … Are you on Medicaid, SSD, housing assistance … etc. There’s no end to how you can be harassed by a determined adversary. Rejecting cookies won’t save you from that.

  15. I would like to know what the penalties are. Possibly include criminal violations, with jail time. Maybe we can bag Musk if he makes a transgression.

  16. I believe that if the Commonwealth does this, the law should closely follow the rules in the EU for the GDPR. The main thing is that whoever the data is about owns the data, vs. the holder of the data owning the data. Currently in the USA the holder of data on people owns the information and can for the most part use it as they want. If Massachusetts adopts laws that are close to the EU law, then citizens have way more say about data about themselves. Things like revenge porn, false information, and spammy use of our data become legally much easier to control. And business cannot complain that Massachusetts has different rules than anywhere else because we are following the EU system that affects 500 million people. I also would like to see similar penalties to those the EU has for violations, especially for entities that have expertise in having to follow these rules. Facebook, Google, and large organizations often make a correct calculation that the penalty for not following the rules is affordable. In the EU, frequent violators have been hit with 5% of worldwide revenue for repeats for not following their rules. I personally think that after the second or third offense, percentage-of-income-based penalties are more meaningful than just statutory fines.

  17. One thing that concerns me: we need to protect data about/belonging to minors without requiring websites to ask, and store, their users’ ages or dates of birth.

    Collecting that data would be a significant burden on small websites and businesses, and it would be counter to the purpose of this legislation. The organization NetChoice has done useful advocacy work about this—if you haven’t already talked to them, please do.

  18. Mirror EU rules as much as possible. I just do not understand why we have to take partial and state-only rules and see how it goes and then evolve. Good time to be bold, Senate; every member of the Senate and House as well as every smartphone-carrying citizen is personally familiar, annoyed, and burdened with the daily intrusion into their personal lives by data collectors and aggregators that literally dog our every click on the internet. Why cannot broad consensus be quickly gained for strong EU-type rules and sanctions when almost all citizens are obviously bothered?? If there is substantial opposition to this kind of reform, Will, can you highlight the opposition so we know who they are?

  19. In agreement with the proposed legislation…conditional on some coordination across states (ala the inoculation initiative of MA, NY, and other states).

    Some questions:
    Impact on ‘free’ web services like search?
    Impact of doing business across different regulatory environments?

  20. Agreed. While I agree with a lot of the bill, I am very concerned that this is a trojan horse to just get everyone in MA to not be allowed to use internet websites without identifying themselves with name and date of birth to prove they are a minor or not. Cannot have this forced privacy violation. Any website that is asking my age is storing that information and identifying me. I have had my data breached about 10 times at least. Will not use the internet in MA if forced to identify self and age, under the guise of protecting children. I don’t care what the EU or anyone else is doing. They are also putting people in jail for tweets.

    1. This may only be a problem where “adult content” is being dispensed. I wouldn’t think that every site would have to ask every visitor from a given state how old they are. You can always lie about your age, but if they ask for proof, forget it. Years ago Facebook wanted me to upload an image of my driver’s license to prove who I was. So I deleted my account (which they didn’t make easy) and was happier for it.

  21. This is good news. At the same time, how is the audit of the legislature that 71% of MA voters want and VOTED FOR? Seems like the legislature is trying to hide crooked activities. And for more proof – Sept 1, 2026 has just been made the primary day in MA – before Labor Day, in the summer when voters are on vacation. Now why would the legislature NOT want citizens voting? Oh, right. Because we want to audit and see where the money is going. And pols wonder why voters don’t respect them.

  22. I welcome this bill. Pie in the sky:
    -Require a default of requiring people to opt in.
    -Some repercussions for text spamming that actually impact those who do this.
    -Have a website like the Do Not Call List where people can report companies with proof in snapshot form of nonconforming to the rules.
    -Make it more than “the price of doing business” as punishment for consistently ignoring the rules.

  23. I worry more about the government having access to all this information than I do about private businesses. I would like to see a prohibition on sharing information gathered for business purposes with government entities.
    I hope that as consumers we won’t lose access to services we want like maps, search and AI because Mass. regulations are too stringent.

  24. Can’t we just follow word for word California’s law known as CCPA?

    It works well. Also worth noting MA residents can file data privacy requests under CCPA. Due to almost every company having a major presence in California you can file a request under CCPA and companies are required to comply. The only downside is that if you need to take legal action, it can be difficult to file in a CA court due to distance. Honestly though, the best course of action is to work with federal delegations and push for national legislation. The advantage of federal legislation is that the FTC could take over enforcement and people would have access to federal courts to resolve issues.

    1. Speaking as someone who has been on both ends of the CCPA, i.e., as both someone at a company responsible for abiding by it and someone who has leveraged it as a consumer, I don’t actually think it’s a particularly good law, and in some ways I think the proposed MA law is better.
      Regarding, “Also worth noting MA residents can file data privacy requests under CCPA. Due to almost every company having a major presence in California you can file a request under CCPA and companies are required to comply,” that’s simply not true. No company anywhere in the U.S. is required to follow the provisions of the CCPA for people who reside outside California. Heck, even businesses _in California_ are not required to follow its provisions for people who reside outside California.
      Some companies _choose_ to follow the CCPA for people outside California because it’s easier for them to do that than to distinguish, or because they think it’s a bad look to give residents in different states different privacy rights. But, as I and others have experienced first-hand, other companies ask what state you live in and if you tell them you live outside California they refuse to afford you the rights guaranteed to California residents.

  25. This bill does many good things, but I am worried that it will be more symbolic than real, especially if it relies on enforcement from the AG’s office.

    I don’t think it’s quite correct to say that there is no privacy law that has a private right of enforcement. Here in Massachusetts, the wiretap law is a privacy law, and that has a private right of enforcement that has worked well. The AG’s office has already indicated that they are unlikely to have the resources or time to do significant enforcement themselves, so I think this is an appropriate context for there to be a private right of enforcement such as that coming out of Sen. Jehlen’s office.

    1. As for whether it makes sense to wait for the legislation to “bed down” before adding a private right of action: Both you and I know that leadership picks only a few topics each two-year session to do a big bill on. Blessedly, this may turn out to be the year for the Senate to tackle commercial privacy. But that also means that they are very unlikely to take up the matter again in two, or four, or even six years’ time, when there are and will be so many other matters clamoring for scarce floor time. It’s best to include a private right of action now. Whatever the House passes may well be weaker than what the Senate passes, and it makes best strategic sense to give the Senate plenty of negotiating room in conference.

  26. Hi Will,
    I’m glad you posted about this, but I’m disappointed that the senate announced the scheduled date to vote on the bill only a week in advance, giving constituents only a week to comment on it. Furthermore, although your text above is dated September 18, this was actually posted and emailed about on September 20, giving us, your constituents, only five days to comment, two of which are over a weekend and two of which are Rosh Hashanah, one of the most important Jewish holidays of the year.
    Having said that, speaking as a cybersecurity/privacy professional who took the time to read the entire proposed law and not just the summary of it posted above, I think it’s a step in the right direction but I have some serious concerns that I believe need to be addressed before the law is passed. They’re too long to include in full here, so I’ve published them on my blog at https://blog.kamens.us/2025/09/22/thoughts-on-the-proposed-massachusetts-data-privacy-act-s-2608/ . I encourage you and others to read my comments. I will summarize them here by listing the section headers from my blog posting:

    – Exempting credit reporting agencies is terrible but at least to some extent understandable
    – Excluding “reputation” reporting agencies is terrible and not at all understandable
    – Small businesses should not be excluded from this law
    – Controllers need to be required to delete request authentication data
    – Notifications about privacy policy changes should be explicitly required to say specifically what the changes are
    – Relying on IP address for determining location is unacceptable
    – Data protection assessments must be repeated periodically

    I am happy to discuss any of these concerns with you personally if you would like; you know how to reach me.
    I am also happy to serve as a resource to you and your staff in the future about planned legislation related to cybersecurity and privacy.
    Thanks.

    1. Thank you, Jonathan.
      I do appreciate your careful and informed review. This bill starts a process. The House will need to consider it and will benefit from the feedback that we’ve shaken loose. Then we’ll have to negotiate a final bill. Finally, the Attorney General will address many concerns by regulation.

  27. Sen. Brownsberger,
    I’m somewhat surprised that you advocate a wait and see approach to inclusion of a private right of action in S.2608 until AG Campbell has had time to get experience trying to enforce it, because I read in a recent email from Indivisible that “Attorney General Andrea Campbell strongly supports a private right of action because her office will never have sufficient resources to enforce the law alone.” Is Indivisible incorrect about this, or do you think AG Campbell is mistaken in taking this position now?

    1. I agree that the AG cannot stay ahead of all of the violations. But I believe it is responsible to make sure we have the benefits of a few years of experience in refining rules through a single litigator (the AG) before we open it up to multiple litigators (thousands of other lawyers). Otherwise we may have too much legal confusion.

  28. This effort seems focused on consumer rights and for-profit companies.

    Data brokers, which pose even more threat than individual companies, were not mentioned.

    Also not covered are citizen rights and surveillance by states/municipalities. Cities, towns and the Commonwealth are putting surveillance cameras everywhere and increasingly using drones for surveillance.

    In my view, municipalities:
    1) Overuse the technology;
    2) Give data access to too many people;
    3) Have weak oversight mechanisms;
    4) Have IT staff without sufficient training and resources to manage the equipment and data.

    1. Hi Kendra!

      If you read the text of the proposed law you will see that it does cover data brokers. In fact, arguably it primarily covers data brokers.

      I agree with you about surveillance overreach, as well as about how the third-party companies hired by state and local governments are causing problems that are not anticipated or addressed by those governments (e.g., Flock). I would like to see this addressed as well, but it’s a very different problem and I think needs to be addressed with a different law.

      1. Thanks Jonathan. When I posted the comment, I had only read the Fact Sheet linked at the top of the post.

        I just scanned the legislation and missed where it addresses data brokers like Acxiom and the many others that traffic in consumer data. I’ll do more reading on the legislation to try to suss that out.

        1. Hi, Kendra! The legislation doesn’t specifically mention data brokers, because it doesn’t need to. It applies to companies that transmit, store, process, and/or sell personal information, which describes every company in the data broker industry.

  29. Will, I, too, am concerned about the data already illegally collected by Trump/Musk re SS and DOB information. In addition, there are amendments, some of which will be helpful and others that will gut the intent of the bill.

  30. Hi Will,

    I appreciate that the legislature is taking this up, though I have real concerns about this being a small band-aid instead of real consumer protection.

    A law based on Europe’s GDPR is the right approach–most tech vendors already know how to comply with this. Enforcement and liability are key components. Currently most tech companies walk away from breaches and violations with little impact to their bottom line. There’s not enough incentive for companies to really secure their systems.

  31. Without having had a chance to look into this much, I’m very wary of it.

    You say that it goes deeper than GDPR; presumably then, GDPR compliance won’t be enough. Since that (and a handful of others) is the gold standard, online providers will have essentially three choices:

    – Vet and certify their products for use within Massachusetts. This will require legal, product-definition, and engineering work. It’ll be a lot
    – Deal with the fact that they’ll be out of compliance
    – Not offer their products in Massachusetts

    I suspect many will pick the last option. We already see that in e.g. Prosper. It’s not anything nefarious: companies simply have limited resources, and need to make business decisions about what to do, and at what else’s cost.

    Massachusetts simply isn’t a big enough market to be able to throw this kind of weight around. Europe is; California may be, though even then I’m not sure; we’re not.

    I would prefer we just ditto GDPR.

  32. I am for a comprehensive and well thought out Data Privacy Act.

    In this process of legislation, full public access to legislative committee meetings on this topic, and most other topics will support our democracy.
