The Massachusetts Data Privacy Act S.2608

Next week, the Senate will vote on a general data privacy bill for Massachusetts. I’m very pleased to support this bill. The summary immediately below is reposted from the Senate Press Room. I repost it here to allow constituent comments and also to add a comment of my own. I look forward to hearing your comments and questions.

September 18, 2025

The Massachusetts Data Privacy Act lays out one of the strongest legislative plans for consumer data protection in the United States, safeguarding personal privacy and civil liberties for Massachusetts consumers.

An Act establishing the Massachusetts Data Privacy Act, S.2608, would protect people in Massachusetts from the exploitation of their precise GPS location, health care information, and biometric data such as face or fingerprint scans. It also guarantees stepped-up protections for minors and allows people to opt out of being targeted by advertisers based on their personal data.

In addition to limits on what big companies can do with personal data, the bill places strong limits on what personal information can be collected in the first place.

The legislation goes even further for young people, creating a stricter threshold to protect the data of minors. The bill also limits the compliance burden on Massachusetts small businesses by focusing only on larger-scale entities that deal with the personal data of thousands of people per year.

The details of the legislation are below.

Creates Extensive New Consumer Protections

Guarantees the Consumer’s Right to Know. Specifies that people have a right to know if their personal data is being collected, allows them to see what data was collected, and allows them to find out who their data has been shared with.

Gives Control to Consumers. Empowers people in Massachusetts with control over their personal data through new guaranteed rights to correct inaccurate data, delete personal information, and opt out of having their personal data sold to others.

Creates Strong Enforcement Powers. Gives the Attorney General broad regulatory authority to enforce the provisions of the Massachusetts Data Privacy Act.

Limits the Collection of Personal Data

Curtails Data Collection. Constrains companies’ unfettered collection of personal data by limiting them to only collecting what is reasonably necessary in order to provide their product or service. For certain sensitive types of data, including biometrics, precise GPS location, and healthcare data, businesses could only collect the information if it is strictly necessary.

Protects Sensitive Personal Information

Bans Sensitive Data Sales. Prohibits any kind of entity, including businesses and nonprofits, from selling off a person’s sensitive data. Protected categories of sensitive data include precise geolocation; health care information; biometric data, such as face and fingerprint scans; citizenship or immigration status; information revealing someone’s sex life, and any information about a person’s race, color, ethnicity, religion, sexual orientation, gender identity, or national origin; and information that pertains to a child.

Limits Data Transfers. Limits entities from transferring sensitive data unless they first obtain the consumer’s affirmative consent.

Gives People Rights Over Targeted Ads

Creates Opt-Out Rights for Targeted Advertising. Gives consumers the right to opt out of having their personal data collected or processed for the purpose of targeted advertising or for sale to third parties.

Enhances Specific Protections for Minors

Bans the Sale of Young People’s Data. Prohibits all entities from selling minors’ personal data.

Blocks Targeted Ads for Minors. Prohibits companies from collecting or processing a young person’s personal information for the purposes of targeting ads.

Published by Will Brownsberger

Will Brownsberger is State Senator from the Second Suffolk and Middlesex District.

19 Comments

  1. Great news. Having my data force-collected, sold, and then lost in data breaches is infuriating. Looking forward to the passage of this bill, and the follow on when we can hold these corporations accountable.
    Thanks, as always, for your support!

  2. On the whole, I appreciate the intent of this bill. My concern is there’s no specification of protecting one’s DOB or SSN. Also there are no definitions for “reasonably necessary” and “strictly necessary.” My guess is that corporations’ interpretations of these terms and private citizens’ interpretations are vastly different.

  3. Was there any attempt to coordinate or align these provisions with what other states (especially CA) are doing/have done in this regard or with what the EU has done? Are we going to have a patchwork of 50 different sets of laws covering data privacy that companies are expected to adhere to?

  4. This is good news, overall, but of course the devil is in the details.

    The specific detail that concerns me is what methods are considered consent. I am concerned that “we can share your data” is a specific consent, and not the default result of clicking on the easiest-to-see, largest button labeled “just take me to your website.”

    GDPR has meant there are more international sites giving me buttons to click through, but when I’m at work and just trying to get a task done, it isn’t always clear what I’m signing over when I take the shortcut of clicking on a button labeled, essentially, “yeah, fine, cookies, whatever, I’m in a hurry.”

    As always, thank you so much, Will for keeping us informed and being open to comments!

  5. If there was the Internet when the founding fathers were drafting the Constitution, today we would have privacy, fake news etc. protection; instead we still have guns that were important for personal protection in those days. Today the proliferation of guns is a detriment to society, but we cannot get rid of them because they have become part of our culture, unlike in other countries. We desperately need personal protection in the invasive aspects of the Internet, more than guns.
    So, yes, data privacy and security are extremely important and I hope the Commonwealth can lead the country in such effort.

  6. I’ve been spending a few months each year in Vienna, where every website lets you simply click “reject all.” No need to dance around the fine print of mass data privacy. I rarely get junk mail there, but once I’m back in the US, the spam suddenly increases. In Vienna, you don’t have to “unflip the switch” to reject—it’s straightforward. In the US, it only gives the illusion of control, since you still end up having to accept “essential” cookies.

  7. Thanks for informing us. Agree with above that definitions are needed regarding ‘strictly necessary’ and other terms. In addition, I would like to see companies obliged to put the details in plain English in the first paragraph or provide a hyperlink to the section detailing what they collect and what they do with it, not 4 pages in by which time many people have given up and just clicked through. The burden for clarity should be with the provider not the consumer.
    Overall I applaud this bill and your support for it.

  8. Thank you for sharing this important update. I’m glad to see the Senate taking action on data privacy—it’s long overdue. In a time when personal information is constantly collected and shared, having strong, enforceable protections at the state level is essential. I appreciate your leadership on this issue and your openness to constituent feedback. I fully support this bill and hope it passes with broad bipartisan backing.

  9. I am happy that data security and privacy are being prioritized. My thoughts/concerns:
    – how will this law be enforced and what would the penalties be? Proponents of third party enforcement may point to many instances when companies ignore laws or pay a fine that is much lower than the money they make by abusing the law. Can the law cost law-breaking companies as much as lawsuits could?
    – how can this law lead to multi-state cooperation? Partnering with states like CA, NY and NE states would potentially give the laws more bite
    – There needs to be very specific “opt-in” requirements that allow companies to gather and share personal info, rather than lengthy and (maybe useless?) opt-out options. Also ways to at least try to get companies to completely erase your info rather than to just stop contacting you and still probably selling it. I have no idea how you’d ever be able to check to make sure corporations are obeying these laws, but that seems like a pretty important thing for more internet-savvy people to figure out and include in this or future bills
    – follow up bills and AG regulations should be put on a fast track for next year, not put off until we see how it goes. I think we can guess how it will go based on how it’s already gone. I don’t know how to get ahead of predatory data mining and the loss of privacy, but I hope we at least try

    Thank you for supporting this bill

  10. Good news!

    Can this be or is this already connected to and integrated with the existing structure of 201 CMR 17.00: Standards for the protection of personal information? As there is a request in the comments above regarding SSN and DOB; those standards already define personal information for the state of Massachusetts.

    California’s opt-out permission has been of great benefit, and it is welcome here!

  11. As strict as possible. People are more important than companies. I’m tired of finding ads on one platform for something I looked up on another platform. I’m pretty tech-savvy, but this still happens to me.

  12. Thanks Will. Such a critical issue! A couple of quick thoughts. How does this interface with current MA law around financial data security – passed around 2008? I know my office promulgated regs around 2009? Second, enforcement is a big issue. I would argue that the law itself can be enforced under 93A as it is a law aimed at the protection of consumers. Restricting enforcement to the AG was the way the original 93A was written. But the office soon became overwhelmed – or so I heard – and the private right of action was added. There’s been tons of litigation around data privacy. There are numerous separate state and piecemeal federal laws. I don’t see the need to restrict enforcement to just the AG. I could argue that without this restriction the act could be enforced under 93A with a private right of action. So in some ways it could be seen as taking away a right that consumers would have had under 93A.

  13. As welcomed as this piece of legislation is, I’m concerned with the vague language of the document. Depending on the user’s point of view, it can be stretched to unimaginable interpretations. Also, young/non-adult users need more/stronger protections than are offered in the piece of legislation.

  14. I am a privacy professional, attended years of discussion by states over a model privacy law for states to adopt, and recognized by a number of national privacy organizations.

    This bill may be worse than nothing.

    It’s hard to know where to begin but I would single out three things that have already surfaced in the comments.
    1 – All personal data is sensitive data. As AI and cloud computing explode with almost a trillion dollars of investment, we need to address data brokerage explicitly instead of arguing about special cases like sensitive data or minors. A small business exemption is also a huge problem because, for example, my tax accountant small business chooses to use software in the cloud operated by one of the largest data brokers in the world.
    2 – Compare the law you propose to CA, VT, and any others. How is this different and why? Explain very thoroughly how this kind of law will impact various business interests. What could be the unintended consequences as other states react to the lack of any significant federal regulation of privacy, AI, data brokerage, health records access?
    3 – A private right of action is a fundamental consumer right. What is the impact of passing state laws that deny that and how will MA react to federal privacy laws that depend on our weakened and politicized federal regulators for enforcement?

  15. I would like to know what the penalties are. Possibly include criminal violations, with jail time. Maybe we can bag Musk if he makes a transgression.

  16. I believe that if the commonwealth passes this law, it should closely follow the rules in the EU for the GDPR. The main thing is that whoever the data is about owns the data, versus the holder of the data owning the data. Currently in the USA the holder of data on people owns the information and can for the most part use it as they want. If Massachusetts adopts laws that are close to the EU law, then citizens have way more say about data about themselves. Things like revenge porn, false information, and spammy use of our data become legally much easier to control. And business cannot complain that Massachusetts has different rules than anywhere else because we are following the EU system that affects 500 million people. I also would like to see similar penalties to those the EU has for violations, especially for entities that have expertise in having to follow these rules. Facebook, Google, and large organizations often make a correct calculation that the penalty for not following the rules is affordable. In the EU, frequent violators have been hit with 5% of worldwide revenue for repeats for not following their rules. I personally think that after the second or third offense, percentage-of-income-based penalties are more meaningful than just statutory fines.
