Massachusetts state lawmakers on Tuesday advanced a digital privacy bill that would give residents more control over their online personal information. The legislation could spark a debate over digital privacy rights and alter how businesses use and profit from such data.
The legislation, called the Massachusetts Information Privacy and Security Act, passed through a joint committee focused on information technology and cybersecurity with bipartisan support by a 12-0 margin, with five members abstaining from voting. The bill will now likely go to the joint Ways and Means Committee, but it is unclear when it might be taken up for consideration.
In its current form, the bill is one of the more robust pieces of privacy legislation to come before state lawmakers in recent years, supporters said. It’s modeled after privacy legislation that passed in California, Virginia, and Colorado. Others, however, noted the legislation is a weaker version of a previous privacy bill, the Massachusetts Information Privacy Act, which had stronger provisions to protect user data from being used adversely by companies, they said.
As the debate plays out on Beacon Hill, the legislative language will be examined carefully and parsed line by line as technology companies assess how it could affect their business.
The momentum to pass a digital privacy bill in Massachusetts also comes as public sentiment turns against tech giants, such as Facebook, for profiting off user data. Unlike in Europe, where there is a comprehensive federal digital privacy law, in the US the personal data of Americans is protected only by some state laws and a patchwork of federal laws, such as HIPAA.
Senator Barry Finegold, a Democrat and cochair of the joint Senate IT committee, praised the bill’s advancement.
“Online privacy and security issues are only going to get more important, and we need to take proactive measures to ensure new technologies are used responsibly,” he said in a statement. “In the absence of federal action, we can enact meaningful reforms in the Commonwealth and help clarify the rules of the road for businesses.”
The bill, filed by Senate majority leader Cindy Creem and Representative Andy Vargas, both Democrats, has provisions in it that would affect how businesses access data generated by customers in Massachusetts.
Companies would have to provide customers with “easy-to-understand” notices about how their personal information — such as age and gender — is being collected, used, and sold. They would also need to detail how people could opt out of sharing such information.
Additionally, companies would need to ask a customer’s permission for most sales of sensitive information, such as precise geolocation, biometric, or racial information.
Moreover, the bill would allow the state attorney general to levy up to $7,500 in fines for each violation, depending on the size of the company and scope of the infraction.
“The public is demanding that government act to protect their personal information from being shared without their knowledge and consent,” Rep. Linda Dean Campbell, a Democrat and cochair of the IT committee, said in a statement.
Kade Crockford, director of the technology for the liberty program at the ACLU of Massachusetts, said she is pleased lawmakers are tackling data privacy. “We conduct so much of our lives online,” she said in a statement, “but that does not mean we should have to forfeit control over our personal data or permit it to be sold to the highest bidder.”
But as the bill progresses, Crockford said, lawmakers must keep provisions in place requiring companies “to obtain consent before collecting unlimited information about us, prohibit the current free-for-all market of sensitive information like our location and biometric data, and allow Massachusetts residents to have their day in court if companies violate the law.”
Woodrow Hartzog, a professor of law and computer science at Northeastern University, said the current bill “has actually gutted some of the soul” of the Massachusetts Information Privacy Act. He said that earlier legislation was far better in putting “substantive limits” on the type of data that companies could collect and sell, whereas the new bill relies far more on users choosing what information companies get access to.
“Real privacy data legislation would protect people regardless of what they choose, and consent to,” he said. “This legislation doesn’t seem to offer that… It’s just going to allow business as usual.”