State Law Practice Note

Massachusetts Consumer Privacy Law

Massachusetts has no comprehensive consumer-privacy act in force. Breach notification (c. 93H), the 201 CMR 17.00 written-information-security-program rule, data destruction (c. 93I), and c. 93A govern today, while the Massachusetts Consumer Data Privacy Act sits in conference committee.

Editor: OpenAgreements editor
License: CC BY 4.0

Which privacy laws apply to your business in Massachusetts?

There is no comprehensive Massachusetts consumer-privacy law in force. What governs today is a prescriptive sectoral stack: c. 93H requires notice of a breach of security, defined as the unauthorized acquisition or use of unencrypted personal information (or of encrypted data together with the key) that creates a substantial risk of identity theft or fraud against a resident; 201 CMR 17.00, the regulation issued under c. 93H, applies to all persons that own or license personal information about a Massachusetts resident and requires a written information security program; c. 93I sets minimum standards for destroying records that contain personal information; and c. 93A declares unfair or deceptive acts or practices in trade or commerce unlawful, supplying the enforcement backbone for all of it.

Massachusetts residents currently have no general state-law rights to access, delete, correct, or port their personal data and no right to opt out of its sale, and businesses face no state notice-at-collection, consent, or data-protection-assessment duties. That may change soon: the Massachusetts Consumer Data Privacy Act has passed both chambers in differing versions and, as of June 12, 2026, is before a conference committee; the next question covers exactly where it stands and what each version would require. Until a merged bill is enacted, none of its duties is law.

Two more Massachusetts statutes belong on the map. The wiretap act, c. 272, § 99 — an all-party-consent statute with a severe civil remedy — matters for chat widgets and other person-to-person communication capture, though the Supreme Judicial Court took ordinary browsing-activity tracking outside it in 2024; and c. 214, § 1B gives residents a general right against unreasonable, substantial or serious interference with privacy. Both are developed in the consumer-lawsuit question below.

The rest of a Massachusetts-facing program rides the federal overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide; the Gramm-Leach-Bliley Act bars a financial institution from disclosing nonpublic personal information to nonaffiliated third parties without the required consumer notice; HIPAA gives individuals a right to notice of how a covered entity uses and discloses their protected health information; and COPPA makes it unlawful for child-directed online services — or any operator with actual knowledge it is collecting a child's data — to collect children's personal information in violation of the FTC's rules. None of those is a Massachusetts statute, but together with the c. 93H stack they shape what a compliant program looks like today — and a program built to this stack upgrades rather than restarts if the pending comprehensive act becomes law.

Sources for this answer

Primary law

A.1 Mass. Gen. Laws ch. 93H, § 1

Chapter 93H defines a breach of security as the unauthorized acquisition or use of unencrypted data (or encrypted data plus the key) that compromises personal information and creates a substantial risk of identity theft or fraud against a Massachusetts resident.

“Breach of security”, the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth.

See Mass. Gen. Laws ch. 93H, § 1(a).

Regulation

A.2 201 CMR 17.01(2)

201 CMR 17.00 applies to all persons that own or license personal information about a Massachusetts resident, with no revenue, size, or in-state-presence threshold.

201 CMR 17.00 applies to all persons that own or license personal information about a resident of the Commonwealth.

See 201 CMR 17.01(2).

Primary law

A.3 Mass. Gen. Laws ch. 93I, § 2

Chapter 93I sets minimum disposal standards: paper records containing personal information must be redacted, burned, pulverized, or shredded, and electronic media destroyed or erased, so the information cannot practicably be read or reconstructed.

When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information: (a) paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed; (b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.

See Mass. Gen. Laws ch. 93I, § 2.

Primary law

A.4 Mass. Gen. Laws ch. 93A, § 2

Chapter 93A declares unfair methods of competition and unfair or deceptive acts or practices in trade or commerce unlawful, supplying the enforcement backbone for Massachusetts privacy and data-security matters.

Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful.

See Mass. Gen. Laws ch. 93A, § 2(a).

Primary law

A.5 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches privacy and data-security practices nationwide.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

A.6 GLBA — Disclosure of nonpublic personal information

The Gramm-Leach-Bliley Act prohibits a financial institution from disclosing nonpublic personal information to a nonaffiliated third party unless it has provided the consumer the required privacy notice.

Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.

See 15 U.S.C. § 6802(a).

Primary law

A.7 HIPAA Notice of Privacy Practices

HIPAA gives individuals a right to adequate notice of a covered entity's uses and disclosures of their protected health information and of their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520(a)(1).

Primary law

A.8 COPPA — Collection of children's personal information

COPPA makes it unlawful for an operator of a child-directed website or online service, or any operator with actual knowledge it is collecting personal information from a child, to collect that information in violation of the FTC's implementing regulations.

It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b).

See 15 U.S.C. § 6502(a)(1).

Is Massachusetts about to adopt a comprehensive consumer privacy law?

Quite possibly, but it is not law yet. As of June 12, 2026, the Massachusetts Consumer Data Privacy Act is in conference-committee reconciliation: the Senate passed its version, S.2619, 40 to 0 on September 25, 2025; the House passed S.2619 as amended — substituting its own text, published as H.5479 — 146 to 0 on June 4, 2026; and on June 11, 2026 the Senate non-concurred in the House amendment, so a conference committee is forming (the Senate has named conferees; the House had not yet appointed its conferees as of this review). Both versions would insert a new chapter 93M giving consumers rights to access, correct, delete, and port their personal data and to opt out of targeted advertising, the sale of personal data, and profiling that feeds significant automated decisions. None of those duties applies today, and no effective date exists until a merged bill passes both chambers and is signed.

The two versions agree on the architecture — controller and processor duties, sensitive-data protections, data-protection assessments, recognition of an opt-out preference signal, and Attorney General enforcement through c. 93A — but they differ in both directions, and the differences are the conference agenda. Neither chamber's text is uniformly stricter.

Where the Senate text is stricter. The Senate version flatly bans the sale of sensitive data — its exemption section provides that a controller or processor who would otherwise be covered shall not sell sensitive data, so the ban follows entities even into the exemptions. Its data-minimization rule ties collection to what is reasonably necessary to provide or maintain a specific product or service the consumer requested, where the House rule ties collection to disclosed purposes consistent with the consumer's reasonable expectations. And its minors rule bars targeted advertising to, and sales of the data of, a consumer the controller knows or should have known is a minor — a constructive-knowledge standard — where the House requires actual knowledge or willful disregard.

Where the House text goes further. The House version adds a consent-proof ban on selling precise geolocation data collected or processed in the commonwealth, regardless of the individual's residency — consent cannot cure it — while allowing other sensitive data to be sold with the consumer's affirmative consent. Its applicability section is also broader: alongside a 100,000-consumer trigger and a revenue-from-sales trigger, it reaches any covered business that collected or processed sensitive data at all, with no consumer-count floor — compared with the Senate's thresholds of 60,000 consumers, or 20,000 consumers plus a sales-revenue share, or any handling of reproductive or sexual health data. And the House version opens a private right of action against the largest companies: a violation would constitute an unfair or deceptive trade practice under c. 93A, and the Attorney General's otherwise-exclusive enforcement authority carves out large data holders — controllers or processors handling the personal data of more than 2,000,000 consumers or the sensitive data of more than 200,000 consumers. The Senate version has no private action at all: the Attorney General would have exclusive authority across the board.

Practice caution

Do not build to either version yet, and do not rely on any circulating effective date — each engrossed text carries its own date, and the conference committee will pick the final one along with the final sensitive-data-sale rule, applicability thresholds, and private-right-of-action scope. What is safe to do now is gap-assess against the duties both versions share — data inventories, a rights-request intake channel, opt-out plumbing for targeted advertising and sales (including an opt-out preference signal), processor contracts, and data-protection assessments — because that common core appears in both engrossed texts.

Sources for this answer

Primary law · 2025-09-25

B.1 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

The Senate-engrossed MCDPA would give consumers the right to opt out of collection and processing for targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions with legal or similarly significant effects.

opt out of the collection and processing of the consumer’s personal data for purposes of: (A) targeted advertising; (B) the sale of personal data; or (C) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 4(a) (not enacted; in conference).

Primary law · 2026-06-04

B.2 H.5479 — House-passed text of S.2619 as amended (in conference)

The House-passed MCDPA text would likewise give consumers an opt-out of targeted advertising, sales of personal data, and profiling in furtherance of solely automated decisions with significant effects.

opt out of the collection and processing of the consumer’s personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

See H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 4(a) (not enacted; in conference).

Primary law · 2025-09-25

B.11 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

The Senate version would apply to persons that in the preceding calendar year processed personal data of at least 60,000 consumers (payment-only data excluded), or 20,000 consumers with at least 20 percent of revenue from data sales, or any reproductive or sexual health data.

This chapter shall apply to persons that during the preceding calendar year: (i) collected or processed the personal data of not less than 60,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; (ii) collected or processed the personal data of not less than 20,000 consumers and derived not less than 20 per cent of its gross revenue from the sale of personal data; or (iii) collected, processed or transferred reproductive or sexual health data of consumers.

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 2 (not enacted; in conference).

Primary law · 2026-06-04

B.10 H.5479 — House-passed text of S.2619 as amended (in conference)

The House version's applicability triggers would be 100,000 consumers' personal data, or $100,000 in revenue from data sales, or — with no consumer-count floor — any collection or processing of sensitive data.

This chapter shall apply to persons that conduct business in the commonwealth and produce products or provide services that are targeted to residents of the commonwealth and that, during the preceding calendar year: (i) collected or processed the personal data of not less than 100,000 consumers; provided, however, that said personal data shall not include personal data controlled or processed solely for the purpose of completing a payment transaction; (ii) derived gross revenue of not less than $100,000 from the sale of personal data; or (iii) collected or processed sensitive data; provided, however, that sensitive data shall not include personal data controlled or processed solely for the purpose of completing a payment transaction.

See H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 2 (not enacted; in conference).

Primary law · 2025-09-25

B.3 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

The Senate version would flatly ban the sale of sensitive data, and the ban would reach controllers and processors even when they otherwise fall within the chapter's exemptions.

Notwithstanding this subsection, a controller or processor who would otherwise be subject to this chapter under section 2 shall not sell sensitive data.

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 3(a) (not enacted; in conference).

Primary law · 2026-06-04

B.8 H.5479 — House-passed text of S.2619 as amended (in conference)

The House version would ban selling precise geolocation data collected or processed in the commonwealth regardless of the individual's residency, and affirmative consent could not cure the ban.

sell: (A) precise geolocation data of any individual or consumer collected or processed within the commonwealth, regardless of the residency of the individual or consumer; provided, that precise geolocation data shall not be sold even with the affirmative consent of an individual or consumer

See H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 7(a) (not enacted; in conference).

Primary law · 2025-09-25

B.4 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

The Senate version's data-minimization rule would limit collection to what is reasonably necessary to provide or maintain a specific product or service the consumer requested.

limit the collection of personal data to what is reasonably necessary to provide or maintain a specific product or service requested by the consumer to whom the data pertains

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 5(a) (not enacted; in conference).

Primary law · 2026-06-04

B.5 H.5479 — House-passed text of S.2619 as amended (in conference)

The House version's data-minimization rule would limit collection to what is reasonably necessary and proportionate to the purposes disclosed to the consumer.

limit the collection of personal data to what is reasonably necessary and proportionate in relation to the purposes for which the personal data is collected or processed, as disclosed to the consumer; provided, that such purposes shall be consistent with the reasonable expectations of the consumer

See H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 6 (not enacted; in conference).

Primary law · 2025-09-25

B.6 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

The Senate version would bar targeted advertising to, and sale of the personal data of, a consumer the controller knows or should have known is a minor — a constructive-knowledge standard.

not collect or process the personal data of a consumer for purposes of targeted advertising or sell the consumer’s personal data under circumstances where a controller knows or should have known that the consumer is a minor

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 5(a) (not enacted; in conference).

Primary law · 2026-06-04

B.7 H.5479 — House-passed text of S.2619 as amended (in conference)

The House version's minors rule would apply where the controller has actual knowledge of minor status or willfully disregards it — a narrower knowledge standard than the Senate's.

collect or process the personal data of a consumer for purposes of targeted advertising or sell the consumer’s personal data under circumstances where a controller has actual knowledge or willfully disregards that the consumer is a minor

See H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 7(a) (not enacted; in conference).

Primary law · 2026-06-04

B.12 H.5479 — House-passed text of S.2619 as amended (in conference)

Under the House version, a violation would constitute an unfair or deceptive trade practice under chapter 93A, and the Attorney General's exclusive enforcement authority would except large data holders — leaving them exposed to private c. 93A actions.

A violation of this chapter shall constitute an unfair or deceptive trade practice for purposes of chapter 93A. (2) Notwithstanding sections 9 and 11 of chapter 93A, the attorney general shall have exclusive authority to bring a civil action against any controller or processor other than a large data holder that violates this chapter

See H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 14(a) (not enacted; in conference).

Primary law · 2026-06-04

B.13 H.5479 — House-passed text of S.2619 as amended (in conference)

The House version would define a large data holder as a controller or processor that in the most recent calendar year handled the personal data of more than 2,000,000 consumers or the sensitive data of more than 200,000 consumers.

“Large data holder”, a controller or processor that in the most recent calendar year collected, processed or sold the: (i) personal data of more than 2,000,000 consumers; provided, however, that said personal data shall not include personal data collected and processed solely for the purpose of initiating, rendering, billing for, finalizing, completing or otherwise collecting payment for a requested product or service; or (ii) sensitive data of more than 200,000 consumers.

See H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 1 (not enacted; in conference).

Primary law · 2025-09-25

B.14 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

Under the Senate version, a violation would constitute an unfair or deceptive trade practice under chapter 93A, but the Attorney General would have exclusive authority to sue — no private right of action.

A violation of this chapter shall constitute an unfair or deceptive trade practice for purposes of chapter 93A. Notwithstanding sections 9 and 11 of said chapter 93A, the attorney general shall have exclusive authority to bring a civil action against a controller or processor that violates this chapter

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 10(b) (not enacted; in conference).

Does your business need a written information security program (WISP) in Massachusetts?

Yes, if you own or license personal information about even one Massachusetts resident. Under 201 CMR 17.00 — the regulation the Office of Consumer Affairs and Business Regulation adopted under c. 93H, § 2 — every such person must develop, implement, and maintain a comprehensive information security program, written in one or more readily accessible parts, with administrative, technical, and physical safeguards. Businesses that store or transmit the data electronically must also build a computer-system security layer that, to the extent technically feasible, covers authentication, access controls, monitoring, firewalls, patching, malware protection, and training — including encryption of personal information in transit over public networks or wireless connections and on laptops and portable devices.

Full compliance with 201 CMR 17.00 has been required since March 1, 2010, and the regulation remains the center of a Massachusetts compliance program. The mandatory program elements go well beyond a policy document: designating one or more employees to run the program, a documented risk assessment that identifies and evaluates reasonably foreseeable internal and external risks across electronic and paper records, employee training and discipline, cutting off terminated employees' access, service-provider oversight (covered in the vendor question below), physical access restrictions, regular monitoring, and a review of the program at least annually or whenever a material business change implicates the security of records. The required safeguards scale with the size, scope, and type of business, available resources, and the amount of stored data — the rule is risk-calibrated, not one-size-fits-all.

The program's end-of-life duty comes from a separate statute: when records containing personal information are disposed of, c. 93I requires that paper be redacted, burned, pulverized, or shredded and that electronic media be destroyed or erased so the data cannot practicably be read or reconstructed, on pain of civil fines of up to $100 per data subject, capped at $50,000 per instance of improper disposal.

Practice caution

Keep the WISP current and provable, not just written. The breach-notification statute requires the regulator-facing breach notice to disclose whether the business maintains a written information security program — so a missing or stale WISP surfaces automatically in the worst possible moment. Re-run the risk assessment and document the annual review.

Sources for this answer

Primary law

C.1 Mass. Gen. Laws ch. 93H, § 2

Chapter 93H directs the Department of Consumer Affairs and Business Regulation to adopt safeguards regulations for any person that owns or licenses personal information about a Massachusetts resident — the statutory hook for 201 CMR 17.00.

The department of consumer affairs and business regulation shall adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated.

See Mass. Gen. Laws ch. 93H, § 2(a).

Regulation

C.2 201 CMR 17.03(1)

Every person that owns or licenses personal information about a Massachusetts resident must develop, implement, and maintain a written comprehensive information security program with administrative, technical, and physical safeguards appropriate to the business's size, resources, data volume, and confidentiality needs.

develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to: (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information.

See 201 CMR 17.03(1).

Regulation

C.3 201 CMR 17.04

A business that electronically stores or transmits Massachusetts residents' personal information must include in its WISP a computer security system with enumerated minimum elements, to the extent technically feasible.

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

See 201 CMR 17.04.

Regulation

C.4 201 CMR 17.04(3)

The computer-security requirements include encryption of personal information transmitted across public networks and of personal information transmitted wirelessly.

Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

See 201 CMR 17.04(3).

Regulation

C.5 201 CMR 17.04(5)

The computer-security requirements include encryption of all personal information stored on laptops or other portable devices.

Encryption of all personal information stored on laptops or other portable devices

See 201 CMR 17.04(5).

Regulation

C.6 201 CMR 17.05

Every person that owns or licenses personal information about a Massachusetts resident has been required to be in full compliance with 201 CMR 17.00 since March 1, 2010.

Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

See 201 CMR 17.05(1).

Regulation

C.7 201 CMR 17.03(2)(b)

The WISP must include a risk assessment that identifies reasonably foreseeable internal and external risks across electronic and paper records and evaluates and improves the existing safeguards.

Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks

See 201 CMR 17.03(2)(b).

Regulation

C.8 201 CMR 17.03(2)(i)

The WISP's scope must be reviewed at least annually, and whenever a material change in business practices may implicate the security or integrity of records containing personal information.

Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.

See 201 CMR 17.03(2)(i).

Primary law

C.9 Mass. Gen. Laws ch. 93I, § 2

Improper disposal of records containing personal information carries a civil fine of up to $100 per affected data subject, capped at $50,000 for each instance of improper disposal.

Any agency or person who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal.

See Mass. Gen. Laws ch. 93I, § 2.

Primary law

C.10 Mass. Gen. Laws ch. 93H, § 3

The breach notice to the Attorney General and the Director of Consumer Affairs and Business Regulation must state whether the business maintains a written information security program.

The notice to be provided to the attorney general and said director, and consumer reporting agencies or state agencies if any, shall include, but not be limited to: (i) the nature of the breach of security or unauthorized acquisition or use; (ii) the number of residents of the commonwealth affected by such incident at the time of notification; (iii) the name and address of the person or agency that experienced the breach of security; (iv) name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security; (v) the type of person or agency reporting the breach of security; (vi) the person responsible for the breach of security, if known; (vii) the type of personal information compromised, including, but not limited to, social security number, driver's license number, financial account number, credit or debit card number or other data; (viii) whether the person or agency maintains a written information security program; and (ix) any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program.

See Mass. Gen. Laws ch. 93H, § 3(b).

What must your Massachusetts privacy policy contain?

No Massachusetts statute requires a general-audience commercial website to post a privacy policy or fixes its contents today. The enforceable rule is that whatever you publish must be true: a policy that misstates how you collect, use, share, or secure data is a deceptive practice under c. 93A, § 2 — which is construed in line with FTC interpretations — and under Section 5 of the FTC Act. Where a sectoral regime applies, that regime supplies the contents: a HIPAA covered entity, for example, must give individuals notice of the uses and disclosures of their protected health information and of their rights and the entity's duties.

This is the prong the pending Massachusetts Consumer Data Privacy Act would change most visibly. Both engrossed versions would mandate a consumer-facing privacy notice with prescribed contents. The Senate text requires a reasonably accessible, understandable, clear, meaningful and not misleading notice enumerating, among other items, the categories of personal data collected (with a separate list of sensitive-data categories), the purposes of processing, how consumers exercise and appeal rights, the categories of third parties receiving data, a privacy contact channel, a description of any targeted advertising, sales, or significant profiling with the opt-out procedure, and the notice's effective date. The House text requires a reasonably accessible, clear and not misleading notice with a similar enumeration that adds retention periods for each category of personal data, or the criteria used to determine them. Neither requirement is law while the bill sits in conference, so do not treat any circulating notice checklist as binding yet.

A practical drafting approach for today: build the policy from the federal and sectoral overlay where it applies (GLBA privacy notices, the HIPAA notice of privacy practices, a COPPA notice for child-directed services), describe actual practices accurately — categories collected, purposes, sharing, retention, choices — and then honor every statement, because consistency between the statement and the conduct is the obligation Massachusetts and federal regulators can already enforce . A policy drafted to the both-versions common core of the pending act will also need little surgery if the conference report becomes law.

Sources for this answer

Primary law

D.1 Mass. Gen. Laws ch. 93A, § 2

Chapter 93A makes unfair or deceptive acts or practices unlawful and directs courts to follow FTC and federal-court constructions of FTC Act § 5 — the basis for treating a misleading privacy policy as a deceptive practice.

It is the intent of the legislature that in construing paragraph (a) of this section in actions brought under sections four, nine and eleven, the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended.

See Mass. Gen. Laws ch. 93A, § 2(b).

Primary law

D.2 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

D.3 HIPAA Notice of Privacy Practices

A HIPAA covered entity must give individuals a notice describing the uses and disclosures of their protected health information and their rights and the entity's legal duties.

an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information

See 45 C.F.R. § 164.520.

Primary law · 2025-09-25

D.4 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

The Senate version would require controllers to provide consumers a reasonably accessible, understandable, clear, meaningful and not misleading privacy notice with enumerated contents.

A controller shall provide consumers with a reasonably accessible, understandable, clear, meaningful and not misleading privacy notice that includes: (i) the categories of personal data collected and processed by the controller, including a separate list of categories of sensitive data collected and processed by the controller, described in a level of detail that provides consumers with a meaningful understanding of the type of personal data collected or processed; (ii) the purpose for collecting and processing each category of personal data the controller collects or processes described in a way that gives consumers a meaningful understanding of how each category of their personal data will be used; (iii) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (iv) the categories of personal data that the controller transfers to third parties, if any, and the purposes for those transfers; (v) the categories of third parties, if any, to which the controller transfers personal data; (vi) an active electronic mail address or other online mechanism that the consumer may use to contact the controller for privacy and data security inquiries; (vii) information identifying the controller, including any business name under which the controller registered with the secretary of the commonwealth and any assumed business name that the controller uses in the commonwealth; (viii) a clear and conspicuous description of any processing of personal data in which the controller engages for the purposes of targeted advertising, sale of personal data to third parties or profiling the consumer in furtherance of decisions that produce legal or similarly significant effects concerning the consumer and a procedure by which the consumer may opt out of this type of processing; (ix) a general description of the controller’s data security practices; and (x) the effective date of the privacy notice.

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 5(c) (not enacted; in conference).

Primary law · 2026-06-04

D.5 H.5479 — House-passed text of S.2619 as amended (in conference)

The House version would require controllers to provide consumers a reasonably accessible, clear and not misleading privacy notice with enumerated contents.

A controller shall provide consumers with a reasonably accessible, clear and not misleading privacy notice that shall include: (i) the categories of personal data collected and processed by the controller, including a separate list of categories of sensitive data collected and processed by the controller, described in a level of detail that provides consumers with an understanding of the type of personal data collected or processed; (ii) the purpose for collecting and processing each category of personal data the controller collects or processes described in a way that gives consumers an understanding of how each category of their personal data will be used; (iii) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (iv) the categories of personal data that the controller sells to third parties, if any, and the purposes for those sales; (v) the categories of third parties, if any, to which the controller sells personal data; (vi) the length of time the controller intends to retain each category of personal data, or, if it is not possible to identify the length of time, the criteria used to determine the length of time the controller intends to retain categories of personal data; and (vii) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.

See H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 8(a) (not enacted; in conference).

What must your contracts with vendors say in Massachusetts?

Massachusetts already imposes a real vendor-contract duty — through the security regulation, not an omnibus privacy act. Under 201 CMR 17.03(2)(f), every business covered by the WISP rule must oversee its service providers by taking reasonable steps to select and retain providers capable of maintaining appropriate security measures, and by requiring those providers by contract to implement and maintain such measures for personal information. A service provider is any person permitted access to personal information through services provided directly to a covered business.

That security flow-down is narrower than the data-processing agreements comprehensive-statute states require — Massachusetts law today does not prescribe processing-instruction clauses, audit rights, deletion-or-return duties, or subprocessor controls. Sectoral regimes fill part of that gap: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract, and HIPAA requires a business-associate agreement before protected health information is shared.

The pending act would close the rest of the gap. Both engrossed MCDPA versions would require a written, binding controller-processor contract governing processing on the controller's behalf — the Senate text, for example, requires the contract to set out processing instructions, confidentiality protections, the nature, purpose, and duration of processing, and both parties' rights and obligations, with downstream duties for subcontractors, deletion or return of data, and compliance demonstrations. A prudent move now is to draft vendor terms to that fuller template — the 201 CMR 17.00 security clause is already mandatory, and the rest becomes mandatory if the conference report is enacted.

Sources for this answer

Regulation

E.1 201 CMR 17.03(2)(f)1.

A covered business must take reasonable steps to select and retain service providers capable of maintaining appropriate security measures for personal information.

Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with 201 CMR 17.00 and any applicable federal regulations

See 201 CMR 17.03(2)(f)1.

Regulation

E.2 201 CMR 17.03(2)(f)2.

A covered business must require its service providers by contract to implement and maintain appropriate security measures for personal information.

Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information

See 201 CMR 17.03(2)(f)2.

Regulation

E.3 201 CMR 17.02

A service provider is any person permitted access to personal information through its provision of services directly to a person subject to 201 CMR 17.00.

Service Provider, any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to 201 CMR 17.00.

See 201 CMR 17.02.

Primary law

E.4 GLBA Safeguards Rule

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Requiring your service providers by contract to implement and maintain such safeguards

See 16 C.F.R. § 314.4.

Primary law

E.5 HIPAA Business Associate Contracts

HIPAA requires a written business-associate contract that establishes the permitted uses and disclosures of protected health information and binds the business associate to safeguard it.

A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract

See 45 C.F.R. § 164.504.

Primary law · 2025-09-25

E.6 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

The Senate version would require a written, binding contract to govern a processor's data processing on a controller's behalf — the data-processing-agreement mandate Massachusetts law currently lacks.

A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall be in writing, binding and shall include, but not be limited to, clearly set forth instructions for processing data and protecting the confidentiality of the data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties including a method by which the processor shall notify the controller of material changes to its privacy practices. The processor shall adhere to the instructions of the controller and only process and transfer the data it receives from the controller to the extent necessary to provide a service requested by the controller, as set out in the contract. The contract shall also require that the processor: (i) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (ii) at the controller’s direction, delete or return all personal data to the controller as requested, unless retention of the personal data is required by law; (iii) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter; (iv) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the contractual, statutory and regulatory obligations of the processor with respect to personal data

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 6(b) (not enacted; in conference).

When must you notify people of a data breach in Massachusetts?

As soon as practicable and without unreasonable delay — there is no fixed day-count. A business that owns or licenses data including a resident's personal information must notify the Attorney General, the Director of Consumer Affairs and Business Regulation, and the affected resident when it knows or has reason to know of a breach of security, or that personal information was acquired or used by an unauthorized person or for an unauthorized purpose. Notice cannot wait for a complete headcount: it may not be delayed on the ground that the total number of affected residents is not yet ascertained. Personal information means a resident's name combined with a Social Security number, driver's license or state ID number, or a financial-account or payment-card number that would permit account access.

Massachusetts inverts the consumer-notice rule most states follow. The notice to the resident must cover the right to obtain a police report, how to request a security freeze at no charge, and the mitigation services offered — but it must not describe the nature of the breach or the number of residents affected; those details go to the regulators instead. The regulator-facing notice has its own content list, including whether the business maintains a written information security program (see the WISP question above).

Two further duties round out the response plan. If the breach involves Social Security numbers, the business must contract with a third party to offer affected residents free credit monitoring for at least 18 months — at least 42 months if the breached business is a consumer reporting agency — and it may not condition that offer on the resident waiving the right to sue. Notice may be delayed only when law enforcement determines, in writing to the Attorney General, that it would impede a criminal investigation. A business that follows breach-response procedures under federal law is deemed compliant — but only if it still notifies the Massachusetts Attorney General and the Director of Consumer Affairs and Business Regulation without unreasonable delay.
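A constructed triage helper, added here as an illustration and not part of this practice note or its editors' materials, that encodes the c. 93H duties just described: whether exposed data is personal information under § 1(a), whether notice is triggered, the § 3A credit-monitoring term, and a check that a draft resident letter omits the two items § 3(b) keeps out of it while a draft regulator letter carries all nine required items. The data-element labels, the notice field keys, and the Incident fields are assumptions of the example; its treatment of encryption is a simplification of the breach-of-security definition, and it is a checklist aid, not a substitute for reading the statute.

```python
# Added illustration (not from the page or its editors) of the c. 93H notice
# triage the answer above describes. Data-element labels and notice field keys
# are constructed shorthand, not statutory terms.
from dataclasses import dataclass

# Elements that, combined with a resident's name, make "personal information"
# under Mass. Gen. Laws ch. 93H, § 1(a). Labels are constructed.
TRIGGER_ELEMENTS = frozenset(
    {"ssn", "drivers_license", "state_id", "financial_account", "payment_card"}
)

# Content the regulator-facing notice must carry under c. 93H, § 3(b)
# (constructed keys for the nine statutory items).
REGULATOR_NOTICE_FIELDS = (
    "nature_of_breach", "residents_affected", "breached_entity_name_address",
    "reporter_name_title_relationship", "reporter_type", "responsible_party_if_known",
    "data_types_compromised", "has_wisp", "remediation_steps",
)

# Content the resident notice must carry, and content § 3(b) forbids in it.
RESIDENT_NOTICE_FIELDS = (
    "police_report_right", "security_freeze_how_to",
    "security_freeze_no_charge", "mitigation_services",
)
RESIDENT_NOTICE_FORBIDDEN = ("nature_of_breach", "residents_affected")


@dataclass(frozen=True)
class Incident:
    name_present: bool          # first name/initial plus last name in the records
    elements: frozenset         # constructed labels for the exposed data elements
    encrypted: bool             # exposed data was encrypted (key not compromised)
    known_unauthorized_use: bool = False      # § 3(b) second prong: PI acquired or used by an unauthorized person
    consumer_reporting_agency: bool = False   # § 3A(a): 42-month monitoring term
    le_written_determination_to_ag: bool = False  # § 4: law-enforcement delay letter to the AG


def is_personal_information(inc: Incident) -> bool:
    """§ 1(a): name in combination with at least one trigger element."""
    return inc.name_present and bool(inc.elements & TRIGGER_ELEMENTS)


def notice_required(inc: Incident) -> bool:
    """§ 3(b): a breach of security (unauthorized acquisition or use of
    unencrypted PI) or known unauthorized acquisition or use of the PI.
    Simplification: encryption alone is treated as taking the data outside
    the breach-of-security definition."""
    if not is_personal_information(inc):
        return False
    return (not inc.encrypted) or inc.known_unauthorized_use


def credit_monitoring_months(inc: Incident) -> int:
    """§ 3A(a): 18 months when an SSN was (or is reasonably believed to have
    been) disclosed, 42 months for a consumer reporting agency, 0 otherwise."""
    if "ssn" not in inc.elements:
        return 0
    return 42 if inc.consumer_reporting_agency else 18


def validate_resident_notice(draft: dict) -> list:
    """Flags missing required items and the two items § 3(b) keeps out of
    the resident notice (nature of the breach, number of residents affected)."""
    problems = [f"missing: {f}" for f in RESIDENT_NOTICE_FIELDS if f not in draft]
    problems += [f"forbidden in resident notice: {f}"
                 for f in RESIDENT_NOTICE_FORBIDDEN if f in draft]
    return problems


def validate_regulator_notice(draft: dict) -> list:
    """Flags any of the nine § 3(b) regulator-notice items that are absent."""
    return [f"missing: {f}" for f in REGULATOR_NOTICE_FIELDS if f not in draft]


def triage(inc: Incident) -> dict:
    """Summarize the c. 93H duties the incident triggers."""
    if not notice_required(inc):
        return {"notice_required": False}
    return {
        "notice_required": True,
        "recipients": ["attorney_general", "director_of_consumer_affairs", "residents"],
        "timing": "as soon as practicable and without unreasonable delay",
        "may_delay_for_headcount": False,                                    # § 3(b)
        "may_delay_for_law_enforcement": inc.le_written_determination_to_ag,  # § 4
        "credit_monitoring_months": credit_monitoring_months(inc),           # § 3A(a)
        "may_condition_monitoring_on_waiver": False,                         # § 3A(b)
    }


if __name__ == "__main__":
    # Constructed incident: an unencrypted export containing names and SSNs.
    inc = Incident(name_present=True, elements=frozenset({"ssn", "email"}), encrypted=False)
    print(triage(inc))
    draft = {f: "..." for f in RESIDENT_NOTICE_FIELDS}
    draft["nature_of_breach"] = "misconfigured storage bucket"  # belongs in the regulator notice only
    print(validate_resident_notice(draft))
```

The two validators are the part worth keeping in an incident-response runbook: the resident letter and the regulator letter have different mandatory contents, and the most common drafting error is copying the breach narrative from the regulator filing into the consumer letter.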

Sources for this answer

Primary law

F.1 Mass. Gen. Laws ch. 93H, § 3

An owner or licensor of data including a resident's personal information must notify the Attorney General, the Director of Consumer Affairs and Business Regulation, and the resident as soon as practicable and without unreasonable delay after learning of a breach of security or unauthorized acquisition or use.

A person or agency that owns or licenses data that includes personal information about a resident of the commonwealth, shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the attorney general, the director of consumer affairs and business regulation and to such resident, in accordance with this chapter.

See Mass. Gen. Laws ch. 93H, § 3(b).

Primary law

F.2 Mass. Gen. Laws ch. 93H, § 3

Breach notice may not be delayed on the ground that the total number of affected residents is not yet ascertained — Massachusetts requires rolling, supplemental notification.

A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained.

See Mass. Gen. Laws ch. 93H, § 3(b).

Primary law

F.3 Mass. Gen. Laws ch. 93H, § 1

Personal information under c. 93H is a resident's name combined with a Social Security number, driver's license or state ID number, or a financial-account or payment-card number permitting account access.

''Personal information'' a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account

See Mass. Gen. Laws ch. 93H, § 1(a).

Primary law

F.4 Mass. Gen. Laws ch. 93H, § 3

The consumer-facing notice must cover police-report rights, security freezes at no charge, and mitigation services — but must not include the nature of the breach or the number of residents affected.

The notice to be provided to the resident shall include, but shall not be limited to: (i) the resident's right to obtain a police report; (ii) how a resident may request a security freeze and the necessary information to be provided when requesting the security freeze; (iii) that there shall be no charge for a security freeze; and (iv) mitigation services to be provided pursuant to this chapter; provided, however, that said notice shall not include the nature of the breach of security or unauthorized acquisition or use, or the number of residents of the commonwealth affected by said breach of security or unauthorized access or use.

See Mass. Gen. Laws ch. 93H, § 3(b).

Primary law

F.5 Mass. Gen. Laws ch. 93H, § 3A

A breach involving Social Security numbers obligates the business to offer affected residents free credit monitoring for at least 18 months — at least 42 months when the breached entity is a consumer reporting agency.

the person shall contract with a third party to offer to each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to said resident for a period of not less than 18 months; provided, however, that if the person that has experienced a breach of security is a consumer reporting agency, then said consumer reporting agency shall contract with a third party to offer each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to such resident for a period of not less than 42 months

See Mass. Gen. Laws ch. 93H, § 3A(a).

Primary law

F.6 Mass. Gen. Laws ch. 93H, § 3A

A breached business may not condition the offer of credit monitoring on the resident waiving the right to a private action.

A person that experienced a breach of security shall not require a resident to waive the resident's right to a private right of action as a condition of the offer of credit monitoring services.

See Mass. Gen. Laws ch. 93H, § 3A(b).

Primary law

F.7 Mass. Gen. Laws ch. 93H, § 4

Breach notice may be delayed only when a law enforcement agency determines notice would impede a criminal investigation and notifies the Attorney General in writing.

notice may be delayed if a law enforcement agency determines that provision of such notice may impede a criminal investigation and has notified the attorney general, in writing, thereof and informs the person or agency of such determination.

See Mass. Gen. Laws ch. 93H, § 4.

Primary law

F.8 Mass. Gen. Laws ch. 93H, § 5

A business following federal breach-response procedures is deemed compliant with c. 93H only if it notifies affected residents under those procedures and still notifies the Massachusetts Attorney General and the Director of Consumer Affairs and Business Regulation without unreasonable delay.

a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach

See Mass. Gen. Laws ch. 93H, § 5.

Can a consumer sue your business in Massachusetts over privacy?

Not under the breach statute itself — c. 93H's enforcement section gives the Attorney General an action under c. 93A, § 4 and creates no private right. But Massachusetts consumers have a powerful general-purpose vehicle: c. 93A, § 9 lets a person injured by an unfair or deceptive practice sue after first mailing a written demand for relief at least thirty days before filing, and recover actual damages or $25, whichever is greater — doubled or trebled if the violation was willful or knowing or the response to the demand was made in bad faith — plus attorney's fees. Businesses suing other businesses use § 11, which requires that the conduct have occurred primarily and substantially within the commonwealth.

Data-breach and tracking suits in Massachusetts therefore typically ride c. 93A — deceptive privacy-policy statements or unfair data-security failures — where the plaintiff must still show injury and causation, and the 30-day demand letter is a precondition for most consumer suits. Alongside it sits the privacy statute, c. 214, § 1B, which gives a person a right against unreasonable, substantial or serious interference with privacy, enforceable in equity with damages.

The statute with the harshest remedy is the wiretap act, c. 272, § 99 — but after 2024 its online reach is narrower than the plaintiffs' bar once hoped. The act prohibits secretly hearing or recording the contents of any wire or oral communication unless all parties have authorized it, and it gives any aggrieved person a civil action with liquidated damages of $100 per day of violation or $1,000, whichever is higher, plus punitive damages and fees. In October 2024, the Supreme Judicial Court held in Vita v. New England Baptist Hospital that ordinary website browsing activity — URLs visited, clicks, scrolling shared with third-party analytics and advertising tools — is not the kind of person-to-person conversation or messaging the act unambiguously protects, resolving the ambiguity against coverage under the rule of lenity. Vita did not, however, bless capturing the contents of person-to-person communications: chat widgets, messaging features, and similar exchanges remain the live § 99 exposure, with that $100-per-day-or-$1,000 floor attached.

If the House MCDPA text prevails in conference, the largest companies would face one more private door: a chapter 93M violation would be an unfair or deceptive practice under c. 93A, and the Attorney General's exclusive-enforcement clause would except large data holders — so consumers could bring ordinary c. 93A actions, demand letter and all, against businesses at that scale. The Senate text would keep enforcement exclusively with the Attorney General. Neither version is law.

Practice caution

Treat chat widgets, support messaging, and any tool that records the contents of customer conversations as the highest-risk tracking surface in Massachusetts. Browsing-activity analytics fell out of the wiretap act in 2024, but the statute still prohibits secretly recording the contents of wire or oral communications without all-party authority, and its civil remedy carries a $1,000 minimum per aggrieved person plus punitive damages and fees. Obtain clear consent before any communication-content capture runs, and expect c. 93A § 9 demand letters as the routine opening move in tracking disputes.

Sources for this answer

Primary law

G.1 Mass. Gen. Laws ch. 93H, § 6

Chapter 93H's enforcement section authorizes the Attorney General to bring an action under c. 93A, § 4 to remedy violations; it creates no private right of action.

The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.

See Mass. Gen. Laws ch. 93H, § 6.

Primary law

G.2 Mass. Gen. Laws ch. 93A, § 9

A consumer suing under c. 93A, § 9 must first mail or deliver a written demand for relief, identifying the claimant and describing the practice and injury, at least thirty days before filing.

At least thirty days prior to the filing of any such action, a written demand for relief, identifying the claimant and reasonably describing the unfair or deceptive act or practice relied upon and the injury suffered, shall be mailed or delivered to any prospective respondent.

See Mass. Gen. Laws ch. 93A, § 9(3).

Primary law

G.3 Mass. Gen. Laws ch. 93A, § 9

A prevailing § 9 plaintiff recovers actual damages or $25, whichever is greater, doubled or trebled for willful or knowing violations or a bad-faith refusal to grant relief on demand.

recovery shall be in the amount of actual damages or twenty-five dollars, whichever is greater; or up to three but not less than two times such amount if the court finds that the use or employment of the act or practice was a willful or knowing violation of said section two or that the refusal to grant relief upon demand was made in bad faith with knowledge or reason to know that the act or practice complained of violated said section two

See Mass. Gen. Laws ch. 93A, § 9(3).

Primary law

G.4 Mass. Gen. Laws ch. 93A, § 11

Business-to-business c. 93A claims under § 11 require that the unfair or deceptive conduct occurred primarily and substantially within Massachusetts.

No action shall be brought or maintained under this section unless the actions and transactions constituting the alleged unfair method of competition or the unfair or deceptive act or practice occurred primarily and substantially within the commonwealth.

See Mass. Gen. Laws ch. 93A, § 11.

Primary law

G.5 Mass. Gen. Laws ch. 214, § 1B

Massachusetts gives every person a statutory right against unreasonable, substantial or serious interference with privacy, enforceable in equity with damages.

A person shall have a right against unreasonable, substantial or serious interference with his privacy. The superior court shall have jurisdiction in equity to enforce such right and in connection therewith to award damages.

See Mass. Gen. Laws ch. 214, § 1B.

Primary law

G.6 Mass. Gen. Laws ch. 272, § 99

The wiretap act defines interception as secretly hearing or recording the contents of any wire or oral communication without prior authority from all parties — Massachusetts's all-party-consent rule.

The term ''interception'' means to secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device by any person other than a person given prior authority by all parties to such communication

See Mass. Gen. Laws ch. 272, § 99(B)(4).

Primary law

G.7 Mass. Gen. Laws ch. 272, § 99

An aggrieved person whose communications are unlawfully intercepted has a civil action for actual damages with a liquidated floor of $100 per day of violation or $1,000, whichever is higher, plus punitive damages and attorney's fees.

Any aggrieved person whose oral or wire communications were intercepted, disclosed or used except as permitted or authorized by this section or whose personal or property interests or privacy were violated by means of an interception except as permitted or authorized by this section shall have a civil cause of action against any person who so intercepts, discloses or uses such communications or who so violates his personal, property or privacy interest, and shall be entitled to recover from any such person— 1. actual damages but not less than liquidated damages computed at the rate of $100 per day for each day of violation or $1000, whichever is higher; 2. punitive damages; and 3. a reasonable attorney's fee and other litigation disbursements reasonably incurred.

See Mass. Gen. Laws ch. 272, § 99(Q).

Primary law · 2026-06-04

G.8 H.5479 — House-passed text of S.2619 as amended (in conference)

Under the House MCDPA text, a violation would be an unfair or deceptive trade practice under chapter 93A, and the Attorney General's exclusive-enforcement authority would except large data holders — opening a private c. 93A path against them if enacted.

A violation of this chapter shall constitute an unfair or deceptive trade practice for purposes of chapter 93A. (2) Notwithstanding sections 9 and 11 of chapter 93A, the attorney general shall have exclusive authority to bring a civil action against any controller or processor other than a large data holder that violates this chapter

See H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 14(a) (not enacted; in conference).

How is privacy law enforced in Massachusetts?

By the Attorney General, through c. 93A. The breach statute routes enforcement there expressly: under c. 93H, § 6, the Attorney General may bring an action pursuant to section 4 of chapter 93A, or otherwise, to remedy violations — a remedies pathway, not a declaration that every c. 93H violation is automatically an unfair or deceptive practice. Through § 4, a court may issue restraining orders and injunctions and order restoration of money or property to those who suffered ascertainable loss, and it may impose a civil penalty of up to $5,000 per violation, plus investigation and litigation costs, where the business knew or should have known the conduct violated § 2. Improper data disposal carries its own fines under c. 93I — up to $100 per data subject, capped at $50,000 per instance — recoverable by the Attorney General.

In practice the Attorney General's office actively enforces this stack — c. 93H notification duties, 201 CMR 17.00 program duties, and c. 93A unfairness theories — in data-security matters, so the framework above is a live enforcement risk rather than a paper one.

One nuance worth getting right: because § 6 routes the Attorney General to c. 93A § 4 remedies rather than declaring a c. 93H violation a per se unfair or deceptive act, whether a consumer can build a private § 9 claim on a bare breach-notification violation is not settled by the statutory text — injury and causation do the work in private breach suits. Both pending MCDPA versions, by contrast, contain an express bridge: a violation of the new chapter would constitute an unfair or deceptive trade practice for purposes of chapter 93A, with the Attorney General's authority exclusive across the board in the Senate text — which would also authorize civil penalties of up to $5,000 per violation — and exclusive except as to large data holders in the House text. The Senate text would also require a pre-suit notice of violation with a 60-day cure window before the Attorney General files, unless cure is impossible or immediate enforcement is required; the House text has no cure provision — another item on the conference table.

Sources for this answer

Primary law

H.1 Mass. Gen. Laws ch. 93H, § 6

Chapter 93H's enforcement section sends the Attorney General to c. 93A, § 4 for remedies against violators — a routing provision, not an express per se unfair-practice declaration.

The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate.

See Mass. Gen. Laws ch. 93H, § 6.

Primary law

H.2 Mass. Gen. Laws ch. 93A, § 4

In an Attorney General action under c. 93A, § 4, the court may issue restraining orders and injunctions and order restoration of money or property acquired through the unlawful practice.

Said court may issue temporary restraining orders or preliminary or permanent injunctions and make such other orders or judgments as may be necessary to restore to any person who has suffered any ascertainable loss by reason of the use or employment of such unlawful method, act or practice any moneys or property, real or personal, which may have been acquired by means of such method, act, or practice.

See Mass. Gen. Laws ch. 93A, § 4.

Primary law

H.3 Mass. Gen. Laws ch. 93A, § 4

Where a person knew or should have known the practice violated c. 93A, § 2, the court may impose a civil penalty of up to $5,000 per violation plus the reasonable costs of investigation and litigation, including attorney's fees.

If the court finds that a person has employed any method, act or practice which he knew or should have known to be in violation of said section two, the court may require such person to pay to the commonwealth a civil penalty of not more than five thousand dollars for each such violation and also may require the said person to pay the reasonable costs of investigation and litigation of such violation, including reasonable attorneys' fees.

See Mass. Gen. Laws ch. 93A, § 4.

Primary law

H.4 Mass. Gen. Laws ch. 93I, § 2

Improper disposal of records containing personal information is punishable by a civil fine of up to $100 per data subject, capped at $50,000 per instance, recoverable by the Attorney General.

Any agency or person who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal. The attorney general may file a civil action in the superior or district court in the name of the commonwealth to recover such penalties.

See Mass. Gen. Laws ch. 93I, § 2.

Primary law · 2025-09-25

H.5 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

The Senate version would make a violation an unfair or deceptive trade practice under chapter 93A and give the Attorney General exclusive authority to bring civil actions — no private right of action.

A violation of this chapter shall constitute an unfair or deceptive trade practice for purposes of chapter 93A. Notwithstanding sections 9 and 11 of said chapter 93A, the attorney general shall have exclusive authority to bring a civil action against a controller or processor that violates this chapter

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 10(b) (not enacted; in conference).

Primary law · 2025-09-25

H.6 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

The Senate version would authorize the Attorney General to seek civil penalties of up to $5,000 per violation in its enforcement actions.

impose civil penalties in an amount not more than $5,000 per violation

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 10(b)(iv) (not enacted; in conference).

Primary law · 2025-09-25

H.8 S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)

The Senate version would require the Attorney General to issue a pre-suit notice of violation and allow a 60-day cure period before filing, unless cure is impossible or immediate enforcement is required.

Prior to initiating any action for a violation of any provision of this chapter, the attorney general shall issue a notice of violation to the controller unless the attorney general determines that a cure is not possible or an alleged violation requires immediate enforcement. If the controller fails to cure such violation not more than 60 days after receipt of the notice of violation, the attorney general may bring an action pursuant to this section.

See S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 10(d) (not enacted; in conference).

Primary law · 2026-06-04

H.7 H.5479 — House-passed text of S.2619 as amended (in conference)

The House version would give the Attorney General exclusive authority to sue any controller or processor other than a large data holder — the carve-out that creates its limited private right of action.

Notwithstanding sections 9 and 11 of chapter 93A, the attorney general shall have exclusive authority to bring a civil action against any controller or processor other than a large data holder that violates this chapter

See H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 14(a) (not enacted; in conference).
