# Massachusetts Consumer Privacy Law[^about]

Massachusetts has no comprehensive consumer-privacy act in force. Breach notification (c. 93H), the 201 CMR 17.00 written-information-security-program rule, data destruction (c. 93I), and c. 93A govern today, while the Massachusetts Consumer Data Privacy Act sits in conference committee.

## Which privacy laws apply to your business in Massachusetts? {#which-privacy-laws-apply}

**Short answer.** There is no comprehensive Massachusetts consumer-privacy law in force. What governs today is a prescriptive sectoral stack: c. 93H requires notice of a *breach of security* — the unauthorized acquisition or use of unencrypted personal information that creates a substantial risk of identity theft or fraud against a resident [^q1-93h-breach-def]; 201 CMR 17.00, the regulation issued under c. 93H, applies to all persons that own or license personal information about a Massachusetts resident and requires a written information security program [^q1-cmr17-scope]; c. 93I sets minimum standards for destroying records that contain personal information [^q1-93i-disposal]; and c. 93A declares unfair or deceptive acts or practices in trade or commerce unlawful, supplying the enforcement backbone for all of it [^q1-93a-udap].

Massachusetts residents currently have no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of its sale, and businesses face no state notice-at-collection, consent, or data-protection-assessment duties. That may change soon: the Massachusetts Consumer Data Privacy Act has passed both chambers in differing versions and, as of June 12, 2026, is before a conference committee — the next question covers exactly where it stands and what each version would require. Until a merged bill is enacted, none of its duties is law.

Two more Massachusetts statutes belong on the map. The wiretap act, c. 272, § 99 — an all-party-consent statute with a severe civil remedy — matters for chat widgets and other person-to-person communication capture, though the Supreme Judicial Court took ordinary browsing-activity tracking outside it in 2024; and c. 214, § 1B gives residents a general right against unreasonable, substantial or serious interference with privacy. Both are developed in the consumer-lawsuit question below.

The rest of a Massachusetts-facing program rides the federal overlay. Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide [^q1-fed-ftc5]; the Gramm-Leach-Bliley Act bars a financial institution from disclosing nonpublic personal information to nonaffiliated third parties without the required consumer notice [^q1-fed-glba]; HIPAA gives individuals a right to notice of how a covered entity uses and discloses their protected health information [^q1-fed-hipaa]; and COPPA makes it unlawful for child-directed online services — or any operator with actual knowledge it is collecting a child's data — to collect children's personal information in violation of the FTC's rules [^q1-fed-coppa]. None of those is a Massachusetts statute, but together with the c. 93H stack they shape what a compliant program looks like today — and a program built to this stack upgrades rather than restarts if the pending comprehensive act becomes law.

## Is Massachusetts about to adopt a comprehensive consumer privacy law? {#pending-data-privacy-act}

**Short answer.** Quite possibly, but it is not law yet. As of June 12, 2026, the Massachusetts Consumer Data Privacy Act is in conference-committee reconciliation: the Senate passed its version, S.2619, 40 to 0 on September 25, 2025; the House passed S.2619 as amended — substituting its own text, published as H.5479 — 146 to 0 on June 4, 2026; and on June 11, 2026 the Senate non-concurred in the House amendment, so a conference committee is forming (the Senate has named conferees; the House had not yet appointed its conferees as of this review). Both versions would insert a new chapter 93M giving consumers rights to access, correct, delete, and port their personal data and to opt out of targeted advertising, the sale of personal data, and profiling that feeds significant automated decisions [^q2-s2619-rights] [^q2-h5479-rights]. None of those duties applies today, and no effective date exists until a merged bill passes both chambers and is signed.

The two versions agree on the architecture — controller and processor duties, sensitive-data protections, data-protection assessments, recognition of an opt-out preference signal, and Attorney General enforcement through c. 93A — but they differ in both directions, and the differences are the conference agenda. Neither chamber's text is uniformly stricter.

**Where the Senate text is stricter.** The Senate version flatly bans the sale of sensitive data — its exemption section provides that a controller or processor who would otherwise be covered shall not sell sensitive data, so the ban follows entities even into the exemptions [^q2-s2619-sensitive-sale-ban]. Its data-minimization rule ties collection to what is reasonably necessary to provide or maintain a specific product or service the consumer requested [^q2-s2619-minimization], where the House rule ties collection to disclosed purposes consistent with the consumer's reasonable expectations [^q2-h5479-minimization]. And its minors rule bars targeted advertising to, and sales of the data of, a consumer the controller knows or should have known is a minor — a constructive-knowledge standard [^q2-s2619-minors] — where the House requires actual knowledge or willful disregard [^q2-h5479-minors].

**Where the House text goes further.** The House version adds a consent-proof ban on selling precise geolocation data collected or processed in the commonwealth, regardless of the individual's residency — consent cannot cure it [^q2-h5479-geolocation] — while allowing other sensitive data to be sold with the consumer's affirmative consent [^q2-h5479-sensitive-consent]. Its applicability section is also broader: alongside a 100,000-consumer trigger and a revenue-from-sales trigger, it reaches any covered business that collected or processed sensitive data at all, with no consumer-count floor [^q2-h5479-thresholds] — compared with the Senate's thresholds of 60,000 consumers, or 20,000 consumers plus a sales-revenue share, or any handling of reproductive or sexual health data [^q2-s2619-thresholds]. And the House version opens a private right of action against the largest companies: a violation would constitute an unfair or deceptive trade practice under c. 93A, and the Attorney General's otherwise-exclusive enforcement authority carves out *large data holders* [^q2-h5479-pra] — controllers or processors handling the personal data of more than 2,000,000 consumers or the sensitive data of more than 200,000 consumers [^q2-h5479-large-data-holder]. The Senate version has no private action at all: the Attorney General would have exclusive authority across the board [^q2-s2619-enforcement].

> [!NOTE]
> **Practice note.**
>
> Do not build to either version yet, and do not rely on any circulating effective date — each engrossed text carries its own date, and the conference committee will pick the final one along with the final sensitive-data-sale rule, applicability thresholds, and private-right-of-action scope. What is safe to do now is gap-assess against the duties both versions share — data inventories, a rights-request intake channel, opt-out plumbing for targeted advertising and sales (including an opt-out preference signal), processor contracts, and data-protection assessments — because that common core appears in both engrossed texts [^q2-s2619-rights] [^q2-h5479-rights].

## Does your business need a written information security program (WISP) in Massachusetts? {#written-security-program}

**Short answer.** Yes, if you own or license personal information about even one Massachusetts resident. Under 201 CMR 17.00 — the regulation the Office of Consumer Affairs and Business Regulation adopted under c. 93H, § 2 [^q3-93h-2-hook] — every such person must develop, implement, and maintain a comprehensive information security program, written in one or more readily accessible parts, with administrative, technical, and physical safeguards [^q3-cmr17-wisp-duty]. Businesses that store or transmit the data electronically must also build a computer-system security layer that, to the extent technically feasible, covers authentication, access controls, monitoring, firewalls, patching, malware protection, and training [^q3-cmr17-computer-security] — including encryption of personal information in transit over public networks or wireless connections [^q3-cmr17-encryption-transit] and on laptops and portable devices [^q3-cmr17-encryption-portable].

Full compliance with 201 CMR 17.00 has been required since March 1, 2010 [^q3-cmr17-deadline], and the regulation remains the center of a Massachusetts compliance program. The mandatory program elements go well beyond a policy document: designating one or more employees to run the program, a documented risk assessment that identifies and evaluates reasonably foreseeable internal and external risks across electronic and paper records [^q3-cmr17-risk-assessment], employee training and discipline, cutting off terminated employees' access, service-provider oversight (covered in the vendor question below), physical access restrictions, regular monitoring, and a review of the program at least annually or whenever a material business change implicates the security of records [^q3-cmr17-annual-review]. The required safeguards scale with the size, scope, and type of business, available resources, and the amount of stored data — the rule is risk-calibrated, not one-size-fits-all [^q3-cmr17-wisp-duty].

The program's end-of-life duty comes from a separate statute: when records containing personal information are disposed of, c. 93I requires that paper be redacted, burned, pulverized, or shredded and that electronic media be destroyed or erased so the data cannot practicably be read or reconstructed, on pain of civil fines of up to $100 per data subject, capped at $50,000 per instance of improper disposal [^q3-93i-fine].

> [!NOTE]
> **Practice note.**
>
> Keep the WISP current and provable, not just written. The breach-notification statute requires the regulator-facing breach notice to disclose whether the business maintains a written information security program [^q3-93h-3b-wisp-item] — so a missing or stale WISP surfaces automatically in the worst possible moment. Re-run the risk assessment and document the annual review [^q3-cmr17-annual-review].

## What must your Massachusetts privacy policy contain? {#privacy-policy-contents}

**Short answer.** No Massachusetts statute requires a general-audience commercial website to post a privacy policy or fixes its contents today. The enforceable rule is that whatever you publish must be true: a policy that misstates how you collect, use, share, or secure data is a deceptive practice under c. 93A, § 2 — which is construed in line with FTC interpretations [^q4-93a-deception] — and under Section 5 of the FTC Act [^q4-fed-ftc5]. Where a sectoral regime applies, that regime supplies the contents: a HIPAA covered entity, for example, must give individuals notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^q4-fed-hipaa-notice].

This is the prong the pending Massachusetts Consumer Data Privacy Act would change most visibly. Both engrossed versions would mandate a consumer-facing privacy notice with prescribed contents. The Senate text requires a reasonably accessible, understandable, clear, meaningful and not misleading notice enumerating, among other items, the categories of personal data collected (with a separate list of sensitive-data categories), the purposes of processing, how consumers exercise and appeal rights, the categories of third parties receiving data, a privacy contact channel, a description of any targeted advertising, sales, or significant profiling with the opt-out procedure, and the notice's effective date [^q4-s2619-notice]. The House text requires a reasonably accessible, clear and not misleading notice with a similar enumeration that adds retention periods for each category of personal data, or the criteria used to determine them [^q4-h5479-notice]. Neither requirement is law while the bill sits in conference, so do not treat any circulating notice checklist as binding yet.

A practical drafting approach for today: build the policy from the federal and sectoral overlay where it applies (GLBA privacy notices, the HIPAA notice of privacy practices, a COPPA notice for child-directed services), describe actual practices accurately — categories collected, purposes, sharing, retention, choices — and then honor every statement, because consistency between the statement and the conduct is the obligation Massachusetts and federal regulators can already enforce [^q4-93a-deception]. A policy drafted to the common core shared by both versions of the pending act will also need little surgery if the conference report becomes law.

## What must your contracts with vendors say in Massachusetts? {#vendor-contracts}

**Short answer.** Massachusetts already imposes a real vendor-contract duty — through the security regulation, not an omnibus privacy act. Under 201 CMR 17.03(2)(f), every business covered by the WISP rule must oversee its service providers by taking reasonable steps to select and retain providers capable of maintaining appropriate security measures [^q5-cmr17-vendor-select], and by requiring those providers by contract to implement and maintain such measures for personal information [^q5-cmr17-vendor]. A *service provider* is any person permitted access to personal information through services provided directly to a covered business [^q5-cmr17-sp-def].

That security flow-down is narrower than the data-processing agreements required by states with comprehensive privacy statutes — Massachusetts law today does not prescribe processing-instruction clauses, audit rights, deletion-or-return duties, or subprocessor controls. Sectoral regimes fill part of that gap: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract [^q5-fed-glba], and HIPAA requires a business-associate agreement before protected health information is shared [^q5-fed-hipaa-baa].

The pending act would close the rest of the gap. Both engrossed MCDPA versions would require a written, binding controller-processor contract governing processing on the controller's behalf — the Senate text, for example, requires the contract to set out processing instructions, confidentiality protections, the nature, purpose, and duration of processing, and both parties' rights and obligations, with downstream duties for subcontractors, deletion or return of data, and compliance demonstrations [^q5-s2619-processor]. A prudent move now is to draft vendor terms to that fuller template — the 201 CMR 17.00 security clause is already mandatory, and the rest becomes mandatory if the conference report is enacted [^q5-cmr17-vendor].

## When must you notify people of a data breach in Massachusetts? {#breach-notification}

**Short answer.** As soon as practicable and without unreasonable delay — there is no fixed day-count. A business that owns or licenses data including a resident's personal information must notify the Attorney General, the Director of Consumer Affairs and Business Regulation, and the affected resident when it knows or has reason to know of a breach of security, or that personal information was acquired or used by an unauthorized person or for an unauthorized purpose [^q6-93h-notice-duty]. Notice cannot wait for a complete headcount: it may not be delayed on the ground that the total number of affected residents is not yet ascertained [^q6-93h-rolling]. *Personal information* means a resident's name combined with a Social Security number, driver's license or state ID number, or a financial-account or payment-card number that would permit account access [^q6-93h-pi-def].

Massachusetts inverts the consumer-notice rule most states follow. The notice to the resident must cover the right to obtain a police report, how to request a security freeze at no charge, and the mitigation services offered — but it must *not* describe the nature of the breach or the number of residents affected; those details go to the regulators instead [^q6-93h-consumer-contents]. The regulator-facing notice has its own content list, including whether the business maintains a written information security program (see the WISP question above).

Two further duties round out the response plan. If the breach involves Social Security numbers, the business must contract with a third party to offer affected residents free credit monitoring for at least 18 months — at least 42 months if the breached business is a consumer reporting agency [^q6-93h-credit-monitoring] — and it may not condition that offer on the resident waiving the right to sue [^q6-93h-no-waiver]. Notice may be delayed only when law enforcement determines, in writing to the Attorney General, that it would impede a criminal investigation [^q6-93h-le-delay]. A business that follows breach-response procedures under federal law is deemed compliant — but only if it still notifies the Massachusetts Attorney General and the Director of Consumer Affairs and Business Regulation without unreasonable delay [^q6-93h-federal-procedures].

## Can a consumer sue your business in Massachusetts over privacy? {#consumer-lawsuit}

**Short answer.** Not under the breach statute itself — c. 93H's enforcement section gives the Attorney General an action under c. 93A, § 4 and creates no private right [^q7-93h-enforcement]. But Massachusetts consumers have a powerful general-purpose vehicle: c. 93A, § 9 lets a person injured by an unfair or deceptive practice sue after first mailing a written demand for relief at least thirty days before filing [^q7-93a9-demand], and recover actual damages or $25, whichever is greater — doubled or trebled if the violation was willful or knowing or the response to the demand was made in bad faith — plus attorney's fees [^q7-93a9-damages]. Businesses suing other businesses use § 11, which requires that the conduct have occurred primarily and substantially within the commonwealth [^q7-93a11-instate].

Data-breach and tracking suits in Massachusetts therefore typically ride c. 93A — deceptive privacy-policy statements or unfair data-security failures — where the plaintiff must still show injury and causation, and the 30-day demand letter is a precondition for most consumer suits [^q7-93a9-demand]. Alongside it sits the privacy statute, c. 214, § 1B, which gives a person a right against unreasonable, substantial or serious interference with privacy, enforceable in equity with damages [^q7-214-1b].

The statute with the harshest remedy is the wiretap act, c. 272, § 99 — but after 2024 its online reach is narrower than the plaintiffs' bar once hoped. The act prohibits secretly hearing or recording the contents of any wire or oral communication unless all parties have authorized it [^q7-9999-interception], and it gives any aggrieved person a civil action with liquidated damages of $100 per day of violation or $1,000, whichever is higher, plus punitive damages and fees [^q7-9999-remedy]. In October 2024, the Supreme Judicial Court held in *Vita v. New England Baptist Hospital* that ordinary website browsing activity — URLs visited, clicks, scrolling shared with third-party analytics and advertising tools — is not the kind of person-to-person conversation or messaging the act unambiguously protects, resolving the ambiguity against coverage under the rule of lenity. *Vita* did not, however, bless capturing the contents of person-to-person communications: chat widgets, messaging features, and similar exchanges remain the live § 99 exposure, with that $100-per-day-or-$1,000 floor attached [^q7-9999-remedy].

If the House MCDPA text prevails in conference, the largest companies would face one more private door: a chapter 93M violation would be an unfair or deceptive practice under c. 93A, and the Attorney General's exclusive-enforcement clause would except *large data holders* — so consumers could bring ordinary c. 93A actions, demand letter and all, against businesses at that scale [^q7-h5479-pra]. The Senate text would keep enforcement exclusively with the Attorney General. Neither version is law.

> [!NOTE]
> **Practice note.**
>
> Treat chat widgets, support messaging, and any tool that records the contents of customer conversations as the highest-risk tracking surface in Massachusetts. Browsing-activity analytics fell out of the wiretap act in 2024, but the statute still prohibits secretly recording the contents of wire or oral communications without all-party authority [^q7-9999-interception], and its civil remedy carries a $1,000 minimum per aggrieved person plus punitive damages and fees [^q7-9999-remedy]. Obtain clear consent before any communication-content capture runs, and expect c. 93A § 9 demand letters as the routine opening move in tracking disputes [^q7-93a9-demand].

## How is privacy law enforced in Massachusetts? {#ag-enforcement}

**Short answer.** By the Attorney General, through c. 93A. The breach statute routes enforcement there expressly: under c. 93H, § 6, the Attorney General may bring an action pursuant to section 4 of chapter 93A, or otherwise, to remedy violations [^q8-93h-route] — a remedies pathway, not a declaration that every c. 93H violation is automatically an unfair or deceptive practice. Through § 4, a court may issue restraining orders and injunctions and order restoration of money or property to those who suffered ascertainable loss [^q8-93a4-injunction], and it may impose a civil penalty of up to $5,000 per violation, plus investigation and litigation costs, where the business knew or should have known the conduct violated § 2 [^q8-93a4-penalty]. Improper data disposal carries its own fines under c. 93I — up to $100 per data subject, capped at $50,000 per instance — recoverable by the Attorney General [^q8-93i-fine].

In practice the Attorney General's office actively enforces this stack — c. 93H notification duties, 201 CMR 17.00 program duties, and c. 93A unfairness theories — in data-security matters, so the framework above is a live enforcement risk rather than a paper one.

One nuance worth getting right: because § 6 routes the Attorney General to c. 93A § 4 *remedies* rather than declaring a c. 93H violation a per se unfair or deceptive act, whether a consumer can build a private § 9 claim on a bare breach-notification violation is not settled by the statutory text — injury and causation do the work in private breach suits [^q8-93h-route]. Both pending MCDPA versions, by contrast, contain an express bridge: a violation of the new chapter would constitute an unfair or deceptive trade practice for purposes of chapter 93A, with the Attorney General's authority exclusive across the board in the Senate text [^q8-s2619-enforcement] — which would also authorize civil penalties of up to $5,000 per violation [^q8-s2619-penalty] — and exclusive except as to large data holders in the House text [^q8-h5479-enforcement]. The Senate text would also require a pre-suit notice of violation with a 60-day cure window before the Attorney General files, unless cure is impossible or immediate enforcement is required [^q8-s2619-cure]; the House text has no cure provision — another item on the conference table.

[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-12. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Massachusetts. This article synthesizes Massachusetts primary law and is not legal advice from a Massachusetts-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^q1-93h-breach-def]: **Mass. Gen. Laws ch. 93H, § 1** — "''Breach of security'', the unauthorized acquisition or unauthorized use of unencrypted data or, encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information, maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth." *Mass. Gen. Laws ch. 93H, § 1(a).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section1>

[^q1-cmr17-scope]: **201 CMR 17.01(2)** — "201 CMR 17.00 applies to all persons that own or license personal information about a resident of the Commonwealth." *201 CMR 17.01(2).* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q1-93i-disposal]: **Mass. Gen. Laws ch. 93I, § 2** — "When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information: (a) paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed; (b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed." *Mass. Gen. Laws ch. 93I, § 2.* <https://malegislature.gov/Laws/GeneralLaws/Chapter93I/Section2>

[^q1-93a-udap]: **Mass. Gen. Laws ch. 93A, § 2** — "Unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared unlawful." *Mass. Gen. Laws ch. 93A, § 2(a).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93A/Section2>

[^q1-fed-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q1-fed-glba]: **GLBA — Disclosure of nonpublic personal information** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>

[^q1-fed-hipaa]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>

[^q1-fed-coppa]: **COPPA — Collection of children's personal information** — "It is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under subsection (b)." *15 U.S.C. § 6502(a)(1).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=It%20is%20unlawful%20for%20an,regulations%20prescribed%20under%20subsection%20(b).>

[^q2-s2619-rights]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "opt out of the collection and processing of the consumer’s personal data for purposes of: (A) targeted advertising; (B) the sale of personal data; or (C) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer." *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 4(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>

[^q2-h5479-rights]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "opt out of the collection and processing of the consumer’s personal data for purposes of: (i) targeted advertising; (ii) the sale of personal data; or (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer." *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 4(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q2-s2619-sensitive-sale-ban]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "Notwithstanding this subsection, a controller or processor who would otherwise be subject to this chapter under section 2 shall not sell sensitive data." *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 3(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>

[^q2-s2619-minimization]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "limit the collection of personal data to what is reasonably necessary to provide or maintain a specific product or service requested by the consumer to whom the data pertains" *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 5(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>

[^q2-h5479-minimization]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "limit the collection of personal data to what is reasonably necessary and proportionate in relation to the purposes for which the personal data is collected or processed, as disclosed to the consumer; provided, that such purposes shall be consistent with the reasonable expectations of the consumer" *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 6 (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q2-s2619-minors]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "not collect or process the personal data of a consumer for purposes of targeted advertising or sell the consumer’s personal data under circumstances where a controller knows or should have known that the consumer is a minor" *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 5(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>

[^q2-h5479-minors]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "collect or process the personal data of a consumer for purposes of targeted advertising or sell the consumer’s personal data under circumstances where a controller has actual knowledge or willfully disregards that the consumer is a minor" *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 7(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q2-h5479-geolocation]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "sell: (A) precise geolocation data of any individual or consumer collected or processed within the commonwealth, regardless of the residency of the individual or consumer; provided, that precise geolocation data shall not be sold even with the affirmative consent of an individual or consumer" *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 7(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q2-h5479-sensitive-consent]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "sensitive data other than precise geolocation data without obtaining the consumer’s affirmative consent" *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 7(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q2-h5479-thresholds]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "This chapter shall apply to persons that conduct business in the commonwealth and produce products or provide services that are targeted to residents of the commonwealth and that, during the preceding calendar year: (i) collected or processed the personal data of not less than 100,000 consumers; provided, however, that said personal data shall not include personal data controlled or processed solely for the purpose of completing a payment transaction; (ii) derived gross revenue of not less than $100,000 from the sale of personal data; or (iii) collected or processed sensitive data; provided, however, that sensitive data shall not include personal data controlled or processed solely for the purpose of completing a payment transaction." *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 2 (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q2-s2619-thresholds]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "This chapter shall apply to persons that during the preceding calendar year: (i) collected or processed the personal data of not less than 60,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; (ii) collected or processed the personal data of not less than 20,000 consumers and derived not less than 20 per cent of its gross revenue from the sale of personal data; or (iii) collected, processed or transferred reproductive or sexual health data of consumers." *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 2 (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>

[^q2-h5479-pra]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "A violation of this chapter shall constitute an unfair or deceptive trade practice for purposes of chapter 93A. (2) Notwithstanding sections 9 and 11 of chapter 93A, the attorney general shall have exclusive authority to bring a civil action against any controller or processor other than a large data holder that violates this chapter" *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 14(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q2-h5479-large-data-holder]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "‘Large data holder’, a controller or processor that in the most recent calendar year collected, processed or sold the: (i) personal data of more than 2,000,000 consumers; provided, however, that said personal data shall not include personal data collected and processed solely for the purpose of initiating, rendering, billing for, finalizing, completing or otherwise collecting payment for a requested product or service; or (ii) sensitive data of more than 200,000 consumers." *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 1 (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q2-s2619-enforcement]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "A violation of this chapter shall constitute an unfair or deceptive trade practice for purposes of chapter 93A. Notwithstanding sections 9 and 11 of said chapter 93A, the attorney general shall have exclusive authority to bring a civil action against a controller or processor that violates this chapter" *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 10(b) (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>

[^q3-93h-2-hook]: **Mass. Gen. Laws ch. 93H, § 2** — "The department of consumer affairs and business regulation shall adopt regulations relative to any person that owns or licenses personal information about a resident of the commonwealth. Such regulations shall be designed to safeguard the personal information of residents of the commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated." *Mass. Gen. Laws ch. 93H, § 2(a).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section2>

[^q3-cmr17-wisp-duty]: **201 CMR 17.03(1)** — "develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to: (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information." *201 CMR 17.03(1).* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q3-cmr17-computer-security]: **201 CMR 17.04** — "Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:" *201 CMR 17.04.* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q3-cmr17-encryption-transit]: **201 CMR 17.04(3)** — "Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly." *201 CMR 17.04(3).* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q3-cmr17-encryption-portable]: **201 CMR 17.04(5)** — "Encryption of all personal information stored on laptops or other portable devices" *201 CMR 17.04(5).* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q3-cmr17-deadline]: **201 CMR 17.05** — "Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010." *201 CMR 17.05(1).* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q3-cmr17-risk-assessment]: **201 CMR 17.03(2)(b)** — "Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks" *201 CMR 17.03(2)(b).* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q3-cmr17-annual-review]: **201 CMR 17.03(2)(i)** — "Reviewing the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information." *201 CMR 17.03(2)(i).* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q3-93i-fine]: **Mass. Gen. Laws ch. 93I, § 2** — "Any agency or person who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal." *Mass. Gen. Laws ch. 93I, § 2.* <https://malegislature.gov/Laws/GeneralLaws/Chapter93I/Section2>

[^q3-93h-3b-wisp-item]: **Mass. Gen. Laws ch. 93H, § 3** — "The notice to be provided to the attorney general and said director, and consumer reporting agencies or state agencies if any, shall include, but not be limited to: (i) the nature of the breach of security or unauthorized acquisition or use; (ii) the number of residents of the commonwealth affected by such incident at the time of notification; (iii) the name and address of the person or agency that experienced the breach of security; (iv) name and title of the person or agency reporting the breach of security, and their relationship to the person or agency that experienced the breach of security; (v) the type of person or agency reporting the breach of security; (vi) the person responsible for the breach of security, if known; (vii) the type of personal information compromised, including, but not limited to, social security number, driver's license number, financial account number, credit or debit card number or other data; (viii) whether the person or agency maintains a written information security program; and (ix) any steps the person or agency has taken or plans to take relating to the incident, including updating the written information security program." *Mass. Gen. Laws ch. 93H, § 3(b).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section3>

[^q4-93a-deception]: **Mass. Gen. Laws ch. 93A, § 2** — "It is the intent of the legislature that in construing paragraph (a) of this section in actions brought under sections four, nine and eleven, the courts will be guided by the interpretations given by the Federal Trade Commission and the Federal Courts to section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)), as from time to time amended." *Mass. Gen. Laws ch. 93A, § 2(b).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93A/Section2>

[^q4-fed-ftc5]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^q4-fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520.* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>

[^q4-s2619-notice]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "A controller shall provide consumers with a reasonably accessible, understandable, clear, meaningful and not misleading privacy notice that includes: (i) the categories of personal data collected and processed by the controller, including a separate list of categories of sensitive data collected and processed by the controller, described in a level of detail that provides consumers with a meaningful understanding of the type of personal data collected or processed; (ii) the purpose for collecting and processing each category of personal data the controller collects or processes described in a way that gives consumers a meaningful understanding of how each category of their personal data will be used; (iii) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (iv) the categories of personal data that the controller transfers to third parties, if any, and the purposes for those transfers; (v) the categories of third parties, if any, to which the controller transfers personal data; (vi) an active electronic mail address or other online mechanism that the consumer may use to contact the controller for privacy and data security inquiries; (vii) information identifying the controller, including any business name under which the controller registered with the secretary of the commonwealth and any assumed business name that the controller uses in the commonwealth; (viii) a clear and conspicuous description of any processing of personal data in which the controller engages for the purposes of targeted advertising, sale of personal data to third parties or profiling the consumer in furtherance of decisions that produce legal or similarly significant effects concerning the consumer and a procedure by which the consumer may opt out of this type of processing; (ix) a general description of the controller’s data security practices; and (x) the effective date of the privacy notice." *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 5(c) (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>

[^q4-h5479-notice]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "A controller shall provide consumers with a reasonably accessible, clear and not misleading privacy notice that shall include: (i) the categories of personal data collected and processed by the controller, including a separate list of categories of sensitive data collected and processed by the controller, described in a level of detail that provides consumers with an understanding of the type of personal data collected or processed; (ii) the purpose for collecting and processing each category of personal data the controller collects or processes described in a way that gives consumers an understanding of how each category of their personal data will be used; (iii) how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request; (iv) the categories of personal data that the controller sells to third parties, if any, and the purposes for those sales; (v) the categories of third parties, if any, to which the controller sells personal data; (vi) the length of time the controller intends to retain each category of personal data, or, if it is not possible to identify the length of time, the criteria used to determine the length of time the controller intends to retain categories of personal data; and (vii) an active electronic mail address or other online mechanism that the consumer may use to contact the controller." *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 8(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q5-cmr17-vendor-select]: **201 CMR 17.03(2)(f)1.** — "Taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with 201 CMR 17.00 and any applicable federal regulations" *201 CMR 17.03(2)(f)1.* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q5-cmr17-vendor]: **201 CMR 17.03(2)(f)2.** — "Requiring such third-party service providers by contract to implement and maintain such appropriate security measures for personal information" *201 CMR 17.03(2)(f)2.* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q5-cmr17-sp-def]: **201 CMR 17.02** — "Service Provider, any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to 201 CMR 17.00." *201 CMR 17.02.* <https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download>

[^q5-fed-glba]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4.* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>

[^q5-fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract" *45 C.F.R. § 164.504.* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,provided%20for%20by%20its%20contract>

[^q5-s2619-processor]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall be in writing, binding and shall include, but not be limited to, clearly set forth instructions for processing data and protecting the confidentiality of the data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties including a method by which the processor shall notify the controller of material changes to its privacy practices. The processor shall adhere to the instructions of the controller and only process and transfer the data it receives from the controller to the extent necessary to provide a service requested by the controller, as set out in the contract. The contract shall also require that the processor: (i) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (ii) at the controller’s direction, delete or return all personal data to the controller as requested, unless retention of the personal data is required by law; (iii) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter; (iv) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the contractual, statutory and regulatory obligations of the processor with respect to personal data" *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 6(b) (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>

[^q6-93h-notice-duty]: **Mass. Gen. Laws ch. 93H, § 3** — "A person or agency that owns or licenses data that includes personal information about a resident of the commonwealth, shall provide notice, as soon as practicable and without unreasonable delay, when such person or agency (1) knows or has reason to know of a breach of security or (2) when the person or agency knows or has reason to know that the personal information of such resident was acquired or used by an unauthorized person or used for an unauthorized purpose, to the attorney general, the director of consumer affairs and business regulation and to such resident, in accordance with this chapter." *Mass. Gen. Laws ch. 93H, § 3(b).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section3>

[^q6-93h-rolling]: **Mass. Gen. Laws ch. 93H, § 3** — "A notice provided pursuant to this section shall not be delayed on grounds that the total number of residents affected is not yet ascertained." *Mass. Gen. Laws ch. 93H, § 3(b).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section3>

[^q6-93h-pi-def]: **Mass. Gen. Laws ch. 93H, § 1** — "''Personal information'' a resident's first name and last name or first initial and last name in combination with any 1 or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account" *Mass. Gen. Laws ch. 93H, § 1(a).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section1>

[^q6-93h-consumer-contents]: **Mass. Gen. Laws ch. 93H, § 3** — "The notice to be provided to the resident shall include, but shall not be limited to: (i) the resident's right to obtain a police report; (ii) how a resident may request a security freeze and the necessary information to be provided when requesting the security freeze; (iii) that there shall be no charge for a security freeze; and (iv) mitigation services to be provided pursuant to this chapter; provided, however, that said notice shall not include the nature of the breach of security or unauthorized acquisition or use, or the number of residents of the commonwealth affected by said breach of security or unauthorized access or use." *Mass. Gen. Laws ch. 93H, § 3(b).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section3>

[^q6-93h-credit-monitoring]: **Mass. Gen. Laws ch. 93H, § 3A** — "the person shall contract with a third party to offer to each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to said resident for a period of not less than 18 months; provided, however, that if the person that has experienced a breach of security is a consumer reporting agency, then said consumer reporting agency shall contract with a third party to offer each resident whose social security number was disclosed in the breach of security or is reasonably believed to have been disclosed in the breach of security, credit monitoring services at no cost to such resident for a period of not less than 42 months" *Mass. Gen. Laws ch. 93H, § 3A(a).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section3A>

[^q6-93h-no-waiver]: **Mass. Gen. Laws ch. 93H, § 3A** — "A person that experienced a breach of security shall not require a resident to waive the resident's right to a private right of action as a condition of the offer of credit monitoring services." *Mass. Gen. Laws ch. 93H, § 3A(b).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section3A>

[^q6-93h-le-delay]: **Mass. Gen. Laws ch. 93H, § 4** — "notice may be delayed if a law enforcement agency determines that provision of such notice may impede a criminal investigation and has notified the attorney general, in writing, thereof and informs the person or agency of such determination." *Mass. Gen. Laws ch. 93H, § 4.* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section4>

[^q6-93h-federal-procedures]: **Mass. Gen. Laws ch. 93H, § 5** — "a person who maintains procedures for responding to a breach of security pursuant to federal laws, rules, regulations, guidance, or guidelines, is deemed to be in compliance with this chapter if the person notifies affected Massachusetts residents in accordance with the maintained or required procedures when a breach occurs; provided further that the person also notifies the attorney general and the director of the office of consumer affairs and business regulation of the breach as soon as practicable and without unreasonable delay following the breach" *Mass. Gen. Laws ch. 93H, § 5.* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section5>

[^q7-93h-enforcement]: **Mass. Gen. Laws ch. 93H, § 6** — "The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate." *Mass. Gen. Laws ch. 93H, § 6.* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section6>

[^q7-93a9-demand]: **Mass. Gen. Laws ch. 93A, § 9** — "At least thirty days prior to the filing of any such action, a written demand for relief, identifying the claimant and reasonably describing the unfair or deceptive act or practice relied upon and the injury suffered, shall be mailed or delivered to any prospective respondent." *Mass. Gen. Laws ch. 93A, § 9(3).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93A/Section9>

[^q7-93a9-damages]: **Mass. Gen. Laws ch. 93A, § 9** — "recovery shall be in the amount of actual damages or twenty-five dollars, whichever is greater; or up to three but not less than two times such amount if the court finds that the use or employment of the act or practice was a willful or knowing violation of said section two or that the refusal to grant relief upon demand was made in bad faith with knowledge or reason to know that the act or practice complained of violated said section two" *Mass. Gen. Laws ch. 93A, § 9(3).* <https://malegislature.gov/Laws/GeneralLaws/Chapter93A/Section9>

[^q7-93a11-instate]: **Mass. Gen. Laws ch. 93A, § 11** — "No action shall be brought or maintained under this section unless the actions and transactions constituting the alleged unfair method of competition or the unfair or deceptive act or practice occurred primarily and substantially within the commonwealth." *Mass. Gen. Laws ch. 93A, § 11.* <https://malegislature.gov/Laws/GeneralLaws/Chapter93A/Section11>

[^q7-214-1b]: **Mass. Gen. Laws ch. 214, § 1B** — "A person shall have a right against unreasonable, substantial or serious interference with his privacy. The superior court shall have jurisdiction in equity to enforce such right and in connection therewith to award damages." *Mass. Gen. Laws ch. 214, § 1B.* <https://malegislature.gov/Laws/GeneralLaws/Chapter214/Section1B>

[^q7-9999-interception]: **Mass. Gen. Laws ch. 272, § 99** — "The term ''interception'' means to secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device by any person other than a person given prior authority by all parties to such communication" *Mass. Gen. Laws ch. 272, § 99(B)(4).* <https://malegislature.gov/Laws/GeneralLaws/Chapter272/Section99>

[^q7-9999-remedy]: **Mass. Gen. Laws ch. 272, § 99** — "Any aggrieved person whose oral or wire communications were intercepted, disclosed or used except as permitted or authorized by this section or whose personal or property interests or privacy were violated by means of an interception except as permitted or authorized by this section shall have a civil cause of action against any person who so intercepts, discloses or uses such communications or who so violates his personal, property or privacy interest, and shall be entitled to recover from any such person— 1. actual damages but not less than liquidated damages computed at the rate of $100 per day for each day of violation or $1000, whichever is higher; 2. punitive damages; and 3. a reasonable attorney's fee and other litigation disbursements reasonably incurred." *Mass. Gen. Laws ch. 272, § 99(Q).* <https://malegislature.gov/Laws/GeneralLaws/Chapter272/Section99>

[^q7-h5479-pra]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "A violation of this chapter shall constitute an unfair or deceptive trade practice for purposes of chapter 93A. (2) Notwithstanding sections 9 and 11 of chapter 93A, the attorney general shall have exclusive authority to bring a civil action against any controller or processor other than a large data holder that violates this chapter" *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 14(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q8-93h-route]: **Mass. Gen. Laws ch. 93H, § 6** — "The attorney general may bring an action pursuant to section 4 of chapter 93A against a person or otherwise to remedy violations of this chapter and for other relief that may be appropriate." *Mass. Gen. Laws ch. 93H, § 6.* <https://malegislature.gov/Laws/GeneralLaws/Chapter93H/Section6>

[^q8-93a4-injunction]: **Mass. Gen. Laws ch. 93A, § 4** — "Said court may issue temporary restraining orders or preliminary or permanent injunctions and make such other orders or judgments as may be necessary to restore to any person who has suffered any ascertainable loss by reason of the use or employment of such unlawful method, act or practice any moneys or property, real or personal, which may have been acquired by means of such method, act, or practice." *Mass. Gen. Laws ch. 93A, § 4.* <https://malegislature.gov/Laws/GeneralLaws/Chapter93A/Section4>

[^q8-93a4-penalty]: **Mass. Gen. Laws ch. 93A, § 4** — "If the court finds that a person has employed any method, act or practice which he knew or should have known to be in violation of said section two, the court may require such person to pay to the commonwealth a civil penalty of not more than five thousand dollars for each such violation and also may require the said person to pay the reasonable costs of investigation and litigation of such violation, including reasonable attorneys' fees." *Mass. Gen. Laws ch. 93A, § 4.* <https://malegislature.gov/Laws/GeneralLaws/Chapter93A/Section4>

[^q8-93i-fine]: **Mass. Gen. Laws ch. 93I, § 2** — "Any agency or person who violates the provisions of this chapter shall be subject to a civil fine of not more than $100 per data subject affected, provided said fine shall not exceed $50,000 for each instance of improper disposal. The attorney general may file a civil action in the superior or district court in the name of the commonwealth to recover such penalties." *Mass. Gen. Laws ch. 93I, § 2.* <https://malegislature.gov/Laws/GeneralLaws/Chapter93I/Section2>

[^q8-s2619-enforcement]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "A violation of this chapter shall constitute an unfair or deceptive trade practice for purposes of chapter 93A. Notwithstanding sections 9 and 11 of said chapter 93A, the attorney general shall have exclusive authority to bring a civil action against a controller or processor that violates this chapter" *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 10(b) (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>

[^q8-s2619-penalty]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "impose civil penalties in an amount not more than $5,000 per violation" *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 10(b)(iv) (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>

[^q8-h5479-enforcement]: **H.5479 — House-passed text of S.2619 as amended (in conference)** — "Notwithstanding sections 9 and 11 of chapter 93A, the attorney general shall have exclusive authority to bring a civil action against any controller or processor other than a large data holder that violates this chapter" *H.5479, 194th Gen. Court (Mass. 2026), proposed ch. 93M, § 14(a) (not enacted; in conference).* <https://malegislature.gov/Bills/194/H5479.pdf>

[^q8-s2619-cure]: **S.2619 — Massachusetts Data Privacy Act (Senate text, in conference)** — "Prior to initiating any action for a violation of any provision of this chapter, the attorney general shall issue a notice of violation to the controller unless the attorney general determines that a cure is not possible or an alleged violation requires immediate enforcement. If the controller fails to cure such violation not more than 60 days after receipt of the notice of violation, the attorney general may bring an action pursuant to this section." *S.2619, 194th Gen. Court (Mass. 2025), proposed ch. 93M, § 10(d) (not enacted; in conference).* <https://malegislature.gov/Bills/194/S2619.pdf>
