Have you ever been bombarded with intrusive personalized ads or had your identity stolen? Earlier this week, the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity voted 12-0 to advance the Massachusetts Information Privacy and Security Act (MIPSA), which aims to address these and other issues arising from companies compiling and selling massive amounts of sensitive information, with little oversight.
To become law, the bill now needs a vote from the full legislature and to be signed by the governor. Bipartisan support from the committee is a promising sign, said Sen. Barry Finegold, who represents Tewksbury and chairs the joint committee with Rep. Linda Dean Campbell of Methuen. The committee was established last year and identified data privacy legislation as a top priority for this session.
MIPSA marks the first time that comprehensive data privacy legislation has advanced out of committee in Massachusetts. Finegold has had a longtime interest in the topic, however. In fact, he was recently in Tewksbury speaking at a cybersecurity summit organized by Select Board member James Mackey.
“We have the opportunity to pass thoughtful, consensus legislation that provides important privacy protections for our residents,” said Finegold. “Online privacy and security issues are only going to get more important, and we need to take proactive measures to ensure new technologies are used responsibly.”
If it becomes law, MIPSA will add Massachusetts to the list of states that have affirmed foundational privacy principles for residents, including greater control over how personal information is used.
Colorado, Virginia and California have similar laws.
The bill establishes standards for how companies can collect, use, retain and sell personal information. Residents would be able to opt-out of having their information sold; the bill also requires that companies obtain opt-in consent for most sales of sensitive information, such as precise geolocation, biometric or racial data, and when selling the personal information of children under 16.
To address privacy and security issues, MIPSA would give residents:
● The right to opt out of the sale of personal information and targeted advertising.
● The right to limit how companies use and disclose sensitive information.
● The right to access, delete, correct and transport personal information that a company maintains.
MIPSA would require companies to:
● Provide clear, easy-to-understand privacy notices that specify how personal information is being collected, used and sold, and how residents can exercise their rights to opt out.
● Conduct regular risk assessments for processes involved in the sale of personal information. These assessments are meant to push companies to adopt better privacy and security controls.
● Minimize the amount of personal information that may be collected and retained.
The law would give the Attorney General’s Data Privacy and Security Division new investigatory, regulatory and enforcement authority to ensure that companies respect residents’ privacy rights and adhere to the new rules. MIPSA tailors compliance requirements to a company’s size and scope of data collection to minimize the impact on small businesses.
“In the absence of federal action, we can enact meaningful reforms in the Commonwealth and help clarify the rules of the road for businesses,” said Finegold. “MIPSA is an important step in the right direction: The bill affirms foundational privacy principles and develops an adaptable, enduring regulatory framework. I look forward to continuing to work in a collaborative manner on this pivotal legislation.”
Here is the full legislation.