Massachusetts is one of the many states considering enacting a state-level privacy law. On October 13, 2021, the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity, conducted a virtual public hearing during which it considered, among other things, an Act establishing the Massachusetts Information Privacy Act ("MIPA"), which was introduced as S.46 in the State Senate and as H.142 in the State House. Read on to learn more about the MIPA's scope and its impact if adopted on Massachusetts privacy litigation going forward.

Summary

  1. Similar to other state privacy laws, like the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"); the Virginia Consumer Data Protection Act ("CDPA"); and the Colorado Privacy Act ("CPA"), MIPA would also apply to data qualifying as "personal information," with exceptions.
  2. MIPA will affect certain business entities that conduct business in Massachusetts. It will also affect entities that qualify as "data processors" and certain third parties. These business entities will have, among other things, duties of care, loyalty and confidentiality.
  3. As with other privacy laws, individuals would be granted, among other things, the right of access, correction, data portability, deletion; the right to know; and the right to limit disclosures of personal information.
  4. MIPA would be enforceable by the Massachusetts Information Privacy Commission ("MIPC"), a five-person commission that will have authority to conduct audits, investigate potential/alleged MIPA violations, rulemaking authority and enforcement authority.
  5. MIPA as currently draft contains a broad private right of action with liquidated damages of not less than 0.15 percent of the annual global revenue of the covered entity or $15,000 per violation, whichever is greater.

What Data is Affected?

MIPA would apply to "personal information," which is information about an individual that is captured during a "covered interaction" and that may directly or indirectly, alone or in combination with other data points, be linked to an individual, household or device, regardless of whether a covered entity holds such additional information (e.g., name, data in a government-issued ID, vehicle license plate numbers, gender, etc.). It also applies to "sensitive data," which MIPA treats as a subset of personal information (e.g., data regarding race/ethnicity, location data, biometric information, medical and health information, financial data, information revealing political or religious opinions or beliefs, etc.).

An "individual" is a natural person who is a resident of Massachusetts, or who is located in the state. A "covered interaction" means the instance when a covered entity provides an individual or its household information regarding the covered entity's products or services and collects data about that individual (e.g., targeted advertising, offering a membership, setting up an account, etc.).

As with other data privacy laws, certain types of data are exempted from MIPA. For example, MIPA does not apply to certain data maintained according to the Health Insurance Portability and Accountability Act of 1996.

What Entities Would be Affected and What Duties Would They Have?

If passed, MIPA will apply to "covered entities," which are:

  1. Entities that conduct business in Massachusetts and that process personal information by itself or through a data processor; and
  2. Have earned/received $10 million or more in annual revenue through 300 or more transactions, or process/maintain the personal information of 10,000 unique individuals in a calendar year.

MIPA would also apply to "data processors," which are persons or entities that process personal information on behalf of a covered entity; and "third parties," which are persons or governmental entities that are not covered entities or data processors.

MIPA will impose certain obligations, such as, among other things:

  1. Duty of Care - A duty to reasonably safeguard the personal information of individuals;
  2. Duty of Loyalty - A duty not to use individuals' personal information, or any information derived from that, in a manner that is (or reasonably foreseeable to be) detrimental to the individual or that would be unexpected or highly offensive to a reasonable individual; and
  3. Duty of Confidentiality - A covered entity or data processor shall not disclose or share individuals' personal information with other parties, with exceptions.

What Rights Would Individuals Have?

Individuals would be granted rights under MIPA that are reminiscent of those available to consumers under other privacy laws, such as the:

  1. Rights of access, correction, data portability, and deletion;
  2. Right to know what data about them will be collected or processed;
  3. Right to consent to such collection and processing; and
  4. Right to limit the disclosure of personal information.

MIPA would require covered entities and data processors to provide meaningful notice regarding, among other things, what data will be collected or processed about the individual, at or before the point of sale, subscription, sign up, or account creation.

Enforcement Risk

MIPA would be enforced by a new entity, the Massachusetts Information Privacy Commission ("MIPC"), which will have authority to conduct audits, investigate potential/alleged MIPA violations, rulemaking authority and enforcement authority, including the ability to impose civil administrative penalties. The MIPC will consist of five commissioners, including: (i) one commissioner appointed by the Governor; (ii) one commissioner appointed by the Secretary of the Commonwealth (the Secretary will also designate the Chair of the MIPC); (iii) one commissioner appointed by the Attorney General; and (iv) two commissioners appointed by a majority vote of the Governor, Attorney General and the Secretary of the Commonwealth.

Litigation Risk

MIPA if enacted as currently drafted would materially reshape data privacy litigations going forward. MIPA has a private right of action, whereby "[a]ny individual alleging a violation of this chapter or a regulation promulgated under this chapter may bring a civil action in any court of competent jurisdiction." It also specifies that a plaintiff seeking relief under the civil remedy is not required to file an administrative complaint with the MIPC as a condition precedent to filing suit. MIPA contains other extremely plaintiff-friendly provisions as it also explicitly prohibits arbitration of claims and "[a] violation of this chapter or a regulation promulgated under this chapter regarding an individual's personal information constitutes a rebuttable presumption of harm to that individual."

For any litigation involving alleging violation of the MIPA in which a plaintiff prevails, a court can award:

  1. Liquidated damages of not less than 0.15% of the annual global revenue of the covered entity or $15,000 per violation, whichever is greater;
  2. Punitive damages; and
  3. Any other relief, including but not limited to an injunction that the court deems to be appropriate.

Moreover, the MIPA also provides for the award of reasonable attorney's fees and costs to any prevailing plaintiff. Suffice to say, MIPA is already sending shockwaves as the bill would have consequences if enacted that would far surpass the impact of other state privacy laws (such as the CCPA and BIPA) and make Massachusetts the go-to jurisdiction for the class action plaintiffs bar. For more on this, stay tuned. CPW will be there to keep you in the loop.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.