The Massachusetts Information Privacy and Security Act (MIPSA) continues to advance through the state legislative process, and is now before the full legislature. While the Act has several hurdles to clear before becoming law, its notable for two reasons. First, the comprehensive nature of the MIPSA exemplifies the direction state data protection laws are heading in the absence of a comprehensive federal consumer data protection law. Second, given the borderless nature of e-commerce, the most robust state consumer data protection law will likely become the de facto national consumer data protection law, and the MIPSA may take that title. This post highlights significant portions of the current version of the Act.

Who is protected? 

The MIPSA protects the personal information of Massachusetts residents.

Who is subject to the MIPSA?

The Act applies to an entity that has annual global gross revenue in excess of 25 million dollars; determines the purposes and means of processing of the personal information of not less than 100,000 individuals; or is a data broker. In addition, the entity conducts business in the state, or if not physically present in the state, processes personal information in the context of offering of goods or services targeted at state residents or monitors the in-state behavior of residents. Where an entity does not otherwise meet these criteria, it may voluntarily certify to the state Attorney General that it is in compliance with and agrees to be bound by the MIPSA.

Are any entities exempt?

Massachusetts state agencies and government bodies, national securities associations and registered futures associations are exempt.

What data is protected?

MIPSA applies to the personal information of a Massachusetts resident, which is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable individual. Personal information does not include de-identified information or publicly available information. For the limited purposes of a sale, personal information also includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable household.

Does the Act include special protections for Sensitive Information?

The Act carves out heightened protections for sensitive information. These include the right to notice of collection and use, and the right to limit use and disclosure to purposes necessary to perform the services or provide the goods requested, and for other controller internal uses as authorized by the Act.

Sensitive information is personal information that reveals an individual’s racial or ethnic origin, religious beliefs, philosophical beliefs, union membership, citizenship, or immigration status. It also includes biometric information or genetic information that is processed for the purpose of uniquely identifying an individual; personal information concerning a resident’s mental or physical health diagnosis or treatment, sex life or sexual orientation; specific geolocation information; personal information from a child; a Social Security Number, driver’s license number, military identification number, passport number, or state-issued identification card number; and a financial account number, credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to an individual’s financial account.

Is any personal information exempt from the Act?

Protected health information under HIPAA is exempt as is certain data, information, and health records created under HIPAA and Massachusetts state law. Exempt data also includes data collected, processed, or regulated with respect to clinical trials, the Health Care Quality Improvement Act of 1986, the Patient Safety and Quality Improvement Act, FCRA, Driver’s Privacy Protection Act, FERPA, the Farm Credit Act, GLBA, COPPA, the Massachusetts Health Insurance Connector and Preferred Provider Arrangements.

Does the MIPSA apply to employee personal information or information collected in the B2B context?

The Act also exempts personal information collected and processed in the context of an individual acting as a job applicant to, an employee of, or an agent or independent contractor of a controller, processor, or third-party including emergency contact information and information used to administer benefits for another person relating to the individual.

Information collected and used in the course of an individual acting in a commercial context is exempt.

What are the controller’s obligations under the MIPSA?

The Act creates an affirmative obligation to implement appropriate technical and organizational safeguards to ensure the security of the information. In addition, the controller must have a lawful basis to process the personal information. Processing must be done in a fair and transparent manner, which includes providing appropriate privacy notices at or before the point of collection. The controller must collect personal information for an identified and legitimate purpose and processing should be limited to what is necessary to achieve the purpose. The information must be accurate and retained only as long as necessary to achieve the purpose for which it was collected. For processing that may involve a high risk of harm to individuals, the controller may be obligated to conduct a risk assessment. When engaging a processor, the controller must enter into a data processing agreement with the processor that contains mandated provisions designed to ensure the privacy and security of personal information.

What rights do protected individuals have?

Massachusetts residents have the right to know, access, port, delete and correct their personal information, subject to certain limitations. The Act also provides for the right to opt out of the sale of personal information and limit the use and disclosure of sensitive information in particular with respect to targeted advertising. The data controller is prohibited from discriminating against the individual for exercising any of these rights.

Can my organization be sued for violations of the law?

The MIPSA does not include a private cause of action for violations of the Act. However, the proposed bill also amends the state data breach notification law to provide residents with a private right of action where their personal information was subject to a data breach resulting from the entity’s failure to implement reasonable safeguards.

How will the law be enforced?

The state Attorney General is authorized to commence a civil investigation when there is reasonable cause to believe an entity has engaged in, is engaging in, or is about to engage in a violation of the Act. After notice, the entity will have 30 days to cure the violation. In the event the entity fails to cure, the Attorney General may seek a temporary restraining order, preliminary injunction, or permanent injunction to restrain any violations r and may seek civil penalties of up to $7,500 for each violation.

Next steps?

The MIPSA sets a high bar for data protection practices. Whether enacted in whole or part, the Act provides a road map for where data protection laws are headed. Many of the 2022 proposed state laws follow or surpass the protections introduced by the CCPA. Preparing to meet each more comprehensive law will require continued data mapping, ongoing evaluation and development of written information security programs, heightened scrutiny of vendor relationships and agreements, risk assessments, and updated employee data protection and security awareness training.

We will continue monitor the progress of this bill.