Thoughts on the proposed Massachusetts Data Privacy Act, S.2608

September 22, 2025

The Massachusetts Senate is scheduled to vote, on September 25, 2025, on the “Massachusetts Data Privacy Act”, a.k.a. S.2608. This was apparently put on the Senate’s schedule just a week before the scheduled vote, on September 18. Personally, I don’t think a week is enough time to allow for feedback from the public about a bill this important, feedback which might prompt some senators to decide changes are needed to the bill, but maybe that’s just me.

Despite the short time-frame and skepticism that anyone in the senate is going to listen to feedback, I’ve taken time to read the bill cover-to-cover, as it were, and write down some concerns.

Overall I think this bill is a step in the right direction, but I also think there are serious problems in it that should be addressed. Here are my concerns in the order they appear in the bill, which, just to be clear, is not the same as how important I think they are.

Exempting credit reporting agencies is terrible but at least to some extent understandable

The act as currently proposed exempts “any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living collected, processed or transferred by a consumer reporting agency, furnisher or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act.” In other words, the credit reporting agencies, which have notoriously poor security and privacy practices and have been directly responsible for some of the worst data breaches of personal information in history, are given an unqualified free pass by this law to continue their poor privacy and security practices.

I suspect this exemption was put into the law because if it hadn’t been then the credit reporting agencies would have sued to have the law overturned as an infringement on the federal Fair Credit Reporting Act, and federal courts would be likely to side with them, thus running the risk of causing the whole law to be ruled invalid by federal courts.

I can therefore see the logic behind this exemption, if that is indeed why it’s there. Nevertheless, it is disappointing that this law will do nothing to rein in the credit reporting agencies.

(Incidentally, the word “furnisher” used in the excerpt from the law quoted above is not used anywhere else in the law and is not defined. This is a problem.)

Excluding “reputation” reporting agencies is terrible and not at all understandable

Leaving aside the unfortunate but understandable exclusion of credit reporting agencies from the law, what the heck is the law talking about when it refers to consumer reporting agencies that collect information and issue ratings about “character, general reputation, personal characteristics or mode of living”? Like seriously, wtf?

The last time I checked, we were still living in the United States, not China. We should not have companies doing that, and if we do have companies doing that, they should not be excluded from this law. I mean, come on.

Small businesses should not be excluded from this law

I 100% disagree with this law entirely exempting small businesses from all its provisions. Here’s an illustration of one of the many reasons why…

Over the years, my daughter has repeatedly received calls or texts on her cell phone from small businesses attempting to reach me. This is because there is some data broker somewhere out there in the world who has decided that my daughter’s cell phone number is mine, and small businesses who use that data broker to do lookups—often ignoring the phone number which I’ve already given them which is my correct number!—end up calling or texting my daughter instead of me.

Every time this has happened, I have asked the business that did it, “Can you please tell me where you got this information from so I can get it corrected?” Every single one of them has refused.

Businesses, regardless of their size, should not be allowed to buy bad data from bad data brokers and then use that bad data in a way that harms their customers, and then refuse to help the customer get the bad data corrected at its source. This should be, literally, illegal.

“Enforcing this law on small businesses will be too much of a burden” is nonsense. I’ve worked for many small tech startups over the years which collected personal data about their users, and in many of those jobs I was the person responsible for handling requests from users about their data, and handling such requests was never, ever a significant burden. Even if this law is passed without any exemptions for small businesses, the number of people who will go through the effort to exercise their rights under this law will be minuscule. But the people who want to exercise those rights should be allowed to regardless of the size of the businesses involved.

If the legislature nevertheless insists on exempting small business, then the thresholds for exemption should be at least an order of magnitude smaller.

Alternatively or in addition, consider exempting small businesses from some, but not all, provisions of the law, with nuance, rather than broadly exempting them from all provisions. For example (again, these are examples; I am not saying these are all the provisions from which I think small businesses should be exempt):

  • I don’t think small businesses need to have this provision enforced on them: “A consumer shall have the right to… obtain a copy of the consumer’s personal data collected or processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.”
  • I think some of the requirements about how controllers need to accept requests from consumers under this law can be loosened for small businesses. A small business can, for example, be expected to simply take such requests over the phone or via email rather than requiring them to have a website which provides a “secure method” for submitting such requests.

Controllers need to be required to delete request authentication data

Regarding Section 4, subsection (c), paragraph (4), “If a controller is unable to authenticate a request… until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer’s request to exercise such right; provided, however, that any such information may not be used for any purposes other than the authentication of such consumer.” The law should explicitly state that any information provided by a consumer for the sole purpose of authenticating a request to exercise a right provided under this law, must be entirely deleted by the controller not later than 30 days after the information was provided, including not persisting for longer than that in system backups. This is necessary because you absolutely, positively do not want to let controllers, e.g., collect images of people’s driver’s licenses for “authentication purposes” and then just let them sit around forever; we have seen that result in huge data breaches many times. Experience has proven over and over that if the law doesn’t require data deletion (and sometimes even when it does) businesses will not bother to implement it. This absolutely needs to be required from the get-go.
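One way a controller could implement the retention ceiling and purpose restriction argued for here, as an added illustration that is not part of the bill or this post: authentication evidence lives in its own store, may only be read by the authentication workflow, is purged at 30 days, and the same overdue check is run over the contents of any retained backup. The 30-day constant, the store layout and the sample timestamps are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_AUTH_RETENTION = timedelta(days=30)  # 30-day ceiling argued for above (assumed policy constant)

@dataclass(frozen=True)
class AuthArtifact:
    """Evidence supplied only to authenticate a rights request (e.g. an ID scan),
    kept apart from the request record so it can be purged independently."""
    artifact_id: str
    request_id: str
    provided_at: datetime

def overdue_ids(artifacts, now):
    """Ids held longer than MAX_AUTH_RETENTION as of `now`; usable on the live
    store and on the contents of any retained backup."""
    return sorted(a.artifact_id for a in artifacts
                  if now - a.provided_at > MAX_AUTH_RETENTION)

@dataclass
class AuthArtifactStore:
    artifacts: dict = field(default_factory=dict)

    def add(self, artifact):
        self.artifacts[artifact.artifact_id] = artifact

    def read(self, artifact_id, purpose):
        """Purpose limitation: only the authentication workflow may read."""
        if purpose != "authentication":
            raise PermissionError("authentication evidence is single-purpose")
        return self.artifacts[artifact_id]

    def purge(self, now):
        """Delete everything past the ceiling; return the ids removed."""
        removed = overdue_ids(self.artifacts.values(), now)
        for artifact_id in removed:
            del self.artifacts[artifact_id]
        return removed

def demo():
    """Constructed sample data, not real consumer records."""
    t0 = datetime(2025, 9, 1, tzinfo=timezone.utc)
    store = AuthArtifactStore()
    store.add(AuthArtifact("a1", "req-1", t0))
    store.add(AuthArtifact("a2", "req-2", t0 + timedelta(days=20)))
    backup = list(store.artifacts.values())  # backup taken at t0 + 20 days
    now = t0 + timedelta(days=31)
    purged = store.purge(now)                # live store: a1 goes, a2 stays
    # a1 is still in the backup, so that backup itself must be expired by now.
    return purged, sorted(store.artifacts), overdue_ids(backup, now)
```

Running the same `overdue_ids` check over each retained backup is what turns "including backups" into something auditable: a backup that still holds an overdue artifact means backup retention is longer than the authentication-data window allows.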

Notifications about privacy policy changes should be explicitly required to say specifically what the changes are

Regarding Section 5, subsection (c), paragraph (2)(B), “If a controller makes a material change to its privacy notice…” the law should state explicitly that just telling the consumer, “Hey, we changed our privacy policy, go read the new one at this URL,” is not sufficient. Instead, controllers should be explicitly required by this law to tell the user specifically what has changed when they notify consumers that the policy is changing.

Relying on IP address for determining location is unacceptable

There are several problems with section 5, subsection (e), paragraph (ii), specifically with, “provided further, that for purposes of this subsection, the use of an internet protocol address to estimate the consumer’s location shall be considered sufficient to reasonably determine residency.”

First, even when a consumer isn’t doing anything to obfuscate their IP address, IP addresses do not accurately reflect people’s locations.

Ignoring that, however, consumers who use VPNs to protect their privacy and security should not be blocked from exercising their rights under this law. A controller absolutely should not be allowed to tell a user, “Sorry, you can’t exercise your rights because I can’t tell from your VPN IP address whether you live in Massachusetts.”

And finally, I should be able to exercise my rights under this law even when I’m traveling. If my primary residence is in Massachusetts, then I should not have to wait until I am back within the borders of Massachusetts to be able to submit a request which is my right under this law.

The proposed law needs to be changed to indicate that while an IP address geolocated to Massachusetts may be used by a controller to positively establish Massachusetts residency for the purpose of confirming that this law applies to the consumer, a controller should not be allowed to use the fact that the consumer’s IP address could not be geolocated to Massachusetts as grounds for preventing them from exercising their rights. In that case, the controller must either (a) take the user at their word that they are a Massachusetts resident unless they have legitimate reason to believe otherwise, and/or (b) provide the consumers with reasonable alternative means of proving Massachusetts residency.

Data protection assessments must be repeated periodically

Section 7 says nothing about how often data protection assessments (DPAs) must be redone. Controllers should be required to redo each DPA at least annually, or whenever there are material changes to the processing assessed in the DPA, whichever is sooner. A single DPA done at some indeterminate point in the past should not give controllers carte blanche to do whatever processing they need forever. Companies that collect and process personal information rarely go a whole year without making significant changes to their collection and processing.

Furthermore, this section should say that failure to maintain timely DPAs may be taken into account in enforcement actions by the AG.
