Thoughts on proposed Massachusetts Consumer Data Privacy Act, H.4746

November 23, 2025

In September, I wrote about the consumer privacy bill proposed by the Massachusetts Senate, S.2608. A few days ago, the Massachusetts House released its version of the bill, H.4746. Here are my thoughts on the House bill and how it compares to the Senate version.

Overall, H.4746 is a much better bill than S.2608. I still have some concerns, outlined below, but it is a strong bill that would provide strong protections to consumers even if enacted without addressing any of them. The Electronic Privacy Information Center (EPIC) agrees.

How the House bill stacks up regarding my concerns with the Senate bill

Here’s a brief breakdown of the concerns I expressed about the Senate bill, and whether/how the House bill addresses them:

Exempting credit reporting agencies

Unsurprisingly, the House bill preserves this exemption. I know that, as I noted before, this is probably necessary to avoid the law being challenged based on preemption by the Fair Credit Reporting Act, but I still don’t like it or think it’s good for consumers.

Small businesses should not be excluded from this law

This is the one area in which the House version goes in the wrong direction. Not only does it preserve the exemption for small businesses, it enlarges it, exempting businesses that process data for fewer than 100,000 consumers, vs. the Senate version’s threshold of 60,000. Please see my previous explanation for why I disagree with this exemption.

Controllers need to be required to delete request authentication data

The House bill fixes this by introducing a general requirement for controllers and processors to delete personal data promptly when it is no longer needed. The bill does not specifically link this requirement to data collected for authentication purposes, but it is clearly applicable there.

Notifications about privacy policy changes should be explicitly required to say specifically what the changes are

The House bill has the same deficiency here as the Senate version. I would like to see this spelled out explicitly, but if not, I hope this will be addressed in the regulations the Attorney General’s office puts in place.

Amendment needed

Specifically, the bill should state explicitly that just telling the consumer, “Hey, we changed our privacy policy, go read the new one at this URL,” is not sufficient. Instead, controllers should be explicitly required by this law to tell the user specifically what has changed when they notify consumers that the policy is changing.

Relying on IP address for determining location is unacceptable

The House bill continues to suffer from this malady which I described previously. In particular, regarding the automated targeted-advertising opt-out signal that will be required to be built into web browsers and that controllers will be required to obey, the bill says that “the use of an internet protocol address to estimate the consumer’s location shall be considered sufficient to reasonably determine residency.” It’s not sufficient, for the reasons I explained before.

Lawmakers need to do better here. Users should not have to stop using one privacy tool (VPNs) to be able to take advantage of another privacy tool (automated targeted advertising opt-out).

Amendment needed

As I said before, the bill needs to be changed to indicate that while an IP address geolocated to Massachusetts may be relied upon by a controller to establish Massachusetts residency, a controller cannot use the fact that the consumer’s IP address could not be geolocated to Massachusetts as grounds for preventing them from exercising their rights. In that case, the controller must either (a) take the consumer at their word that they are a Massachusetts resident unless they have legitimate reason to believe otherwise, and/or (b) provide the consumer with reasonable alternative means of proving Massachusetts residency.

Data protection assessments must be repeated periodically

The House bill addresses this issue partially but not fully. The House language requires controllers to review and update data protection assessments (DPAs) “as often as appropriate” and lists a number of considerations for how that is to be determined. This is a loophole big enough to drive a truck through. Theoretically this could be addressed in regulations promulgated by the Attorney General, but I would prefer to see it addressed explicitly in the bill.

Amendment needed

The bill should set a maximum interval at which data protection assessments must be reviewed and revalidated by controllers. The typical requirement for this sort of thing is annually, or sooner when there are material changes to the controller’s data collection or processing activities.

New concerns with the House bill

Wording error in the bill?

Section 10, Subsection (a), Paragraph (10)(i) of the proposed bill reads in part (emphasis added), “…whether the deletion of personal data requested by a consumer under section 4, subsection (a), paragraph (4) is likely to provide substantial benefits that do not exclusively accrue to the controller.”

Amendment needed

I am not certain, but I think the word “provide” there is erroneous. I think it would make more sense to say “prevent” or “preclude”, perhaps?

Right of private action has been restored, but only partially

The House bill restores the right of private action, which was removed from the Senate bill. That is, the House bill allows consumers to sue controllers under Chapter 93a (the unfair and deceptive trade practices law) for violating the data privacy act.

However, this right of private action is restored only against controllers that are large data holders, i.e., companies that have more than $200 million in annual revenue and process data for more than two million people.

In my opinion, it is misguided and wrong to block a private right of action for smaller controllers. I understand that they are trying to protect small businesses from being overwhelmed by spurious lawsuits over their data collection practices, but this is not a realistic problem to worry about. Filing lawsuits costs time and money. Even small claims court has a filing fee of at least $40. These are more than sufficient to prevent brigades of spurious lawsuits. Processing personal data is a privilege, not a right; if a company wants to do it, then they should be prepared to defend their practices in court if needed.

Amendment needed

The right of private action under Chapter 93a should be fully included. Anyone should be able to sue any controller for violating its terms.

Data deletion requirements don’t address backups

The bill requires controllers to delete a consumer’s personal information upon request and to delete any personal data no longer needed to perform the purpose for which it was originally collected. Does this requirement apply to the controller’s system and database backups? That is, are they required to delete the pertinent data from backups as well?

That’s actually mostly a rhetorical question, because the answer is no, it is absolutely not practical for controllers to be required to purge the data for a particular consumer from their backups.

There are limited cases in which it is possible, e.g., if the controller is deleting an entire dataset that is no longer needed, and the dataset has self-contained backups that can be deleted as a unit. But in all other cases, where the data the controller is required to delete is intermixed with other data in the backups, it is simply not feasible to expect the data to be removed from the backups.

The fact that this is not addressed in the act puts controllers at risk of facing legal action for violating the act for not removing data from backups, when expecting them to have done that is unreasonable.

On the other hand, if the controller is allowed to keep consumers’ personal information in backups even after they’ve asked for it to be deleted, then there’s a risk that those backups and the consumers’ data in them could be stolen in a data breach. This is concerning since allowing consumers to minimize that risk is one of the reasons why privacy laws exist in the first place.

The bill needs to address both of these concerns.

Amendment needed

The bill should exempt data stored in backups from data deletion requirements, but at the same time, it should explicitly state that controllers are required to: (a) assess how long backups need to be preserved to ensure business continuity and have data retention policies and processes in place to delete backups that are no longer needed for that purpose; and (b) securely encrypt backups and use other industry best practices as appropriate to keep them secure.

The legal exposure to controllers for not removing consumer data from backups is too great to leave this issue to be addressed only in the Attorney General’s regulations. It needs to be addressed explicitly in the bill.
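To make the two obligations in the proposed amendment concrete, here is a small retention-policy check written as an added example for this post; it is not the author’s code and nothing in the bill prescribes it. It assumes a controller keeps a manifest of backup sets, each with a creation time and a flag saying whether it is encrypted, and it applies two rules: (a) delete any set older than the retention period justified for business continuity, while always keeping the few newest sets so a stalled backup job cannot leave nothing to restore from, and (b) report any retained set that is not encrypted. The 35-day retention period, the minimum of three kept sets, and the manifest entries are all constructed for illustration.

```python
"""Backup retention and encryption check (added example, not from the original post)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class BackupSet:
    name: str           # hypothetical identifier of one self-contained backup set
    created: datetime   # tz-aware creation time
    encrypted: bool     # whether the set is encrypted at rest


@dataclass(frozen=True)
class RetentionPolicy:
    max_age: timedelta  # how long business continuity justifies keeping a set
    min_keep: int       # always retain this many newest sets, even if stale


def evaluate_backups(sets: Iterable[BackupSet], policy: RetentionPolicy,
                     now: datetime) -> Tuple[List[str], List[str]]:
    """Return (to_delete, violations), both ordered newest first.

    to_delete: sets older than policy.max_age that are not among the
      policy.min_keep newest sets (rule (a): retention with a safety floor).
    violations: retained sets that are not encrypted (rule (b)).
    Sets scheduled for deletion are not reported as violations, since the
    remedy for them is deletion rather than re-encryption.
    """
    ordered = sorted(sets, key=lambda s: s.created, reverse=True)
    protected = {s.name for s in ordered[:policy.min_keep]}
    cutoff = now - policy.max_age
    to_delete = [s.name for s in ordered
                 if s.created < cutoff and s.name not in protected]
    doomed = set(to_delete)
    violations = [s.name for s in ordered
                  if s.name not in doomed and not s.encrypted]
    return to_delete, violations


# Constructed policy and reference time used by both scenarios below.
POLICY = RetentionPolicy(max_age=timedelta(days=35), min_keep=3)
NOW = datetime(2025, 11, 23, tzinfo=timezone.utc)


def _d(month: int, day: int) -> datetime:
    return datetime(2025, month, day, tzinfo=timezone.utc)


def run_example() -> Tuple[List[str], List[str]]:
    """Healthy backup cadence: two stale sets to delete, one unencrypted set kept."""
    manifest = [  # constructed sample manifest
        BackupSet("db-2025-11-22", _d(11, 22), encrypted=True),
        BackupSet("db-2025-11-15", _d(11, 15), encrypted=True),
        BackupSet("db-2025-11-08", _d(11, 8), encrypted=False),   # retained, flagged
        BackupSet("db-2025-10-25", _d(10, 25), encrypted=True),   # 29 days old, kept
        BackupSet("db-2025-10-11", _d(10, 11), encrypted=True),   # 43 days old, delete
        BackupSet("db-2025-09-27", _d(9, 27), encrypted=False),   # 57 days old, delete
    ]
    return evaluate_backups(manifest, POLICY, NOW)


def stalled_example() -> Tuple[List[str], List[str]]:
    """Failure mode: the backup job stopped months ago, so every set is stale.

    The min_keep floor keeps the three newest sets rather than purging everything.
    """
    manifest = [  # constructed sample manifest
        BackupSet("arch-2025-09-01", _d(9, 1), encrypted=True),
        BackupSet("arch-2025-08-15", _d(8, 15), encrypted=True),
        BackupSet("arch-2025-08-01", _d(8, 1), encrypted=True),
        BackupSet("arch-2025-07-15", _d(7, 15), encrypted=True),
    ]
    return evaluate_backups(manifest, POLICY, NOW)


if __name__ == "__main__":
    print("normal:", run_example())
    print("stalled:", stalled_example())
```

The point of the `min_keep` floor is that a retention rule applied mechanically to a controller whose backup job has silently failed would delete its last restorable copy; a policy that satisfies amendment (a) still has to be safe to run unattended.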

Thoughts about the privacy bill and ALPR

Automatic License Plate Recognition, a.k.a. ALPR, has been in the news a lot recently both due to it being abused in various ways by state and federal law enforcement, and due to the fact that ALPR mass surveillance is an outrageous privacy violation which should not exist at all. [example, example, example, and example, just to name a few]

A bill currently making its way through the current legislative session, H.3755 (“An act establishing driver privacy protections”), would strictly curtail what local and state law enforcement personnel and agencies are permitted to do with ALPR and automated toll-collection data, and would further require said data to be deleted in a timely fashion “except in connection with a specific criminal investigation based on articulable facts linking the data to a crime.” When this bill was filed, many of the ALPR abuses we know of now had not yet come to light; the sponsors of this bill were impressively forward-thinking.

H.3755 is a great bill, but it’s not enough.

No law enforcement agency collects ALPR data on its own. They all contract out the work to private industry. And in our flawed capitalist system, when data like this are collected by private companies, it’s pretty much guaranteed they will at some point be misused by that entity, or that the entity will fail to handle the data as required by their contracts with their customers (e.g., deleting it on time), or that there will be a data breach. It’s not a question of if something like this is going to happen, it’s a question of when.

This is where the privacy act comes in. I believe that since license plate numbers would be considered “sensitive data” under the act, any private company collecting ALPR data would be subject to the act to the extent that they allow any of the above to occur. This would provide robust incentives for ALPR companies to adequately protect their data, delete it when required, and not sell it in violation of the law.

In short, the privacy bill and the ALPR bill, if they were both passed, would provide far more robust privacy protections for ALPR data than either bill would if passed on its own. Therefore, I hope the legislature passes strong versions of both bills as soon as possible.

(To be clear, I don’t think ALPR mass surveillance should exist at all in any form. I think it is a huge, mass privacy violation and should be entirely illegal. However, I acknowledge that making it so would be a heavy lift, and as long as that’s not going to happen, I’d really like to see both the privacy bill and the ALPR bill passed.)
