Omnibus Data Privacy Bill Would Give Consumers More Control Over Personal Data
In a sign that the branches are aligning, House Democrats this week advanced an omnibus data privacy bill that would give consumers more control over how their personal information is collected and distributed.
The legislation also blocks the sale of precise geolocation data, installs specific protections for minors and requires entities to conduct data protection assessments.
The House side of the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity on Monday shipped its redraft of the Massachusetts Consumer Data Privacy Act (H 4746) to the House Ways and Means Committee. The proposal cleared the AITIC panel on a 9-0 vote.
The Senate unanimously passed its data privacy package on Sept. 25.
The House and Senate bills both seek to install data minimization standards, which restrict the collection, processing or transfer of consumer data to what is necessary to deliver goods or services. Echoing the Senate bill, House committee members want to curtail the handling of sensitive data, including gender-affirming health data and reproductive or sexual health data that could offer insights into people seeking abortion care.
“This bill features critical protections banning the sale of precise location information,” ACLU of Massachusetts Executive Director Carol Rose said. “Allowing anyone with a credit card to purchase this revealing data makes every one of us vulnerable to exploitation, harassment or violence, including seniors, children, people seeking abortion and gender-affirming care, survivors of domestic abuse, veterans, and law enforcement.”
Both bills give consumers the right to correct or delete personal information or opt out of their data being collected, but the House version specifies that data holders or “controllers” must respond to consumer requests within 45 days.
Under the House bill, data controllers cannot discriminate or retaliate against consumers who exercise their privacy rights, such as denying them products or services, charging different prices or rates, or providing a different level of quality of goods or services. Controllers must also carry out data protection assessments for “high-risk processing” activities that pose a “heightened risk of harm to a consumer,” and submit those reports to Attorney General Andrea Campbell’s office, according to a committee summary.
Unlike the Senate bill, consumers under the House bill would gain a private right of action. The AG’s office would also have the authority to enforce the proposed law and establish requirements dealing with de-identifying data sets, setting “reasonable” data security practices, and creating a “nonexclusive list of practices that constitute dark patterns or otherwise violate the requirements of this chapter,” according to the summary.
Rep. Tricia Farley-Bouvier of Pittsfield is the House chair of the information technology committee.
“I feel very strongly the more I learn about this issue, that location shield — and that is the shielding of precise location — is very important as part of a larger data privacy bill,” Farley-Bouvier told the News Service in June. “Without protections of all of our data, including a long list of sensitive data, not just location, we are not protecting people enough. It is my goal to pass comprehensive data protections that’s inclusive of precise location data.”
