With SD341, Massachusetts Joins States Considering CCPA-like Data Privacy Laws
Massachusetts is the latest state to consider copying the California Consumer Privacy Act (CCPA). MA Senator and Democrat Cynthia Stone Creem proposed SD341, An Act Relative to Consumer Data Privacy. The privacy bill has three cosponsors in addition to the Senator.
If adopted, SD 341 would permit consumers to request a business provide a copy of their personal information, request deletion of their personal information, and opt out of certain third-party disclosures.
The bill allows the Attorney General to seek a civil penalty of up to $2,500 for each violation and $7,500 for each intentional violation. Consumers can also file a lawsuit seeking statutory damages of up to $750 per consumer per incident or actual damages, whichever is greater.
The proposed date for it to go into effect is January 1, 2023. The nearly four-year implementation period would be almost twice the period for the CCPA, which was originally set to be enforced by the California Attorney General starting January 1, 2020 and is now expected to be enforced about six months later – around July 1 of next year.
In addition to the longer implementation period, there are a few other big differences between SD 341 and the new California privacy law:
– The Massachusetts privacy bill has a broader private right of action. It applies to all violations of the law, providing a broad enforcement mechanism for consumers. The CCPA private right of action is limited to data breaches for the failure to implement and maintain reasonable security practices.
– There is no thirty-day cure provision for enforcement by the Massachusetts Attorney General in SD341. This is a major difference from the CCPA, which only permits an enforcement action with a civil penalty if the AG has notified the business of the alleged noncompliance and the business fails to correct the alleged violation.
– The MA bill uses “Do Not Share My Personal Information” for its opt-out rather than California’s “Do Not Sell My Personal Information”. There has been a lot of discussion around the breadth of the term “sale” in the CCPA as well as its interaction with the definition of valuable consideration. This appears to be an attempt
– It applies to all for-profit businesses that collect Massachusetts consumers’ personal information with annual gross revenue of more than $10 million. It does not contain the CCPA threshold involving the collection of personal information on 50,000 people or devices annually, which has been controversial given its potential reach for many small businesses operating online.
– SD 341 excludes employee data. The CCPA is silent or ambiguous on the topic of employee data, and as a result the CCPA is currently expected to apply to employee data unless the law is amended or the Attorney General decides to exclude it as part of the rulemaking process.
Other aspects of the law similar to CCPA:
– Disclosures are required about the collection and sharing of personal information, as well as about the rights the law provides.
– Businesses are not allowed to discriminate against consumers for their exercise of their rights.
– Exclusions of data covered by other laws, such as HIPAA, HITECH, GLBA, and the Driver’s Privacy Protection Act.
– Authorizes the Attorney General to issue rules and procedures concerning implementation of the law. These regulations are required on or before July 1, 2022.
There is no indication as yet whether SD 341 will gain momentum in Massachusetts. Other states that are considering privacy bills based in part on the CCPA include:
– New Mexico Consumer Information Privacy Act – SB 176 (similar to CCPA)
– New York Right to Know Act – Senate Bill 224 (right to access)
– Washington (State) Privacy Act – SB 5376 (a mix of GDPR and CCPA)