October 19, 2020

Volume X, Number 293

October 19, 2020

Subscribe to Latest Legal News and Analysis

The Massachusetts Legislature Hits the Pause Button on Comprehensive Consumer Data Privacy

Massachusetts consumers and businesses now know that the Commonwealth will likely not be the next jurisdiction to adopt sweeping consumer data privacy legislation. Earlier this week, the Joint Committee on Consumer Protection and Professional Licensure took action to table a comprehensive consumer data privacy bill until a future legislative session.

Massachusetts Consumer Data Privacy Introduced and Debated in 2019

Last year, Massachusetts state senators introduced a consumer data privacy bill with a broad private right of action. The proposed law, An Act Relative to Consumer Data Privacy (S.120), would have permitted any consumer to bring a lawsuit against any violating business or service provider, regardless of actual losses. S.120 was referred to the Joint Committee on Consumer Protection and Professional Licensure, which held a hearing in October 2019. During that hearing, speakers from a variety of industries urged caution, asking lawmakers to slow down and consider the bill’s potential pitfalls and unintended consequences. Among these concerns was the possibility that S.120 would bring a wave of new class action litigation. Speakers asked legislators to exercise restraint and give the bill due consideration in light of the immense risks of hastily-crafted language. While some commenters proposed amendments, none spoke in favor of passing the bill as currently drafted, and others strenuously argued that the bill should not pass.

The Joint Committee Tables Consumer Data Privacy

Following public hearing, the Joint Committee was faced with the responsibility of reporting out S.120 to the full legislative body with a Favorable (Ought to Pass) or Unfavorable (Ought Not to Pass) Report. However, on February 5, 2020, the Joint Committee took a third path, issuing a Study Order on S.120.

A study order authorizes the Joint Committee to sit during recess and study S.120 and, if appropriate, file a report of findings. However, for the vast majority of bills sent to a study order, no further committee activity takes place. For this reason, many observers view a study order as a procedural mechanism to table a bill until a future legislative session.

The Future of Consumer Data Privacy in Massachusetts

The future of comprehensive consumer data privacy in Massachusetts is now more uncertain. One thing is clear: a new data privacy law will almost certainly not be coming to Massachusetts in the current legislative term. However, a comprehensive consumer data privacy law may be introduced and passed in the next legislative term, and before the U.S. Congress passes any federal legislation on the issue. The current legislative term comes to an end at the close of this year, and sponsors may introduce new legislation at the start of the new term in January 2021.

Massachusetts state legislators can be expected to monitor the progress and implementation of other consumer privacy legislation across the country and try to incorporate those lessons into any future version of S.120 that may be introduced in the 2021-2022 term. One of the main criticisms of S.120 was that it was modeled on an early version of the California Consumer Privacy Act (CCPA) and did not reflect amendments and regulations that were ultimately adopted in California to remedy the ambiguities and overbreadth of that early draft language. A new version of S.120 introduced in a future legislative term would be expected to reflect revisions implemented in California and public comments on S.120, among other developments in consumer data privacy law between January 2019, when S.120 was first introduced, and January 2021.

Despite yesterday’s action by the Joint Committee on Consumer Protection and Professional Licensure to issue a Study Order on S.120, Massachusetts businesses should be careful not to assume that consumer data privacy laws do not yet apply to their operations. Consumer data privacy laws from jurisdictions other than Massachusetts, like CCPA that became effective in January of this year, can extend to organizations deemed to be “doing business” within the applicable jurisdiction. Massachusetts businesses should regularly consult with legal counsel and privacy professionals to evaluate their legal obligations and compliance programs.

©2020 Pierce Atwood LLP. All rights reserved.National Law Review, Volume X, Number 38

TRENDING LEGAL ANALYSIS


About this Author

Peter J. Guffin data and privacy lawyer Pierce Atwood
Partner

As chair of Pierce Atwood’s Privacy & Data Security practice, Peter Guffin combines extensive experience in intellectual property, information technology, privacy and data protection law, with a practical appreciation of the business and legal imperatives that can determine a client's success.

Areas of focus include:

  • Information Privacy and Cybersecurity
  • Breach Preparedness, Response, Investigation, and Communication
  • Risk Management, Governance, and Compliance

Peter represents businesses and organizations across a...

(207) 791-1199
Melanie Conroy Commercial Litigation Attorney Pierce Atwood Law Firm
Counsel

Melanie Conroy focuses her practice on class action defense and complex commercial litigation. She has represented clients in connection with internal, government, and regulatory investigations, and has counseled boards of directors, board committees, and senior management on a broad range of matters, including securities, corporate governance, disclosure, and regulatory issues.

Melanie represents businesses and organizations across a wide range of industries, including life sciences, financial services, insurance, private equity, real estate, energy, media, consumer electronics, and retail apparel. Melanie regularly appears in state and federal trial courts, and is experienced in private arbitration and mediation.

617-488-8119