Proposed Massachusetts Consumer Data Privacy Law Takes Lessons From Illinois’ Biometric Law
After Illinois passed its Biometric Information Privacy Act in 2008 (“BIPA”), other states have begun enacting legislation regulating business activities relating to biometric information. Texas and Washington were next, followed by California in 2018. Now, Massachusetts has proposed legislation regulating the use of a consumer’s personal and biometric information.
Bill SD.341, “an Act relative to consumer data privacy,” draws much of its language from the California Consumer Privacy Act of 2018 (“CCPA”), and also has some parallels to BIPA. However, there are several differences between the Bill and BIPA worth noting.
The Massachusetts Bill Would Insulate Companies From Certain BIPA-like Lawsuits.
One of the key differences between the Bill and BIPA (and CCPA) is that the Bill expressly carves out an exception for businesses that collect or disclose their employees’ personal information, “so long as the business is collecting or disclosing such information within the scope of its role as an employer.” This carveout would protect Massachusetts employers from the types of lawsuits that have exploded in Illinois, where employees have filed hundreds of BIPA class actions against their employers based on the employers’ collection, storage, use, and disclosure of employee fingerprints for timekeeping purposes.
Earlier this year, the Illinois legislature proposed an amendment to stem these lawsuits, but the measure failed.
The Massachusetts Bill Includes Statutory Fines & Penalties.
Like BIPA, the Bill creates a private right of action for consumers who have “suffered a violation.” Unlike BIPA, the Bill explains in the statute itself exactly what it means to have “suffered a violation.” The Bill makes clear that a violation of its provisions is by itself an injury in fact, and that a consumer need not suffer actual monetary or property loss in order to bring an action. This will likely help Massachusetts avoid the type of litigation Illinois has experienced over what gives a consumer standing under BIPA, which we have covered in earlier posts.
Like BIPA, the Bill also provides for statutory liquidated damages. Similar to the statutory damages provided under CCPA, the Bill allows consumers to recover statutory damages of up to $750 “per incident” or actual damages, whichever is greater. If a court decides to award statutory damages, the Bill lists several factors the court should consider in setting the amount, making it somewhat more equitably minded than BIPA’s bright-line amounts of $1,000 for negligent violations and $5,000 for willful or reckless violations.
Massachusetts Would Regulate More Information Than BIPA.
Another difference between the Bill and BIPA is the type of information that would be protected and regulated. While the Bill also regulates biometric information such as fingerprints, iris and retina scans, and face and hand imagery, its definition of biometric information also includes “an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA,” as well as “keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”
In contrast, BIPA’s definitions of biometric identifier and biometric information are narrower because they do not include “behavioral characteristics” or “keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.” And, while BIPA does not protect anything beyond biometric identifiers or information, the Bill also protects consumers’ “personal information,” which is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.” As a result, the Massachusetts Bill would apply to more business activities than BIPA.
The Massachusetts Bill’s Notice Requirements Are Different From BIPA’s.
Because the Bill would apply to companies that collect consumer “personal information,” and not just biometric data such as fingerprints or retina scans, companies should closely consider whether their activities bring them within the Bill’s scope. If they do, the companies would be obligated to comply with the Bill’s various notice requirements, which are somewhat different from BIPA’s.
For instance, like BIPA, the Bill would require a company collecting and disclosing biometric and personal information to notify consumers, at or before the point of collection, of:
the categories of personal information it will collect,
the business purposes for which the personal information will be used,
the categories of third parties with whom the business will disclose personal information, and
the business purpose for the third party disclosure.
However, the Bill would also require companies to inform consumers that they have the right to request a copy of their personal information, to request its deletion, and to opt out of third-party disclosure, none of which BIPA requires. Much like CCPA, the Bill gives consumers the right to request information about how the company is using their personal information, and companies would be required to respond to such a request within 45 days. Companies would also need to make it easy for consumers to submit requests by providing at least two methods for doing so, including a link on the company’s home page if it has a website.
If passed, Bill SD.341 will take effect on January 1, 2023. There is still plenty of time for the Massachusetts legislature to make additional changes to the Bill. Nevertheless, businesses in Massachusetts and other states should be mindful of pending privacy legislation like Senate Bill SD.341 that could impose additional obligations on companies that collect and use personal and biometric information.