Data Privacy / State Law (Pending)

MDPA

An Act establishing the Massachusetts data privacy act

Massachusetts Specific Featured Framework

Pending Massachusetts comprehensive privacy law establishing consumer rights to know, access, correct, delete, and opt-out of data sales. Includes a complete ban on the sale of sensitive data and minors' data.

Executive Summary

MDPA (S.2608/H.4746) creates comprehensive privacy rights for Massachusetts residents, including the right to know, delete, correct, and opt-out. Bans the sale of sensitive data (location, health, biometrics, minors' data). Applies to entities with $20M+ revenue OR 75K+ MA residents' data OR 50%+ revenue from data sales. Enforced exclusively by the Massachusetts Attorney General with civil penalties up to $5,000 per violation. If enacted, effective January 1, 2027 (Section 1) and June 1, 2027 (Section 2).

Comprehensive Documentation

Massachusetts Data Privacy Act (MDPA)

LEGISLATIVE STATUS: PENDING

IMPORTANT: As of November 20, 2025, MDPA has NOT been enacted into law.

Current Status:

  • Senate Vote: September 25, 2025 - PASSED UNANIMOUSLY (40-0)

  • Senate Committee: September 18, 2025 - Reported favorably by Ways and Means

  • House Committee: November 17, 2025 - Reported favorably as H.4746

  • House Floor Vote: PENDING

  • Governor Signature: PENDING (Governor Maura Healey)


Proposed Effective Dates (if enacted):
  • Section 1: January 1, 2027

  • Section 2: June 1, 2027


Official Bill Information

Bill Numbers:

  • Senate: S.2608 (as amended, S.2619) - 194th General Court

  • House: H.4746


Official Sources:
  • Senate Bill: https://malegislature.gov/Bills/194/S2608

  • House Bill: https://malegislature.gov/Bills/194/H4746

  • Senate Passage Press Release: https://malegislature.gov/PressRoom/Detail?pressReleaseId=256


Overview

If enacted, MDPA would establish comprehensive privacy protections for Massachusetts residents, creating consumer rights to control personal data and imposing strict obligations on businesses collecting or processing personal information. Massachusetts would join California, Colorado, Connecticut, and Virginia with comprehensive state privacy legislation.

MDPA builds upon and complements the existing Massachusetts privacy framework:

  • M.G.L. Chapter 93H (Data Breach Notification Law)

  • 201 CMR 17.00 (Data Security Standards)

  • M.G.L. Chapter 93A (Consumer Protection Act)


Who Must Comply: Covered Entities

A "covered entity" means any for-profit or nonprofit entity that:

  1. Owns or licenses personal information about Massachusetts residents, AND

  2. Meets at least ONE threshold:


Financial/Data Volume Thresholds


  • Revenue Threshold: Average annual gross revenues exceeding $20,000,000 (for 3 preceding calendar years), OR

  • Data Volume Threshold: Collects or processes personal information of 75,000 or more Massachusetts residents or households (during preceding calendar year), OR

  • Revenue Dependency: Derives more than 50% of revenue from transferring or selling covered data


Exemptions


  • State or local government agencies

  • Courts of Massachusetts

  • Entities covered under federal HIPAA (defined using 45 C.F.R. 160.103)

  • Business associates and healthcare entities subject to federal privacy standards

  • Individuals acting in a non-commercial context


Core Consumer Rights

MDPA establishes five fundamental consumer rights:

1. Right to Know


  • Right to know whether personal data is being collected

  • Right to know what data is collected

  • Right to know with whom data is shared


2. Right to Access


  • Right to access collected personal data

  • Right to obtain copies of personal data

  • Right to learn with whom personal data has been shared


3. Right to Correct


  • Right to correct inaccurate personal data

  • Covered entities must maintain correction procedures


4. Right to Delete


  • Right to request deletion of personal information

  • Covered entities must provide deletion capability


5. Right to Opt-Out


  • Right to opt out of personal data collection and processing for targeted advertising

  • Right to opt out of sale of personal data to third parties

  • Right to revoke opt-out consent

  • Opt-Out Preference Signal Compliance: Covered entities must honor consumer opt-out preference signals (even if the signal conflicts with the consumer's existing privacy settings)


Data Collection Limitations

General Standard: "Reasonably Necessary"


Covered entities can only collect personal data that is "reasonably necessary" to provide their product or service.

Sensitive Data Standard: "Strictly Necessary"


For sensitive covered data, collection is permitted ONLY when "strictly necessary" to provide or maintain a specific product or service requested by the consumer.

Sensitive Data Categories (Protected)

MDPA provides enhanced protections for sensitive data, including:

  1. Precise geolocation data

  2. Health care information

  3. Biometric data (face scans, fingerprint scans)

  4. Citizenship or immigration status

  5. Information about sex life

  6. Race, color, ethnicity, religion

  7. Sexual orientation

  8. Gender identity

  9. National origin

  10. Information pertaining to a child/minor


Absolute Prohibitions

Ban on Sale of Sensitive Data


  • No entity (including businesses and nonprofits) may sell sensitive covered data

  • Applies to all entities regardless of size


Ban on Sale of Minors' Data


  • Absolute prohibition on selling personal data of minors/children

  • Broader than general sensitive data sales ban


Targeted Advertising for Minors


  • Prohibition on using minors' personal data for targeted advertising

  • More protective standard for young people


Location Information Protections

MDPA incorporates Location Shield Act provisions (originally proposed as Chapter 93N):

Location Information Definition


  • Information derived from a device revealing present or past geographical location

  • Precision to identify street-level location within 1,850 feet or less

  • Applies to Massachusetts residents AND anyone visiting Massachusetts


Location Data Requirements


  1. Ban on Sale: Cannot sell location information (classified as sensitive data)

  2. Strict Necessity Standard: Can only collect if strictly necessary

  3. Location Privacy Policy: Must provide clear, conspicuous policy describing:

- Permissible purposes for collection/processing/disclosure
- Data processing and transfer activities
- Clear, understandable language

  4. Affirmative Consent: Must obtain explicit consent before collection

  5. Advance Notice: Must provide 20+ business days notice of policy changes


Special Location Protections


  • Protects reproductive health privacy - prohibits location tracking for those seeking reproductive health care

  • Protects LGBTQ+ and religious freedom - prevents location tracking that could reveal sensitive beliefs or community participation


Transparency Requirements

Covered entities MUST provide consumers with:

  1. Clear and Conspicuous Descriptions of:

- Any processing for targeted advertising
- Any sale of personal data to third parties
- Any profiling of consumers

  2. Opt-Out Procedures:

- Procedure by which consumers may opt out
- Manner in which consumers may exercise opt-out rights

  3. Privacy Policies:

- Accessible privacy policies
- Plain language explanations
- Regular updates when practices change

Service Provider/Processor Obligations

Covered entities may engage service providers/processors ONLY under written contracts that:

  1. Set forth data processing procedures (collection, processing, transfer)

  2. Define rights and obligations of both parties

  3. Include notification method for service provider to notify covered entity of material privacy practice changes

  4. Do NOT relieve either party of obligations under the Act


Service Provider Restrictions


  • May only collect/process/transfer data as instructed by covered entity

  • May only process data "to the extent necessary and proportionate" to provide services

  • Must cease processing if they have actual knowledge that the covered entity has violated the Act

  • Must assist covered entity in responding to consumer requests


Enforcement

Enforcement Authority

Massachusetts Attorney General (exclusive enforcement)

Specifically: Privacy & Responsible Technology Division (PRTD)

  • Website: https://www.mass.gov/data-privacy-and-security-division

  • Phone: (617) 727-2200


Enforcement Powers

The MDPA grants the Attorney General:

  • Broad regulatory authority to create regulations implementing the Act

  • Authority to enforce the Act's provisions

  • Authority to conduct investigations

  • Authority to bring civil enforcement actions


Enforcement Process

  1. Notice Requirement:

- Attorney General must issue notice of violation to the controller
- Exception: When cure is not possible or violation requires immediate enforcement

  2. Cure Period:

- Controller has 60 days after receipt of notice to cure violation
- Failure to cure allows Attorney General to initiate enforcement action

Penalties and Remedies

Civil Penalties:

  • Not more than $5,000 per violation

  • Multiple violations can result in escalating penalties


Additional Remedies Available:
  • Actual damages (including emotional distress)

  • Restitution

  • Disgorgement of profits

  • Investigative costs

  • Reasonable attorney's fees

  • Punitive damages

  • Injunctive relief


Records Retention for Enforcement


  • Covered entities must maintain records of rejected consumer requests for at least 24 months

  • Must provide copies of records to Attorney General upon request


No Private Right of Action


MDPA enforcement is exclusively through the Attorney General's office. No private right of action for individuals.

Relationship to Other Massachusetts Privacy Laws

MDPA integrates with and builds upon the existing Massachusetts privacy framework:

M.G.L. Chapter 214, Section 1B


  • Provides constitutional right to privacy protection

  • MDPA supplements this established privacy right


M.G.L. Chapter 93H (Data Breach Notification Law)


  • Requires notification "as soon as practicable and without unreasonable delay"

  • MDPA complements breach notification requirements

  • Both overseen by Massachusetts Attorney General


201 CMR 17.00 (Data Security Standards)


Complementary Framework:
  • 201 CMR 17.00 establishes security standards (HOW to protect data)

  • MDPA establishes use restrictions and consumer rights (WHAT entities can do with data)

  • Both apply to Massachusetts residents' personal information

  • MDPA builds on security foundation already required by 201 CMR 17.00


M.G.L. Chapter 93A (Unfair/Deceptive Trade Practices)


  • MDPA violations can be enforced under Chapter 93A's consumer protection framework

  • Allows Attorney General to seek injunctive relief and civil penalties


Comparison to Other Privacy Laws

Similarities to CCPA (California Consumer Privacy Act)


  • Consumer rights to know, delete, correct

  • Opt-out of sale of data

  • Restrictions on collection (necessity test)

  • Enhanced protections for minors

  • State Attorney General enforcement


Massachusetts MDPA Distinctions from CCPA


  • Stricter "strictly necessary" standard for sensitive data (CCPA uses "reasonably necessary" even for sensitive data)

  • Broader sensitive data category

  • Complete ban on sale of sensitive data (CCPA allows with disclosure)

  • Complete ban on sale of minors' data (CCPA has CPRA amendments addressing this)

  • Includes state-specific provisions (references to Massachusetts existing law framework)

  • Location Shield Act integration (comprehensive location data protections)


Similarities to GDPR (European)


  • Data subject rights to access, rectification, erasure

  • Purpose limitation and data minimization principles

  • Processing grounds for lawful activity

  • Enhanced protections for children

  • Data processor contractual requirements

  • Supervisory authority enforcement


Massachusetts MDPA Distinctions from GDPR


  • MDPA has financial/data volume thresholds; GDPR applies broadly

  • MDPA enforcement by AG only; GDPR has data protection authorities and private rights of action

  • GDPR more prescriptive; MDPA grants AG rulemaking authority

  • GDPR applies to all personal data; MDPA focuses on "covered data"

  • MDPA has no explicit consent mechanism like GDPR


Massachusetts-Specific Advantages

  1. Comprehensive Framework: Integrates seamlessly with existing MA privacy laws

  2. Bipartisan Support: Senate passed unanimously 40-0

  3. Enhanced Minor Protections: Strongest minor data protection provisions in the U.S.

  4. Location Privacy: Incorporates comprehensive location data protections

  5. Reproductive Health Privacy: Specific protections for those seeking reproductive health care

  6. Attorney General Enforcement: Experienced AG Privacy & Responsible Technology Division

  7. Business Thresholds: Protects small businesses through reasonable thresholds


Compliance Preparation (if enacted)

Organizations should prepare for MDPA compliance:

Immediate Actions


  1. Inventory Personal Data: Identify all MA resident personal data collected

  2. Classify Sensitive Data: Identify health, location, biometric, minors' data

  3. Review Third-Party Contracts: Ensure service provider agreements comply

  4. Assess Thresholds: Determine if entity meets covered entity thresholds

  5. Document Data Flows: Map how data is collected, processed, shared, sold


Pre-Implementation (Before January 1, 2027)


  1. Develop Privacy Policies: Create or update privacy policies

  2. Implement Consumer Rights Infrastructure:

- Access request mechanisms
- Deletion procedures
- Correction processes
- Opt-out systems

  3. Stop Prohibited Practices:

- Cease sale of sensitive data
- Cease sale of minors' data
- Cease targeted advertising to minors

  4. Train Employees: Educate workforce on MDPA requirements

  5. Establish Location Privacy Policy: If collecting location data

  6. Implement Opt-Out Preference Signals: Honor browser-based opt-out signals
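One way a covered entity could wire the opt-out preference signal rule (the signal must win even when it conflicts with the consumer's stored settings) together with the minors' ban, as an added example that is not from the bill or any official guidance. It assumes the browser signal arrives as the Global Privacy Control request header `Sec-GPC: 1`; the stored-preference dictionary, the "permitted until the consumer opts out" default, and all function and field names are this example's own.

```python
"""Decide whether targeted advertising and data sales are permitted for one request.
Added example, not from the bill text. Assumed: the opt-out preference signal is
the Global Privacy Control header "Sec-GPC: 1"; the stored-preference shape, the
"permitted until opted out" default and all names here are this example's own.
"""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class Decision:
    targeted_advertising: bool   # True = processing for targeted ads is permitted
    sale_to_third_parties: bool  # True = sale of the consumer's data is permitted
    source: str                  # which rule produced the outcome (for audit records)


def parse_opt_out_signal(headers: Mapping[str, str]) -> bool:
    """Return True if the request carries a valid opt-out preference signal."""
    # HTTP header names are case-insensitive; only the exact value "1" is a signal.
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: Mapping[str, str],
                    stored_preference: Optional[dict],
                    is_minor: bool) -> Decision:
    """Combine the per-request signal with the consumer's stored settings."""
    # Minors' data may never be sold or used for targeted advertising,
    # whatever the stored settings or the signal say.
    if is_minor:
        return Decision(False, False, "minor-ban")
    # The signal wins even when the stored preference says the consumer
    # opted back in; revoking an earlier opt-out does not override it.
    if parse_opt_out_signal(headers):
        return Decision(False, False, "opt-out-signal")
    if stored_preference is None:
        # Assumed default: processing is permitted until the consumer opts out.
        return Decision(True, True, "default")
    # Stored settings are consulted only when no signal is present.
    return Decision(
        targeted_advertising=not stored_preference.get("targeted_ads_opt_out", False),
        sale_to_third_parties=not stored_preference.get("sale_opt_out", False),
        source="stored-preference",
    )


if __name__ == "__main__":
    # Constructed sample: consumer opted back in on the site, browser signals opt-out.
    print(resolve_opt_out({"Sec-GPC": "1"},
                          {"targeted_ads_opt_out": False, "sale_opt_out": False},
                          is_minor=False))
```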


Post-Implementation (After January 1, 2027)


  1. Maintain Compliance Records: Keep 24+ months of consumer request records

  2. Monitor AG Guidance: Follow Attorney General rulemaking and guidance

  3. Conduct Annual Reviews: Review and update privacy practices

  4. Respond to Consumer Requests: Process requests within required timeframes

  5. Prepare for Enforcement: Maintain documentation for AG inquiries


Summary Table: MDPA Overview

Element | Details
------- | -------
Official Name | An Act establishing the Massachusetts data privacy act
Bill Numbers | S.2608 (Senate), H.4746 (House)
Legislature | 194th General Court of Massachusetts
Senate Status | Passed unanimously 40-0 (Sept 25, 2025)
House Status | Committee reported favorably (Nov 17, 2025)
Current Status | PENDING - Not yet enacted
Effective Dates (if enacted) | Section 1: Jan 1, 2027; Section 2: June 1, 2027
Covered Entities | $20M+ annual revenue OR 75K+ MA residents' data OR 50%+ revenue from data sales
Consumer Rights | Know, Delete, Correct, Opt-Out (of sale/targeted ads), Access
Sensitive Data | Location, health, biometrics, immigration status, protected characteristics, minors' data
Bans | Sale of sensitive data; Sale of minors' data; Targeted ads for minors
Enforcement | Massachusetts Attorney General (Privacy & Responsible Technology Division)
Penalties | Up to $5,000 per violation, actual damages, restitution, punitive damages
Private Right of Action | No - AG enforcement only
Unique Features | Strict "strictly necessary" standard for sensitive data; Complete bans on minor data sales; Location Shield Act integration; Reproductive health privacy protections

Official Government Contact

Massachusetts Attorney General - Privacy & Responsible Technology Division:

  • Website: https://www.mass.gov/data-privacy-and-security-division

  • Phone: (617) 727-2200

  • Address: 250 Washington St., 2nd floor, Boston, MA 02108-4619


Legislative Updates:
  • Massachusetts Legislature: https://malegislature.gov/Bills/194/S2608

  • Bill History: https://malegislature.gov/Bills/194/S2608/BillHistory

Applicable Industries

All Industries: Technology and Software, Healthcare, Financial Services, Retail and E-commerce, Education, Telecommunications, Media and Entertainment, Professional Services, Real Estate, Manufacturing, Government Contractors

Company Size

Applies to covered entities meeting thresholds: $20M+ revenue OR 75K+ MA residents' data OR 50%+ revenue from data sales. Small businesses below the thresholds are exempt.

Effective Date

1/1/2027

Penalties for Non-Compliance

If enacted: Civil penalties up to $5,000 per violation. Additional remedies: actual damages, emotional distress damages, restitution, disgorgement of profits, investigative costs, attorney fees, punitive damages, injunctive relief. 60-day cure period before enforcement.

Massachusetts-Specific Requirements

MDPA is PENDING LEGISLATION. Passed Massachusetts Senate unanimously 40-0 on September 25, 2025. Currently awaiting House approval and Governor Maura Healey signature. If enacted, Massachusetts will join California, Colorado, Connecticut, and Virginia with comprehensive state privacy law. MDPA builds upon existing MA frameworks (201 CMR 17.00, M.G.L. c. 93H) and provides enhanced consumer rights for Massachusetts residents and visitors.

For Massachusetts Companies

This is a Massachusetts-specific regulation that applies to companies operating in or serving residents of Massachusetts. All relevant Massachusetts companies must comply.
