The Massachusetts Information Privacy and Security Act (MIPSA) continues to move through the state’s legislative process and is now before the entire legislature. Although the law has several hurdles to clear before it becomes law, it is notable for two reasons. First, the comprehensive nature of MIPSA illustrates the direction that state data protection laws are heading in the absence of a comprehensive federal consumer data protection law. Second, given the borderless nature of e-commerce, the strongest national consumer data protection law is likely to become the de facto national consumer data protection law, and MIPSA could take that title. This article highlights important parts of the current version of the law.
Who is protected?
MIPSA protects the personal information of Massachusetts residents.
Who is subject to MIPSA?
The law applies to an entity whose aggregate annual revenue exceeds $25 million; determines the purposes and means of processing the personal information of at least 100,000 individuals; or is a data broker. In addition, the entity conducts business in the state or, if it is not physically present in the state, processes personal information in connection with the provision of goods or services to residents of the State or monitors the behavior of residents in the State. Where an entity does not meet these criteria, it may voluntarily certify to the state attorney general that it is in compliance with and agrees to be bound by MIPSA.
Are certain entities exempt?
Massachusetts state government agencies and agencies, national securities associations, and registered futures associations are exempt.
What data is protected?
MIPSA applies to personal information of a Massachusetts resident, which is defined as information that identifies, relates to, describes, is reasonably likely to be associated with, or could reasonably be linked, directly or indirectly, to an identified individual. or identifiable. Personal information does not include anonymized information or publicly available information. For the limited purposes of a sale, personal information also includes information that identifies, relates to, describes, is reasonably likely to be associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable household.
Does the law include special protections for sensitive information?
The law provides enhanced protections for sensitive information. These include the right to notice of collection and use, and the right to limit use and disclosure to those purposes necessary to perform the services or provide the requested goods, and for other authorized internal Controller uses. by the law.
Sensitive information is personal information that reveals an individual’s racial or ethnic origin, religious beliefs, philosophical beliefs, trade union membership, citizenship or immigration status. This also includes biometric information or genetic information that is processed for the purpose of uniquely identifying an individual; personal information regarding a resident’s mental or physical health diagnosis or treatment, sex life or sexual orientation; specific geolocation information; a child’s personal information; a social security number, driver’s license number, military ID number, passport number, or government-issued identification card number; and a financial account number, credit or debit card number, with or without a required security code, access code, personal identification number or password, which would allow access to the financial account of an individual.
Is personal information exempt from the Act?
Health information protected under HIPAA is exempt, as are certain health data, information, and records created under HIPAA and the State of Massachusetts. Exempt data also includes data collected, processed or regulated in relation to clinical trials, the Health Care Quality Improvement Act of 1986, the Patient Safety and Quality Improvement Act , FCRA, Driver Privacy Act, FERPA, Farm Credit Act, GLBA, COPPA, Massachusetts Health Insurance Connector, and Preferred Provider Agreements.
Does MIPSA apply to employee personal information or information collected in the B2B context?
The law also exempts personal information collected and processed in the context of an individual acting as a job applicant, employee, or agent or independent contractor of a controller, processor, or third party. , including emergency contact information and information used to administer the benefits of another person related to the individual.
Information collected and used in connection with an individual acting in a commercial context is exempt.
What are the controller’s obligations under MIPSA?
The law creates a positive obligation to implement appropriate technical and organizational safeguards to ensure information security. In addition, the controller must have a legal basis to process the personal information. Processing must be carried out in a fair and transparent manner, which includes providing appropriate privacy notices at or before the point of collection. The controller must collect personal information for an identified and legitimate purpose and the processing must be limited to what is necessary to achieve the purpose. Information must be accurate and kept only as long as necessary to fulfill the purpose for which it was collected. For processing likely to involve a high risk of harm to individuals, the controller may be required to carry out a risk assessment. When engaging a processor, the controller must enter into a data processing agreement with the processor containing mandatory provisions designed to ensure the confidentiality and security of personal information.
What are the rights of protected persons?
Massachusetts residents have the right to know, access, transfer, delete and correct their personal information, subject to certain limitations. The law also provides the right to object to the sale of personal information and to limit the use and disclosure of sensitive information, including with respect to targeted advertising. The data controller is prohibited from discriminating against the individual for the exercise of any of these rights.
Can my organization be sued for breaking the law?
MIPSA does not include a private cause of action for violation of law. However, the bill also amends the state’s data breach notification law to provide residents with a private right of action when their personal information has been subject to a data breach resulting from the the entity’s inability to implement reasonable safeguards.
How will the law be enforced?
The State Attorney General is authorized to initiate a civil investigation when there is reasonable cause to believe that an entity has engaged, is engaging, or is about to engage in a breach of the law. After notice, the entity will have 30 days to remedy the violation. In the event the entity fails to remedy, the Attorney General may seek a temporary restraining order, preliminary injunction, or permanent injunction to prevent any violation r and may seek civil penalties of up to $7,500 $ for each violation.
MIPSA sets the bar high for data protection practices. Whether enacted in whole or in part, the law provides a roadmap for where data protection laws go. Many state laws proposed in 2022 follow or exceed the protections introduced by the CCPA. Preparing to comply with each more comprehensive law will require ongoing data mapping, ongoing evaluation and development of written information security programs, thorough review of vendor relationships and agreements, risk assessments, and up-to-date training on employee data protection and security awareness.
We will continue to monitor the progress of this bill.
© 2022 Jackson LewisNational Law Review, Volume XII, Number 46