By Tim Rollins
Massachusetts Can Help Usher in a New Era of Privacy Protection in the US
With the rapid growth of facial recognition, social media and targeted advertising, consumers around the world are not just feeling exposed but cynical about the state of privacy. The few Massachusetts laws addressing consumer data privacy rights are extremely limited. The Massachusetts Information Privacy Act (MIPA, Bill S.46) combines best practices from other jurisdictions like California, Illinois, and the EU to protect people’s privacy, safety, and financial security in the digital world. When passed, this bill could revolutionize data-privacy legislation in the United States.
Technologies that combine facial recognition, sensors, and GPS to extract intimate data from faces, voices, and whereabouts, data that is highly susceptible to misuse and harm, are on the radar. MIPA combines the core duties and rights with specific conduct prohibitions. Organizations that collect, store, process and use customer data will be subject to formidable duties of confidentiality, care, and loyalty.
Introduced by Sen. Cynthia Stone Creem (D) in March 2021, MIPA would create a new agency, the Massachusetts Information Privacy Commission, with enforcement and regulatory authority, and would impose prohibitions and specific protections on the collection and processing of biometric or location information (including a requirement for handwritten consent) and on electronic monitoring of employees. The bill also requires organizations to create a policy establishing guidelines for retaining and destroying biometric identifiers. Failure to comply would result in fines of more than $5,000 per violation.
What You Need to Know
- Duty of confidentiality: Organizations would be prohibited from selling customer data without ensuring that the recipient of their data is contractually bound to the same duties of confidentiality, care, and loyalty.
- Duty of care: Organizations will be obligated to better protect data against unauthorized access by hackers and snoops.
- Duty of loyalty: Organizations will be required to not use personal data or information derived from personal data in ways that: (1) benefit themselves to the detriment of an individual, (2) result in reasonably foreseeable and material physical or financial harm to an individual, or (3) would be unexpected and highly offensive to a reasonable individual.
Expert Analysis from Travis Brennan, Chair, Privacy and Data Security Practice, Stradling Law
MIPA is significant in the evolution of US privacy law for at least a couple of reasons.
First, MIPA is the latest example of how biometric data is now firmly ensconced as a “special category” of personal information deserving of heightened protection under state privacy laws. For example, in California, biometric data recently joined the short list of data points that may trigger a business’s obligation to notify impacted individuals and law enforcement if they are compromised as a result of a security breach. With these and other changes in California law, Illinois’ BIPA, newly enacted comprehensive privacy legislation in Virginia and Colorado, and now the potential enactment of MIPA, all U.S. businesses should ensure they have effective policies and processes in place to avoid, or at least minimize, the collection and retention of biometric data and other categories of sensitive personal information.
Second, MIPA takes a bold step beyond America’s traditional “notice and choice” framework of protecting privacy rights by imposing affirmative duties of confidentiality, care and loyalty on businesses vis-à-vis consumers. Traditionally, U.S. corporations have only owed these types of duties to their shareholders. This “fiduciary duty” paradigm of privacy regulation has appeared in some privacy bills introduced at the federal level, but none of those bills appear close to passage in either house of Congress, let alone becoming law. If MIPA is enacted, it will set a new benchmark that may cause more policymakers to rethink the philosophical underpinnings of US privacy law, in a way that could have profound implications for consumers and regulated businesses.
Data Privacy Tip
Link your data management engine with multiple privacy, legal and business regulatory obligations to substantiate your decisions based on rich, contextual data insights. Ask us how!