SENATE, No. 160

By Mr. Barrios, a petition (accompanied by bill, Senate, No. 160) of Jarrett T. Barrios, William N. Brownsberger, Mark C. Montigny, Brian A. Joyce and other members of the General Court for legislation to establish the protection of personal information. Consumer Protection and Professional Licensure.

The Commonwealth of Massachusetts


In the Year Two Thousand and Seven.


AN ACT establishing the protection of personal information

Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:

SECTION 1. Chapter 24A of the General Laws is hereby amended by adding the following 3 sections:-

Section 6.  In the course of administering chapter 66B, the office shall:

(1) engage in a public awareness campaign publicizing a data subject’s rights under said chapter 66B, including the posting of the new law on the office’s webpage and undertaking any other methods reasonably calculated to inform a data subject of his new legal rights under said chapter 66B;

(2) inform a commercial entity doing business in the commonwealth of its duties under said chapter 66B; and

(3) establish a procedure by which a data subject can easily and promptly register a complaint about a commercial entity’s or third party’s failure to comply with said chapter 66B.

Section 7.  (a) If the office finds that a commercial entity or third party violated chapter 66B, it shall levy a fine of not more than $5,000 per violation.  The office shall determine the amount of this fine by considering:

(1) the egregiousness of the violation;

(2) the party’s past violations of chapter 66B;

(3) the threat that the violation poses to the integrity and security of a data subject’s personal data; and

(4) the effect the violation has on this act’s ability to ensure a data subject’s privacy.

(b) The office may refer any perceived material violation of this act to the attorney general’s office for further investigation.

Section 8.  The office may promulgate regulations to assist in the administration of its duties under chapter 66B, which shall be promulgated pursuant to the procedures for regulations not requiring hearings as set forth in section 3 of chapter 30A.

SECTION 2.  Title X of the General Laws is hereby amended by striking out the title and inserting in place thereof the following title:-

PUBLIC RECORDS AND PERSONAL DATA.

SECTION 3.  The General Laws are hereby amended by inserting after chapter 66A the following chapter:-

CHAPTER 66B.

PERSONAL INFORMATION PROTECTION.

Section 1.  As used in this chapter, the following words shall have the following meanings unless the context clearly requires otherwise:

(a) “Commercial entity”, an entity that collects information in the course of its commercial dealings, including, but not limited to associations, businesses, charitable organizations, clubs, government entities, professional practices and unions.

(b) “Data collection program”, a program by which a commercial entity collects personal data and creates a system of records so that personal data can be retrieved by using the data subject’s identity.

(c) “Data subject”, an individual to whom personal data refers; provided, however, that “data subject” shall not include corporations, corporate trusts, partnerships, limited partnerships, trusts or other similar entities.

(d) “Office”, the office of consumer affairs and business regulation.

(e) “Opt out”, to cease participation in a data collection program without incurring any unreasonable discrimination or disruption in service and receiving the same quality of service as before.

(f) “Personal data”, information that a commercial entity or third party can associate with a particular individual because the information contains a name, description, unique number or identifying mark, including, but not limited to, zip code, phone number, address or social security number.

(g) “Processor”, the third party that obtains personal data to perform a contracted business function for a commercial entity, including, but not limited to, processing a payment, administering a warranty and evaluating customer credit.

(h) “Public records”, all books, papers, maps, photographs, recorded tapes, financial statements, statistical tabulations, or other documentary materials or data, regardless of physical form or characteristics, made or received by an officer or employee of an agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose; provided, however, that “public records” shall not include the exceptions to that term as set forth in clause Twenty-sixth of section 7 of chapter 4.

(i) “Third-party”, an entity that obtains personal data from a commercial entity, including, but not limited to, an association, business, charitable organization, club, governmental body, institution, professional practice and union.

Section 2.  A data subject may opt out of a commercial entity’s data collection program at any time and without charge.

Section 3.  A data subject who believes a commercial entity or third party has violated this chapter may seek redress by any of the following:  (i) the commercial entity’s grievance procedures as established pursuant to clause (6) of subsection (b) of section 4; (ii) the office’s complaint registering procedure established in subsection (c) of section 6 of chapter 24A; or (iii) an independent cause of action in the district or superior court department of the trial court.

Section 4.  (a) A commercial entity that collects personal data shall, at the point of data collection, conspicuously post a written privacy policy that complies with this chapter which shall clearly and simply:

(1) identify the purposes for which the commercial entity collects personal data;

(2) limit itself to only collecting personal data necessary to serve the purposes the commercial entity has set forth pursuant to clause (1);

(3) commit itself to retaining personal data for only as long as necessary to serve the purposes the commercial entity has set forth pursuant to clause (1);

(4) detail the circumstances in which the commercial entity may distribute personal data to third parties;

(5) detail how the commercial entity ensures the accuracy and security of personal data;

(6) state that, upon a data subject’s request, the commercial entity shall allow the data subject access to the commercial entity’s store of that data subject’s personal data;

(7) establish a method for a data subject to correct erroneous information;

(8) inform a data subject, in conspicuous and bold font, that he may opt out of the commercial entity’s data collection program at any time and free of charge;

(9) detail the procedure by which a data subject may opt out of the data collection program; and

(10) provide a data subject with further resources that provide information about more specific aspects of the commercial entity’s information collection policies and procedures.

(b) A commercial entity that collects personal data shall:

(1) designate an individual immediately responsible for ensuring compliance with this chapter;

(2) inform all individuals who have a role in the design, development, operation or maintenance of the data collection program of: (i) the requirements of this chapter; and (ii) each regulation promulgated by the office pursuant to section 8 of chapter 24A;

(3) limit its use of personal data to those uses necessary to serve the purposes the commercial entity has set forth pursuant to subsection (a);

(4) establish a procedure by which a data subject may opt out of a commercial entity’s data collection program at any time and free of charge, and a commercial entity shall ensure that this procedure does not require the data subject to perform overly burdensome tasks to opt out of the data collection program;

(5) take all reasonable steps to ensure the security and accuracy of the personal data it collects and retains; provided, however, that a commercial entity shall take reasonable precautions to protect personal data from fire, theft, flood, natural disaster, unintended dissemination or other physical threat; and

(6) establish a reasonably simple procedure by which a data subject can file a grievance with the individual responsible for ensuring the commercial entity’s compliance with this chapter.

(c) A commercial entity that collects personal data shall not obtain a public record pursuant to its data collection program for the purpose of obtaining the personal data that the public record contains.

(d) Notwithstanding any general or special law to the contrary, a commercial entity that collects personal data shall not divulge such data to a third party that is not acting as a processor.

Section 5.  A processor who obtains personal data from a commercial entity shall only keep the personal data for as long as it reasonably takes to accomplish its processing task.

Section 6.  To assist the office in enforcing this chapter, a trial court:-

(1) shall recognize a violation of this act as a per se deceptive trade practice under chapter 93A;

(2) may impose such equitable relief as it finds reasonably necessary to accomplish the objectives of this chapter, including an injunction and specific performance;

(3) shall not preclude other grounds for recovery that a data subject may have against a commercial entity or third party;

(4) shall resolve all ambiguity in favor of protecting a consumer’s privacy; and

(5) shall not recognize a cause of action under this chapter after 3 years from the date of an alleged violation.

SECTION 4.  Section 1 of chapter 161A of the General Laws, as appearing in the 2002 Official Edition, is hereby amended by inserting after the definition of “Capital investment program” the following 2 definitions:-

“Data collection program”, a program by which a commercial entity collects personal data and creates a system of records so that personal data can be retrieved by using the data subject’s identity.

“Data subject”, an individual to whom personal data refers; provided, however, that “data subject” shall not include a corporation, corporate trust, partnership, limited partnership, trust, or other similar entity.

SECTION 5.  Said section 1 of said chapter 161, as so appearing, is hereby further amended by inserting after the definition of “Passenger miles” the following 2 definitions:-

“Personal data”, information that a commercial entity or third party can associate with a particular individual because the information contains a name, description, unique number or identifying mark, including, but not limited to, zip code, phone number, address or social security number.

“Processor”, the third party that obtains personal data to perform a contracted business function for a commercial entity, including, but not limited to, processing a payment, administering a warranty and evaluating customer credit.

SECTION 6.  Said section 1 of said chapter 161, as so appearing, is hereby further amended by inserting after the definition of “Rider” the following definition:-

“Ridership data”, information that details the time and location at which a rider utilized the authority’s services.

SECTION 7.  Said section 1 of said chapter 161, as so appearing, is hereby further amended by adding the following definition:-

“Third-party”, an entity that obtains personal data from a commercial entity, including, but not limited to, an association, business, charitable organization, club, governmental body, institution, professional practice and union.

SECTION 8.  Said chapter 161A of the General Laws is hereby amended by adding the following 2 sections:-

Section 49.   Personal data collected by the authority shall not be linked, or capable of becoming linked, to ridership data for a passenger. 

Section 50.  Notwithstanding any general or special law to the contrary, the authority shall not share personal data with a third party that is serving as a processor.

SECTION 9.  Within 120 days after the effective date of this act, a commercial entity shall mail a copy of the privacy policy the commercial entity shall post pursuant to subsection (a) of section 4 to a data subject for which the commercial entity has a physical or electronic mailing address.

SECTION 10.  The director of consumer affairs and business regulation shall monitor and evaluate the enforcement and effectiveness of chapter 66B of the General Laws.  The director shall file a report with the appropriate committees of the general court concerning its evaluation not later than 2 years after the effective date of said chapter 66B.