AIM Works with Conferees on Data Privacy Bill

Posted on June 15, 2026

By Sam Larson
Vice President, Government Affairs

Associated Industries of Massachusetts is working with members of a legislative conference committee to develop a final data-privacy bill that protects consumers without harming business.

The Massachusetts House of Representatives unanimously passed a measure last week that establishes limits on corporate data collection, restricts the sale of sensitive personal information, and grants consumers new rights to control their digital footprints.

The House should be commended for addressing the complex issue of data privacy, but AIM remains extremely concerned that the bill institutes a “private right of action” that will allow individuals to sue businesses for perceived violations of data privacy. While the text of the statute purports to limit the private right of action to “large data holders,” the mere existence of a private right of action will generate thousands of lawsuits against businesses of all sizes, significantly impacting the business community in the Commonwealth without benefiting consumers.

No other state with a comprehensive privacy law has a private right of action. Other states have developed a bipartisan consensus to vest enforcement authority with attorneys general.

The state Senate passed its own data-privacy bill in September that does not contain a private right of action. The Senate bill contains a stricter data minimization standard than the House bill, which limits how all businesses can use data. The Conference Committee will now attempt to iron out differences between the two chambers.

If the House bill becomes law, any business sued for a data privacy violation will need to affirmatively demonstrate that it does not meet the large data holder threshold. In practice, a business that cannot quickly and conclusively prove it falls below those thresholds faces immediate exposure to private litigation, regardless of the merits of the underlying claim.

“Businesses will bear the burden of proving that they’re not large data holders and will likely settle because it is cheaper than litigating,” said Brooke Thomson, President and CEO of AIM.

The substance of the bill would require affirmative consent before sensitive information can be sold or shared, ban the sale of precise geolocation data, create special protections for minors, and authorize enforcement by the attorney general and, in some cases, private individuals. The bill would apply to companies that control or process personal data on at least 100,000 consumers (60,000 consumers in the Senate bill) and includes a carveout designed to shield loyalty programs from some enforcement provisions.

Please contact me at slarson@aimnet.org if you have questions or comments on the proposed data-privacy legislation.