Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)


Massachusetts has revised its data privacy regulations one more time. The revised regulations are less demanding than the original version released over a year ago. But this law is still the strictest in the country and will be the de facto law of the land for many companies.

The Office of Consumer Affairs and Business Regulation (OCABR) released a press release announcing that the revised regulations have been filed with the Secretary of State and published on the OCABR website.

Fortunately, Gabriel M. Helmer of Foley Hoag’s Security & Privacy practice produced a redline showing the changes.

There are very few changes to the regulations that were released in August:

  • The Massachusetts Data Privacy regulations apply to anyone who “stores” personal information, in addition to those who receive, maintain, process, or otherwise have access to personal information.
  • Service Providers now include anyone who “stores” personal information through their provision of services to anyone who is subject to the regulations, in addition to those who receive, maintain, process, or otherwise are permitted access to personal information.
  • The U.S. Postal Service is no longer expressly excluded from the definition of “Service Providers.”
  • Service Provider agreements entered into before March 1, 2010 do not have to be amended to comply with these regulations until March 1, 2012.

The effective date is still March 1, 2010.

The regulations apply to personal information of Massachusetts residents. The reach of the regulations is not limited to businesses in Massachusetts.



12 Responses to Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)

  1. DLanphear December 7, 2009 at 12:49 pm #

    If this applies to anyone who receives personal information or otherwise accesses personal information, what does this mean about online social networks? I can access a lot of personal information about my Massachusetts friends via Facebook, etc. Could a lawsuit be brought against an individual if their Facebook is compromised and their friends’ data breached?

    • Doug Cornelius December 7, 2009 at 2:02 pm #

      The definition of “personal information” is the key to your question. Facebook clearly collects lots of personal information, but not the “Personal Information” defined under Massachusetts law:

      Personal information, a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

      Since Facebook does not collect SSNs or financial account info, I don’t think the kind of breach you mention is covered under the law.

  2. JParent December 18, 2009 at 10:34 am #

    Does it apply to law firms?

    • Doug Cornelius December 18, 2009 at 10:46 am #

      If you have a Massachusetts client’s name and their Social Security number, then you are subject to this law. If you get a W-9 or tax filings or other filings through email and those filings have a Massachusetts client’s name and their Social Security number, then that means your laptop and BlackBerry need to be encrypted. Your document systems need to be secure and you need proper protocols in place.

      • JParent December 18, 2009 at 10:51 am #

        Thank you.

  3. Anonymous February 16, 2010 at 1:51 pm #

    Are other states following MA’s lead? If so, how do I find out which states?

  4. Stacy March 23, 2010 at 4:27 pm #

    Hi. Just wondering if this law went into effect on March 1, 2010 or if it was extended again.



  1. Massachusetts Amends Strict Data Privacy Law (Again) | Compliance Building - February 3, 2010

    […] UPDATE: Another revision was published on November 5, 2009. See: Massachusetts Amends Its Strict Data Privacy Law (Yet, Again) […]

  2. National Data Privacy Laws Move Forward | Compliance Building - November 29, 2010

    […] last week’s further revisions to the Massachusetts Data Privacy Law [Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)], people are wondering if the federal government is going to step into the space and create a […]

  3. Data Accountability and Trust Act Passed by House | Compliance Building - December 17, 2010

    […] This bill would preempt any state laws in the area, wiping out the Massachusetts Data Privacy Law [Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)]. […]

  4. Massachusetts Data Security Regulations Final Amendments Released | InfoLawGroup - September 6, 2012

    […] Here is the final version of the Regulations. Doug Cornelius has a great analysis here. The effective date of the regulations is still March 1, 2010. […]