Massachusetts Amends Its Strict Data Privacy Law (Yet, Again)


Massachusetts has revised its data privacy regulations one more time. The revised regulations are less demanding that the original version released over a year ago. But this law is the strictest in the country and will be the de facto law of the land for many companies.

Office of Consumer Affairs and Business Regulation released a press release announcing that revised regulations have been filed with the Secretary of State and published on the OCABR website.

Fortunately, Gabriel M. Helmer of Foley Hoag’s Security & Privacy practice produced a redline showing the changes.

There are very few changes to the regulations that were released in August:

  • The Massachusetts Data Privacy regulations apply to anyone who “stores” personal information, in addition to those who receive, maintain, process, or otherwise have access to personal information.
  • Service Providers include anyone who “stores” personal information through their provision of services to anyone is subject to the regulations, in addition to those who receive, maintain, process, or otherwise are permitted access to personal information.
  • The U.S. Postal Service is no longer expressly excluded from the definition of “Service Providers.”
  • Service Provider agreements entered into before March 1, 2010 do not have to be amended to comply with these regulations until March 1, 2012.

The effective date is still March 1, 2010.

The regulations apply to personal information of Massachusetts residents. The reach of the regulations is not limited to businesses in Massachusetts.