Massachusetts bill follows latest Privacy Law standards
Lizzy Hill · 2025-10-04 · via Privacy Ref


Last month, the Massachusetts Senate passed a privacy bill with amendments. The Massachusetts Data Privacy Act (MDPA) in many ways follows the new wave of US state privacy laws such as the Maryland Online Data Privacy Act (MODPA), which came into effect on October 1st, although in other ways its provisions are unique. Elements of the bill build upon the state laws that have come into effect in 2025 while adding rights and processing limitations.

1. Middle-of-the-road scope

Maryland, Delaware, and New Hampshire’s laws set some of the lowest thresholds for organizations: processing 10,000 consumers’ personal information while deriving 20% of gross revenue from its sale, or otherwise processing 35,000 consumers’ personal information without reaching the 20% of gross revenue from selling personal information. States such as Virginia had set the old standard at 100,000 consumers’ personal information, or 25,000 consumers with 50% of gross revenue from sale.

Massachusetts’ scope is safely in the middle between the old and the new standard while also incorporating a new angle. The bill would apply to organizations processing any amount of reproductive or sexual health data of consumers; 20,000 consumers’ personal data if 30% of the organization’s revenue is from the sale of personal data; or 60,000 consumers’ personal data.

2. New data subject rights specific to profiling

The MA bill would provide Massachusetts consumers with the same rights as most of the existing consumer laws: to confirm processing; obtain a list of third parties; correct personal data; delete personal data; obtain a copy; opt out of sale, targeted advertising, and profiling; and revoke consent.

New rights that the bill provides include rights to question the results of profiling, to be informed of the reason why profiling resulted in the decision made, to be informed about what actions the consumer could have taken to secure a different decision and how to do so in the future, and to review the personal data used for profiling. These align with the proposed regulation out of California on automated decision-making technology, which would require providing an explanation of the profiling process and how profiling is used in decision-making. Both of these proposals may be read as attempts to regulate the use of artificial intelligence.

The list of consumer rights provided in Massachusetts, however, is noticeably missing two items that have appeared in most of the laws that have come into effect most recently: the right to limit the use and disclosure of sensitive information, and the requirement for websites to honor universal opt-out mechanisms.

3. Data processing limitations for sensitive data

Instead of providing a right to consumers to limit the use of sensitive data, the Massachusetts bill establishes strict standards for organizations using sensitive data at all. In this way, it follows the precedent set by MODPA, which requires prior opt-in consent for processing sensitive personal data, limits collection and processing to what is strictly necessary or requested by the consumer, and prohibits any other use or collection of sensitive data, especially selling.

The MDPA similarly limits all collection, processing, and transferring of sensitive data to what is strictly necessary or related to a service requested by the consumer. It requires affirmative consent for the transfer of sensitive data. It also specifically prohibits the sale of precise geolocation data separately from the prohibition of selling sensitive data.

As the Massachusetts bill appears fairly standard while restricting processing in relatively new ways, some are already calling it a strong bill that doesn’t place unnecessary burdens on applicable organizations. Massachusetts lawmakers have historically shown a willingness to implement and enforce information security protections and contributed to the drafting of laws such as the Children’s Online Privacy Protection Act, so adding privacy protections for consumers at the state level is no surprise.

Privacy Ref will continue to watch the bill for further amendments and update our products such as the US Law Framework should the bill become law. While we are still waiting on the possibility of a comprehensive federal privacy law, states have stepped up to protect their citizens, and regulations and updates are coming in regularly.