Massachusetts bill follows latest Privacy Law standards
Lizzy Hill · 2025-10-04 · via Privacy Ref

Last month, the Massachusetts Senate passed a privacy bill with amendments. In many ways, the Massachusetts Data Privacy Act (MDPA) seems to follow the new wave of US state privacy laws such as the Maryland Online Data Privacy Act (MODPA), which came into effect on October 1st, although in other ways its provisions are unique. Elements of the law build upon the state laws that have come into effect in 2025 while adding further rights and processing limitations.

1. Middle-of-the-road scope

Maryland, Delaware, and New Hampshire’s laws set some of the lowest thresholds for organizations: processing 10,000 consumers’ personal information while deriving 20% of gross revenue from its sale, or otherwise processing 35,000 consumers’ personal information without reaching the 20% of gross revenue from selling personal information. States such as Virginia had set the old standard at 100,000 consumers’ personal information, or 25,000 consumers with 50% of gross revenue from sale.

Massachusetts’ scope is safely in the middle between the old and the new standard while also incorporating a new angle. The bill would apply to organizations processing any amount of reproductive or sexual health data of consumers; 20,000 consumers’ personal data if 30% of the organization’s revenue is from the sale of personal data; or 60,000 consumers’ personal data.

2. New data subject rights specific to profiling

The MA bill would provide Massachusetts consumers with the same rights as most of the existing consumer laws: to confirm processing; obtain a list of third parties; correct personal data; delete personal data; obtain a copy; opt out of sale, targeted advertising, and profiling; and revoke consent.

New rights that the bill provides include rights to question the results of profiling, to be informed of the reason why profiling resulted in the decision made, to be informed about what actions the consumer could have taken to secure a different decision and how to do so in the future, and to review the personal data used for profiling. These align with the proposed regulation out of California on automated decision-making technology, which would require providing an explanation of the profiling process and how profiling is used in decision-making. Both of these proposals may be read as attempts to regulate the use of artificial intelligence.

The list of consumer rights provided in Massachusetts, however, is noticeably missing the right to limit the use and disclosure of sensitive information and the requirement for websites to honor universal opt-out mechanisms, both of which have appeared in most of the laws that have come into effect most recently.

3. Data processing limitations for sensitive data

Instead of giving consumers a right to limit the use of sensitive data, the Massachusetts bill establishes strict standards for organizations using sensitive data at all. In this way, it follows the precedent set by MODPA, which requires prior opt-in consent for processing sensitive personal data, limits collection and processing to what is strictly necessary or requested by the consumer, and prohibits any other use or collection of sensitive data, especially selling.

The MDPA similarly limits all collection, processing, and transferring of sensitive data to what is strictly necessary or related to a service requested by the consumer. It requires affirmative consent for the transfer of sensitive data. It also specifically prohibits the sale of precise geolocation data, separately from the prohibition on selling sensitive data.

As the Massachusetts bill appears fairly standard while restricting processing in relatively new ways, some are already calling it a strong bill that doesn’t place unnecessary burdens on applicable organizations. Massachusetts lawmakers have historically shown a willingness to implement and enforce information security protections and contributed to the drafting of laws such as the Children’s Online Privacy Protection Act, so adding privacy protections for consumers at the state level is no surprise.

Privacy Ref will continue to watch the bill for further amendments and will update our products, such as the US Law Framework, should the bill become law. While we are still waiting on the possibility of a comprehensive federal privacy law, states have stepped up to protect their citizens, and regulations and updates are coming in regularly.