BOSTON — Lawmakers and civil rights leaders want to add Massachusetts to the growing list of states that are strengthening internet privacy protections for residents, as companies mine personal data for profit.
“We’ve all had the experience of being creeped out by an ad, right?” Caitriona Fitzgerald, deputy director of the Electronic Privacy Information Center, said. “A lot of people think our phones must be listening to us because the ads are so creepy. The reality is even creepier. They don’t need to listen to us to know what we’re seeing and thinking because that’s how much data they’re collecting on us.”
Fitzgerald said companies track what websites internet users visit, whose cellphones are often near each other and what each of them are searching for, what people buy online and in stores, health and geolocation data, and more.
“Advertising giants then use this data to create profiles about us, put us into categories like anxiety disorders, or heavy purchasers of pregnancy test kits, all to target us with more ads,” she said, testifying at a Joint Committee on Economic Development and Emerging Technologies hearing Thursday morning.
Advocates have said this issue has become even more important in light of the Dobbs Supreme Court decision, which repealed the constitutional right to an abortion, and women in states with more restrictive policies have begun traveling to other states for reproductive health care. These activists say geolocation data can be weaponized to target those seeking abortions, as well as to track religious minorities, divulge people’s sexual identity and violate other civil liberties.
A Sen. Barry Finegold and Rep. Dan Carey bill dubbed the “Massachusetts Information Privacy and Security Act” (S 227 / H 60) has failed to gain traction in previous sessions, and seeks to create a broad, all-encompassing policy to better protect residents from predatory data brokers.
The bill would enable residents to opt out of targeted ads and the sale of their personal information; require companies to obtain opt-in consent before collecting sensitive information, such as health, geolocation or biometric data; establish heightened privacy protections for children under 16; and give residents the right to access and delete personal information that a company maintains.
It would additionally require companies to follow stricter privacy and security standards, including requiring privacy notices and disclosures about how they use personal information, conducting regular risk assessments and specifying that companies may only collect personal information for specific purposes directly related to the product they are delivering to customers.
Finegold and Carey’s bill would also grant additional powers to the attorney general’s office. Data brokers would have to register with the AGO and disclose their privacy protocols, and the bill scales civil penalties for violations of the law based on the company’s size and misconduct, tasks the attorney general with issuing regulations to ensure that the state’s privacy laws stay up to date, and establishes a targeted private right of action for security breaches of companies that do not have cybersecurity protections.
Fitzgerald said she and other data privacy organizations support the language in the bill that authorizes private right to action.
“It’s really proven to be the only meaningful enforcement mechanism,” she said at a Joint Committee on Advanced Information Technology, the Internet and Cybersecurity hearing later on Thursday, during which people testified on Carey’s House version of the same bill.
“Unfortunately, businesses know that the resources of the attorney general’s offices are limited, and they’re only going to be able to bring a few cases a year. So having that kind of threat of private action hanging over their heads forces compliance in a way that government enforcement does not,” she said. “It scares them more into compliance, and if you’re complying with the law, then it shouldn’t be an issue.”
Kade Crockford, director of the ACLU of Massachusetts’ Technology for Liberty program, said geolocation metadata is particularly sensitive, and in need of regulation.
“Nine times out of ten, more than that, it does not lie. It tells exactly the truth of what’s going on,” Crockford said. “If my cellphone goes to a church basement every Thursday night for two hours, where Alcoholics Anonymous meetings happen, you can be damn sure that’s because I am in Alcoholics Anonymous, and I am seeking recovery treatment.”
Rep. Tricia Farley-Bouvier, co-chair of the AITIC committee, asked Crockford if life insurance companies could buy that data, to which Crockford responded “yeah, that’s right.”
“This is troubling,” Farley-Bouvier replied.
The chair said she understood why life insurance companies may need to access data such as someone’s age and if they’re a smoker. But allowing companies to track whether someone goes to meetings in a church basement every week, “might not be what we want to do,” Farley-Bouvier said.
Luke Dillon, president of the Life Insurance Association of Massachusetts, was one of several representatives of a variety of industries who opposed the bills on Thursday.
Dillon advocated for life insurance businesses’ having a carve-out in the legislation.
“It’s important to distinguish the financial services and the life insurance industry from other unregulated businesses which these bills seek to address. The life insurance industry is already highly regulated,” he said.
Similarly, a representative of the auto dealer industry said car dealers’ use of personal data is already regulated by the Federal Trade Commission.
“We’re very confident in the way that we collect data and utilize it, that it’s well-protected right now,” said Robert O’Koniewski, executive vice president and general counsel for the Massachusetts State Automobile Dealers Association.
He continued, “There have been a number of states, I believe we’re up to a dozen now, that have passed legislation in this arena. Every one of them has some form of a carve-out related to dealers and their activities — there’s a very limited carve-out in this legislation.”
Farley-Bouvier later said she “didn’t understand until recently” the “unbelievable amount of data that the car collects on me.”
Fitzgerald responded that the bill would still allow cars to collect data, such as the speed a driver travels at and other metrics necessary for its operation, but would make dealers delete the information after it was collected, only collect what is necessary, and stop them from selling it to brokers.
“This is about so much more than avoiding creepy ads,” Fitzgerald said. “Commercial surveillance systems fuel algorithms that dictate what we’re seeing online, shaping our entire information ecosystem. It’s used to train AI. It’s used to determine the interest rates on mortgages and credit cards and decide who gets jobs and that perpetuates systemic inequities in our society. Privacy is really necessary for the healthy functioning of our democracy.”