In January 2023, companion bills on “An act protecting reproductive health access, LGBTQ lives, religious liberty and freedom of movement by banning the sale of cell phone location information” were proposed in the Massachusetts House of Representatives (H357) and in the Senate (S148). This proposed legislation is also known as the Massachusetts Location Shield Act.
If passed, the act will present challenges for businesses collecting mobile device location information from individuals located in Massachusetts. Beyond banning data sales, the proposed act would impose stringent requirements for the collection, use and disclosure of location information. These requirements include obtaining an individual’s affirmative opt-in consent for collecting location information, restrictions on disclosure of data to third parties, and providing detailed privacy notices to individuals. Violations of the proposed legislation may result in significant liability given the proposal’s private right of action.
Background
According to its sponsors, the proposed act aims to strengthen the protections for consumer location data in response to public concerns about the potential for collection and sharing of such data without consumers’ permission or knowledge. The Supreme Court’s ruling in the Dobbs Decision, which overturned Roe v. Wade and Casey v. Planned Parenthood and eliminated the constitutional right to an abortion, heightened such concerns. For more background on these concerns, see Tech Companies Need to Prepare for the Data Privacy Implications of Dobbs v. Jackson Women’s Health Organization and States Look to Strengthen Protections for Consumer Health Data Post-Dobbs.
Key Requirements
Scope and Applicability
This act, should it pass, would apply to “covered entities”, a term that includes any individual or legal entity. Unlike most of the current comprehensive state privacy laws, the current draft of the act would not establish either a minimum number of data subjects or revenue threshold that companies must meet in order to fall within the act’s scope, and may therefore cover a much wider range of businesses.
Covered Data
The proposed legislation takes a broad view of “location information”, defining it as:
“information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of the technological method used, that pertains to or directly or indirectly reveals the present or past geographical location of an individual or device within the Commonwealth of Massachusetts with sufficient precision to identify street-level location information within a range of 1,850 feet or less.”
This definition would include, but would not be limited to, IP addresses, Global Positioning System (GPS) coordinates and cell-site location information.
Permissible Purposes
The proposed act would prohibit a covered entity from collecting or processing location information except if the processing serves a “permissible purpose”, a term that would include:
- providing a product or service to an individual to whom the location information pertains when that individual requested the provision of such product or service;
- initiating, managing, executing or completing a financial or commercial transaction or fulfilling an order for specific products or services requested by an individual; and
- complying with legal obligations or responding to communications reporting an imminent threat to human life.
Prohibition on Data Sales and Other Restrictions
Should the act pass, it would bar covered entities from:
- selling, renting, trading or leasing location information to third parties. Unlike other consumer state privacy laws (which make data sales subject to opt-in or opt-out requirements), the prohibition on data sales found in the proposed legislation is absolute. Moreover, the proposed act does not define “sale”, leaving ambiguity as to the scope of the prohibition;
- disclosing an individual’s location information to third parties (a term that does not include service providers), unless such disclosure is (i) necessary to carry out the permissible purpose for which the information was collected, or (ii) requested by the individual to whom the location data pertains;
- collecting more precise location information than necessary for the permissible purpose;
- retaining location information for longer than necessary to carry out the permissible purpose; and
- deriving or inferring from location information any data that is not necessary to carry out a permissible purpose.
Consent Requirements
Under the proposed legislation, covered entities would be required to obtain opt-in consent from individuals prior to collecting or processing their location information and to provide them with a detailed “Location Privacy Policy”. Covered entities would be required to include in this policy information regarding permissible purposes for collecting, processing or disclosing location information, type of location information collected, data disclosures, and retention periods. It is unclear if the proposed legislation will mandate a separate policy from a company’s existing privacy policy.
Covered entities would also be required to provide individuals with a clear, conspicuous and simple means to opt out of the processing of their location information for targeted advertising.
Consent provided by a consumer would expire after the earlier of (i) one year; (ii) when the initial purpose for processing has been satisfied; or (iii) when an individual revokes consent. Following this period, the covered entity would be required to either renew consent pursuant to the initial consent requirements or permanently destroy all location information in its possession.
Non-Discrimination
The proposed legislation would prohibit covered entities from taking any adverse action against individuals for refusing to provide location information. Adverse actions would include, but would not be limited to, refusing to provide goods or services, charging the individual different prices or rates for the service or providing the individual with a lower level of service quality.
Reporting Obligations
The proposed legislation would impose reporting obligations. Specifically, covered entities would be required to provide to the Massachusetts Attorney General annual reports that detail aggregate information relating to all warrants seeking location information that were received by the covered entity and, if known, its service providers or other third parties in the prior calendar year.
Enforcement
The Massachusetts Attorney General’s office would be empowered to enforce the act. The Attorney General’s office would also be tasked with adopting and implementing regulations for the act.
Significantly, the proposed legislation includes a private right of action for consumers to sue companies for failing to comply with its requirements. One of the few state laws that contains a private right of action — the Illinois Biometric Information Privacy Act or BIPA — has led to significant litigation since its enactment, which suggests that businesses that would be subject to the proposed legislation may find themselves subject to significant risk of expensive legal claims and litigation.
Outlook
The proposed legislation is undergoing committee hearings and its next steps in the legislative process are currently unknown.
In the event that the act survives the legislative process, and any subsequent judicial review, it will take effect one year from the day on which it passes. Covered businesses which already collect location information will also have an additional six months to comply with the act.
Given the broad reach of the proposal, its stringent provisions and its private right of action, businesses that collect location information should closely monitor the trajectory of the proposed legislation.
The post Massachusetts Proposes Sweeping Requirements for Processing Mobile Device Location Data appeared first on Data, Privacy & Cybersecurity Insights.