Today, technology has far outpaced privacy law. Data brokers and tech corporations are free to do almost anything they want with our personal information, including selling our cellphone location data on the open market. These practices endanger all of us, but especially vulnerable communities like immigrants, protesters, and people seeking and providing reproductive and gender-affirming healthcare.

The Massachusetts Consumer Data Privacy Act (H. 4746) flips the script, giving all Massachusetts residents robust privacy rights in the digital age. Specifically, it bans the sale of our precise geolocation data and creates statutory limits on data collection and processing, ending the "anything goes" era of corporate surveillance once and for all.

Take action now to urge your state representative to support strong, enforceable privacy law.

Digital Fourth supports H. 4746 and we are eager to see a comprehensive data privacy act passed in MA this legislative session. After our careful review of the bill, there are four important amendments needed to ensure it is as protective and effective as possible. We include these proposed changes in the letter you'll send to your representative, and below:

1. THRESHOLDS TO SUE: “EITHER/OR”, NOT “BOTH/AND”

Our first recommendation is to change H.4746’s language relating to the ability of private individuals to sue corporations that violate H.4746’s privacy rules. The bill sets high thresholds for a private right of action in the bill, limiting it to corporations that have both over $200m in gross annual revenue and data on two million consumers. This dual barrier will enable certain companies that are collecting a lot of data, like phone apps, to slide under the radar.

• It would prevent private enforcement against companies like Flock Safety, which has a gross annual revenue of $285 million, but which doesn’t transfer the data of over 2 million consumers. Continuous collection of ALPR data enables determination of where people live and work; Flock shares its AI predictive analytic tool which determines "patterns of driving" and labels vehicles as potentially involved in narco-trafficking, leading to wrongful arrests of U.S. citizens.

• Penlink, which is providing ICE and CBP with the geolocation information for cell phones across entire neighborhoods, also fails to meet the threshold because it has a gross annual revenue of only $36 million.

Therefore, we’re suggesting that the threshold be that private individuals could sue corporations that meet either of these thresholds.

2. PROTECT THE PRIVACY OF PEOPLE’S “PHILOSOPHICAL BELIEFS”

The federal government is investigating people to see if they pose a national security risk on the basis of their social media posts, communications or web searches. The President's NSPM-7 memorandum declares philosophical beliefs like "anti-Americanism, anti-capitalism, and anti-Christianity; support for the overthrow of the United States Government; extremism on migration, race, and gender; and hostility towards those who hold traditional American views on family, religion, and morality", as views that justify investigation of Americans by a Joint Terrorism Task Force (JTTF). Attorney General Bondi just ordered the FBI's JTTFs to prioritize the investigation of Americans with these beliefs. A simple fix can protect the beliefs that we express in social media and communications, by including “philosophical beliefs” in the definition of sensitive data, as is already done in California’s Consumer Data Privacy Act

3. IMPROVE PROTECTION OF CHILDREN'S DATA

The Senate bill, S. 2619, says that data controllers are liable for mishandling “personal data of a consumer that a controller knows, or should have known, is a minor”. H.4746 changes this to “personal data of a consumer that a controller knows, or willfully disregards, is a minor." That’s a significant weakening of the standard. It will be very hard for people suing a data controller to prove that the data controller “willfully disregarded” that the person whose data they mishandled was a minor. The Senate language is significantly better.

4. YOUR “GENETIC DATA” SHOULD NOT JUST INCLUDE YOUR DNA

The definition of sensitive data in the Senate bill includes "(iii) genetic, neural or biometric data” and “information derived therefrom." This means that not only your DNA profile itself, but interpretive data, such as what 23andMe interprets your DNA profile to mean in terms of susceptibility to diseases or your inferred relationship to another person, would be classed as sensitive data. Similarly, not only the data "net" of your facial features created by facial recognition, but the fact that your face is interpreted as a 95% match to a criminal suspect, ought to qualify as sensitive data. So, we think that it is important to protect all data derived from cataloging the expression of our RNA and protein and this should be accomplished by changing “genetic data” to “genomic data” (please see https://www.law.cornell.edu/cfr/text/28/202.224), and including the Senate’s phrase “information derived therefrom."

Drafted legislative text for the amendments can be found here.