23 June 2026

One Step Closer To A Massachusetts Data Privacy Law: Comparing The Current House And Senate Bills

Foley Hoag LLP

By Colin J. Zick

Massachusetts lawmakers are working to pass a long-awaited comprehensive data privacy law in the current legislative session. After years of debating and tabling different versions of Massachusetts-specific data privacy legislation (debates we previously covered in 2025), the Commonwealth now appears poised to join the twenty other U.S. states with comprehensive consumer privacy laws.

The Massachusetts House of Representatives unanimously passed its privacy bill, H.5479, on June 4, 2026. This bill is an amended version of the proposed bill advanced by the Senate last year (S.2619, An Act establishing the Massachusetts Data Privacy Act). Over the remainder of the legislative session, the House and Senate will work to reconcile the differences between these two versions. 

H.5479 differs from the earlier S.2619 in several key respects:

  • Enforcement and Private Right of Action:
    • S.2619 provided for exclusive enforcement by the Attorney General, with no private right of action.
    • H.5479 creates a new “large data holder” category (entities processing data of 2+ million consumers or sensitive data of 200,000+ consumers) that would be subject to private lawsuits alleging violations of the Act as well as enforcement actions by the Attorney General.
  • Cure Period:
    • S.2619 included a 60-day cure period for violations to provide some leeway as companies come into compliance. This right to cure would sunset in June 2027.
    • H.5479 eliminates the right to cure entirely.
  • Sensitive Data Sales:
    • S.2619 included an outright ban on the sale of all sensitive data.
    • H.5479 allows the sale of sensitive data (except precise geolocation data) with affirmative consumer consent.

Below is a side-by-side comparison of the key features of (and differences between) the House and Senate bills:

Provision-by-provision comparison (H.5479 as passed by the House in June 2026; S.2619 as advanced by the Senate in September 2025):

Applicability
  H.5479: Persons conducting business in Massachusetts and producing products/providing services targeting Massachusetts residents that in the year prior:
    1. Collected/processed data of ≥100,000 consumers;
    2. Derived gross revenue of ≥$100,000 from personal data sales;
    3. Collected/processed any sensitive data.
  S.2619: Persons that in the prior year:
    1. Collected/processed data of ≥60,000 consumers;
    2. Collected/processed personal data of ≥20,000 consumers and derived 20% of gross revenue from personal data sales;
    3. Collected/processed/transferred reproductive/sexual health data.

Private Right of Action
  H.5479: Private right of action against large data holders via Chapter 93A; no private right of action against non-large data holders (exclusive AG enforcement). A “large data holder” is defined as a controller or processor that in the most recent calendar year collected, processed, or sold (1) personal data of more than two million consumers (excluding personal data collected and processed solely for billing) or (2) sensitive data of more than 200,000 consumers.
  S.2619: No private right of action; only the AG has enforcement powers.

Data Minimization
  H.5479: Collection of personal data should be “reasonably necessary and proportionate … consistent with the reasonable expectation of the consumer,” evaluated by a four-factor balancing test.
  S.2619: Collection of personal data should be “reasonably necessary to provide or maintain a specific product or service.”

Sensitive Data — Definition
  H.5479:
    • Data revealing certain types of information about a consumer (including race, nationality, immigration status, religious beliefs, sex life, sexual orientation, status as transgender/non-binary, union membership, status as crime victim, veteran status)
    • Data revealing certain health data (including gender-affirming, reproductive, or sexual health data)
    • “Consumer health and wellness data”
    • Genetic, neural, and biometric data; personal data of a minor; precise geolocation data; government-issued ID; account names, passwords, and usernames that are not publicly available
  S.2619:
    • Data revealing certain types of information about a consumer (including race, color, ethnicity, national origin, citizenship or immigration status, religion, sex life, sexual orientation, status as transgender or non-binary, status as a crime victim); unlike H.5479, does not include union membership or veteran status
    • Data revealing certain health data (including gender-affirming, reproductive, or sexual health data)
    • “Data collected by wellness devices”
    • Precise geolocation; account or device log-in credentials or access codes; personal data of a known minor; government-issued ID

Sensitive Data — Sale
  H.5479: Total ban on the sale of precise geolocation data; sale of other sensitive data requires affirmative consent.
  S.2619: Total ban on all sensitive data sales.

Sensitive Data — Processing
  H.5479: Requires affirmative consent.
  S.2619: “Strictly necessary” standard: processing must be essential (not optional), strictly tied to a specific purpose, and targeted and limited in scope.

Consent Framework
  H.5479: “Affirmative consent” = clear, freely given, specific, informed, and unambiguous. Exceptions: the same as S.2619, with the addition of:
    1. Agreement obtained through false, fraudulent, or materially misleading statements or representations.
  S.2619: “Affirmative consent” = clear, freely given, specific, informed, and unambiguous, in response to a specific request from a controller. Exceptions:
    1. Acceptance of broad terms of use or similar documents that combine descriptions of personal data processing with other, unrelated information;
    2. Hovering over, muting, pausing, or closing content;
    3. Agreement obtained using dark patterns.

AG Rulemaking
  H.5479: Mandatory (“shall”), with six enumerated areas:
    1. Technical standards for sufficiently de-identified data;
    2. Reasonable data security practices;
    3. A non-exclusive list of dark patterns;
    4. A non-exclusive list of unfair or deceptive practices in trade or commerce;
    5. The frequency for reviewing and updating data protection assessments; and
    6. Privacy notice requirements.
  The AG’s rules would be due to be published by May 1, 2027.
  S.2619: Permissive (“may”), with open-ended scope.

Data Protection Assessments
  H.5479: Conduct and document assessments for controller processing activities that present a heightened risk of consumer harm. To be disclosed to the AG upon request when relevant to an AG investigation. Compliance deferred: assessments shall not be requested by the AG before July 1, 2028.
  S.2619: Conduct and document assessments for controller processing activities that present a heightened risk of consumer harm. To be disclosed to the AG upon request. Assessments obtained by the AG are confidential and exempt from the Massachusetts Public Records Law.

Non-Resident Jurisdiction
  H.5479: Ban on the sale of precise geolocation data collected or processed within Massachusetts (regardless of residency).
  S.2619: Ban on the sale of precise geolocation data collected within Massachusetts (regardless of residency).

Entity Exemptions
  H.5479: Government entities, insurance fraud detection and prevention nonprofits, registered national securities and futures associations, banks/credit unions, educational nonprofits, blood banks, broker-dealers/investment advisers, and HIPAA covered entities or business associates.
  S.2619: Government entities, insurance fraud detection and prevention nonprofits, registered national securities and futures associations, banks/credit unions, broker-dealers/investment advisers, and HIPAA covered entities or business associates that processed the data of ≤60,000 consumers.

M&A Notice Requirements
  H.5479: A controller transferring personal data as part of a merger, acquisition, bankruptcy, or similar transaction must notify consumers a reasonable time before the disclosure/transfer. Affected consumers must be given a reasonable opportunity to withdraw affirmative consent; for genetic, neural, or biometric data, that opportunity must be no less than 60 days.
  S.2619: A controller acquiring personal data as part of a merger, acquisition, bankruptcy, or similar transaction must notify consumers following the acquisition.

Consumer Rights Appeal Process
  Both bills: A controller must establish a conspicuously available process for a consumer to appeal a refusal to act on a consumer rights request. Upon an appeal, the controller must provide a written response to the consumer within 60 days.

Data Broker Report Requirement
  H.5479: Directs the Office of Consumer Affairs and Business Regulation to conduct a study and issue a report on how best to regulate data brokers in Massachusetts. The report and any proposed legislation are due not later than July 1, 2027.
  S.2619: None.

Civil Penalties
  Both bills: Up to $5,000 per violation.

Effective Date
  H.5479: July 1, 2027.
  S.2619: January 1, 2027 (applicability thresholds under §2 take effect June 1, 2027).

Next Steps:

The legislature has appointed a three-member House-Senate conference committee. If the conference committee can work out these differences, the compromise legislation will be sent to both branches for final approval before moving to Governor Healey. 

Though significant work remains before these bills become law, businesses should begin to prepare now by taking the following steps:

  1. Determine whether your business meets the applicability thresholds under either proposed bill:
    1. Determine the number of Massachusetts consumers whose data you collect or process (excluding data used solely for completing payment transactions);
    2. Evaluate revenue derived from the sale of personal data; and
    3. Identify whether you collect or process sensitive data as defined by the bills.
  2. Review or implement data minimization practices.
  3. Establish at least two secure and reliable means for consumers to submit rights requests, as well as a consumer appeal process. Both bills require a written response to the consumer within sixty days of receiving an appeal of a refusal to act on a consumer rights request.
