On February 2, 2022, the Massachusetts Legislature’s Joint Committee on Advanced Information Technology, the Internet and Cybersecurity released a new draft of a bill designed to provide mechanisms for how personal information is used and to control how companies use such information.  This 65-page bill, known as the “Massachusetts Information Privacy and Security Act” or “MIPSA”, would be the first major piece of legislation related to data privacy passed since the Legislature updated the data breach legislation in 2019.

For companies, some of the new laws in MIPSA include:

• Providing privacy notices to customers on how their personal information is used;

• Mandating risk assessments to determine potential exposure to high-risk business practices; and

• Limiting the use of personal information for a specific purpose.

For individuals, the bill would provide a right to opt-out of targeted advertising and the sale of an individual’s personal information, allow individuals to have access to and correct personal information and establish a private right of action for security breaches.

The bill contains many other provisions that have the goal of protecting consumers’ and residents’ information, establishing mandates on businesses and providing enforcement powers for state agencies and the Attorney General’s Office.