Privacy law in Massachusetts

There is no comprehensive consumer privacy law in Massachusetts yet. House Bill 104, the Massachusetts Data Privacy Act (MDPA), was filed in January 2025 and is currently moving through the legislature — but it has not been signed into law. If passed, it would give Massachusetts residents broad rights over their personal data, including the right to access, delete, correct, and export their data, as well as strong protections against data brokers. In the meantime, Massachusetts residents are protected by existing breach notification law and sector-specific federal statutes.

What protections do exist in Massachusetts

Massachusetts Data Security Law

Massachusetts requires businesses that own or license personal information about Massachusetts residents to notify affected residents and the Attorney General of a security breach involving that data. Businesses must also implement and maintain a written information security program (WISP) that contains reasonable administrative, technical, and physical safeguards to protect residents' personal information. (Mass. Gen. Laws ch. 93H)

Massachusetts Fair Information Practices Act

Massachusetts law governing the collection, maintenance, and dissemination of personal data by state agencies. It gives individuals the right to inspect and correct records held about them by government agencies and restricts how agencies may share personal data. (Mass. Gen. Laws ch. 66A)

Massachusetts Right of Privacy

Massachusetts recognizes a statutory right of privacy, protecting individuals from unreasonable, substantial, or serious interference with their privacy. Courts have interpreted this broadly to cover various invasions of personal privacy, including some forms of unauthorized data collection. (Mass. Gen. Laws ch. 214, § 1B)

Massachusetts Consumer Protection Act

Massachusetts prohibits unfair or deceptive acts or practices in trade or commerce. The Attorney General and private individuals can bring actions under this law, which may encompass deceptive data collection and privacy violations by businesses. (Mass. Gen. Laws ch. 93A)

Federal protections that apply to Massachusetts residents

Even without a state comprehensive privacy law, federal protections apply to Massachusetts residents. The FTC's Section 5 authority prohibits unfair or deceptive data practices by businesses. HIPAA protects health and medical information held by covered health care providers and insurers. COPPA requires parental consent before websites collect personal data from children under 13. The Gramm-Leach-Bliley Act governs how financial institutions handle personal financial data.

What’s happening in the Massachusetts legislature

Several privacy bills have been introduced in Massachusetts. None has passed into law yet, but they signal where consumer privacy legislation in the state may be heading.

H. 104 — Massachusetts Data Privacy Act

House Bill 104 would establish the Massachusetts Data Privacy Act (Chapter 93M), giving Massachusetts residents comprehensive rights to access, correct, delete, and export their personal data held by covered businesses, and would impose strict limits on data brokers. The bill also includes a companion chapter (Chapter 93N) specifically protecting precise location information derived from electronic devices. Status: in committee. Read the bill text.

How Optery helps Massachusetts residents

Data brokers collect and sell personal information about almost every American adult — home addresses, phone numbers, family relationships, employment history. They do this regardless of whether your state has a comprehensive privacy law. Optery scans over 200 data brokers to find where your information is exposed, then submits removal requests on your behalf and tracks compliance. Our service works for every US resident, not just those in states with strong privacy statutes.

See which data brokers have your information →