3. Proposed Massachusetts Law Allowing Up to $750 per Consumer for Online Privacy Violations Seen As Troublesome by Law Firm
A proposed online privacy bill sitting in committee in the Massachusetts Legislature was described this week by a key law firm as setting a high bar for a so-called “private right of action.” The bill, (S.120) introduced by the Democratic majority leader of the Massachusetts Senate, Cynthia Stone Creem, (who represents three of the wealthiest suburbs of Boston) would allow $750 per person, plus attorney’s fees and costs, for a privacy-law violation, no matter whether it is unintentional.
Silicon Valley companies are fighting in California to reduce or eliminate the opportunity of individuals — acting alone or represented in a class action — from suing over privacy violations on the grounds that it would impose unreasonable defense costs on them. At the same time, California’s attorney general is warning that he may not have enough staff to effectively enforce the California Consumer Privacy Act if only he and other regulators are permitted to commence litigation. At the same time, industry lobbyists in Washington, D.C., are trying to make sure a “private right of action” is not included in federal law. Thus a conflict with Massachusetts law, if enacted, could emerge.
“Based on these key provisions, it is difficult to overstate the magnitude of class-action litigation risk the proposed law may create for businesses collecting data from Massachusetts consumers,” write three attorneys with the Portland, Maine-based law firm of Pierce Atwood LLP. As proposed, they write, S.120 would apply to for-profit businesses that collect personal information from Massachusetts consumers if they either have annual gross revenues over $10 million or derive more than 50% of annual revenues from third-party disclosures of consumer information. It defines personal information as “any information relating to an identified or identifiable consumer” and any other information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.” It includes “DNA, palm and vein patterns, voice recordings, keystroke rhythms, gait patterns, and sleep, health or exercise data that contains identifying information,” write attorneys Peter G. Guffin, Don Frederico, and Melanie A. Conroy.
Collectively, the authors say this definition of personal information is broader than even the strict the Illinois Biometric Information Privacy Act, (BIPA) which becomes effective Jan. 1, 2020, on the same date as the California Consumer Privacy Act. (CCPA). It provides exceptions for things like clinical trials, news-gathering protected by the First Amendment, aggregated information from which individual consumer identities have been removed (and can’t be re-identified or linked to an individual), and compliance with legal proceedings and obligations.
For More: https://www.pierceatwood.com/update/massachusetts-consumer-data-privacy-bill-could-dramatically-expand-class-action-litigation