Massachusetts has a better consumer privacy framework than most people who live here realize. The state's data protection regime, meaning not the most recent legislation but the framework built up over roughly the past fifteen years, includes provisions that are genuinely stronger than the California law that tends to get all the coverage.
The most important is the data security requirement. Massachusetts 201 CMR 17.00, the Standards for the Protection of Personal Information of Residents of the Commonwealth, requires any business that owns or licenses personal information about Massachusetts residents to maintain a written information security program, a WISP, with specific required elements: a designated employee responsible for the program, a documented risk assessment, employee training, oversight of third-party service providers, encryption of personal information transmitted over public networks or stored on laptops and portable devices, monitoring, and at least annual review. "Personal information" is defined narrowly here, as a resident's name combined with a Social Security number, a driver's license or state ID number, or a financial account or payment card number. The standard is not just a notification requirement; it is a security practice requirement, and it applies to any business that holds this information regardless of where the business is located.
This is more meaningful than a right-to-know or right-to-delete provision, the features privacy advocates usually lead with, because it governs the baseline handling of data rather than individual remediation after something has already gone wrong. A right to delete your data from a company that has already been breached is worth less than a requirement that the company not have the breach in the first place.
The gaps: enforcement is inconsistent, the Attorney General's office is resource-constrained, and the private right of action is limited. The regulation also does not reach the full range of data practices modern consumers are actually exposed to, since its narrow definition of personal information leaves most behavioral and profile data outside its scope. It was written for a different era of data collection.
But the underlying logic — that security is a prior obligation, not an afterthought — is the right logic, and it’s worth noting that Massachusetts arrived at it earlier and more clearly than most other states. The newer comprehensive privacy bills moving through the legislature are more ambitious; whether they’ll be better in practice will depend on enforcement, which is where privacy law in the US consistently falls short.