House Speaker Ron Mariano speaks at a press conference on October 27, 2025. (Chris Lisinski/CommonWealth Beacon)

THE HOUSE IS taking steps to join the Senate in a crusade for stronger data privacy in Massachusetts. While giving more “teeth” to consumers by letting them take large data collectors to court, the bill the House passed unanimously on Thursday would also allow some sensitive data to be sold if the consumer agrees.

In its redraft of a bill approved by the Senate eight months ago, House lawmakers signed off on frameworks to limit collection and sale of private data, ensure consumers have a right to know about what data is being collected, opt-out of some data collection, and have their data deleted on request.

“Without exaggeration, we are living through the largest unregulated extraction of information in the history of civilization,” said Rep. Tricia Farley-Bouvier, of Pittsfield, on the House floor.

Farley-Bouvier — the House chair on the Joint Committee on Advanced Information Technology, the Internet and Cybersecurity — said “the foundation of this bill rests on a simple but powerful premise: Your personal data belongs to you, not to big tech companies, not to a data broker operating off a bot farm somewhere, not to an algorithm that has decided, based on your location history and spending patterns, what kind of person you are and what you deserve. Your data belongs to you.”

House Speaker Ron Mariano and House Ways and Means Chair Aaron Michlewitz said in a statement that the bill establishes “common-sense safeguards for sensitive data, strengthens transparency, and promotes accountability for entities that profit from personal information.”

Both the House bill and the Senate bill, which passed unanimously in September, require entities, including major tech platforms such as Meta, to limit the collection of personal data to what is reasonably necessary to provide or maintain the specific product or service that the customer wants. “Personal data” would be defined as any private information that is linked or reasonably linkable to an identifiable person.

Consumers must be given a clear opportunity to opt out of data that would be collected and processed for targeted advertising or automated profiling that could limit a person’s access to financial services, housing, insurance, education, criminal justice, employment, health care, or essential goods and services.

The Senate’s proposal was so strict and distinct from how most states treat data privacy — by covering a large number of businesses that may collect user data and restricting what data can be collected or sold — that small businesses and tech companies alike pushed back on the bill last fall. The House version allows more data to be shared or potentially sold, which itself has prompted some indignation from data privacy advocates.

One of the divisions between the two versions involves how data collectors treat “sensitive information,” a step beyond personal data which includes things like government-issued identifiers; health information; biometric data or genetic information; a consumer’s race, color, ethnicity, religion, national origin, citizenship or immigration status; precise geolocation data; and personal data of minors.

The Senate would outright prohibit companies from collecting, processing, or transferring sensitive data unless it is “strictly necessary” to provide a specific service requested by the customer. For instance, location data would likely be necessary to use a fitness app that monitors distance. But that app would not necessarily need to know the immigration status of the user.

Selling sensitive data at all is barred under the Senate bill. Data controllers could transfer, but not sell, sensitive data if the person gave affirmative consent.

The House completely bans the sale of precise geolocation data but would allow the sale of all other sensitive data if the user gives consent. The location shielding would cover those visiting Massachusetts as well as its residents.

“Protecting location data is paramount if the rights in Massachusetts to reproductive health care equity are to be upheld,” said Rep. Kate Lipper-Garabedian of Melrose. Data brokers have tracked interstate visits to Planned Parenthood locations in Massachusetts, she noted, and then provided that data to an anti-abortion campaign. Now, she said, the Trump administration is purchasing location data for immigration enforcement.

“One’s personal location data should never be monetized by a private for-profit company working in concert with the dystopian government to undermine our constitutional right to due process,” Lipper-Garabedian said.

Both chambers’ data privacy bills prohibit selling the personal data of a person that they know or should know — or in the House version, “willfully disregards” — is a minor. It would also be illegal to serve targeted advertisements to minors.

Broadly, any company that collects personal data would be covered under either bill, with the House and Senate both moving to exempt government entities, insurance fraud nonprofits, and banks.

The Senate bill would cover companies that collect data from at least 60,000 people, collect data from at least 20,000 people and make more than a fifth of their revenue from selling that information, or collect data about users’ reproductive or sexual health.

The House bill covers companies that collect the personal data of at least 100,000 consumers and make at least $100,000 from the sale of the data. It excludes educational nonprofits, including higher educational institutions, and nonprofits that oversee blood banks or transfusion centers.

“Some small businesses have been led to believe by big corporations that there is a trade-off between enshrining our data privacy rights in law, protecting consumers, and holding big tech accountable, and that that would somehow mean it will make it harder for small businesses to function,” said Rep. Andy Vargas of Haverhill. “Let me confidently tell you that under the bill today that is patently false.”

The 100,000-user threshold is high, and the data captured, he said, is personal data, “not credit card information processing, not any data that is used in the normal day-to-day transactions by most businesses.”

The House bill creates a new opportunity for users and the attorney general’s office to sue large companies directly for damages or enforcement if they violate the law, which covers companies that collect the personal data of more than 2 million consumers or the sensitive data of more than 200,000 consumers. The attorney general’s office alone would have the right to bring civil suits against smaller companies.

“We want to be clear that we want to protect the small businesses, the local businesses,” Farley-Bouvier told reporters on Thursday. “But it’s that big tech industry that we want to give more teeth to on the enforcement.”

Following the House bill’s passage, a small group of members from both chambers will work to sort out differences between the bills and land on a final single version to send to Gov. Maura Healey.

In a separate bill, the House last month introduced a new potential avenue for massive swaths of sensitive data to fall into tech companies’ laps. In its version of a bill banning cellphone use by students during the school day, the House included a provision banning social media accounts for children 13 and younger, and requiring 14- and 15-year-olds to have a parent or guardian’s permission to sign up for an account.

The Senate version of the bill included no such policy.

The House’s addition of social media restrictions to the cell phone bill, along with proposed legislation from Healey on social media use for young people, set off a firestorm of criticism from free-speech and LGBTQ+ advocates worried about the collection of biometric or identifying information that platforms would need to verify ages.

A gathering of members from both the House and Senate met on Thursday, as the House passed its data privacy bill, to set up a schedule for reconciling the differences between the two cellphone-ban bills.

Asked how the data privacy bill fits into the landscape of technology legislation including social media regulation and artificial intelligence in campaigns, Farley-Bouvier said, “Data privacy is the underpinning of all future tech bills. We have to do data privacy first.”

Jennifer Smith writes for CommonWealth Beacon and co-hosts its weekly podcast, The Codcast. Her areas of focus include housing, social issues, courts and the law, and politics and elections. A California...