Did you know that right now in Massachusetts, private companies can sell and trade your cell phone location information, showing where you’ve been in the past and where you are right now? Did you know that anyone can buy that information from shadowy, unregulated entities—potentially even stalkers? Or that Massachusetts consumer privacy law hasn’t been meaningfully updated since 2007 when Massachusetts enacted a data breach law, despite the fact that some of the most powerful corporations on earth make billions of dollars off of collecting as much information about you as possible, and then monetizing that information? For far too long, Massachusetts residents have been subject to corporate surveillance shenanigans without any regulation or control. Time’s up.

The ACLU of Massachusetts is part of a growing coalition calling on the state legislature to take bold action to protect our privacy and give ordinary people control over how corporations access and use their information.

Current information privacy laws in Massachusetts predate today’s technologies and therefore fail to protect our rights in the digital age. A comprehensive 21st century digital privacy law establishing robust consumer rights in the Commonwealth is long overdue. Other states, like California and Virginia, have taken the lead and already passed privacy laws. Thankfully, lawmakers in our state have filed what is arguably the best consumer privacy and digital rights legislation anywhere in the country.

The Massachusetts Information Privacy Act (MIPA), filed by Representatives Rogers (D-24th Middlesex) and Vargas (D-3rd Essex) in the House and Senator Creem (D- First Middlesex and Norfolk) in the Senate, blends the best approaches from other states and jurisdictions, including similar laws passed in California, Illinois, and the European Union.

Why do we need a consumer privacy law? First off, Congress has failed to act to protect our privacy at the federal level. Given the dysfunction in Washington, it is highly unlikely that we will see movement on this important issue in the coming years. This week, the Senate couldn’t even agree to fund the federal government; consensus on something as complex as omnibus digital privacy law seems like distant proposition.

But in the face of federal inaction, private corporations are far from inert. It seems like every day there’s another story about corporations misusing and abusing our data. The following examples just scratch the surface of the problem:

• Dating Apps: If you use a dating app, you may be incredibly candid with intimate details about your life because you want to match with the most compatible romantic prospect. But far too often, companies take advantage of this trove of sensitive information by sharing it with other companies—even without your knowledge or informed consent. For example, a January 2021 Norwegian Consumer Council report found that OkCupid was sharing users’ location and information about their sexual desires, alcohol use, political views, and ethnicity with third parties, while Tinder was sharing users’ location, age, gender, and partner preference.
• Ride-Sharing Apps: Researchers from George Washington University in Washington D.C. analyzed pricing algorithms by crossing more than 100 million ride-sharing trips in Chicago with census data. They discovered that ride-sharing companies charged a higher price per mile for a trip if the pick-up point or destination was a neighborhood with a higher proportion of people of color than for those with predominantly white residents.
• Religious Apps: A 2020 Vice Motherboard investigation revealed that the U.S. military has purchased the location data of users of Muslim prayer and dating apps like MuslimPro.
• Reproductive Health: According to a 2016 Rewire article, geolocation data was used to target visitors to 140 abortion clinics with ads for anti-abortion pregnancy counseling services.
• Cell Phone Location Data: According to a 2019 Vice Motherboard investigation, AT&T, T-Mobile, and Sprint have all sold customers’ locations and personal information to third-party companies, with the information eventually falling into the hands of bail bonds firms and bounty hunters.
• Healthcare: Patients waiting for emergency room medical care in Philadelphia were targeted with ads for personal injury lawyers, according to a 2018 NPR article. The advertisers identified their location using geofences that collected information from their phones using Wi-Fi, cell data, and GPS technology.
• LGBTQIA+ Dating Apps: In 2018, Buzzfeed discovered that the Grindr LGBTQIA+ dating app was sharing its users’ HIV status and personal information with third parties.

We shouldn’t have to decide between using modern technology and exposing our sensitive information to unknown actors, who may use it to harm us. Instead, we must pass comprehensive consumer privacy and non-discrimination law, to ensure we are able to make use of technology while also remaining secure and in control of our personal lives.

MIPA establishes an all-inclusive approach to information privacy that targets the flow of our personal information from us to private companies we deal with and from those private companies to third parties. To prevent and redress the violations of privacy described above and more, MIPA will impact you in the following ways:

• Companies will owe you the fiduciary duties of care, loyalty, and confidentiality. This means that companies will be prohibited using your personal information, or information derived from your personal information, in any way that:
  • (i) benefits themselves to your detriment;
  • (ii) results in reasonably foreseeable and material physical or financial harm to you; or
  • (iii) would be unexpected and highly offensive to a reasonable individual like you.
• You will have the right to know how corporations will use your information before you provide consent to such use;
• You will have the privacy rights of access, correction, data portability, and deletion of your personal information;
• Your location data will be secure, as MIPA prohibits companies from selling and trading it, including to government agencies (absent a warrant);
• Companies will be prohibited from collecting and processing your biometric information unless you provide handwritten, informed consent;
• You will be safe from digital discrimination if you belong to a protected class, and companies will be prohibited from targeting you with ads on the basis of your belonging to such a class;

In order to enforce these and other requirements in the law, MIPA creates a new agency, the Massachusetts Information Privacy Commission, with enforcement and regulatory authority. It also institutes a private right of action, with GDPR-magnitude minimum and maximum fines, so that you can sue if corporations misuse your information.

Privacy is fundamentally about how much control we have over our personal information and our private affairs. If we lose our privacy, we lose control over our lives. Please join us in the fight for digital privacy in Massachusetts. After all, privacy cannot protect itself.