Related, General Motors got hit with a $12.75M fine for reselling OnStar location data last month: https://ccpa.world/enforcement/gm-onstar-smart-driver
(https://epic.org/press-release-massachusetts-senate-unanimou...)
I can imagine loopholes to this... nothing stops facebook/google from buying this data from companies not in Massachusetts? and facebook/google don't have to give advertisers the location information but can still use that information when determining the advertisement to return, right? In theory the big silicon valley "targets" of this bill don't actually have a huge incentive to give this data away, do they? They just need to be able to read/access it, which I don't think this law stops? Assuming the data broker is not doing business in Massachusetts itself
It'll have reach because MA has a long-arm statute and there's a rich history of applying that statute in the context of Chapter 93.
It'll have teeth but probably not to the effect that you hope.
This statute was written such that only the Attorney General can bring action; see Section 10(b). This diverges from a long history in the Commonwealth of allowing private individuals to bring civil suits for most types of Chapter 93 violations.
As a result, I anticipate that the most impactful change will be in the quantity and frequency of political donations to Mass AG candidates (and in the case of contested primaries their aligned block of candidates up and down ticket).
Consumer protection laws should always provide for a private cause of action. Otherwise they just function as a mechanism for legalized corruption.
even if its only retained until buffer refresh, its still given away.
if its read frombuffer space and transformed into a persistent structure, its a gift that indefinately keeps giving.
There is no fine nor imprisonment for failing to follow the law.
In the current environment, tech companies have to bribe 50 states plus the federal legislature in order to block privacy bills. If you have federal preemption, then you just have to bribe Congress, because states can't pass ANY privacy laws whatsoever. And we already know the feds do not want a privacy law: the entire legality of the federal surveillance apparatus hinges on the fact that buying your data from third parties does not trip constitutional scrutiny. Preemption freezes the requirements in time so they will always be a few steps behind the TLAs[0].
The ideal is that every sovereign entity passes their own privacy law that applies to their territory, with a private right of action, and adtech companies are forced to adopt a "50 states legal" posture. This is, deliberately, a ratchet: it's easy for any state to require a higher standard but hard to get every state to reduce it, so privacy laws cannot be walked back in secret.
[0] Three Letter Agencies: CIA, FBI, NSA
The concern about poor precedent stemming from poor cases has some rational sense, but we have the benefit of experience. Empirically it just hasn't tended to play out like that in the case of consumer protection statutes in MA. One reason this doesn't happen in practice might be the limited bandwidth of the appellate process. The SJC could (and likely would) prioritize answering questions about the statute in the context of cases brought by the AG.
The longevity pro-consumer laws in MA provides some good empirical data that cuts against the concern about push-back.