- Massachusetts privacy law passed the House 146-0, banning companies from selling users’ precise location data without consent.
- The Massachusetts privacy law covers any company processing data on more than 100,000 state residents or visitors.
- Biometric data, health records, immigration status, and sexual orientation are all classified as sensitive data requiring explicit consent.
- With no federal privacy law in sight, states like Massachusetts continue filling the void left by Congress.
- Massachusetts privacy law passed the House 146-0, banning companies from selling users’ precise location data without consent.
- The Massachusetts privacy law covers any company processing data on more than 100,000 state residents or visitors.
- Biometric data, health records, immigration status, and sexual orientation are all classified as sensitive data requiring explicit consent.
- With no federal privacy law in sight, states like Massachusetts continue filling the void left by Congress.
Table of Contents
Massachusetts Privacy Law: What Just Passed and Why It Matters
The Massachusetts privacy law just cleared one of its biggest hurdles. This past Thursday, the state’s House of Representatives passed the Consumer Data Privacy Act in a unanimous 146-0 vote — a striking show of cross-party consensus in an era when bipartisan agreement on tech regulation is rare. The Senate had already voted unanimously in favour of its own version back in September. Now the two chambers will reconcile their bills, and the combined legislation heads to the state governor’s office, where it’s widely expected to be signed into law.
When it does get signed, the Massachusetts privacy law will place the state alongside a growing club of U.S. states — including California, Virginia, Colorado, and Texas — that have decided they can’t wait for Washington to act. The United States remains one of the only major democracies without a comprehensive federal privacy framework, leaving individual states to patch together their own rules. Massachusetts, however, is going further than most on one particularly sensitive issue: the sale of precise location data.
The Location Data Problem Is Bigger Than Most People Realise
The data broker industry has operated in a legal grey zone for years. The mechanics are straightforward and troubling: app developers collect precise GPS-level location data from their users, often through permissions granted for unrelated features. They then sell that data to brokers, who repackage it and sell it on to anyone willing to pay — advertisers, political campaigns, insurance companies, and, as has been well-documented, government agencies and law enforcement. The government’s longstanding position is that it doesn’t need a warrant to buy data that’s commercially available on the open market, a loophole that’s been used to track protesters, immigrants, and journalists.
What makes the Massachusetts privacy law particularly aggressive is how it defines the ban’s reach. By applying the location data prohibition to both state residents and visitors, the law effectively creates a blanket ban on selling location data tied to anyone physically present in Massachusetts — not just people who happen to live there. For a state that includes Boston, a major tech and biotech hub, and draws millions of tourists and business travellers annually, that’s a significant geographic footprint to cover.
The Biden administration made a serious push to restrict the sale of Americans’ sensitive data at the federal level, coming close to finalising rules that would have limited data brokers’ ability to sell information to foreign adversaries. The Trump administration reversed course on those efforts, leaving the regulatory field wide open. State legislatures have since moved to fill that gap themselves, and the Massachusetts privacy law is now one of the most assertive examples of that trend.
What the Law Actually Requires — and Who It Hits
The Massachusetts privacy law applies to any company that handles the personal data of more than 100,000 consumers. That threshold is deliberately designed to exempt small businesses while catching the companies that actually move the needle on data collection. In practice, it means Silicon Valley’s biggest names — Google, Meta, Amazon, Apple — are squarely in scope, as are the hundreds of mid-sized ad tech firms and location data startups that have built businesses on the back of user data.
Under the Massachusetts privacy law, companies can’t sell or share what the legislation classes as “sensitive” data without the user’s explicit consent. That list is broader than some other state frameworks. It includes:
- Precise geolocation data
- Biometrics — fingerprints, facial recognition data, voice prints
- Health data and genetic information
- Religious beliefs and practices
- Immigration status
- Sexual orientation and gender identity
Residents also get real, actionable rights under the Massachusetts privacy law: the ability to access what data a company holds on them, correct inaccuracies, and request deletion. These are rights that Europeans have had under GDPR since 2018 and that Californians have had under the CCPA since 2020. Massachusetts residents are late to the party, but the version of rights they’re getting is in some respects stronger than what came before.
A Rare Show of Bipartisan Unity on Tech Policy
The 146-0 House vote is worth pausing on. Privacy legislation at the state level frequently runs into industry lobbying that splinters support and bogs down bills in committee. The tech industry has spent heavily fighting state privacy bills in recent years. For Massachusetts lawmakers to clear the House without a single dissenting vote signals either unusually strong constituent pressure, unusually weak industry opposition, or both.
According to local reporting from WBUR and the Lynn Journal, lawmakers worked deliberately across party lines, operating under a shared belief that privacy is a fundamental right — not a partisan issue. That framing matters, and it helps explain why the Massachusetts privacy law moved so smoothly through the chamber. Privacy has historically been one of the few tech policy areas where left and right can find common ground, precisely because the harms cut across demographics. Stalkers use location data. Anti-abortion states have used location data to track people travelling for healthcare. Foreign intelligence services buy data about military personnel. When you lay out who gets hurt, the politics tend to simplify.
Advocates Are Calling It a Win — With Caveats
The reception from privacy advocates has been broadly positive. Evan Greer, director of the digital rights group Fight for the Future, said the Massachusetts privacy law “took a major step toward cracking down on Big Tech’s surveillance abuses.” The ACLU praised the bill as positioning Massachusetts as a “leader in protecting personal privacy and curbing digital surveillance.”
That said, no state privacy law is a complete solution. Enforcement is always the real test — state attorneys general have limited resources, and the companies most likely to push back are the ones with the deepest legal budgets. California’s CCPA has been in effect for years and data brokers still operate with relative freedom because enforcement actions have been slow and penalties modest. The Massachusetts privacy law will need real enforcement muscle built into its implementation if it’s going to do what it promises on paper.
There’s also the preemption question. If Congress ever does pass a federal privacy law — something that’s been attempted and stalled repeatedly, most recently with the American Data Privacy and Protection Act — it could override state rules like the Massachusetts privacy law. Industry groups have historically pushed for federal laws precisely because a single national standard is easier to comply with than a patchwork of 50 state frameworks. Whether that’s a feature or a bug depends entirely on how strong the federal law turns out to be.
For now, Massachusetts has done what Congress hasn’t: drawn a clear line on location data. With the bill heading to the governor’s desk, the question shifts from whether the law will pass to how quickly companies will adapt — and how hard they’ll fight the rules once enforcement actually begins.
Source: TechCrunch
Frequently Asked Questions
What does the Massachusetts privacy law actually ban?
The law prohibits companies from selling or sharing sensitive personal data — including precise geolocation, biometrics, health data, genetic information, religion, immigration status, and sexual orientation — without a user’s explicit consent. The location data ban applies to both residents and visitors across the state.
Which companies does the Massachusetts Consumer Data Privacy Act apply to?
The law applies to companies that handle or process the personal data of more than 100,000 consumers. That scope means it captures both large Silicon Valley technology titans and mid-sized startups that collect and monetise user data in Massachusetts.
Has the Massachusetts governor signed the bill into law yet?
Not yet. As of the House vote, the bills passed by the House and Senate need to be reconciled in a combined version before being sent to the governor’s office. The governor is expected to sign it, though an exact timeline hasn’t been confirmed.
Why is precise location data considered so sensitive?
Precise location data can reveal where someone lives, worships, receives medical care, or spends time — details that can be exploited by stalkers, advertisers, or government agencies. Data brokers have long purchased this data from app developers and resold it with few restrictions.
