Massachusetts Data Privacy Laws: Security Rules & Consumer Rights (2026)

Massachusetts takes a sectoral approach to data privacy. Rather than a single comprehensive privacy statute like those in California or Connecticut, the Commonwealth protects personal data through a combination of strict data security regulations, aggressive breach notification requirements, and a powerful consumer protection enforcement framework.
This guide covers every major Massachusetts data privacy law currently in effect, the pending comprehensive privacy legislation, and the technical requirements that businesses handling Massachusetts residents' data must follow.
Massachusetts Data Security Regulations (201 CMR 17.00)
201 CMR 17.00 is the foundation of Massachusetts data privacy law. Effective since March 1, 2010, it is one of the most detailed data security regulations in the United States. The regulation was promulgated under the authority of Mass. Gen. Laws ch. 93H by the Office of Consumer Affairs and Business Regulation.

Who Must Comply
Every person, business, or entity that owns or licenses personal information about a resident of Massachusetts must comply with 201 CMR 17.00. This applies regardless of where the business is located. A company in Texas that stores the personal data of a single Massachusetts resident is subject to these regulations.
Personal information under the regulation means a Massachusetts resident's first name and last name (or first initial and last name) combined with any one of the following:
- Social Security number
- Driver's license number or state-issued identification number
- Financial account number, credit card number, or debit card number (with or without any security code, access code, or password that would permit access to the account)
Publicly available information lawfully obtained from federal, state, or local government records is excluded from the definition.
The Written Information Security Program (WISP) Requirement
The most significant requirement under 201 CMR 17.00 is the Written Information Security Program, commonly called a WISP. Under Section 17.03, every covered entity must develop, implement, maintain, and monitor a comprehensive, written information security program.
The WISP must be appropriate for the size and scope of the organization, the resources available, the amount of stored data, and the need for security and confidentiality. At a minimum, the WISP must include:
- Designation of one or more employees responsible for maintaining the program
- Identification and assessment of reasonably foreseeable internal and external risks
- Employee security policies covering terminated employees and their access
- Disciplinary measures for violations of WISP rules
- Prevention of terminated employees from accessing personal information
- Oversight of third-party service providers by requiring them to maintain appropriate security measures
- Reasonable restrictions on physical access to records containing personal information
- Regular monitoring to ensure the WISP is operating effectively
- Annual review and updates when business practices change
- Documentation of responsive actions taken after a breach
The regulation does not prescribe a single template. A small business with limited data may have a shorter WISP than a large financial institution. However, every entity must have a written plan that addresses each element listed above.
Computer System Security Requirements (Section 17.04)
Section 17.04 sets specific technical requirements for any computer system that stores or transmits personal information. These requirements include:
Secure user authentication protocols. Organizations must use a reasonably secure method of assigning and selecting passwords or use unique identifier technologies such as biometrics or token devices. Passwords must be kept in a location or format that does not compromise security. Access must be restricted to active users and active user accounts only. Access must be blocked after multiple unsuccessful login attempts.
Access control measures. Access to records containing personal information must be restricted to those who need the information to perform their job duties. Each person with access must have a unique login credential. Default vendor-supplied passwords must be changed.
Encryption of data in transit. All records and files containing personal information that travel across public networks must be encrypted. All personal information transmitted wirelessly must be encrypted.
Encryption of portable devices. All personal information stored on laptops or other portable devices must be encrypted.
Firewall protection. Systems connected to the Internet that contain personal information must have reasonably up-to-date firewall protection and operating system security patches.
Malware protection. Reasonably up-to-date system security software with malware protection must be installed. The software must be set to receive current security updates on a regular basis.
Monitoring. Organizations must have reasonable monitoring in place to detect unauthorized use of or access to personal information.
Employee training. Employees must be educated and trained on the proper use of the computer security system and the importance of personal information security.
Data Breach Notification Law (Chapter 93H)
Mass. Gen. Laws ch. 93H establishes Massachusetts' data breach notification requirements. The law was originally enacted in 2007 and significantly strengthened by Chapter 444 of the Acts of 2018, effective April 10, 2019.
What Constitutes a Breach
Under Section 1, a breach of security is the unauthorized acquisition or unauthorized use of unencrypted data, or encrypted electronic data together with the confidential process or key, that creates a substantial risk of identity theft or fraud against a Massachusetts resident.
A good-faith but unauthorized acquisition of personal information by an employee or agent for lawful business purposes is not a breach, unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
Encrypted data is defined as data transformed using an algorithm with 128-bit or higher key strength, making it unreadable without the confidential process or key.
Notification Requirements
Under Section 3, when a breach occurs, the entity that owns or licenses the data must notify three parties as soon as practicable and without unreasonable delay:
- The Attorney General
- The Director of the Office of Consumer Affairs and Business Regulation
- Each affected Massachusetts resident
Entities that do not own the data but maintain it on behalf of another entity must notify the data owner as soon as practicable.
Required Content of Notifications
Notice to the Attorney General and Director must include:
- The nature of the breach of security or unauthorized use
- The number of Massachusetts residents affected
- The name and address of the entity that experienced the breach
- The name and title of the person reporting the breach
- Whether the entity maintains a Written Information Security Program (WISP)
- The type of personal information compromised (SSN, driver's license, financial account)
- Whether the entity is the owner or licensor of the affected data
- The name of the parent or affiliated corporation, if applicable
Notice to affected residents must include the consumer's right to file a police report, information about security freezes, and credit monitoring details. Notably, the consumer notice must not include the nature of the breach or the number of residents affected.
Credit Monitoring Requirements
Under Section 3A, if a breach involves Social Security numbers, the entity must provide affected residents with free credit monitoring services for at least 18 months through a third-party vendor. Consumer reporting agencies must offer credit monitoring for at least 42 months.
The law prohibits entities from requiring residents to waive their right to bring a private lawsuit as a condition of receiving credit monitoring services. Agreements between the entity and the monitoring vendor cannot include reciprocal arrangements for services in place of payment or fees.
Enforcement Through Chapter 93A
Chapter 93H, Section 6 provides that the Attorney General may bring an enforcement action under Section 4 of Chapter 93A, the Massachusetts consumer protection law. This is a critical feature of the Massachusetts framework.
How Chapter 93A Works
Chapter 93A prohibits unfair or deceptive practices in trade or commerce. It does not define specific prohibited practices. Instead, the Attorney General interprets what constitutes an unfair or deceptive practice, and courts evaluate each case on its facts.
The Attorney General can investigate potential violations through civil investigative demands, bring civil enforcement actions, and seek injunctive relief and civil penalties. When a violation of Chapter 93H is proven, it is treated as a per se violation of Chapter 93A.
Private Right of Action
Chapter 93A also provides a private right of action for consumers. To bring a claim, the consumer must first send a demand letter to the business, which then has 30 days to respond with a reasonable settlement offer.
If the case proceeds to court, damages can include:
- Compensatory damages
- Up to treble (triple) damages if the defendant willfully and knowingly violated the law or acted in bad faith
- Reasonable attorney's fees and costs
This treble damages provision makes Massachusetts one of the most consequential states for data privacy enforcement. A company that suffers a breach due to inadequate security practices and fails to notify affected residents properly faces potential liability of three times the actual damages, plus the plaintiffs' legal fees.
The AG's Privacy Enforcement Division
The Massachusetts Attorney General maintains a dedicated Privacy & Responsible Technology Division that investigates violations of Chapter 93A, Chapter 93H, and 201 CMR 17.00. The division can pursue injunctive relief and civil penalties against companies that violate data security laws.
The AG's office also publishes annual data breach notification reports that document every breach reported to the office during the year.
The Massachusetts Data Privacy Act (Pending Legislation)
On September 25, 2025, the Massachusetts Senate unanimously passed the Massachusetts Data Privacy Act (S.2608) on a bipartisan vote of 40-0. As of March 2026, the bill awaits action in the House of Representatives and has not been signed into law.
What the Bill Would Do
If enacted, the Massachusetts Data Privacy Act would establish comprehensive consumer data privacy rights similar to laws already in effect in states like California, Connecticut, and Colorado. Key provisions include:
Consumer rights. Massachusetts residents would gain the right to know what personal data is collected about them, access their collected data, correct inaccurate information, delete personal information, and opt out of targeted advertising and data sales.
Sensitive data ban. The bill would prohibit any entity from selling sensitive personal data, including health care information, biometric identifiers (face scans, fingerprints), precise geolocation data, religious affiliation, immigration status, sexual orientation, gender identity, race, and ethnicity.
Minor protections. The sale of minors' personal data would be banned entirely. Companies would be prohibited from collecting or processing a young person's personal information for the purposes of targeted advertising.
Data minimization. Companies would be required to limit data collection to what is reasonably necessary for providing the service. Stricter standards would apply to sensitive data, where collection must be strictly necessary.
Enforcement. The Attorney General would receive broad regulatory authority to enforce the law. Any violation would be treated as an unfair or deceptive trade practice under Chapter 93A.
Effective dates. Most provisions would take effect January 1, 2027, with additional sections following on June 1, 2027.
Senate President Karen Spilka described the legislation as providing "some of the best data privacy protections in the country." The bill received endorsements from the ACLU of Massachusetts, Planned Parenthood, Massachusetts AFL-CIO, and the Electronic Privacy Information Center (EPIC).
Additional Privacy Protections
Attorney General Regulation 940 CMR 27.00
940 CMR 27.00 is a separate regulation issued by the Attorney General under the authority of Chapter 93H. It establishes the AG's own internal standards for safeguarding personal information and serves as a model for the type of WISP that the AG's office expects covered entities to maintain.
The regulation requires identification and assessment of internal and external risks, reasonable monitoring of systems, and review and update of the security program at least annually or whenever there is a material change in practices.
Wiretap Law (Chapter 272, Section 99)
Mass. Gen. Laws ch. 272, Section 99 makes Massachusetts a two-party consent state for the interception of wire and oral communications. The term "interception" includes secretly hearing or recording any communication without the prior consent of all parties.
This law intersects with data privacy in several important ways. Employers who monitor employee communications (emails, phone calls, instant messages) without the knowledge and consent of all parties may violate Section 99. Call recording by businesses requires the consent of all parties on the line. Violation of the wiretap statute is a criminal offense punishable by up to 5 years in state prison, a fine of up to $10,000, or both. Civil remedies are also available.
Right of Privacy (Chapter 214, Section 1B)
Mass. Gen. Laws ch. 214, Section 1B establishes a general right of privacy for Massachusetts residents. A person has the right against unreasonable, substantial, or serious interference with their privacy. This statute has been used in data privacy litigation where no other specific statute applies.
Student Data Privacy
Massachusetts protects student data through both federal and state law. The Massachusetts Student Records Regulations (603 CMR 23.00) work alongside FERPA to prohibit schools from disclosing personally identifiable information from student records without written parental consent.
State law further requires each school district to designate a student data manager and develop a detailed privacy and security policy for the protection of covered information, including security breach planning and notification procedures.
Specific Massachusetts statutes governing student records include:
- Mass. Gen. Laws ch. 71, Section 34D (student records authorization for regulations)
- Mass. Gen. Laws ch. 71, Section 34E (inspection of student records)
- Mass. Gen. Laws ch. 71, Section 37H (rights of non-custodial parents)
- Mass. Gen. Laws ch. 71, Section 87 (removal of certain information from student records)
Right to Repair and Vehicle Data
Massachusetts voters approved a ballot initiative in 2020 amending the state's Right to Repair law. The Data Access Law requires vehicles sold in Massachusetts that use telematics systems to provide an open-access platform that makes vehicle-generated mechanical data available to owners and authorized repair facilities through a mobile application.
The law has faced legal challenges from automakers. As of early 2026, the Alliance for Automotive Innovation appealed a federal district court ruling to the First Circuit Court of Appeals, and the court may issue a decision before the end of 2026. Some automakers have disabled telematics in Massachusetts vehicles rather than comply, and NHTSA has warned that open telematics mandates could create cybersecurity risks.
How Massachusetts Compares to Other States
Massachusetts stands out in the national data privacy landscape for the strength of its data security regulations and enforcement mechanisms, even without a comprehensive privacy law.
| Feature | Massachusetts | California (CCPA/CPRA) | Connecticut (CTDPA) |
|---|---|---|---|
| Comprehensive privacy law | Pending (S.2608) | Yes (2020/2023) | Yes (2023) |
| Written security program required | Yes (WISP) | Yes (reasonable security) | No specific requirement |
| Specific technical requirements | Yes (201 CMR 17.04) | No (general standard) | No |
| Breach notification | Yes (93H) | Yes | Yes |
| Credit monitoring after SSN breach | 18 months required | Not required | Not required |
| Private right of action | Yes (93A, treble damages) | Limited (data breaches only) | No |
| Two-party consent wiretap | Yes | Yes | Yes |
The 201 CMR 17.00 requirement for specific technical controls (encryption standards, firewall requirements, access controls) makes Massachusetts more prescriptive than most states, which use a general "reasonable security" standard.
Penalties Summary
| Violation | Authority | Potential Penalty |
|---|---|---|
| Failure to maintain WISP | AG via 93A | Civil penalties per violation |
| Failure to notify of breach | AG via 93A | Civil penalties + injunctive relief |
| Unfair/deceptive data practices | AG or private plaintiff via 93A | Up to treble damages + attorney fees |
| Wiretap violation (272 s.99) | Criminal + civil | Up to 5 years prison, $10,000 fine |
| Failure to provide credit monitoring | AG via 93A | Civil penalties per violation |
Sources and References
- 201 CMR 17.00: Standards for the Protection of Personal Information (mass.gov)
- Mass. Gen. Laws ch. 93H - Security Breaches (malegislature.gov)
- Chapter 93H, Section 3 - Duty to Report Known Security Breach (malegislature.gov)
- Chapter 93H, Section 3A - Credit Monitoring Requirements (malegislature.gov)
- Chapter 93H, Section 1 - Definitions (malegislature.gov)
- Requirements for Data Breach Notifications (mass.gov)
- Chapter 93A - Consumer Protection Act (malegislature.gov)
- 201 CMR 17.04 - Computer System Security Requirements (law.cornell.edu)
- Massachusetts Data Privacy Act S.2608 - Fact Sheet (malegislature.gov)
- Senate Passes the Massachusetts Data Privacy Act (malegislature.gov)
- AG Data Privacy and Security Division (mass.gov)
- Massachusetts Law About Privacy (mass.gov)
- 940 CMR 27.00: Safeguard of Personal Information (mass.gov)
- Mass. Gen. Laws ch. 272, Section 99 - Wiretap Statute (malegislature.gov)
- Massachusetts Student Records Regulations 603 CMR 23.00 (doe.mass.edu)
- Guidance Regarding K-12 Schools' Obligations to Protect Students (mass.gov)
- Reporting Data Breaches to the Attorney General (mass.gov)
- Chapter 93H, Section 6 - Enforcement (malegislature.gov)
- Mass. Gen. Laws ch. 214, Section 1B - Right of Privacy (mass.gov)
- Data Breach Notification Reports (mass.gov)