Massachusetts
Massachusetts Data Privacy Laws: Security Rules & Consumer Rights (2026)
Massachusetts data privacy law operates through 201 CMR 17.00, which requires a Written Information Security Program, M.G.L. c. 93H breach notification, and M.G.L. c. 93A enforcement. No comprehensive consumer privacy law is in effect; the Massachusetts Data Privacy Act (S.2608) passed the Senate but remains pending in the House as of May 2026.
Massachusetts takes a sectoral approach to data privacy. The Commonwealth protects personal information through a combination of strict data security regulations, an aggressive breach notification law, a powerful consumer protection enforcement framework, and targeted sectoral statutes covering students, employees, and vehicle data. No single comprehensive consumer privacy law is yet in force.
That picture is changing. The Massachusetts Senate unanimously passed the Massachusetts Data Privacy Act on September 25, 2025, and the bill awaits action in the House. If enacted, Massachusetts residents would gain rights to access, correct, and delete their data, and companies would face strict limits on selling sensitive information.
This guide covers every major Massachusetts data privacy law currently in effect, the pending legislation, the enforcement record, and what businesses and residents need to know right now.
The Legal Framework at a Glance
Massachusetts data privacy law rests on four pillars: the data security regulation (201 CMR 17.00), the breach notification law (M.G.L. c. 93H), the records disposal law (M.G.L. c. 93I), and the consumer protection law (M.G.L. c. 93A). Each plays a distinct role, and violations of the first three are channeled through the fourth for enforcement.
The state also has sectoral statutes covering student records, vehicle telematics, employee wiretap rights, and nonconsensual intimate images. Federal law adds overlapping requirements through HIPAA, GLBA, FCRA, COPPA, and the FTC Act.
201 CMR 17.00: The Data Security Regulation
201 CMR 17.00 is the foundation of Massachusetts data privacy compliance. Effective since March 1, 2010, it is one of the most technically prescriptive data security regulations in the United States. The Office of Consumer Affairs and Business Regulation (OCABR) promulgated it under the authority of M.G.L. c. 93H.
Who Must Comply
Every person, business, or entity that owns or licenses personal information about a Massachusetts resident must comply, regardless of the entity's physical location. A company headquartered in California that stores the name and Social Security number of even one Massachusetts resident is fully subject to 201 CMR 17.00.
Personal information under the regulation means a Massachusetts resident's first name and last name (or first initial and last name) combined with any one of the following:
- Social Security number
- Driver's license number or state-issued identification card number
- Financial account number, credit card number, or debit card number (with or without any security code, access code, or password that would permit access to the account)
Publicly available information lawfully obtained from government records is excluded.
The Written Information Security Program (WISP)
The most significant requirement under 201 CMR 17.00 is the Written Information Security Program. Under Section 17.03, every covered entity must develop, implement, maintain, and monitor a comprehensive written security program. The WISP must be appropriately scaled to the organization's size, resources, and data volume. At a minimum, it must address:
- Designation of one or more employees responsible for the program
- Identification and assessment of reasonably foreseeable internal and external risks
- Employee security policies, including procedures for terminated employees
- Disciplinary measures for WISP violations
- Oversight of third-party service providers
- Reasonable restrictions on physical access to records
- Regular monitoring, annual review, and updates when business practices change
- Documentation of responsive actions taken after a breach
A one-person business with a small customer list may have a shorter WISP than a hospital network, but every covered entity needs a written plan that addresses every element above.
Technical Requirements (Section 17.04)
Section 17.04 imposes specific technical controls on any computer system that stores or transmits personal information:
Authentication. Organizations must use a reasonably secure method for assigning passwords or use unique identifier technologies such as biometrics or token devices. Systems must block access after multiple unsuccessful login attempts. Default vendor-supplied passwords must be changed.
Access control. Access to personal information must be restricted to employees who need it to perform their job. Each user must have a unique login credential.
Encryption in transit. All records containing personal information transmitted across public networks or wirelessly must be encrypted.
Encryption at rest on portable devices. Personal information stored on laptops and other portable devices must be encrypted.
Firewall and patch management. Systems connected to the internet that contain personal information must run reasonably up-to-date firewall protection and operating system security patches.
Malware protection. Systems must have up-to-date security software with malware protection set to receive regular updates.
Monitoring. Organizations must maintain reasonable monitoring to detect unauthorized access to personal information.
Employee training. Employees must be educated on the proper use of the computer security system and the importance of personal information security.
These requirements make Massachusetts significantly more prescriptive than most states, which use a general "reasonable security" standard without specifying encryption thresholds, firewall requirements, or authentication controls.
Chapter 93H: Data Breach Notification
M.G.L. c. 93H establishes Massachusetts' data breach notification requirements. The law was originally enacted in 2007 and significantly strengthened by Chapter 444 of the Acts of 2018, effective April 10, 2019.
What Qualifies as a Breach
Under Section 1, a breach of security is the unauthorized acquisition or unauthorized use of unencrypted data, or encrypted data together with the confidential process or key, that creates a substantial risk of identity theft or fraud against a Massachusetts resident.
A good-faith but unauthorized acquisition of personal information by an employee for lawful business purposes is not a breach, unless the information is used in an unauthorized manner or subject to further unauthorized disclosure.
Encrypted data is defined as data transformed using an algorithm with a 128-bit or higher key strength.
Who Must Be Notified
Under Section 3, when a breach occurs, the entity that owns or licenses the data must notify three parties as soon as practicable and without unreasonable delay:
- The Attorney General
- The Director of the Office of Consumer Affairs and Business Regulation
- Each affected Massachusetts resident
Entities that maintain data on behalf of another entity must notify the data owner promptly so the owner can fulfill its notification obligations.
Required Notice Content
Notice to the Attorney General and OCABR Director must include:
- The nature of the breach and the type of personal information compromised
- The number of Massachusetts residents affected
- The name and address of the breached entity
- Whether the entity maintains a WISP
- Whether the entity is the owner or a licensee of the data
- The name of any parent or affiliated corporation
Notice to affected residents must include the right to file a police report, information about security freezes, and credit monitoring details. Importantly, the resident notice must not state the nature of the breach or the number of affected residents.
Credit Monitoring Requirement
Under Section 3A, when a breach involves Social Security numbers, the entity must provide affected residents with 18 months of free credit monitoring through a third-party vendor. Consumer reporting agencies must offer 42 months. The law prohibits requiring residents to waive their right to sue as a condition of receiving monitoring services.
Chapter 93I: Records Disposal
M.G.L. c. 93I completes the data lifecycle framework. When personal information is no longer needed, covered entities must dispose of it properly. Paper records must be redacted, burned, pulverized, or shredded. Electronic and non-paper media must be destroyed or erased so the information cannot practicably be read or reconstructed.
Third-party disposal vendors must implement and monitor compliance policies that prohibit unauthorized access during collection, transportation, and disposal. Civil fines run up to $100 per affected data subject, capped at $50,000 per instance of improper disposal.
Enforcement: Chapter 93A and the Attorney General
M.G.L. c. 93H, Section 6 routes enforcement through M.G.L. c. 93A, the Massachusetts consumer protection law. A proven violation of Chapter 93H is treated as a per se violation of Chapter 93A.
What the AG Can Do
The Attorney General can investigate through civil investigative demands, bring civil enforcement actions, seek injunctive relief, and seek civil penalties. Under Chapter 93A, civil penalties run up to $5,000 per violation. When violations are willful or in bad faith, the AG can also seek multiple damages.
Private Right of Action
Chapter 93A provides consumers with a private right of action. Before filing suit, a consumer must send a 30-day demand letter. If the case goes to court and the defendant willfully and knowingly violated the law, damages can be trebled. The prevailing plaintiff recovers reasonable attorney fees and costs. This treble damages provision makes Massachusetts one of the highest-stakes states for data privacy litigation.
Real Enforcement Actions
Peabody Properties (August 2025). AG Andrea Campbell secured a $795,000 settlement against Peabody Properties, Inc., a Braintree-based property management company. Between November 2019 and September 2021, Peabody experienced five separate phishing-based intrusions that exposed Social Security numbers, driver's license data, and bank account information of nearly 14,000 Massachusetts residents. The AG found Peabody unlawfully delayed notifying the Attorney General and affected residents, with the first two incidents unreported for nearly seven months. The consent judgment requires multi-factor authentication, phishing protection, vulnerability management, and three years of regulatory oversight.
Earnest Operations (2025). AG Campbell reached a $2.5 million settlement with a student loan lender for using AI models that created disparate harm to Black, Hispanic, and non-citizen applicants, in violation of consumer protection and data privacy laws.
AG AI Advisory (April 2024). On April 16, 2024, AG Campbell issued a formal advisory confirming that Massachusetts consumer protection, civil rights, and data privacy laws apply to artificial intelligence systems. Developers, deployers, and users of AI are subject to existing Massachusetts law.
The AG's Privacy and Data Security Division
The AG maintains a dedicated Data Privacy and Security Division that investigates violations of Chapter 93A, Chapter 93H, and 201 CMR 17.00. The division publishes annual data breach notification reports documenting every breach reported to the office.
Pending Comprehensive Privacy Legislation
Massachusetts Data Privacy Act (S.2608)
On September 25, 2025, the Massachusetts Senate unanimously passed the Massachusetts Data Privacy Act on a 40-0 bipartisan vote. As of May 2026, the bill is pending action in the House of Representatives and has not been signed into law. Massachusetts residents currently have no rights under this bill.
If enacted, S.2608 would establish:
Consumer rights. The right to know what personal data is collected, access collected data, correct inaccurate information, delete personal data, and opt out of targeted advertising and data sales.
Sensitive data protections. A ban on selling health care information, biometric identifiers, precise geolocation data, religious affiliation, immigration status, sexual orientation, gender identity, race, and ethnicity.
Minor protections. A full ban on selling any personal data of minors. A prohibition on collecting minors' data for targeted advertising.
Data minimization. Collection limited to what is reasonably necessary to provide the service. Sensitive data collection must be strictly necessary.
Enforcement. Violations treated as unfair or deceptive practices under Chapter 93A, with the Attorney General as the primary enforcement authority.
Proposed effective dates. Most provisions would take effect January 1, 2027. Additional sections would follow June 1, 2027.
The bill received endorsements from the ACLU of Massachusetts, Planned Parenthood Advocacy Fund of Massachusetts, Massachusetts AFL-CIO, and the Electronic Privacy Information Center. Senate President Karen Spilka described it as providing "some of the best data privacy protections in the country."
Massachusetts Biometric Privacy Act (S.43)
S.43, "An Act to protect personal biometric data," was reported favorably by the Advanced Information Technology, the Internet and Cybersecurity committee and referred to the Senate Committee on Ways and Means in May 2025. If enacted, the bill would require written consent before collecting biometric identifiers (fingerprints, facial scans, voice prints), prohibit selling biometric data, and allow private plaintiffs to sue for at least $5,000 per violation. The bill remains in committee as of May 2026.
Additional Privacy Protections
Nonconsensual Intimate Images and Deepfakes
Governor Healey signed An Act to Prevent Abuse and Exploitation on June 20, 2024, making Massachusetts the 49th state to prohibit nonconsensual sharing of intimate images. The law covers authentic images and computer-generated "deepfakes" that purport to depict a real person in a sexually explicit manner. It also expands the criminal harassment statute and broadens the definition of abuse under Chapter 209A to include coercive control.
Right of Privacy (Chapter 214, Section 1B)
M.G.L. c. 214, Section 1B establishes a general right of privacy for Massachusetts residents. A person has the right against unreasonable, substantial, or serious interference with their privacy. Courts have applied this statute in data privacy disputes where no other specific statute applies.
Wiretap Law (Chapter 272, Section 99)
M.G.L. c. 272, Section 99 makes Massachusetts a two-party consent state. Recording a phone call, intercepting an email, or monitoring employee communications without the consent of all parties is a criminal offense punishable by up to 5 years in state prison, a fine of up to $10,000, or both. Civil remedies are also available. Businesses that record customer service calls must disclose the recording to all parties and obtain consent.
Student Data Privacy (603 CMR 23.00)
The Massachusetts Student Records Regulations operate alongside FERPA to protect student data. School districts must designate a student data manager and maintain a privacy and security policy addressing data breach planning and notification. Relevant statutes include M.G.L. c. 71, Sections 34D, 34E, 37H, and 87.
Right to Repair and Vehicle Data
Massachusetts voters approved a ballot initiative in 2020 requiring vehicles sold in Massachusetts that use telematics systems to provide an open-access platform making vehicle-generated mechanical data available to owners and independent repair facilities. Automakers challenged the law in federal court. As of early 2026, the matter is before the First Circuit on appeal from a federal district court ruling.
Federal Overlay
Several federal laws create data privacy obligations for Massachusetts residents and businesses independent of state law.
TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025). Criminalizes the knowing publication or threatened publication of nonconsensual intimate images, including AI-generated deepfakes. The criminal provisions took effect immediately. As of May 19, 2026, covered platforms must maintain a notice-and-removal process and remove reported images within 48 hours. The FTC enforces platform compliance and may seek civil penalties of up to $53,088 per violation.
HIPAA. Covered entities and business associates handling protected health information of Massachusetts residents must comply with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. HIPAA-regulated entities are generally exempt from state privacy law requirements.
GLBA. Financial institutions, including banks, insurance companies, and mortgage brokers, must comply with the Gramm-Leach-Bliley Act's Safeguards Rule, which requires a written information security program similar in structure to Massachusetts' WISP requirement.
FCRA / FACTA. Consumer reporting agencies and users of consumer reports must comply with the Fair Credit Reporting Act, including the FACTA Disposal Rule requiring proper destruction of consumer report information.
COPPA. Operators of websites and online services directed to children under 13 must obtain verifiable parental consent before collecting personal information.
FTC Act Section 5. The FTC's authority to prohibit unfair or deceptive practices applies to all businesses regardless of whether a specific privacy statute covers them.
American Privacy Rights Act (APRA). The bipartisan federal privacy bill introduced in 2024 did not pass the 118th Congress and had not been reintroduced in the 119th Congress as of May 2026. No federal comprehensive consumer privacy law is in effect.
How Massachusetts Compares to Other States
Massachusetts stands out for the strength of its data security requirements and enforcement mechanism, even without a comprehensive privacy law.
| Feature | Massachusetts | California (CCPA/CPRA) | Connecticut (CTDPA) |
|---|---|---|---|
| Comprehensive privacy law | Pending (S.2608) | Yes (2020/2023) | Yes (2023) |
| Mandatory written security program | Yes (WISP) | Reasonable security standard | No specific requirement |
| Specific technical controls | Yes (201 CMR 17.04) | No | No |
| Breach notification | Yes (c. 93H) | Yes | Yes |
| Credit monitoring after SSN breach | 18 months required | Not required | Not required |
| Private right of action | Yes (c. 93A, treble damages) | Limited (breaches only) | No |
| Two-party consent recording law | Yes (c. 272 s.99) | Yes | Yes |
The 201 CMR 17.00 technical controls (specific encryption standards, firewall requirements, access controls) make Massachusetts more prescriptive than most states, which use a general "reasonable security" standard.
Penalty Structure
| Violation | Enforcement Vehicle | Maximum Penalty |
|---|---|---|
| Failure to maintain WISP | AG via c. 93A | $5,000 per violation |
| Delayed or inadequate breach notification | AG via c. 93A | $5,000 per violation plus injunctive relief |
| Improper records disposal (c. 93I) | AG civil action | $100 per affected resident, max $50,000 per incident |
| Willful unfair/deceptive data practices | Private plaintiff via c. 93A | Up to treble damages plus attorney fees |
| Wiretap violation (c. 272 s.99) | Criminal prosecution | Up to 5 years prison, $10,000 fine |
| TAKE IT DOWN Act platform violation | FTC enforcement | $53,088 per violation |
Practical Compliance Steps for Businesses
Businesses that collect personal information about Massachusetts residents should take the following steps now, regardless of whether S.2608 ever becomes law:
Audit your data. Identify every location where you store name-plus-SSN, name-plus-driver's license, or name-plus-financial account number. Any database, spreadsheet, or paper file containing that combination is in scope for 201 CMR 17.00.
Write and maintain a WISP. The WISP must be a written document, not a general intention. It must address every element in Section 17.03. Update it annually and whenever your business practices change.
Meet the technical controls. Ensure that all data crossing public networks is encrypted, all portable devices storing personal information are encrypted, multi-factor authentication is deployed, and access is limited to those who need the data.
Know your breach notification timeline. Massachusetts requires notification "as soon as practicable and without unreasonable delay." The Peabody Properties settlement confirmed that seven months is not acceptable. Legal counsel typically advises notification within 30 days of confirmation, and sooner if the breach involves Social Security numbers.
Vet your vendors. Your WISP must address third-party service providers. Require contracts that obligate vendors to maintain appropriate security measures and to notify you immediately if a breach occurs.
Prepare for S.2608. Even before S.2608 becomes law, its likely passage makes now the right time to build data inventories, draft consumer request procedures, and assess your sensitive data practices.
How Massachusetts Residents Exercise Their Privacy Rights
Under current law, Massachusetts residents have the following avenues:
Request your data security audit results. If you suspect a business has your personal information, you can contact it and ask whether it has a WISP in place and whether it has suffered a breach affecting your data.
File a breach notification complaint. If a business that suffered a breach affecting you failed to notify you promptly, you can file a complaint with the Attorney General's office and the Office of Consumer Affairs and Business Regulation.
File a Chapter 93A demand letter. You can send a 30-day demand letter to a business you believe violated your data privacy rights under Chapter 93H or 201 CMR 17.00. If the business does not respond with a reasonable offer, you may file suit in Superior Court.
Place a credit freeze. If your financial account information or Social Security number was compromised, you can place a security freeze with each major credit bureau at no cost under federal law.
Contact the AG. The Data Privacy and Security Division accepts complaints and investigates violations.
More Massachusetts Laws
- Massachusetts AI Meeting Recording Laws
- Massachusetts Alimony Laws
- Massachusetts At-Will Employment Laws
- Massachusetts Car Accident Laws
- Massachusetts Car Seat Laws
- Massachusetts Child Custody Laws
- Massachusetts Child Support Laws
- Massachusetts Common Law Marriage Laws
- Massachusetts Deepfake Laws
- Massachusetts Divorce Laws
- Massachusetts Dog Bite Laws
- Massachusetts Emancipation Laws
- Massachusetts Expungement Laws
- Massachusetts Hit and Run Laws
- Massachusetts Landlord-Tenant Laws
- Massachusetts Lemon Laws
Frequently Asked Questions
Does Massachusetts have a comprehensive data privacy law?
No. Massachusetts does not have a comprehensive consumer data privacy law in effect as of May 2026. The Massachusetts Data Privacy Act (S.2608) passed the Senate 40-0 on September 25, 2025, and is pending action in the House of Representatives. Until it is signed into law, Massachusetts residents do not have statutory rights to access, correct, or delete their personal data. The state protects personal information through sectoral laws: 201 CMR 17.00 (data security), Chapter 93H (breach notification), Chapter 93I (records disposal), and Chapter 93A (consumer protection enforcement).
What is a WISP and who needs one in Massachusetts?
A WISP is a Written Information Security Program required by 201 CMR 17.00. Every person or business that owns or licenses personal information about a Massachusetts resident must maintain one, regardless of where the business is located. The WISP must be a written document addressing risk assessment, employee policies, third-party vendor oversight, physical access controls, and regular review and updates. The AG and OCABR inspect the WISP when a breach is reported. Not having one, or having one that fails to address the required elements, is itself a violation subject to penalties under Chapter 93A.
What are Massachusetts' data breach notification requirements?
Under Chapter 93H, a business must notify the Attorney General, the Office of Consumer Affairs and Business Regulation, and each affected Massachusetts resident as soon as practicable and without unreasonable delay after discovering a breach. The Peabody Properties settlement (August 2025, $795,000) confirmed that delays of several months are unlawful. If Social Security numbers were compromised, the entity must also provide 18 months of free credit monitoring. Notice to residents must describe their right to file a police report and information about credit freezes.
What are the penalties for violating Massachusetts data privacy laws?
Violations of 201 CMR 17.00 and Chapter 93H are enforced through Chapter 93A at up to $5,000 per violation. The AG can also seek injunctive relief. Private plaintiffs who prove a willful violation can recover treble damages plus attorney fees. For improper records disposal under Chapter 93I, the civil fine is up to $100 per affected data subject, capped at $50,000 per incident. Wiretap violations under Chapter 272, Section 99 carry criminal penalties of up to 5 years in state prison and a $10,000 fine.
Does 201 CMR 17.00 apply to businesses outside Massachusetts?
Yes. Any business that owns or licenses personal information about a Massachusetts resident must comply, regardless of where the business is located. A company in another state that stores the name and Social Security number of one Massachusetts resident must maintain a WISP and meet all technical controls in Section 17.04, including encryption of data in transit and at rest on portable devices, access controls, firewall protection, and employee training.
What does the TAKE IT DOWN Act mean for Massachusetts residents?
The TAKE IT DOWN Act (Pub. L. 119-12), signed May 19, 2025, is a federal law that criminalizes the knowing publication of nonconsensual intimate images, including AI-generated deepfakes. As of May 19, 2026, covered online platforms must maintain a notice-and-removal process and take down reported images within 48 hours. The FTC enforces the platform obligations and may seek civil penalties of $53,088 per violation. Massachusetts residents who are victims of nonconsensual intimate images can use the federal law alongside the Massachusetts state law signed by Governor Healey in June 2024.
What rights will Massachusetts residents gain under S.2608 if it becomes law?
If the Massachusetts Data Privacy Act (S.2608) is signed into law, residents would gain the right to know what personal data is collected about them, access that data, correct inaccuracies, request deletion, and opt out of targeted advertising and data sales. The bill would also ban the sale of sensitive data categories including health information, biometric identifiers, precise geolocation, religious affiliation, immigration status, sexual orientation, and race. Sale of any personal data of minors would be fully prohibited. Most provisions would take effect January 1, 2027.
How do I report a data breach or privacy violation in Massachusetts?
You can file a complaint directly with the Massachusetts Attorney General's Data Privacy and Security Division at mass.gov. You can also contact the Office of Consumer Affairs and Business Regulation, which receives breach notifications. If a business that suffered a breach affecting you failed to notify you, or if you believe a company is violating your data rights under Chapter 93A, you can send a 30-day written demand letter before filing suit in Superior Court. For wiretap violations, contact the AG's Criminal Bureau.
Sources and References
- 201 CMR 17.00: Standards for the Protection of Personal Information(mass.gov).gov
- Mass. Gen. Laws ch. 93H - Security Breaches(malegislature.gov).gov
- Chapter 93H, Section 3 - Duty to Report Known Security Breach(malegislature.gov).gov
- Chapter 93H, Section 3A - Credit Monitoring Requirements(malegislature.gov).gov
- Chapter 93H, Section 1 - Definitions(malegislature.gov).gov
- Requirements for Data Breach Notifications(mass.gov).gov
- Chapter 93A - Consumer Protection Act(malegislature.gov).gov
- 201 CMR 17.04 - Computer System Security Requirements(law.cornell.edu)
- Massachusetts Data Privacy Act S.2608 - Fact Sheet(malegislature.gov).gov
- Senate Passes the Massachusetts Data Privacy Act(malegislature.gov).gov
- AG Data Privacy and Security Division(mass.gov).gov
- Massachusetts Law About Privacy(mass.gov).gov
- 940 CMR 27.00: Safeguard of Personal Information(mass.gov).gov
- Mass. Gen. Laws ch. 272, Section 99 - Wiretap Statute(malegislature.gov).gov
- Massachusetts Student Records Regulations 603 CMR 23.00(doe.mass.edu).gov
- Guidance Regarding K-12 Schools Obligations to Protect Students(mass.gov).gov
- Reporting Data Breaches to the Attorney General(mass.gov).gov
- Chapter 93H, Section 6 - Enforcement(malegislature.gov).gov
- Mass. Gen. Laws ch. 214, Section 1B - Right of Privacy(mass.gov).gov
- Data Breach Notification Reports(mass.gov).gov
- M.G.L. Chapter 93I: Dispositions and Destruction of Records(malegislature.gov).gov
- AG Campbell Reaches $795,000 Settlement with Peabody Properties for Data Security and Breach Notification Failures (August 2025)(mass.gov).gov
- AG Campbell Announces $2.5 Million Settlement with Earnest Operations for AI-Driven Consumer Protection Violations(mass.gov).gov
- Governor Healey Signs Bill Banning Revenge Porn and Deepfakes (June 20, 2024)(mass.gov).gov
- FTC: Take It Down Act Enforcement Starts Now (May 2026)(ftc.gov).gov
- Congressional Research Service: The TAKE IT DOWN Act(congress.gov).gov
- 603 CMR 23.00: Student Records Regulations, Massachusetts Department of Elementary and Secondary Education(doe.mass.edu)
- S.43 (SD2204): An Act to Protect Personal Biometric Data, Massachusetts 194th General Court(malegislature.gov).gov