Massachusetts Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Massachusetts takes data security seriously, but it has not yet enacted a dedicated biometric privacy law. Unlike Illinois, which passed the Biometric Information Privacy Act (BIPA) in 2008, or Texas, which enacted its Capture or Use of Biometric Identifier Act (CUBI), Massachusetts currently relies on a combination of general data security regulations and consumer protection statutes to address biometric data.
That may change soon. The Massachusetts Data Privacy Act passed the state Senate unanimously in September 2025, and it includes robust protections for biometric information. Until that bill becomes law, businesses operating in Massachusetts must navigate the existing legal framework carefully.
For a broader overview of the state's privacy landscape, see the parent guide to Massachusetts Data Privacy Laws.
Current Legal Framework for Biometric Data
Massachusetts protects biometric data through several existing laws rather than a single biometric-specific statute. Each law covers a different aspect of data handling, from security requirements to breach notification to consumer protection enforcement.

201 CMR 17.00: Data Security Regulation
The Standards for the Protection of Personal Information (201 CMR 17.00) is the backbone of Massachusetts data security law. Issued by the Office of Consumer Affairs and Business Regulation, it requires every person or business that owns or licenses personal information about a Massachusetts resident to develop, implement, and maintain a comprehensive written information security program (WISP).
The regulation applies to biometric data indirectly. While the definition of "personal information" under 201 CMR 17.00 focuses on names combined with Social Security numbers, driver's license numbers, or financial account numbers, the regulation specifically references biometric technologies as an acceptable authentication method. Any business using fingerprint scanners, facial recognition, or other biometric identifiers for system access must protect those systems under the WISP requirement.
Key obligations under 201 CMR 17.00 include:
- Designating one or more employees to maintain the information security program
- Identifying and assessing reasonably foreseeable internal and external risks to personal information
- Developing security policies for employee access to records containing personal information
- Restricting physical access to records containing personal information
- Requiring encryption of all transmitted records and files containing personal information across public networks or wirelessly
- Monitoring the security program and documenting responsive actions taken in connection with any breach
Violations of 201 CMR 17.00 are enforceable through Chapter 93A, the state consumer protection statute.
Chapter 93H: Breach Notification
The Massachusetts breach notification law (Mass. Gen. Laws ch. 93H) requires businesses to notify affected residents, the Attorney General, and the Director of Consumer Affairs and Business Regulation when a breach of security compromises personal information.
Under Section 1 of Chapter 93H, encryption is defined as "the transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key." This sets a concrete technical standard that applies to any personal information a business stores or transmits.
The current definition of "personal information" in Chapter 93H covers a resident's name combined with Social Security numbers, driver's license numbers, and financial account numbers. While biometric identifiers are not explicitly listed in the current statutory definition, businesses that use biometric data alongside other personal information must still comply with the notification requirements if a breach compromises any covered data elements.
Under Section 3 of Chapter 93H, breach notifications must be sent "as soon as practicable and without unreasonable delay" and must include:
- The nature of the breach or unauthorized acquisition
- The number of Massachusetts residents affected
- The types of personal information compromised
- Steps the organization has taken or plans to take in response
- Information about the resident's right to obtain a police report and place a security freeze

Chapter 93A: Consumer Protection Enforcement
Chapter 93A of the Massachusetts General Laws prohibits unfair or deceptive acts or practices in trade or commerce. This statute serves as the primary enforcement tool for data security violations in Massachusetts, including those involving biometric data.
The law provides two enforcement paths. The Attorney General can bring actions under Section 4 to restrain violations and impose civil penalties. Individual consumers can also bring private lawsuits under Section 9.
What makes Chapter 93A particularly powerful for biometric data cases is the damages structure:
- A court may award treble (triple) damages if the defendant willfully or knowingly violated the law, or if the defendant refused to grant relief in bad faith
- Attorney's fees are recoverable by prevailing plaintiffs, making it one of the few Massachusetts statutes whose fee-shifting provision works in the plaintiff's favor
- Before filing suit, a consumer must send a 30-day demand letter to the business, giving it an opportunity to make a reasonable settlement offer
The Massachusetts Attorney General has used Chapter 93A to pursue data breach enforcement actions aggressively. In recent years, the AG's office has reached settlements in excess of $795,000 against companies that failed to protect personal information as required by 201 CMR 17.00.
For businesses collecting biometric data from Massachusetts residents, this means that any failure to secure that data properly could trigger a Chapter 93A action with treble damages exposure.

The Massachusetts Data Privacy Act: Pending Biometric Protections
The most significant development in Massachusetts biometric privacy law is the Massachusetts Data Privacy Act (MDPA), originally filed as S.2608 and reprinted as S.2619 after amendments. The Massachusetts Senate passed the bill unanimously (40-0) on September 25, 2025.
How the MDPA Would Classify Biometric Data
The MDPA designates biometric data, specifically face scans and fingerprints, as sensitive personal data. This classification triggers the highest level of protection under the proposed law.
For regular personal data, businesses would only be allowed to collect what is "reasonably necessary" to provide their product or service. For biometric data and other sensitive categories, the standard is stricter: collection is permitted only when it is "strictly necessary" to provide the product or service.
Key Biometric Provisions in the MDPA
If enacted, the MDPA would establish these rules for biometric data:
- Ban on sale: Businesses and nonprofits would be prohibited from selling biometric data
- Strictly necessary collection: Biometric data collection would be allowed only when strictly necessary to deliver a product or service
- Consumer consent for transfers: Transferring biometric data to third parties would require explicit consumer consent
- Right to access: Consumers could request to know what biometric data a business has collected about them
- Right to delete: Consumers could request deletion of their biometric data
- Right to correct: Consumers could request correction of inaccurate biometric data
Enforcement Under the MDPA
The bill gives the Massachusetts Attorney General broad regulatory authority to enforce its provisions. The MDPA also includes enhanced protections for minors, including a complete ban on selling children's personal data and prohibiting targeted advertising directed at minors based on their biometric or other sensitive data.
Current Status
As of March 2026, the MDPA has passed the Senate and been referred to the Massachusetts House of Representatives. The House has not yet taken action on the bill. The legislation was filed during the 194th General Court session (2025-2026).
Standalone Biometric Bill: Proposed Chapter 93M
In addition to the MDPA, Massachusetts legislators have introduced a standalone biometric privacy bill that would create Chapter 93M of the General Laws. Originally filed as H.63/HD.3053 by Representative Dylan Fernandes, this bill would establish protections similar to Illinois BIPA but with some notable differences.
The proposed Chapter 93M would define "biometric information" as measurable biological or behavioral characteristics used for verification, recognition, or identification, including:
- Fingerprints
- Retina and iris patterns
- Voiceprints
- Facial characteristics and face geometry
- Gait, handwriting, and keystroke dynamics
The bill would require handwritten, non-electronic consent before collecting biometric data for identification purposes. Consent would expire after three years or when the original purpose is fulfilled, whichever comes first. The bill would also prohibit monetizing biometric information entirely.
On penalties, the proposed Chapter 93M would allow individuals to sue with a rebuttable presumption of harm, meaning plaintiffs would not need to prove actual damages. For intentional or reckless violations, penalties could reach 0.5% of annual global revenue or $5,000 per violation, whichever is greater. For negligent conduct, the floor would be 0.1% of global revenue or $1,000 per violation.
This standalone bill has not advanced as far as the MDPA, but it signals the legislative direction Massachusetts is heading on biometric privacy.
Practical Compliance Guidance
Businesses that collect or use biometric data from Massachusetts residents should take these steps under current law:
Written Information Security Program: Under 201 CMR 17.00, any business handling personal information of Massachusetts residents must maintain a WISP. If your business uses biometric authentication systems, those systems must be covered by the WISP.
Encryption: All biometric data transmitted across public networks or stored electronically should be encrypted using 128-bit or higher algorithms, consistent with the Chapter 93H standard.
Breach Response Plan: Prepare a notification plan that meets the "as soon as practicable and without unreasonable delay" standard under Chapter 93H Section 3. Include the Attorney General and the Office of Consumer Affairs and Business Regulation in your notification procedures.
Monitor Legislative Developments: The MDPA could become law during the current legislative session. Businesses should plan for the "strictly necessary" collection standard and the ban on selling biometric data. Building consent mechanisms now will ease the transition if the law passes.
Limit Collection: Even without a dedicated biometric statute, the Chapter 93A treble damages exposure creates strong incentives to minimize biometric data collection. Collect only what you need, retain it only as long as necessary, and document your justification for collection.
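As an added illustration of the Encryption guidance above (this is example code, not code from the original article or from any Massachusetts agency), the following Go program seals a biometric template under AES-256-GCM, which exceeds the 128-bit floor in the Chapter 93H definition of encryption, and refuses any key shorter than that floor before a cipher is built. The key, the template bytes, and the function names are constructed for the example; in production the key would come from a key management service and the encrypted record would be stored alongside its retention justification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// MinKeyBits is the floor set by Mass. Gen. Laws ch. 93H s. 1, which defines
// encryption as a "128-bit or higher algorithmic process".
const MinKeyBits = 128

// ErrKeyTooShort is returned when a key would not satisfy the 128-bit floor.
var ErrKeyTooShort = errors.New("key shorter than 128 bits does not meet the ch. 93H definition of encryption")

// KeyMeetsStandard reports whether a key is at least 128 bits long. AES only
// accepts 16, 24 or 32 byte keys, so anything aes.NewCipher accepts already
// passes, but the explicit check documents the statutory floor in one place.
func KeyMeetsStandard(key []byte) bool {
	return len(key)*8 >= MinKeyBits
}

// EncryptTemplate seals a biometric template (for example a fingerprint
// minutiae blob) with AES-GCM under key. The output is nonce || ciphertext || tag,
// so each stored record carries what is needed to decrypt it and to detect
// tampering.
func EncryptTemplate(key, template []byte) ([]byte, error) {
	if !KeyMeetsStandard(key) {
		return nil, ErrKeyTooShort
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and the auth tag to the nonce slice: nonce||ct||tag.
	return aead.Seal(nonce, nonce, template, nil), nil
}

// DecryptTemplate reverses EncryptTemplate. A modified blob fails GCM
// authentication and returns an error instead of a corrupted template.
func DecryptTemplate(key, blob []byte) ([]byte, error) {
	if !KeyMeetsStandard(key) {
		return nil, ErrKeyTooShort
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample: a random 256-bit key and a fake template string.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	template := []byte("CONSTRUCTED-FINGERPRINT-TEMPLATE-0001")
	blob, err := EncryptTemplate(key, template)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes of ciphertext for a %d byte template\n", len(blob), len(template))
	plain, err := DecryptTemplate(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("round trip ok:", string(plain) == string(template))
	// A 64-bit key is rejected before any cipher is constructed.
	_, err = EncryptTemplate(make([]byte, 8), template)
	fmt.Println("short key rejected:", errors.Is(err, ErrKeyTooShort))
}
```

AES-GCM is used here because it provides both confidentiality and integrity: a breach response team can tell from a failed authentication tag that a stored record was altered, not just that it was read, which is the kind of detail a Chapter 93H notice asks for in describing the nature of the breach.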
More Massachusetts Laws
- Massachusetts Recording Laws
- Massachusetts Data Privacy Laws
Sources and References
This article references Massachusetts statutes, regulations, and official government publications. For the full text of 201 CMR 17.00, visit the Massachusetts Office of Consumer Affairs. For Chapter 93H and Chapter 93A, visit the Massachusetts Legislature website. For updates on the Massachusetts Data Privacy Act, see the S.2608 bill page.
This article provides general legal information about Massachusetts biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Massachusetts government sources.
- 201 CMR 17.00: Standards for the Protection of Personal Information (mass.gov)
- Mass. Gen. Laws ch. 93H - Security Breaches (malegislature.gov)
- Chapter 93H Section 1 - Definitions (malegislature.gov)
- Chapter 93H Section 3 - Breach Notification Requirements (malegislature.gov)
- Mass. Gen. Laws ch. 93A - Consumer Protection (malegislature.gov)
- S.2608 - Massachusetts Data Privacy Act (malegislature.gov)
- S.2619 - MDPA (Reprinted with Amendments) (malegislature.gov)
- Fact Sheet: The Massachusetts Data Privacy Act S.2608 (malegislature.gov)
- Senate Passes the Massachusetts Data Privacy Act (malegislature.gov)
- H.63/HD.3053 - Proposed Chapter 93M Biometric Privacy (malegislature.gov)
- The Massachusetts Consumer Protection Law (Chapter 93A) (mass.gov)
- AG Campbell $795,000 Data Security Settlement (mass.gov)