[HN Gopher] Massachusetts bans sale of precise location data in ...
___________________________________________________________________
Massachusetts bans sale of precise location data in new privacy
rights bill
Author : 01-_-
Score : 304 points
Date : 2026-06-08 17:07 UTC (10 hours ago)
(HTM) web link (techcrunch.com)
(TXT) w3m dump (techcrunch.com)
| mc32 wrote:
| This is good and all States should adopt some. Eventually I'd
| like to see one at the federal level that supersedes state level
| ones so that we don't have to deal with the mess that is taxation
| across 50 states. A nice uniform privacy bill at the Fed level
| would be nice.
| yndoendo wrote:
| This seems more symbolic since I don't see where the law has any
| teeth.
|
| There is no fine nor imprisonment for failing to follow the
| law.
| kmeisthax wrote:
| No, we specifically DO NOT want uniformity. We want a minimum
| that states can go beyond.
|
| In the current environment, tech companies have to bribe 50
| states plus the federal legislature in order to block privacy
| bills. If you have federal preemption, then you just have to
| bribe Congress, because states can't pass ANY privacy laws
| whatsoever. And we already know the feds do not want a privacy
| law: the entire legality of the federal surveillance apparatus
| hinges on the fact that buying your data from third parties
| does not trip constitutional scrutiny. Preemption freezes the
| requirements in time so they will always be a few steps behind
| the TLAs[0].
|
| The ideal is that every sovereign entity passes their own
| privacy law that applies to their territory, with a private
| right of action, and adtech companies are forced to adopt a "50
| states legal" posture. This is, deliberately, a ratchet: it's
| easy for any state to require a higher standard but hard to get
| every state to reduce it, so privacy laws cannot be walked back
| in secret.
|
| [0] Three Letter Agencies: CIA, FBI, NSA
| ldoughty wrote:
| Will this have reach and teeth though?
|
| I can imagine loopholes to this... nothing stops facebook/google
| from buying this data from companies not in Massachusetts? and
| facebook/google don't have to give advertisers the location
| information but can still use that information when determining
| the advertisement to return, right? In theory the big silicon
| valley "targets" of this bill don't actually have a huge
| incentive to give this data away, do they? They just need to be
| able to read/access it, which I don't think this law stops?
| Assuming the data broker is not doing business in Massachusetts
| itself
| fultonn wrote:
| _> Will this have reach and teeth though?_
|
| It'll have reach because MA has a long-arm statute and there's
| a rich history of applying that statute in the context of
| Chapter 93.
|
| It'll have teeth but probably not to the effect that you hope.
|
| This statute was written such that only the Attorney General
| can bring action; see Section 10(b). This diverges from a long
| history in the Commonwealth of allowing private individuals to
| bring civil suits for most types of Chapter 93 violations.
|
| As a result, I anticipate that the most impactful change will
| be in the quantity and frequency of political donations to Mass
| AG candidates (and in the case of contested primaries their
| aligned block of candidates up and down ticket).
|
| Consumer protection laws should always provide for a private
| cause of action. Otherwise they just function as a mechanism
| for legalized corruption.
| mindslight wrote:
| I don't disagree with the thrust of your criticism of the
| dynamic (especially long term). But there is a legitimate
| concern that the first test cases to hit the courts need to
| be quite unsympathetic egregious violators rather than
| surveillance dynamics that have been thoroughly normalized
| for decades. If people start bringing private suits against
| neighbors that have deployed Amazon surveillance cameras,
| "credit bureaus", private investigators, big tech
| surveillance companies directly (eg Google, and especially
| with weak legal arguments), it is likely to set some poor
| precedents and create political pushback.
| fultonn wrote:
| Section 2 already limits applicability to persons
| collecting or processing data on not less than 60,000
| consumers, so suits brought against neighbors would be
| (rightfully) dismissed.
|
| The concern about poor precedent stemming from poor cases
| has some rational sense, but we have the benefit of
| experience. Empirically it just hasn't tended to play out
| like that in the case of consumer protection statutes in
| MA. One reason this doesn't happen in practice might be the
| limited bandwidth of the appellate process. The SJC could
| (and likely would) prioritize answering questions about the
| statute in the context of cases brought by the AG.
|
| The longevity of pro-consumer laws in MA provides some good
| empirical data that cuts against the concern about pushback.
| kmeisthax wrote:
| Couldn't this be mitigated by, say, having the private
| right of action not start until a few years into the
| applicability of the law?
| rolph wrote:
| once you allow someone to read data, it has been given away.
|
| even if it's only retained until buffer refresh, it's still given
| away.
|
| if it's read from buffer space and transformed into a persistent
| structure, it's a gift that indefinitely keeps giving.
| ldoughty wrote:
| but if facebook/google are the buyers, they do not violate
| this law... the law seems to focus on the sale & giving of
| this data... not the reception. This means that they just
| need a non-Massachusetts based data broker to sell them the
| data, and then they can store that data to make advertisement
| decisions (so long as they do not forward it along)
| bee_rider wrote:
| The intent of the law is probably to prevent the data from
| being sold*, so if the big Silicon Valley ad companies aren't
| selling it, they are already complying with the law, right? The
| goal isn't to destroy companies that are already not doing the
| thing.
|
| * to the extent to which MA can do that... I mean it's one
| state, so we should judge its accomplishments by that
| standard. One possibility could be that the rest of them get
| their act together, or at least, every state that engineers are
| willing to live in does.
| josefritzishere wrote:
| This is very exciting.
| like_any_other wrote:
| A good first step, but the harm is already done when the data is
| _gathered_. Stalking should be illegal even if you don't sell
| the information you gathered, I don't want Toyota or GM or Google
| knowing where I've been either, not just their "partners", and
| it's long past the time the EULA loophole was closed. Contracts
| exist to serve society, not the other way around.
| john_strinlai wrote:
| still waiting for _any_ of the many existing privacy bills,
| worldwide, to start doing meaningful enforcement.
| Cider9986 wrote:
| We need private right of action. That's the big thing holding
| up the sweeping Mass privacy law. The house supports a private
| right to action and the senate only wants the attorney general
| enforcing the law.
| throwaway85825 wrote:
| California already has a million toothless laws. Anything
| without a private right of action may as well not exist.
| analog31 wrote:
| Indeed, and I think possession of the information should be
| what's actionable.
| post_break wrote:
| Does this include vehicle data? That's a big one. Your new car
| selling you out constantly.
| stronglikedan wrote:
| I've been driving connected cars for a decade and I haven't
| felt sold out yet. What am I missing?
| criddell wrote:
| I bought a car earlier this year and it took about a week
| before I started getting car warranty junk mail for the new
| car.
| cogogo wrote:
| I always thought that is from companies that get their
| hands on registration data. Or I could be wrong and it is
| the dealer itself selling it on not the manufacturer.
| Loughla wrote:
| Pretty sure it's registration data. Anything public is
| now used for junk. We transferred a piece of property
| this year and have been getting constant spam for
| realtors to sell it for us. We bought a used car from an
| individual and started getting spam for warranties once
| we registered it and got plates.
| chaps wrote:
| Are you asking for articles that show how connected car data
| is being sold left and right?
| wmf wrote:
| Tail risk. Only <1% of people get punished by their car's
| data. IMO that's still too much.
| post_break wrote:
| Your driving habits, and everyone around you are impacting
| car insurance for example.
| ezfe wrote:
| This is not straightforwardly true. Many people say that
| Toyota sells their data to insurance companies, but they do
| not unless you *affirmatively* opt in.
|
| If you read the lawsuits and allegations carefully, they
| all say that they were tricked into opting in (NOT that
| they weren't opted in). If you review the setup process you
| see that the claim is outlandish and likely someone else
| did setup for them or they "forgot."
|
| Toyota makes you affirmatively click a "yes" or "no" (or
| maybe it says "Accept" / "Reject" or whatever) for
| Insurance sharing when setting up a profile.
| tencentshill wrote:
| Are you in the US? Currently if you are in the US and not
| native-born, you're at very direct risk. That data is how ICE
| builds their enforcement leads. It's still often wrong, so
| they might break down your door and arrest you at gunpoint
| anyways.
| deathanatos wrote:
| * Massachusetts' RMV AFAICT resells one's data, resulting in
| new car purchasers receiving a huge amount of fraud in their
| mail. It can be difficult to distinguish what is a legitimate
| correspondence from the dealership vs. what isn't, as the
| fraud mail does not clearly identify itself. (And in fact,
| _that's_ the tell.)
|
| * My Subaru runs ads for Sirius XM. (Ad, on the infotainment
| screen. While the car's in motion.) I did not pay for my car
| to run ads, obviously, and obviously that was never mentioned
| by the dealer, ever, before or after purchase.
| danesparza wrote:
| Feels like the word 'sale' may actually turn into a loophole. It
| should have probably been worded to use 'exchange' or 'transfer'
| instead. But this is progress.
| Cider9986 wrote:
| Yeah, we need data minimization. As long as it's collected it
| is a liability for consumers, turn it into a liability for
| businesses to incentivize them to collect as little as possible.
| bobro wrote:
| https://malegislature.gov/Bills/194/S2619/BillHistory
|
| SECTION 1. The General Laws are hereby amended by inserting
| after chapter 93L the following chapter:-
|
| Chapter 93M. Massachusetts Data Privacy Act
|
| Section 1. As used in this chapter, the following words shall
| have the following meanings unless the context otherwise
| requires:
|
| ...
|
| "Sale of personal data", the transfer of personal data in
| exchange for monetary or other valuable consideration by the
| controller to a third party; provided, however, that "sale of
| personal data" shall not include: (i) the disclosure of
| personal data to a processor that processes the personal data
| on behalf of the controller if limited to the purposes of the
| processing; (ii) the disclosure of personal data to a third
| party for purposes of providing a product or service
| affirmatively requested by the consumer; (iii) the disclosure
| or transfer of personal data to an affiliate of the controller;
| (iv) the disclosure of personal data with the consumer's
| affirmative consent, where the consumer affirmatively directs
| the controller to disclose the personal data or intentionally
| uses the controller to interact with a third party; (v) the
| disclosure or transfer of personal data to a third party as an
| asset that is part of a merger, acquisition, bankruptcy or
| other transaction or a proposed merger, acquisition, bankruptcy
| or other transaction, in which the third party assumes control
| of all or part of the controller's assets; or (vi) the
| disclosure of personal data that the consumer: (A)
| intentionally made available to the general public via a
| channel of mass media; and (B) did not restrict to a specific
| audience.
| jboggan wrote:
| California very quietly passed AB-1542 last week which includes
| precise location data, health data, SSNs, etc. I expect many
| states to follow suit.
|
| Related, General Motors got hit with a $12.75M fine for reselling
| OnStar location data last month:
| https://ccpa.world/enforcement/gm-onstar-smart-driver
| yencabulator wrote:
| > I expect many states to follow suit.
|
| More importantly, many companies will follow California rules
| even outside California. My car was built to California
| emissions spec at a time when very few states had stricter
| rules.
|
| (The one major exception seems to be the "sell my data" opt-out
| and such privacy rules, that industry is sleazy enough that
| they'll go through extra trouble to keep screwing over non-CA
| residents.)
| jboggan wrote:
| Well, CT and VT passed their own version of the California
| DROP system last week and there are 5 other states in play
| for the current 2026 legislative sessions. I think it will be
| a slow patchwork for more states to take similar action, but
| it is coming.
|
| I will note that many "data brokers" will just honor non-
| California residents' requests as if they were California
| residents and subject to the CCPA, simply because they would
| rather remove a potentially litigious consumer from their
| databases. Given the relatively low potential revenue for a
| single consumer's data it just doesn't make sense to hold on
| to information for the kind of person who currently goes out
| of their way to make that kind of request.
|
| At the same time, many data brokers do go out of their way to
| deny as many privacy requests as possible. Given that the
| CPPA/CalPrivacy is starting audits very soon I don't see this
| as a winning strategy for them in the long run.
| themafia wrote:
| Watching "The Price is Right" made California a mythical
| place for me as a child in the Midwest. All the cars being
| given away, they were sure to mention, followed "California
| emissions standards!"
|
| No surprise. I ended up moving here.
| nullc wrote:
| The FTC settlement with GM allows GM to sell precise location
| as long as it's anonymized by attaching it to anonymous
| identifiers rather than personal info. It also allows non-
| precise location (e.g. zipcode/census-block) attached to
| identifying information.
|
| Apparently no one at the FTC is smart enough to realize if Bob
| and anonid both move through the same sequence of approximate
| locations that the anonid is Bob. Or maybe they aren't that
| ignorant and just wanted to look like they were doing their job
| while protecting the surveillance status quo.
| throwaway85825 wrote:
| The government measures success in column inches.
| dylan604 wrote:
| Selling anonymized precise location of a car that spends
| ~half the day at a residential location sure will make it
| impossible to de-anonymize that data.
|
| The FTC under this administration that just doesn't care
| about people and only cares about helping corporations.
| gnerd00 wrote:
| it's out of Committee in the House and passed a House vote..
| not done yet
| Cider9986 wrote:
| this is the bill we need to pass in the house instead of them
| trying to age-(identity)gate social media.
|
| (https://epic.org/press-release-massachusetts-senate-unanimou...)
| throwaway85825 wrote:
| Only data that does not exist cannot be misused.
| themafia wrote:
| A moment of high drama in the courtroom:
|
| "Did you notice anything odd about the defendant's vehicle?"
|
| "Yes."
|
| "What was that?"
|
| "He had disabled his GPS and telemetry systems."
| timeninja wrote:
| Massachusetts allows the use of Cellebrite software.
|
| In which case "precise location data" is moot.
| hoppyhoppy2 wrote:
| Sure, if the cops seize your phone from you and try to suck out
| its data, then they clearly already know your precise location.
| But in some situations you would've been able to avoid getting
| your phone sucked out by the cops if they hadn't been able to
| purchase precise location data about where you were in the
| hours/days/weeks leading up to that.
| ezfe wrote:
| What is your point here? That's not what this law is about.
| loeg wrote:
| Does this criminalize Strava?
| markerz wrote:
| If Strava is sharing or reselling users' GPS locations to third
| parties without user consent, yes.
| ezfe wrote:
| Why would it?
| nxy wrote:
| Thank god if this is true! If not and this is just a "coverup"..
| Wouldn't be the first time.
| m463 wrote:
| later in the article it said not only selling, but sharing.
|
| important because "sharing" is much more prevalent than "selling"
| data.
|
| that said, I wonder how "precise location", and
| statistics/algorithms will combine?
|
| for example, what if someone moves from zipcode 1 to zipcode 2?
| would that work out to a more precise position?
___________________________________________________________________
(page generated 2026-06-09 04:01 UTC)