[ldoughty]

Will this have reach and teeth though?

I can imagine loopholes to this... nothing stops facebook/google from buying this data from companies not in Massachusetts? and facebook/google don't have to give advertisers the location information but can still use that information when determining the advertisement to return, right? In theory the big silicon valley "targets" of this bill don't actually have a huge incentive to give this data away, do they? They just need to be able to read/access it, which I don't think this law stops? Assuming the data broker is not doing business in Massachusetts itself

[fultonn]

> Will this have reach and teeth though?

It'll have reach because MA has a long-arm statute and there's a rich history of applying that statute in the context of Chapter 93.

It'll have teeth but probably not to the effect that you hope.

This statute was written such that only the Attorney General can bring action; see Section 10(b). This diverges from a long history in the Commonwealth of allowing private individuals to bring civil suits for most types of Chapter 93 violations.

As a result, I anticipate that the most impactful change will be in the quantity and frequency of political donations to Mass AG candidates (and in the case of contested primaries their aligned block of candidates up and down ticket).

Consumer protection laws should always provide for a private cause of action. Otherwise they just function as a mechanism for legalized corruption.

[mindslight]

I don't disagree with the thrust of your criticism of the dynamic (especially long term). But there is a legitimate concern that the first test cases to hit the courts need to be quite unsympathetic egregious violators rather than surveillance dynamics that have been thoroughly normalized for decades. If people start bringing private suits against neighbors that have deployed Amazon surveillance cameras, "credit bureaus", private investigators, big tech surveillance companies directly (eg Google, and especially with weak legal arguments), it is likely to set some poor precedents and create political pushback.

[fultonn]

Section 2 already limits applicability to persons collecting or processing data on not less than 60,000 consumers, so suits brought against neighbors would be (rightfully) dismissed.

The concern about poor precedent stemming from poor cases has some rational sense, but we have the benefit of experience. Empirically it just hasn't tended to play out like that in the case of consumer protection statutes in MA. One reason this doesn't happen in practice might be the limited bandwidth of the appellate process. The SJC could (and likely would) prioritize answering questions about the statute in the context of cases brought by the AG.

The longevity pro-consumer laws in MA provides some good empirical data that cuts against the concern about push-back.

[mindslight]

I'll admit my examples were pretty weak.

What I see is this bill, while a fantastic development, is still just addressing the tip of an iceberg on an industry that has been festering for many decades now (I mean, the "Fair" Credit Reporting Act - aka regulatory capture by the early digital surveillance industry - was passed in 1970). So "pushback" doesn't necessarily mean this law being undone, but rather it ending up as the full amount of privacy we can expect rather than first step of a hopeful trend.

For example look at how many more rights the GDPR grants. If a GDPR-analog were on the table in the US, the entire surveillance industry would balk. And these days the surveillance industry is basically the bulk of our "economy" (ie stock market valuations). And given the way "our" government works, I wouldn't be terribly hopeful about the individual liberty side prevailing over entrenched interests. Which is why I'm making an argument for more of a gradual shift.

Now having said that, perhaps it makes more sense for each bit of legislation to bite off fewer rights (as I'd say this legislation does), while including a private right of action so that the rights it does grant are maximally enforced. Having glaring violations of the law-as-written just sit there unaddressed is certainly its own powerful momentum-killer.

[kmeisthax]

Couldn't this be mitigated by, say, having the private right of action not start until a few years into the applicability of the law?

[rolph]

once you allow someone to read data, it has been given away.

even if its only retained until buffer refresh, its still given away.

if its read frombuffer space and transformed into a persistent structure, its a gift that indefinately keeps giving.

[ldoughty]

but if facebook/google are the buyers, they do not violate this law... the law seems to focus on the sale & giving of this data... not the reception. This means that they just need a non-Massachusetts based data broker to sell them the data, and then they can store that data to make advertisement decisions (so long as they do not forward it along)

[bee_rider]

The intent of the law is probably to prevent the data from being sold*, so if the big Silicon Valley ad companies aren’t selling it, they are already complying with the law, right? The goal isn’t to destroy companies that are already not doing the thing.

* to the extent to which MA can do that… I mean it’s one state, so we should judge it’s accomplishments by that standard. One possibility could be that the rest of them get their act together, or at least, every state that engineers are willing to live in does.