Reggi is the free generative AI assistant for regulatory compliance
Can I ensure that my company is compliant with expanding privacy protections in Massachusetts? What are the requirements?
Massachusetts Privacy Protections Compliance Requirements
To ensure compliance with expanding privacy protections in Massachusetts, companies must adhere to the following requirements:
- Registration Requirements: Any person that owns or licenses personal information about a resident of Massachusetts must register with the Department of Labor Standards and be granted a certificate of registration. The regulations shall be designed to safeguard the personal information of residents of the Commonwealth and shall be consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person is regulated. The objectives of the regulations shall be to insure the security and confidentiality of customer information in a manner fully consistent with industry standards; protect against anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer. [1.2][5.1]
- Record-keeping Requirements: Professional Employer Organizations (PEOs) must maintain records and materials related to the commencement, termination, or administration of PEO services rendered, client records provided to the PEO for the administration of PEO services, and financial records relating to a PEO agreement, PEO services, or a PEO relationship. These records must be retained for three years after the termination of the PEO agreement or the covered employee’s employment with the client, whichever occurs first. In any cause of action brought by an employee where the PEO has been notified thereof in any administrative or judicial proceeding, such PEO shall retain records required to be kept under 454 CMR 30.13(2) that are relevant to such action until the final disposition thereof. [1.1]
- Invasion of Personal Privacy: Agencies must consider whether disclosure of personal data will constitute an invasion of personal privacy. Disclosure without the consent of the data subject in the following situations is usually not an invasion of personal privacy unless the disclosure would clearly violate standards of ordinary decency: (a) Disclosure of routine correspondence including without limitation applications for benefits under government programs; (b) Disclosure of complaints where disclosure is accompanied by a statement as to whether any findings have been made on the complaint and what those findings are. Disclosure without the consent of the data subject which is not authorized by statute or regulation in the following situation usually is an invasion of personal privacy: (a) Disclosure of the resume of or evaluative materials on an applicant for employment. [3.1]
- Application Requirements for PEOs: Any person providing professional employer services or soliciting clients, or advertising such services in the Commonwealth shall submit to the department a completed application for PEO registration, pay the required registration fee and provide all required information on a form prescribed by the director. Applicants applying for an initial PEO Registration shall submit the following information with their initial application: the name or names under which the PEO conducts business or will conduct business, the address of the principal place of business of the PEO and the address of each office it maintains in the Commonwealth, all mailing addresses of the PEO, a statement of ownership, the taxpayer or employer identification number of the PEO, a list by jurisdiction of each name under which the PEO has operated in the preceding five years, a statement of management, a financial statement setting forth the financial condition of the PEO or PEO group, a list of clients, and such other information as the director may reasonably require. Each PEO or collectively each PEO group shall maintain positive working capital necessary to meet its financial obligations to provide professional employer services, and shall submit a surety bond in the amount of $250,000 payable to “The people of the Commonwealth” along with the initial application for registration and filed with the Department of Labor Standards. [1.3]
- Public Disclosure: The department shall, on an annual basis, make available to the public on its website at a list of businesses who have received a certificate of registration for the operation of a PEO pursuant to 454 CMR 30.10. Such lists shall contain, at a minimum, the name which has been registered, the PEO’s address, telephone number, and the registration number assigned by the department. Additionally, if the department or the Office of the Attorney General takes any action against anyone operating a PEO, or against any client employer subject to 454 CMR 30.00, then the action and any penalty imposed may be disclosed to the public. [1.4]
Therefore, to ensure compliance with expanding privacy protections in Massachusetts, companies must register with the Department of Labor Standards, maintain proper record-keeping, consider whether disclosure of personal data will constitute an invasion of personal privacy, adhere to application requirements for PEOs, and ensure that the allocation of rights, duties, and obligations under a professional employer agreement does not obligate a PEO to be licensed, certified, or registered in any profession requiring such credentials.
Source(s):
- [1.1] Record-keeping Requirements
- [1.2] Registration Requirements
- [3.1] Invasion of Personal Privacy: General Rule
- [1.3] Application Requirements for PEOs
- [5.1] Regulations to safeguard personal information of commonwealth residents
- [1.4] Public Disclosure
Jurisdiction
Massachusetts