Can I sell personal information without obtaining consent in Massachusetts? What are the requirements?
Based on the context documents, it is not legal to sell personal information without obtaining consent in Massachusetts. The following requirements must be met to protect personal information:
Requirements for Protecting Personal Information
- Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to ([3.1]):
  - the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program;
  - the amount of resources available to such person;
  - the amount of stored data; and
  - the need for security and confidentiality of both consumer and employee information.
- The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated ([3.1]).
- A Holder shall not collect or maintain more personal data than reasonably necessary for the performance of the holder’s legally authorized functions ([2.2]).
- A Holder shall not allow any individual, agency, or entity not employed by the Holder or under contract or agreement with the Holder to have access to personal data unless such access is authorized by statute or by regulations which are consistent with the purposes of M.G.L. c. 66A; or approved by the data subject, unless the data subject is not entitled to access ([2.2]).
- A Holder shall permit authorized employees of the Department to have access to personal data for the performance of legally authorized duties and responsibilities and shall disseminate personal data to the Department upon its request ([2.2]).
- Any Holder served with a subpoena or other judicial or administrative order directing it to disclose a data subject’s personal data shall, unless otherwise prohibited by law or judicial order, immediately give notice to the data subject. Such notice, where possible, shall include a copy of the subpoena or order, except where the data subject himself requests the order or is otherwise obviously aware of its existence. The holder, wherever legally and practically possible, shall allow the data subject adequate time to attempt to secure a court order to quash the subpoena or order ([2.2]).
- The Attorney General shall develop, implement, maintain, and monitor a Written Information Security Program (WISP) designed to safeguard the personal information of residents of the commonwealth contained in the records of the Attorney General. The Attorney General’s WISP shall be separate from 940 CMR 27.00 in order to facilitate periodic review and updating of the program. Like 940 CMR 27.00, the WISP shall be read consistently with the safeguards for protection of personal information of a similar character set forth in other state or federal laws and regulations applicable to the AGO and already in place, including but not limited to the Fair Information Practices Act, M.G.L. c. 66A, § 1; the Criminal Offender Record Information Act, M.G.L. c. 6, § 172, et seq.; and 940 CMR 11.00. The Attorney General’s WISP shall be available for public inspection, except to ([5.1]).
Therefore, it is important to obtain written consent from individuals before collecting and using their personal information. The written consent should include an explanation of how the requested data will be used and held, the identity of persons, entities or agencies who will receive or hold the data, and an assurance that all holders will keep the data confidential. The consent should also offer to answer any inquiries concerning the data, indicating the data subject’s right to object in accordance with 760 CMR 8.05, and any legal requirements to provide the requested data and any legal or administrative consequences arising from a decision to withhold the data [2.1].
In summary, selling personal information without obtaining consent is not legal in Massachusetts. Written consent must be obtained from individuals before collecting and using their personal information. The consent should include an explanation of how the requested data will be used and held, the identity of persons, entities or agencies who will receive or hold the data, and an assurance that all holders will keep the data confidential.
Source(s):
- [2.1] Informed Consent
- [3.1] Duty to Protect and Standards for Protecting Personal Information
- [2.2] Collection and Maintenance of Personal Data
- [5.1] Written Information Security Program
Jurisdiction
Massachusetts