Can I use third-party customer service tools that collect personal information in Massachusetts? What are the requirements?
Use of Third-Party Customer Service Tools in Massachusetts
Under 760 CMR 8.03, a holder shall not collect or maintain more personal data than reasonably necessary for the performance of the holder’s legally authorized functions. Additionally, a holder shall not allow any individual, agency, or entity not employed by the holder or under contract or agreement with the holder to have access to personal data unless such access is authorized by statute or by regulations which are consistent with the purposes of M.G.L. c. 66A.
Therefore, if a third-party customer service tool is collecting personal information, the holder must ensure that the tool is collecting only the necessary personal data required for the holder’s legally authorized functions. Additionally, the holder must ensure that the third-party tool is authorized to access personal data as per the regulations set forth in M.G.L. c. 66A.
Requirements for Collecting and Maintaining Personal Data
Under 760 CMR 8.03, each LHA and LRA shall designate one individual to serve as the officer immediately responsible for the privacy, confidentiality, and security of personal data consistent with M.G.L. c. 66A. A holder shall not collect or maintain more personal data than reasonably necessary for the performance of the holder’s legally authorized functions.
Therefore, if a third-party customer service tool is collecting personal information, the holder must ensure that the tool is collecting only the necessary personal data required for the holder’s legally authorized functions. Additionally, the holder must designate an individual responsible for the privacy, confidentiality, and security of personal data.
Duty to Protect and Standards for Protecting Personal Information
Under 201 CMR 17.03, every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size, scope, and type of business of the person obligated to safeguard the personal information under such comprehensive information security program. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.
Therefore, if a holder is using a third-party customer service tool that collects personal information, the holder must ensure that the tool is collecting only the necessary personal data required for the holder’s legally authorized functions. Additionally, the holder must develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate to the size, scope, and type of business of the person obligated to safeguard the personal information under such comprehensive information security program.
Conclusion
Under the regulations cited above, if a holder is using a third-party customer service tool that collects personal information, the holder must ensure that the tool is collecting only the necessary personal data required for the holder’s legally authorized functions. Additionally, the holder must designate an individual responsible for the privacy, confidentiality, and security of personal data and develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate to the size, scope, and type of business of the person obligated to safeguard the personal information under such comprehensive information security program.
Jurisdiction
Massachusetts