Can I use third-party email marketing tools that collect personal information in Massachusetts? What are the requirements?

Using Third-Party Email Marketing Tools in Massachusetts

Yes, you can use third-party email marketing tools that collect personal information in Massachusetts, but you must comply with the state’s data protection laws.

According to MGL Chapter 93H, Section 2, any person that owns or licenses personal information about a resident of the commonwealth must adopt regulations designed to safeguard the personal information of residents of the commonwealth and consistent with the safeguards for protection of personal information set forth in the federal regulations by which the person may be regulated.

Additionally, MGL Chapter 93I, Section 2 requires that any agency or person disposing of personal information may contract with a third party to dispose of personal information in accordance with this chapter. Any third party hired to dispose of material containing personal information shall implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of personal information.

Therefore, if you are using a third-party email marketing tool that collects personal information, you must ensure that the third party implements and monitors compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of personal information. You must also adopt regulations designed to safeguard the personal information of residents of the commonwealth and consistent with the safeguards for protection of personal information set forth in the federal regulations by which you may be regulated.

Additional Requirements

In addition to the above requirements, you must also comply with the following regulations:

• According to 201 CMR 17.03, every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to the size, scope, and type of business of the person obligated to safeguard the personal information under such comprehensive information security program. The safeguards contained in such program must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.
• According to MGL Chapter 159C, Section 5, if you obtain the name, residential address, or telephone number of a consumer from published telephone directories or from any other source and republish or compile such information, electronically or otherwise, and sell or offer to sell such publication or compilation to telephone solicitors for marketing or sales solicitation purposes, you must exclude from any such publication or compilation and from any database used exclusively for marketing or sales solicitation purposes, the name, address, and telephone number of a consumer whose name and telephone number appears in the then current quarterly no sales solicitation calls listing made available by the office under section 2.
• According to 207 CMR 13.03, if you use third-party verification calls to authorize a change in carrier or service, you must confirm appropriate verification data, identify the TPV agent and company, and maintain audio recordings of the call. You must also comply with other requirements listed in 207 CMR 13.03.

In summary, if you are using third-party email marketing tools that collect personal information in Massachusetts, you must ensure that the third party implements and monitors compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of personal information. You must also adopt regulations designed to safeguard the personal information of residents of the commonwealth and consistent with the safeguards for protection of personal information set forth in the federal regulations by which you may be regulated. Additionally, you must comply with the regulations listed above.

Jurisdiction

Massachusetts

• Privacy