Almost every comprehensive state privacy law in the United States — Virginia, Colorado, Connecticut, Texas, and the dozen that followed their template — shares one quiet design choice that businesses have come to rely on: enforcement runs through the Attorney General only. No private lawsuits. No class actions. No plaintiffs' bar turning every technical violation into litigation. California is the lone partial exception, and even there the private right of action is confined to data breaches.
Massachusetts just broke that consensus.
On June 4, 2026, the Massachusetts House of Representatives passed the Massachusetts Consumer Data Privacy Act by a vote of 146-0 — unanimous. The bill (advanced as S-2619 / H.4746) is not another Virginia clone. It carries two provisions that the rest of the comprehensive-law landscape has deliberately kept out: a genuine data-minimization mandate and a private right of action against large data holders. The Senate passed its own version 40-0 in September 2025; the two chambers now head to a conference committee to reconcile, and the unanimous votes on both sides signal this is very likely to become law.
For any business holding data on Massachusetts residents at scale, this is the most consequential state privacy development of the year — not because the rights it grants are novel, but because of who gets to enforce them.
The private right of action: the provision that changes the risk calculus
Here is the structure. The Attorney General retains exclusive enforcement authority over all entities subject to the law. But on top of that, individual consumers receive a private right of action against large data holders — the biggest companies, those processing data on substantial numbers of residents.
That bifurcation is deliberate and important. Small and mid-size businesses face AG enforcement, as they would under any other state law. But the largest data holders — the platforms, brokers, and national brands that hold the most data and create the most concentrated risk — also face the prospect of consumer litigation, including the class-action exposure that comes with it.
Why does this matter so much? Because AG enforcement is discretionary and resource-constrained. A state attorney general's privacy unit brings a handful of cases a year and picks them carefully. A private right of action removes that bottleneck entirely. Every large data holder's compliance posture becomes potentially testable by any affected consumer and the plaintiffs' bar standing behind them. The deterrent shifts from "will the AG notice us?" to "can a plaintiff plead a violation?" That is a categorically different compliance environment, and it is exactly the one that the industry lobbied to keep out of every other state law.
The bill also grants the Attorney General rulemaking authority to adapt requirements as technology changes — meaning the obligations are not frozen at enactment but will evolve.
Data minimization: collection must be proportionate, and deletion is mandatory
The second mold-breaking feature is the data-minimization requirement, and Massachusetts wrote it as a substantive constraint rather than a vague aspiration.
Under the bill, personal data collection must be proportionate to providing the service the consumer actually requested, and data must be protected and deleted when it is no longer necessary or required to be kept by law. During floor debate, the House amended the data-minimization section to spell out the factors a controller must weigh:
- The personal data reasonably necessary to achieve the collection purpose
- The impact on consumers of the collection
- The relationship and context in which the data is collected
- The existence of safeguards such as encryption
This is a meaningful departure from the dominant state-law model, which generally lets businesses collect whatever they disclose in a privacy notice and obtain consent for. Massachusetts inverts the default: the question is not "did you disclose it?" but "did you actually need it?" Collection that exceeds what the service requires is a violation on its face — and, for large data holders, a privately actionable one.
The rights and bans consumers get
Layered on top of the two headline features is a familiar but robust set of consumer protections:
- Access personal information
- Correct inaccurate data
- Delete certain information
- Portability — transport personal data
- Opt out of targeted advertising
- A prohibition on targeted advertising to anyone under 18
- A blanket ban on the sale of precise geolocation data
- A requirement of explicit affirmative consent before selling any sensitive data — biometric, genetic, health, reproductive, location, or government identifiers
The geolocation ban deserves emphasis. A flat prohibition on selling precise location data — not an opt-out, a ban — strikes directly at the location-data brokerage industry, which has been the subject of escalating FTC enforcement and is the reason this law has drawn outsized attention from large technology companies.
Applicability: built around large data holders
The private-action exposure attaches to large data holders, and the bill's scope is anchored to companies that control or process personal data on at least 100,000 consumers. That threshold is the dividing line: cross it, and you are not only subject to AG enforcement but exposed to consumer litigation and the full weight of the data-minimization and sensitive-data rules.
For national businesses, 100,000 Massachusetts residents is not a high bar. Any consumer brand, platform, retailer, or service with meaningful penetration in the state will clear it.
Why the rest of the country is watching
The reason this matters far beyond New England is the precedent risk. For five years, industry's central achievement in the state-privacy wave has been keeping the private right of action out. Every Virginia-model law that passed reinforced the norm that comprehensive privacy means AG-only enforcement. A unanimous, bipartisan 146-0 vote in a major state for a law that includes both a private right of action and hard data minimization shatters that norm and hands a template to every other legislature where privacy advocates have been pushing for one.
If Massachusetts enacts this, expect the model to be introduced in California amendments, in New York, in Washington, and in the progressive-leaning legislatures that have so far accepted the weaker AG-only framework only because nothing stronger was on the table. The Overton window on state privacy enforcement just moved.
It also compounds a year already defined by aggressive enforcement. California's privacy regulators have been setting settlement records — a $2.75 million CCPA settlement with Disney entities in February 2026, the largest to date — and twenty states now have comprehensive laws live. Add private litigation in Massachusetts to that backdrop and the cost of a sloppy data practice is no longer a discretionary regulator's attention; it is a standing invitation to be sued.
What to do now
The conference committee has not finalized the text, and the exact contours of the private right of action could shift. But the direction is set, and the prudent posture is to prepare for the strong version:
- Identify whether you are a large data holder. If you control or process data on 100,000+ Massachusetts residents, assume you are exposed to private litigation and prioritize accordingly.
- Conduct a data-minimization review now. Inventory what you collect against what each service actually requires. Anything you cannot tie to a requested service is litigation exposure under the proportionality standard. Build and document deletion schedules.
- Stop selling precise geolocation, full stop. A flat ban means an opt-out mechanism will not save you. Find every location-data flow and terminate the sale path.
- Gate sensitive-data sales behind affirmative consent. Biometric, genetic, health, reproductive, location, and government-identifier data cannot be sold without explicit opt-in.
- Pull targeted advertising for minors. The under-18 prohibition is categorical; age-assurance and ad-targeting suppression need to be in place.
- Document everything. In a private-right-of-action regime, your contemporaneous compliance record is the difference between a dismissed complaint and a certified class.
The defining feature of the U.S. state privacy patchwork has been that businesses, not plaintiffs, set the pace of enforcement. Massachusetts is the first comprehensive law poised to take that lever away from the largest data holders — and a unanimous vote suggests it will not be the last.
This article is provided for informational purposes only and does not constitute legal advice.