Beginning March 1 of 2010, there will be a new paradigm shift in data security requirements for many online businesses. This is because the Massachusetts legislature has enacted the strictest, and most far-reaching data security regulations for any person or business that owns or licenses “personal information” of a Massachusetts resident. Even California business owners should pay close attention to the data security laws of other states, because as your business grows and it begins to operate on a nation-wide or even world-wide level, the laws of far-away jurisdictions can apply to your operations.
Complying with state law, by contrast, can be mind-numbingly confusing because your nation-wide online business must comply with 50 separate statutory schemes. The easiest solution for many businesses is to identify the state with the strictest privacy laws, and make sure to abide by those laws. Beginning March 1, 2010, that state will be Massachusetts when 201 CMR 17.00 goes into effect.