Massachusetts — No Specific AI Law (Multiple Bills Pending — Monitor Closely): AI Compliance Requirements

Massachusetts 201 CMR 17.00 requires a written "comprehensive information security program" (CISP) for any business that holds personal information of Massachusetts residents. If your AI systems process MA residents' personal information, your CISP must cover: AI system access controls, data encryption for training data and model outputs, vendor oversight for AI SaaS tools, and incident response procedures covering AI-generated data breaches. This is one of the strongest state data security obligations in the US and is actively enforced.

Federal laws apply: FTC Act § 5 (deceptive/unfair AI practices), Title VII / ADA (AI must not discriminate in employment), FCRA (AI credit decisions require adverse action notices), COPPA (AI systems processing children under 13 require parental consent). Massachusetts AG has used Chapter 93A (Consumer Protection Act) to pursue algorithmic discrimination and deceptive AI claims — ensure your AI disclosures are honest and your AI outputs do not discriminate on protected characteristics.

Massachusetts is among the most active states for AI regulation. Monitor malegislature.gov for: the Massachusetts Consumer Privacy Act (MCPA) — would add automated decision-making opt-out rights; the AI Accountability Act — mandatory impact assessments; and AI-generated content disclosure requirements. The Massachusetts AG's office has publicly stated that Chapter 93A applies to deceptive or discriminatory AI practices. Check malegislature.gov and mass.gov/ago for updates.