• by Wendy Davis  @wendyndavis, December 4, 2018

A proposed data breach law in Massachusetts would post an “unnecessary and costly burden on companies,” the Association of National Advertisers says in a letter to state lawmakers.

The current version of the bill would require companies to notify consumers about data breaches even without a “significant risk of identity theft or fraud,” the ANA says.

The bill also requires “rolling” notifications that, according to the ANA, could require “continued, repetitive notifications into the future.”

The organization says it is opposing the bill, unless it is amended to narrow the requirements about when consumers must be notified of breaches.

The ANA argues in a letter to Massachusetts Senate President Karen Spilka that the current, broad requirement for notices in situations where consumers aren't at risk of identity theft or other harms will result in “unnecessary and repetitive notifications ... that will cause Massachusetts residents to ignore all notifications over time, ultimately putting them at greater risk.”

The bill's notification provisions would also “severely impact companies with increased class action litigation risk from consumers that will not suffer a negative impact from a non-harmful breach,” the ANA writes.

“This is a clear example where the response to data security concerns substantially increases problems rather than solves them,” ANA Executive Vice President Dan Jaffe wrote Tuesday on the group's website. “This bill would have severe and negative consequences for advertisers and marketers.”

The bill was introduced last September, at around the same time that Equifax disclosed details of a security breach affecting more than 100 million people.

That incident helped the Massachusetts measure gain momentum, and also spurred new initiatives in other states. Earlier this year, Vermont passed a law requiring data brokers to notify state residents about security breaches, and to disclose whether they allow consumers to opt out of having their information collected, stored or sold. That law also prohibits data brokers from charging customers to place a freeze on their accounts.