Table of Contents >> Show >> Hide
- What Changed in Massachusetts?
- Why P.L. 86-272 Still Matters
- What the Revised MTC Guidance Tried to Do
- How Massachusetts Adopted the Idea Without Copying the Whole Playbook
- Why the Cookie Example Is Such a Big Deal
- Practical Examples Businesses Should Think About
- What Multistate Businesses Should Do Next
- The Broader Legal and Policy Fight
- Real-World Experiences and Lessons From the Field
- Conclusion
State tax headlines are not usually famous for their sparkle. They are more known for sounding like someone spilled alphabet soup onto a legal pad. But the Massachusetts Department of Revenue’s latest move deserves attention, especially for online retailers, manufacturers, and multistate tax teams that have long relied on Public Law 86-272 as a trusty shield against state income taxes.
In plain English, Massachusetts has taken a modern, internet-era view of what counts as protected activity under P.L. 86-272. The Commonwealth did not copy every word of the Multistate Tax Commission’s revised guidance, but it clearly borrowed the central idea: some online activity goes beyond mere solicitation of sales. And once a business steps beyond solicitation, the old federal shield can crack.
That matters because P.L. 86-272 has been one of the most important federal limits on state corporate income taxation for decades. It was built for a world of traveling salespeople, sample kits, and paper order forms. Today’s world has cookies, chatbots, analytics, remote upgrades, marketplace fulfillment, and websites that do much more than smile politely and take orders. Massachusetts is effectively saying that the modern storefront can create modern tax exposure.
For tax departments, this is not just an academic SALT debate. It changes how businesses should review their websites, customer data practices, nexus positions, and filing obligations in Massachusetts. For companies selling tangible personal property into the state, the issue is no longer only whether they have boots on the ground. It is also whether their digital footprint is doing more than asking for the sale.
What Changed in Massachusetts?
Massachusetts amended its corporate nexus regulation, 830 CMR 63.39.1, effective October 10, 2025. The revised rule addresses internet-based activities in the context of P.L. 86-272 and adds a pointed example of conduct that the Commonwealth treats as unprotected. Specifically, the regulation says that a vendor may engage in in-state activity through an internet website accessible by people in Massachusetts when that activity is not entirely ancillary to the solicitation of orders.
The star of the show, or villain depending on your point of view, is the internet cookie example. Massachusetts identifies the placement of cookies on in-state customers’ computers or devices as problematic when those cookies gather search or customer information used to adjust production schedules, manage inventory, develop new products, or identify new items to offer for sale. In other words, if the website is doubling as a business intelligence machine, the Commonwealth views that activity as doing more than merely soliciting orders.
This is a major development because Massachusetts did not just say, “We see your website.” It said, “We see what your website is doing with the data.” That distinction is everything. Static content is one thing. A data-harvesting, decision-driving system is another.
Just as important, Massachusetts did not adopt the entire MTC catalog of internet examples word for word. Instead, it chose a narrower route and inserted one example into its regulation. That means the state embraced the theory behind the revised MTC guidance without importing every scenario into black-letter Massachusetts text. Think of it as a partial adoption with full attitude.
Why P.L. 86-272 Still Matters
A Quick Refresher
P.L. 86-272 is a federal statute enacted in 1959. It generally prevents a state from imposing a net income tax on a business if the business’s only in-state activity is soliciting orders for sales of tangible personal property, with those orders approved outside the state and fulfilled from outside the state. For decades, businesses have used this law to avoid income-tax filing obligations in states where their activity was limited to solicitation.
There are two phrases in that rule that do most of the heavy lifting: soliciting orders and tangible personal property. The protection is narrow. It does not broadly immunize all remote sellers from all taxes. It is aimed at income taxes, not every business tax under the sun. It also does not help much if the company sells services, licenses intangibles, streams content, or otherwise steps outside the sale of tangible goods.
Massachusetts has long recognized that point. If a corporation sells services or licenses intangible property, P.L. 86-272 is not the hero of that movie. It also remains possible in Massachusetts for a business protected from the income measure of the corporate excise to still face the non-income measure of the excise. So even before the 2025 amendment, the Commonwealth was not exactly rolling out a red carpet for broad immunity claims.
The real fight has always been about the edges of the word solicitation. Courts have said protected solicitation includes not only direct requests for orders, but also activities that are entirely ancillary to those requests. If an activity has an independent business function apart from getting the order, the protection starts to wobble. That principle was manageable when the question was whether a salesperson checked inventory or handled complaints in person. It gets much trickier when the “salesperson” is a website doing six jobs at once.
What the Revised MTC Guidance Tried to Do
The Multistate Tax Commission revised its Statement on P.L. 86-272 in 2021 to address business activity conducted via the internet. The MTC took the position that internet sellers should be analyzed under the same basic principles as traditional sellers, but with a modern twist: when a business interacts with customers through a website or app, that interaction can count as business activity in the customer’s state.
The MTC included a series of examples. Some remain protected, such as a website that merely posts static text or photos, or a website that uses cookies only for functions entirely ancillary to solicitation, like remembering items in a shopping cart during a current session or storing basic customer information to streamline ordering. Other examples are treated as unprotected, including interactive post-sale assistance through chat or email, online credit card applications, recruiting employees through the website, remote upgrades or repairs, selling extended warranties, and data-gathering cookies used for operational or product-development purposes.
That 2021 revision immediately became controversial. Supporters argued it simply applied old legal principles to new technology. Critics argued the MTC was effectively rewriting federal law for the internet era without Congress doing the rewriting itself. Either way, the guidance became a roadmap for states looking to tighten P.L. 86-272 positions.
How Massachusetts Adopted the Idea Without Copying the Whole Playbook
Massachusetts is noteworthy because it did not go all in on the full eleven-example MTC internet section. Instead, it adopted the core concept through one example in its nexus regulation. That makes the Massachusetts approach narrower in text but still meaningful in practice.
Why? Because the chosen example is not minor. It targets exactly the type of digital activity many retailers and product sellers perform every day. If a business uses website cookies to capture customer search behavior and then uses that information to make operational decisions, Massachusetts treats that activity as going beyond solicitation. That can remove P.L. 86-272 protection for purposes of the income measure of the corporate excise.
Then the Commonwealth’s broader nexus framework comes back into play. Massachusetts has a receipts-based nexus threshold under which out-of-state corporations with more than $500,000 of Massachusetts receipts can be subject to its corporate excise rules. So the practical question for many businesses is no longer simply, “Do we sell into Massachusetts?” It is, “Do we sell enough into Massachusetts, and does our website do anything that Massachusetts thinks is not ancillary?”
That is a much sharper question, and one that requires real technical review rather than wishful thinking and crossed fingers.
Why the Cookie Example Is Such a Big Deal
Cookies are tiny pieces of code, but in tax law they now carry heavyweight consequences. Massachusetts is drawing a line between cookies used to facilitate the ordering process and cookies used for broader business functions. If a cookie simply remembers what was placed in a cart, stores shipping preferences, or helps a customer avoid retyping information, that looks more like solicitation support. If the cookie gathers data used to plan inventory, tweak production, design products, or identify new sales opportunities, that looks more like business management.
The distinction may seem subtle, but it is legally significant. P.L. 86-272 protects solicitation and activities entirely ancillary to solicitation. It does not protect activities with an independent business purpose. Analytics that shape inventory strategy or product development have their own business function, whether or not they eventually help boost sales. That is precisely why Massachusetts focused on this example.
And here is where many businesses may get surprised: the tax team may not even know the full extent of what the marketing, e-commerce, product, or third-party platform teams are doing. A remote seller may believe it is “just taking online orders” when, in reality, the website stack is collecting behavioral data, feeding dashboards, triggering targeted offers, and guiding inventory planning. In tax terms, that can be the difference between protected and unprotected activity.
Practical Examples Businesses Should Think About
Example 1: The Basic Catalog Site
A company sells kitchen gadgets online. Its website displays products, descriptions, prices, shipping options, and a checkout page. It uses simple session cookies to keep items in the shopping cart and preserve customer login information. That profile is closer to protected activity, assuming the company is not doing more in Massachusetts.
Example 2: The Smart Retailer With Deep Analytics
Another company sells home fitness equipment. Its site tracks searches by Massachusetts users, studies abandoned cart patterns, and feeds that data into inventory planning and new product recommendations. That is the kind of activity Massachusetts now flags as unprotected. The website is not only asking for orders; it is helping run the business.
Example 3: Post-Sale Support Through Live Chat
A seller offers live chat to help Massachusetts customers troubleshoot products after delivery. That example appears in the broader MTC framework as unprotected. Massachusetts did not write that specific scenario into its rule, but businesses should not assume the Commonwealth would look kindly on it. Once the website starts performing post-sale service functions, the argument for protection gets much weaker.
Example 4: Service and Digital Offerings
If a company sells software subscriptions, digital access, streaming content, warranties, or other services, P.L. 86-272 usually is not the right umbrella anyway. Massachusetts and other states have consistently treated service and intangible-related activity differently. Businesses in those categories should not read the Massachusetts update and think, “Great, only my cookies matter.” In many cases, the tax question is already bigger than cookies.
What Multistate Businesses Should Do Next
First, review the website as a tax asset, not just a sales tool. That means sitting down with e-commerce, IT, marketing, product, and privacy teams to identify exactly what cookies, scripts, tags, and embedded tools are active. Ask what data is collected, where it flows, and how it is used. If the answer is, “We think it helps optimize the business,” congratulations, you have found the part tax cares about.
Second, map those digital activities against state nexus positions. Massachusetts matters, but it is not alone. Other states have adopted or proposed similar interpretations, and litigation is still shaping the boundaries. A company that loses P.L. 86-272 protection in one state may have exposure in several others.
Third, document what remains protected. If certain website tools are used solely to facilitate ordering and have no independent business purpose, businesses should be prepared to support that position with facts. The difference between an ancillary cookie and an operational analytics cookie is not always obvious from a vendor’s marketing brochure.
Fourth, model the downstream impact. Losing P.L. 86-272 protection can mean more than one extra return. It can affect apportionment, group filing analysis, estimated tax obligations, reserve questions, audit exposure, and historical risk assessments. State tax problems have a charming tendency to start as a footnote and end as a spreadsheet the size of a small canoe.
The Broader Legal and Policy Fight
Massachusetts did not make this move in isolation. Across the country, states and taxpayers are fighting over how far P.L. 86-272 stretches in the digital economy. California’s administrative guidance was struck down in state court on procedural grounds. New York’s internet-activity regulation was upheld in 2025, though the court rejected retroactive application. New Jersey adopted its own regulation, and New York City proposed rules moving in the same direction.
That mixed landscape tells us two things. First, the trend line is unmistakable: states want a narrower reading of federal protection when websites perform meaningful business functions. Second, the litigation is far from over. Taxpayers continue to argue that agencies and commissions are pushing federal law beyond its text, while states insist they are only applying settled principles to modern facts.
Until Congress updates the statute, businesses are stuck in the middle. And because Congress has not exactly been sprinting to modernize P.L. 86-272, companies should not expect a quick national reset. The smarter move is to evaluate digital activity now instead of waiting for an audit to deliver the news in a less friendly tone.
Real-World Experiences and Lessons From the Field
In practice, experiences related to this issue usually do not begin with a dramatic tax notice. They begin with confusion. A tax director asks whether the company still relies on P.L. 86-272 in Massachusetts, and someone confidently says yes because there are no employees, no warehouse, and no sales reps in the state. Then the web team joins the call, and suddenly the room gets quieter than a library during finals week.
One common experience is the discovery gap. The tax team may believe the website just processes orders, while the digital team knows the site runs heat maps, product-interest tracking, predictive inventory tools, recommendation engines, session replay software, and marketing attribution pixels. None of these tools looked “taxable” when they were installed. They looked efficient, modern, and revenue-friendly. But once Massachusetts and other states focus on whether those tools serve an independent business function, the tax analysis changes fast.
Another common experience is the vendor blind spot. Many businesses rely on third-party e-commerce platforms, ad-tech vendors, analytics providers, and customer engagement tools. The tax department often does not own those contracts, and the legal department may have reviewed them only for privacy or data-security reasons. When nexus analysis begins, companies realize they need more than a vendor name. They need to know what the tool actually does, what information it gathers, and whether that data influences inventory, product design, pricing, or customer retention strategy.
There is also the timing problem. Businesses often review state income tax positions annually, but websites change monthly, weekly, or even daily. Marketing teams launch new plug-ins. Product teams test new features. Customer support rolls out chat tools. None of those updates comes with a sticky note saying, “By the way, this may affect your Massachusetts filing position.” A company can move from protected activity to unprotected activity without any single person recognizing that the line was crossed.
Then comes the operational lesson: tax cannot solve this issue alone. The companies handling it best usually create a repeatable process. They build a questionnaire for website changes, route new digital tools through tax review, and classify activities as clearly protected, clearly unprotected, or gray-area functions needing more analysis. They also preserve documentation. If a cookie is used only to keep a cart open during a session, that should be documented. If a tool supports product planning or operational decisions, that should be documented too, even if the answer is inconvenient.
Finally, there is the mindset shift. For years, some businesses treated P.L. 86-272 as a simple yes-or-no position tied mainly to physical presence. The modern experience is different. Today, the question is dynamic and fact-heavy. It depends on how the website functions, how the business uses data, and how aggressively a state interprets federal protection. That can feel frustrating, but it also creates an opportunity. Companies that understand their digital systems in detail can make better tax decisions, reduce surprises, and avoid learning about their own technology from an auditor who has already highlighted the scary parts in yellow.
Conclusion
Massachusetts has not rewritten all of P.L. 86-272 doctrine in one sweep, but it has sent a clear signal. The Commonwealth is willing to treat certain internet-based activities as unprotected when those activities have an independent business purpose beyond soliciting orders. By adopting an example based on the revised MTC approach, Massachusetts has effectively told remote sellers that digital commerce is not automatically protected commerce.
For businesses selling tangible personal property into Massachusetts, this is the time to review website functionality, cookie usage, data flows, and internal tax positions with fresh eyes. The old comfort of “no people in the state” is no longer enough. In the modern state tax world, a quiet little cookie can make a lot of noise.