Alabama Personal Data Privacy Act

State privacy legislation is evolving rapidly, with an increasing number of states enacting comprehensive laws that govern how personal data is collected, used, and protected. As federal privacy efforts remain limited, state laws are creating a complex patchwork of compliance requirements for businesses nationwide.

The State Privacy Laws Resource Center is designed to help businesses stay informed and compliant in a shifting legal landscape. This resource is for informational purposes only and does not constitute legal advice.

This act shall be known as the Alabama Personal Data Protection Act.

For the purposes of this act, the following terms have the following meanings: 

(1) AFFILIATE. A legal entity that shares common branding with another legal entity or that controls, is controlled by, or is under common control with another legal entity. 

(2) AUTHENTICATE. To use reasonable methods to determine that a request to exercise any of the consumer rights afforded under this act is being made by, or on behalf of, a consumer who is entitled to exercise those consumer rights with respect to the consumer's personal data at issue.

(3) BIOMETRIC DATA. Data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, retina, or iris, that are used to identify a specific individual. The term does not include any of the following: 

a. A digital or physical photograph. 

b. An audio or video recording. 

c. Any data generated from paragraph a. or b. unless the data is used to identify a specific individual. 

(4) CHILD. An individual under 13 years of age. 

(5) CONSENT. A clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer, including, but not limited to, a written statement or a statement by electronic means. The term does not include any of the following: 

a. Acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other unrelated information. 

b. Hovering over, muting, or pausing a given piece of content. 

c. An agreement obtained using dark patterns. 

(6) CONSUMER. An individual who is a resident of this state. The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency.

(7) CONTROL. Any of the following: 

a. Ownership of or the power to vote more than 50 percent of the outstanding shares of any class of voting security of a company. 

b. Control in any manner over the election of a majority of the directors or of individuals exercising similar functions. 

c. The power to exercise controlling influence over the management of a company.

(8) CONTROLLER. An individual or legal entity that, alone or jointly with others, determines the purposes and means of processing personal data. 

(9) DARK PATTERN. A user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice. 

(10) DEIDENTIFIED DATA. Data that cannot be used to reasonably infer information about or otherwise be linked to an identified or identifiable individual or a device linked to an identified or identifiable individual if the controller that possesses the data does all of the following: 

a. Takes reasonable measures to ensure that the data cannot be associated with an individual. 

b. Publicly commits to process the data in a deidentified fashion only and to not attempt to reidentify the data.

c. Contractually obligates any recipients of the data to satisfy the criteria set forth in Section 11(a) and (b). 

(11) IDENTIFIABLE INDIVIDUAL. An individual who can be readily identified, directly or indirectly. 

(12) NONPROFIT ENTITY. As defined in Section 10A-1-1.03, Code of Alabama 1975. 

(13) PERSONAL DATA. Any information that is linked or reasonably linkable to an identified or identifiable individual. The term does not include deidentified data or publicly available information. 

(14) PRECISE GEOLOCATION DATA. Information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates, which directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. The term does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility. 

(15) PROCESS. Any operation or set of operations, whether by manual or automated means, performed on personal data or on sets of personal data, including, but not limited to, the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. 

(16) PROCESSOR. An individual or legal entity that processes personal data on behalf of a controller. 

(17) PROFILING. Any form of solely-automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. 

(18) PSEUDONYMOUS DATA. Personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributable to an identified or identifiable individual. 

(19) PUBLICLY AVAILABLE INFORMATION. Either of the following: a. Information that is lawfully made available through federal, state, or local government records or widely distributed media. b. Information that a controller has a reasonable basis to believe a consumer has lawfully made available to the public. 

(20) SALE OF PERSONAL DATA. The exchange of personal data for monetary consideration by a controller to a third party, or for other valuable consideration by a controller to a third party where the controller receives a material benefit and the third party is not restricted in its subsequent uses of the personal data. The term does not include any of the following: 

a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller. 

b. The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer.

c. The disclosure or transfer of personal data to an affiliate of the controller. 

d. The disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party. 

e. The disclosure of personal data that the consumer intentionally made available to the public via a channel of mass media and did not restrict to a specific audience. 

f. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets. 

g. The disclosure or transfer of personal data to a third party for the purposes of providing analytics or marketing services solely to the controller.

(21) SENSITIVE DATA. Personal data that includes any of the following: 

a. Data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about an individual's sex life, sexual orientation, or citizenship or immigration status. 

b. The processing of genetic or biometric data for the purpose of uniquely identifying an individual. 

c. Personal data collected from a known child. 

d. Precise geolocation data.

(22) SIGNIFICANT DECISION. A decision made by a controller that results in the provision or denial by the controller of credit or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care service, or access to basic necessities such as food or water. 

(23) TARGETED ADVERTISING. Displaying advertisements to a consumer in which the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet websites or online applications to predict the consumer's preferences or interests. The term does not include any of the following:

 a. Advertisements based on activities within a controller's own Internet websites or online applications. 

b. Advertisements based on the context of a consumer's current search query or visit to any Internet website or online application. 

c. Advertisements directed to a consumer in response to the consumer's request for information or feedback. 

d. Processing personal data solely to measure or report advertising frequency, performance, or reach. 

(24) THIRD PARTY. An individual or legal entity other than a consumer, controller, processor, or an affiliate of the controller or processor. 

(25) TRADE SECRET. As defined in Section 8-27-2, Code of Alabama 1975. 

The provisions of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that meet either of the following qualifications: 

(1) Control or process the personal data of more than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction. 

(2) Derive more than 25 percent of gross revenue from the sale of personal data, regardless of the number of consumers whose data the person controls or processes. 

(a) Notwithstanding any other provisions of this act, this act shall not apply to any of the following: 

(1)a. A political subdivision of the state. b. A public corporation organized pursuant to Title 11, Code of Alabama 1975. 

(2) A two-year or four-year institution of higher education, including affiliates of a two-year or four-year institution of higher education. 

(3) A national securities association that is registered under 15 U.S.C. § 78o-3. 

(4) A financial institution or an affiliate of a financial institution governed by 15 U.S.C. Chapter 94. 

(5) A financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et. seq. 

(6) A covered entity or business associate as defined in the privacy regulations of 45 C.F.R. § 160.103.

(7) A business with fewer than 500 employees, provided the business does not engage in the sale of personal data. 

(8) A nonprofit entity, as defined in Section 10A-1-1.03, Code of Alabama 1975, with less than 100 employees, provided the entity does not engage in the sale of personal data. 

(9) Any person or entity regulated by Chapter 6 of Title 8, Code of Alabama 1975. 

(10) Any person or entity regulated by Chapter 7A of Title 8, Code of Alabama 1975. 

(11) Any trade association explicitly authorized to receive documents or evidence pursuant to Section 27-12A-23, Code of Alabama 1975.

(b) This act shall not apply to any of the following information or data:

 (1) Protected health information under the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996 and related regulations. 

(2) Patient-identifying information for the purposes of 42 C.F.R. Part 2, established pursuant to 42 U.S.C. § 290dd-2. 

(3) Identifiable private information for the purposes of 45 C.F.R. Part 46. 

(4) Identifiable private information that is otherwise collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use. 

(5) The protection of human subjects under 21 C.F.R. Parts 50 and 56, or personal data used or shared in research as defined in the federal Health Insurance Portability and Accountability Act of 1996 and 45 C.F.R. § 164.501, that is conducted in accordance with applicable law.

(6) Information or documents created for the purposes of the federal Health Care Quality Improvement Act of 1986. 

(7) Patient safety work products for the purposes of the federal Patient Safety and Quality Improvement Act of 2005. 

(8) Information derived from any of the health care related information listed in this subsection which is deidentified in accordance with the requirements for deidentification pursuant to the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996. 

(9) Information derived from any of the health care related information listed in this subsection which is included in a limited data set as described in 45 C.F.R. § 164.514(e), to the extent that the information is used, disclosed, and maintained in a manner specified in 45 C.F.R. § 164.514(e). 

(10) Information originating from and intermingled to be indistinguishable with or information treated in the same manner as information exempt under this subsection which is maintained by a covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996 or a program or qualified service organization as specified in 42 U.S.C. § 290dd-2.

(11) Information used for public health activities and purposes as authorized by the federal Health Insurance Portability and Accountability Act of 1996, community health activities, and population health activities. 

(12) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the federal Fair Credit Reporting Act. 

(13) Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994. 

(14) Personal data regulated by the federal Family Educational Rights and Privacy Act of 1974. 

(15) Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act of 1971. 

(16) Data processed or maintained by an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party to the extent that the data is collected and used within the context of that role. 

(17) Data processed or maintained as the emergency contact information of an individual under this act and used for emergency contact purposes. 

(18) Data processed or maintained that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under this section and is used for the purposes of administering the benefits. 

(19) Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as these terms are used in the federal Airline Deregulation Act of 1978 by an air carrier subject to the act. 

(20) Data or information collected or processed to comply with or in accordance with state law. 

(21) Personal data collected or used pursuant to 21 U.S.C. § 830. 

(c) Controllers and processors that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act of 1998 are compliant with any obligation to obtain parental consent pursuant to this act.

(a) Subject to authentication and any other conditions or limitations provided by this act, a consumer may invoke the rights authorized pursuant to this subsection at any time by submitting a request to a controller specifying the consumer right the consumer seeks to invoke. A controller shall comply with an authenticated request to do any of the following: (1) Confirm whether a controller, or a processor or third party acting on a controller's behalf, is processing the consumer's personal data and accessing any of the consumer's personal data under the control of the controller, unless confirmation or access would require the controller to reveal a trade secret.

(2) Correct inaccuracies in the consumer's personal data, considering the nature of the personal data and the purposes of the processing of the consumer's personal data. 

(3) Direct a controller to delete the consumer's personal data. 

(4) Obtain a copy of the consumer's personal data previously provided by the consumer to a controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, unless the provision of the data would require the controller to reveal a trade secret. 

(5) Opt out of the processing of the consumer's personal data for any of the following purposes: 

a. Targeted advertising. 

b. The sale of the consumer's personal data. 

c. Profiling in furtherance of solely automated significant decisions concerning the consumer. 

(b) A controller shall establish a secure and reliable method for a consumer to exercise rights established by this section and shall describe the method in the controller's privacy notice.

(c)(1) A parent or legal guardian of a known child may exercise the consumer's rights on behalf of the known child regarding the processing of personal data. 

(2) A guardian or conservator of a consumer may exercise the consumer's rights on behalf of the consumer regarding the processing of personal data. 

(d) Except as otherwise provided in this act, a controller shall comply with a request by a consumer to exercise the consumer's rights authorized by this section as follows: 

(1)a. A controller shall respond to a consumer's request within 45 days of receipt of the request. b. A controller may extend the response period by 45 additional days, when reasonably necessary considering the complexity and number of the consumer's requests, by notifying the consumer of the extension and the reason for the extension within the initial 45-day response period. 

(2) If a controller declines to act regarding a consumer's request, the controller shall inform the consumer of the justification for declining to act within 45 days of receipt of the request. 

(3) Information provided in response to a consumer request must be provided by a controller, free of charge, once for each consumer during any 12-month period. If a consumer's requests are manifestly unfounded, excessive, technically infeasible, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with a request or decline to act on a request. Upon inquiry by an enforcement authority, the controller bears the burden of demonstrating the manifestly unfounded, excessive, technically infeasible, or repetitive nature of a request. 

(4) If a controller is unable to authenticate a consumer's request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request until the consumer provides additional information reasonably necessary to authenticate the consumer and the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent or otherwise not authorized. If a controller denies an opt-out request because the controller believes the request is fraudulent or not authorized, the controller shall send notice to the person who made the request disclosing that the controller believes the request is fraudulent or not authorized and that the controller may not comply with the request. 

(5) A controller that has obtained personal data about a consumer from a source other than the consumer is in compliance with a consumer's request to delete the consumer's data if the controller has done either of the following: 

a. Retained a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the controller's records and refrains from using the retained data for any other purpose.

b. Opted the consumer out of any further processing of the consumer's personal data for any purpose except for those exempted pursuant to this act.

(a) A parent or legal guardian of a known child or a guardian or conservator of a consumer may act on the known child's or the consumer's behalf to opt out of the processing of the known child's or the consumer's personal data for one or more of the purposes specified in Section 5. 

(b) A controller must allow a consumer to opt-out through either of the following methods: 

(1) By providing a clear and conspicuous link on the controller's Internet website to an Internet web page that enables a consumer directly to opt out of any processing of the consumer's personal data for the purposes of targeted advertising or sale of the consumer's personal data, or provides up-to-date contact information for a consumer to submit the opt-out request. 

(2) By January 1, 2028, responding to a consumer's request to opt out of any processing of the consumer's personal data for the purposes of targeted advertising or sale of the consumer's personal data sent through an opt-out preference signal with the consumer's consent, to the controller by a platform, technology, or mechanism that does all of the following: 

a. May not unfairly disadvantage another controller. 

b. Must require the consumer to affirmatively enable the opt-out preference signal to opt out of any personal data processing pursuant to this act. 

c. Must be reasonably consumer friendly and easy to use by the average consumer. 

d. Must be consistent with any federal or state law or regulation.

e. Must be designed to allow the controller to accurately determine whether the consumer is a resident of the state and whether the consumer has made a legitimate request to opt out of any sale of a consumer's personal data or targeted advertising.

(c)(1) If a consumer's decision to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of personal data, through an opt-out preference signal sent in accordance with this section conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with the consumer's opt-out preference signal but may notify the consumer of the conflict and provide the choice to confirm controller-specific privacy settings or participation in such a program.

(2) If a controller responds to consumer opt-out requests received in accordance with this section by informing the consumer of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered pursuant to this section for the retention, use, sale, or sharing of the consumer's personal data.

(a) A controller shall do all of the following: 

(1) Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed. 

(2) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue. 

(3) Provide an effective mechanism for a consumer to revoke the consumer's consent under this act that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, on revocation of the consent, cease to further process the personal data as soon as practicable, but no later than 45 days after complying with the consumer's opt-out request consistent with this act. 

(b) A controller may not do any of the following: 

(1) Except as provided in this act, process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as disclosed by the controller. 

(2) Process sensitive data concerning a consumer other than a known child without obtaining that consumer's consent or, in the case of the processing of personal data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq.

(3) Process personal data in violation of the laws of this state or federal laws that prohibit unlawful discrimination against consumers. 

(4) Process the personal data of a consumer for the purposes of targeted advertising or sell a consumer's personal data without the consumer's consent under circumstances in which a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age.

(5) Deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods or services to a consumer if the consumer opts out of the processing of the consumer's data. However, if a consumer opts out of data processing, the covered entity is not required to provide a service that requires data processing. Controllers may provide different prices or levels for goods or services if the good or service is a bona fide loyalty, rewards, premium features, discount, or club card program in which a consumer voluntarily participates. 

(c) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the way a consumer may exercise the right to opt out of the processing. 

(d) A controller shall provide consumers with a reasonably accurate, clear, and meaningful privacy notice that includes all of the following:

(1) The categories of personal data processed by the controller. (2) The purpose for processing personal data. (3) The categories of personal data that the controller shares with third parties, if any. (4) The categories of third parties, if any, with which the controller shares personal data. (5) An active email address or other mechanism that the consumer may use to contact the controller. (6) How consumers may exercise their consumer rights, including a link or contact information for availing themselves of the opt-out method provided in Section 6.

(e)(1) A controller shall establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights, as established under Section 5, pursuant to this act considering the ways in which consumers normally interact with the controller, the need for secure and reliable communication of consumer requests, and the ability of the controller to authenticate the identity of the consumer or authorized agent making the request. (2) A controller may not require a consumer to create a new account to exercise consumer rights but may require a consumer to use an existing account as a means of exercising his or her consumer rights. (f) Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's consumer rights as established under this act shall be deemed contrary to public policy and shall be void and unenforceable.

(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations under this act, considering the nature of processing and the information available to the processor, including, but not limited to, both of the following: (1) Maintaining appropriate and reasonably practical technical and organizational measures to support the fulfillment of the controller's obligation to respond to consumer rights requests. 

(2) Assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security of the system of the processor to meet both the controller's and the processor's obligations. 

(b)(1) A contract between a controller and a processor shall govern the processor's data processing obligations with respect to processing performed on behalf of the controller. 

(2) The contract shall: 

a. Be binding; 

b. Clearly set forth instructions for processing data; 

c. Clearly set forth the nature and purpose of the processing; 

d. Clearly set forth the type of data subject to processing; 

e. Clearly set forth the duration of processing; and

f. Clearly set forth the rights and obligations of both parties. 

(3) The contract, taking into account the nature of the processing, the relationship between the parties, and other factors, shall also require the processor to: 

a. Ensure that each processor of personal data is subject to a duty of confidentiality with respect to the personal data;

b. Delete or return all personal data to the controller as requested at the end of the provision of services at the controller's direction, unless retention of the personal data is required or permitted by law or the contract; 

c. Make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations of this act upon the reasonable request of the controller; and 

d. Obligate any subcontractor processing personal data to meet the obligations of the processor with respect to the personal data. 

(c) Nothing in this section may be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller's or processor's role in the processing relationship as described in this act. 

(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the following context in which personal data is to be processed:

(1) A person who is not limited in the processing of personal data pursuant to a controller's instructions or who fails to adhere to a controller's instructions is a controller and not a processor with respect to a specific processing of data. 

(2) A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. 

(3) If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under this act.

(a) Any controller in possession of deidentified data shall do all of the following: 

(1) Take measures to ensure that the deidentified data cannot reasonably be associated with an individual. 

(2) Refrain from reidentifying the deidentified data when maintaining and using deidentified data. 

(3) Contractually obligate any recipients of the deidentified data to comply with all provisions of this section. 

(b) Nothing in this act may be construed to require a controller to do any of the following: 

(1) Reidentify deidentified data or pseudonymous data. 

(2) Maintain deidentified data in an identifiable form. 

(3) Collect, obtain, retain, or access any identifiable data associated with deidentified data solely for purposes of authenticating a potential consumer request regarding personal data.

(c) Nothing in this act may be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller or processor: 

(1) Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome to associate the request with the personal data; 

(2) Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and 

(3) Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor or subprocessor, except as otherwise permitted in this section. 

(d) The rights afforded under Section 5 may not apply to pseudonymous data in cases in which the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information. 

(e) A controller that discloses pseudonymous data or deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

(a) Nothing in this act may be construed to restrict a controller's or processor's ability to do any of the following: 

(1) Comply with federal, state, or local ordinances or regulations. 

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other government authority. 

(3) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local ordinances, rules, or regulations. 

(4) Investigate, establish, exercise, prepare for, or defend legal claims, or otherwise protect the legal rights of the controller or processor. 

(5) Provide a product or service specifically requested by a consumer. 

(6) Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty. 

(7) Take steps at the request of a consumer prior to entering a contract. 

(8) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual and when the processing cannot be manifestly based on another legal basis. 

(9) Prevent, detect, protect against, or respond to security incidents; identify theft, including identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any of these actions.

(10) Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines, or similar independent oversight entities that determine, all of the following: a. Whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller. b. The expected benefits of the research outweigh the privacy risks. c. Whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification. (11) Assist another controller, processor, or third party with any of the obligations under this act. (12) Process personal data for reasons of public interest in public health, community health, or population health, but solely to the extent that the processing is both of the following: a. Subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed. b. Under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law. 

(b) The obligations imposed on controllers or processors under this act may not restrict a controller's or processor's ability to collect, use, or retain personal data for internal use to do any of the following: 

(1) Conduct internal research to develop, improve, or repair products, services, or technology. 

(2) Effectuate a product recall. 

(3) Identify and repair technical errors that impair existing or intended functionality. 

(4) Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party. 

(c) The obligations imposed on controllers or processors under this act may not apply when compliance by the controller or processor with this act would violate an evidentiary privilege under the laws of this state. Nothing in this act may be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication. 

(d)(1) If, at the time a controller or processor discloses personal data to a processor or third-party controller in accordance with this act, the controller or processor did not have actual knowledge that the processor or third-party controller would violate this act, then the controller or processor may not be considered to have violated this act.

(2) A receiving processor or third-party controller receiving personal data from a disclosing controller or processor in compliance with this act is likewise not in violation of this act for the transgressions of the disclosing controller or processor from which the receiving processor or third-party controller receives the personal data. (e) Nothing in this act may be construed to do either of the following: 

(1) Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person. 

(2) Apply to a person's processing of personal data during the person's personal or household activities. 

(f) Personal data processed by a controller pursuant to this section may be processed to the extent that the processing is both of the following: 

(1) Reasonably necessary and proportionate to the purposes listed in this section. 

(2) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. The controller or processor must, when applicable, consider the nature and purpose of the collection, use, or retention of the personal data collected, used, or retained pursuant to this section. The personal data must be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data. 

(g) If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in this section. 

(h) Processing personal data for the purposes expressly identified in this section may not solely make a legal entity a controller with respect to the processing. 

(a) The Attorney General may enforce violations of this act. 

(b)(1) The Attorney General, prior to initiating any action for a violation of any provision of this act, shall issue a notice of violation to the controller. 

(2) If the controller fails to correct the violation within 45 days after receipt of the notice of violation, the Attorney General may bring an action for an injunction pursuant to this section. Upon a finding that the controller has violated this act and failed to correct the violation as required by this section, the court may assess a civil penalty of not more than fifteen thousand dollars ($15,000) per violation.

(3) If within the 45-day period the controller corrects the noticed violation and provides the Attorney General an express written statement that the alleged violations have been corrected and that no such further violations will occur, no action may be initiated against the controller.

This act shall become effective on May 1, 2027.

(a) A business that controls the collection of a consumer's personal information shall, at or before the point of collection, inform consumers of the following:

(1) The categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.

(2) If the business collects sensitive personal information, the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether that information is sold or shared. A business shall not collect additional categories of sensitive personal information or use sensitive personal information collected for additional purposes that are incompatible with the disclosed purpose for which the sensitive personal information was collected without providing the consumer with notice consistent with this section.

(3) The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer's personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.

(b) A business that, acting as a third party, controls the collection of personal information about a consumer may satisfy its obligation under subdivision (a) by providing the required information prominently and conspicuously on the homepage of its internet website. In addition, if a business acting as a third party controls the collection of personal information about a consumer on its premises, including in a vehicle, then the business shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information are used, and whether that personal information is sold, in a clear and conspicuous manner at the location.

(c) A business' collection, use, retention, and sharing of a consumer's personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.

(d) A business that collects a consumer's personal information and that sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose shall enter into an agreement with the third party, service provider, or contractor, that:

(1) Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.

(2) Obligates the third party, service provider, or contractor to comply with applicable obligations under this title and obligate those persons to provide the same level of privacy protection as is required by this title.

(3) Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business' obligations under this title.

(4) Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under this title.

(5) Grants the business the right, upon notice, including under paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

(e) A business that collects a consumer's personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.

(f) Nothing in this section shall require a business to disclose trade secrets, as specified in regulations adopted pursuant to paragraph (3) of subdivision (a) of Section 1798.185.

(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer's rights to request the deletion of the consumer's personal information.

(c)   (1) A business that receives a verifiable consumer request from a consumer to delete the consumer's personal information pursuant to subdivision (a) of this section shall delete the consumer's personal information from its records, notify any service providers or contractors to delete the consumer's personal information from their records, and notify all third parties to whom the business has sold or shared the personal information to delete the consumer's personal information unless this proves impossible or involves disproportionate effort.

(2) The business may maintain a confidential record of deletion requests solely for the purpose of preventing the personal information of a consumer who has submitted a deletion request from being sold, for compliance with laws or for other purposes, solely to the extent permissible under this title.

(3) A service provider or contractor shall cooperate with the business in responding to a verifiable consumer request, and at the direction of the business, shall delete, or enable the business to delete and shall notify any of its own service providers or contractors to delete personal information about the consumer collected, used, processed, or retained by the service provider or the contractor. The service provider or contractor shall notify any service providers, contractors, or third parties who may have accessed personal information from or through the service provider or contractor, unless the information was accessed at the direction of the business, to delete the consumer's personal information unless this proves impossible or involves disproportionate effort. A service provider or contractor shall not be required to comply with a deletion request submitted by the consumer directly to the service provider or contractor to the extent that the service provider or contractor has collected, used, processed, or retained the consumer's personal information in its role as a service provider or contractor to the business.

(d) A business, or a service provider or contractor acting pursuant to its contract with the business, another service provider, or another contractor, shall not be required to comply with a consumer's request to delete the consumer's personal information if it is reasonably necessary for the business, service provider, or contractor to maintain the consumer's personal information in order to:

(1) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

(2) Help to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes.

(3) Debug to identify and repair errors that impair existing intended functionality.

(4) Exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law.

(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.

(6) Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the consumer has provided informed consent.

(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business and compatible with the context in which the consumer provided the information.

(8) Comply with a legal obligation.

(a) A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.

(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer's right to request correction of inaccurate personal information.

(c) A business that receives a verifiable consumer request to correct inaccurate personal information shall use commercially reasonable efforts to correct the inaccurate personal information as directed by the consumer, pursuant to Section 1798.130 and regulations adopted pursuant to paragraph (8) of subdivision (a) of Section 1798.185.

(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

(1) The categories of personal information it has collected about that consumer.

(2) The categories of sources from which the personal information is collected.

(3) The business or commercial purpose for collecting, selling, or sharing personal information.

(4) The categories of third parties to whom the business discloses personal information.

(5) The specific pieces of personal information it has collected about that consumer.

(b) A business that collects personal information about a consumer shall disclose to the consumer, pursuant to subparagraph (B) of paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable consumer request from the consumer, provided that a business shall be deemed to be in compliance with paragraphs (1) to (4), inclusive, of subdivision (a) to the extent that the categories of information and the business or commercial purpose for collecting, selling, or sharing personal information it would be required to disclose to the consumer pursuant to paragraphs (1) to (4), inclusive, of subdivision (a) is the same as the information it has disclosed pursuant to paragraphs (1) to (4), inclusive, of subdivision (c).

(c) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130:

(1) The categories of personal information it has collected about consumers.

(2) The categories of sources from which the personal information is collected.

(3) The business or commercial purpose for collecting, selling, or sharing personal information.

(4) The categories of third parties to whom the business discloses personal information.

(5) That a consumer has the right to request the specific pieces of personal information the business has collected about that consumer.

(a) A consumer shall have the right to request that a business that sells or shares the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer:

(1) The categories of personal information that the business collected about the consumer.

(2) The categories of personal information that the business sold or shared about the consumer and the categories of third parties to whom the personal information was sold or shared, by category or categories of personal information for each category of third parties to whom the personal information was sold or shared.

(3) The categories of personal information that the business disclosed about the consumer for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

(b) A business that sells or shares personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.

(c) A business that sells or shares consumers' personal information, or that discloses consumers' personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of Section 1798.130:

(1) The category or categories of consumers' personal information it has sold or shared, or if the business has not sold or shared consumers' personal information, it shall disclose that fact.

(2) The category or categories of consumers' personal information it has disclosed for a business purpose, or if the business has not disclosed consumers' personal information for a business purpose, it shall disclose that fact.

(d) A third party shall not sell or share personal information about a consumer that has been sold to, or shared with, the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.

(a) A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information. This right may be referred to as the right to opt-out of sale or sharing.

(b) A business that sells consumers' personal information to, or shares it with, third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold or shared and that consumers have the “right to opt-out” of the sale or sharing of their personal information.

(c) Notwithstanding subdivision (a), a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer's personal information. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.

(d) A business that has received direction from a consumer not to sell or share the consumer's personal information or, in the case of a minor consumer's personal information has not received consent to sell or share the minor consumer's personal information, shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from selling or sharing the consumer's personal information after its receipt of the consumer's direction, unless the consumer subsequently provides consent, for the sale or sharing of the consumer's personal information.

(a) A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer's sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, to perform the services set forth in paragraphs (2), (4), (5), and (8) of subdivision (e) of Section 1798.140, and as authorized by regulations adopted pursuant to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185. A business that uses or discloses a consumer's sensitive personal information for purposes other than those specified in this subdivision shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be used, or disclosed to a service provider or contractor, for additional, specified purposes and that consumers have the right to limit the use or disclosure of their sensitive personal information.

(b) A business that has received direction from a consumer not to use or disclose the consumer's sensitive personal information, except as authorized by subdivision (a), shall be prohibited, pursuant to paragraph (4) of subdivision (c) of Section 1798.135, from using or disclosing the consumer's sensitive personal information for any other purpose after its receipt of the consumer's direction unless the consumer subsequently provides consent for the use or disclosure of the consumer's sensitive personal information for additional purposes.

(c) A service provider or contractor that assists a business in performing the purposes authorized by subdivision (a) may not use the sensitive personal information after it has received instructions from the business and to the extent it has actual knowledge that the personal information is sensitive personal information for any other purpose. A service provider or contractor is only required to limit its use of sensitive personal information received pursuant to a written contract with the business in response to instructions from the business and only with respect to its relationship with that business.

(d) Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to this section, as further defined in regulations adopted pursuant to subparagraph (C) of paragraph (19) of subdivision (a) of Section 1798.185, and shall be treated as personal information for purposes of all other sections of this act, including Section 1798.100.

(a)(1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this title, including, but not limited to, by:

(A) Denying goods or services to the consumer.

(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.

(C) Providing a different level or quality of goods or services to the consumer.

(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

(E) Retaliating against an employee, applicant for employment, or independent contractor, as defined in subparagraph (A) of paragraph (2) of subdivision (m) of Section 1798.145, for exercising their rights under this title.

(2) Nothing in this subdivision prohibits a business, pursuant to subdivision (b), from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer's data.

(3) This subdivision does not prohibit a business from offering loyalty, rewards, premium features, discounts, or club card programs consistent with this title.

(b)(1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale or sharing of personal information, or the retention of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is reasonably related to the value provided to the business by the consumer's data.

(2) A business that offers any financial incentives pursuant to this subdivision, shall notify consumers of the financial incentives pursuant to Section 1798.130.

(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.130 that clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time. If a consumer refuses to provide opt-in consent, then the business shall wait for at least 12 months before next requesting that the consumer provide opt-in consent, or as prescribed by regulations adopted pursuant to Section 1798.185.

(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

(a) In order to comply with Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:

(1)(A) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively, including, at a minimum, a toll-free telephone number. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or for requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.

(B) If the business maintains an internet website, make the internet website available to consumers to submit requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, or requests for deletion or correction pursuant to Sections 1798.105 and 1798.106, respectively.

(2)(A) Disclose and deliver the required information to a consumer free of charge, correct inaccurate personal information, or delete a consumer's personal information, based on the consumer's request, within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business's duty to disclose and deliver the information, to correct inaccurate personal information, or to delete personal information within 45 days of receipt of the consumer's request. The time period to provide the required information, to correct inaccurate personal information, or to delete personal information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure of the required information shall be made in writing and delivered through the consumer's account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer's option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business may require authentication of the consumer that is reasonable in light of the nature of the personal information requested, but shall not require the consumer to create an account with the business in order to make a verifiable consumer request provided that if the consumer, has an account with the business, the business may require the consumer to use that account to submit a verifiable consumer request.

(B) The disclosure of the required information shall cover the 12-month period preceding the business' receipt of the verifiable consumer request provided that, upon the adoption of a regulation pursuant to paragraph (9) of subdivision (a) of Section 1798.185, a consumer may request that the business disclose the required information beyond the 12-month period, and the business shall be required to provide that information unless doing so proves impossible or would involve a disproportionate effort. A consumer's right to request required information beyond the 12-month period, and a business's obligation to provide that information, shall only apply to personal information collected on or after January 1, 2022. Nothing in this subparagraph shall require a business to keep personal information for any length of time.

(3)(A) A business that receives a verifiable consumer request pursuant to Section 1798.110 or 1798.115 shall disclose any personal information it has collected about a consumer, directly or indirectly, including through or by a service provider or contractor, to the consumer. A service provider or contractor shall not be required to comply with a verifiable consumer request received directly from a consumer or a consumer's authorized agent, pursuant to Section 1798.110 or 1798.115, to the extent that the service provider or contractor has collected personal information about the consumer in its role as a service provider or contractor. A service provider or contractor shall provide assistance to a business with which it has a contractual relationship with respect to the business' response to a verifiable consumer request, including, but not limited to, by providing to the business the consumer's personal information in the service provider or contractor's possession, which the service provider or contractor obtained as a result of providing services to the business, and by correcting inaccurate information or by enabling the business to do the same. A service provider or contractor that collects personal information pursuant to a written contract with a business shall be required to assist the business through appropriate technical and organizational measures in complying with the requirements of subdivisions (d) to (f), inclusive, of Section 1798.100, taking into account the nature of the processing.

(B) For purposes of subdivision (b) of Section 1798.110:

(i) To identify the consumer, associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

(ii) Identify by category or categories the personal information collected about the consumer for the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected; the categories of sources from which the consumer's personal information was collected; the business or commercial purpose for collecting, selling, or sharing the consumer's personal information; and the categories of third parties to whom the business discloses the consumer's personal information.

(iii) Provide the specific pieces of personal information obtained from the consumer in a format that is easily understandable to the average consumer, and to the extent technically feasible, in a structured, commonly used, machine-readable format that may also be transmitted to another entity at the consumer's request without hindrance. “Specific pieces of information” do not include data generated to help ensure security and integrity or as prescribed by regulation. Personal information is not considered to have been disclosed by a business when a consumer instructs a business to transfer the consumer's personal information from one business to another in the context of switching services.

(4) For purposes of subdivision (b) of Section 1798.115:

(A) Identify the consumer and associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

(B) Identify by category or categories the personal information of the consumer that the business sold or shared during the applicable period of time by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer's personal information was sold or shared during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information sold or shared. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C).

(C) Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of persons to whom the consumer's personal information was disclosed for a business purpose during the applicable period of time by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).

(5) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers' privacy rights, or if the business does not maintain those policies, on its internet website, and update that information at least once every 12 months:

(A) A description of a consumer's rights pursuant to Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, and 1798.125 and two or more designated methods for submitting requests, except as provided in subparagraph (A) of paragraph (1) of subdivision (a).

(B) For purposes of subdivision (c) of Section 1798.110:

(i) A list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.

(ii) The categories of sources from which consumers' personal information is collected.

(iii) The business or commercial purpose for collecting, selling, or sharing consumers' personal information.

(iv) The categories of third parties to whom the business discloses consumers' personal information.

(C) For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:

(i) A list of the categories of personal information it has sold or shared about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold or shared, or if the business has not sold or shared consumers' personal information in the preceding 12 months, the business shall prominently disclose that fact in its privacy policy.

(ii) A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information disclosed, or if the business has not disclosed consumers' personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.

(6) Ensure that all individuals responsible for handling consumer inquiries about the business' privacy practices or the business' compliance with this title are informed of all requirements in Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.

(7) Use any personal information collected from the consumer in connection with the business' verification of the consumer's request solely for the purposes of verification and shall not further disclose the personal information, retain it longer than necessary for purposes of verification, or use it for unrelated purposes.

(b) A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.

(c) The categories of personal information required to be disclosed pursuant to Sections 1798.100, 1798.110, and 1798.115 shall follow the definitions of personal information and sensitive personal information in Section 1798.140 by describing the categories of personal information using the specific terms set forth in subparagraphs (A) to (K), inclusive, of paragraph (1) of subdivision (v) of Section 1798.140 and by describing the categories of sensitive personal information using the specific terms set forth in paragraphs (1) to (9), inclusive, of subdivision (ae) of Section 1798.140.

(a) A business that sells or shares consumers' personal information or uses or discloses consumers' sensitive personal information for purposes other than those authorized by subdivision (a) of Section 1798.121 shall, in a form that is reasonably accessible to consumers:

(1) Provide a clear and conspicuous link on the business's internet homepages, titled “Do Not Sell or Share My Personal Information,” to an internet web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale or sharing of the consumer's personal information.

(2) Provide a clear and conspicuous link on the business' internet homepages, titled “Limit the Use of My Sensitive Personal Information,” that enables a consumer, or a person authorized by the consumer, to limit the use or disclosure of the consumer's sensitive personal information to those uses authorized by subdivision (a) of Section 1798.121.

(3) At the business' discretion, utilize a single, clearly labeled link on the business' internet homepages, in lieu of complying with paragraphs (1) and (2), if that link easily allows a consumer to opt out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information.

(4) In the event that a business responds to opt-out requests received pursuant to paragraph (1), (2), or (3) by informing the consumer of a charge for the use of any product or service, present the terms of any financial incentive offered pursuant to subdivision (b) of Section 1798.125 for the retention, use, sale, or sharing of the consumer's personal information.

(b)(1) A business shall not be required to comply with subdivision (a) if the business allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information through an opt-out preference signal sent with the consumer's consent by a platform, technology, or mechanism, based on technical specifications set forth in regulations adopted pursuant to paragraph (20) of subdivision (a) of Section 1798.185, to the business indicating the consumer's intent to opt out of the business' sale or sharing of the consumer's personal information or to limit the use or disclosure of the consumer's sensitive personal information, or both.

(2) A business that allows consumers to opt out of the sale or sharing of their personal information and to limit the use of their sensitive personal information pursuant to paragraph (1) may provide a link to a web page that enables the consumer to consent to the business ignoring the opt-out preference signal with respect to that business' sale or sharing of the consumer's personal information or the use of the consumer's sensitive personal information for additional purposes provided that:

(A) The consent web page also allows the consumer or a person authorized by the consumer to revoke the consent as easily as it is affirmatively provided.

(B) The link to the web page does not degrade the consumer's experience on the web page the consumer intends to visit and has a similar look, feel, and size relative to other links on the same web page.

(C) The consent web page complies with technical specifications set forth in regulations adopted pursuant to paragraph (20) of subdivision (a) of Section 1798.185.

(3) A business that complies with subdivision (a) is not required to comply with subdivision (b). For the purposes of clarity, a business may elect whether to comply with subdivision (a) or subdivision (b).

(c) A business that is subject to this section shall:

(1) Not require a consumer to create an account or provide additional information beyond what is necessary in order to direct the business not to sell or share the consumer's personal information or to limit use or disclosure of the consumer's sensitive personal information.

(2) Include a description of a consumer's rights pursuant to Sections 1798.120 and 1798.121, along with a separate link to the “Do Not Sell or Share My Personal Information” internet web page and a separate link to the “Limit the Use of My Sensitive Personal Information” internet web page, if applicable, or a single link to both choices, or a statement that the business responds to and abides by opt-out preference signals sent by a platform, technology, or mechanism in accordance with subdivision (b), in:

(A) Its online privacy policy or policies if the business has an online privacy policy or policies.

(B) Any California-specific description of consumers' privacy rights.

(3) Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this title are informed of all requirements in Sections 1798.120, 1798.121, and this section and how to direct consumers to exercise their rights under those sections.

(4) For consumers who exercise their right to opt-out of the sale or sharing of their personal information or limit the use or disclosure of their sensitive personal information, refrain from selling or sharing the consumer's personal information or using or disclosing the consumer's sensitive personal information and wait for at least 12 months before requesting that the consumer authorize the sale or sharing of the consumer's personal information or the use and disclosure of the consumer's sensitive personal information for additional purposes, or as authorized by regulations.

(5) For consumers under 16 years of age who do not consent to the sale or sharing of their personal information, refrain from selling or sharing the personal information of the consumer under 16 years of age and wait for at least 12 months before requesting the consumer's consent again, or as authorized by regulations or until the consumer attains 16 years of age.

(6) Use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of complying with the opt-out request.

(d) Nothing in this title shall be construed to require a business to comply with the title by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.

(e) A consumer may authorize another person to opt-out of the sale or sharing of the consumer's personal information and to limit the use of the consumer's sensitive personal information on the consumer's behalf, including through an opt-out preference signal, as defined in paragraph (1) of subdivision (b), indicating the consumer's intent to opt out, and a business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf, pursuant to regulations adopted by the Attorney General regardless of whether the business has elected to comply with subdivision (a) or (b). For purposes of clarity, a business that elects to comply with subdivision (a) may respond to the consumer's opt-out consistent with Section 1798.125.

(f) If a business communicates a consumer's opt-out request to any person authorized by the business to collect personal information, the person shall thereafter only use that consumer's personal information for a business purpose specified by the business, or as otherwise permitted by this title, and shall be prohibited from:

(1) Selling or sharing the personal information.

(2) Retaining, using, or disclosing that consumer's personal information.

(A) For any purpose other than for the specific purpose of performing the services offered to the business.

(B) Outside of the direct business relationship between the person and the business.

(C) For a commercial purpose other than providing the services to the business.

(g) A business that communicates a consumer's opt-out request to a person pursuant to subdivision (f) shall not be liable under this title if the person receiving the opt-out request violates the restrictions set forth in the title provided that, at the time of communicating the opt-out request, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation. Any provision of a contract or agreement of any kind that purports to waive or limit in any way this subdivision shall be void and unenforceable.

 (a) (1) A business shall not develop or maintain a browser that does not include functionality configurable by a consumer that enables the browser to send an opt-out preference signal to businesses with which the consumer interacts through the browser.

(2) The functionality required by paragraph (1) shall be easy for a reasonable person to locate and configure.

(b) A business that develops or maintains a browser shall make clear to a consumer in its public disclosures how the opt-out preference signal works and the intended effect of the opt-out preference signal.

(c) The California Privacy Protection Agency may adopt regulations as necessary to implement and administer this section.

(d) A business that develops or maintains a browser that includes a functionality that enables the browser to send an opt-out preference signal pursuant to this section shall not be liable for a violation of this title by a business that receives the opt-out preference signal.

(e) As used in this section:

(1) “Browser” means an interactive software application that is used by consumers to locate, access, and navigate internet websites.

(2) “Opt-out preference signal” means a signal that complies with this title and that communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information.

(f) This section shall become operative on January 1, 2027.

For purposes of this title:

(a) “Advertising and marketing” means a communication by a business or a person acting on the business' behalf in any medium intended to induce a consumer to obtain goods, services, or employment.

(b) “Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been deidentified.

(c) “Biometric information” means an individual's physiological, biological, or behavioral characteristics, including information pertaining to an individual's deoxyribonucleic acid (DNA), that is used or is intended to be used singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

(d) “Business” means:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households.

(C) Derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information.

(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers' personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned.

(3) A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.

(4) A person that does business in California, that is not covered by paragraph (1), (2), or (3), and that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by, this title.

(e) “Business purpose” means the use of personal information for the business' operational purposes, or other notified purposes, or for the service provider or contractor's operational purposes, as defined by regulations adopted pursuant to paragraph (11) of subdivision (a) of Section 1798.185, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the purpose for which the personal information was collected or processed or for another purpose that is compatible with the context in which the personal information was collected. Business purposes are:

(1) Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

(2) Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes.

(3) Debugging to identify and repair errors that impair existing intended functionality.

(4) Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer's current interaction with the business, provided that the consumer's personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business.

(5) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.

(6) Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.

(7) Undertaking internal research for technological development and demonstration.

(8) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

(f) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior.

(g) “Commercial purposes” means to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.

(h) “Consent” means any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer, or the consumer's legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose. Acceptance of a general or broad terms of use, or similar document, that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.

(i) “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.

(j)(1) “Contractor” means a person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract with the business, provided that the contract:

(A) Prohibits the contractor from:

(i) Selling or sharing the personal information.

(ii) Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted by this title.

(iii) Retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business.

(iv) Combining the personal information that the contractor receives pursuant to a written contract with the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the contractor may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) and in regulations adopted by the California Privacy Protection Agency.

(B) Includes a certification made by the contractor that the contractor understands the restrictions in subparagraph (A) and will comply with them.

(C) Permits, subject to agreement with the contractor, the business to monitor the contractor's compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.

(2) If a contractor engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor engages another person to assist in processing personal information for that business purpose, it shall notify the business of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).

(k) “Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.

(l) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice, as further defined by regulation.

(m) “Deidentified” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer provided that the business that possesses the information:

(1) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.

(2) Publicly commits to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subdivision.

(3) Contractually obligates any recipients of the information to comply with all provisions of this subdivision.

(n) “Designated methods for submitting requests” means a mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.

(o) “Device” means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.

(p) “Homepage” means the introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application's platform page or download page, a link within the application, such as from the application configuration, “About,” “Information,'' or settings page, and any other location that allows consumers to review the notices required by this title, including, but not limited to, before downloading the application.

(q) “Household” means a group, however identified, of consumers who cohabitate with one another at the same residential address and share use of common devices or services.

(r) “Infer” or “inference” means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.

(s) “Intentionally interacts” means when the consumer intends to interact with a person, or disclose personal information to a person, via one or more deliberate interactions, including visiting the person's website or purchasing a good or service from the person. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a person.

(t) “Nonpersonalized advertising” means advertising and marketing that is based solely on a consumer's personal information derived from the consumer's current interaction with the business with the exception of the consumer's precise geolocation.

(u) “Person” means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.

(v)(1) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

(B) Any personal information described in subdivision (e) of Section 1798.80.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

(L) Sensitive personal information.

(2) “Personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer's knowledge.

(3) “Personal information” does not include consumer information that is deidentified or aggregate consumer information.

(w) “Precise geolocation” means any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.

(x) “Probabilistic identifier” means the identification of a consumer or a consumer's device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.

(y) “Processing” means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.

(z) “Profiling” means any form of automated processing of personal information, as further defined by regulations pursuant to paragraph (16) of subdivision (a) of Section 1798.185, to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

(aa) “Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.

(ab) “Research” means scientific analysis, systematic study, and observation, including basic research or applied research that is designed to develop or contribute to public or scientific knowledge and that adheres or otherwise conforms to all other applicable ethics and privacy laws, including, but not limited to, studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer's interactions with a business' service or device for other purposes shall be:

(1) Compatible with the business purpose for which the personal information was collected.

(2) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, by a business.

(3) Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, other than as needed to support the research.

(4) Subject to business processes that specifically prohibit reidentification of the information, other than as needed to support the research.

(5) Made subject to business processes to prevent inadvertent release of deidentified information.

(6) Protected from any reidentification attempts.

(7) Used solely for research purposes that are compatible with the context in which the personal information was collected.

(8) Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals as are necessary to carry out the research purpose.

(ac) “Security and integrity” means the ability of:

(1) Networks or information systems to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information.

(2) Businesses to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions and to help prosecute those responsible for those actions.

(3) Businesses to ensure the physical safety of natural persons.

(ad)(1) “Sell,” “selling,” “sale,” or “sold,'' means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration.

(2) For purposes of this title, a business does not sell personal information when:

(A) A consumer uses or directs the business to intentionally:

(i) Disclose personal information.

(ii) Interact with one or more third parties.

(B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer's personal information or limited the use of the consumer's sensitive personal information.

(C) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

(ae) “Sensitive personal information” means:

(1) Personal information that reveals:

(A) A consumer's social security, driver's license, state identification card, or passport number.

(B) A consumer's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

(C) A consumer's precise geolocation.

(D) A consumer's racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership.

(E) The contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication.

(F) A consumer's genetic data.

(2)(A) The processing of biometric information for the purpose of uniquely identifying a consumer.

(B) Personal information collected and analyzed concerning a consumer's health.

(C) Personal information collected and analyzed concerning a consumer's sex life or sexual orientation.

(3) Sensitive personal information that is “publicly available” pursuant to paragraph (2) of subdivision (v) shall not be considered sensitive personal information or personal information.

(af) “Service” or “services” means work, labor, and services, including services furnished in connection with the sale or repair of goods.

(ag)(1) “Service provider” means a person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the person from:

(A) Selling or sharing the personal information.

(B) Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract for the business, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract with the business, or as otherwise permitted by this title.

(C) Retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business.

(D) Combining the personal information that the service provider receives from, or on behalf of, the business with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that the service provider may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) of this section and in regulations adopted by the California Privacy Protection Agency. The contract may, subject to agreement with the service provider, permit the business to monitor the service provider's compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.

(2) If a service provider engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for that business purpose, it shall notify the business of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).

(ah)(1) “Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

(2) For purposes of this title, a business does not share personal information when:

(A) A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with one or more third parties.

(B) The business uses or shares an identifier for a consumer who has opted out of the sharing of the consumer's personal information or limited the use of the consumer's sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sharing of the consumer's personal information or limited the use of the consumer's sensitive personal information.

(C) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

(ai) “Third party” means a person who is not any of the following:

(1) The business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer's current interaction with the business under this title.

(2) A service provider to the business.

(3) A contractor.

(aj) “Unique identifier” or “unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family. For purposes of this subdivision, “family” means a custodial parent or guardian and any children under 18 years of age over which the parent or guardian has custody.

(ak) “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer's minor child, by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer's behalf, or by a person who has power of attorney or is acting as a conservator for the consumer, and that the business can verify, using commercially reasonable methods, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115, to delete personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, if the business cannot verify, pursuant to this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer's behalf.

(a)(1) The obligations imposed on businesses by this title shall not restrict a business's ability to:

(A) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.

(B) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. Law enforcement agencies, including police and sheriff's departments, may direct a business pursuant to a law enforcement agency-approved investigation with an active case number not to delete a consumer's personal information, and, upon receipt of that direction, a business shall not delete the personal information for 90 days in order to allow the law enforcement agency to obtain a court-issued subpoena, order, or warrant to obtain a consumer's personal information. For good cause and only to the extent necessary for investigatory purposes, a law enforcement agency may direct a business not to delete the consumer's personal information for additional 90-day periods. A business that has received direction from a law enforcement agency not to delete the personal information of a consumer who has requested deletion of the consumer's personal information shall not use the consumer's personal information for any purpose other than retaining it to produce to law enforcement in response to a court-issued subpoena, order, or warrant unless the consumer's deletion request is subject to an exemption from deletion under this title.

(C) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

(D)(i) Cooperate with a government agency request for emergency access to a consumer's personal information if a natural person is at risk or danger of death or serious physical injury provided that:

(I) The request is approved by a high-ranking agency officer for emergency access to a consumer's personal information.

(II) The request is based on the agency's good faith determination that it has a lawful basis to access the information on a nonemergency basis.

(III) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted.

(ii) For purposes of this subparagraph, a consumer accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services, shall not constitute a natural person being at risk or danger of death or serious physical injury.

(E) Exercise or defend legal claims.

(F) Collect, use, retain, sell, share, or disclose consumers' personal information that is deidentified or aggregate consumer information.

(G) Collect, sell, or share a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer's personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not prohibit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.

(2)(A) This subdivision shall not apply if the consumer's personal information contains information related to accessing, procuring, or searching for services regarding contraception, pregnancy care, and perinatal care, including, but not limited to, abortion services.

(B) This paragraph does not alter the use of aggregated or deidentified personal information consistent with a business purpose as defined in paragraphs (1), (2), (3), (4), (5), (7), or (8) of subdivision (e) of Section 1798.140, provided that the personal information is only retained in aggregated and deidentified form and is not sold or shared.

(C) This paragraph does not alter the duty of a business to preserve or retain evidence pursuant to California or federal law in an ongoing civil proceeding.

(b) The obligations imposed on businesses by Sections 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, and 1798.135 shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.

(c)(1) This title shall not apply to any of the following:

(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)2 and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.

(C) Personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, provided that the information is not sold or shared in a manner not permitted by this subparagraph, and, if it is inconsistent, that participants be informed of that use and provide consent.

(2) For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.

(d)(1) This title shall not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code.

(2) Paragraph (1) shall apply only to the extent that such activity involving the collection, maintenance, disclosure, sale, communication, or use of such information by that agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act, Section 1681 et seq., Title 15 of the United States Code and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act.

(3) This subdivision shall not apply to Section 1798.150.

(e) This title shall not apply to personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code), or the federal Farm Credit Act of 1971 (as amended in 12 U.S.C. 2001-2279cc and implementing regulations, 12 C.F.R. 600, et seq.). This subdivision shall not apply to Section 1798.150.

(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver's Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.

(g)(1) Section 1798.120 shall not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer, as defined in Section 426 of the Vehicle Code, and the vehicle's manufacturer, as defined in Section 672 of the Vehicle Code, if the vehicle information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code, provided that the new motor vehicle dealer or vehicle manufacturer with which that vehicle information or ownership information is shared does not sell, share, or use that information for any other purpose.

(2) Section 1798.120 shall not apply to vessel information or ownership information retained or shared between a vessel dealer and the vessel's manufacturer, as defined in Section 651 of the Harbors and Navigation Code, if the vessel information or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vessel repair covered by a vessel warranty or a recall conducted pursuant to Section 4310 of Title 46 of the United States Code, provided that the vessel dealer or vessel manufacturer with which that vessel information or ownership information is shared does not sell, share, or use that information for any other purpose.

(3) For purposes of this subdivision:

(A) “Ownership information” means the name or names of the registered owner or owners and the contact information for the owner or owners.

(B) “Vehicle information” means the vehicle information number, make, model, year, and odometer reading.

(C) “Vessel dealer” means a person who is engaged, wholly or in part, in the business of selling or offering for sale, buying or taking in trade for the purpose of resale, or exchanging, any vessel or vessels, as defined in Section 651 of the Harbors and Navigation Code, and receives or expects to receive money, profit, or any other thing of value.

(D) “Vessel information” means the hull identification number, model, year, month and year of production, and information describing any of the following equipment as shipped, transferred, or sold from the place of manufacture, including all attached parts and accessories:

(i) An inboard engine.

(ii) An outboard engine.

(iii) A stern drive unit.

(iv) An inflatable personal floatation device approved under Section 160.076 of Title 46 of the Code of Federal Regulations.

(h) Notwithstanding a business's obligations to respond to and honor consumer rights requests pursuant to this title:

(1) A time period for a business to respond to a consumer for any verifiable consumer request may be extended by up to a total of 90 days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.

(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.

(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive.

(i)(1) A business that discloses personal information to a service provider or contractor in compliance with this title shall not be liable under this title if the service provider or contractor receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider or contractor intends to commit such a violation. A service provider or contractor shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title provided that the service provider or contractor shall be liable for its own violations of this title.

(2) A business that discloses personal information of a consumer, with the exception of consumers who have exercised their right to opt out of the sale or sharing of their personal information, consumers who have limited the use or disclosure of their sensitive personal information, and minor consumers who have not opted in to the collection or sale of their personal information, to a third party pursuant to a written contract that requires the third party to provide the same level of protection of the consumer's rights under this title as provided by the business shall not be liable under this title if the third party receiving the personal information uses it in violation of the restrictions set forth in this title provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the third party intends to commit such a violation.

(j) This title shall not be construed to require a business, service provider, or contractor to:

(1) Reidentify or otherwise link information that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

(2) Retain any personal information about a consumer if, in the ordinary course of business, that information about the consumer would not be retained.

(3) Maintain information in identifiable, linkable, or associable form, or collect, obtain, retain, or access any data or technology, in order to be capable of linking or associating a verifiable consumer request with personal information.

(k) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other natural persons. A verifiable consumer request for specific pieces of personal information pursuant to Section 1798.110, to delete a consumer's personal information pursuant to Section 1798.105, or to correct inaccurate personal information pursuant to Section 1798.106, shall not extend to personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. A business may rely on representations made in a verifiable consumer request as to rights with respect to personal information and is under no legal requirement to seek out other persons that may have or claim to have rights to personal information, and a business is under no legal obligation under this title or any other provision of law to take any action under this title in the event of a dispute between or among persons claiming rights to personal information in the business's possession.

(l) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.

(m)(1) This title shall not apply to any of the following:

(A) Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the natural person's personal information is collected and used by the business solely within the context of the natural person's role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of, that business.

(B) Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file.

(C) Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business to the extent that the personal information is collected and used solely within the context of administering those benefits.

(2) For purposes of this subdivision:

(A) “Independent contractor” means a natural person who provides any service to a business pursuant to a written contract.

(B) “Director” means a natural person designated in the articles of incorporation as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.

(C) “Medical staff member” means a licensed physician and surgeon, dentist, or podiatrist, licensed pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code and a clinical psychologist as defined in Section 1316.5 of the Health and Safety Code.

(D) “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.

(E) “Owner” means a natural person who meets one of the following criteria:

(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.

(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

(iii) Has the power to exercise a controlling influence over the management of a company.

(3) This subdivision shall not apply to subdivision (a) of Section 1798.100 or Section 1798.150.

(4) This subdivision shall become inoperative on January 1, 2023.

(n)(1) The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.121, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.

(2) For purposes of this subdivision:

(A) “Independent contractor” means a natural person who provides any service to a business pursuant to a written contract.

(B) “Director” means a natural person designated in the articles of incorporation as such or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.

(C) “Officer” means a natural person elected or appointed by the board of directors to manage the daily operations of a corporation, such as a chief executive officer, president, secretary, or treasurer.

(D) “Owner” means a natural person who meets one of the following:

(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.

(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

(iii) Has the power to exercise a controlling influence over the management of a company.

(3) This subdivision shall become inoperative on January 1, 2023.

(o)(1) Sections 1798.105 and 1798.120 shall not apply to a commercial credit reporting agency's collection, processing, sale, or disclosure of business controller information to the extent the commercial credit reporting agency uses the business controller information solely to identify the relationship of a consumer to a business that the consumer owns or contact the consumer only in the consumer's role as the owner, director, officer, or management employee of the business.

(2) For the purposes of this subdivision:

(A) “Business controller information” means the name or names of the owner or owners, director, officer, or management employee of a business and the contact information, including a business title, for the owner or owners, director, officer, or management employee.

(B) “Commercial credit reporting agency” has the meaning set forth in subdivision (b) of Section 1785.42.

(C) “Owner” means a natural person that meets one of the following:

(i) Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.

(ii) Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

(iii) Has the power to exercise a controlling influence over the management of a company.

(D) “Director” means a natural person designated in the articles of incorporation of a business as director, or elected by the incorporators and natural persons designated, elected, or appointed by any other name or title to act as directors, and their successors.

(E) “Officer” means a natural person elected or appointed by the board of directors of a business to manage the daily operations of a corporation, including a chief executive officer, president, secretary, or treasurer.

(F) “Management employee” means a natural person whose name and contact information is reported to or collected by a commercial credit reporting agency as the primary manager of a business and used solely within the context of the natural person's role as the primary manager of the business.

(p) The obligations imposed on businesses in Sections 1798.105, 1798.106, 1798.110, and 1798.115 shall not apply to household data.

(q)(1) This title does not require a business to comply with a verifiable consumer request to delete a consumer's personal information under Section 1798.105 to the extent the verifiable consumer request applies to a student's grades, educational scores, or educational test results that the business holds on behalf of a local educational agency, as defined in subdivision (d) of Section 49073.1 of the Education Code, at which the student is currently enrolled. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.

(2) This title does not require, in response to a request pursuant to Section 1798.110, that a business disclose on educational standardized assessment or educational assessment or a consumer's specific responses to the educational standardized assessment or educational assessment if consumer access, possession, or control would jeopardize the validity and reliability of that educational standardized assessment or educational assessment. If a business does not comply with a request pursuant to this section, it shall notify the consumer that it is acting pursuant to this exception.

(3) For purposes of this subdivision:

(A) “Educational standardized assessment or educational assessment” means a standardized or nonstandardized quiz, test, or other assessment used to evaluate students in or for entry to kindergarten and grades 1 to 12, inclusive, schools, postsecondary institutions, vocational programs, and postgraduate programs that are accredited by an accrediting agency or organization recognized by the State of California or the United States Department of Education, as well as certification and licensure examinations used to determine competency and eligibility to receive certification or licensure from a government agency or government certification body.

(B) “Jeopardize the validity and reliability of that educational standardized assessment or educational assessment” means releasing information that would provide an advantage to the consumer who has submitted a verifiable consumer request or to another natural person.

(r) Sections 1798.105 and 1798.120 shall not apply to a business's use, disclosure, or sale of particular pieces of a consumer's personal information if the consumer has consented to the business's use, disclosure, or sale of that information to produce a physical item, including a school yearbook containing the consumer's photograph if:

(1) The business has incurred significant expense in reliance on the consumer's consent.

(2) Compliance with the consumer's request to opt out of the sale of the consumer's personal information or to delete the consumer's personal information would not be commercially reasonable.

(3) The business complies with the consumer's request as soon as it is commercially reasonable to do so.

(a) This title shall not apply to any of the following:

(1) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)1 and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5).

(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described in paragraph (1).

(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses patient information in the same manner as medical information or protected health information as described in paragraph (1).

(4)      (A) Information that meets both of the following conditions:

(i) It is deidentified in accordance with the requirements for deidentification set forth in Section 164.514 of Part 164 of Title 45 of the Code of Federal Regulations.

(ii) It is derived from patient information that was originally collected, created, transmitted, or maintained by an entity regulated by the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, or the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.

(B) Information that met the requirements of subparagraph (A) but is subsequently reidentified shall no longer be eligible for the exemption in this paragraph, and shall be subject to applicable federal and state data privacy and security laws, including, but not limited to, the Health Insurance Portability and Accountability Act, the Confidentiality Of Medical Information Act, and this title.

(5) Information that is collected, used, or disclosed in research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of Part 164 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.

(b) For purposes of this section, all of the following shall apply:

(1) “Business associate” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

(2) “Covered entity” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

(3) “Identifiable private information” has the same meaning as defined in Section 46.102 of Title 45 of the Code of Federal Regulations.

(4) “Individually identifiable health information” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

(5) “Medical information” has the same meaning as defined in Section 56.05.

(6) “Patient information” shall mean identifiable private information, protected health information, individually identifiable health information, or medical information.

(7) “Protected health information” has the same meaning as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

(8) “Provider of health care” has the same meaning as defined in Section 56.05.

a) A business or other person shall not reidentify, or attempt to reidentify, information that has met the requirements of paragraph (4) of subdivision (a) of Section 1798.146, except for one or more of the following purposes:

(1) Treatment, payment, or health care operations conducted by a covered entity or business associate acting on behalf of, and at the written direction of, the covered entity. For purposes of this paragraph, “treatment,” “payment,” “health care operations,” covered entity,” and “business associate” have the same meaning as defined in Section 164.501 of Title 45 of the Code of Federal Regulations.

(2) Public health activities or purposes as described in Section 164.512 of Title 45 of the Code of Federal Regulations.

(3) Research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, that is conducted in accordance with Part 46 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule.

(4) Pursuant to a contract where the lawful holder of the deidentified information that met the requirements of paragraph (4) of subdivision (a) of Section 1798.146 expressly engages a person or entity to attempt to reidentify the deidentified information in order to conduct testing, analysis, or validation of deidentification, or related statistical techniques, if the contract bans any other use or disclosure of the reidentified information and requires the return or destruction of the information that was reidentified upon completion of the contract.

(5) If otherwise required by law.

(b) In accordance with paragraph (4) of subdivision (a) of Section 1798.146, information reidentified pursuant this section shall be subject to applicable federal and state data privacy and security laws including, but not limited to, the Health Insurance Portability and Accountability Act, the Confidentiality of Medical Information Act, and this title.

(c) Beginning January 1, 2021, any contract for the sale or license of deidentified information that has met the requirements of paragraph (4) of subdivision (a) of Section 1798.146, where one of the parties is a person residing or doing business in the state, shall include the following, or substantially similar, provisions:

(1) A statement that the deidentified information being sold or licensed includes deidentified patient information.

(2) A statement that reidentification, and attempted reidentification, of the deidentified information by the purchaser or licensee of the information is prohibited pursuant to this section.

(3) A requirement that, unless otherwise required by law, the purchaser or licensee of the deidentified information may not further disclose the deidentified information to any third party unless the third party is contractually bound by the same or stricter restrictions and conditions.

(d) For purposes of this section, “reidentify” means the process of reversal of deidentification techniques, including, but not limited to, the addition of specific pieces of information or data elements that can, individually or in combination, be used to uniquely identify an individual or usage of any statistical method, contrivance, computer software, or other means that have the effect of associating deidentified information with a specific identifiable individual.

(a)(1) Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.

(b) Actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days' written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. The implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach. No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title. If a business continues to violate this title in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.

(c) The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution.

(a) Any business, service provider, contractor, or other person that violates this title shall be liable for an administrative fine of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation or violations involving the personal information of consumers whom the business, service provider, contractor, or other person has actual knowledge are under 16 years of age, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185, in an administrative enforcement action brought by the California Privacy Protection Agency.

(b) Any administrative fine assessed for a violation of this title, and the proceeds of any settlement of an action brought pursuant to subdivision (a), shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160 with the intent to fully offset any costs incurred by the state courts, the Attorney General, and the California Privacy Protection Agency in connection with this title.

(a) A special fund to be known as the “Consumer Privacy Fund” is hereby created within the General Fund in the State Treasury, and is available upon appropriation by the Legislature first to offset any costs incurred by the state courts in connection with actions brought to enforce this title, the costs incurred by the Attorney General in carrying out the Attorney General's duties under this title, and then for the purposes of establishing an investment fund in the State Treasury, with any earnings or interest from the fund to be deposited in the General Fund, and making grants to promote and protect consumer privacy, educate children in the area of online privacy, and fund cooperative programs with international law enforcement organizations to combat fraudulent activities with respect to consumer data breaches.

(b) Funds transferred to the Consumer Privacy Fund shall be used exclusively as follows:

(1) To offset any costs incurred by the state courts and the Attorney General in connection with this title.

(2) After satisfying the obligations under paragraph (1), the remaining funds shall be allocated each fiscal year as follows:

(A) Ninety-one percent shall be invested by the Treasurer in financial assets with the goal of maximizing long term yields consistent with a prudent level of risk. The principal shall not be subject to transfer or appropriation, provided that any interest and earnings shall be transferred on an annual basis to the General Fund for appropriation by the Legislature for General Fund purposes.

(B) Nine percent shall be made available to the California Privacy Protection Agency for the purposes of making grants in California, with 3 percent allocated to each of the following grant recipients:

(i) Nonprofit organizations to promote and protect consumer privacy.

(ii) Nonprofit organizations and public agencies, including school districts, to educate children in the area of online privacy.

(iii) State and local law enforcement agencies to fund cooperative programs with international law enforcement organizations to combat fraudulent activities with respect to consumer data breaches.

(c) Funds in the Consumer Privacy Fund shall not be subject to appropriation or transfer by the Legislature for any other purpose.

This title is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers' personal information, including, but not limited to, Chapter 22 (commencing with Section 22575) of Division 8 of the Business and Professions Code and Title 1.81 (commencing with Section 1798.80). The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, law relating to consumers' personal information should be construed to harmonize with the provisions of this title, but in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers' personal information by a business.

(a) On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:

(1) Updating or adding categories of personal information to those enumerated in subdivision (c) of Section 1798.130 and subdivision (v) of Section 1798.140, and updating or adding categories of sensitive personal information to those enumerated in subdivision (ae) of Section 1798.140 in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.

(2) Updating as needed the definitions of “deidentified” and “unique identifier” to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and adding, modifying, or deleting categories to the definition of designated methods for submitting requests to facilitate a consumer's ability to obtain information from a business pursuant to Section 1798.130. The authority to update the definition of “deidentified” shall not apply to deidentification standards set forth in Section 164.514 of Title 45 of the Code of Federal Regulations, where such information previously was “protected health information” as defined in Section 160.103 of Title 45 of the Code of Federal Regulations.

(3) Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, within one year of passage of this title and as needed thereafter, with the intention that trade secrets should not be disclosed in response to a verifiable consumer request.

(4) Establishing rules and procedures for the following:

(A) To facilitate and govern the submission of a request by a consumer to opt out of the sale or sharing of personal information pursuant to Section 1798.120 and to limit the use of a consumer's sensitive personal information pursuant to Section 1798.121 to ensure that consumers have the ability to exercise their choices without undue burden and to prevent business from engaging in deceptive or harassing conduct, including in retaliation against consumers for exercising their rights, while allowing businesses to inform consumers of the consequences of their decision to opt out of the sale or sharing of their personal information or to limit the use of their sensitive personal information.

(B) To govern business compliance with a consumer's opt-out request.

(C) For the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information.

(5) Adjusting the monetary thresholds, in January of every odd-numbered year to reflect any increase in the Consumer Price Index, in: subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.140; subparagraph (A) of paragraph (1) of subdivision (a) of Section 1798.150; subdivision (a) of Section 1798.155; Section 1798.199.25; and subdivision (a) of Section 1798.199.90.

(6) Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentives within one year of passage of this title and as needed thereafter.

(7) Establishing rules and procedures to further the purposes of Sections 1798.105, 1798.106, 1798.110, and 1798.115 and to facilitate a consumer's or the consumer's authorized agent's ability to delete personal information, correct inaccurate personal information pursuant to Section 1798.106, or obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business's determination that a request for information received from a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business's authentication of the consumer's identity, within one year of passage of this title and as needed thereafter.

(8) Establishing how often, and under what circumstances, a consumer may request a correction pursuant to Section 1798.106, including standards governing the following:

(A) How a business responds to a request for correction, including exceptions for requests to which a response is impossible or would involve disproportionate effort, and requests for correction of accurate information.

(B) How concerns regarding the accuracy of the information may be resolved.

(C) The steps a business may take to prevent fraud.

(D) If a business rejects a request to correct personal information collected and analyzed concerning a consumer's health, the right of a consumer to provide a written addendum to the business with respect to any item or statement regarding any such personal information that the consumer believes to be incomplete or incorrect. The addendum shall be limited to 250 words per alleged incomplete or incorrect item and shall clearly indicate in writing that the consumer requests the addendum to be made a part of the consumer's record.

(9) Establishing the standard to govern a business's determination, pursuant to subparagraph (B) of paragraph (2) of subdivision (a) of Section 1798.130, that providing information beyond the 12-month period in a response to a verifiable consumer request is impossible or would involve a disproportionate effort.

(10) Issuing regulations further defining and adding to the business purposes, including other notified purposes, for which businesses, service providers, and contractors may use consumers' personal information consistent with consumers' expectations, and further defining the business purposes for which service providers and contractors may combine consumers' personal information obtained from different sources, except as provided for in paragraph (6) of subdivision (e) of Section 1798.140.

(11) Issuing regulations identifying those business purposes, including other notified purposes, for which service providers and contractors may use consumers' personal information received pursuant to a written contract with a business, for the service provider or contractor's own business purposes, with the goal of maximizing consumer privacy.

(12) Issuing regulations to further define “intentionally interacts,” with the goal of maximizing consumer privacy.

(13) Issuing regulations to further define “precise geolocation,” including if the size defined is not sufficient to protect consumer privacy in sparsely populated areas or when the personal information is used for normal operational purposes, including billing.

(14) Issuing regulations to define the term “specific pieces of information obtained from the consumer” with the goal of maximizing a consumer's right to access relevant personal information while minimizing the delivery of information to a consumer that would not be useful to the consumer, including system log information and other technical data. For delivery of the most sensitive personal information, the regulations may require a higher standard of authentication provided that the agency shall monitor the impact of the higher standard on the right of consumers to obtain their personal information to ensure that the requirements of verification do not result in the unreasonable denial of verifiable consumer requests.

(15) Issuing regulations requiring businesses whose processing of consumers' personal information presents significant risk to consumers' privacy or security, to:

(A) Perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent. The factors to be considered in determining when processing may result in significant risk to the security of personal information shall include the size and complexity of the business and the nature and scope of processing activities.

(B) Submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting the processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public. Nothing in this section shall require a business to divulge trade secrets.

(16) Issuing regulations governing access and opt-out rights with respect to businesses' use of automated decisionmaking technology, including profiling and requiring businesses' response to access requests to include meaningful information about the logic involved in those decisionmaking processes, as well as a description of the likely outcome of the process with respect to the consumer.

(17) Issuing regulations to further define a “law enforcement agency-approved investigation” for purposes of the exception in subparagraph (B) of paragraph (1) of subdivision (a) of Section 1798.145.

(18) Issuing regulations to define the scope and process for the exercise of the agency's audit authority, to establish criteria for selection of persons to audit, and to protect consumers' personal information from disclosure to an auditor in the absence of a court order, warrant, or subpoena.

(19)      (A) Issuing regulations to define the requirements and technical specifications for an opt-out preference signal sent by a platform, technology, or mechanism, to indicate a consumer's intent to opt out of the sale or sharing of the consumer's personal information and to limit the use or disclosure of the consumer's sensitive personal information. The requirements and specifications for the opt-out preference signal should be updated from time to time to reflect the means by which consumers interact with businesses, and should:

(i) Ensure that the manufacturer of a platform or browser or device that sends the opt-out preference signal cannot unfairly disadvantage another business.

(ii) Ensure that the opt-out preference signal is consumer-friendly, clearly described, and easy to use by an average consumer and does not require that the consumer provide additional information beyond what is necessary.

(iii) Clearly represent a consumer's intent and be free of defaults constraining or presupposing that intent.

(iv) Ensure that the opt-out preference signal does not conflict with other commonly used privacy settings or tools that consumers may employ.

(v) Provide a mechanism for the consumer to selectively consent to a business's sale of the consumer's personal information, or the use or disclosure of the consumer's sensitive personal information, without affecting the consumer's preferences with respect to other businesses or disabling the opt-out preference signal globally.

(vi) State that in the case of a page or setting view that the consumer accesses to set the opt-out preference signal, the consumer should see up to three choices, including:

(I) Global opt out from sale and sharing of personal information, including a direction to limit the use of sensitive personal information.

(II) Choice to “Limit the Use of My Sensitive Personal Information.”

(III) Choice titled “Do Not Sell/Do Not Share My Personal Information for Cross-Context Behavioral Advertising.”

(B) Issuing regulations to establish technical specifications for an opt-out preference signal that allows the consumer, or the consumer's parent or guardian, to specify that the consumer is less than 13 years of age or at least 13 years of age and less than 16 years of age.

(C) Issuing regulations, with the goal of strengthening consumer privacy while considering the legitimate operational interests of businesses, to govern the use or disclosure of a consumer's sensitive personal information, notwithstanding the consumer's direction to limit the use or disclosure of the consumer's sensitive personal information, including:

(i) Determining any additional purposes for which a business may use or disclose a consumer's sensitive personal information.

(ii) Determining the scope of activities permitted under paragraph (8) of subdivision (e) of Section 1798.140, as authorized by subdivision (a) of Section 1798.121, to ensure that the activities do not involve health-related research.

(iii) Ensuring the functionality of the business's operations.

(iv) Ensuring that the exemption in subdivision (d) of Section 1798.121 for sensitive personal information applies to information that is collected or processed incidentally, or without the purpose of inferring characteristics about a consumer, while ensuring that businesses do not use the exemption for the purpose of evading consumers' rights to limit the use and disclosure of their sensitive personal information under Section 1798.121.

(20) Issuing regulations to govern how a business that has elected to comply with subdivision (b) of Section 1798.135 responds to the opt-out preference signal and provides consumers with the opportunity subsequently to consent to the sale or sharing of their personal information or the use and disclosure of their sensitive personal information for purposes in addition to those authorized by subdivision (a) of Section 1798.121. The regulations should:

(A) Strive to promote competition and consumer choice and be technology neutral.

(B) Ensure that the business does not respond to an opt-out preference signal by:

(i) Intentionally degrading the functionality of the consumer experience.

(ii) Charging the consumer a fee in response to the consumer's opt-out preferences.

(iii) Making any products or services not function properly or fully for the consumer, as compared to consumers who do not use the opt-out preference signal.

(iv) Attempting to coerce the consumer to opt in to the sale or sharing of the consumer's personal information, or the use or disclosure of the consumer's sensitive personal information, by stating or implying that the use of the opt-out preference signal will adversely affect the consumer as compared to consumers who do not use the opt-out preference signal, including stating or implying that the consumer will not be able to use the business's products or services or that those products or services may not function properly or fully.

(v) Displaying any notification or pop-up in response to the consumer's opt-out preference signal.

(C) Ensure that any link to a web page or its supporting content that allows the consumer to consent to opt in:

(i) Is not part of a popup, notice, banner, or other intrusive design that obscures any part of the web page the consumer intended to visit from full view or that interferes with or impedes in any way the consumer's experience visiting or browsing the web page or website the consumer intended to visit.

(ii) Does not require or imply that the consumer must click the link to receive full functionality of any products or services, including the website.

(iii) Does not make use of any dark patterns.

(iv) Applies only to the business with which the consumer intends to interact.

(D) Strive to curb coercive or deceptive practices in response to an opt-out preference signal but should not unduly restrict businesses that are trying in good faith to comply with Section 1798.135.

(21) Review existing Insurance Code provisions and regulations relating to consumer privacy, except those relating to insurance rates or pricing, to determine whether any provisions of the Insurance Code provide greater protection to consumers than the provisions of this title. Upon completing its review, the agency shall adopt a regulation that applies only the more protective provisions of this title to insurance companies. For the purpose of clarity, the Insurance Commissioner shall have jurisdiction over insurance rates and pricing.

(22) Harmonizing the regulations governing opt-out mechanisms, notices to consumers, and other operational mechanisms in this title to promote clarity and the functionality of this title for consumers.

(b) The Attorney General may adopt additional regulations as necessary to further the purposes of this title.

(c) The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.

(d) Notwithstanding subdivision (a), the timeline for adopting final regulations required by the act adding this subdivision shall be July 1, 2022. Beginning the later of July 1, 2021, or six months after the agency provides notice to the Attorney General that it is prepared to begin rulemaking under this title, the authority assigned to the Attorney General to adopt regulations under this section shall be exercised by the California Privacy Protection Agency. Notwithstanding any other law, civil and administrative enforcement of the provisions of law added or amended by this act shall not commence until July 1, 2023, and shall only apply to violations occurring on or after that date. Enforcement of provisions of law contained in the California Consumer Privacy Act of 2018 amended by this act shall remain in effect and shall be enforceable until the same provisions of this act become enforceable.

A court or the agency shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this title:

(a) If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this title, including the disclosure of information by a business to a third party in order to avoid the definition of sell or share.

(b) If steps or transactions were taken to purposely avoid the definition of sell or share by eliminating any monetary or other valuable consideration, including by entering into contracts that do not include an exchange for monetary or other valuable consideration, but where a party is obtaining something of value or use.

Any provision of a contract or agreement of any kind, including a representative action waiver, that purports to waive or limit in any way rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable. This section shall not prevent a consumer from declining to request information from a business, declining to opt out of a business's sale of the consumer's personal information, or authorizing a business to sell or share the consumer's personal information after previously opting out.

Liberal construction of title This title shall be liberally construed to effectuate its purposes.

This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution.

(a) Subject to limitation provided in subdivision (b), and in Section 1798.199, this title shall be operative January 1, 2020.

(b) This title shall become operative only if initiative measure No. 17-0039, The Consumer Right to Privacy Act of 2018, is withdrawn from the ballot pursuant to Section 9604 of the Elections Code.

Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section.

(a) There is hereby established in state government the California Privacy Protection Agency, which is vested with full administrative power, authority, and jurisdiction to implement and enforce the California Consumer Privacy Act of 2018. The agency shall be governed by a five-member board, including the chairperson. The chairperson and one member of the board shall be appointed by the Governor. The Attorney General, Senate Rules Committee, and Speaker of the Assembly shall each appoint one member. These appointments should be made from among Californians with expertise in the areas of privacy, technology, and consumer rights.

(b) The initial appointments to the agency shall be made within 90 days of the effective date of the act adding this section.

Members of the agency board shall:

(a) Have qualifications, experience, and skills, in particular in the areas of privacy and technology, required to perform the duties of the agency and exercise its powers.

(b) Maintain the confidentiality of information which has come to their knowledge in the course of the performance of their tasks or exercise of their powers, except to the extent that disclosure is required by the Public Records Act.

(c) Remain free from external influence, whether direct or indirect, and shall neither seek nor take instructions from another.

(d) Refrain from any action incompatible with their duties and engaging in any incompatible occupation, whether gainful or not, during their term.

(e) Have the right of access to all information made available by the agency to the chairperson.

(f) Be precluded, for a period of one year after leaving office, from accepting employment with a business that was subject to an enforcement action or civil action under this title during the member's tenure or during the five-year period preceding the member's appointment.

(g) Be precluded for a period of two years after leaving office from acting, for compensation, as an agent or attorney for, or otherwise representing, any other person in a matter pending before the agency if the purpose is to influence an action of the agency.

Members of the agency board, including the chairperson, shall serve at the pleasure of their appointing authority but shall serve for no longer than eight consecutive years.

The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees.

The agency board shall appoint an executive director who shall act in accordance with agency policies and regulations and with applicable law. The agency shall appoint and discharge officers, counsel, and employees, consistent with applicable civil service laws, and shall fix the compensation of employees and prescribe their duties. The agency may contract for services that cannot be provided by its employees.

The agency board may delegate authority to the chairperson or the executive director to act in the name of the agency between meetings of the agency, except with respect to resolution of enforcement actions and rulemaking authority.

The agency shall perform the following functions:

(a) Administer, implement, and enforce through administrative actions this title.

(b) On and after the later of July 1, 2021, or within six months of the agency providing the Attorney General with notice that it is prepared to assume rulemaking responsibilities under this title, adopt, amend, and rescind regulations pursuant to Section 1798.185 to carry out the purposes and provisions of the California Consumer Privacy Act of 2018, including regulations specifying recordkeeping requirements for businesses to ensure compliance with this title.

(c) Through the implementation of this title, protect the fundamental privacy rights of natural persons with respect to the use of their personal information.

(d) Promote public awareness and understanding of the risks, rules, responsibilities, safeguards, and rights in relation to the collection, use, sale, and disclosure of personal information, including the rights of minors with respect to their own information, and provide a public report summarizing the risk assessments filed with the agency pursuant to paragraph (15) of subdivision (a) of Section 1798.185 while ensuring that data security is not compromised.

(e) Provide guidance to consumers regarding their rights under this title.

(f) Provide guidance to businesses regarding their duties and responsibilities under this title and appoint a Chief Privacy Auditor to conduct audits of businesses to ensure compliance with this title pursuant to regulations adopted pursuant to paragraph (18) of subdivision (a) of Section 1798.185.

(g) Provide technical assistance and advice to the Legislature, upon request, with respect to privacy-related legislation.

(h) Monitor relevant developments relating to the protection of personal information and, in particular, the development of information and communication technologies and commercial practices.

(i) Cooperate with other agencies with jurisdiction over privacy laws and with data processing authorities in California, other states, territories, and countries to ensure consistent application of privacy protections.

(j) Establish a mechanism pursuant to which persons doing business in California that do not meet the definition of business set forth in paragraph (1), (2), or (3) of subdivision (d) of Section 1798.140 may voluntarily certify that they are in compliance with this title, as set forth in paragraph (4) of subdivision (d) of Section 1798.140, and make a list of those entities available to the public.

(k) Solicit, review, and approve applications for grants to the extent funds are available pursuant to paragraph (2) of subdivision (b) of Section 1798.160.

(l) Perform all other acts necessary or appropriate in the exercise of its power, authority, and jurisdiction and seek to balance the goals of strengthening consumer privacy while giving attention to the impact on businesses.

(a) Upon the sworn complaint of any person or on its own initiative, the agency may investigate possible violations of this title relating to any business, service provider, contractor, or person. The agency may decide not to investigate a complaint or decide to provide a business with a time period to cure the alleged violation. In making a decision not to investigate or provide more time to cure, the agency may consider the following:

(1) Lack of intent to violate this title.

(2) Voluntary efforts undertaken by the business, service provider, contractor, or person to cure the alleged violation prior to being notified by the agency of the complaint.

(b) The agency shall notify in writing the person who made the complaint of the action, if any, the agency has taken or plans to take on the complaint, together with the reasons for that action or nonaction.

No finding of probable cause to believe this title has been violated shall be made by the agency unless, at least 30 days prior to the agency's consideration of the alleged violation, the business, service provider, contractor, or person alleged to have violated this title is notified of the violation by service of process or registered mail with return receipt requested, provided with a summary of the evidence, and informed of their right to be present in person and represented by counsel at any proceeding of the agency held for the purpose of considering whether probable cause exists for believing the person violated this title. Notice to the alleged violator shall be deemed made on the date of service, the date the registered mail receipt is signed, or if the registered mail receipt is not signed, the date returned by the post office. A proceeding held for the purpose of considering probable cause shall be private unless the alleged violator files with the agency a written request that the proceeding be public.

(a) When the agency determines there is probable cause for believing this title has been violated, it shall hold a hearing to determine if a violation has or violations have occurred. Notice shall be given and the hearing conducted in accordance with the Administrative Procedure Act (Chapter 5 (commencing with Section 11500), Part 1, Division 3, Title 2, Government Code). The agency shall have all the powers granted by that chapter. If the agency determines on the basis of the hearing conducted pursuant to this subdivision that a violation or violations have occurred, it shall issue an order that may require the violator to do all or any of the following:

(1) Cease and desist violation of this title.

(2) Subject to Section 1798.155, pay an administrative fine of up to two thousand five hundred dollars ($2,500) for each violation, or up to seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers to the Consumer Privacy Fund within the General Fund of the state. When the agency determines that no violation has occurred, it shall publish a declaration so stating.

(b) If two or more persons are responsible for any violation or violations, they shall be jointly and severally liable.

Whenever the agency rejects the decision of an administrative law judge made pursuant to Section 11517 of the Government Code, the agency shall state the reasons in writing for rejecting the decision.

The agency may subpoena witnesses, compel their attendance and testimony, administer oaths and affirmations, take evidence and require by subpoena the production of any books, papers, records, or other items material to the performance of the agency's duties or exercise of its powers, including, but not limited to, its power to audit a business' compliance with this title.

No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred.

(a) The service of the probable cause hearing notice, as required by Section 1798.199.50, upon the person alleged to have violated this title shall constitute the commencement of the administrative action.

(b) If the person alleged to have violated this title engages in the fraudulent concealment of the person's acts or identity, the five-year period shall be tolled for the period of the concealment. For purposes of this subdivision, “fraudulent concealment” means the person knows of material facts related to the person's duties under this title and knowingly conceals them in performing or omitting to perform those duties for the purpose of defrauding the public of information to which it is entitled under this title.

(c) If, upon being ordered by a superior court to produce any documents sought by a subpoena in any administrative proceeding under this title, the person alleged to have violated this title fails to produce documents in response to the order by the date ordered to comply therewith, the five-year period shall be tolled for the period of the delay from the date of filing of the motion to compel until the date the documents are produced.

(a) In addition to any other available remedies, the agency may bring a civil action and obtain a judgment in superior court for the purpose of collecting any unpaid administrative fines imposed pursuant to this title after exhaustion of judicial review of the agency's action. The action may be filed as a small claims, limited civil, or unlimited civil case depending on the jurisdictional amount. The venue for this action shall be in the county where the administrative fines were imposed by the agency. In order to obtain a judgment in a proceeding under this section, the agency shall show, following the procedures and rules of evidence as applied in ordinary civil actions, all of the following:

(1) That the administrative fines were imposed following the procedures set forth in this title and implementing regulations.

(2) That the defendant or defendants in the action were notified, by actual or constructive notice, of the imposition of the administrative fines.

(3) That a demand for payment has been made by the agency and full payment has not been received.

(b) A civil action brought pursuant to subdivision (a) shall be commenced within four years after the date on which the administrative fines were imposed.

(a) If the time for judicial review of a final agency order or decision has lapsed, or if all means of judicial review of the order or decision have been exhausted, the agency may apply to the clerk of the court for a judgment to collect the administrative fines imposed by the order or decision, or the order as modified in accordance with a decision on judicial review.

(b) The application, which shall include a certified copy of the order or decision, or the order as modified in accordance with a decision on judicial review, and proof of service of the order or decision, constitutes a sufficient showing to warrant issuance of the judgment to collect the administrative fines. The clerk of the court shall enter the judgment immediately in conformity with the application.

(c) An application made pursuant to this section shall be made to the clerk of the superior court in the county where the administrative fines were imposed by the agency.

(d) A judgment entered in accordance with this section has the same force and effect as, and is subject to all the provisions of law relating to, a judgment in a civil action and may be enforced in the same manner as any other judgment of the court in which it is entered.

(e) The agency may bring an application pursuant to this section only within four years after the date on which all means of judicial review of the order or decision have been exhausted.

(f) The remedy available under this section is in addition to those available under any other law.

Any decision of the agency with respect to a complaint or administrative fine shall be subject to judicial review in an action brought by an interested party to the complaint or administrative fine and shall be subject to an abuse of discretion standard.

(a) Any business, service provider, contractor, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation and each violation involving the personal information of minor consumers, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The court may consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of the civil penalty.

(b) Any civil penalty recovered by an action brought by the Attorney General for a violation of this title, and the proceeds of any settlement of any said action, shall be deposited in the Consumer Privacy Fund.

(c) The agency shall, upon request by the Attorney General, stay an administrative action or investigation under this title to permit the Attorney General to proceed with an investigation or civil action and shall not pursue an administrative action or investigation, unless the Attorney General subsequently determines not to pursue an investigation or civil action. The agency may not limit the authority of the Attorney General to enforce this title.

(d) No civil action may be filed by the Attorney General under this section for any violation of this title after the agency has issued a decision pursuant to Section 1798.199.85 or an order pursuant to Section 1798.199.55 against that person for the same violation.

(e) This section shall not affect the private right of action provided for in Section 1798.150.

(a) There is hereby appropriated from the General Fund of the state to the agency the sum of five million dollars ($5,000,000) during the fiscal year 2020-2021, and the sum of ten million dollars ($10,000,000) adjusted for cost-of-living changes, during each fiscal year thereafter, for expenditure to support the operations of the agency pursuant to this title. The expenditure of funds under this appropriation shall be subject to the normal administrative review given to other state appropriations. The Legislature shall appropriate those additional amounts to the commission and other agencies as may be necessary to carry out the provisions of this title.

(b) The Department of Finance, in preparing the state budget and the Budget Act bill submitted to the Legislature, shall include an item for the support of this title that shall indicate all of the following:

(1) The amounts to be appropriated to other agencies to carry out their duties under this title, which amounts shall be in augmentation of the support items of those agencies.

(2) The additional amounts required to be appropriated by the Legislature to the agency to carry out the purposes of this title, as provided for in this section.

(3) In parentheses, for informational purposes, the continuing appropriation during each fiscal year of ten million dollars ($10,000,000), adjusted for cost-of-living changes made pursuant to this section.

(c) The Attorney General shall provide staff support to the agency until the agency has hired its own staff. The Attorney General shall be reimbursed by the agency for these services.

The agency and any court, as applicable, shall consider the good faith cooperation of the business, service provider, contractor, or other person in determining the amount of any administrative fine or civil penalty for a violation of this title. A business shall not be required by the agency, a court, or otherwise to pay both an administrative fine and a civil penalty for the same violation.

(a) This Chapter shall be known as the California Consumer Privacy Act Regulations. It may be cited as such and will be referred to in this Chapter as “these regulations.” These regulations govern compliance with the California Consumer Privacy Act and do not limit any other rights that consumers may have.

(b) A violation of these regulations shall constitute a violation of the CCPA and be subject to the remedies provided for therein.

Note: Authority cited: Sections 1798.175 and 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130, 1798.135, 1798.140, 1798.145, 1798.150, 1798.155, 1798.175, and 1798.185, 1798.199.40, 1798.199.45, 1798.199.50, 1798.199.55 and 1798.199.65, Civil Code.

In addition to the definitions set forth in Civil Code section 1798.140, for purposes of these

regulations:

(a) “Agency” means the California Privacy Protection Agency established by Civil Code section 1798.199.10 et seq.

(b) “Alternative Opt-out Link” means the alternative opt-out link that a business may provide instead of posting the two separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links as set forth in Civil Code section 1798.135, subdivision (a)(3), and specified in section 7015.

(c) “Attorney General” means the California Attorney General or any officer or employee of the California Department of Justice acting under the authority of the California Attorney General.

(d) “Authorized agent” means a natural person or a business entity that a consumer has authorized to act on their behalf subject to the requirements set forth in section 7063.

(e) “Categories of sources” means types or groupings of persons or entities from which a business collects personal information about consumers, described with enough particularity to provide consumers with a meaningful understanding of the type of person or entity. They may include the consumer directly, advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms,social networks, and data brokers.

(f) “Categories of third parties” means types or groupings of third parties with whom the business shares personal information, described with enough particularity to provide consumers with a meaningful understanding of the type of third party. They may include advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and data brokers.

(g) “CCPA” means the California Consumer Privacy Act of 2018, Civil Code section 1798.100 et seq.

(h) “COPPA” means the Children’s Online Privacy Protection Act, 15 U.S.C. sections 6501 to 6506 and 16 Code of Federal Regulations part 312.

(i) “Disproportionate effort” within the context of a business, service provider, contractor, or third party responding to a consumer request means the time and/or resources expended by the business, service provider, contractor, or third party to respond to the individualized request significantly outweighs the reasonably foreseeable impact to the consumer by not responding, taking into account applicable circumstances, such as the size of the business, service provider, contractor, or third party, the nature of the request, and the technical limitations impacting their ability to respond. For example, responding to a consumer request to know may require disproportionate effort when the personal information that is the subject of the request is not in a searchable or readily-accessible format, is maintained only for legal or compliance purposes, is not sold or used for any commercial purpose, and there is no reasonably foreseeable material impact to the consumer by not responding. By contrast, the impact to the consumer of denying a request to correct inaccurate information that the business uses and/or sells may outweigh the burden on the business, service provider, contractor, or third party in honoring the request when the reasonably foreseeable consequence of denying the request would be the denial of services or opportunities to the consumer. A business, service provider, contractor, or third party that has failed to put in place adequate processes and procedures to receive and process consumer requests in accordance with the CCPA and these regulations cannot claim that responding to a consumer’s request requires disproportionate effort.

(j) “Employment benefits” means retirement, health, and other benefit programs, services, or products to which consumers and their dependents or their beneficiaries receive access through the consumer’s employer.

(k) “Employment-related information” means personal information that is collected by the business about a natural person for the reasons identified in Civil Code section 1798.145, subdivision (m)(1). The collection of employment-related information, including for the purpose of administering employment benefits, shall be considered a business purpose.

(l) “Financial incentive” means a program, benefit, or other offering, including payments to consumers, for the collection, retention, sale, or sharing of personal information. Price or service differences are types of financial incentives.

(m) “First party” means a consumer-facing business with which the consumer intends and expects to interact.

(n) “Frictionless manner” means a business’s processing of an opt-out preference signal that complies with the requirements set forth in section 7025, subsection (f).

(o) “Information practices” means practices regarding the collection, use, disclosure, sale, sharing, and retention of personal information.

(p) “Nonbusiness” means a person or entity that does not meet the definition of a “business” as defined in Civil Code section 1798.140, subdivision (d). For example, non-profits and government entities are nonbusinesses because “business” is defined, among other things, to include only entities “organized or operated for the profit or financial benefit of its shareholders or other owners.”

(q) “Notice at Collection” means the notice given by a business to a consumer at or before the point at which a business collects personal information from the consumer as required by Civil Code section 1798.100, subdivisions (a) and (b), and specified in these regulations.

(r) “Notice of Right to Limit” means the notice given by a business informing consumers of their right to limit the use or disclosure of the consumer’s sensitive personal information as required by Civil Code sections 1798.121 and 1798.135 and specified in these regulations.

(s) “Notice of Right to Opt-out of Sale/Sharing” means the notice given by a business informing consumers of their right to opt-out of the sale or sharing of their personal information as required by Civil Code sections 1798.120 and 1798.135 and specified in these regulations.

(t) “Notice of Financial Incentive” means the notice given by a business explaining each financial incentive or price or service difference as required by Civil Code section 1798.125, subdivision (b), and specified in these regulations.

(u) “Opt-out preference signal” means a signal that is sent by a platform, technology, or mechanism, on behalf of the consumer, that communicates the consumer choice to optout of the sale and sharing of personal information and that complies with the requirements set forth in section 7025, subsection (b).

(v) “Price or service difference” means (1) any difference in the price or rate charged for any goods or services to any consumer related to the collection, retention, sale, or sharing of personal information, or (2) any difference in the level or quality of any goods or services offered to any consumer related to the collection, retention, sale, or sharing of personal information, including the denial of goods or services to the consumer.

(w) “Privacy policy,” as referred to in Civil Code sections 1798.130, subdivision (a)(5), and 1798.135, subdivision (c)(2), means the statement that a business shall make available to consumers describing the business’s online and offline information practices, and the rights of consumers regarding their own personal information.

(x) “Request to correct” means a consumer request that a business correct inaccurate personal information that it maintains about the consumer, pursuant to Civil Code section 1798.106.

(y) “Request to delete” means a consumer request that a business delete personal information about the consumer that the business has collected from the consumer, pursuant to Civil Code section 1798.105.

(z) “Request to know” means a consumer request that a business disclose personal information that it has collected about the consumer pursuant to Civil Code sections 1798.110 or 1798.115. It includes a request for any or all of the following:

(1) Specific pieces of personal information that a business has collected about the consumer;

(2) Categories of personal information it has collected about the consumer;

(3) Categories of sources from which the personal information is collected;

(4) Categories of personal information that the business sold or disclosed for a business purpose about the consumer;

(5) Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and

(6) The business or commercial purpose for collecting or selling personal information.

(aa) “Request to limit” means a consumer request that a business limit the use and disclosure of the consumer’s sensitive personal information, pursuant to Civil Code section 1798.121, subdivision (a).

(bb) “Request to opt-in to sale/sharing” means an action demonstrating that the consumer has consented to the business’s sale or sharing of personal information about the consumer by a parent or guardian of a consumer less than 13 years of age or by a consumer at least 13 years of age.

(cc) “Request to opt-out of sale/sharing” means a consumer request that a business neither sell nor share the consumer’s personal information to third parties, pursuant to Civil Code section 1798.120, subdivision (a).

(dd) “Right to correct” means the consumer’s right to request that a business correct inaccurate personal information that it maintains about the consumer as set forth in Civil Code section 1798.106.

(ee) “Right to delete” means the consumer’s right to request that a business delete any personal information about the consumer that the business has collected from the consumer as set forth in Civil Code section 1798.105.

(ff) “Right to know” means the consumer’s right to request that a business disclose personal information that it has collected, sold, or shared about the consumer as set forth in Civil Code sections 1798.110 and 1798.115.

(gg) “Right to limit” means the consumer’s right to request that a business limit the use and disclosure of a consumer’s sensitive personal information as set forth in Civil Code section 1798.121.

(hh) “Right to opt-out of sale/sharing” means the consumer’s right to direct a business that sells or shares personal information about the consumer to third parties to stop doing so as set forth in Civil Code section 1798.120.

(ii) “Signed” means that the written attestation, declaration, or permission has either been physically signed or provided electronically in accordance with the Uniform Electronic Transactions Act, Civil Code section 1633.1 et seq.

(jj) “Third-party identity verification service” means a security process offered by an independent third party that verifies the identity of the consumer making a request to the business. Third-party identity verification services are subject to the requirements set forth in Article 5 regarding requests to delete, requests to correct, or requests to know.

(kk) “Unstructured” as it relates to personal information means personal information that is not organized in a pre-defined manner and could not be retrieved or organized in a pre-defined manner without disproportionate effort on behalf of the business, service provider, contractor, or third party.

(ll) “Value of the consumer’s data” means the value provided to the business by the consumer’s data as calculated under section 7081.

(mm) “Verify” means to determine that the consumer making a request to delete, request to correct, or request to know is the consumer about whom the business has collected information, or if that consumer is less than 13 years of age, the consumer’s parent or legal guardian.

Note: Authority cited: Sections 1798.175 and 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130, 1798.135, 1798.140, 1798.145, 1798.150, 1798.155, 1798.175, 1798.185, 1798.199.40, 1798.199.45, 1798.199.50, 1798.199.55 and 1798.199.65, Civil Code.

(a) In accordance with Civil Code section 1798.100, subdivision (c), a business’s collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve:

(1) The purpose(s) for which the personal information was collected or processed, which shall comply with the requirements set forth in subsection (b); or

(2) Another disclosed purpose that is compatible with the context in which the personal information was collected, which shall comply with the requirements set forth in subsection (c).

(b) The purpose(s) for which the personal information was collected or processed shall be consistent with the reasonable expectations of the consumer(s) whose personal information is collected or processed. The consumer’s (or consumers’) reasonable expectations concerning the purpose for which their personal information will be collected or processed shall be based on the following:

(1) The relationship between the consumer(s) and the business. For example, if the consumer is intentionally interacting with the business on its website to purchase a good or service, the consumer likely expects that the purpose for collecting or processing the personal information is to provide that good or service. By contrast, for example, the consumer of a business’s mobile flashlight application would not expect the business to collect the consumer’s geolocation information to provide theflashlight service.

(2) The type, nature, and amount of personal information that the business seeks to collect or process. For example, if a business’s mobile communication application requests access to the consumer’s contact list in order to call a specific individual, the consumer who is providing their contact list likely expects that the purpose of the business’s use of that contact list will be to connect the consumer with the specific contact they selected. Similarly, if a business collects the consumer’s fingerprint in connection with setting up the security feature of unlocking the device using the fingerprint, the consumer likely expects that the business’s use of the consumer’s fingerprint is only for the purpose of unlocking their mobile device.

(3) The source of the personal information and the business’s method for collecting or processing it. For example, if the consumer is providing their personal information directly to the business while using the business’s product or service, the consumer likely expects that the business will use the personal information to provide that product or service. However, the consumer may not expect that the business will use that same personal information for a different product or service offered by the business or the business’s subsidiary.

(4) The specificity, explicitness, prominence, and clarity of disclosures to the consumer(s) about the purpose for collecting or processing their personal information, such as in the Notice at Collection and in the marketing materials to the consumer(s) about the business’s good or service. For example, the consumer who receives a pop-up notice that the business wants to collect the consumer’s phone number to verify their identity when they log in likely expects that the business will use their phone number for the purpose of verifying the consumer’s identity and not for marketing purposes. Similarly, the consumer may expect that a mobile application that markets itself as a service that finds gas prices near the consumer’s location will collect and use the consumer’s geolocation information for that specific purpose when they are using the service.

(5) The degree to which the involvement of service providers, contractors, third parties, or other entities in the collecting or processing of personal information is apparent to the consumer(s). For example, the consumer likely expects an online retailer’s disclosure of the consumer’s name and address to a delivery service provider in order for that service provider to deliver a purchased product, because that service provider’s involvement is apparent to the consumer. By contrast, the consumer may not expect the disclosure of personal information to a service provider if the consumer is not directly interacting with the service provider or the service provider’s role in the processing is not apparent to the consumer.

(c) Whether another disclosed purpose is compatible with the context in which the personal information was collected shall be based on the following:

(1) At the time of collection of the personal information, the reasonable expectations of the consumer(s) whose personal information is collected or processed concerning the purpose for which their personal information will be collected or processed, based on the factors set forth in subsection (b).

(2) The other disclosed purpose for which the business seeks to further collect or process the consumer’s personal information, including whether it is a business purpose listed in Civil Code section 1798.140, subdivisions (e)(1) through (e)(8).

(3) The strength of the link between subsection (c)(1) and subsection (c)(2). For example, a strong link exists between the consumer’s reasonable expectations that the personal information will be used to provide them with a requested service at the time of collection, and the use of the information to repair errors that impair the intended functionality of that requested service. This would weigh in favor of compatibility. By contrast, for example, a weak link exists between the consumer’s reasonable expectations that the personal information will be collected to provide a requested cloud storage service at the time of collection, and the use of the information to research and develop an unrelated facial recognition service.

(d) For each purpose identified in compliance with subsection (a)(1) or (a)(2), the collection, use, retention, and/or sharing of a consumer’s personal information to achieve that purpose shall be reasonably necessary and proportionate. The business’s collection, use, retention, and/or sharing of a consumer’s personal information shall also be reasonably necessary and proportionate to achieve any purpose for which the business obtains the consumer’s consent in compliance with subsection (e). Whether a business’s collection, use, retention, and/or sharing of a consumer’s personal information is reasonably necessary and proportionate to achieve the purpose identified in compliance with subsection (a)(1) or (a)(2), or any purpose for which the business obtains consent, shall be based on the following:

(1) The minimum personal information that is necessary to achieve the purpose identified in compliance with subsection (a)(1) or (a)(2), or any purpose for which the business obtains consent. For example, to complete an online purchase and send an email confirmation of the purchase to the consumer, an online retailer may need the consumer’s order information, payment and shipping information, and email address

(2) The possible negative impacts on consumers posed by the business’s collection or processing of the personal information. For example, a possible negative impact of collecting precise geolocation information is that it may reveal other sensitive personal information about the consumer, such as health information based on visits to healthcare providers.

(3) The existence of additional safeguards for the personal information to specifically address the possible negative impacts on consumers considered by the business in subsection (d)(2). For example, a business may consider encryption or automatic deletion of personal information within a specific window of time as potential safeguards.

(e) A business shall obtain the consumer’s consent in accordance with section 7004 before collecting or processing personal information for any purpose that does not meet the requirements set forth in subsection (a).

(f) A business shall not collect categories of personal information other than those disclosed in its Notice at Collection in accordance with the CCPA and section 7012. If the business intends to collect additional categories of personal information or intends to use the personal information for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected, the business shall provide a new Notice at Collection. However, any additional collecting or processing of personal information shall comply with subsection (a).

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.106, 1798.121, 1798.130, 1798.135 and 1798.185, Civil Code.

(a) Disclosures and communications to consumers shall be easy to read and understandable to consumers. For example, they shall use plain, straightforward language and avoid technical or legal jargon.

(b) Disclosures required under Article 2 shall also:

(1) Use a format that makes the disclosure readable, including on smaller screens, if applicable.

(2) Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers in California.

(3) Be reasonably accessible to consumers with disabilities. For notices provided online, the business shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference. In other contexts, the business shall provide information on how a consumer with a disability may access the policy in an alternative format.

(c) For websites, a conspicuous link required under the CCPA or these regulations shall appear in a similar manner as other similarly-posted links used by the business on its homepage(s). For example, the business shall use a font size and color that is at least the approximate size or color as other links next to it that are used by the business on its homepage(s).

(d) For mobile applications, a conspicuous link shall be included in the business’s privacy policy, which must be accessible through the mobile application’s platform page or download page. It may also be accessible through a link within the application, such as through the application’s settings menu.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130 and 1798.135, Civil Code.

(a) Except as expressly allowed by the CCPA and these regulations, businesses shall design and implement methods for submitting CCPA requests and obtaining consumer consent that incorporate the following principles:

(1) Easy to understand. The methods shall use language that is easy for consumers to read and understand. When applicable, they shall comply with the requirements for disclosures to consumers set forth in section 7003.

(2) Symmetry in choice. The path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the consumer’s ability to make a choice. Illustrative examples follow.

(A) It is not symmetrical when a business’s process for submitting a request to optout of sale/sharing requires more steps than that business’s process for a consumer to opt-in to the sale of personal information after having previously opted out. The number of steps for submitting a request to opt-out of sale/sharing is measured from when the consumer clicks on the “Do Not Sell or Share My Personal Information” link to completion of the request. The number of steps for submitting a request to opt-in to the sale of personal information is measured from the first indication by the consumer to the business of their interest to opt-in to completion of the request.

(B) A choice to opt-in to the sale of personal information that provides only the two options, “Yes” and “Ask me later,” is not equal or symmetrical because there isno option to decline the opt-in. “Ask me later” implies that the consumer has not declined but delayed the decision and that the business will continue to ask the consumer to opt-in. Framing the consumer’s options in this manner impairs the  consumer’s ability to make a choice. An equal or symmetrical choice could be between “Yes” and “No.”

(C) A website banner that provides only the two options, “Accept All” and “More Information,” or, “Accept All” and “Preferences,” when seeking the consumer’s consent to use their personal information is not equal or symmetrical because the method allows the consumer to “Accept All” in one step, but requires the consumer to take additional steps to exercise their rights over their personal information. Framing the consumer’s options in this manner impairs the consumer’s ability to make a choice. An equal or symmetrical choice could be between “Accept All” and “Decline All.”

(3) Avoid language or interactive elements that are confusing to the consumer. The methods should not use double negatives. Toggles or buttons must clearly indicate the consumer’s choice. Illustrative examples follow.

(A) Giving the choice of “Yes” or “No” next to the statement “Do Not Sell or Share My Personal Information” is a double negative and a confusing choice for a consumer.

(B) Toggles or buttons that state “on” or “off” may be confusing to a consumer and may require further clarifying language.

(C) Unintuitive placement of buttons to confirm a consumer’s choice may be confusing to the consumer. For example, it is confusing to the consumer when a business at first consistently offers choices in the order of “Yes,” then “No,” but then offers choices in the opposite order—“No,” then “Yes”—when asking the consumer something that would contravene the consumer’s expectation.

(4) Avoid choice architecture that impairs or interferes with the consumer’s ability to make a choice. Businesses should also not design their methods in a manner that would impair the consumer’s ability to exercise their choice because consent must be freely given, specific, informed, and unambiguous. Illustrative examples follow.

(A) Requiring the consumer to click through disruptive screens before they are able to submit a request to opt-out of sale/sharing is a choice architecture that impairs or interferes with the consumer’s ability to exercise their choice.

(B) Bundling choices so that the consumer is only offered the option to consent to using personal information for purposes that meet the requirements set forth in section 7002, subsection (a), together with purposes that are incompatible with the context in which the personal information was collected is a choice architecture that impairs or interferes with the consumer’s ability to make a choice. For example, a business that provides a location-based service, such as a mobile application that finds gas prices near the consumer’s location, shall not  require the consumer to consent to incompatible uses (e.g., sale of the consumer’s geolocation to data brokers) together with a reasonably necessary and proportionate use of geolocation information for providing the locationbased services, which does not require consent. This type of choice architecture does not allow consent to be freely given, specific, informed, or unambiguous because it requires the consumer to consent to incompatible uses in order to obtain the expected service. The business should provide the consumer a separate option to consent to the business’s use of personal information that does not meet the requirements set forth in section 7002, subsection (a).

(5) Easy to execute. The business shall not add unnecessary burden or friction to the process by which the consumer submits a CCPA request. Methods should be tested to ensure that they are functional and do not undermine the consumer’s choice to submit the request. Illustrative examples follow.

(A) Upon clicking the “Do Not Sell or Share My Personal Information” link, the business shall not require the consumer to search or scroll through the text of a privacy policy or similar document or webpage to locate the mechanism for submitting a request to opt-out of sale/sharing.

(B) A business that knows of, but does not remedy, circular or broken links, or nonfunctional email addresses, such as inboxes that are not monitored or have aggressive filters that screen emails from the public, may be in violation of this regulation.

(C) Businesses that require the consumer to unnecessarily wait on a webpage as the business processes the request may be in violation of this regulation.

(b) A method that does not comply with subsection (a) may be considered a dark pattern. Any agreement obtained through the use of dark patterns shall not constitute consumer consent. For example, a business that uses dark patterns to obtain consent from a consumer to sell their personal information shall be in the position of never having obtained the consumer’s consent to do so.

(c) A user interface is a dark pattern if the interface has the effect of substantially subverting or impairing user autonomy, decisionmaking, or choice. A business’s intent in designing the interface is not determinative in whether the user interface is a dark pattern, but a factor to be considered. If a business did not intend to design the user interface to subvert or impair user choice, but the business knows of and does not remedy a user interface that has that effect, the user interface may still be a dark pattern. Similarly, a business’s deliberate ignorance of the effect of its user interface may also weigh in favor of establishing a dark pattern.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.

(a) Every business that must comply with the CCPA and these regulations shall provide a privacy policy in accordance with the CCPA and section 7011.

(b) A business that controls the collection of a consumer’s personal information from a consumer shall provide a Notice at Collection in accordance with the CCPA and section 7012.

(c) Except as set forth in section 7025, subsection (g), a business that sells or shares personal information shall provide a Notice of Right to Opt-out of Sale/Sharing or the Alternative Opt-out Link in accordance with the CCPA and sections 7013 and 7015.

(d) A business that uses or discloses a consumer’s sensitive personal information for purposes other than those specified in section 7027, subsection (m), shall provide a Notice of Right to Limit or the Alternative Opt-out Link in accordance with the CCPA and sections 7014 and 7015.

(e) A business that offers a financial incentive or price or service difference shall provide a Notice of Financial Incentive in accordance with the CCPA and section 7016.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105,1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130 and 1798.135, Civil Code.

(a) The purpose of the privacy policy is to provide consumers with a comprehensive description of a business’s online and offline information practices. It shall also inform consumers about the rights they have regarding their personal information and provide any information necessary for them to exercise those rights.

(b) The privacy policy shall comply with section 7003, subsections (a) and (b).

(c) The privacy policy shall be available in a format that allows a consumer to print it out as a document.

(d) The privacy policy shall be posted online and accessible through a conspicuous link that complies with section 7003, subsections (c) and (d), using the word “privacy” on the business’s website homepage(s) or on the download or landing page of a mobile application. If the business has a California-specific description of consumers’ privacy rights on its website, then the privacy policy shall be included in that description. A business that does not operate a website shall make the privacy policy conspicuously available to consumers. A mobile application may include a link to the privacy policy in the application’s settings menu.

(e) The privacy policy shall include the following information:

(1) A comprehensive description of the business’s online and offline information practices, which includes the following:

(A) Identification of the categories of personal information the business has collected about consumers in the preceding 12 months. The categories shall be described using the specific terms set forth in Civil Code section 1798.140, subdivisions (v)(1)(A) to (K) and (ae)(1) to (2). To the extent that the business has discretion in its description, the business shall describe the category in a manner that provides consumers a meaningful understanding of the information being collected.

(B) Identification of the categories of sources from which the personal information is collected.

(C) Identification of the specific business or commercial purpose for collecting personal information from consumers. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is collected.

(D) Identification of the categories of personal information, if any, that the business has sold or shared to third parties in the preceding 12 months. If the business has not sold or shared consumers’ personal information in the preceding 12 months, the business shall disclose that fact.

(E) For each category of personal information identified in subsection (e)(1)(D), the categories of third parties to whom the information was sold or shared.

(F) Identification of the specific business or commercial purpose for selling or sharing consumers’ personal information. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is sold or shared.

(G) A statement regarding whether the business has actual knowledge that it sells or shares the personal information of consumers under 16 years of age.

(H) Identification of the categories of personal information, if any, that the business has disclosed for a business purpose to third parties in the preceding 12 months. If the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.

(I) For each category of personal information identified in subsection (e)(1)(H), the categories of third parties to whom the information was disclosed.

(J) Identification of the specific business or commercial purpose for disclosing theconsumer’s personal information. The purpose shall be described in a manner that provides consumers a meaningful understanding of why the information is disclosed.

(K) A statement regarding whether the business uses or discloses sensitive personal information for purposes other than those specified in section 7027, subsection (m).

(2) An explanation of the rights that the CCPA confers on consumers regarding their personal information, which includes all of the following:

(A) The right to know what personal information the business has collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom the business discloses personal information, and the specific pieces of personal information the business has collected about the consumer.

(B) The right to delete personal information that the business has collected from the consumer, subject to certain exceptions.

(C) The right to correct inaccurate personal information that a business maintains about a consumer.

(D) If the business sells or shares personal information, the right to opt-out of the sale or sharing of their personal information by the business.

(E) If the business uses or discloses sensitive personal information for reasons other than those set forth in section 7027, subsection (m), the right to limit the use or disclosure of sensitive personal information by the business.

(F) The right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CCPA, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their CCPA rights.

(3) An explanation of how consumers can exercise their CCPA rights and what consumers can expect from that process, which includes all of the following:

(A) An explanation of the methods by which the consumer can exercise their  CPA rights.

(B) Instructions for submitting a request under the CCPA, including any links to an online request form or portal for making such a request, if offered by the business.

(C) If the business sells or shares personal information, and is required to provide a Notice of Right to Opt-out of Sale/Sharing, the contents of the Notice of Right to Opt-out of Sale/Sharing or a link to that notice in accordance with section 7013, subsection (f).

(D) If the business uses or discloses sensitive personal information for purposes other than those specified in section 7027, subsection (m), and is required to provide a Notice of Right to Limit, the contents of the Notice of Right to Limit or a link to that notice in accordance with section 7014, subsection (f).

(E) A general description of the process the business uses to verify a consumer request to know, request to delete, and request to correct, when applicable, including any information the consumer must provide.

(F) Explanation of how an opt-out preference signal will be processed for the consumer (i.e., whether the signal applies to the device, browser, consumer account, and/or offline sales, and in what circumstances) and how the consumer can use an opt-out preference signal.

(G) If the business processes opt-out preference signals in a frictionless manner, information on how consumers can implement opt-out preference signals for the business to process in a frictionless manner.

(H) Instructions on how an authorized agent can make a request under the CCPA on the consumer’s behalf.

(I) If the business has actual knowledge that it sells the personal information of consumers under 16 years of age, a description of the processes required by sections 7070 and 7071.

(J) A contact for questions or concerns about the business’s privacy policies and information practices using a method reflecting the manner in which the business primarily interacts with the consumer.

(4) Date the privacy policy was last updated.

(5) If subject to the data reporting requirements set forth in section 7102, the information required under section 7102, or a link to that information.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130 and 1798.135, Civil Code.

(a)  The purpose of the Notice at Collection is to provide consumers with timely notice, at or before the point of collection, about the categories of personal information to be collected from them, the purposes for which the personal information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over the business’s use of their personal information. For example, upon receiving the Notice at Collection, the consumer can use the information in the notice as a tool to choose whether to engage with the business, or to direct the business not to sell or share their personal information and to limit the use and disclosure of their sensitive personal information.

(b) The Notice at Collection shall comply with section 7003, subsections (a) and (b).

(c) The Notice at Collection shall be made readily available where consumers will encounter it at or before the point of collection of any personal information. Illustrative examples follow.

(1) When a business collects consumers’ personal information online, it may post a conspicuous link to the notice on the introductory page of the business’s website and on all webpages where personal information is collected.

(2) When a business collects consumers’ personal information through a webform, it may post a conspicuous link to the notice in close proximity to the fields in which the consumer inputs their personal information, or in close proximity to the button by which the consumer submits their personal information to the business.

(3) When a business collects personal information through a mobile application, it may provide a link to the notice on the mobile application’s download page and within the application, such as through the application’s settings menu.

(4) When a business collects consumers’ personal information offline, it may include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to where the notice can be found online.

(5) When a business collects personal information over the telephone or in person, it may provide the notice orally.

(d) If a business does not give the Notice at Collection to the consumer at or before the point of collection of their personal information, the business shall not collect personal information from the consumer.

(e) A business shall include the following in its Notice at Collection:

(1) A list of the categories of personal information about consumers, including categories of sensitive personal information, to be collected. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected.

(2) The purpose(s) for which the categories of personal information, including categories of sensitive personal information, are collected and used.

(3) Whether each category of personal information identified in subsection (e)(1) is sold or shared. (4) The length of time the business intends to retain each category of personal information identified in subsection (e)(1), or if that is not possible, the criteria used to determine the period of time it will be retained.

(5) If the business sells or shares personal information, the link to the Notice of Right to Opt-out of Sale/Sharing, or in the case of offline notices, where the webpage can be found online.

(6) A link to the business’s privacy policy, or in the case of offline notices, where the privacy policy can be found online.

(f) If a business collects personal information from a consumer online, the Notice at Collection may be given to the consumer by providing a link that takes the consumer directly to the specific section of the business’s privacy policy that contains the information required in subsection

(e)(1) through (6). Directing the consumer to the beginning of the privacy policy, or to another section of the privacy policy that does not contain the required information, so that the consumer is required to scroll through other information in order to determine the categories of personal information to be collected and/or whether the business sells or shares the personal information collected, does not satisfy this standard.

(g) Third Parties that Control the Collection of Personal Information. This subsection shall not affect the first party’s obligations under the CCPA to comply with a consumer’s request to opt-out of sale/sharing.

(1) For purposes of giving Notice at Collection, more than one business may control the collection of a consumer’s personal information, and thus, have an obligation to provide a Notice at Collection in accordance with the CCPA and these regulations. For example, a first party may allow another business, acting as a third party, to control the collection of personal information from consumers browsing the first party’s website. Both the first party that allows the third parties to collect personal information via its website, as well as the third party controlling the collection of personal information, shall provide a Notice at Collection. The first party and third parties may provide a single Notice at Collection that includes the required information about their collective information practices.

(2) A business that, acting as a third party, controls the collection of personal information on another business’s physical premises, such as in a retail store or in a vehicle, shall provide a Notice at Collection in a conspicuous manner at the physical location(s) where it is collecting the personal information.

(3) Illustrative examples follow.

(A) Business F allows Business G, a third party ad network, to collect consumers’ personal information through Business F’s website. Business F may post a conspicuous link to its Notice at Collection on its homepage(s). Business G shall provide a Notice at Collection on its homepage(s) or include the required information about its information practices in Business F’s Notice at Collection.

(B) Business H, a coffee shop, allows Business I, a business providing Wi-Fi services, to collect personal information from consumers using Business I’s services on Business H’s premises. Business H may post conspicuous signage at the entrance of the store or at the point-of-sale directing consumers to where the Notice at Collection for Business H can be found online. In addition, Business I shall post its own Notice at Collection on the first webpage or other interface consumers see before connecting to the Wi-Fi services offered.

(C) Business J, a car rental business, allows Business K to collect personal information from consumers within the vehicles Business J rents to consumers. Business J may give its Notice at Collection to the consumer at the point of sale (i.e., at the rental counter) either in writing or orally. Business K may provide its own Notice at Collection within the vehicle, such as through signage on the vehicle’s dashboard directing consumers to where the notice can be found online.

(h) A business that neither collects nor controls the collection of personal information directly from the consumer does not need to provide a Notice at Collection to the consumer if it neither sells nor shares the consumer’s personal information.

(i) A data broker registered with the Attorney General pursuant to Civil Code section 1798.99.80 et seq. that collects personal information from a source other than directly from the consumer does not need to provide a Notice at Collection to the consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out of sale/sharing.

Note: Authority: Section 1798.185, Civil Code. Reference: Sections 1798.99.82, 1798.100, 1798.115, 1798.120, 1798.121, 1798.145 and 1798.185, Civil Code.

(a) The purpose of the Notice of Right to Opt-out of Sale/Sharing is to inform consumers of their right to direct a business that sells or shares their personal information to stop selling or sharing their personal information and to provide them with the opportunity to exercise that right. The purpose of the “Do Not Sell or Share My Personal Information” link is to immediately effectuate the consumer’s right to opt-out of sale/sharing, or in the alternative, direct the consumer to the Notice of Right to Opt-out of Sale/Sharing. Accordingly, clicking the business’s “Do Not Sell or Share My Personal Information” link will either have the immediate effect of opting the consumer out of the sale or sharing of personal information or lead the consumer to a webpage where the consumer can learn about and make that choice.

(b) The Notice of Right to Opt-out of Sale/Sharing shall comply with section 7003, subsections (a) and (b).

(c) The “Do Not Sell or Share My Personal Information” link shall be a conspicuous link that complies with section 7003, subsections (c) and (d) and is located at either the header or footer of the business’s internet homepage(s).

(d) In lieu of posting the “Do Not Sell or Share My Personal Information” link, a business may provide the Alternative Opt-out Link in accordance with section 7015 or process opt-out reference signals in a frictionless manner in accordance with section 7025, subsections (f) and (g). The business must still post a Notice of Right to Opt-out of Sale/Sharing in accordance with these regulations.

(e) A business that sells or shares the personal information of consumers shall provide the Notice of Right to Opt-out of Sale/Sharing to consumers as follows:

(1) A business shall post the Notice of Right to Opt-out of Sale/Sharing on the internet webpage to which the consumer is directed after clicking on the “Do Not Sell or Share My Personal Information” link. The notice shall include the information specified in subsection (f) or be a link that takes the consumer directly to the specific section of the business’s privacy policy that contains the same information. If clicking on the “Do Not Sell or Share My Personal Information” link immediately effectuates the consumer’s right to opt-out of sale/sharing or if the business processes opt-out preference signals in a frictionless manner and chooses not to post a link, the business shall provide the notice within its privacy policy.

(2) A business that does not operate a website shall establish, document, and comply with another method by which it informs consumers of their right to opt-out of sale/sharing. That method shall comply with the requirements set forth in section 7003.

(3) A business shall also provide the notice to opt-out of sale/sharing in the same manner in which it collects the personal information that it sells or shares. Illustrative examples follow.

(A) A business that sells or shares personal information that it collects in the course of interacting with consumers offline, such as in a brick-and-mortar store, shall provide notice through an offline method, e.g., on the paper forms that collect the personal information or by posting signage in the area where the personal information is collected directing consumers to where the notice can be found online.

(B) A business that sells or shares personal information that it collects over the phone shall provide notice orally during the call when the information is collected.

(f) A business shall include the following in its Notice of Right to Opt-out of Sale/Sharing:

(1) A description of the consumer’s right to opt-out of the sale or sharing of their personal information by the business; and

(2) Instructions on how the consumer can submit a request to opt-out of sale/sharing. If notice is provided online, the notice shall include the interactive form by which the consumer can submit their request to opt-out of sale/sharing online, as required by section 7026, subsection (a)(1). If the business does not operate a website, the notice shall explain the offline method by which the consumer can submit their request to opt-out of sale/sharing.

(g) A business does not need to provide a Notice of Right to Opt-out of Sale/Sharing or the “Do Not Sell or Share My Personal Information” link if:

(1) It does not sell or share personal information; and

(2) It states in its privacy policy that it does not sell or share personal information.

(h) A business shall not sell or share the personal information it collected during the time the business did not have a Notice of Right to Opt-out of Sale/Sharing posted unless it obtains the consent of the consumer.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135 and 1798.185, Civil Code.

(a) The purpose of the Notice of Right to Limit is to inform consumers of their right to limit a business’s use and disclosure of their sensitive personal information and to provide them with the opportunity to exercise that right. The purpose of the “Limit the Use of My Sensitive Personal Information” link is to immediately effectuate the consumer’s right to limit, or in the alternative, direct the consumer to the Notice of Right to Limit. Accordingly, clicking the business’s “Limit the Use of My Sensitive Personal Information” link will either have the immediate effect of limiting the use and disclosure of the consumer’s sensitive personal information or lead the consumer to a webpage where the consumer can learn about and make that choice.

(b) The Notice of Right to Limit shall comply with section 7003, subsections (a) and (b).

(c) The “Limit the Use of My Sensitive Personal Information” link shall be a conspicuous link that complies with section 7003, subsections (c) and (d), and is located at either the header or footer of the business’s internet homepage(s).

(d) In lieu of posting the “Limit the Use of My Sensitive Personal Information” link, a business may provide the Alternative Opt-out Link in accordance with section 7015. The business shall still post a Notice of Right to Limit in accordance with these regulations.

(e) A business that uses or discloses a consumer’s sensitive personal information for purposes other than those specified in section 7027, subsection (m), shall provide the Notice of Right to Limit to consumers as follows:

(1) A business shall post the Notice of Right to Limit on the internet webpage to which the consumer is directed after clicking on the “Limit the Use of My Sensitive Personal Information” link. The notice shall include the information specified in subsection (f) or be a link that takes the consumer directly to the specific section of the business’s privacy policy that contains the same information. If clicking on the “Limit the Use of My Sensitive Personal Information” link immediately effectuates the consumer’s right to limit, the business shall provide the notice within its privacy policy.

(2) A business that does not operate a website shall establish, document, and comply with another method by which it informs consumers of their right to limit. That method shall comply with the requirements set forth in section 7003.

(f) A business shall include the following in its Notice of Right to Limit:

(1) A description of the consumer’s right to limit; and

(2) Instructions on how the consumer can submit a request to limit. If notice is provided online, the notice shall include the interactive form by which the consumer can submit their request to limit online, as required by section 7027, subsection (b)(1). If the business does not operate a website, the notice shall explain the offline method by which the consumer can submit their request to limit.

(g) A business does not need to provide a Notice of Right to Limit or the “Limit the Use of My Sensitive Personal Information” link if:

(1) It only uses and discloses sensitive personal information that it collected about the consumer for the purposes specified in section 7027, subsection (m), and states so in its privacy policy; or

(2) It only collects or processes sensitive personal information without the purpose of inferring characteristics about a consumer, and states so in its privacy policy.

(h) A business shall not use or disclose sensitive personal information it collected during the time the business did not have a Notice of Right to Limit posted for purposes other than those specified in section 7027, subsection (m), unless it obtains the consent of the consumer.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.121, 1798.135 and 1798.185, Civil Code.

(a) The purpose of the Alternative Opt-out Link is to provide businesses the option of providing consumers with a single, clearly-labeled link that allows consumers to easily exercise both their right to opt-out of sale/sharing and right to limit, instead of posting the two separate “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links. The Alternative Opt-out Link shall direct the consumer to a webpage that informs them of both their right to opt-out of sale/sharing and right to limit and provides them with the opportunity to exercise both rights. 

(b) A business that chooses to use an Alternative Opt-out Link shall title the link, “Your Privacy Choices,” or, “Your California Privacy Choices,” and shall include the following opt-out icon adjacent to the title. The link shall be a conspicuous link that complies with section 7003, subsections (c) and (d), and is located at either the header or footer of the business’s internet homepage(s). The icon shall be approximately the same size as other icons used by the business in the header or footer of its webpage.

(c) The Alternative Opt-out Link shall direct the consumer to a webpage that includes the following information:

(1) A description of the consumer’s right to opt-out of sale/sharing and right to limit, which shall comply with section 7003, subsections (a) and (b); and

(2) The interactive form or mechanism by which the consumer can submit their request to opt-out of sale/sharing and their right to limit online. The method shall be easy for consumers to execute, shall require minimal steps, and shall comply with section 7004.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.121, 1798.135 and 1798.185, Civil Code.

(a) The purpose of the Notice of Financial Incentive is to explain to the consumer the material terms of a financial incentive or price or service difference the business is offering so that the consumer may make an informed decision about whether to participate. A business that does not offer a financial incentive or price or service difference is not required to provide a Notice of Financial Incentive.

(b) The Notice of Financial Incentive shall comply with section 7003, subsections (a) and (b).

(c) The Notice of Financial Incentive shall be readily available where consumers will encounter it before opting-in to the financial incentive or price or service difference. If the business offers the financial incentive or price or service difference online, the notice may be given by providing a link that takes the consumer directly to the specific section of a business’s privacy policy that contains the information required in subsection (d).

(d) A business shall include the following in its Notice of Financial Incentive:

(1) A succinct summary of the financial incentive or price or service difference offered;

(2) A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data;

(3) How the consumer can opt-in to the financial incentive or price or service difference;

(4) A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right; and

(5) An explanation of how the price or service difference is reasonably related to the value of the consumer’s data, including:

(A) A good-faith estimate of the value of the consumer’s data that forms the basis for offering the price or service difference; and

(B) A description of the method(s) the business used to calculate the value of the consumer’s data.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125 and 1798.130, Civil Code.

(a) A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to delete, requests to correct, and requests to know.

(b) A business that does not fit the description in subsection (a) shall provide two or more designated methods for submitting requests to delete, requests to correct, and requests to know. One of those methods must be a toll-free telephone number. If the business maintains an internet website, one of the methods for submitting these requests shall be through its website, such as through a webform. Other methods for submitting requests to delete, requests to correct, and requests to know may include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.

(c) A business shall consider the methods by which it primarily interacts with consumers when determining which methods to provide for submitting requests to delete, requests to correct, and requests to know. If the business interacts with consumers in person, the business shall consider providing an in-person method such as a printed form the consumer can directly submit or send by mail, a tablet or computer portal that allows the consumer to complete and submit an online form, or a telephone with which the consumer can call the business’s toll-free number.

(d) A business may use a two-step process for online requests to delete where the consumer must first, submit the request to delete and then second, separately confirm that they want their personal information deleted provided that the business otherwise complies with section 7004.

(e) If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business shall either:

(1) Treat the request as if it had been submitted in accordance with the business’s designated manner, or

(2) Provide the consumer with information on how to submit the request or remedy any deficiencies with the request, if applicable.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.130, 1798.140 and 1798.185, Civil Code.

(a) No later than 10 business days after receiving a request to delete, request to correct, or request to know, a business shall confirm receipt of the request and provide information about how the business will process the request. The information provided shall describe in general the business’s verification process and when the consumer should expect a response, except in instances where the business has already granted or denied the request. The confirmation may be given in the same manner in which the request was received. For example, if the request is made over the phone, the confirmation may be given orally during the phone call.

(b) Businesses shall respond to a request to delete, request to correct, and request to know no later than 45 calendar days after receipt of the request. The 45-day period will begin on the day that the business receives the request, regardless of time required to verify the request. If the business cannot verify the consumer within the 45-day time period, the business may deny the request. If necessary, businesses may take up to an additional 45 calendar days to respond to the consumer’s request, for a maximum total of 90 calendar days from the day the request is received, provided that the business provides the consumer with notice and an explanation of the reason that the business will take more than 45 days to respond to the request.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.130, 1798.140 and 1798.185, Civil Code.

(a) For requests to delete, if a business cannot verify the identity of the requestor pursuant to the regulations set forth in Article 5, the business may deny the request to delete. The business shall inform the requestor that their identity cannot be verified.

(b) A business shall comply with a consumer’s request to delete their personal information by:

(1) Permanently and completely erasing the personal information from its existing systems except archived or backup systems, deidentifying the personal information, or aggregating the consumer information;

(2) Notifying the business’s service providers or contractors of the need to delete from their records the consumer’s personal information that they collected pursuant to their written contract with the business, or if enabled to do so by the service provider or contractor, the business shall delete the personal information that the service provider or contractor collected pursuant to their written contract with the business;and

(3) Notifying all third parties to whom the business has sold or shared the personal information of the need to delete the consumer’s personal information unless this proves impossible or involves disproportionate effort. If a business claims that notifying some or all third parties would be impossible or would involve disproportionate effort, the business shall provide the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot notify all third parties. The business shall not simply state that notifying all third parties is impossible or would require disproportionate effort.

(c) A service provider or contractor shall, with respect to personal information that they collected pursuant to their written contract with the business and upon notification by the business, cooperate with the business in responding to a request to delete by doing all of the following:

(1) Permanently and completely erasing the personal information from its existing systems except archived or backup systems, deidentifying the personal information, aggregating the consumer information, or enabling the business to do so.

(2) To the extent that an exception applies to the deletion of personal information, deleting or enabling the business to delete the consumer’s personal information that is not subject to the exception and refraining from using the consumer’s personal information retained for any purpose other than the purpose provided for by that exception.

(3) Notifying any of its own service providers or contractors of the need to delete from their records in the same manner the consumer’s personal information that they collected pursuant to their written contract with the service provider or contractor.

(4) Notifying any other service providers, contractors, or third parties that may have accessed personal information from or through the service provider or contractor, unless the information was accessed at the direction of the business, of the need to delete the consumer’s personal information unless this proves impossible or involves disproportionate effort.

(d) If a business, service provider, or contractor stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or is next accessed or used for a sale, disclosure, or commercial purpose.

(e) In responding to a request to delete, a business shall inform the consumer whether it has complied with the consumer’s request. The business shall also inform the consumer that it will maintain a record of the request as required by section 7101, subsection (a). A business, service provider, contractor, or third party may retain a record of the request for the purpose of ensuring that the consumer’s personal information remains deleted from its records.

(f) In cases where a business denies a consumer’s request to delete in whole or in part, the business shall do all of the following:

(1) Provide to the consumer a detailed explanation of the basis for the denial, including any conflict with federal or state law, exception to the CCPA, or factual basis for contending that compliance would be impossible or involve disproportionate effort, unless prohibited from doing so by law.

(2) Delete the consumer’s personal information that is not subject to the exception.

(3) Not use the consumer’s personal information retained for any other purpose than provided for by that exception; and

(4) Instruct its service providers and contractors to delete the consumer’s personal information that is not subject to the exception and to not use the consumer’s personal information retained for any purpose other than the purpose provided for by that exception.

(g) If a business that denies a consumer’s request to delete sells or shares personal information and the consumer has not already made a request to opt-out of sale/sharing, the business shall ask the consumer if they would like to opt-out of the sale or sharing of their personal information and shall include either the contents of, or a link to, the Notice of Right to Opt-out of Sale/Sharing in accordance with section 7013.

(h) In responding to a request to delete, a business may present the consumer with the choice to delete select portions of their personal information as long as a single option to delete all personal information is also offered. A business that provides consumers the ability to delete select categories of personal information in other contexts (e.g., purchase history, browsing history, voice recordings), however, must inform consumers of their ability to do so and direct them to how they can do so. For example, a business may provide the consumer with a link to a support page or other resource that explains consumers’ data deletion options.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.105, 1798.130 and 1798.185, Civil Code.

(a) For requests to correct, if a business cannot verify the identity of the requestor pursuant to the regulations set forth in Article 5, the business may deny the request to correct. The business shall inform the requestor that their identity cannot be verified.

(b) In determining the accuracy of the personal information that is the subject of a consumer’s request to correct, the business shall consider the totality of the circumstances relating to the contested personal information. A business may deny a consumer’s request to correct if it determines that the contested personal information is more likely than not accurate based on the totality of the circumstances.

(1) Considering the totality of the circumstances includes, but is not limited to, considering:

(A) The nature of the personal information (e.g., whether it is objective, subjective, unstructured, sensitive, etc.).

(B) How the business obtained the contested information.

(C) Documentation relating to the accuracy of the information whether provided by the consumer, the business, or another source. Requirements regarding documentation are set forth in subsection (d).

(2) If the business is not the source of the personal information and has no documentation in support of the accuracy of the information, the consumer’s assertion of inaccuracy may be sufficient to establish that the personal information is inaccurate.

(c) A business that complies with a consumer’s request to correct shall correct the personal information at issue on its existing systems. The business shall also instruct all service providers and contractors that maintain the personal information at issue pursuant to their written contract with the business to make the necessary corrections in their respective systems. Service providers and contractors shall comply with the business’s instructions to correct the personal information or enable the business to make the corrections. If a business, service provider, or contractor stores any personal information that is the subject of the request to correct on archived or backup systems, it may delay compliance with the consumer’s request to correct, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or is next accessed or used.

(d) Documentation.

(1) A business shall accept, review, and consider any documentation that the consumer provides in connection with their right to correct whether provided voluntarily or as required by the business. Consumers should make a good-faith effort to provide businesses with all necessary information available at the time of the request.

(2) A business may require the consumer to provide documentation if necessary to rebut its own documentation that the personal information is accurate. In determining the necessity of the documentation requested, the business shall consider the following:

(A) The nature of the personal information at issue (e.g., whether it is objective, subjective, unstructured, sensitive, etc.).

(B) The nature of the documentation upon which the business considers the personal information to be accurate (e.g., whether the documentation is from a trusted source, whether the documentation is verifiable, etc.)

(C) The purpose for which the business collects, maintains, or uses the personal information. For example, if the personal information is essential to the functioning of the business, the business may require more documentation.

(D) The impact on the consumer. For example, if the personal information has a negative impact on the consumer, the business may require less documentation.

(3) Any documentation provided by the consumer in connection with their request to correct shall only be used and/or maintained by the business for the purpose of correcting the consumer’s personal information and to comply with the recordkeeping obligations under section 7101.

(4) The business shall implement and maintain reasonable security procedures and practices in maintaining any documentation relating to the consumer’s request to correct.

(e) A business may delete the contested personal information as an alternative to correcting the information if the deletion of the personal information does not negatively impact the consumer, or the consumer consents to the deletion. For example, if deleting instead of correcting inaccurate personal information would make it harder for the consumer to obtain a job, housing, credit, education, or other type of opportunity, the business shall process the request to correct or obtain the consumer’s consent to delete the information.

(f) In responding to a request to correct, a business shall inform the consumer whether it has complied with the consumer’s request. If the business denies a consumer’s request to correct in whole or in part, the business shall do the following:

(1) Explain the basis for the denial, including any conflict with federal or state law, exception to the CCPA, inadequacy in the required documentation, or contention that compliance proves impossible or involves disproportionate effort.

(2) If a business claims that complying with the consumer’s request to correct would be impossible or would involve disproportionate effort, the business shall provide the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot comply with the request. The business shall not simply state that it is impossible or would require disproportionate effort.

(3) If a business denies a consumer’s request to correct personal information collected and analyzed concerning a consumer’s health, the business shall also inform the consumer that they may provide a written statement to the business to be made part of the consumer’s record pursuant to Civil Code section 1798.185, subdivision (a)(8)(D). The business shall explain to the consumer that the written statement is limited to 250 words per alleged inaccurate piece of personal information and shall include that the consumer must request that the statement be made part of the consumer’s record. Upon receipt of such a statement, the business shall include it with the consumer’s record.

(4) If the personal information at issue can be deleted pursuant to a request to delete, inform the consumer that they can make a request to delete the personal information and provide instructions on how the consumer can make a request to delete.

(g) A business may deny a consumer’s request to correct if the business has denied the consumer’s request to correct the same alleged inaccuracy within the past six months of receiving the request. However, the business must treat the request to correct as new if the consumer provides new or additional documentation to prove that the information at issue is inaccurate.

(h) A business may deny a request to correct if it has a good-faith, reasonable, and documented belief that a request to correct is fraudulent or abusive. The business shall inform the requestor that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent or abusive.

(i) Where the business is not the source of the information that the consumer contends is inaccurate, in addition to processing the consumer’s request, the business may provide the consumer with the name of the source from which the business received the alleged inaccurate information.

(j) Upon request, a business shall disclose specific pieces of personal information that the business maintains and has collected about the consumer to allow the consumer to confirm that the business has corrected the inaccurate information that was the subject of the consumer’s request to correct. This disclosure shall not be considered a response to a request to know that is counted towards the limitation of two requests within a 12-month period as set forth in Civil Code section 1798.130, subdivision (b). With regard to a correction to a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics, a business shall not disclose this information, but may provide a way to confirm that the personal information it maintains is the same as what the consumer has provided.

(k) Whether a business, service provider, or contractor has implemented measures to ensure that personal information that is the subject of a request to correct remains corrected factors into whether that business, service provider, or contractor has complied with a consumer’s request to correct in accordance with the CCPA and these regulations. For example, a business, service provider, or contractor may supplement personal information it maintains about consumers with information obtained from a data broker. Failing to consider and address the possibility that corrected information may be overridden by inaccurate information subsequently received from a data broker may factor into whether that business, service provider, or contractor has adequately complied with a consumer’s request to correct.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.81.5, 1798.106, 1798.130 and 1798.185, Civil Code.

(a) For requests that seek the disclosure of specific pieces of information about the consumer, if a business cannot verify the identity of the person making the request pursuant to the regulations set forth in Article 5, the business shall not disclose any specific pieces of personal information to the requestor and shall inform the requestor that it cannot verify their identity. If the request is denied in whole or in part, the business shall also evaluate the consumer’s request as if it is seeking the disclosure of categories of personal information about the consumer pursuant to subsection (b).

(b) For requests that seek the disclosure of categories of personal information about the consumer, if a business cannot verify the identity of the person making the request pursuant to the regulations set forth in Article 5, the business may deny the request to disclose the categories and other information requested and shall inform the requestor that it cannot verify their identity. If the request is denied in whole or in part, the business shall provide or direct the consumer to its information practices set forth in its privacy policy.

(c) In responding to a request to know, a business is not required to search for personal information if all of the following conditions are met:

(1) The business does not maintain the personal information in a searchable or reasonably accessible format.

(2) The business maintains the personal information solely for legal or compliance purposes.

(3) The business does not sell the personal information and does not use it for any commercial purpose.

(4) The business describes to the consumer the categories of records that may contain personal information that it did not search because it meets the conditions stated above.

(d) A business shall not disclose in response to a request to know a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. The business shall, however, inform the consumer with sufficient particularity that it has collected the type of information. For example, a business shall respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.

(e) If a business denies a consumer’s verified request to know specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA, the business shall inform the requestor and explain the basis for the denial, unless prohibited from doing so by law. If the request is denied only in part, the business shall disclose the other information sought by the consumer.

(f) A business shall use reasonable security measures when transmitting personal information to the consumer.

(g) If a business maintains a password-protected account with the consumer, it may comply with a request to know by using a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to under the CCPA and these regulations, uses reasonable data security controls, and complies with the verification requirements set forth in Article 5.

(h) In response to a request to know, a business shall provide all the personal information it has collected and maintains about the consumer during the 12-month period preceding the business’s receipt of the consumer’s request. A consumer may request that the business provide personal information that the business collected beyond the 12-month period, as long as it was collected on or after January 1, 2022, and the business shall be required to provide that information unless doing so proves impossible or would involve disproportionate effort. That information shall include any personal information that the business’s service providers or contractors collected pursuant to their written contract with the business. If a business claims that providing personal information beyond the 12-month period preceding the business’s receipt of the consumer’s request would be impossible or would involve disproportionate effort, the business shall not be required to provide it as long as the business provides the consumer a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot provide personal information beyond the 12-month period. The business shall not simply state that it is impossible or would require disproportionate effort.

(i) A service provider or contractor shall provide assistance to the business in responding to a verifiable consumer request to know, including by providing the business the consumer’s personal information it has in its possession that it collected pursuant to their written contract with the business, or by enabling the business to access that personal information.

(j) In responding to a consumer’s verified request to know categories of personal information, categories of sources, and/or categories of third parties, a business shall provide an individualized response to the consumer as required by the CCPA. It shall not refer the consumer to the businesses’ information practices outlined in its privacy policy unless its response would be the same for all consumers and the privacy policy discloses all the information that is otherwise required to be in a response to a request to know such categories.

(k) In responding to a verified request to know categories of personal information, the business shall provide all of the following:

(1) The categories of personal information the business has collected about the consumer.

(2) The categories of sources from which the personal information was collected.

(3) The business or commercial purpose for which it collected or sold the personal information.

(4) The categories of third parties with whom the business shares personal information.

(5) The categories of personal information that the business sold, and for each category identified, the categories of third parties to whom it sold that particular category of personal information.

(6) The categories of personal information that the business disclosed for a business purpose, and for each category identified, the categories of third parties to whom it disclosed that particular category of personal information.

(l) A business shall identify the categories of personal information, categories of sources of personal information, and categories of third parties to whom a business sold or disclosed personal information, in a manner that provides consumers a meaningful understanding of the categories listed.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.110, 1798.115, 1798.130, 1798.140 and 1798.185, Civil Code.

(a) The purpose of an opt-out preference signal is to provide consumers with a simple and easy-to-use method by which consumers interacting with businesses online can automatically exercise their right to opt-out of sale/sharing. Through an opt-out preference signal, a consumer can opt-out of sale and sharing of their personal information with all businesses they interact with online without having to make individualized requests with each business.

(b) A business that sells or shares personal information shall process any opt-out preference signal that meets the following requirements as a valid request to opt-out of sale/sharing:

(1) The signal shall be in a format commonly used and recognized by businesses. An example would be an HTTP header field or JavaScript object.

(2) The platform, technology, or mechanism that sends the opt-out preference signal shall make clear to the consumer, whether in its configuration or in disclosures to the public, that the use of the signal is meant to have the effect of opting the consumer out of the sale and sharing of their personal information. The configuration or disclosure does not need to be tailored only to California or to refer to California.

(c) When a business that collects personal information from consumers online receives or detects an opt-out preference signal that complies with subsection (b):

(1) The business shall treat the opt-out preference signal as a valid request to opt-out of sale/sharing submitted pursuant to Civil Code section 1798.120 for that browser or device and any consumer profile associated with that browser or device, including pseudonymous profiles. If known, the business shall also treat the opt-out preference signal as a valid request to opt-out of sale/sharing for the consumer. This is not required for a business that does not sell or share personal information.

(2) The business shall not require a consumer to provide additional information beyond what is necessary to send the signal. However, a business may provide the consumer with an option to provide additional information if it will help facilitate the consumer’s request to opt-out of sale/sharing. Any information provided by the consumer shall not be used, disclosed, or retained for any purpose other than processing the request to opt-out of sale/sharing. For example, a business may give the consumer the option to provide information that identifies the consumer so that the request to opt-out of sale/sharing can apply to offline sale or sharing of personal information. However, if the consumer does not respond, the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or device and any consumer profile the business associates with that browser or device, including pseudonymous profiles.

(3) If the opt-out preference signal conflicts with a consumer’s business-specific privacy setting that allows the business to sell or share their personal information, the business shall process the opt-out preference signal as a valid request to opt-out of sale/sharing, but may notify the consumer of the conflict and provide the consumer with an opportunity to consent to the sale or sharing of their personal information. The business shall comply with section 7004 in obtaining the consumer’s consent to the sale or sharing of their personal information. If the consumer consents to the sale or sharing of their personal information, the business may ignore the opt-out preference signal for as long as the consumer is known to the business.

(4) If the opt-out preference signal conflicts with the consumer’s participation in a business’s financial incentive program that requires the consumer to consent to the sale or sharing of personal information, the business may notify the consumer that processing the opt-out preference signal as a valid request to opt-out of sale/sharing would withdraw the consumer from the financial incentive program and ask the consumer to affirm that they intend to withdraw from the financial incentive program. If the consumer affirms that they intend to withdraw from the financial incentive program, the business shall process the consumer’s request to opt-out of sale/sharing. If the business asks and the consumer does not affirm their intent to withdraw, the business may ignore the opt-out preference signal with respect to that consumer’s participation in the financial incentive program for as long as the consumer is known to the business. If the business does not ask the consumer to affirm their intent with regard to the financial incentive program, the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or device and any consumer profile the business associates with that browser or device.

(5) Where the consumer is known to the business, the business shall not interpret the absence of an opt-out preference signal after the consumer previously sent an opt-out preference signal as consent to opt-in to the sale or sharing of personal information.

(6) A business may display whether it has processed the consumer’s opt-out preference signal as a valid request to opt-out of sale/sharing on its website. For example, the business may display on its website “Opt-Out Preference Signal Honored” when a browser, device, or consumer using an opt-out preference signal visits the website, or display through a toggle or radio button that the consumer has opted out of the sale of their personal information.

(7) Illustrative examples follow.

(A) Caleb visits Business N’s website using a browser with an opt-out preference signal enabled, but he is not otherwise logged into his account and the business cannot otherwise associate Caleb’s browser with a consumer profile the business maintains. Business N collects and shares Caleb’s personal information tied to his browser identifier for cross-context behavioral advertising. Upon receiving the opt-out preference signal, Business N shall stop selling and sharing Caleb’s information linked to Caleb’s browser identifier for cross-context behavioral advertising, but it would not be able to apply the request to opt-out of the sale/sharing to Caleb’s account information because the connection between Caleb’s browser and Caleb’s account is not known to the business.

(B) Noelle has an account with Business O, an online retailer who manages consumer’s privacy choices through a settings menu. Noelle’s privacy settings default to allowing Business O to sell and share her personal information with the business’s marketing partners. Noelle enables an opt-out preference signal in her browser and then visits Business O’s website. Business O recognizes that Noelle is visiting its website because she is logged into her account. Upon receiving Noelle’s opt-out preference signal, Business O shall treat the signal as a valid request to opt-out of sale/sharing and shall apply it to her device and/or browser and also to her account and any offline sale or sharing of personal information. Business O may inform Noelle that her opt-out preference signal differs from her current privacy settings and provide her with an opportunity to consent to the sale or sharing of her personal information, but it must process the request to opt-out of sale/sharing unless Noelle instructs otherwise. Business O must also wait at least 12 months before asking Noelle to opt-in to the sale or sharing of her personal information in accordance with section 7026, subsection (k). In addition, Business O’s notification would not allow it to fall within the exception set forth in Civil Code section 1798.135, subdivision (b)(1), because it would not be complying with the requirements set forth in subsection (f).

(C) Angela also has an account with Business O and has enabled an opt-out preference signal on her browser while logged into her account. Business O applies the opt-out preference signal as a valid request to opt-out of sale/sharing not only to Angela’s current browser, but also to Angela’s account because she is known to the business while making the request. Angela later logs into her account with Business O using a different device that does not have the opt-out preference signal enabled. Business O shall not interpret the absence of the optout preference signal as consent to opt-in to the sale of personal information.

(D) Ramona participates in Business P’s financial incentive program where she receives coupons in exchange for allowing the business to pseudonymously track and share her online browsing habits with marketing partners. Ramona enables an opt-out preference signal on her browser and then visits Business P’s website. Business P knows that it is Ramona through a cookie that has been placed on her browser, but also detects the opt-out preference signal. Business P may ignore the opt-out preference signal and notify Ramona that her opt-out preference signal conflicts with her participation in the financial incentive program and ask whether she intends to withdraw from the financial incentive program. If Ramona does not affirm her intent to withdraw, Business P may ignore the optout preference signal and place Ramona on a whitelist so that Business P does not have to notify Ramona of the conflict again.

(E) Ramona clears her cookies and revisits Business P’s website with the opt-out preference signal enabled. Business P no longer knows that it is Ramona visiting its website. Business P shall honor Ramona’s opt-out preference signal as it pertains to her browser or device and any consumer profile the business associates with that browser or device.

(d) The business and the platform, technology, or mechanism that sends the opt-out preference signal shall not use, disclose, or retain any personal information collected from the consumer in connection with the sending or processing the request to opt-out of sale/sharing for any purpose other than sending or processing the opt-out preference signal.

(e) Civil Code section 1798.135, subdivisions (b)(1) and (3), provide a business the choice between (1) processing opt-out preference signals and providing the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links or the Alternative Opt-out Link; or (2) processing opt-out preference signals in a frictionless manner in accordance with these regulations and not having to provide the “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information” links or the Alternative Opt-out Link. They do not give the business the choice between posting the above-referenced links or honoring opt-out preference signals. Even if the business posts the above-referenced links, the business must still process opt-out preference signals, though it may do so in a non-frictionless manner. If a business processes opt-out preference signals in a frictionless manner in accordance with subsections (f) and (g), then it may, but is not required to, provide the above-referenced links.

(f) Except as allowed by these regulations, processing an opt-out preference signal in a frictionless manner as required by Civil Code section 1798.135, subdivision (b)(1), means that the business shall not:

(1) Charge a fee or require any valuable consideration if the consumer uses an opt-out preference signal.

(2) Change the consumer’s experience with the product or service offered by the business. For example, the consumer who uses an opt-out preference signal shall have the same experience with regard to how the business’s product or service functions compared to a consumer who does not use an opt-out preference signal.

(3) Display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal. However, a business’s display of whether the consumer visiting their website has opted out of the sale or sharing their personal information shall not be considered a violation of this regulation. The business may also provide a link to a privacy settings page, menu, or similar interface that enables the consumer to consent to the business ignoring the opt-out preference signal with respect to the business’s sale or sharing of the consumer’s personal information provided that it complies with subsections (f)(1) through (3).

(g) A business meeting the requirements of Civil Code section 1798.135, subdivision (b)(1) is not required to post the “Do Not Sell or Share My Personal Information” link or the Alternative Opt-out Link if it meets all of the following additional requirements:

(1) Processes the opt-out preference signal in a frictionless manner in accordance with the CCPA and these regulations.

(2) Includes in its privacy policy the following information:

(A) A description of the consumer’s right to opt-out of the sale or sharing of their personal information by the business;

(B) A statement that the business processes opt-out preference signals in a frictionless manner;

(C) Information on how consumers can implement opt-out preference signals for the business to process in frictionless manner; and

(D) Instructions for any other method by which the consumer may submit a request to opt-out of sale/sharing.

(3) Allows the opt-out preference signal to fully effectuate the consumer’s request to optout of sale/sharing. For example, if the business sells or shares personal information offline and needs to request from the consumer additional information that is not provided by the opt-out  reference signal in order to apply the request to opt-out of sale/sharing to offline sales and sharing of personal information, then the business has not fully effectuated the consumer’s request to opt-out of sale/sharing. Illustrative examples follow.

(A) Business Q collects consumers’ online browsing history and shares it with third parties for cross-context behavioral advertising purposes. Business Q also sells consumers’ personal information offline to marketing partners. Business Q cannot fall within the exception set forth in Civil Code section 1798.135, subdivision (b)(1), because a consumer’s opt-out preference signal would only apply to Business Q’s online sharing of personal information about the consumer’s browser or device; the consumer’s opt-out preference signal would not apply to Business Q’s offline selling of the consumer’s information because Business Q could not apply it to the offline selling without additional information provided by the consumer, i.e., the logging into an account.

(B) Business R only sells and shares personal information online for cross-context behavioral advertising purposes. Business R may use the exception set forth in Civil Code section 1798.135, subdivision (b)(1), and not post the “Do Not Sell or Share My Personal Information” link because a consumer using an opt-out preference signal would fully effectuate their right to opt-out of the sale or sharing of their personal information.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, 1798.140 and 1798.185, Civil Code.

(a) A business that sells or shares personal information shall provide two or more designated methods for submitting requests to opt-out of sale/sharing. A business shall consider the methods by which it interacts with consumers, the manner in which the business collects the personal information that it makes available to third parties, available technology, and ease of use by the consumer when determining which methods consumers may use to submit requests to opt-out of sale/sharing. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer. Illustrative examples follow.

(1) A business that collects personal information from consumers online shall, at a minimum, allow consumers to submit requests to opt-out of sale/sharing through an opt-out preference signal and at least one of the following methods: an interactive form accessible via the “Do Not Sell or Share My Personal Information” link, the Alternative Opt-out Link, or the business’s privacy policy if the business processes an opt-out preference signal in a frictionless manner.

(2) A business that interacts with consumers in person and online may provide an inperson method for submitting requests to opt-out of sale/sharing in addition to the opt-out preference signal.

(3) Other methods for submitting requests to opt-out of the sale/sharing include, but are not limited to, a toll-free phone number, a designated email address, a form submitted in person, and a form submitted through the mail.

(4) A notification or tool regarding cookies, such as a cookie banner or cookie controls, is not by itself an acceptable method for submitting requests to opt-out of sale/sharing because cookies concern the collection of personal information and not the sale or sharing of personal information. An acceptable method for submitting requests to opt-out of sale/sharing must address the sale and sharing of personal information.

(b) A business’s methods for submitting requests to opt-out of sale/sharing shall be easy for consumers to execute, shall require minimal steps, and shall comply with section 7004.

(c) A business shall not require a consumer submitting a request to opt-out of sale/sharing to create an account or provide additional information beyond what is necessary to direct the business not to sell or share the consumer’s personal information.

(d) A business shall not require a verifiable consumer request for a request to opt-out of sale/sharing. A business may ask the consumer for information necessary to complete the request, such as information necessary to identify the consumer whose information shall cease to be sold or shared by the business. However, to the extent that the business can comply with a request to opt-out of sale/sharing without additional information, it shall do so.

(e) If a business has a good-faith, reasonable, and documented belief that a request to opt-out of sale/sharing is fraudulent, the business may deny the request. The business shall inform the requestor that it will not comply with the request and shall provide to the requestor an explanation why it believes the request is fraudulent.

(f) A business shall comply with a request to opt-out of sale/sharing by:

(1) Ceasing to sell to and/or share with third parties the consumer’s personal information as soon as feasibly possible, but no later than 15 business days from the date the business receives the request. Service providers or contractors collecting personal information pursuant to the written contract with the business required by the CCPA and these regulations does not constitute a sale or sharing of personal information.

(2) Notifying all third parties to whom the business has sold or shared the consumer’s personal information, after the consumer submits the request to opt-out of sale/sharing and before the business complies with that request, that the consumer has made a request to opt-out of sale/sharing and directing them to comply with the consumer’s request and forward the request to any other person to whom the third party has made the personal information available during that time period.

(g) A business may provide a means by which the consumer can confirm that their request to opt-out of sale/sharing has been processed by the business. For example, the business may display on its website “Consumer Opted Out of Sale/Sharing” or display through a toggle or radio button that the consumer has opted out of the sale/sharing of their personal information.

(h) In responding to a request to opt-out of sale/sharing, a business may present the consumer with the choice to opt-out of the sale or sharing of personal information for certain uses as long as a single option to opt-out of the sale or sharing of all personal information is also offered. However, doing so in response to an opt-out preference signal will prevent the business from using the exception set forth in Civil Code section 1798.135, subdivision (b)(1).

(i) A business that responds to a request to opt-out of sale/sharing by informing the consumer of a charge for the use of any product or service shall comply with Article 7 and shall provide the consumer with a Notice of Financial Incentive that complies with section 7016 in its response. However, doing so in response to an opt-out preference signal will prevent the business from using the exception set forth in Civil Code section 1798.135, subdivision (b)(1).

(j) A consumer may use an authorized agent to submit a request to opt-out of sale/sharing on the consumer’s behalf if the consumer provides the authorized agent written permission signed by the consumer. A business may deny a request from an authorized agent if the agent does not provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf. The requirement to obtain and provide written permission from the consumer does not apply to requests made by an opt-out preference signal.

(k) Except as allowed by these regulations, a business shall wait at least 12 months from the date of the consumer’s request before asking a consumer who has opted out of the sale or sharing of their personal information to consent to the sale or sharing of their personal information.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135, 1798.140 and 1798.185, Civil Code.

(a) The unauthorized use or disclosure of sensitive personal information creates a heightened risk of harm for the consumer. The purpose of the request to limit is to give consumers meaningful control over how their sensitive personal information is collected, used, and disclosed. It gives the consumer the ability to limit the business’s use of sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, with some narrowly tailored exceptions, which are set forth in subsection (m). Sensitive personal information that is collected or processed without the purpose of inferring characteristics about a consumer is not subject to requests to limit.

(b) A business that uses or discloses sensitive personal information for purposes other than those set forth in subsection (m) shall provide two or more designated methods for submitting requests to limit. A business shall consider the methods by which it interacts with consumers, the manner in which the business collects the sensitive personal information that it uses for purposes other than those set forth in subsection (m), available technology, and ease of use by the consumer when determining which methods consumers may use to submit requests to limit. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer. Illustrative examples follow.

(1) A business that collects sensitive personal information from consumers online shall, at a minimum, allow consumers to submit requests to limit through an interactive form accessible via the “Limit the Use of My Sensitive Personal Information” link or the Alternative Opt-out Link.

(2) A business that interacts with consumers in person and online may provide an in person method for submitting requests to limit in addition to the online form.

(3) Other methods for submitting requests to limit include, but are not limited to, a tollfree phone number, a designated email address, a form submitted in person, and a form submitted through the mail.

(4) A notification or tool regarding cookies, such as a cookie banner or cookie controls, is not by itself an acceptable method for submitting requests to limit because cookies concern the collection of personal information and not necessarily the use and disclosure of sensitive personal information. An acceptable method for submitting requests to limit must address the specific right to limit.

(c) A business’s methods for submitting requests to limit shall be easy for consumers to execute, shall require minimal steps, and shall comply with section 7004.

(d) A business shall not require a consumer submitting a request to limit to create an account or provide additional information beyond what is necessary to direct the business to limit the use or disclosure of the consumer’s sensitive personal information.

(e) A business shall not require a verifiable consumer request for a request to limit. A business may ask the consumer for information necessary to complete the request, such as information necessary to identify the consumer to whom the request should be applied. However, to the extent that the business can comply with a request to limit without additional information, it shall do so.

(f) If a business has a good-faith, reasonable, and documented belief that a request to limit is fraudulent, the business may deny the request. The business shall inform the requestor that it will not comply with the request and shall provide to the requestor an explanation why it believes the request is fraudulent.

(g) A business shall comply with a request to limit by:

(1) Ceasing to use and disclose the consumer’s sensitive personal information for purposes other than those set forth in subsection (m) as soon as feasibly possible, but no later than 15 business days from the date the business receives the request.

(2) Notifying all the business’s service providers or contractors that use or disclose the consumer’s sensitive personal information for purposes other than those set forth in subsection (m) that the consumer has made a request to limit and instructing them to comply with the consumer’s request to limit within the same time frame.

(3) Notifying all third parties to whom the business has disclosed or made available the consumer’s sensitive personal information for purposes other than those set forth in subsection (m), after the consumer submitted their request and before the business complies with that request, that the consumer has made a request to limit and direct them 1) to comply with the consumer’s request and 2) to forward the request to any other person with whom the third party has disclosed or shared the sensitive personal information during that time period.

(h) A business may provide a means by which the consumer can confirm that their request to limit has been processed by the business. For example, the business may display through a toggle or radio button that the consumer has limited the business’s use and disclosure of their sensitive personal information.

(i) In responding to a request to limit, a business may present the consumer with the choice to allow specific uses for the sensitive personal information as long as a single option to limit the use of the personal information is also offered.

(j) A consumer may use an authorized agent to submit a request to limit on the consumer’s behalf if the consumer provides the authorized agent written permission signed by the consumer. A business may deny a request from an authorized agent if the agent does not provide to the business the consumer’s signed permission demonstrating that they have been authorized by the consumer to act on the consumer’s behalf.

(k) A business that responds to a request to limit by informing the consumer of a charge for the use of any product or service shall comply with Article 7 and shall provide the consumer with a Notice of Financial Incentive that complies with section 7016 in its response.

(l) Except as allowed by these regulations, a business shall wait at least 12 months from the date the consumer’s request to limit is received before asking a consumer who has exercised their right to limit to consent to the use or disclosure of their sensitive personal information for purposes other than those set forth in subsection (m).

(m) The purposes identified in Civil Code section 1798.121, subdivision (a), for which a business may use or disclose sensitive personal information without being required to offer consumers a right to limit are as follows. A business that only uses or discloses sensitive personal information for these purposes, provided that the use or disclosure is reasonably necessary and proportionate for those purposes, is not required to post a Notice of Right to Limit or provide a method for submitting a request to limit.

(1) To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. For example, a consumer’s precise geolocation may be used by a mobile application that is providing the consumer with directions on how to get to a specific location. A consumer’s precise geolocation may not, however, be used by a gaming application where the average consumer would not expect the application to need this piece of sensitive personal information.

(2) To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information. For example, a business may disclose a consumer’s log-in information to a data security company that it has hired to investigate and remediate a data breach that involved that consumer’s account.

(3) To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions. For example, a business may use information about a consumer’s ethnicity and/or the contents of email and text messages to investigate claims of racial discrimination or hate speech.

(4) To ensure the physical safety of natural persons. For example, a business may disclose a consumer’s geolocation information to law enforcement to investigate an alleged kidnapping.

(5) For short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business. For example, a business that sells religious books can use information about its customers’ interest in its religious content to serve contextual advertising for other kinds of religious merchandise within its store or on its website, so long as the business does not use sensitive personal information to create a profile about an individual consumer or disclose personal information that reveals consumers’ religious beliefs to third parties.

(6) To perform services on behalf of the business. For example, a business may use information for maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.

(7) To verify or maintain the quality or safety of a product, service, or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by the business. For example, a car rental business may use a consumer’s driver’s license for the purpose of testing that its internal text recognition software accurately captures license information used in car rental transactions.

(8) To collect or process sensitive personal information where the collection or processing is not for the purpose of inferring characteristics about a consumer. For example, a business that includes a search box on their website by which consumers can search for articles related to their health condition may use the information provided by the consumer for the purpose of providing the search feature without inferring characteristics about the consumer.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.121, 1798.135, 1798.140 and 1798.185, Civil Code.

(a) Requests to opt-in to sale or sharing of personal information shall use a two-step opt-in process whereby the consumer shall first, clearly request to opt-in and then second, separately confirm their choice to opt-in.

(b) If a consumer who has opted-out of the sale or sharing of their personal information initiates a transaction or attempts to use a product or service that requires the sale or sharing of their personal information, the business may inform the consumer that the transaction, product, or service requires the sale or sharing of their personal information and provide instructions on how the consumer can provide consent to opt-in to the sale or sharing of their personal information. The business shall comply with section 7004 when obtaining the consumer’s consent.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135 and 1798.185, Civil Code.

(a) A service provider or contractor shall not retain, use, or disclose personal information collected pursuant to its written contract with the business except:

(1) For the specific business purpose(s) set forth in the written contract between the business and the service provider or contractor that is required by the CCPA and these regulations.

(2) To retain and employ another service provider or contractor as a subcontractor, where the subcontractor meets the requirements for a service provider or contractor under the CCPA and these regulations.

(3) For internal use by the service provider or contractor to build or improve the quality of the services it is providing to the business, even if this business purpose is not specified in the written contract required by the CCPA and these regulations, provided that the service provider or contractor does not use the personal information to perform services on behalf of another person. Illustrative examples follow.

(A) An email marketing service provider can send emails on a business’s behalf using the business’s customer email list. The service provider could analyze those customers’ interactions with the marketing emails to improve its services and offer those improved services to everyone. But the service provider cannot use the original email list to send marketing emails on behalf of another business.

(B) A shipping service provider that delivers businesses’ products to their customers may use the addresses received from their business clients and their experience delivering to those addresses to identify faulty or incomplete addresses, and thus, improve their delivery services. However, the shipping service provider cannot compile the addresses received from one business to send advertisements on behalf of another business, or compile addresses received from businesses to sell to data brokers.

(4) To prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, even if this business purpose is not specified in the written contract required by the CCPA and these regulations.

(5) For the purposes enumerated in Civil Code section 1798.145, subdivisions (a)(1) through (a)(7).

(b) A service provider or contractor cannot contract with a business to provide cross-context behavioral advertising. Pursuant to Civil Code section 1798.140, subdivision (e)(6), a service provider or contractor may contract with a business to provide advertising and marketing services, but the service provider or contractor shall not combine the personal information of consumers who have opted-out of the sale/sharing that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or collects from its own interaction with consumers. A person who contracts with a business to provide cross-context behavioral advertising is a third party and not a service provider or contractor with respect to cross-context behavioral advertising services. Illustrative examples follow.

(1) Business S, a clothing company, hires a social media company as a service provider for the purpose of providing Business S’s advertisements on the social media company’s platform. The social media company can serve Business S by providing non-personalized advertising services on its platform based on aggregated or demographic information (e.g., advertisements to women, 18-30 years old, that live in Los Angeles). However, it cannot use a list of customer email addresses provided by Business S to identify users on the social media company’s platform to serve advertisements to them.

(2) Business T, a company that sells cookware, hires an advertising company as a service provider for the purpose of advertising its services. The advertising agency can serve Business T by providing contextual advertising services, such as placing advertisements for Business T’s products on websites that post recipes and other cooking tips.

(c) If a service provider or contractor receives a request made pursuant to the CCPA directly from the consumer, the service provider or contractor shall either act on behalf of the business in accordance with the business’s instructions for responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider or contractor.

(d) A service provider or contractor that is a business shall comply with the CCPA and these regulations with regard to any personal information that it collects, maintains, or sells outside of its role as a service provider or contractor.

(e) A person who does not have a contract that complies with section 7051, subsection (a), is not a service provider or a contractor under the CCPA. For example, a business’s disclosure of personal information to a person who does not have a contract that complies with section 7051, subsection (a), may be considered a sale or sharing of personal information for which the business must provide the consumer with the right to opt-out of sale/sharing.

(f) A service provider or a contractor shall comply with the terms of the contract required by the CCPA and these regulations.

(g) Whether an entity that provides services to a nonbusiness must comply with a consumer’s CCPA request depends upon whether the entity is a “business,” as defined by Civil Code section 1798.140, subdivision (d).

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.

(a) The contract required by the CCPA for service providers and contractors shall:

(1) Prohibit the service provider or contractor from selling or sharing personal information it collects pursuant to the written contract with the business.

(2) Identify the specific business purpose(s) for which the service provider or contractor is processing personal information pursuant to the written contract with the business, and specify that the business is disclosing the personal information to the service provider or contractor only for the limited and specified business purpose(s) set forth within the contract. The business purpose(s) shall not be described in generic terms, such as referencing the entire contract generally. The description shall be specific.

(3) Prohibit the service provider or contractor from retaining, using, or disclosing the personal information that it collected pursuant to the written contract with the business for any purpose other than the business purpose(s) specified in the contract or as otherwise permitted by the CCPA and these regulations.

(4) Prohibit the service provider or contractor from retaining, using, or disclosing the personal information that it collected pursuant to the written contract with the business for any commercial purpose other than the business purpose(s) specified in the contract, unless expressly permitted by the CCPA or these regulations.

(5) Prohibit the service provider or contractor from retaining, using, or disclosing the personal information that it collected pursuant to the written contract with the business outside the direct business relationship between the service provider or contractor and the business, unless expressly permitted by the CCPA or these regulations. For example, a service provider or contractor shall be prohibited from combining or updating personal information that it collected pursuant to the written contract with the business with personal information that it received from another source or collected from its own interaction with the consumer, unless expressly permitted by the CCPA or these regulations.

(6) Require the service provider or contractor to comply with all applicable sections of the CCPA and these regulations, including—with respect to the personal information that it collected pursuant to the written contract with the business—providing the same level of privacy protection as required of businesses by the CCPA and these regulations. For example, the contract may require the service provider or contractor to cooperate with the business in responding to and complying with consumers’ requests made pursuant to the CCPA, and to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Civil Code section 1798.81.5.

(7) Grant the business the right to take reasonable and appropriate steps to ensure that the service provider or contractor uses the personal information that it collected pursuant to the written contract with the business in a manner consistent with the business’s obligations under the CCPA and these regulations. Reasonable and appropriate steps may include ongoing manual reviews and automated scans of the service provider’s system and regular internal or third-party assessments, audits, or other technical and operational testing at least once every 12 months.

(8) Require the service provider or contractor to notify the business after it makes a determination that it can no longer meet its obligations under the CCPA and these regulations.

(9) Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate the service provider or contractor’s unauthorized use of personal information. For example, the business may require the service provider or contractor to provide documentation that verifies that they no longer retain or use the personal information of consumers that have made a valid request to delete with the business.

(10) Require the service provider or contractor to enable the business to comply with consumer requests made pursuant to the CCPA or require the business to inform the service provider or contractor of any consumer request made pursuant to the CCPA that they must comply with and provide the information necessary for the service provider or contractor to comply with the request.

(b) A service provider or contractor that subcontracts with another person in providing services to the business for whom it is a service provider or contractor shall have a contract with the subcontractor that complies with the CCPA and these regulations, including subsection (a).

(c) Whether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations. For example, depending on the circumstances, a business that never enforces the terms of the contract nor exercises its rights to audit or test the service provider’s or contractor’s systems might not be able to rely on the defense that it did not have reason to believe that the service provider or contractor intends to use the personal information in violation of the CCPA and these regulations at the time the business disclosed the personal information to the service provider or contractor.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.

(a) A business that sells or shares a consumer’s personal information with a third party shall enter into an agreement with the third party that:

(1) Identifies the limited and specified purpose(s) for which the personal information is made available to the third party. The purpose(s) shall not be described in generic terms, such as referencing the entire contract generally. The description shall be specific.

(2) Specifies that the business is making the personal information available to the third party only for the limited and specified purpose(s) set forth within the contract and requires the third party to use it only for that limited and specified purpose(s).

(3) Requires the third party to comply with all applicable sections of the CCPA and these regulations, including—with respect to the personal information that the business makes available to the third party—providing the same level of privacy protection as required of businesses by the CCPA and these regulations. For example, the contract may require the third party to comply with a consumer’s request to opt-out of sale/sharing forwarded to it by a first-party business and to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Civil Code section 1798.81.5.

(4) Grants the business the right—with respect to the personal information that the business makes available to the third party—to take reasonable and appropriate steps to ensure that the third party uses it in a manner consistent with the business’s obligations under the CCPA and these regulations. For example, the business may require the third party to attest that it treats the personal information the business made available to it in the same manner that the business is obligated to treat it under the CCPA and these regulations.

(5) Grants the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information made available to the third party. For example, the business may require the third party to provide documentation that verifies that it no longer retains or uses the personal information of consumers who have had their requests to opt-out of sale/sharing forwarded to it by the first party business.

(6) Requires the third party to notify the business after it makes a determination that it can no longer meet its obligations under the CCPA and these regulations.

(b) Whether a business conducts due diligence of the third party factors into whether the business has reason to believe that the third party is using personal information in violation of the CCPA and these regulations. For example, depending on the circumstances, a business that never enforces the terms of the contract might not be able to rely on the defense that it did not have reason to believe that the third party intends to use the personal information in violation of the CCPA and these regulations at the time the business disclosed the personal information to the third party.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.

(a) A business that sells or shares a consumer's personal information with a third party shall enter into an agreement with the third party that:

(1) Identifies the limited and specified purpose(s) for which the personal information is made available to the third party. The purpose(s) shall not be described in generic terms, such as referencing the entire contract generally. The description shall be specific.

(2) Specifies that the business is making the personal information available to the third party only for the limited and specified purpose(s) set forth within the contract and requires the third party to use it only for that limited and specified purpose(s).

(3) Requires the third party to comply with all applicable sections of the CCPA and these regulations, including--with respect to the personal information that the business makes available to the third party--providing the same level of privacy protection as required of businesses by the CCPA and these regulations. For example, the contract may require the third party to comply with a consumer's request to opt-out of sale/sharing forwarded to it by a first-party business and to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Civil Code section 1798.81.5.

(4) Grants the business the right--with respect to the personal information that the business makes available to the third party--to take reasonable and appropriate steps to ensure that the third party uses it in a manner consistent with the business's obligations under the CCPA and these regulations. For example, the business may require the third party to attest that it treats the personal information the business made available to it in the same manner that the business is obligated to treat it under the CCPA and these regulations.

(5) Grants the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information made available to the third party. For example, the business may require the third party to provide documentation that verifies that it no longer retains or uses the personal information of consumers who have had their requests to opt-out of sale/sharing forwarded to it by the first party business.

(6) Requires the third party to notify the business after it makes a determination that it can no longer meet its obligations under the CCPA and these regulations.

(b) Whether a business conducts due diligence of the third party factors into whether the business has reason to believe that the third party is using personal information in violation of the CCPA and these regulations. For example, depending on the circumstances, a business that never enforces the terms of the contract might not be able to rely on the defense that it did not have reason to believe that the third party intends to use the personal information in violation of the CCPA and these regulations at the time the business disclosed the personal information to the third party.

(a) A business shall establish, document, and comply with a reasonable method for verifying that the person making a request to delete, request to correct, or request to know is the consumer about whom the business has collected information.

(b) A business shall not require a consumer to verify their identity to make a request to optout of sale/sharing or to make a request to limit. A business may ask the consumer for information necessary to complete the request; however, it shall not be burdensome on the consumer. For example, a business may ask the consumer for their name, but it shall not require the consumer to take a picture of themselves with their driver’s license.

(c) In determining the method by which the business will verify the consumer’s identity, the business shall:

(1) Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.

(2) Avoid collecting the types of personal information identified in Civil Code section 1798.81.5, subdivision (d), unless necessary for the purpose of verifying the consumer.

(3) Consider the following factors:

(A) The type, sensitivity, and value of the personal information collected and maintained about the consumer. Sensitive personal information shall warrant a more stringent verification process.

(B) The risk of harm to the consumer posed by any unauthorized deletion, correction, or access. A greater risk of harm to the consumer by unauthorized deletion, correction, or access shall warrant a more stringent verification process.

(C) The likelihood that fraudulent or malicious actors would seek the personal information. The higher the likelihood, the more stringent the verification process shall be.

(D) Whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated.

(E) The manner in which the business interacts with the consumer.

(F) Available technology for verification.

(d) A business shall generally avoid requesting additional information from the consumer for purposes of verification. If, however, the business cannot verify the identity of the consumer from the information already maintained by the business, the business may request additional information from the consumer, which shall only be used for the purposes of verifying the identity of the consumer seeking to exercise their rights under the CCPA, security, or fraud-prevention. The business shall delete any new personal information collected for the purposes of verification as soon as practical after processing the consumer’s request, except as required to comply with section 7101.

(e) A business shall not require the consumer or the consumer’s authorized agent to pay a fee for the verification of their request to delete, request to correct, or request to know. For example, a business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization.

(f) A business shall implement reasonable security measures to detect fraudulent identity verification activity and prevent the unauthorized deletion, correction, or access of a consumer’s personal information.

(g) If a business maintains consumer information that is deidentified, a business is not obligated to provide or delete this information in response to a consumer request or to reidentify individual data to verify a consumer request.

(h) For requests to correct, the business shall make an effort to verify the consumer based on personal information that is not the subject of the request to correct. For example, if the consumer is contending that the business has the wrong address for the consumer, the business shall not use address as a means of verifying the consumer’s identity.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.

(a) If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account, provided that the business follows the requirements in section 7060. The business shall also require a consumer to re-authenticate themselves before deleting, correcting, or disclosing the consumer’s data.

(b) If a business suspects fraudulent or malicious activity on or from the password-protected account, the business shall not comply with a consumer’s request to delete, request to correct, or request to know until further verification procedures determine that the consumer request is authentic and the consumer making the request is the person about whom the business has collected information. The business may use the procedures set forth in section 7062 to further verify the identity of the consumer.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.130 and 1798.185, Civil Code.

(a) If a consumer does not have or cannot access a password-protected account with a business, the business shall comply with this section, in addition to section 7060.

(b) A business’s compliance with a request to know categories of personal information requires that the business verify the identity of the consumer making the request to a reasonable degree of certainty. A reasonable degree of certainty may include matching at least two data points provided by the consumer with data points maintained by the business that it has determined to be reliable for the purpose of verifying the consumer.

(c) A business’s compliance with a request to know specific pieces of personal information requires that the business verify the identity of the consumer making the request to a reasonably high degree of certainty. A reasonably high degree of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintained by the business that it has determined to be reliable for the purpose of verifying the consumer together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. If a business uses this method for verification, the business shall maintain all signed declarations as part of its record-keeping obligations.

(d) A business’s compliance with a request to delete or a request to correct may require that the business verify the identity of the consumer to a reasonable or reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion or correction. For example, the deletion of family photographs or the correction of contact information may require a reasonably high degree of certainty, while the deletion of browsing history or correction of marital status may require only a reasonable degree of certainty. A business shall act in good faith when determining the appropriate standard to apply when verifying the consumer in accordance with these regulations.

(e) Illustrative examples follow:

(1) Example 1: If a business maintains personal information in a manner associated with a named actual person, the business may verify the consumer by requiring the consumer to provide evidence that matches the personal information maintained by the business. For example, if a retailer maintains a record of purchases made by a consumer, the business may require the consumer to identify items that they recently purchased from the store or the dollar amount of their most recent purchase to verify their identity to a reasonable degree of certainty.

(2) Example 2: If a business maintains personal information in a manner that is not associated with a named actual person, the business may verify the consumer by requiring the consumer to demonstrate that they are the sole consumer associated with the personal information. For example, a business may have a mobile application that collects personal information about the consumer but does not require an account. The business may determine whether, based on the facts and considering the factors set forth in section 7060, subsection (b)(3), it may reasonably verify a consumer by asking them to provide information that only the person who used the mobile application may know or by requiring the consumer to respond to a notification sent to their device.

(f) A business shall deny a request to know specific pieces of personal information if it cannot verify the identity of the requestor pursuant to these regulations.

(g) If there is no reasonable method by which a business can verify the identity of the consumer to the degree of certainty required by this section, the business shall state so in response to any request and explain why it has no reasonable method by which it can verify the identity of the requestor. If the business has no reasonable method by which it can verify any consumer, the business shall explain why it has no reasonable verification method in its privacy policy. The business shall evaluate and document whether a reasonable method can be established at least once every 12 months, in connection with the requirement to update the privacy policy set forth in Civil Code section 1798.130, subdivision (a)(5).

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.130 and 1798.185, Civil Code.

(a) When a consumer uses an authorized agent to submit a request to delete, request to correct, or a request to know, a business may require the authorized agent to provide proof that the consumer gave the agent signed permission to submit the request. The business may also require the consumer to do either of the following:

(1) Verify their own identity directly with the business.

(2) Directly confirm with the business that they provided the authorized agent permission to submit the request.

(b) Subsection (a) does not apply when a consumer has provided the authorized agent with power of attorney pursuant to Probate Code sections 4121 to 4130. A business shall not require power of attorney in order for a consumer to use an authorized agent to act on their behalf.

(c) An authorized agent shall implement and maintain reasonable security procedures and practices to protect the consumer’s information.

(d) An authorized agent shall not use a consumer’s personal information, or any information collected from or about the consumer, for any purposes other than to fulfill the consumer’s requests, verification, or fraud prevention.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.130 and 1798.185, Civil Code.

(a) Process for Opting-In to Sale or Sharing of Personal Information

(1) A business that has actual knowledge that it sells or shares the personal information of a consumer less than the age of 13 shall establish, document, and comply with a reasonable method for determining that the person consenting to the sale or sharing of the personal information about the child is the parent or guardian of that child. This consent to the sale or sharing of personal information is in addition to any verifiable parental consent required under COPPA.

(2) Methods that are reasonably calculated to ensure that the person providing consent is the child’s parent or guardian include, but are not limited to:

(A) Providing a consent form to be signed by the parent or guardian under penalty of perjury and returned to the business by postal mail, facsimile, or electronic scan;

(B) Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;

(C) Having a parent or guardian call a toll-free telephone number staffed by trained personnel;

(D) Having a parent or guardian connect to trained personnel via video-conference;

(E) Having a parent or guardian communicate in person with trained personnel; and

(F) Verifying a parent or guardian’s identity by checking a form of government issued identification against databases of such information, as long as the parent or guardian’s identification is deleted by the business from its records promptly after such verification is complete.

(b) When a business receives consent to the sale or sharing of personal information pursuant to subsection (a), the business shall inform the parent or guardian of the right to opt-out of sale/sharing and of the process for doing so on behalf of their child pursuant to section 7026, subsections (a)-(f).

(c) A business shall establish, document, and comply with a reasonable method, in accordance with the methods set forth in subsection (a)(2), for determining that a person submitting a request to delete, request to correct, or request to know the personal information of a child under the age of 13 is the parent or guardian of that child.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135 and 1798.185, Civil Code.

(a) A business that has actual knowledge that it sells or shares the personal information of consumers at least 13 years of age and less than 16 years of age shall establish, document, and comply with a reasonable process for allowing such consumers to opt-in to the sale or sharing of their personal information, pursuant to section 7028.

(b) When a business receives a request to opt-in to the sale or sharing of personal information from a consumer at least 13 years of age and less than 16 years of age, the business shall inform the consumer of their ongoing right to opt-out of sale/sharing at any point in the future and of the process for doing so pursuant to section 7026.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135 and 1798.185, Civil Code.

(a)  A business subject to sections 7070 and/or 7071 shall include a description of the processes set forth in those sections in its privacy policy.

(b)  A business that exclusively targets offers of goods or services directly to consumers under 16 years of age and does not sell or share the personal information without the consent of consumers at least 13 years of age and less than 16 years of age, or the consent of their parent or guardian for consumers under 13 years of age, is not required to provide the Notice of Right to Opt-out of Sale/Sharing.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.120, 1798.135 and 1798.185, Civil Code.

(a) A price or service difference is discriminatory, and therefore prohibited by Civil Code section 1798.125, if the business treats a consumer differently because the consumer exercised a right conferred by the CCPA or these regulations.

(b) A business may offer a price or service difference that is non-discriminatory. A price or service difference is non-discriminatory if it is reasonably related to the value of the consumer’s data. If a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the price or service difference.

(c) A business’s denial of a consumer’s request to delete, request to correct, request to know, or request to opt-out of sale/sharing for reasons permitted by the CCPA or these regulations shall not be considered discriminatory.

(d) Illustrative examples follow:

(1) Example 1: A music streaming business offers a free service as well as a premium service that costs $5 per month. If only the consumers who pay for the music streaming service are allowed to opt-out of the sale or sharing of their personal information, then the practice is discriminatory, unless the $5-per-month payment is reasonably related to the value of the consumer’s data to the business.

(2) Example 2: A clothing business offers a loyalty program whereby customers receive a $5-off coupon by email after spending $100 with the business. A consumer submits a request to delete all personal information the business has collected about them but also informs the business that they want to continue to participate in the loyalty program. The business may deny their request to delete with regard to their email address and the amount the consumer has spent with the business because that information is necessary for the business to provide the loyalty program requested by the consumer and is reasonably anticipated within the context of the business’s ongoing relationship with them pursuant to Civil Code section 1798.105, subdivision(d)(1).

(3) Example 3: A grocery store offers a loyalty program whereby consumers receive coupons and special discounts when they provide their phone numbers. A consumer submits a request to opt-out of the sale/sharing of their personal information. The retailer complies with their request but no longer allows the consumer to participate in the loyalty program. This practice is discriminatory unless the grocery store can demonstrate that the value of the coupons and special discounts are reasonably related to the value of the consumer’s data to the business.

(4) Example 4: An online bookseller collects information about consumers, including their email addresses. It offers coupons to consumers through browser pop-up windows while the consumer uses the bookseller’s website. A consumer submits a request to delete all personal information that the bookseller has collected about them, including their email address and their browsing and purchasing history. The bookseller complies with the request but stops providing the periodic coupons to the consumer. The bookseller’s failure to provide coupons is discriminatory unless the value of the coupons is reasonably related to the value provided to the business by the consumer’s data. The bookseller may not deny the consumer’s request to delete with regard to the email address because the email address is not necessary to provide the coupons or reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.

(e) A business shall notify consumers of any financial incentive or price or service difference subject to Civil Code section 1798.125 that it offers in accordance with section 7016.

(f) A business’s charging of a reasonable fee pursuant to Civil Code section 1798.145, subdivision (h)(3), shall not be considered a financial incentive subject to these regulations.

(g) A price or service difference that is the direct result of compliance with a state or federal law shall not be considered discriminatory.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125, 1798.130 and 1798.185, Civil Code.

(a) A business offering a price or service difference subject to Civil Code section 1798.125 shall use and document a reasonable and good-faith method for calculating the value of the consumer’s data. The business shall consider one or more of the following:

(1) The marginal value to the business of the sale, collection, or deletion of a consumer’s data.

(2) The average value to the business of the sale, collection, or deletion of a consumer’s data.

(3) The aggregate value to the business of the sale, collection, or deletion of consumers’ data divided by the total number of consumers.

(4) Revenue generated by the business from sale, collection, or retention of consumers’ personal information.

(5) Expenses related to the sale, collection, or retention of consumers’ personal information.

(6) Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference.

(7) Profit generated by the business from sale, collection, or retention of consumers’ personal information.

(8) Any other practical and reasonably reliable method of calculation used in good faith.

(b) For the purpose of calculating the value of consumer data, a business may consider the value to the business of the data of all natural persons in the United States and not just consumers.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.125, 1798.130 and 1798.185, Civil Code.

(a) All individuals responsible for handling consumer inquiries about the business’s information practices or the business’s compliance with the CCPA shall be informed of all of the requirements in the CCPA and these regulations and how to direct consumers to exercise their rights under the CCPA and these regulations.

(b) A business that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year shall establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.125, 1798.130, 1798.135 and 1798.185, Civil Code.

(a) A business shall maintain records of consumer requests made pursuant to the CCPA and how it responded to the requests for at least 24 months. The business shall implement and maintain reasonable security procedures and practices in maintaining these records.

(b) The records may be maintained in a ticket or log format provided that the ticket or log includes the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part.

(c) A business’s maintenance of the information required by this section, where that information is not used for any other purpose, does not taken alone violate the CCPA or these regulations.

(d) Information maintained for record-keeping purposes shall not be used for any other purpose except as reasonably necessary for the business to review and modify its processes for compliance with the CCPA and these regulations. Information maintained for record-keeping purposes shall not be shared with any third party except as necessary to comply with a legal obligation.

(e) Other than as required by subsection (b), a business is not required to retain personal information solely for the purpose of fulfilling a consumer request made under the CCPA.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135 and 1798.185, Civil Code.

(a) A business that knows or reasonably should know that it, alone or in combination, buys, receives for the business’s commercial purposes, sells, shares, or otherwise makes available for commercial purposes the personal information of 10,000,000 or more consumers in a calendar year shall:

(1) Compile the following metrics for the previous calendar year:

(A) The number of requests to delete that the business received, complied with in whole or in part, and denied;

(B) The number of requests to correct that the business received, complied with in whole or in part, and denied;

(C) The number of requests to know that the business received, complied with in whole or in part, and denied;

(D) The number of requests to opt-out of sale/sharing that the business received, complied with in whole or in part, and denied;

(E) The number of requests to limit that the business received, complied with in whole or in part, and denied; and

(F) The median or mean number of days within which the business substantively responded to requests to delete, requests to correct, requests to know, requests to opt-out of sale/sharing, and requests to limit.

(2) Disclose, by July 1 of every calendar year, the information compiled in subsection (a)(1) within their privacy policy or posted on their website and accessible from a link included in their privacy policy. In its disclosure, a business may choose to disclose the number of requests that it denied in whole or in part because the request was not verifiable, was not made by a consumer, called for information exempt from disclosure, or was denied on other grounds.

(b) A business may choose to compile and disclose the information required by subsection (a)(1) for requests received from all individuals, rather than requests received from consumers. The business shall state whether it has done so in its disclosure and shall, upon request, compile and provide to the Attorney General the information required by subsection (a)(1) for requests received from consumers.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135 and 1798.185, Civil Code.

(a) Requirements for filing a sworn complaint. Sworn complaints may be filed with the Enforcement Division via the electronic complaint system available on the Agency’s website at https://cppa.ca.gov/ or submitted in person or by mail to the headquarters office of the Agency.
A complaint must:

(1) Identify the business, service provider, contractor, or person who allegedly violated the CCPA;

(2) State the facts that support each alleged violation and include any documents or other evidence supporting this conclusion;

(3) Authorize the alleged violator and the Agency to communicate regarding the complaint, including disclosing the complaint and any information relating to the complaint;

(4) Include the name and current contact information of the complainant; and

(5) Be signed and submitted under penalty of perjury.

(b) The Enforcement Division will notify the complainant in writing of the action, if any, the Agency has taken or plans to take on the complaint, together with the reasons for that action or nonaction. Duplicate complaints submitted by the same complainant may be rejected without notice.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.199.45, Civil Code.

(a) The Agency may open investigations upon the sworn complaint of any person or on its own initiative. For example, the Agency may initiate investigations based upon referrals from government agencies or private organizations, and nonsworn or anonymous complaints.

(b) As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good-faith efforts to comply with those requirements.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.199.45, Civil Code.

(a) Probable Cause. Under Civil Code section 1798.199.50, probable cause exists when the evidence supports a reasonable belief that the CCPA has been violated.

(b) Probable Cause Notice. The Enforcement Division will provide the alleged violator with notice of the probable cause proceeding as required by Civil Code section 1798.199.50.

(c) Probable Cause Proceeding.

(1) The proceeding shall be closed to the public unless the alleged violator files, at least 10 business days before the proceeding, a written request for a public proceeding. If the proceeding is not open to the public, then the proceeding may be conducted in whole or in part by telephone or videoconference.

(2) The Agency shall conduct the proceeding informally. Only the alleged violator(s), their legal counsel, and the Enforcement Division shall have the right to participate at the proceeding. The Agency shall determine whether there is probable cause based on the probable cause notice and any information or arguments presented at the probable cause proceeding by the parties.

(3) If the alleged violator(s) fails to participate or appear at the probable cause proceeding, the alleged violator(s) waives the right to further probable cause proceedings under Civil Code section 1798.199.50, and the Agency shall determine whether there is probable cause based on the notice and any information or arguments provided by the Enforcement Division.

(d) Probable Cause Determination. The Agency shall issue a written decision with its probable cause determination and serve it on the alleged violator electronically or by mail. The Agency’s probable cause determination is final and not subject to appeal.

(e) Notices of probable cause and probable cause determinations shall not be open to the public nor admissible in evidence in any action or special proceeding other than one enforcing the CCPA.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Section 1798.199.50, Civil Code.

(a) At any time before or during an administrative hearing and in lieu of such a hearing, the Head of Enforcement and the alleged violator may stipulate to the entry of a final order. If a stipulation has been agreed upon and the scheduled date of the hearing is set to occur before the next Board meeting, the Enforcement Division will apply for a continuance of the hearing.

(b) The final order must be approved by the Board, which may consider the matter in closed session.

(c) The stipulated final order shall be public and have the force of an order of the Board.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.199.35 and 1798.199.55, Civil Code.

(a) Scope. The Agency may audit a business, service provider, contractor, or person to ensure compliance with any provision of the CCPA.

(b) Criteria for Selection. The Agency may conduct an audit to investigate possible violations of the CCPA. Alternatively, the Agency may conduct an audit if the subject’s collection or processing of personal information presents significant risk to consumer privacy or security, or if the subject has a history of noncompliance with the CCPA or any other privacy protection law.

(c) Audits may be announced or unannounced as determined by the Agency.

(d) Failure to Cooperate. A subject’s failure to cooperate during the Agency’s audit may result in the Agency issuing a subpoena, seeking a warrant, or otherwise exercising its powers to ensure compliance with the CCPA.

(e) Protection of Personal Information. Consumer personal information disclosed to the Agency during an audit shall be maintained in compliance with the Information Practices Act of 1977, Civil Code section 1798, et seq.

Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.185, 1798.199.40 and 1798.199.65, Civil Code; Section 11180, Government Code.

The Political Reform Act (Government Code Section 81000, et seq.) requires state and local government agencies to adopt and promulgate conflict of interest codes. The Fair Political Practices Commission has adopted a regulation (2 California Code of Regulations Section 18730), that contains the terms of a standard conflict of interest code which can be incorporated by reference in an agency’s code. After public notice and hearing, the standard code may be amended by the Fair Political Practices Commission to conform to amendments in the Political Reform Act. Therefore, the terms of 2 California Code of Regulations Section 18730 and any amendments to it duly adopted by the Fair Political Practices Commission are hereby incorporated by reference into the Conflict of Interest Code for the California Privacy Protection Agency. This regulation and the attached Appendices, designating positions, and establishing disclosure requirement categories, shall constitute the Conflict of Interest code of the California

Privacy Protection Agency (CPPA). The statement of economic interests for the CPPA Board Members and the Executive Director shall be filed electronically with the Fair Political Practices Commission. All other individuals holding designated positions shall file their statements with the CPPA. All statements must be made available for public inspection and reproduction (Gov. Code Sec. 81008).

Designated Positions Disclosure Category

California Privacy Protection Agency Board Members 1

Executive Director 1

Chief Privacy Auditor 1

Attorney (all levels) 1

Deputy Director of Administration 2

Consultants / New Positions *

* Consultants/new positions shall be included in the list of designated positions and shall disclose pursuant to the broadest disclosure category in the code subject to the following limitation:

The Executive Director may determine in writing that a particular consultant or new position, although a “designated position,” is hired to perform a range of duties that is limited in scope and thus is not required to comply with the disclosure requirements described in this section. Such determination shall include a description of the consultant’s or new position’s duties and, based upon that description, a statement of the extent of disclosure requirements. The Executive Director’s determination is a public record and shall be retained for public inspection in the same manner and location as this conflict-of-interest code. (Gov. Code Sec. 81008.)

Disclosure Categories

Category 1:

Designated positions in this category shall disclose investments, business positions in business entities and income, (including receipt of gifts, loans and travel payments) and real property in the state of California.

Category 2:

Designated positions in this category shall disclose investments, business positions in business entities and income (including receipt of gifts, loans and travel payments), from sources that provide leased facilities, goods, equipment, vehicles, machinery or services, including training or consulting services of the type utilized by the California Privacy Protection Agency.

NOTE: Authority cited: Section 87300, Government Code. Reference: Sections 87300 and 87302,

Government Code; and Title 2 Code of Regulations Section 18730.

(a) The annual fee to register as a data broker is $400.00.

Note: Authority cited: Section 1798.99.87, Civil Code. Reference: Section 1798.99.82, Civil Code.

For purposes of this title:

(a) The definitions in Section 1798.140 shall apply unless otherwise specified in this title.

(b) “Authorized agent” has the same meaning as used in Chapter 1 (commencing with Section 7000) of Division 6 of Title 11 of the California Code of Regulations.

(c) “Data broker” means a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. “Data broker” does not include any of the following:

(1) An entity to the extent that it is covered by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).

(2) An entity to the extent that it is covered by the Gramm-Leach-Bliley Act (Public Law 106-102)1 and implementing regulations.

(3) An entity to the extent that it is covered by the Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).

(4) An entity, or a business associate of a covered entity, to the extent their processing of personal information is exempt under Section 1798.146. For purposes of this paragraph, “business associate” and “covered entity” have the same meanings as defined in Section 1798.146.

A fund to be known as the “Data Brokers' Registry Fund” is hereby created within the State Treasury. The fund shall be administered by the California Privacy Protection Agency. All moneys collected or received by the California Privacy Protection Agency and the Department of Justice under this title shall be deposited into the Data Brokers' Registry Fund, to be available for expenditure by the California Privacy Protection Agency, upon appropriation by the Legislature, to offset all of the following costs:

(a) The reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84.

(b) The costs incurred by the state courts and the California Privacy Protection Agency in connection with enforcing this title, as specified in Section 1798.99.82.

(c) The reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86.

(a) On or before January 31 following each year in which a business meets the definition of data broker as provided in this title, the business shall register with the California Privacy Protection Agency pursuant to the requirements of this section.

(b) In registering with the California Privacy Protection Agency, as described in subdivision (a), a data broker shall do all of the following:

(1) Pay a registration fee in an amount determined by the California Privacy Protection Agency, not to exceed the reasonable costs of establishing and maintaining the informational internet website described in Section 1798.99.84 and the reasonable costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in Section 1798.99.86. Registration fees shall be deposited in the Data Brokers' Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, and used for the purposes outlined in this paragraph.

(2) Provide the following information:

(A) The name of the data broker and its primary physical, email, and internet website addresses.

(B) The metrics compiled pursuant to paragraphs (1) and (2) of subdivision (a) of Section 1798.99.85.

(C) Whether the data broker collects the personal information of minors.

(D) Whether the data broker collects consumers' precise geolocation.

(E) Whether the data broker collects consumers' reproductive health care data.

(F) Beginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency.

(G) A link to a page on the data broker's internet website that does both of the following:

(i) Details how consumers may exercise their privacy rights by doing all of the following:

(I) Deleting personal information, as described in Section 1798.105.

(II) Correcting inaccurate personal information, as described in Section 1798.106.

(III) Learning what personal information is being collected and how to access that personal information, as described in Section 1798.110.

(IV) Learning what personal information is being sold or shared and to whom, as described in Section 1798.115.

(V) Learning how to opt out of the sale or sharing of personal information, as described in Section 1798.120.

(VI) Learning how to limit the use and disclosure of sensitive personal information, as described in Section 1798.121.

(ii) Does not make use of any dark patterns.

(H) Whether and to what extent the data broker or any of its subsidiaries is regulated by any of the following:

(i) The federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).

(ii) The Gramm-Leach-Bliley Act (Public Law 106-102)1 and implementing regulations.

(iii) The Insurance Information and Privacy Protection Act (Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code).

(iv) The Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).

(I) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.

(c) A data broker that fails to register as required by this section is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:

(1) An administrative fine of two hundred dollars ($200) for each day the data broker fails to register as required by this section.

(2) An amount equal to the fees that were due during the period it failed to register.

(3) Expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action as the court deems appropriate.

(d) A data broker required to register under this title that fails to comply with the requirements of Section 1798.99.86 is liable for administrative fines and costs in an administrative action brought by the California Privacy Protection Agency as follows:

(1) An administrative fine of two hundred dollars ($200) for each deletion request for each day the data broker fails to delete information as required by Section 1798.99.86.

(2) Reasonable expenses incurred by the California Privacy Protection Agency in the investigation and administration of the action.

(e) Any penalties, fines, fees, and expenses recovered in an action prosecuted under subdivision (c) or (d) shall be deposited in the Data Brokers' Registry Fund, created within the State Treasury pursuant to Section 1798.99.81, with the intent that they be used to fully offset costs incurred by the state courts and the California Privacy Protection Agency in connection with this title.

The California Privacy Protection Agency shall create a page on its internet website where the registration information provided by data brokers described in paragraph (2) of subdivision (b) of Section 1798.99.82 and the accessible deletion mechanism described in Section 1798.99.86 shall be accessible to the public.

(a) On or before July 1 following each calendar year in which a business meets the definition of a data broker as provided in this title, the business shall do all of the following:

(1) Compile the number of requests pursuant to subdivision (c) of Section 1798.99.86 and Sections 1798.105, 1798.110, 1798.115, 1798.120, and 1798.121 that the data broker received, complied with in whole or in part, and denied during the previous calendar year.

(2) Compile the median and the mean number of days within which the data broker substantively responded to requests pursuant to subdivision (c) of Section 1798.99.86 and Sections 1798.105, 1798.110, 1798.115, 1798.120, and 1798.121 that the data broker received during the previous calendar year.

(3) Disclose the metrics compiled pursuant to paragraphs (1) and (2) within the data broker's privacy policy posted on their internet website and accessible from a link included in the data broker's privacy policy.

(b) In its disclosure pursuant to paragraph (3) of subdivision (a) regarding requests made pursuant to subdivision (c) of Section 1798.99.86, a data broker shall disclose the number of requests that the data broker denied in whole or in part because of any of the following:

(1) The request was not verifiable.

(2) The request was not made by a consumer.

(3) The request called for information exempt from deletion.

(4) The request was denied on other grounds.

(c) In its disclosure pursuant to paragraph (3) of subdivision (a), a data broker shall, for each provision of Section 1798.145 or 1798.146 under which deletion was not required, specify the number of requests in which deletion was not required in whole, or in part, under that provision.

(a) By January 1, 2026, the California Privacy Protection Agency shall establish an accessible deletion mechanism that does all of the following:

(1) Implements and maintains reasonable security procedures and practices, including, but not limited to, administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers' personal information from unauthorized use, disclosure, access, destruction, or modification.

(2) Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor.

(3) Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2).

(4) Allows a consumer to make a request to alter a previous request made under this subdivision after at least 45 days have passed since the consumer last made a request under this subdivision.

(b) The accessible deletion mechanism established pursuant to subdivision (a) shall meet all of the following requirements:

(1) The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request.

(2) The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy-protecting ways determined by the California Privacy Protection Agency to aid in the deletion request.

(3) The accessible deletion mechanism shall allow data brokers registered with the California Privacy Protection Agency to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism unless otherwise specified in this title.

(4) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the California Privacy Protection Agency.

(5) The accessible deletion mechanism shall not charge a consumer to make a request described in paragraph (1).

(6) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers.

(7) The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities.

(8) The accessible deletion mechanism shall support the ability of a consumer's authorized agents to aid in the deletion request.

(9) The accessible deletion mechanism shall allow the consumer, or their authorized agent, to verify the status of the consumer's deletion request.

(10) The accessible deletion mechanism shall provide a description of all of the following:

(A) The deletion permitted by this section, including, but not limited to, the actions required by subdivisions (c) and (d).

(B) The process for submitting a deletion request pursuant to this section.

(C) Examples of the types of information that may be deleted.

(c)(1) Beginning August 1, 2026, a data broker shall access the accessible deletion mechanism established pursuant to subdivision (a) at least once every 45 days and do all of the following:

(A) Within 45 days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section.

(B) In cases where a data broker denies a consumer request to delete under this title because the request cannot be verified, process the request as an opt-out of the sale or sharing of the consumer's personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.

(C) Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in subparagraph (A).

(D) Direct all service providers or contractors associated with the data broker to process a request described by subparagraph (B) as an opt-out of the sale or sharing of the consumer's personal information, as provided for under Section 1798.120 and limited by Sections 1798.105, 1798.145, and 1798.146.

(2) Notwithstanding paragraph (1), a data broker shall not be required to delete a consumer's personal information if either of the following apply:

(A) It is reasonably necessary for the data broker to maintain the personal information to fulfill a purpose described in subdivision (d) of Section 1798.105.

(B) The deletion is not required pursuant to Section 1798.145 or 1798.146.

(3) Personal information described in paragraph (2) shall only be used for the purposes described in paragraph (2) and shall not be used or disclosed for any other purpose, including, but not limited to, marketing purposes.

(d)(1) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section, the data broker shall delete all personal information of the consumer at least once every 45 days pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to paragraph (2) of subdivision (c).

(2) Beginning August 1, 2026, after a consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section, the data broker shall not sell or share new personal information of the consumer unless the consumer requests otherwise or selling or sharing the personal information is permitted under Section 1798.145 or 1798.146.

(e)(1) Beginning January 1, 2028, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section.

(2) For an audit completed pursuant to paragraph (1), the data broker shall submit a report resulting from the audit and any related materials to the California Privacy Protection Agency within five business days of a written request from the California Privacy Protection Agency.

(3) A data broker shall maintain the report and materials described in paragraph (2) for at least six years.

(f)(1) The California Privacy Protection Agency may charge an access fee to a data broker when the data broker accesses the accessible deletion mechanism pursuant to subdivision (c) that does not exceed the reasonable costs of providing that access.

(2) A fee collected by the California Privacy Protection Agency pursuant to paragraph (1) shall be deposited in the Data Brokers' Registry Fund.

(a) Except as provided in subdivision (b), the California Privacy Protection Agency may adopt regulations pursuant to the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement and administer this title.

(b) Notwithstanding subdivision (a), any regulation adopted by the California Privacy Protection Agency to establish fees authorized by this title shall be exempt from the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code).

Nothing in this title shall be construed to supersede or interfere with the operation of the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)).

No administrative action brought pursuant to this title alleging a violation of any of the provisions of this title shall be commenced more than five years after the date on which the violation occurred.

The short title of this part 13 is the “Colorado Privacy Act”.

(1) The general assembly hereby:

(a) Finds that:

(I) The people of Colorado regard their privacy as a fundamental right and an essential element of their individual freedom;

(II) Colorado's constitution explicitly provides the right to privacy under section 7 of article II, and fundamental privacy rights have long been, and continue to be, integral to protecting Coloradans and to safeguarding our democratic republic;

(III) Ongoing advances in technology have produced exponential growth in the volume and variety of personal data being generated, collected, stored, and analyzed and these advances present both promise and potential peril;

(IV) The ability to harness and use data in positive ways is driving innovation and brings beneficial technologies to society, but it has also created risks to privacy and freedom; and

(V) The unauthorized disclosure of personal information and loss of privacy can have devastating impacts ranging from financial fraud, identity theft, and unnecessary costs in personal time and finances to destruction of property, harassment, reputational damage, emotional distress, and physical harm;

(b) Determines that:

(I) Technological innovation and new uses of data can help solve societal problems and improve lives, and it is possible to build a world where technological innovation and privacy can coexist; and

(II) States across the United States are looking to this part 13 and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level; and

(c) Declares that:

(I) By enacting this part 13, Colorado will be among the states that empower consumers to protect their privacy and require companies to be responsible custodians of data as they continue to innovate;

(II) This part 13 addresses issues of statewide concern and:

(A) Provides consumers the right to access, correct, and delete personal data and the right to opt out not only of the sale of personal data but also of the collection and use of personal data;

(B) Imposes an affirmative obligation upon companies to safeguard personal data; to provide clear, understandable, and transparent information to consumers about how their personal data are used; and to strengthen compliance and accountability by requiring data protection assessments in the collection and use of personal data; and

(C) Empowers the attorney general and district attorneys to access and evaluate a company's data protection assessments, to impose penalties where violations occur, and to prevent future violations.

As used in this part 13, unless the context otherwise requires:

(1) “Adult” means an individual who is eighteen years of age or older.

(1.5)

(a) “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity.

(b) As used in subsection (1.5)(a) of this section, “control” means:

(I) Ownership of, control of, or power to vote twenty-five percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more other persons;

(II) Control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of individuals exercising similar functions; or

(III) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity as determined by the applicable prudential regulator, as that term is defined in 12 U.S.C. sec. 5481 (24), if any.

(2) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights in section 6-1-1306 (1) is being made by or on behalf of the consumer who is entitled to exercise the rights.

(2.2) “Biological data” means data generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes. “Biological data” includes neural data.

(2.4)

(a) “Biometric data” means one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with other personal data, for identification purposes.

(b) “Biometric data” does not include the following unless the biometric data is used for identification purposes:

(I) A digital or physical photograph;

(II) An audio or voice recording; or

(III) Any data generated from a digital or physical photograph or an audio or video recording.

(2.5) “Biometric identifier” means data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual. “Biometric identifier” includes:

(a) A fingerprint;

(b) A voiceprint;

(c) A scan or record of an eye retina or iris;

(d) A facial map, facial geometry, or facial template; or

(e) Other unique biological, physical, or behavioral patterns or characteristics.

(3) “Business associate” has the meaning established in 45 CFR 160.103.

(4) “Child” means an individual under thirteen years of age.

(5) “Consent” means a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following does not constitute consent:

(a) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;

(b) Hovering over, muting, pausing, or closing a given piece of content; and

(c) Agreement obtained through dark patterns.

(6) “Consumer”:

(a) Means an individual who is a Colorado resident acting only in an individual or household context; and

(b) Does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.

(7) “Controller” means a person that, alone or jointly with others, determines the purposes for and means of processing personal data.

(8) “Covered entity” has the meaning established in 45 CFR 160.103.

(9) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.

(10) “Decisions that produce legal or similarly significant effects concerning a consumer” means a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.

(11) “De-identified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data:

(a) Takes reasonable measures to ensure that the data cannot be associated with an individual;

(b) Publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and

(c) Contractually obligates any recipients of the information to comply with the requirements of this subsection (11).

(12) “Health-care facility” means any entity that is licensed, certified, or otherwise authorized or permitted by law to administer medical treatment in this state.

(13) “Health-care information” means individually identifiable information relating to the past, present, or future health status of an individual.

(14) “Health-care provider” means a person licensed, certified, or registered in this state to practice medicine, pharmacy, chiropractic, nursing, physical therapy, podiatry, dentistry, optometry, occupational therapy, or other healing arts under title 12.

(14.5) “Heightened risk of harm to minors” means processing the personal data of minors in a manner that presents a reasonably foreseeable risk that could cause:

(a) Unfair or deceptive treatment of, or unlawful disparate impact on, minors;

(b) Financial, physical, or reputational injury to minors;

(c) Unauthorized disclosure of the personal data of minors as a result of a security breach, as defined in section 6-1-716 (1)(h); or

(d) Physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if the intrusion would be offensive to a reasonable person.

(15) “HIPAA” means the federal “Health Insurance Portability and Accountability Act of 1996”, as amended, 42 U.S.C. secs. 1320d to 1320d-9.

(16) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.

(16.5) “Minor” means any consumer who is under eighteen years of age.

(16.7) “Neural data” means information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.

(16.8) “Online service, product, or feature”:

(a) Means any service, product, or feature that is provided online; and

(b) Does not include:

(I) Telecommunications service, as defined in 47 U.S.C. sec. 153 (53), as amended;

(II) Broadband internet access service, as defined in 47 CFR 54.400 (l), as amended; or

(III) The delivery or use of a physical product.

(17) “Personal data”:

(a) Means information that is linked or reasonably linkable to an identified or identifiable individual; and

(b) Does not include de-identified data or publicly available information. As used in this subsection (17)(b), “publicly available information” means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.

(17.4)

(a) “Precise geolocation data” means information derived from technology that accurately identifies the present or past location of a device that links or is linkable to an individual within a radius of one thousand eight hundred fifty feet.

(b) “Precise geolocation data” includes:

(I) Global positioning system (GPS) coordinates within a radius of one thousand eight hundred fifty feet; or

(II) Any data derived from a device and that is used or intended to be used to locate a consumer within a geographic area within a radius of one thousand eight hundred fifty feet.

(c) “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility meeting infrastructure systems or equipment for use by a utility.

(17.5) Repealed.

(18) “Process” or “processing” means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.

(19) “Processor” means a person that processes personal data on behalf of a controller.

(20) “Profiling” means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

(21) “Protected health information” has the meaning established in 45 CFR 160.103.

(22) “Pseudonymous data” means personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual.

(23)

(a) “Sale”, “sell”, or “sold” means the exchange of personal data for monetary or other valuable consideration by a controller to a third party.

(b) “Sale”, “sell”, or “sold” does not include the following:

(I) The disclosure of personal data to a processor that processes the personal data on behalf of a controller;

(II) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

(III) The disclosure or transfer of personal data to an affiliate of the controller;

(IV) The disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; or

(V) The disclosure of personal data:

(A) That a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or

(B) Intentionally made available by a consumer to the general public via a channel of mass media.

(24) “Sensitive data” means:

(a) Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;

(b) Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual;

(c) Personal data from a known child;

(d) Biological data; or

(e) Precise geolocation data.

(25) “Targeted advertising”:

(a) Means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests; and

(b) Does not include:

(I) Advertising to a consumer in response to the consumer’s request for information or feedback;

(II) Advertisements based on activities within a controller’s own websites or online applications;

(III) Advertisements based on the context of a consumer’s current search query, visit to a website, or online application; or

(IV) Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

(26) “Third party” means a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller.

(1) Except as specified in subsection (2) of this section:

(a) This part 13, other than sections 6-1-1305.5, 6-1-1308.5, and 6-1-1309.5, applies to a controller that:

(I)

(A) Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado; and

(B) Satisfies one or both of the following thresholds: controls or processes the personal data of one hundred thousand consumers or more during a calendar year; or derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of twenty-five thousand consumers or more; or

(II) Controls or processes any amount of biometric identifiers or biometric data regardless of the amount of biometric identifiers or biometric data controlled or processed annually; except that a controller that meets the qualifications of this subsection (1)(b) but does not meet the qualifications of subsection (1)(a) of this section shall comply with this part 13 only for the purposes of a biometric identifier or biometric data that the controller collects and processes;

(b) Sections 6-1-1305.5, 6-1-1308.5, and 6-1-1309.5 to 6-1-1313 apply to a controller that conducts business in Colorado or delivers commercial products or services that are intentionally targeted to residents of Colorado.

(2) This part 13 does not apply to:

(a) Protected health information that is collected, stored, and processed by a covered entity or its business associates;

(b) Health-care information that is governed by part 8 of article 1 of title 25 solely for the purpose of access to medical records;

(c) Patient identifying information, as defined in 42 CFR 2.11, that are governed by and collected and processed pursuant to 42 CFR 2, established pursuant to 42 U.S.C. sec. 290dd-2;

(d) Identifiable private information, as defined in 45 CFR 46.102, for purposes of the federal policy for the protection of human subjects pursuant to 45 CFR 46; identifiable private information that is collected as part of human subjects research pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 CFR 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the categories set forth in this subsection (2)(d);

(e) Information and documents created by a covered entity for purposes of complying with HIPAA and its implementing regulations;

(f) Patient safety work product, as defined in 42 CFR 3.20, that is created for purposes of patient safety improvement pursuant to 42 CFR 3, established pursuant to 42 U.S.C. secs. 299b-21 to 299b-26;

(g) Information that is:

(I) De-identified in accordance with the requirements for de-identification set forth in 45 CFR 164; and

(II) Derived from any of the health-care-related information described in this section;

(h) Information maintained in the same manner as information under subsections (2)(a) to (2)(g) of this section by:

(I) A covered entity or business associate;

(II) A health-care facility or health-care provider; or

(III) A program of a qualified service organization as defined in 42 CFR 2.11;

(i)

(I) Except as provided in subsection (2)(i)(II) of this section, an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by:

(A) A consumer reporting agency as defined in 15 U.S.C. sec. 1681a (f);

(B) A furnisher of information as set forth in 15 U.S.C. sec. 1681s-2 that provides information for use in a consumer report, as defined in 15 U.S.C. sec. 1681a (d); or

(C) A user of a consumer report as set forth in 15 U.S.C. sec. 1681b.

(II) This subsection (2)(i) applies only to the extent that the activity is regulated by the federal “Fair Credit Reporting Act”, 15 U.S.C. sec. 1681 et seq., as amended, and the personal data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by the federal “Fair Credit Reporting Act”, as amended.

(j) Personal data:

(I) Collected and maintained for purposes of article 22 of title 10;

(II) Collected, processed, sold, or disclosed pursuant to the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law;

(III) Collected, processed, sold, or disclosed pursuant to the federal “Driver’s Privacy Protection Act of 1994”, 18 U.S.C. sec. 2721 et seq., as amended, if the collection, processing, sale, or disclosure is regulated by that law, including implementing rules, regulations, or exemptions;

(IV) Regulated by the federal “Children’s Online Privacy Protection Act of 1998”, 15 U.S.C. secs. 6501 to 6506, as amended, if collected, processed, and maintained in compliance with that law; or

(V) Regulated by the federal “Family Educational Rights and Privacy Act of 1974”, 20 U.S.C. sec. 1232g et seq., as amended, and its implementing regulations;

(k) Data maintained for employment records purposes;

(l) An air carrier as defined in and regulated under 49 U.S.C. sec. 40101 et seq., as amended, and 49 U.S.C. sec. 41713, as amended;

(m) A national securities association registered pursuant to the federal “Securities Exchange Act of 1934”, 15 U.S.C. sec. 78o-3, as amended, or implementing regulations;

(n) Customer data maintained by a public utility as defined in section 40-1-103 (1)(a)(I) or an authority as defined in section 43-4-503 (1), if the data are not collected, maintained, disclosed, sold, communicated, or used except as authorized by state and federal law;

(o) Data maintained by a state institution of higher education, as defined in section 23-18-102 (10), the state, the judicial department of the state, or a county, city and county, or municipality if the data is collected, maintained, disclosed, communicated, and used as authorized by state and federal law for noncommercial purposes. This subsection (2)(o) does not effect any other exemption available under this part 13.

(p) Information used and disclosed in compliance with 45 CFR 164.512; or

(q) A financial institution or an affiliate of a financial institution as defined by and that is subject to the federal “Gramm-Leach-Bliley Act”, 15 U.S.C. sec. 6801 et seq., as amended, and implementing regulations, including Regulation P, 12 CFR 1016.

(3) The obligations imposed on controllers or processors under this part 13 do not:

(a) Restrict a controller’s or processor’s ability to:

(I) Comply with federal, state, or local laws, rules, or regulations;

(II) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;

(III) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local law;

(IV) Investigate, exercise, prepare for, or defend actual or anticipated legal claims;

(V) Conduct internal research to improve, repair, or develop products, services, or technology;

(VI) Identify and repair technical errors that impair existing or intended functionality;

(VII) Perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship with the controller;

(VIII) Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, or take steps at the request of the consumer prior to entering into a contract;

(IX) Protect the vital interests of the consumer or of another individual;

(X) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;

(XI) Process personal data for reasons of public interest in the area of public health, but solely to the extent that the processing:

(A) Is subject to suitable and specific measures to safeguard the rights of the consumer whose personal data are processed; and

(B) Is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law; or

(XII) Assist another person with any of the activities set forth in this subsection (3);

(b) Apply where compliance by the controller or processor with this part 13 would violate an evidentiary privilege under Colorado law;

(c) Prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Colorado law as part of a privileged communication;

(d) Apply to information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law;

(e) Apply to the processing of personal data by an individual in the course of a purely personal or household activity;

(f) Require a controller or processor to implement an age verification or age-gating system or otherwise affirmatively collect the age of consumers, but a controller that chooses to conduct commercially reasonable age estimation to determine which consumers are minors is not liable for an erroneous age estimation; and

(g) Impose any obligation on a controller or processor that adversely affects the rights of any person to freedom of speech or freedom of the press guaranteed by the first amendment to the United States constitution.

(4) Personal data that are processed by a controller pursuant to an exception provided by this section:

(a) Shall not be processed for any purpose other than a purpose expressly listed in this section or as otherwise authorized by this part 13; and

(b) Shall be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes listed in this section or as otherwise authorized by this part 13.

(5) If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in subsection (4) of this section.

(1) Controllers and processors shall meet their respective obligations established under this part 13.

(2) Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations under this part 13. Taking into account the nature of processing and the information available to the processor, the processor shall assist the controller by:

(a) Taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to section 6-1-1306;

(b) Helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 6-1-716; and

(c) Providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by section 6-1-1309. The controller and processor are each responsible for only the measures allocated to them.

(3) Notwithstanding the instructions of the controller, a processor shall:

(a) Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and

(b) Engage a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with subsection (5) of this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

(4) Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.

(5) Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out:

(a) The processing instructions to which the processor is bound, including the nature and purpose of the processing;

(b) The type of personal data subject to the processing, and the duration of the processing;

(c) The requirements imposed by this subsection (5) and subsections (3) and (4) of this section; and

(d) The following requirements:

(I) At the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

(II)(A) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this part 13; and

(B) The processor shall allow for, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor. Alternatively, the processor may, with the controller's consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor's expense, an audit of the processor's policies and technical and organizational measures in support of the obligations under this part 13 using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. The processor shall provide a report of the audit to the controller upon request.

(6) In no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by this part 13.

(7) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in its processing of personal data pursuant to a controller's instructions, or that fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, it is a controller with respect to the processing.

(8)(a) A controller or processor that discloses personal data to another controller or processor in compliance with this part 13 does not violate this part 13 if the recipient processes the personal data in violation of this part 13, and, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.

(b) A controller or processor receiving personal data from a controller or processor in compliance with this part 13 as specified in subsection (8)(a) of this section does not violate this part 13 if the controller or processor from which it receives the personal data fails to comply with applicable obligations under this part 13.

(1) A processor shall adhere to the instructions of a controller and shall assist the controller to meet the controller’s obligations under sections 6-1-1308.5 and 6-1-1309.5, taking into account the nature of the processing and the information available to the processor. The processor shall assist the controller by:

(a) Taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller’s obligations under section 6-1-1308.5; and

(b) Providing information to enable the controller to conduct and document data protection assessments pursuant to section 6-1-1309.5.

(2) A contract between a controller and a processor must satisfy the requirements in section 6-1-1305 (5).

(3) Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller’s or processor’s role in the processing relationship as described in sections 6-1-1308.5 and 6-1-1309.5.

(4) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A person that is not limited in the person’s processing of personal data pursuant to a controller’s instructions, or that fails to adhere to the instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under section 6-1-1311.

(1) Consumers may exercise the following rights by submitting a request using the methods specified by the controller in the privacy notice required under section 6-1-1308(1)(a). The method must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication relating to the request, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to this section but may require a consumer to use an existing account. A consumer may submit a request at any time to a controller specifying which of the following rights the consumer wishes to exercise:

(a) Right to opt out. (I) A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of:

(A) Targeted advertising;

(B) The sale of personal data; or

(C) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

(II) A consumer may authorize another person, acting on the consumer's behalf, to opt out of the processing of the consumer's personal data for one or more of the purposes specified in subsection (1)(a)(I) of this section, including through a technology indicating the consumer's intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting. A controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.

(III) A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to subsection (1)(a)(I) of this section. The controller shall provide the opt-out method clearly and conspicuously in any privacy notice required to be provided to consumers under this part 13, and in a clear, conspicuous, and readily accessible location outside the privacy notice.

(IV)(A) A controller that processes personal data for purposes of targeted advertising or the sale of personal data may allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313. This subsection (1)(a)(IV)(A) is repealed, effective July 1, 2024.

(B) Effective July 1, 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313.

(C) Notwithstanding a consumer's decision to exercise the right to opt out of the processing of personal data through a universal opt-out mechanism pursuant to subsection (1)(a)(IV)(B) of this section, a controller may enable the consumer to consent, through a web page, application, or a similar method, to the processing of the consumer's personal data for purposes of targeted advertising or the sale of personal data, and the consent takes precedence over any choice reflected through the universal opt-out mechanism. Before obtaining a consumer's consent to process personal data for purposes of targeted advertising or the sale of personal data pursuant to this subsection (1)(a)(IV)(C), a controller shall provide the consumer with a clear and conspicuous notice informing the consumer about the choices available under this section, describing the categories of personal data to be processed and the purposes for which they will be processed, and explaining how and where the consumer may withdraw consent. The web page, application, or other means by which a controller obtains a consumer's consent to process personal data for purposes of targeted advertising or the sale of personal data must also allow the consumer to revoke the consent as easily as it is affirmatively provided.

(b) Right of access. A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer's personal data.

(c) Right to correction. A consumer has the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.

(d) Right to deletion. A consumer has the right to delete personal data concerning the consumer.

(e) Right to data portability. When exercising the right to access personal data pursuant to subsection (1)(b) of this section, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. A consumer may exercise this right no more than two times per calendar year. Nothing in this subsection (1)(e) requires a controller to provide the data to the consumer in a manner that would disclose the controller's trade secrets.

(2) Responding to consumer requests. (a) A controller shall inform a consumer of any action taken on a request under subsection (1) of this section without undue delay and, in any event, within forty-five days after receipt of the request. The controller may extend the forty-five-day period by forty-five additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller shall inform the consumer of an extension within forty-five days after receipt of the request, together with the reasons for the delay.

(b) If a controller does not take action on the request of a consumer, the controller shall inform the consumer, without undue delay and, at the latest, within forty-five days after receipt of the request, of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subsection (3) of this section.

(c) Upon request, a controller shall provide to the consumer the information specified in this section free of charge; except that, for a second or subsequent request within a twelve-month period, the controller may charge an amount calculated in the manner specified in section 24-72-205(5)(a).

(d) A controller is not required to comply with a request to exercise any of the rights under subsection (1) of this section if the controller is unable to authenticate the request using commercially reasonable efforts, in which case the controller may request the provision of additional information reasonably necessary to authenticate the request.

(3)(a) A controller shall establish an internal process whereby consumers may appeal a refusal to take action on a request to exercise any of the rights under subsection (1) of this section within a reasonable period after the consumer's receipt of the notice sent by the controller under subsection (2)(b) of this section. The appeal process must be conspicuously available and as easy to use as the process for submitting a request under this section.

(b) Within forty-five days after receipt of an appeal, a controller shall inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support of the response. The controller may extend the forty-five-day period by sixty additional days where reasonably necessary, taking into account the complexity and number of requests serving as the basis for the appeal. The controller shall inform the consumer of an extension within forty-five days after receipt of the appeal, together with the reasons for the delay.

(c) The controller shall inform the consumer of the consumer's ability to contact the attorney general if the consumer has concerns about the result of the appeal.

(1) This part 13 does not require a controller or processor to do any of the following solely for purposes of complying with this part 13:

(a) Reidentify de-identified data;

(b) Comply with an authenticated consumer request to access, correct, delete, or provide personal data in a portable format pursuant to section 6-1-1306(1), if all of the following are true:

(I)(A) The controller is not reasonably capable of associating the request with the personal data; or

(B) It would be unreasonably burdensome for the controller to associate the request with the personal data;

(II) The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and

(III) The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party, except as otherwise authorized by the consumer; or

(c) Maintain data in identifiable form or collect, obtain, retain, or access any data or technology in order to enable the controller to associate an authenticated consumer request with personal data.

(2) A controller that uses de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data are subject and shall take appropriate steps to address any breaches of contractual commitments.

(3) The rights contained in section 6-1-1306(1)(b) to (1)(e) do not apply to pseudonymous data if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

(1) Duty of transparency. (a) A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

(I) The categories of personal data collected or processed by the controller or a processor;

(II) The purposes for which the categories of personal data are processed;

(III) How and where consumers may exercise the rights pursuant to section 6-1-1306, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request;

(IV) The categories of personal data that the controller shares with third parties, if any; and

(V) The categories of third parties, if any, with whom the controller shares personal data.

(b) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.

(c) A controller shall not:

(I) Require a consumer to create a new account in order to exercise a right; or

(II) Based solely on the exercise of a right and unrelated to feasibility or the value of a service, increase the cost of, or decrease the availability of, the product or service.

(d) Nothing in this part 13 shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.

(2) Duty of purpose specification. A controller shall specify the express purposes for which personal data are collected and processed.

(3) Duty of data minimization. A controller's collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.

(4) Duty to avoid secondary use. A controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer's consent.

(5) Duty of care. A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.

(6) Duty to avoid unlawful discrimination. A controller shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.

(7) Duty regarding sensitive data. A controller shall not process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.

(1)

(a) A controller that offers any online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall use reasonable care to avoid any heightened risk of harm to minors caused by the online service, product, or feature.

(b) In any enforcement action brought by the attorney general or a district attorney pursuant to section 6-1-1311, there is a rebuttable presumption that a controller used reasonable care as required under this section if the controller complied with this section.

(2) Unless a controller has obtained consent in accordance with subsection (3) of this section, a controller that offers any online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall not:

(a) Process a minor’s personal data:

(I) For the purposes of:

(A) Targeted advertising;

(B) The sale of personal data; or

(C) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;

(II) For any processing purpose other than the processing purpose that the controller disclosed at the time the controller collected the minor’s personal data or that is reasonably necessary for, and compatible with, the processing purpose that the controller disclosed at the time the controller collected the minor’s personal data; or

(III) For longer than is reasonably necessary to provide the online service, product, or feature;

(b) Use any system design feature to significantly increase, sustain, or extend a minor’s use of the online service, product, or feature; or

(c) Collect a minor’s precise geolocation data unless:

(I) The minor’s precise geolocation data is reasonably necessary for the controller to provide the online service, product, or feature;

(II) The controller only collects and retains the minor’s precise geolocation data for the time necessary to provide the online service, product, or feature; and

(III) The controller provides to the minor a signal indicating that the controller is collecting the minor’s precise geolocation data and makes the signal available to the minor for the entire duration of the collection of the minor’s precise geolocation data; except that this subsection (2)(c)(III) does not apply to any service or application that is used by and under the direction of a ski area operator, as defined in section 33-44-103 (7).

(3)

(a) A controller shall not engage in the activities described in subsection (2) of this section unless the controller obtains:

(I) The minor’s consent; or

(II)

(A) If the minor is a child, the consent of the minor’s parent or legal guardian.

(B) A controller that complies with the verifiable parental consent requirements established in the “Children’s Online Privacy Protection Act of 1998”, 15 U.S.C. sec. 6501 et seq., as amended, and the regulations, rules, guidance, and exemptions adopted pursuant to said act, as amended, is deemed to have satisfied any requirement to obtain parental consent under this subsection (3)(a)(II).

(b)

(I) A controller that offers any online service, product, or feature to a consumer whom that controller actually knows or willfully disregards is a minor shall not:

(A) Provide any consent mechanism that is designed to substantially subvert or impair, or is manipulated with the effect of substantially subverting or impairing, user autonomy, decision-making, or choice; or

(B) Except as provided in subsection (3)(b)(II) of this section, offer any direct messaging apparatus for use by a minor without providing readily accessible and easy-to-use safeguards to limit the ability of an adult to send unsolicited communications to the minor with whom the adult is not connected.

(II) Subsection (3)(b)(I)(B) of this section does not apply to an online service, product, or feature of which the predominant or exclusive function is:

(A) Electronic mail; or

(B) Direct messaging consisting of text, photos, or videos that are sent between devices by electronic means, where messages are shared between the sender and the recipient, only visible to the sender and the recipient, and not posted publicly.

(4) Subsections (2)(a) and (2)(b) of this section do not apply to any service or application that is used by and under the direction of an educational entity, including a learning management system or a student engagement program.

(1) A controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after July 1, 2023, that present a heightened risk of harm to a consumer.

(2) For purposes of this section, “processing that presents a heightened risk of harm to a consumer” includes the following:

(a) Processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of:

(I) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;

(II) Financial or physical injury to consumers;

(III) A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or

(IV) Other substantial injury to consumers;

(b) Selling personal data; and

(c) Processing sensitive data.

(3) Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

(4) A controller shall make the data protection assessment available to the attorney general upon request. The attorney general may evaluate the data protection assessment for compliance with the duties contained in section 6-1-1308 and with other laws, including this article 1. Data protection assessments are confidential and exempt from public inspection and copying under the “Colorado Open Records Act”, part 2 of article 72 of title 24. The disclosure of a data protection assessment pursuant to a request from the attorney general under this subsection (4) does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information contained in the assessment.

(5) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(6) Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.

(1) A controller that, on or after October 1, 2025, offers any online service, product, or feature to a consumer whom such controller actually knows or willfully disregards is a minor shall conduct a data protection assessment for the online service, product, or feature if there is a heightened risk of harm to minors. The controller shall conduct the data protection assessment:

(a) In a manner that is consistent with the requirements established in section 6-1-1309; and

(b) That addresses:

(I) The purpose of the online service, product, or feature;

(II) The categories of a minor’s personal data that the online service, product, or feature processes;

(III) The purposes for which the controller processes a minor’s personal data with respect to the online service, product, or feature; and

(IV) Any heightened risk of harm to minors that is a reasonably foreseeable result of offering the online service, product, or feature to minors.

(2) A controller that conducts a data protection assessment pursuant to subsection (1) of this section shall:

(a) Review the data protection assessment as necessary to account for any material change to the processing operations of the online service, product, or feature that is the subject of the data protection assessment; and

(b) Maintain documentation concerning the data protection assessment for the longer of:

(I) Three years after the date on which the processing operations cease; or

(II) The date the controller ceases offering the online service, product, or feature.

(3) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(4) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment is deemed to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.

(5) If a controller conducts a data protection assessment pursuant to subsection (1) of this section or a data protection assessment review pursuant to subsection (2)(a) of this section and determines that the online service, product, or feature that is the subject of the assessment poses a heightened risk of harm to minors, the controller shall establish and implement a plan to mitigate or eliminate the heightened risk.

(6)

(a) A data protection assessment conducted pursuant to this section:

(I) Is confidential, except as provided in subsection (6)(b) of this section; and

(II) Is not a public record, and is exempt from public inspection and copying, under the “Colorado Open Records Act”, part 2 of article 72 of title 24.

(b)

(I) A controller shall make a data protection assessment conducted pursuant to this section available to the attorney general upon request. The attorney general may evaluate the data protection assessment for compliance with section 6-1-1308.5 and with other laws, including this article 1.

(II) The disclosure of a data protection assessment pursuant to a request from the attorney general does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information in the assessment.

(7) Data protection assessment requirements apply to processing activities created or generated after October 1, 2025, and are not retroactive.

(1) Notwithstanding any provision in part 1 of this article 1, this part 13 does not authorize a private right of action for a violation of this part 13 or any other provision of law. This subsection (1) neither relieves any party from any duties or obligations imposed, nor alters any independent rights that consumers have, under other laws, including this article 1, the state constitution, or the United States constitution.

(2) Where more than one controller or processor, or both a controller and a processor, involved in the same processing violates this part 13, the liability shall be allocated among the parties according to principles of comparative fault.

(1)

(a) Notwithstanding any other provision of this article 1, the attorney general and district attorneys have exclusive authority to enforce this part 13 by bringing an action in the name of the state or as parens patriae on behalf of persons residing in the state to enforce this part 13 as provided in this article 1, including seeking an injunction to enjoin a violation of this part 13.

(b) Notwithstanding any other provision of this article 1, nothing in this part 13 shall be construed as providing the basis for, or being subject to, a private right of action for violations of this part 13 or any other law.

(c) For purposes only of enforcement of this part 13 by the attorney general or a district attorney, a violation of this part 13 is a deceptive trade practice.

(d)

(I) Repealed.

(II) Prior to any enforcement action pursuant to subsection (1)(a) of this section to enforce section 6-1-1305.5, 6-1-1308.5, or 6-1-1309.5, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within sixty days after receipt of the notice of violation, an action may be brought pursuant to this section. This subsection (1)(d)(II) is repealed, effective December 31, 2026.

(2) The state treasurer shall credit all receipts from the imposition of civil penalties under this part 13 pursuant to section 24-31-108.

As used in this section and sections 42-516 to 42-526, inclusive, unless the context otherwise requires:

(1) “Abortion” means terminating a pregnancy for any purpose other than producing a live birth.

(2) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by or is under common control with another legal entity. For the purposes of this subdivision, “control” and “controlled” mean (A) ownership of, or the power to vote, more than fifty per cent of the outstanding shares of any class of voting security of a company, (B) control in any manner over the election of a majority of the directors or of individuals exercising similar functions, or (C) the power to exercise controlling influence over the management of a company.

(3) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under subdivisions (1) to (4), inclusive, of subsection (a) of section 42-518 is being made by, or on behalf of, the consumer who is entitled to exercise such consumer rights with respect to the personal data at issue.

(4) “Biometric data” means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual. “Biometric data” does not include (A) a digital or physical photograph, (B) an audio or video recording, or (C) any data generated from a digital or physical photograph, or an audio or video recording, unless such data [is] are generated to identify a specific individual.

(5) “Business associate” has the same meaning as provided in HIPAA.

(6) “Child” has the same meaning as provided in COPPA.

(7) “Consent” means a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action. “Consent” does not include (A) acceptance of general or broad terms of use or a similar document that contains descriptions of personal data processing along with other, unrelated information, (B) hovering over, muting, pausing or closing a given piece of content, or (C) agreement obtained through the use of dark patterns.

(8) “Consumer” means an individual who is a resident of this state. “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit organization or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit organization or government agency.

(9) “Consumer health data” means any personal data that a controller uses to identify a consumer's physical or mental health condition, [or] diagnosis or status, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.

(10) “Consumer health data controller” means any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.

(11) “Controller” means a person who, alone or jointly with others, determines the purpose and means of processing personal data.

(12) “COPPA” means the Children's Online Privacy Protection Act of 1998, 15 USC 6501 et seq., and the regulations, rules, guidance and exemptions adopted pursuant to said act, as said act and such regulations, rules, guidance and exemptions may be amended from time to time.

(13) “Covered entity” has the same meaning as provided in HIPAA.

(14) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, and includes, but is not limited to, any practice the Federal Trade Commission refers to as a “dark pattern”.

(15) [“Decisions that produce legal or similarly significant effects concerning the consumer”] "Decision that produces any legal or similarly significant effect"  means [decisions] any decision made by the controller, or on behalf of the controller,  that [result] results in the provision or denial by the controller of any financial or lending [services,] service, any  housing, any insurance, any education enrollment or opportunity, any criminal justice, any employment [opportunities,] opportunity or any  health care [services or access to essential goods or services] service.

(16) “De-identified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual, if the controller that possesses such data (A) takes reasonable measures to ensure that such data cannot be associated with an individual, (B) publicly commits to process such data only in a de-identified fashion and not attempt to re-identify such data, and (C) contractually obligates any recipients of such data to satisfy the criteria set forth in subparagraphs (A) and (B) of this subdivision.

(17) “Gender-affirming health care services” has the same meaning as provided in section 52-571n.

(18) “Gender-affirming health data” means any personal data concerning an effort made by a consumer to seek, or a consumer's receipt of, gender-affirming health care services.

(19) “Geofence” means any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data or any other form of location detection, or any combination of such coordinates, connectivity, data, identification or other form of location detection, to establish a virtual boundary.

(20) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et seq., as amended from time to time.

(21) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.

(22) “Institution of higher education” means any individual who, or school, board, association, limited liability company or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.

(23) “Mental health facility” means any health care facility in which at least seventy per cent of the health care services provided in such facility are mental health services.

(24) "Neural Data" means any information that is generated by measuring the activity of an individual's central nervous system. 

[(24)] (25) "Nonprofit organization" means any organization that is exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding internal revenue code of the United States, as amended from time to time.

[(25)] (26) "Person" means an individual, association, company, limited liability company, corporation, partnership, sole proprietorship, trust or other legal entity.

[(26)] (27) "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual. "Personal data" does not include de-identified data or publicly available information. 

[(27)] (28) "Precise geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

[(28)] (29) "Process" and "processing" mean any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.

[(29)] (30) "Processor" means a person who processes personal data on behalf of a controller.

[(30)] (31) "Profiling" means any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

[(31)] (32) "Protected health information" has the same meaning as provided in HIPAA.

[(32)] (33) "Pseudonymous data" means personal data that cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data [is] are not attributed to an identified or identifiable individual.

[(33)] (34) "Publicly available information" (A) means information that [(A)] (i) is lawfully made available [through] from federal, state or municipal government records, or [widely distributed media, and (B)] (ii) a controller has a reasonable basis to believe (I) a consumer has lawfully made available to the general public, or (II) has been lawfully made available to the general public from widely distributed media, and (B) does not include any biometric data that can be associated with a specific consumer and were collected without the consumer's consent.

[(34)] (35)“Reproductive or sexual health care” means any health care-related services or products rendered or provided concerning a consumer's reproductive system or sexual well-being, including, but not limited to, any such service or product rendered or provided concerning (A) an individual health condition, status, disease, diagnosis, diagnostic test or treatment, (B) a social, psychological, behavioral or medical intervention, (C) a surgery or procedure, including, but not limited to, an abortion, (D) a use or purchase of a medication, including, but not limited to, a medication used or purchased for the purposes of an abortion, (E) a bodily function, vital sign or symptom, (F) a measurement of a bodily function, vital sign or symptom, or (G) an abortion, including, but not limited to, medical or nonmedical services, products, diagnostics, counseling or follow-up services for an abortion.

[(35)] (36) “Reproductive or sexual health data” means any personal data concerning an effort made by a consumer to seek, or a consumer's receipt of, reproductive or sexual health care.

[(36)] (37) “Reproductive or sexual health facility” means any health care facility in which at least seventy per cent of the health care-related services or products rendered or provided in such facility are reproductive or sexual health care.

[(37)] (38) “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. “Sale of personal data” does not include (A) the disclosure of personal data to a processor that processes the personal data on behalf of the controller, (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer, (C) the disclosure or transfer of personal data to an affiliate of the controller, (D) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, (E) the disclosure of personal data that the consumer (i) intentionally made available to the general public via a channel of mass media, and (ii) did not restrict to a specific audience, or (F) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller's assets.

[(38)] (39) "Sensitive data" means personal data that includes (A) data revealing (i) racial or ethnic origin, (ii) religious beliefs, (iii) a mental or physical health condition, [or] diagnosis, disability or treatment, (iv) sex life, sexual orientation or status as nonbinary or transgender, or (v) citizenship or immigration status, (B) consumer health data, (C) [the processing of] genetic or biometric data [for the purpose of uniquely identifying an individual] or information derived therefrom, (D) personal data collected from [a known] an individual the controller has actual knowledge, or wilfully disregards, is a child, (E) data concerning an individual's status as a victim of crime, as defined in section 1-1k, [or] (F) precise geolocation data, (G) neural data, (H) a consumer's financial account number, financial account log-in information or credit card or debit card number that, in combination with any required access or security code, password or credential, would allow access to a consumer's financial account, or (I) government-issued identification number, including, but not limited to, Social Security number, passport number, state identification card number or driver's license number, that applicable law does not require to be publicly displayed.

[(39)] (40) “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer's preferences or interests. “Targeted advertising” does not include (A) advertisements based on activities within a controller's own Internet web sites or online applications, (B) advertisements based on the context of a consumer's current search query, visit to an Internet web site or online application, (C) advertisements directed to a consumer in response to the consumer's request for information or feedback, or (D) processing personal data solely to measure or report advertising frequency, performance or reach.

[(40)] (41) “Third party” means a person, such as a public authority, agency or body, other than the consumer, controller or processor or an affiliate of the processor or the controller.

[(41)] (42) “Trade secret” has the same meaning as provided in section 35-51.

The provisions of sections 42-515 to 42-525, inclusive, apply to persons that: [conduct] (1) Conduct business in this state, or [persons that] produce products or services that are targeted to residents of this state, and [that] during the preceding calendar year [: (1) Controlled] controlled or processed the personal data of not [less] fewer than [one hundred thousand] thirty-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; [or (2) controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data] (2) control or process consumers' sensitive data, excluding personal data controlled or processed solely for the purposes of completing a payment transaction; or (3) offer consumers' personal data for sale in trade or commerce.

(a) The provisions of sections 42-515 to 42-525, inclusive, do not apply to any: (1) Body, authority, board, bureau, commission, district or agency of this state or of any political subdivision of this state; (2) person who has entered into a contract with any body, authority, board, bureau, commission, district or agency described in subdivision (1) of this subsection while such person is processing consumer health data on behalf of such body, authority, board, bureau, commission, district or agency pursuant to such contract; (3) nonprofit organization; (4) candidate committee, national committee, party committee or political committee, as such terms are defined in section 9-601; (5) institution of higher education; [(5)] (6) national securities association that is registered under 15 USC 78o-3 of the Securities Exchange Act of 1934, as amended from time to time; [(6) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq.;] (7) covered entity or business associate, as defined in 45 CFR 160.103; (8) tribal nation government organization; [or] (9) air carrier, as defined in 49 USC 40102, as amended from time to time, and regulated under the Federal Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation Act of 1978, 49 USC 41713, as said acts may be amended from time to time; (10) insurer, as defined in section 38a-1, or its affiliate, fraternal benefit society, within the meaning of section 38a-595, health carrier, as defined in section 38a-591a, insurance-support organization, as defined in section 38a-976, or insurance agent or insurance producer, as such terms are defined in section 38a-702a; (11) bank, Connecticut credit union, federal credit union, out-of-state bank or out-of-state credit union, or any affiliate or subsidiary thereof, as such terms are defined in section 36a-2, that (A) is only and directly engaged in financial activities as described in 12 USC 1843(k), (B) is regulated and examined by the Department of Banking or an applicable federal bank regulatory agency, and (C) has established a program to comply with all applicable requirements established by the Banking Commissioner or the applicable federal bank regulatory agency concerning personal data; or (12) agent, broker-dealer, investment adviser or investment adviser agent, as such terms are defined in section 36b-3, who is regulated by the Department of Banking or the Securities and Exchange Commission.

(b) The following information and data [is] are exempt from the provisions of sections 42-515 to 42-526, inclusive: (1) Protected health information under HIPAA; (2) patient-identifying information for purposes of 42 USC 290dd-2; (3) identifiable private information for purposes of the federal policy for the protection of human subjects under 45 CFR 46; (4) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; (5) personal data for purposes of the protection of human subjects under 21 CFR Parts 6, 50 and 56, or personal data used or shared in research, as defined in 45 CFR 164.501, that is conducted in accordance with the standards set forth in this subdivision and subdivisions (3) and (4) of this subsection, or other research conducted in accordance with applicable law; (6) information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.; (7) patient safety work product for purposes of section 19a-127o and the Patient Safety and Quality Improvement Act, 42 USC 299b-21 et seq., as amended from time to time; (8) information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA; (9) information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate, program or qualified service organization, as specified in 42 USC 290dd-2, as amended from time to time; (10) information used for public health activities and purposes as authorized by HIPAA, community health activities and population health activities; (11) the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency, furnisher or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 USC 1681 et seq., as amended from time to time; (12) personal data collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 USC 2721 et seq., as amended from time to time; (13) personal data regulated by the Family Educational Rights and Privacy Act, 20 USC 1232g et seq., as amended from time to time; (14) personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act, 12 USC 2001 et seq., as amended from time to time; (15) data processed or maintained (A) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor, consumer health data controller or third party, to the extent that the data is collected and used within the context of that role, (B) as the emergency contact information of an individual under sections 42-515 to 42-526, inclusive, used for emergency contact purposes, or (C) that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under subdivision (1) of this subsection and used for the purposes of administering such benefits; and (16) personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Federal Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation Act of 1978, 49 USC 41713, as said acts may be amended from time to time; (17) data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq., as amended from time to time; and (18) information included in a limited data set, as described in 45 CFR 164.514(e), as amended from time to time, to the extent such information is used, disclosed and maintained in the manner specified in 45 CFR 164.514(e), as amended from time to time.

(c) Controllers, processors and consumer health data controllers that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent pursuant to sections 42-515 to 42-526, inclusive.

(a) A consumer shall have the right to: (1) Confirm whether or not a controller is processing the consumer's personal data and access such personal data, including, but not limited to, any inferences about the consumer derived from such personal data and whether a controller or processor is processing a consumer's personal data for the purposes of profiling to make a decision that produces any legal or similarly significant effect concerning a consumer, unless such confirmation or access would require the controller to reveal a trade secret or the controller is prohibited from disclosing such personal data under subsection (e) of this section; (2) correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data; (3) delete personal data provided by, or obtained about, the consumer; (4) obtain a copy of the consumer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by Substitute Senate Bill No. 1295 Public Act No. 25-113 34 of 80 automated means, provided such controller shall not be required to reveal any trade secret; [and] (5) opt out of the processing of the personal data for purposes of (A) targeted advertising, (B) the sale of personal data, except as provided in subdivision (2) of subsection [(b)] (a) of section 42-520, as amended by this act, or (C) profiling in furtherance of [solely] any automated [decisions that produce] decision that produces any legal or similarly significant [effects] effect concerning the consumer; (6) if the consumer's personal data were processed for the purposes of profiling in furtherance of any automated decision that produced any legal or similarly significant effect concerning the consumer, and if feasible, (A) question the result of such profiling, (B) be informed of the reason that such profiling resulted in such decision, (C) review the consumer's personal data that were processed for the purposes of such profiling, and (D) if the profiling decision concerned housing, taking into account the nature of the personal data and the purposes for which such personal data were processed, allow the consumer to correct any incorrect personal data that were processed for the purposes of such profiling and have the profiling decision reevaluated based on the corrected personal data; and (7) obtain from the controller a list of the third parties to which such controller has sold the consumer's personal data or, if such controller does not maintain a list of the third parties to which such controller has sold the consumer's personal data, a list of all third parties to which such controller has sold personal data, provided the controller shall not be required to reveal any trade secret.

(b) A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice. A consumer may designate an authorized agent in accordance with section 42-519 to exercise the rights of such consumer to opt out of the processing of such consumer's personal data for purposes of subdivision (5) of subsection (a) of this section on behalf of the consumer. In the case of processing personal Substitute Senate Bill No. 1295 Public Act No. 25-113 35 of 80 data of a [known] consumer who the controller has actual knowledge, or wilfully disregards, is a child, the parent or legal guardian may exercise such consumer rights on the child's behalf. In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the consumer may exercise such rights on the consumer's behalf.

(c) Except as otherwise provided in sections 42-515 to 42-525, inclusive, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to said sections as follows:

(1) A controller shall respond to the consumer without undue delay, but not later than forty-five days after receipt of the request. The controller may extend the response period by forty-five additional days when reasonably necessary, considering the complexity and number of the consumer's requests, provided the controller informs the consumer of any such extension within the initial forty-five-day response period and of the reason for the extension.

(2) If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than forty-five days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

(3) Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any twelve-month period. If requests from a consumer are manifestly unfounded, excessive or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request.

(4) If a controller is unable to authenticate a request to exercise any of the rights afforded under subdivisions (1) to (4), inclusive, of subsection (a) of this section or subdivision (6) of said subsection using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise such right or rights until such consumer provides additional information reasonably necessary to authenticate such consumer and such consumer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request.

(5) A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subdivision (3) of subsection (a) of this section by (A) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to the provisions of sections 42-515 to 42-525, inclusive, or (B) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of sections 42-515 to 42-525, inclusive.

(d) A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Not later than sixty days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.

(e) A controller shall not disclose the following personal data in response to a request to exercise the consumer's rights under subdivision (1) of subsection (a) of this section, and shall instead inform the consumer or the person exercising such right on behalf of the consumer, with sufficient particularity, that the controller has collected such personal data: (1) The consumer's Social Security number; (2) the consumer's driver's license number, state identification card number or other government-issued identification number; (3) the consumer's financial account number; (4) the consumer's health insurance identification number or medical identification number; (5) the consumer's account password; (6) the consumer's security question or answer thereto; or (7) the consumer's biometric data.

A consumer may designate another person to serve as the consumer's authorized agent, and act on such consumer's behalf, to opt out of the processing of such consumer's personal data for one or more of the purposes specified in subdivision (5) of subsection (a) of section 42-518. The consumer may designate such authorized agent by way of, among other things, a technology, including, but not limited to, an Internet link or a browser setting, browser extension or global device setting, indicating such consumer's intent to opt out of such processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on such consumer's behalf.

(a) (1) A controller shall: [(1)] (A) Limit the collection of personal data to what is [adequate, relevant and] reasonably necessary and proportionate in relation to the purposes for which such data [is] are processed, as disclosed to the consumer; [(2) except as otherwise provided in sections 42-515 to 42-525, inclusive] (B) unless the controller obtains the consumer's consent, not process the consumer's personal Substitute Senate Bill No. 1295 Public Act No. 25-113 38 of 80 data for [purposes] any material new purpose that [are] is neither reasonably necessary to, nor compatible with, the [disclosed] purposes [for which such personal data is processed, as] that were disclosed to the consumer, [unless the controller obtains the consumer's consent; (3)] pursuant to subparagraph (A) of this subdivision, taking into account (i) the consumer's reasonable expectation regarding such personal data at the time such personal data were collected based on the purposes that were disclosed to the consumer pursuant to subparagraph (A) of this subdivision, (ii) the relationship that such new purpose bears to the purposes that were disclosed to the consumer pursuant to subparagraph (A) of this subdivision, (iii) the impact that processing such personal data for such new purpose might have on the consumer, (iv) the relationship between the consumer and the controller and the context in which the personal data were collected, and (v) the existence of additional safeguards, including, but not limited to, encryption or pseudonymization, in processing such personal data for such new purpose; (C) establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue; [(4)] (D) not process sensitive data concerning a consumer unless such processing is reasonably necessary in relation to the purposes for which such sensitive data are processed and without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a [known] consumer who the controller has actual knowledge, or wilfully disregards, is a child, without processing such data in accordance with COPPA; [(5)] (E) not process personal data in violation of [the laws] any law of this state [and federal laws that prohibit] that prohibits unlawful discrimination against consumers, and any evidence, or lack of evidence, concerning proactive anti-bias testing or any similar proactive effort to avoid processing such data in violation of such law, including, but not limited to, any evidence or lack of evidence concerning the quality, efficacy, recency and scope of any such testing or effort, the results of such testing or effort and the response to the results of such testing or effort, shall be relevant to any claim available for a violation of such law and any defense available thereto; (F) not process personal data in violation of any federal law that prohibits unlawful discrimination against consumers; [(6)] (G) provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request; (H) not sell the sensitive data of a consumer without the consumer's consent; and [(7)] (I) not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, [without the consumer's consent,] under circumstances where a controller has actual knowledge, or wilfully disregards, that the consumer is at least thirteen years of age but younger than [sixteen] eighteen years of age. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in sections 42-515 to 42-525, inclusive, as amended by this act, including denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.

[(b)] (2) Nothing in subdivision (1) of this subsection [(a) of this section] shall be construed to require a controller to provide a product or service that requires the personal data of a consumer which the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.

[(c)] (b) (1) A controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: [(1)] (A) The categories of personal data processed by the controller; [(2)] (B) the purpose for processing personal data; [(3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision] (C) a description of the means, established pursuant to subsection (c) of this section, for consumers to submit requests to exercise their consumer rights pursuant to sections 42-515 to 42-525, inclusive, as amended by this act, including, but not limited to, a description of (i) how consumers may exercise their consumer rights under subsection (a) of section 42-518, as amended by this act, and (ii) how consumers may appeal controllers' decisions with regard to [the consumer's request; (4)] requests to exercise such rights; (D) the categories of personal data that the controller [shares with] sells to third parties, if any; [(5)] (E) the categories of third parties, if any, [with] to which the controller [shares] sells personal data; [and (6)] (F) a clear and conspicuous disclosure of (i) any processing of personal data for purposes of targeted advertising, or (ii) any sale of personal data to a third party for purposes of targeted advertising; (G) an active electronic mail address or other online mechanism that [the consumer] consumers may use to contact the controller; (H) a statement disclosing whether the controller collects, uses or sells personal data for the purpose of training large language models; and (I) the most recent month and year during which the controller updated such privacy notice.

(2) A controller shall make the privacy notice required under subdivision (1) of this subsection publicly available: (A) Through a conspicuous hyperlink that includes the word "privacy" (i) on the home page of the controller's Internet web site, if the controller maintains an Internet web site, (ii) on the application store page or download page of a mobile device, if the controller maintains an application for use on a mobile device, and (iii) on the application's settings menu or in a similarly conspicuous and accessible location, if the controller maintains an application for use on a mobile device or other device used to connect to the Internet; (B) through a medium in which the controller regularly interacts with consumers, including, but not limited to, mail, if the controller does not maintain an Internet web site; (C) in each language in which the controller (i) provides any product or service that is subject to the privacy notice, or (ii) carries out any activity that is related to any product or service described in subparagraph (C)(i) of this subdivision; and (D) in a manner that is reasonably accessible to, and usable by, individuals with disabilities.

(3) Whenever a controller makes any retroactive material change to the controller's privacy notice or practices, the controller shall: (A) Notify the consumers affected by such material change with respect to any personal data to be collected after the effective date of such material change; and (B) provide a reasonable opportunity for the consumers described in subparagraph (A) of this subdivision to withdraw consent to any further and materially different collection, processing or transfer of previously collected personal data following such material change. The controller shall take all reasonable electronic measures to provide such notice to such affected consumers, taking into account the technology available to the controller and the nature of the controller's relationship with such affected consumers.

(4) Nothing in this subsection shall be construed to require a controller to provide a privacy notice that is specific to this state if the controller provides a generally applicable privacy notice that satisfies the requirements established in this subsection.

[(d) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.]

[(e)] (c) (1) A controller shall establish [, and shall describe in a privacy notice,] one or more secure and reliable means for consumers to Substitute Senate Bill No. 1295 Public Act No. 25-113 42 of 80 submit a request to exercise their consumer rights pursuant to sections 42-515 to 42-525, inclusive, as amended by this act. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to verify the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account. Any such means shall include:

(A) (i) Providing a clear and conspicuous [link] hyperlink on the controller's Internet web site to an Internet web page that enables [a] the consumer, or an agent of the consumer, to opt out of the processing of the consumer's personal data for purposes of targeted advertising, or any sale of the consumer's personal data; and

(ii) [Not later than January 1, 2025, allowing] Allowing a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology or mechanism to the controller indicating such consumer's intent to opt out of any such processing or sale. Such platform, technology or mechanism shall:

(I) Not unfairly disadvantage another controller;

(II) Not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given and unambiguous choice to opt out of any processing of such consumer's personal data pursuant to sections 42-515 to 42-525, inclusive;

(III) Be consumer-friendly and easy to use by the average consumer;

(IV) Be as consistent as possible with any other similar platform, technology or mechanism required by any federal or state law or regulation; and

(V) Enable the controller to accurately determine whether the consumer is a resident of this state and whether the consumer has made a legitimate request to opt out of any sale of such consumer's personal data or targeted advertising.

(B) If a consumer's decision to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent in accordance with the provisions of subparagraph (A) of this subdivision conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts or club card program, the controller shall comply with such consumer's opt-out preference signal but may notify such consumer of such conflict and provide to such consumer the choice to confirm such controller-specific privacy setting or participation in such program.

(2) If a controller responds to consumer opt‐out requests received pursuant to subparagraph (A) of subdivision (1) of this subsection by informing the consumer of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered pursuant to subdivision (2) of subsection [(b)] (a) of this section for the retention, use, sale or sharing of the consumer's personal data.

(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations under sections 42-515 to 42-525, inclusive, as amended by this act. Such assistance shall include: (1) Taking into account the nature of processing and [the information available to the processor, by appropriate technical and organizational measures,] insofar as is [reasonably practicable] possible, to fulfill the controller's obligation to respond to [consumer rights requests] consumers' requests to exercise their rights under section 42-518, as amended by this act; (2) taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security, as defined in section 36a-701b, of the system of the processor, in order to meet the controller's obligations; and (3) providing necessary information to enable the controller to conduct and document data protection assessments and impact assessments.

(b) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: (1) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (2) at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (3) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in sections 42-515 to 42-525, inclusive, as amended by this act; (4) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and (5) allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's

(c) Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship, as described in sections 42-515 to 42-525, inclusive.

(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data [is] are to be processed. A person who is not limited in such person's processing of personal data pursuant to a controller's instructions, or who fails to adhere to such instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under section 42-525.

(a) For the purposes of this section, processing that presents a heightened risk of harm to a consumer includes: (1) The processing of personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of (A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (B) financial, physical or reputational injury to consumers, (C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or (D) other substantial injury to consumers; and (4) the processing of sensitive data.

[(a)] (b) (1) A controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer. [For the purposes of this section, processing that presents a heightened risk of harm to a consumer includes: (1) The processing of personal data for the purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of (A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (B) financial, physical or reputational injury to consumers, (C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or (D) other substantial injury to consumers; and (4) the processing of sensitive data.]

[(b) Data protection assessments] (2) Each data protection assessment conducted pursuant to subdivision (1) of this subsection [(a) of this section] shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The controller shall factor into [any] each such data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

(c) Each controller that engages in any profiling for the purposes of making a decision that produces any legal or similarly significant effect concerning a consumer shall conduct an impact assessment for such profiling. Such impact assessment shall include, to the extent reasonably known by or available to the controller, as applicable: (1) A statement by the controller disclosing the purpose, intended use cases and deployment context of, and benefits afforded by, such profiling; (2) an analysis of whether such profiling poses any known or reasonably foreseeable heightened risk of harm to a consumer, and, if so, (A) the nature of such heightened risk of harm to a consumer, and (B) the steps that have been taken to mitigate such heightened risk of harm to a consumer; (3) a description of (A) the main categories of personal data processed as inputs for the purposes of such profiling, and (B) the outputs such profiling produces; (4) an overview of the main categories of personal data the controller used to customize such profiling, if the controller used data to customize such profiling; (5) any metrics used to evaluate the performance and known limitations of such profiling; (6) a description of any transparency measures taken concerning such profiling, including, but not limited to, any measures taken to disclose to consumers that such controller is engaged in such profiling while such controller is engaged in such profiling; and (7) a description of the post-deployment monitoring and user safeguards provided concerning such profiling, including, but not limited to, the oversight, use and learning processes established by the controller to address issues arising from such profiling.

[(c)] (d) The Attorney General may require that a controller disclose any data protection assessment or impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment or impact assessment available to the Attorney General. The Attorney General may evaluate the data protection assessment or impact assessment for compliance with the responsibilities set forth in sections 42-515 to 42-525, inclusive. Data protection assessments and impact assessments shall be confidential and shall be exempt from disclosure under the Freedom of Information Act, as defined in section 1-200. To the extent any information contained in a data protection assessment or impact assessment disclosed to the Attorney General includes information subject to attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection.

[(d)] (e) A single data protection assessment or impact assessment may address a comparable set of processing operations that include similar activities.

[(e)] (f) If a controller conducts a data protection assessment or impact assessment for the purpose of complying with another applicable law or regulation, the data protection assessment or impact assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment or impact assessment is reasonably similar in scope and effect to the data protection assessment or impact assessment that would otherwise be conducted pursuant to this section.

[(f)] (g) (1) Data protection assessment requirements shall apply to processing activities created or generated after July 1, 2023, and are not retroactive.

(2) Impact assessment requirements shall apply to processing activities created or generated on or after August 1, 2026, and are not retroactive.

(a) Any controller in possession of de-identified data shall: (1) Take reasonable measures to ensure that the data cannot be associated with an individual; (2) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and (3) contractually obligate any recipients of the de-identified data to comply with all provisions of sections 42-515 to 42-525, inclusive.

(b) Nothing in sections 42-515 to 42-525, inclusive, shall be construed to: (1) Require a controller or processor to re-identify de-identified data or pseudonymous data; or (2) maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

(c) Nothing in sections 42-515 to 42-525, inclusive, shall be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller: (1) Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; (2) does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and (3) does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.

(d) The rights afforded under subdivisions (1) to (4), inclusive, of subsection (a) of section 42-518 shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

(e) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

(a) Nothing in sections 42-515 to 42-526, inclusive, as amended by this act, shall be construed to restrict a controller's, processor's or consumer health data controller's ability to: (1) Comply with federal, state or municipal ordinances or regulations; (2) comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities; (3) cooperate with law enforcement agencies concerning conduct or activity that the controller, processor or consumer health data controller reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations; (4) investigate, establish, exercise, prepare for or defend legal claims; (5) provide a product or service specifically requested by a consumer; (6) perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty; (7) take steps at the request of a consumer prior to entering into a contract; (8) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis; (9) prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (10) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, (A) whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller or consumer health data controller, (B) the expected benefits of the research outweigh the privacy risks, and (C) whether the controller or consumer health data controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; (11) assist another controller, processor, consumer health data controller or third party with any of the obligations under sections 42-515 to 42-526, inclusive, as amended by this act; or (12) process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is (A) subject to suitable and specific measures to safeguard the rights of the consumer whose personal data [is] are being processed, and (B) under the responsibility of a professional subject to confidentiality obligations under federal, state or local law.

(b) The obligations imposed on controllers, processors or consumer health data controllers under sections 42-515 to 42-526, inclusive, shall not restrict a controller's, processor's or consumer health data controller's ability to collect, use or retain data for internal use to: (1) Conduct internal research to develop, improve or repair products, services or technology; (2) effectuate a product recall; (3) identify and repair technical errors that impair existing or intended functionality; (4) process personal data for the purposes of profiling in furtherance of any automated decision that may produce any legal or similarly significant effect concerning a consumer, provided such personal data are (A) processed only to the extent necessary to detect or correct any bias that may result from processing such data for such purposes, such bias cannot effectively be detected or corrected without processing such data and such data are deleted once such processing has been completed, (B) processed subject to appropriate safeguards to protect the rights of consumers secured by the Constitution or laws of this state or of the United States, (C) subject to technical restrictions concerning the reuse of such data and industry-standard security and privacy measures, including, but not limited to, pseudonymization, (D) subject to measures to ensure that such data are secure, protected and subject to suitable safeguards, including, but not limited to, strict controls concerning, and documentation of, access to such data, to avoid misuse and ensure that only authorized persons may access such data while preserving the confidentiality of such data, and (E) not transmitted, transferred or otherwise accessed by any third party; [or (4)] (5) perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or consumer health data controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or (6) perform internal operations in accordance with the internal operations exception established in COPPA if the controller, processor or consumer health data controller is processing data in accordance with such exception.

(c) The obligations imposed on controllers, processors or consumer health data controllers under sections 42-515 to 42-526, inclusive, shall not apply where compliance by the controller, processor or consumer health data controller with said sections would violate an evidentiary privilege under the laws of this state. Nothing in sections 42-515 to 42-526, inclusive, shall be construed to prevent a controller, processor or consumer health data controller from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.

(d) A controller, processor or consumer health data controller that discloses personal data to a processor or third-party controller in accordance with sections 42-515 to 42-526, inclusive, shall not be deemed to have violated said sections if the processor or third-party controller that receives and processes such personal data violates said sections, provided, at the time the disclosing controller, processor or consumer health data controller disclosed such personal data, the disclosing controller, processor or consumer health data controller did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller, processor or consumer health data controller in compliance with sections 42-515 to 42-526, inclusive, is likewise not in violation of said sections for the transgressions of the controller, processor or consumer health data controller from which such third-party controller or processor receives such personal data.

(e) Nothing in sections 42-515 to 42-526, inclusive, shall be construed to: (1) Impose any obligation on a controller, processor or consumer health data controller that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person (A) to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution, or (B) under section 52-146t; or (2) apply to any person's processing of personal data in the course of such person's purely personal or household activities.

(f) Personal data processed by a controller or consumer health data controller pursuant to this section may be processed to the extent that such processing is: (1) Reasonably necessary and proportionate to the purposes listed in this section; and (2) adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained pursuant to subsection (b) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use or retention of personal data.

(g) If a controller or consumer health data controller processes personal data pursuant to an exemption in this section, the controller or consumer health data controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in subsection (f) of this section.

(h) Processing personal data for the purposes expressly identified in this section shall not solely make a legal entity a controller or consumer health data controller with respect to such processing.

(a) The Attorney General shall have exclusive authority to enforce violations of sections 42-515 to 42-524, inclusive, and section 42-526.

(b) (1) During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, prior to initiating any action for a violation of any provision of sections 42-515 to 42-524, inclusive, issue a notice of violation to the controller if the Attorney General determines that a cure is possible. If the controller fails to cure such violation within sixty days of receipt of the notice of violation, the Attorney General may bring an action pursuant to this section.

(2) During the period beginning on October 1, 2023, and ending on December 31, 2024, the Attorney General shall, prior to initiating any action for a violation of any provision of sections 42-515 to 42-524, inclusive, and section 42-526, issue a notice of violation to the consumer health data controller if the Attorney General determines that a cure is possible. If the consumer health data controller fails to cure such violation within sixty days of receipt of the notice of violation, the Attorney General may bring an action pursuant to this section.

(3) Not later than February 1, 2024, the Attorney General shall submit a report, in accordance with section 11-4a, to the joint standing committee of the General Assembly having cognizance of matters relating to general law disclosing: (A) The number of notices of violation the Attorney General has issued; (B) the nature of each violation; (C) the number of violations that were cured during the sixty-day cure period; and (D) any other matter the Attorney General deems relevant for the purposes of such report.

(c) Beginning on January 1, 2025, the Attorney General may, in determining whether to grant a controller, processor or consumer health data controller the opportunity to cure an alleged violation described in subsection (b) of this section, consider: (1) The number of violations; (2) the size and complexity of the controller, processor or consumer health data controller; (3) the nature and extent of the controller's, processor's or consumer health data controller's processing activities; (4) the substantial likelihood of injury to the public; (5) the safety of persons or property; (6) whether such alleged violation was likely caused by human or technical error; and (7) the sensitivity of the data.

(d) Nothing in sections 42-515 to 42-524, inclusive, or section 42-526, shall be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law.

(e) A violation of the requirements of sections 42-515 to 42-524, inclusive, or section 42-526, shall constitute an unfair trade practice for purposes of section 42-110b and shall be enforced solely by the Attorney General, provided the provisions of section 42-110g shall not apply to such violation.

(a) (1) Except as provided in subsection (b) of this section, subsections (b) and (c) of section 42-517 and section 42-524, no person shall: (A) Provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality; (B) provide any processor with access to consumer health data unless such person and processor comply with section 42-521; (C) use a geofence to establish a virtual boundary that is within one thousand seven hundred fifty feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer's consumer health data; or (D) sell, or offer to sell, consumer health data without first obtaining the consumer's consent.

(2) Notwithstanding section 42-516, the provisions of subsection (a) of this section, and the provisions of section 42-515 and sections 42-517 to 42-525, inclusive, concerning consumer health data and consumer health data controllers, apply to persons that conduct business in this state and persons that produce products or services that are targeted to residents of this state.

(b) The provisions of subsection (a) of this section shall not apply to any: (1) Body, authority, board, bureau, commission, district or agency of this state or of any political subdivision of this state; (2) person who has entered into a contract with any body, authority, board, bureau, commission, district or agency described in subdivision (1) of this subsection while such person is processing consumer health data on behalf of such body, authority, board, bureau, commission, district or agency pursuant to such contract; (3) institution of higher education; (4) national securities association that is registered under 15 USC 78o-3 of the Securities Exchange Act of 1934, as amended from time to time; (5) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq.; (6) covered entity or business associate, as defined in 45 CFR 160.103; (7) tribal nation government organization; or (8) air carrier, as defined in 49 USC 40102, as amended from time to time, and regulated under the Federal Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation Act of 1978, 49 USC 41713, as said acts may be amended from time to time.

(a) For the purposes of this section: 

(1) "Authenticate" means to use reasonable means and make a commercially reasonable effort to determine whether a request to exercise any right afforded under subsection (b) of this section has been submitted by, or on behalf of, the minor who is entitled to exercise such right; 

(2) "Consumer" has the same meaning as provided in section 42-515; 

(3) "Minor" means any consumer who is younger than eighteen years of age; 

(4) "Personal data" has the same meaning as provided in section 42- 515;

(5) "Social media platform" (A) means a public or semi-public Internet-based service or application that (i) is used by a consumer in this state, (ii) is primarily intended to connect and allow users to socially interact within such service or application, and (iii) enables a user to (I) construct a public or semi-public profile for the purposes of signing into and using such service or application, (II) populate a public list of other users with whom the user shares a social connection within such service or application, and (III) create or post content that is viewable by other users, including, but not limited to, on message boards, in chat rooms, or through a landing page or main feed that presents the user with content generated by other users, and (B) does not include a public or semi-public Internet-based service or application that (i) exclusively provides electronic mail or direct messaging services, (ii) primarily consists of news, sports, entertainment, interactive video games, electronic commerce or content that is preselected by the provider or for which any chat, comments or interactive functionality is incidental to, directly related to, or dependent on the provision of such content, or (iii) is used by and under the direction of an educational entity, including, but not limited to, a learning management system or a student engagement program; and

(6) "Unpublish" means to remove a social media platform account from public visibility.

(b) (1) Not later than fifteen business days after a social media platform receives a request from a minor or, if the minor is younger than sixteen years of age, from such minor's parent or legal guardian to unpublish such minor's social media platform account, the social media platform shall unpublish such minor's social media platform account.

(2) Not later than forty-five business days after a social media platform receives a request from a minor or, if the minor is younger than sixteen years of age, from such minor's parent or legal guardian to delete such minor's social media platform account, the social media platform shall delete such minor's social media platform account and cease processing such minor's personal data except where the preservation of such minor's social media platform account or personal data is otherwise permitted or required by applicable law, including, but not limited to, sections 42-515 to 42-525, inclusive.

A social media platform may extend such forty-five business day period by an additional forty-five business days if such extension is reasonably necessary considering the complexity and number of the consumer's requests, provided the social media platform informs the minor or, if the minor is younger than sixteen years of age, such minor's parent or legal guardian within the initial forty-five business day response period of such extension and the reason for such extension.

(3) A social media platform shall establish, and shall describe in a privacy notice, one or more secure and reliable means for submitting a request pursuant to this subsection. A social media platform that provides a mechanism for a minor or, if the minor is younger than sixteen years of age, the minor's parent or legal guardian to initiate a process to delete or unpublish such minor's social media platform account shall be deemed to be in compliance with the provisions of this subsection.

(4) No social media platform shall require a minor's parent or legal guardian to create a social media platform account to submit a request pursuant to this subsection. A social media platform may require a minor's parent or legal guardian to use an existing social media platform account to submit such a request, provided such parent or legal guardian has access to the existing social media platform account.

For the purposes of this section and sections 42-529a to 42-529e, inclusive, as amended by this act: 

(1)"Adult" means any individual who is at least eighteen years of age; 

(2) "Consent" has the same meaning as provided in section 42-515;

(3) "Consumer" has the same meaning as provided in section 42-515;

(4) "Controller" has the same meaning as provided in section 42-515;

(5) "Heightened risk of harm to minors" means processing minors' personal data in a manner that presents any reasonably foreseeable risk of (A) any unfair or deceptive treatment of, or any unlawful disparate impact on, minors, (B) any material financial, physical or reputational injury to minors, [or] (C) any material physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if such intrusion would be offensive to a reasonable person, (D) any physical violence against minors, (E) any material harassment of minors on any online service, product or feature, which harassment is severe, pervasive or objectively offensive to a reasonable person, or (F) any sexual abuse or sexual exploitation of minors;

(6) "HIPAA" has the same meaning as provided in section 42-515;

(7) "Minor" means any consumer who is younger than eighteen years of age;

(8) "Online service, product or feature" means any service, product or feature that is provided online. "Online service, product or feature" does not include any (A) telecommunications service, as defined in 47 USC 153, as amended from time to time, (B) broadband Internet access service, as defined in 47 CFR 54.400, as amended from time to time, or (C) delivery or use of a physical product;

(9) "Person" has the same meaning as provided in section 42-515;

(10) "Personal data" has the same meaning as provided in section 42-515;

(11) "Precise geolocation data" has the same meaning as provided in section 42-515;

(12) "Process" and "processing" have the same meaning as provided in section 42-515;

(13) "Processor" has the same meaning as provided in section 42-515;

(14) "Profiling" has the same meaning as provided in section 42-515;

(15) "Protected health information" has the same meaning as provided in section 42-515;

(16) "Sale of personal data" has the same meaning as provided in section 42-515;

(17) "Targeted advertising" has the same meaning as provided in section 42-515;

(18) "Third party" has the same meaning as provided in section 42- 515;

(a) Each controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall use reasonable care to avoid any heightened risk of harm to minors caused by such online service, product or feature. In any enforcement action brought by the Attorney General pursuant to section 42-529e, there shall be a rebuttable presumption that a controller used reasonable care as required under this section if the controller complied with the provisions of section 42-529b, concerning data protection assessments and impact assessments.

(b) (1) [Subject to the consent requirement established in subdivision (3) of this subsection, no] No controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall [: (A) Process] process any minor's personal data: [(i) for] (A) For the purposes of [(I)] (i) targeted advertising, [(II)] or (ii) any sale of personal data; [, or (III) profiling in furtherance of any fully automated decision made by such controller that produces any legal or similarly significant effect concerning the provision or denial by such controller of any financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care services or access to essential goods or services, (ii)] (B) unless such processing is reasonably necessary to provide such online service, product or feature; [, (iii)] (C) for any processing purpose [(I)] (i) other than the processing purpose that the controller disclosed at the time such controller collected such personal data, or [(II)] (ii) [that] other than what is reasonably necessary for, and compatible with, the processing purpose described in subparagraph [(A)(iii)(I)] (C)(i) of this subdivision; [,] or [(iv)] (D) for longer than is reasonably necessary to provide such online service, product or feature. [; or (B) use any system design feature to significantly increase, sustain or extend any minor's use of such online service, product or feature.] The provisions of this subdivision shall not apply to any service or application that is used by and under the direction of an educational entity, including, but not limited to, a learning management system or a student engagement program.

(2) [Subject to the consent requirement established in subdivision (3) of this subsection, no] No controller that offers an online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall collect a minor's precise geolocation data unless: (A) Such precise geolocation data [is reasonably] are strictly necessary for the controller to provide such online service, product or feature and, if such data [is] are necessary to provide such online service, product or feature, such controller may only collect such data for the time necessary to provide such online service, product or feature; and (B) the controller provides to the minor a signal indicating that such controller is collecting such precise geolocation data, which signal shall be available to such minor for the entire duration of such collection.

(3) (A) Subject to the consent requirement established in subparagraph (B) of this subdivision, no controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall process any minor's personal data for purposes of profiling in furtherance of any automated decision made by such controller that produces any legal or similarly significant effect concerning the provision or denial by such controller of any financial or lending service, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care service or access to any essential good or service, unless such processing is reasonably necessary to provide such online service, product or feature.

[(3)] (B) No controller shall engage in the activities described in [subdivisions (1) and (2) of this subsection] subparagraph (A) of this subdivision unless the controller obtains the minor's consent or, if the minor is younger than thirteen years of age, the consent of such minor's parent or legal guardian. A controller that complies with the verifiable parental consent requirements established in the Children's Online Privacy Protection Act of 1998, 15 USC 6501 et seq., and the regulations, rules, guidance and exemptions adopted pursuant to said act, as said act and such regulations, rules, guidance and exemptions may be amended from time to time, shall be deemed to have satisfied any requirement to obtain parental consent under this [subdivision] subparagraph.

(c) (1) No controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall: (A) Provide any consent mechanism that is designed to substantially subvert or impair, or is manipulated with the effect of substantially subverting or impairing, user autonomy, decisionmaking or choice; [or] (B) except as provided in subdivision (2) of this subsection, offer any direct messaging apparatus for use by minors [without providing] unless (i) such controller provides readily accessible and easy-to-use safeguards to [limit the ability of adults to send] enable any minor, or any minor's parent or legal guardian, to prevent any adult from sending any unsolicited [communications to minors with whom they are not connected] communication to such minor unless such minor and adult are already connected on such online service, product or feature, and (ii) the safeguards required under subparagraph (B)(i) of this subdivision, as a default setting, prevent any adult from sending any unsolicited communication to any minor unless such minor and adult are already connected on such online service, product or feature; or (C) except as provided in subdivision (3) of this subsection, use any system design feature to significantly increase, sustain or extend any minor's use of such online service, product or feature.

(2) The provisions of subparagraph (B) of subdivision (1) of this subsection shall not apply to services where the predominant or exclusive function is: (A) Electronic mail; or (B) direct messaging consisting of text, photos or videos that are sent between devices by electronic means, where messages are (i) shared between the sender and the recipient, (ii) only visible to the sender and the recipient, and (iii) not posted publicly.

(3) The provisions of subparagraph (C) of subdivision (1) of this subsection shall not apply to any service or application that is used by and under the direction of an educational entity, including, but not limited to, a learning management system or a student engagement program.

(a) Each controller that [, on or after October 1, 2024,] offers any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall conduct a data protection assessment for such online service, product or feature: (1) In a manner that is consistent with the requirements established in section 42-522; and (2) that addresses (A) the purpose of such online service, product or feature, (B) the categories of minors' personal data that such online service, product or feature processes, (C) the purposes for which such controller processes minors' personal data with respect to such online service, product or feature, and (D) any heightened risk of harm to minors that is a reasonably foreseeable result of offering such online service, product or feature to minors.

(b) Each controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall, if such online service, product or feature engages in any profiling based on such consumers' personal data, conduct an impact assessment for such online service, product or feature. Such impact assessment shall include, to the extent reasonably known by or available to the controller, as applicable: (1) A statement by the controller disclosing the purpose, intended use cases and deployment context of, and benefits afforded by, such online service, product or feature, if such online service, product or feature engages in any profiling for the purpose of making decisions that produce legal or similarly significant effects concerning such consumers; (2) an analysis of whether such profiling poses any reasonably foreseeable heightened risk of harm to minors and, if so, (A) the nature of such heightened risk of harm to minors, and (B) the steps that have been taken to mitigate such heightened risk of harm to minors; (3) a description of (A) the categories of personal data such online service, product or feature processes as inputs for the purposes of such profiling, and (B) the outputs such online service, product or feature produces for the purposes of such profiling; (4) an overview of the categories of personal data the controller used to customize such online service, product or feature for the purposes of such profiling, if the controller used data to customize such online service, product or feature for the purposes of such profiling; (5) a description of any transparency measures taken concerning such online service, product or feature with respect to such profiling, including, but not limited to, any measures taken to disclose to consumers that such online service, product or feature is being used for such profiling while such online service, product or feature is being used for such profiling; and (6) a description of the post-deployment monitoring and user safeguards provided concerning such online service, product or feature for the purposes of such profiling, including, but not limited to, the oversight, use and learning processes established by the controller to address issues arising from deployment of such online service, product or feature for the purposes of such profiling.  

[(b)] (c) Each controller that conducts a data protection assessment pursuant to subsection (a) of this section, or an impact assessment pursuant to subsection (b) of this section, shall: (1) Review such data protection assessment or impact assessment as necessary to account for any material change to the processing or profiling operations of the online service, product or feature that is the subject of such data protection assessment or impact assessment; and (2) maintain documentation concerning such data protection assessment or impact assessment for the longer of (A) the three-year period beginning on the date on which such processing or profiling operations cease, or (B) as long as such controller offers such online service, product or feature.

[(c)] (d) A single data protection assessment or impact assessment may address a comparable set of processing or profiling operations that include similar activities.

[(d)] (e) If a controller conducts a data protection assessment or impact assessment for the purpose of complying with another applicable law or regulation, the data protection assessment or impact assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment or impact assessment is reasonably similar in scope and effect to the data protection assessment or impact assessment that would otherwise be conducted pursuant to this section.

[(e)] (f) If any controller conducts a data protection assessment pursuant to subsection (a) of this section, or an impact assessment pursuant to subsection (b) of this section, and determines that the online service, product or feature that is the subject of such assessment poses a heightened risk of harm to minors, such controller shall establish and implement a plan to mitigate or eliminate such risk. The Attorney General may require a controller to disclose to the Attorney General a plan established pursuant to this subsection if the plan is relevant to an investigation conducted by the Attorney General. The controller shall disclose such plan to the Attorney General not later than ninety days after the Attorney General notifies the controller, in a form and manner prescribed by the Attorney General, that the Attorney General requires the controller to disclose such plan to the Attorney General.

[(f)] (g) Data protection assessments, impact assessments and harm mitigation or elimination plans shall be confidential and shall be exempt from disclosure under the Freedom of Information Act, as defined in section 1-200. To the extent any information contained in a data protection assessment, impact assessment or harm mitigation or elimination plan disclosed to the Attorney General includes information subject to the attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection.

(a) A processor shall adhere to the instructions of a controller, and shall: (1) Assist the controller in meeting the controller's obligations under sections 42-529 to 42-529e, inclusive, taking into account (A) the nature of the processing, (B) the information available to the processor by appropriate technical and organizational measures, and (C) whether such assistance is reasonably practicable and necessary to assist the controller in meeting such obligations; and (2) provide any information that is necessary to enable the controller to conduct and document data protection assessments and impact assessments pursuant to section 42-529b.

(d) No obligation imposed on a controller or processor under any provision of sections 42-529 to 42-529c, inclusive, as amended by this act, or section 42-529e shall be construed to restrict a controller's or processor's ability to collect, use or retain data for internal use to: (1) Conduct internal research to develop, improve or repair products, services or technology; (2) effectuate a product recall; (3) identify and repair technical errors that impair existing or intended functionality; (4) process personal data for the purposes of profiling in furtherance of any automated decision that may produce any legal or similarly significant effect concerning a consumer, provided such personal data are (A) processed only to the extent necessary to detect or correct any bias that may result from processing such personal data for such purposes, such bias cannot effectively be detected or corrected without processing such personal data and such personal data are deleted once such processing has been completed, (B) processed subject to appropriate safeguards to protect the rights of consumers secured by the Constitution or laws of this state or of the United States, (C) subject to technical restrictions concerning the reuse of such personal data and industry-standard security and privacy measures, including, but not limited to, pseudonymization, (D) subject to measures to ensure that such personal data are secure, protected and subject to suitable safeguards, including, but not limited to, strict controls concerning, and documentation of, access to such personal data, to avoid misuse and ensure that only authorized persons may access such personal data while preserving the confidentiality of such personal data, and (E) not transmitted, transferred or otherwise accessed by any third party; or [(4)] (5) perform solely internal operations that are (A) reasonably aligned with the expectations of a minor or reasonably anticipated based on the minor's existing relationship with the controller or processor, or (B) otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a minor.

(a) Any violation of the provisions of sections 42-529 to 42-529d, inclusive, shall constitute an unfair trade practice under subsection (a) of section 42-110b and shall be enforced solely by the Attorney General. Nothing in this section or sections 42-529 to 42-529d, inclusive, shall be construed to create a private right of action or to provide grounds for an action under section 42-110g.

(b) (1) During the period beginning October 1, 2024, and ending December 31, 2025, if the Attorney General, in the Attorney General's discretion, determines that a controller or processor has violated any provision of sections 42-529 to 42-529d, inclusive, but may cure such alleged violation, the Attorney General shall provide written notice to such controller or processor, in a form and manner prescribed by the Attorney General and before the Attorney General commences any action to enforce such provision, disclosing such alleged violation and such provision.

(2) (A) Not later than thirty days after a controller or processor receives a notice under subdivision (1) of this subsection, the controller or processor may send a notice to the Attorney General, in a form and manner prescribed by the Attorney General, disclosing that such controller or processor has: (i) Determined that such controller or processor did not commit the alleged violation of sections 42-529 to 42-529d, inclusive; or (ii) cured such violation and taken measures that are sufficient to prevent further such violations.

(B) If the Attorney General receives a notice described in subparagraph (A) of this subdivision and determines, in the Attorney General's discretion, that the controller or processor that sent such notice did not commit the alleged violation or has cured such violation and taken the measures described in subparagraph (A)(ii) of this subdivision, such controller or processor shall not be liable for any civil penalty under subsection (a) of this section.

(C) Not later than February 1, 2026, the Attorney General shall submit a report, in accordance with section 11-4a, to the joint standing committee of the General Assembly having cognizance of matters relating to general law. Such report shall disclose: (i) The number of notices the Attorney General has issued pursuant to subdivision (1) of this subsection; (ii) the number of violations that were cured pursuant to subparagraphs (A) and (B) of this subdivision; and (iii) any other matter the Attorney General deems relevant for the purposes of such report.

(c) Beginning on January 1, 2026, the Attorney General may, in the Attorney General's discretion, provide to a controller or processor an opportunity to cure any alleged violation of the provisions of sections 42-529 to 42-529d, inclusive, in the manner described in subdivisions (1) and (2) of subsection (b) of this section. In determining whether to grant the controller or processor an opportunity to cure such alleged violation, the Attorney General may consider: (1) The number of such violations that such controller or processor is alleged to have committed; (2) the size and complexity of such controller or processor; (3) the nature and extent of such controller's or processor's processing activities; (4) whether there exists a substantial likelihood that such alleged violation has caused or will cause public injury; (5) the safety of persons or property; (6) whether such alleged violation was likely caused by a human or technical error; and (7) the sensitivity of the data.

This chapter shall be known and may be cited as the “Delaware Personal Data Privacy Act.”

For purposes of this chapter, the following definitions shall apply:

(1) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity. For the purposes of this paragraph, “control” or “controlled” means any of the following:

a. Ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a legal entity.

b. Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

c. The power to exercise controlling influence over the management of a legal entity.

(2) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under § 12D-104(a)(1) to (a)(4) of this title, inclusive, is being made by, or on behalf of, the consumer who is entitled to exercise such consumer rights with respect to the personal data at issue.

(3) “Biometric data” means data generated by automatic measurements of an individual’s unique biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. “Biometric data” does not include any of the following:

a. A digital or physical photograph.

b. An audio or video recording.

c. Any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

(4) “Business associate” means as defined in HIPAA.

(5) “Child” means as defined in COPPA.

(6) “Child abuse” means, with respect to an individual under 18 years of age, as defined in § 901(1) of Title 10, or any equivalent provision in the laws of any other state, the United States, any territory, district, or subdivision of the United States, or any foreign jurisdiction.

(7) “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action. “Consent” does not include any of the following:

a. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information.

b. Hovering over, muting, pausing, or closing a given piece of content.

c. Agreement obtained through the use of dark patterns.

(8) “Consumer” means an individual who is a resident of this State. “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.

(9) “Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.

(10) “COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501, et seq., and the regulations, rules, guidance, and exemptions adopted pursuant to said act, as said act and such regulations, rules, guidance, and exemptions may be amended.

(11) “Covered entity” means as defined in HIPAA.

(12) “Dark pattern” means any of the following:

a. A user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.

b. Any other practice the Federal Trade Commission refers to as a “dark pattern.”

(13) “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.

(14) “De-identified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual, if the controller that possesses such data does all of the following:

a. Takes reasonable measures to ensure that such data cannot be associated with an individual.

b. Publicly commits to process such data only in a de-identified fashion and not attempt to re-identify such data.

c. Contractually obligates any recipients of such data to comply with all of the provisions of this chapter applicable to the controller with respect to such data.

(15) “Domestic violence” means as defined in § 1041 of Title 10, or any equivalent provision in the laws of any other state, the United States, any territory, district, or subdivision of the United States, or any foreign jurisdiction.

(16) “Genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. For purposes of this paragraph, “genetic material” includes deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.

(17) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d, et seq., as amended.

(18) “Human trafficking” means the offense defined in § 787 of Title 11, or any equivalent provision in the laws of any other state, the United States, any territory, district, or subdivision of the United States, or any foreign jurisdiction.

(19) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.

(20) “Nonprofit organization” means any organization that is exempt from taxation under § 501(c)(3), (c)(4), (c)(6) or (c)(12) of the Internal Revenue Code of 1986 [26 U.S.C. § 501(c)(3), (c)(4), (c)(6) or (c)(12)], or any subsequent corresponding internal revenue code of the United States, as amended.

(21) “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information.

(22) “Precise geolocation data” means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

(23) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

(24) “Processor” means a person that processes personal data on behalf of a controller.

(25) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.

(26) “Protected health information” means as defined in HIPAA.

(27) “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

(28) “Publicly available information” means any of the following:

a. Information that is lawfully made available through federal, state, or local government records.

b. Information that a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public through widely distributed media.

(29) “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. “Sale of personal data” does not include any of the following:

a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller where limited to the purpose of such processing.

b. The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer.

c. The disclosure or transfer of personal data to an affiliate of the controller.

d. The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.

e. The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience.

f. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller’s assets.

(30) “Sensitive data” means personal data that includes any of the following:

a. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status.

b. Genetic or biometric data.

c. Personal data of a known child.

d. Precise geolocation data.

(31) “Sexual assault” means any of the offenses defined in §§ 768 to 780 and § 787 of Title 11, or any equivalent provision in the laws of any other state, the United States, any territory, district, or subdivision of the United States, or any foreign jurisdiction.

(32) “Stalking” means the offense defined in § 1312 of Title 11, or any equivalent provision in the laws of any other state, the United States, any territory, district, or subdivision of the United States, or any foreign jurisdiction.

(33) “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet websites or online applications to predict such consumer’s preferences or interests. “Targeted advertising” does not include any of the following:

a. Advertisements based on activities within a controller’s own Internet websites or online applications.

b. Advertisements based on the context of a consumer’s current search query, visit to an Internet website, or online application.

c. Advertisements directed to a consumer in direct response to the consumer’s request for information or feedback.

d. Processing personal data solely to measure or report advertising frequency, performance, or reach.

(34) “Third party” means, with respect to personal data controlled by a controller, any person other than the relevant consumer, the controller of such personal data, or a processor or an affiliate of the processor or the controller.

(35) “Trade secret” means as defined in § 2001(4) of this title.

(36) “Violent felony” means as defined in § 4201 of Title 11 and includes any equivalent provision in the laws of any other state, the United States, and territory, district, or subdivision of the United States, or any foreign jurisdiction.

(a) This chapter applies to persons that conduct business in the State or persons that produce products or services that are targeted to residents of the State and that during the preceding calendar year did any of the following:

(1) Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.

(2) Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20% of their gross revenue from the sale of personal data.

(b) This chapter does not apply to any of the following entities:

(1) Any regulatory, administrative, advisory, executive, appointive, legislative, or judicial body of the State or a political subdivision of the State, including any board, bureau, commission, agency of the State or a political subdivision of the State, but excluding any institution of higher education.

(2) Any financial institution or affiliate of a financial institution, all as defined in 15 U.S.C. §  6809, to the extent that the financial institution or affiliate is subject to Title V of the Gramm Leach Bliley Act (15 U.S.C. § 6801, et seq., as amended) and the rules and implementing regulations promulgated thereunder.

(3) Any nonprofit organization dedicated exclusively to preventing and addressing insurance crime.

(4) A national securities association registered pursuant to § 15A of the Securities Exchange Act of 1934 (15 U.S.C. § 78o-3, as amended) and the rules and implementing regulations promulgated thereunder, or a registered futures association so designated pursuant to § 17 of the Commodity Exchange Act (7 U.S.C. § 21, as amended) and the rules and implementing regulations promulgated thereunder.

(c) This chapter does not apply to the following information and data:

(1) Protected health information under HIPAA.

(2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2.

(3) Identifiable private information, as defined in 45 C.F.R. § 46.102, to the extent that it is used for purposes of the federal policy for the protection of human subjects pursuant to 45 C.F.R. Part 46.

(4) Identifiable private information to the extent it is collected and used as part of human subjects research pursuant to the ICH E6 Good Clinical Practice Guideline issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 C.F.R. Parts 50 and 56.

(5) Patient safety work product, as defined in 42 C.F.R. § 3.20, that is created and used for purposes of patient safety improvement pursuant to 42 C.F.R. Part 3, established pursuant to 42 U.S.C. §§ 299b-21 to 299b-26.

(6) Information to the extent it is used for public health, community health, or population health activities and purposes, as authorized by HIPAA, when provided by or to a covered entity or when provided by or to a business associate pursuant to a business associate agreement with a covered entity.

(7) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681, et seq., as amended).

(8) Personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721, et seq., as amended.

(9) Personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, et seq., as amended.

(10) Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act, 12 U.S.C. § 2001, et seq., as amended.

(11) Data processed or maintained in any of the following ways:

a. In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

b. As the emergency contact information of an individual, used for emergency contact purposes.

c. Necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under paragraph (c)(11)a. of this section and used for the purposes of administering such benefits.

(12) Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. § 40101, et seq., as amended, by an air carrier subject to said act, to the extent any part of this chapter is preempted by the Airline Deregulation Act, 49 U.S.C. § 41713, as amended.

(13) Personal data of a victim of or witness to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking that is collected, processed, or maintained by a nonprofit organization that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony, or stalking.

(14) Data subject to Title V of the Gramm Leach Bliley Act (15 U.S.C. § 6801, et. seq., as amended) and the rules and implementing regulations promulgated thereunder.

(d) Controllers and processors that comply with the verifiable parental consent requirements of COPPA shall be deemed compliant with any obligation to obtain parental consent set forth in this chapter with respect to a consumer who is a child.

(a) A consumer has the right to do all of the following:

(1) Confirm whether a controller is processing the consumer’s personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret.

(2) Correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.

(3) Delete personal data provided by, or obtained about, the consumer.

(4) Obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily-usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret.

(5) Obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.

(6) Opt out of the processing of the personal data for purposes of any of the following:

a. Targeted advertising.

b. The sale of personal data, except as provided in § 12D-106(b) of this title.

c. Profiling in furtherance of solely-automated decisions that produce legal or similarly significant effects concerning the consumer.

(b) A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller’s privacy notice. A consumer may designate an authorized agent in accordance with § 12D-105 of this title to exercise the rights of such consumer to opt out of the processing of such consumer’s personal data for purposes of paragraph (a)(6) of this section on behalf of the consumer. In the case of processing personal data of a known child, the parent or legal guardian may exercise such consumer rights on the child’s behalf. In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the consumer may exercise such rights on the consumer’s behalf.

(c) Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to said sections as follows:

(1) A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request. The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer’s requests, provided the controller informs the consumer of any such extension within the initial 45-day response period and of the reason for the extension.

(2) If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

(3) Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any 12-month period. If requests from a consumer are manifestly unfounded, excessive or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request.

(4) If a controller is unable to authenticate a request to exercise any of the rights afforded under paragraphs (a)(1) through (a)(5) of this section, inclusive, using commercially-reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise such right or rights until such consumer provides additional information reasonably necessary to authenticate such consumer and such consumer’s request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent, and that such controller shall not comply with such request.

(5) A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete such data pursuant to paragraph (a)(3) of this section if the controller retains a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and does not use such retained data for any other purpose.

(d) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Department of Justice to submit a complaint.

(a) A consumer may designate an authorized agent to act on the consumer’s behalf to opt out of the processing of such consumer’s personal data for 1 or more of the purposes specified in § 12D-104(a)(6) of this title. The consumer may designate such authorized agent by way of, among other things, a platform, technology, or mechanism, including an Internet link or a browser setting, browser extension, or global device setting, indicating such consumer’s intent to opt out of such processing. For the purposes of such designation, the platform, technology, or mechanism may function as the agent for purposes of conveying the consumer’s decision to opt-out.

(b) A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially-reasonable effort, the identity of the consumer and the authorized agent’s authority to act on such consumer’s behalf. The Department of Justice may publish or reference on its website a list of agents who presumptively shall have such authority unless the controller has established a reasonable basis to conclude that the agent lacks such authority.

(a) A controller shall do all of the following:

(1) Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.

(2) Except as otherwise permitted by this chapter, not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.

(3) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

(4) Not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without first obtaining consent from the child’s parent or lawful guardian and otherwise complying with § 1204C of this title.

(5) Not process personal data in violation of the laws of this State and federal laws that prohibit unlawful discrimination.

(6) Provide an effective mechanism for a consumer to revoke the consumer’s consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request.

(7) Not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge or wilfully disregards that the consumer is at least 13 years of age but younger than 18 years of age.

(8) Not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

(b) Nothing in subsection (a) of this section shall be construed to require a controller to provide a product or service that requires the personal data of a consumer which the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

(c) A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes all of the following:

(1) The categories of personal data processed by the controller.

(2) The purpose for processing personal data.

(3) How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request.

(4) The categories of personal data that the controller shares with third parties, if any.

(5) The categories of third parties with which the controller shares personal data, if any.

(6) An active electronic mail address or other online mechanism that the consumer may use to contact the controller.

(d) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

(e) (1) A controller shall establish, and shall describe in the privacy notice required by subsection (c) of this section, 1 or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to verify the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer or the consumer’s authorized agent to use an existing account. Any such means shall include all of the following:

a.1. Providing a clear and conspicuous link on the controller’s Internet website to an Internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or the sale of the consumer’s personal data.

2. Not later than January 1, 2026, allowing a consumer to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer’s consent, by a platform, technology, or mechanism to the controller indicating such consumer’s intent to opt out of any such processing or sale. Such platform, technology, or mechanism shall do all of the following:

A. Not unfairly disadvantage another controller.

B. Not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of any processing of such consumer’s personal data pursuant to this chapter.

C. Be consumer friendly and easy to use by the average consumer.

D. Be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation.

E. Enable the controller to reasonably determine whether the consumer is a resident of the State and whether the consumer has made a legitimate request to opt out of any sale of such consumer’s personal data or targeted advertising.

b. If a consumer’s decision to opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent in accordance with the provisions of paragraph (e)(1)a. of this section conflicts with the consumer’s existing controller-specific privacy setting or voluntary participation in a controller’s bona fide loyalty, rewards, premium features, discounts or club card program, the controller shall comply with such consumer’s opt-out preference signal but may notify such consumer of such conflict and provide to such consumer the choice to confirm such controller-specific privacy setting or participation in such program.

(2) If a controller responds to consumer opt-out requests received pursuant to paragraph (e)(1)a. of this section by informing the consumer of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered pursuant to paragraph (e)(1)b. of this section for the retention, use, sale, or sharing of the consumer’s personal data.

(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller’s obligations under this chapter. Such assistance must include all of the following:

(1) Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as is reasonably practicable, to fulfill the controller’s obligation to respond to consumer rights requests.

(2) Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to the notification of a “breach of security,” as defined in § 12B-101(1) this title, of the system of the processor, in order to meet the controller’s obligations.

(3) Providing necessary information to enable the controller to conduct and document data protection assessments.

(b) A contract between a controller and a processor must govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract must also require that the processor do all of the following:

(1) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.

(2) At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.

(3) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this chapter.

(4) After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

(5) Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the obligations under this chapter, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.

(c) Nothing in this section may be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller’s or processor’s role in the processing relationship, as described in this chapter.

(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A person who is not limited in such person’s processing of personal data pursuant to a controller’s instructions, or who fails to adhere to such instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under this chapter.

(a) A controller that controls or processes the data of not less than 100,000 consumers, excluding data controlled or processed solely for the purpose of completing a payment transaction, shall conduct and document, on a regular basis, a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. For the purposes of this section, processing that presents a heightened risk of harm to a consumer includes any of the following:

(1) The processing of personal data for the purposes of targeted advertising.

(2) The sale of personal data.

(3) The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of any of the following:

a. Unfair or deceptive treatment of, or unlawful disparate impact on, consumers.

b. Financial, physical, or reputational injury to consumers.

c. A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person.

d. Other substantial injury to consumers.

(4) The processing of sensitive data.

(b) Data protection assessments conducted pursuant to subsection (a) of this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The controller shall factor into any such data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

(c) The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General. The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in this chapter. Data protection assessments must be treated as confidential and are not public records within the meaning of § 10002(o) of Title 29. Notwithstanding the foregoing, a controller’s data protection assessment may be used in an action to enforce this chapter. To the extent any information contained in a data protection assessment disclosed to the Attorney General includes and conspicuously identifies information subject to attorney-client privilege or work product protection, such disclosure by itself does not constitute a waiver of such privilege or protection.

(d) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(e) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.

(f) Data protection assessment requirements shall apply to processing activities created or generated on or after July 1, 2025, and are not retroactive.

(a) Nothing in this chapter shall be construed to require a controller or processor to re-identify de-identified data or pseudonymous data, or to maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

(b) Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request if all of the following apply:

(1) The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.

(2) The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.

(3) The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.

(c) The rights afforded under § 12D-104(a)(1) to (a)(4) of this title, inclusive, do not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

(d) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments. The determination of the reasonableness of such oversight and the appropriateness of contractual enforcement must take into account whether the disclosed data includes data that would be sensitive data if it were re-identified.

(a) Nothing in this chapter shall be construed to restrict a controller’s or processor’s ability to do any of the following:

(1) Comply with federal, state, or local laws, rules, or regulations.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.

(3) Cooperate with law-enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.

(4) Investigate, establish, exercise, prepare for, or defend legal claims.

(5) Provide a product or service specifically requested by a consumer.

(6) Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty.

(7) Take steps at the request of a consumer prior to entering into a contract.

(8) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis.

(9) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report or prosecute those responsible for any such activity.

(10) Engage in public or peer-reviewed scientific research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.

(11) Assist another controller, processor, or third party with any of the activities under this subsection.

(b) The obligations imposed on controllers or processors under this chapter, other than those imposed by § 12D-109 of this title, do not restrict a controller’s or processor’s ability to collect consumer data, or use or retain such data, for internal use only, to do any of the following:

(1) Conduct internal research to develop, improve or repair products, services or technology.

(2) Effectuate a product recall.

(3) Identify and repair technical errors that impair existing or intended functionality.

(4) Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

(c) The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with said sections would violate an evidentiary privilege under the laws of this State. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this State as part of a privileged communication.

(d) A controller or processor that discloses personal data to a processor or third-party controller in compliance with this chapter shall not be deemed to have violated this chapter if the processor or third-party controller that receives and processes such personal data violates this chapter, provided that:

(1) At the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller had violated or would violate this chapter; and

(2) The disclosing controller or processor was, and remained, in compliance with its obligations as the discloser of such data hereunder.

A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of this chapterfor the independent misconduct of the controller or processor from which such third-party controller or processor receives such personal data.

(e) Nothing in this chapter may be construed to do any of the following:

(1) Impose any obligation on a controller or processor that adversely affects the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution or § 5 of Article I of the Delaware Constitution of 1897.

(2) Apply to any person’s processing of personal data in the course of such person’s purely personal or household activities.

(f) Personal data processed pursuant to this section may be processed to the extent that such processing is reasonably necessary and proportionate to the purposes listed in this section, and is adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (b) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data.

(g) If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in subsection (f) of this section.

(h) Processing personal data for the purposes expressly identified in this section shall not solely make a legal entity a controller with respect to such processing.

(a) The Department of Justice has enforcement authority over this chapter and may investigate and prosecute violations of this chapter in accordance with the provisions of subchapter II of Chapter 25 of Title 29.

(b) During the period beginning on January 1, 2025, and ending on December 31, 2025, the Department of Justice shall, prior to initiating any action for a violation of any provision of this chapter, issue a notice of violation to the controller if the Department of Justice determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the Department of Justice may bring an enforcement proceeding pursuant to subsection (a) of this section.

(c) Beginning on January 1, 2026, the Department of Justice may, in determining whether to grant a controller or processor the opportunity to cure an alleged violation of any provision of this chapter, may consider all of the following:

(1) The number of violations.

(2) The size and complexity of the controller or processor.

(3) The nature and extent of the controller’s or processor’s processing activities.

(4) The substantial likelihood of injury to the public.

(5) The safety of persons or property.

(6) Whether such alleged violation was likely caused by human or technical error.

(7) The extent to which the controller or processor has violated this or similar laws in the past.

(d) Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of said sections or any other law.

(e) A violation of this chapter shall be deemed an unlawful practice under § 2513 of this title and a violation of subchapter II of this title, and shall be enforced solely by the Department of Justice.

This part may be cited as the “Florida Digital Bill of Rights.”

As used in this part, the term:

(1) “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or that shares common branding with another legal entity. For purposes of this subsection, the term “control” or “controlled” means any of the following:

(a) The ownership of, or power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company.

(b) The control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

(c) The power to exercise controlling influence over the management of a company.

(2) “Aggregate consumer information” means information that relates to a group or category of consumers from which the identity of an individual consumer has been removed and is not reasonably capable of being directly or indirectly associated or linked with any consumer, household, or device. The term does not include information about a group or category of consumers used to facilitate targeted advertising or the display of ads online. The term does not include personal information that has been deidentified.

(3) “Authenticate” or “authenticated” means to verify or the state of having been verified, respectively, through reasonable means that the consumer who is entitled to exercise the consumer's rights under s. 501.705 is the same consumer exercising those consumer rights with respect to the personal data at issue.

(4) “Biometric data” means data generated by automatic measurements of an individual's biological characteristics. The term includes fingerprints, voiceprints, eye retinas or irises, or other unique biological patterns or characteristics used to identify a specific individual. The term does not include physical or digital photographs; video or audio recordings or data generated from video or audio recordings; or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.

(5) “Business associate” has the same meaning as in 45 C.F.R. s. 160.103 and the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.

(6) “Child” means an individual younger than 18 years of age.

(7) “Consent,” when referring to a consumer, means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act. The term does not include any of the following:

(a) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information.

(b) Hovering over, muting, pausing, or closing a given piece of content.

(c) Agreement obtained through the use of dark patterns.

(8) “Consumer” means an individual who is a resident of or is domiciled in this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.

(9) “Controller” means:

(a) A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:

1. Is organized or operated for the profit or financial benefit of its shareholders or owners;

2. Conducts business in this state;

3. Collects personal data about consumers, or is the entity on behalf of which such information is collected;

4. Determines the purposes and means of processing personal data about consumers alone or jointly with others;

5. Makes in excess of $1 billion in global gross annual revenues; and

6. Satisfies at least one of the following:

a. Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;

b. Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or

c. Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.

(b) Any entity that controls or is controlled by a controller. As used in this paragraph, the term “control” means:

1. Ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a controller;

2. Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or

3. The power to exercise a controlling influence over the management of a company.

(10) “Covered entity” has the same meaning as in 45 C.F.R. s. 160.103 and the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.

(11) “Dark pattern” means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decisionmaking, or choice. The term includes any practice the Federal Trade Commission refers to as a dark pattern.

(12) “Decision that produces a legal or similarly significant effect concerning a consumer” means a decision made by a controller which results in the provision or denial by the controller of any of the following:

(a) Financial and lending services.

(b) Housing, insurance, or health care services.

(c) Education enrollment.

(d) Employment opportunities.

(e) Criminal justice.

(f) Access to basic necessities, such as food and water.

(13) “Deidentified data” means data that cannot reasonably be linked to an identified or identifiable individual or a device linked to that individual.

(14) “Health care provider” has the same meaning as in 45 C.F.R. s. 160.103 and the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.

(15) “Health record” means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health care services to an individual which concerns the individual and the services provided. The term includes any of the following:

(a) The substance of any communication made by an individual to a health care provider in confidence during or in connection with the provision of health care services.

(b) Information otherwise acquired by the health care provider about an individual in confidence and in connection with health care services provided to the individual.

(16) “Identified or identifiable individual” means a consumer who can be readily identified, directly or indirectly.

(17) “Known child” means a child under circumstances of which a controller has actual knowledge of, or willfully disregards, the child's age.

(18) “Nonprofit organization” means any of the following:

(a) An organization exempt from federal taxation under s. 501(a) of the Internal Revenue Code of 1986 by virtue of being listed as an exempt organization under s. 501(c)(3), s. 501(c)(4), s. 501(c)(6), or s. 501(c)(12) of that code.

(b) A political organization.

(19) “Personal data” means any information, including sensitive data, which is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.

(20) “Political organization” means a party, a committee, an association, a fund, or any other organization, regardless of whether incorporated, organized and operated primarily for the purpose of influencing or attempting to influence any of the following:

(a) The selection, nomination, election, or appointment of an individual to a federal, state, or local public office or an office in a political organization, regardless of whether the individual is selected, nominated, elected, or appointed.

(b) The election of a presidential or vice-presidential elector, regardless of whether the elector is selected, nominated, elected, or appointed.

(21) “Postsecondary education institution” means a Florida College System institution, state university, or nonpublic postsecondary education institution that receives state funds.

(22) “Precise geolocation data” means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, which directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. The term does not include the content of communications or any data generated by or connected to an advanced utility metering infrastructure system or to equipment for use by a utility.

(23) “Process” or “processing” means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

(24) “Processor” means a person who processes personal data on behalf of a controller.

(25) “Profiling” means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

(26) “Protected health information” has the same meaning as in 45 C.F.R. s. 160.103 and the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.

(27) “Pseudonymous data” means any information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

(28) “Publicly available information” means information lawfully made available through government records, or information that a business has a reasonable basis for believing is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

(29) “Sale of personal data” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. The term does not include any of the following:

(a) The disclosure of personal data to a processor who processes the personal data on the controller's behalf.

(b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer.

(c) The disclosure of information that the consumer:

1. Intentionally made available to the general public through a mass media channel; and

2. Did not restrict to a specific audience.

(d) The disclosure or transfer of personal data to a third party as an asset that is part of a merger or an acquisition.

(30) “Search engine” means technology and systems that use algorithms to sift through and index vast third-party websites and content on the Internet in response to search queries entered by a user. The term does not include the license of search functionality for the purpose of enabling the licensee to operate a third-party search engine service in circumstances where the licensee does not have legal or operational control of the search algorithm, the index from which results are generated, or the ranking order in which the results are provided.

(31) “Sensitive data” means a category of personal data which includes any of the following:

(a) Personal data revealing an individual's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.

(b) Genetic or biometric data processed for the purpose of uniquely identifying an individual.

(c) Personal data collected from a known child.

(d) Precise geolocation data.

(32) “State agency” means any department, commission, board, office, council, authority, or other agency in the executive branch of state government created by the State Constitution or state law. The term includes a postsecondary education institution.

(33) “Targeted advertising” means displaying to a consumer an advertisement selected based on personal data obtained from that consumer's activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer's preferences or interests. The term does not include an advertisement that is:

(a) Based on the context of a consumer's current search query on the controller's own website or online application; or

(b) Directed to a consumer search query on the controller's own website or online application in response to the consumer's request for information or feedback.

(34) “Third party” means a person, other than the consumer, the controller, the processor, or an affiliate of the controller or processor.

(35) “Trade secret” has the same meaning as in s. 812.081.

(36) “Voice recognition feature” means the function of a device which enables the collection, recording, storage, analysis, transmission, interpretation, or other use of spoken words or other sounds.

(1) This part applies only to a person who:

(a) Conducts business in this state or produces a product or service used by residents of this state; and

(b) Processes or engages in the sale of personal data.

(2) This part does not apply to any of the following:

(a) A state agency or a political subdivision of the state.

(b) A financial institution or data subject to Title V, Gramm-Leach-Bliley Act, 15 U.S.C. ss. 6801 et seq.

(c) A covered entity or business associate governed by the privacy, security, and breach notification regulations issued by the United States Department of Health and Human Services, 45 C.F.R. parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq., and the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII and Division B, Title IV, Pub. L. No. 111-5.

(d) A nonprofit organization.

(e) A postsecondary education institution.

(f) The processing of personal data:

1. By a person in the course of a purely personal or household activity.

2. Solely for measuring or reporting advertising performance, reach, or frequency.

(3) A controller or processor that complies with the authenticated parental consent requirements of the Children's Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq., with respect to data collected online, is considered to be in compliance with any requirement to obtain parental consent under this part.

All of the following information is exempt from this part:

(1) Protected health information under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.

(2) Health records.

(3) Patient identifying information for purposes of 42 U.S.C. s. 290dd-2.

(4) Identifiable private information:

(a) For purposes of the federal policy for the protection of human subjects under 45 C.F.R. part 46;

(b) Collected as part of human subjects research under the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 C.F.R. parts 50 and 56; or

(c) That is personal data used or shared in research conducted in accordance with this part or other research conducted in accordance with applicable law.

(5) Information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. ss. 11101 et seq.

(6) Patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005, 42 U.S.C. ss. 299b-21 et seq.

(7) Information derived from any of the health-care-related information listed in this section which is deidentified in accordance with the requirements for deidentification under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.

(8) Information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this section which is maintained by a covered entity or business associate as defined by the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq. or by a program or a qualified service organization as defined by 42 U.S.C. s. 290dd-2.

(9) Information included in a limited data set as described by 45 C.F.R. s. 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by 45 C.F.R. s. 164.514(e).

(10) Information used only for public health activities and purposes as described in 45 C.F.R. s. 164.512.

(11) Information collected or used only for public health activities and purposes as authorized by the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. ss. 1320d et seq.

(12) The collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, or by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. ss. 1681 et seq.

(13) Personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 U.S.C. ss. 2721 et seq.

(14) Personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. s. 1232g.

(15) Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971, 12 U.S.C. ss. 2001 et seq.

(16) Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

(17) Data processed or maintained as the emergency contact information of an individual under this part which is used for emergency contact purposes.

(18) Data that is processed or maintained and that is necessary to retain to administer benefits for another individual which relates to an individual described in subsection (16) and which is used for the purposes of administering those benefits.

(19) Personal data collected and transmitted which is necessary for the sole purpose of sharing such personal data with a financial service provider solely to facilitate short-term, transactional payment processing for the purchase of products or services.

(20) Personal data collected, processed, sold, or disclosed in relation to price, route, or service as those terms are used in the Airline Deregulation Act, 49 U.S.C. ss. 40101 et seq., by entities subject to that act, to the extent the provisions of this act are preempted by 49 U.S.C. s. 41713.

(21) Personal data shared between a manufacturer of a tangible product and authorized third-party distributors or vendors of the product, as long as such personal data is used solely for advertising, marketing, or servicing the product that is acquired directly through such manufacturer and such authorized third-party distributors or vendors. Such personal data may not be sold or shared unless otherwise authorized under this part.

(1) A consumer is entitled to exercise the consumer rights authorized by this section at any time by submitting a request to a controller which specifies the consumer rights that the consumer wishes to exercise. With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child may exercise these rights on behalf of the child.

(2) A controller shall comply with an authenticated consumer request to exercise any of the following rights:

(a) To confirm whether a controller is processing the consumer's personal data and to access the personal data.

(b) To correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.

(c) To delete any or all personal data provided by or obtained about the consumer.

(d) To obtain a copy of the consumer's personal data in a portable and, to the extent technically feasible, readily usable format if the data is available in a digital format.

(e) To opt out of the processing of the personal data for purposes of:

1. Targeted advertising;

2. The sale of personal data; or

3. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning a consumer.

(f) To opt out of the collection of sensitive data, including precise geolocation data, or the processing of sensitive data.

(g) To opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.

(3) A device that has a voice recognition feature, a facial recognition feature, a video recording feature, an audio recording feature, or any other electronic, visual, thermal, or olfactory feature that collects data may not use those features for the purpose of surveillance by the controller, processor, or affiliate of a controller or processor when such features are not in active use by the consumer, unless otherwise expressly authorized by the consumer.

(1) Except as otherwise provided by this part, a controller shall comply with a request submitted by a consumer to exercise the consumer's rights pursuant to s. 501.705, as provided in this section.

(2) A controller shall respond to the consumer request without undue delay, which may not be later than 45 days after the date of receipt of the request. The controller may extend the response period once by an additional 15 days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial 45-day response period, together with the reason for the extension.

(3) If a controller cannot take action regarding the consumer's request, the controller must inform the consumer without undue delay, which may not be later than 45 days after the date of receipt of the request, of the justification for the inability to take action on the request and provide instructions on how to appeal the decision in accordance with s. 501.707. A controller is not required to comply with a consumer request submitted under s. 501.705 if the controller cannot authenticate the request. However, the controller must make a reasonable effort to request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request. If a controller maintains a self-service mechanism to allow a consumer to correct certain personal data, the controller may deny the consumer's request and require the consumer to correct his or her own personal data through such mechanism.

(4) A controller must provide the consumer with notice within 60 days after the request is received that the controller has complied with the consumer's request as required in this section.

(5) A controller shall provide information or take action in response to a consumer request free of charge, at least twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. The controller bears the burden of demonstrating for purposes of this subsection that a request is manifestly unfounded, excessive, or repetitive.

(6) A controller who has obtained personal data about a consumer from a source other than the consumer is considered in compliance with a consumer's request to delete that personal data pursuant to s. 501.705(2)(c), by doing any of the following:

(a) Deleting the personal data, retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring that the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose under this part.

(b) Opting the consumer out of the processing of that personal data for any purpose other than a purpose exempt under this part.

Any provision of a contract or agreement which waives or limits in any way a consumer right described by s. 501.705, s. 501.706, or s. 501.707 is contrary to public policy and is void and unenforceable.

(1) A controller shall establish two or more methods to enable consumers to submit a request to exercise their consumer rights under this part. The methods must be secure, reliable, and clearly and conspicuously accessible. The methods must take all of the following into account:

(a) The ways in which consumers normally interact with the controller.

(b) The necessity for secure and reliable communications of these requests.

(c) The ability of the controller to authenticate the identity of the consumer making the request.

(2) A controller may not require a consumer to create a new account to exercise the consumer's rights under this part but may require a consumer to use an existing account.

(3) A controller shall provide a mechanism on its website for a consumer to submit a request for information required to be disclosed under this part. A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal data may also provide an e-mail address for the submission of requests.

(1) A controller shall:

(a) Limit the collection of personal data to data that is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed, as disclosed to the consumer; and

(b) For purposes of protecting the confidentiality, integrity, and accessibility of personal data, establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue.

(2) A controller may not do any of the following:

(a) Except as otherwise provided by this part, process personal data for a purpose that is neither reasonably necessary nor compatible with the purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent.

(b) Process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.

(c) Discriminate against a consumer for exercising any of the consumer rights contained in this part, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer. A controller may offer financial incentives, including payments to consumers as compensation, for processing of personal data if the consumer gives the controller prior consent that clearly describes the material terms of the financial incentive program and provided that such incentive practices are not unjust, unreasonable, coercive, or usurious in nature. The consent may be revoked by the consumer at any time.

(d) Process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data with the affirmative authorization for such processing by a known child who is between 13 and 18 years of age or in accordance with the Children's Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child under the age of 13.

(3) Paragraph (2)(c) may not be construed to require a controller to provide a product or service that requires the personal data of a consumer which the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer's right to opt out under s. 501.705(2) or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

(4) A controller that operates a search engine shall make available, in an easily accessible location on the web page which does not require a consumer to log in or register to read, an up-to-date, plain language description of the main parameters that are individually or collectively the most significant in determining ranking and the relative importance of those main parameters, including the prioritization or deprioritization of political partisanship or political ideology in search results. Algorithms are not required to be disclosed nor is any other information that, with reasonable certainty, would enable deception of or harm to consumers through the manipulation of search results.

(1) A controller shall provide consumers with a reasonably accessible and clear privacy notice, updated at least annually, that includes all of the following information:

(a) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller.

(b) The purpose of processing personal data.

(c) How consumers may exercise their rights under s. 501.705(2), including the process by which a consumer may appeal a controller's decision with regard to the consumer's request.

(d) If applicable, the categories of personal data that the controller shares with third parties.

(e) If applicable, the categories of third parties with whom the controller shares personal data.

(f) A description of the methods specified in s. 501.709 by which consumers can submit requests to exercise their consumer rights under this part.

(2) If a controller engages in the sale of personal data that is sensitive data, the controller must provide the following notice: “NOTICE: This website may sell your sensitive personal data.” The notice must be posted in accordance with subsection (1).

(3) If a controller engages in the sale of personal data that is biometric data, the controller must provide the following notice: “NOTICE: This website may sell your biometric personal data.” The notice must be posted in accordance with subsection (1).

(4) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process.

(5) A controller may not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

(1) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting or complying with the controller's duties under this section and the requirements of this part, including the following:

(a) Assisting the controller in responding to consumer rights requests submitted pursuant to ss. 501.705 and 501.709, by using appropriate technical and organizational measures, as reasonably practicable, taking into account the nature of processing and the information available to the processor.

(b) Assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor's system under s. 501.171, taking into account the nature of processing and the information available to the processor.

(c) Providing necessary information to enable the controller to conduct and document data protection assessments under s. 501.713.

(2) A contract between a controller and a processor governs the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract must include all of the following information:

(a) Clear instructions for processing data.

(b) The nature and purpose of processing.

(c) The type of data subject to processing.

(d) The duration of processing.

(e) The rights and obligations of both parties.

(f) A requirement that the processor:

1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

2. At the controller's direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;

3. Make available to the controller, upon reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance with this part;

4. Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; and

5. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.

(3) Notwithstanding subparagraph (2)(f)4., a processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the requirements under this part using an appropriate and accepted control standard or framework and assessment procedure. The processor shall provide a report of the assessment to the controller upon request.

(4) This section may not be construed to relieve a controller or a processor from the liabilities imposed on the controller or processor by virtue of its role in the processing relationship as described by this part.

(5) A determination as to whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains in the role of a processor.

(1) A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:

(a) The processing of personal data for purposes of targeted advertising.

(b) The sale of personal data.

(c) The processing of personal data for purposes of profiling if the profiling presents a reasonably foreseeable risk of:

1. Unfair or deceptive treatment of or unlawful disparate impact on consumers;

2. Financial, physical, or reputational injury to consumers;

3. A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or

4. Other substantial injury to consumers.

(d) The processing of sensitive data.

(e) Any processing activities involving personal data which present a heightened risk of harm to consumers.

(2) A data protection assessment conducted under subsection (1) must do all of the following:

(a) Identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.

(b) Factor into the assessment:

1. The use of deidentified data;

2. The reasonable expectations of consumers;

3. The context of the processing; and

4. The relationship between the controller and the consumer whose personal data will be processed.

(3) The disclosure of a data protection assessment in compliance with a request from the Attorney General pursuant to s. 501.72 does not constitute a waiver of attorney-client privilege or work-product protection with respect to the assessment and any information contained in the assessment.

(4) A single data protection assessment may address a comparable set of processing operations which include similar activities.

(5) A data protection assessment conducted by a controller for the purpose of compliance with any other law or regulation may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect.

(6) This section applies only to processing activities generated on or after July 1, 2023.

(1) A controller in possession of deidentified data shall do all of the following:

(a) Take reasonable measures to ensure that the data cannot be associated with an individual.

(b) Maintain and use the data in deidentified form. A controller may not attempt to reidentify the data, except that the controller may attempt to reidentify the data solely for the purpose of determining whether its deidentification processes satisfy the requirements of this section.

(c) Contractually obligate any recipient of the deidentified data to comply with this part.

(d) Implement business processes to prevent the inadvertent release of deidentified data.

(2) This part may not be construed to require a controller or processor to do any of the following:

(a) Reidentify deidentified data or pseudonymous data.

(b) Maintain data in an identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data.

(c) Comply with an authenticated consumer rights request under s. 501.705 if the controller:

1. Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;

2. Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and

3. Does not sell the personal data to a third party or otherwise voluntarily disclose the personal data to a third party other than a processor, except as otherwise authorized by this section.

(3) The consumer rights enumerated under s. 501.705(2) and controller duties imposed under s. 501.71 do not apply to pseudonymous data or aggregate consumer information in cases in which the controller is able to demonstrate that any information necessary to identify the consumer is kept separate and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

(4) A controller that discloses pseudonymous data, deidentified data, or aggregate consumer information shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the data or information is subject and shall take appropriate steps to address any breach of the contractual commitments.

(1) A person who meets the requirements of s. 501.702(9)(a) 1-3. for the definition of a controller may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer or, if the sensitive data is of a known child, without processing that data with the affirmative authorization for such processing by a known child who is between 13 and 18 years of age or in accordance with the Children's Online Privacy Protection Act, 15 U.S.C. ss. 6501 et seq. for a known child under the age of 13.

(2) A person in subsection (1) who engages in the sale of personal data that is sensitive data must provide the following notice: “NOTICE: This website may sell your sensitive personal data.”

(3) A person who violates this section is subject to the penalty imposed under s. 501.72.

(1) This part may not be construed to restrict a controller's or processor's ability to do any of the following:

(a) Comply with federal or state laws, rules, or regulations.

(b) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.

(c) Investigate, establish, exercise, prepare for, or defend legal claims.

(d) Provide a product or service specifically requested by a consumer or the parent or guardian of a child; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer before entering into a contract.

(e) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual and in which the processing cannot be manifestly based on another legal basis.

(f) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity.

(g) Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security.

(h) Engage in public or peer-reviewed scientific or statistical research in the public interest which adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar independent oversight entity that determines:

1. Whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;

2. Whether the expected benefits of the research outweigh the privacy risks; and

3. Whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

(i) Assist another controller, processor, or third party in complying with the requirements of this part.

(j) Disclose personal data disclosed when a consumer uses or directs the controller to intentionally disclose information to a third party or uses the controller to intentionally interact with a third party. An intentional interaction occurs when the consumer intends to interact with the third party by one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.

(k) Transfer personal data to a third party as an asset that is part of a merger, an acquisition, a bankruptcy, or other transaction in which the third party assumes control of all or part of the controller, provided that the information is used or shared in a manner consistent with this part. If a third party materially alters how it uses or shares the personal data of a consumer in a manner that is materially inconsistent with the commitments or promises made at the time of collection, it must provide prior notice of the new or changed practice to the consumer. The notice must be sufficiently prominent and robust to ensure that consumers can easily exercise choices consistent with this part.

(2) This part may not be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.

(3) This part may not be construed as imposing a requirement on controllers and processors which adversely affects the rights or freedoms of any person, including the right of free speech.

(4) This part may not be construed as requiring a controller, processor, third party, or consumer to disclose a trade secret.

(1) The requirements imposed on controllers and processors under this part may not restrict a controller's or processor's ability to collect, use, or retain data to do any of the following:

(a) Conduct internal research to develop, improve, or repair products, services, or technology.

(b) Effect a product recall.

(c) Identify and repair technical errors that impair existing or intended functionality.

(d) Perform internal operations that are:

1. Reasonably aligned with the expectations of the consumer;

2. Reasonably anticipated based on the consumer's existing relationship with the controller; or

3. Otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

(2) A requirement imposed on a controller or processor under this part does not apply if compliance with the requirement by the controller or processor, as applicable, would violate an evidentiary privilege under the laws of this state.

(1) A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this part does not violate this part if the third-party controller or processor that receives and processes that personal data violates this part, provided that, at the time of the data's disclosure, the disclosing controller or processor could not have reasonably known that the recipient intended to commit a violation.

(2) A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this part may not be held liable for violations of this part committed by the controller or processor from which the third-party controller or processor receives the personal data.

(1) Personal data processed by a controller pursuant to ss. 501.716-501.718 may not be processed for any purpose other than those specified in those sections. Personal data processed by a controller pursuant to ss. 501.716-501.718 may be processed to the extent that the processing of the data is:

(a) Reasonably necessary and proportionate to the purposes specified in ss. 501.716-501.718;

(b) Adequate, relevant, and limited to what is necessary in relation to the purposes specified in ss. 501.716-501.718; and

(c) Done to assist another controller, processor, or third party with any of the purposes specified in s. 501.716, s. 501.717, or s. 501.718.

(2) A controller or processor that collects, uses, or retains personal data for the purposes specified in s. 501.717(1) must take into account the nature and purpose of such collection, use, or retention. Such personal data is subject to reasonable administrative, technical, and physical measures to protect its confidentiality, integrity, and accessibility and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.

(3) A controller or processor shall adopt and implement a retention schedule that prohibits the use or retention of personal data not subject to an exemption by the controller or processor after the satisfaction of the initial purpose for which such information was collected or obtained, after the expiration or termination of the contract pursuant to which the information was collected or obtained, or 2 years after the consumer's last interaction with the controller or processor. This subsection does not apply to personal data reasonably used or retained to do any of the following:

(a) Provide a good or service requested by the consumer, or reasonably anticipate the request of such good or service within the context of a controller's ongoing business relationship with the consumer.

(b) Debug to identify and repair errors that impair existing intended functionality.

(c) Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the controller or that are compatible with the context in which the consumer provided the information.

(4) A controller or processor that processes personal data pursuant to ss. 501.716-501.718 bears the burden of demonstrating that the processing of the personal data qualifies for the exemption and complies with the requirements of this section.

(1) A violation of this part is an unfair and deceptive trade practice actionable under part II of this chapter solely by the Department of Legal Affairs. If the department has reason to believe that a person is in violation of this section, the department may, as the enforcing authority, bring an action against such person for an unfair or deceptive act or practice. For the purpose of bringing an action pursuant to this section, ss. 501.211 and 501.212 do not apply. In addition to other remedies under part II of this chapter, the department may collect a civil penalty of up to $50,000 per violation. Civil penalties may be tripled for any of the following violations:

(a) A violation involving a Florida consumer who is a known child. A controller that willfully disregards the consumer's age is deemed to have actual knowledge of the consumer's age.

(b) Failure to delete or correct the consumer's personal data pursuant to this section after receiving an authenticated consumer request or directions from a controller to delete or correct such personal data, unless an exception to the requirements to delete or correct such personal data under this section applies.

(c) Continuing to sell or share the consumer's personal data after the consumer chooses to opt out under this part.

(2) After the department has notified a person in writing of an alleged violation, the department may grant a 45-day period to cure the alleged violation and issue a letter of guidance. The 45-day cure period does not apply to an alleged violation of paragraph (1)(a). The department may consider the number and frequency of violations, the substantial likelihood of injury to the public, and the safety of persons or property in determining whether to grant 45 calendar days to cure and the issuance of a letter of guidance. If the alleged violation is cured to the satisfaction of the department and proof of such cure is provided to the department, the department may not bring an action for the alleged violation but, in its discretion, may issue a letter of guidance that indicates that the person will not be offered a 45-day cure period for any future violations. If the person fails to cure the alleged violation within 45 calendar days, the department may bring an action against such person for the alleged violation.

(3) Any action brought by the department may be brought only on behalf of a Florida consumer.

(4) By February 1 of each year, the department shall make a report publicly available on the department's website describing any actions taken by the department to enforce this section. The report must include statistics and relevant information detailing all of the following:

(a) The number of complaints received and the categories or types of violations alleged by the complainant.

(b) The number and type of enforcement actions taken and the outcomes of such actions, including the amount of penalties issued and collected.

(c) The number of complaints resolved without the need for litigation.

(d) For the report due February 1, 2024, the status of the development and implementation of rules to implement this section.

(5) The department shall adopt rules to implement this section, including standards for authenticated consumer requests, enforcement, data security, and authorized persons who may act on a consumer's behalf.

(6) The department may collaborate and cooperate with other enforcement authorities of the Federal Government or other state governments concerning consumer data privacy issues and consumer data privacy investigations if such enforcement authorities have restrictions governing confidentiality at least as stringent as the restrictions provided in this section.

(7) Liability for a tort, contract claim, or consumer protection claim unrelated to an action brought under this section does not arise solely from the failure of a person to comply with this part.

(8) This part does not establish a private cause of action.

(9) The department may employ or use the legal services of outside counsel and the investigative services of outside personnel to fulfill the obligations of this section.

(10) For purposes of bringing an action pursuant to this section, any person who meets the definition of controller as defined in this part who collects, shares, or sells the personal data of Florida consumers is considered to be engaged in both substantial and not isolated activities within this state and operating, conducting, engaging in, or carrying on a business, and doing business in this state, and is, therefore, subject to the jurisdiction of the courts of this state.

This part is a matter of statewide concern and supersedes all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection, processing, sharing, or sale of consumer personal data by a controller or processor. The regulation of the collection, processing, sharing, or sale of consumer personal data by a controller or processor is preempted to the state.

This section is repealed by its own terms on October 2, 2028, unless reviewed and saved from repeal by the Legislature.

(1) All information received by the department pursuant to a notification of a violation under this part, or received by the department pursuant to an investigation by the department or a law enforcement agency of a violation of this part, is confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution, until such time as the investigation is completed or ceases to be active. This exemption shall be construed in conformity with s. 119.071(2)(c).

(2) During an active investigation, information made confidential and exempt pursuant to subsection (1) may be disclosed by the department:

(a) In the furtherance of its official duties and responsibilities;

(b) For print, publication, or broadcast if the department determines that such release would assist in notifying the public or locating or identifying a person that the department believes to be a victim of a data breach or an improper use or disposal of customer records, except that information made confidential and exempt by subsection (3) may not be released pursuant to this paragraph; or

(c) To another governmental entity in the furtherance of its official duties and responsibilities.

(3) Upon completion of an investigation or once an investigation ceases to be active, the following information received by the department shall remain confidential and exempt from s. 119.07(1) and s. 24(a), Art. I of the State Constitution:

(a) All information to which another public records exemption applies.

(b) Personal information.

(c) A computer forensic report.

(d) Information that would otherwise reveal weaknesses in the data security of a controller, processor, or third party.

(e) Information that would disclose the proprietary information of a controller, processor, or third party.

(4) For purposes of this section, the term “proprietary information” means information that:

(a) Is owned or controlled by the controller, processor, or third party.

(b) Is intended to be private and is treated by the controller, processor, or third party as private because disclosure would harm the controller, processor, or third party or its business operations.

(c) Has not been disclosed except as required by law or a private agreement that provides that the information will not be released to the public.

(d) Is not publicly available or otherwise readily ascertainable through proper means from another source in the same configuration as received by the department.

(e) Includes:

1. Trade secrets as defined in s. 688.002.

2. Competitive interests, the disclosure of which would impair the competitive advantage of the controller, processor, or third party who is the subject of the information.

(5) This section is subject to the Open Government Sunset Review Act in accordance with s. 119.15 and shall stand repealed on October 2, 2028, unless reviewed and saved from repeal through reenactment by the Legislature.

As used in this chapter, unless the context otherwise requires:

1. “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, “control” or “controlled” means:

a. Ownership of, or the power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company.

b. Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.

c. The power to exercise controlling influence over the management of a company.

2. “Aggregate data” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer.

3. “Authenticate” means verifying through reasonable means that a consumer, entitled to exercise their consumer rights in section 715D.3, is the same consumer exercising such consumer rights with respect to the personal data at issue.

4. “Biometric data” means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual. “Biometric data” does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

5. “Child” means any natural person younger than thirteen years of age.

6. “Consent” means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. “Consent” may include a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

7. “Consumer” means a natural person who is a resident of the state acting only in an individual or household context and excluding a natural person acting in a commercial or employment context.

8. “Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.

9. “Covered entity” means the same as “covered entity” defined by HIPAA.

10. “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person.

11. “Fund” means the consumer education and litigation fund established pursuant to section 714.16C.

12. “Health care provider” means any of the following:

a. A general hospital, ambulatory surgical or treatment center, skilled nursing center, or assisted living center licensed or certified by the state.

b. A psychiatric hospital licensed by the state.

c. A hospital operated by the state.

d. A hospital operated by the state board of regents.

e. A person licensed to practice medicine or osteopathy in the state.

f. A person licensed to furnish health care policies or plans in the state.

g. A person licensed to practice dentistry in the state.

h. “Health care provider” does not include a continuing care retirement community or any nursing facility of a religious body which depends upon prayer alone for healing.

13. “Health Insurance Portability and Accountability Act” or “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, including amendments thereto and regulations promulgated thereunder.

14. “Health record” means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including related health information provided in confidence to a health care provider.

15. “Identified or identifiable natural person” means a person who can be readily identified, directly or indirectly.

16. “Institution of higher education” means nonprofit private institutions of higher education and proprietary private institutions of higher education in the state, community colleges, and each associate-degree-granting and baccalaureate public institutions of higher education in the state.

17. “Nonprofit organization” means any corporation organized under chapter 504, any organization exempt from taxation under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any organization exempt from taxation under section 501(c)(4) of the Internal Revenue Code that is established to detect or prevent insurance-related crime or fraud, and any subsidiaries and affiliates of entities organized pursuant to chapter 499.

18. “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable natural person. “Personal data” does not include de-identified or aggregate data or publicly available information.

19. “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet. “Precise geolocation data” does not include the content of communications, or any data generated by or connected to utility metering infrastructure systems or equipment for use by a utility.

20. “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

21. “Processor” means a person that processes personal data on behalf of a controller.

22. “Protected health information” means the same as protected health information established by HIPAA.

23. “Pseudonymous data” means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

24. “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

25. “Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party. “Sale of personal data” does not include:

a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller.

b. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer or a parent of a child.

c. The disclosure or transfer of personal data to an affiliate of the controller.

d. The disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience.

e. The disclosure or transfer of personal data when a consumer uses or directs a controller to intentionally disclose personal data or intentionally interact with one or more third parties.

f. The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

26. “Sensitive data” means a category of personal data that includes the following:

a. Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law.

b. Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person.

c. The personal data collected from a known child.

d. Precise geolocation data.

27. “State agency” means the same as defined in 129 IAC 10.2(8B).

28. “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests. “Targeted advertising” does not include the following:

a. Advertisements based on activities within a controller's own or affiliated websites or online applications.

b. Advertisements based on the context of a consumer's current search query, visit to a website, or online application.

c. Advertisements directed to a consumer in response to the consumer's request for information or feedback.

d. Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

29. “Third party” means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.

30. “Trade secret” means information, including but not limited to a formula, pattern, compilation, program, device, method, technique, or process, that consists of the following:

a. Information that derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use.

b. Information that is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

1. This chapter applies to a person conducting business in the state or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following:

a. Controls or processes personal data of at least one hundred thousand consumers.

b. Controls or processes personal data of at least twenty-five thousand consumers and derives over fifty percent of gross revenue from the sale of personal data.

2. This chapter shall not apply to the state or any political subdivision of the state; financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal Gramm-Leach-Bliley Act of 1999, l5 U.S.C. § 6801 et seq.; persons who are subject to and comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit. D, of the federal Health Information Technology for Economic and Clinical Health Act of 2009, 42 U.S.C. § 17921--17954; nonprofit organizations; or institutions of higher education.

3. The following information and data is exempt from this chapter:

a. Protected health information under HIPAA.

b. Health records.

c. Patient identifying information for purposes of 42 U.S.C. § 290dd-2.

d. Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46.

e. Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization of technical requirements for pharmaceuticals for human use.

f. The protection of human subjects under 21 C.F.R. pts. 6, 50, and 56.

g. Personal data used or shared in research conducted in accordance with the requirements set forth in this chapter, or other research conducted in accordance with applicable law.

h. Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. § 11101 et seq.

i. Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. § 299b-21 et seq.

j. Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA.

k. Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. § 290dd-2.

l. Information used only for public health activities and purposes as authorized by HIPAA.

m. The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.

n. Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. § 2721 et seq.

o. Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. § 1232 et seq.

p. Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C. § 2001 et seq.

q. Data processed or maintained as follows:

(1) In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role.

(2) As the emergency contact information of an individual under this chapter used for emergency contact purposes.

(3) That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph (1) and used for the purposes of administering those benefits.

r. Personal data used in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. § 6501 - 6506, and its rules, regulations, and exceptions thereto.

1. A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to the controller, through the means specified by the controller pursuant to section 715D.4, subsection 6, specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke such consumer rights on behalf of the known child regarding processing personal data belonging to the child. A controller shall comply with an authenticated consumer request to exercise all of the following:

a. To confirm whether a controller is processing the consumer's personal data and to access such personal data.

b. To delete personal data provided by the consumer.

c. To obtain a copy of the consumer's personal data, except as to personal data that is defined as “personal information” pursuant to section 715C.1 that is subject to security breach protection, that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

d. To opt out of the sale of personal data.

2. Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:

a. A controller shall respond to the consumer without undue delay, but in all cases within ninety days of receipt of a request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five additional days when reasonably necessary upon considering the complexity and number of the consumer's requests by informing the consumer of any such extension within the initial ninety-day response period, together with the reason for the extension.

b. If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay of the justification for declining to take action, except in the case of a suspected fraudulent request, in which case the controller may state that the controller was unable to authenticate the request. The controller shall also provide instructions for appealing the decision pursuant to subsection 3.

c. Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, repetitive, technically unfeasible, or the controller reasonably believes that the primary purpose of the request is not to exercise a consumer right, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, repetitive, or technically unfeasible nature of the request.

d. If a controller is unable to authenticate a request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.

3. A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall also provide the consumer with an online mechanism through which the consumer may contact the attorney general to submit a complaint.

1. A controller shall adopt and implement reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Such data security practices shall be appropriate to the volume and nature of the personal data at issue.

2. A controller shall not process sensitive data collected from a consumer for a nonexempt purpose without the consumer having been presented with clear notice and an opportunity to opt out of such processing, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq.

3. A controller shall not process personal data in violation of state and federal laws that prohibit unlawful discrimination against a consumer. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this chapter shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer's right to opt out pursuant to section 715D.3 or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

4. Any provision of a contract or agreement that purports to waive or limit in any way consumer rights pursuant to section 715D.3 shall be deemed contrary to public policy and shall be void and unenforceable.

5. A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following:

a. The categories of personal data processed by the controller.

b. The purpose for processing personal data.

c. How consumers may exercise their consumer rights pursuant to section 715D.3, including how a consumer may appeal a controller's decision with regard to the consumer's request.

d. The categories of personal data that the controller shares with third parties, if any.

e. The categories of third parties, if any, with whom the controller shares personal data.

6. If a controller sells a consumer's personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity.

7. A controller shall establish, and shall describe in a privacy notice, secure and reliable means for consumers to submit a request to exercise their consumer rights under this chapter. Such means shall consider the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights pursuant to section 715D.3, but may require a consumer to use an existing account.

1. A processor shall assist a controller in duties required under this chapter, taking into account the nature of processing and the information available to the processor by appropriate technical and organizational measures, insofar as is reasonably practicable, as follows:

a. To fulfill the controller's obligation to respond to consumer rights requests pursuant to section 715D.3.

b. To meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a security breach of the processor pursuant to section 715C.2.

2. A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties. The contract shall also include requirements that the processor shall do all of the following:

a. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.

b. At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.

c. Upon the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in this chapter.

d. Engage any subcontractor or agent pursuant to a written contract in accordance with this section that requires the subcontractor to meet the duties of the processor with respect to the personal data.

3. Nothing in this section shall be construed to relieve a controller or a processor from imposed liabilities by virtue of the controller or processor's role in the processing relationship as defined by this chapter.

4. Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.

1. Nothing in this chapter shall be construed to require the following:

a. A controller or processor to re-identify de-identified data or pseudonymous data.

b. Maintaining data in identifiable form.

c. Collecting, obtaining, retaining, or accessing any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

2. Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to section 715D.3, if all of the following apply:

a. The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.

b. The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.

c. The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this chapter.

3. Consumer rights contained in sections 715D.3 and 715D.4 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

4. Controllers that disclose pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

1. Nothing in this chapter shall be construed to restrict a controller's or processor's ability to do the following:

a. Comply with federal, state, or local laws, rules, or regulations.

b. Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities.

c. Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.

d. Investigate, establish, exercise, prepare for, or defend legal claims.

e. Provide a product or service specifically requested by a consumer or parent or guardian of a child, perform a contract to which the consumer or parent or guardian of a child is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent or guardian of a child prior to entering into a contract.

f. Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis.

g. Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity.

h. Preserve the integrity or security of systems.

i. Investigate, report, or prosecute those responsible for any such action.

j. Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine the following:

(1) If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller.

(2) The expected benefits of the research outweigh the privacy risks.

(3) If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.

k. Assist another controller, processor, or third party with any of the obligations under this subsection.

2. The obligations imposed on a controller or processor under this chapter shall not restrict a controller's or processor's ability to collect, use, or retain data as follows:

a. To conduct internal research to develop, improve, or repair products, services, or technology.

b. To effectuate a product recall.

c. To identify and repair technical errors that impair existing or intended functionality.

d. To perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or parent or guardian of a child or the performance of a contract to which the consumer or parent or guardian of a child is a party.

3. The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the laws of the state. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.

4. A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this chapter, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is likewise not in violation of this chapter for the offenses of the controller or processor from which it receives such personal data.

5. Nothing in this chapter shall be construed as an obligation imposed on a controller or a processor that adversely affects the privacy or other rights or freedoms of any persons, such as exercising the right of free speech pursuant to the first amendment to the United States Constitution, or applies to personal data by a person in the course of a purely personal or household activity.

6. Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by this chapter. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is as follows:

a. Reasonably necessary and proportionate to the purposes listed in this section.

b. Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data.

7. If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in subsection 6.

8. Processing personal data for the purposes expressly identified in subsection 1 shall not in and of itself make an entity a controller with respect to such processing.

9. This chapter shall not require a controller, processor, third party, or consumer to disclose trade secrets.

1. The attorney general shall have exclusive authority to enforce the provisions of this chapter. Whenever the attorney general has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this chapter, the attorney general is empowered to issue a civil investigative demand. The provisions of section 685.6 shall apply to civil investigative demands issued under this chapter.

2. Prior to initiating any action under this chapter, the attorney general shall provide a controller or processor ninety days' written notice identifying the specific provisions of this chapter the attorney general alleges have been or are being violated. If within the ninety-day period, the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further such violations shall occur, no action shall be initiated against the controller or processor.

3. If a controller or processor continues to violate this chapter following the cure period in subsection 2 or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of this chapter and civil penalties of up to seven thousand five hundred dollars for each violation under this chapter. Any moneys collected under this section including civil penalties, costs, attorney fees, or amounts which are specifically directed shall be paid into the consumer education and litigation fund established under section 714.16C.

4. Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations of this chapter or under any other law.

1. This chapter supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, municipality, or local agency regarding the processing of personal data by controllers or processors.

2. Any reference to federal, state, or local law or statute in this chapter shall be deemed to include any accompanying rules or regulations or exemptions thereto, or in the case of a federal agency, guidance issued by such agency thereto.

 Ch. 1.Applicability

           Ch. 2.Definitions

           Ch. 3.Personal Data; Consumer Rights

           Ch. 4.Data Controller Responsibilities; Transparency

           Ch. 5.Responsibility According to Role; Controllers and Processors

           Ch. 6.Data Protection Impact Assessments

           Ch. 7.Processing De-identified Data or Pseudonymous Data; Exemptions

           Ch. 8.Limitations

           Ch. 9.Investigative Authority

           Ch. 10.Enforcement

           Ch. 11.Preemption; Other Laws

Effective 1-1-2026.

24-15-1-1Applicability to persons; exceptions

           24-15-1-2Exempt information and data

           24-15-1-3Compliance with Children's Online Privacy Protection Act; satisfaction of obligation to obtain parental consent

Effective 1-1-2026.

  Sec. 1. (a) This article applies to a person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year:

(1) controls or processes personal data of at least one hundred thousand (100,000) consumers who are Indiana residents; or

(2) controls or processes personal data of at least twenty-five thousand (25,000) consumers who are Indiana residents and derives more than fifty percent (50%) of gross revenue from the sale of personal data.

     (b) This article does not apply to any of the following:

(1) Either of the following:

(A) The state, a state agency, or a body, authority, board, bureau, commission, district, or agency of any political subdivision of the state.

(B) A third party under contract with an entity described in clause (A), when acting on behalf of the entity. This clause does not exempt data held or created by third parties outside of the scope of the contract with the entity.

(2) Any financial institutions and affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).

(3) Any covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (45 CFR Parts 160 and 164) pursuant to HIPAA.

(4) Any nonprofit organization.

(5) Any institution of higher education.

(6) Any public utility (as defined in IC 8-1-2-1(a)) or service company affiliated with a public utility (as defined in IC 8-1-2-1(a)). For purposes of this subdivision, "service company" means an associate company within a holding company system organized specifically for the purpose of providing goods or services to a public utility (as defined in IC 8-1-2-1(a)) in the same holding company system.

As added by P.L.94-2023, SEC.1.

Sec. 2. The following information and data are exempt from this article:

(1) Protected health information under HIPAA and related regulations under 45 CFR Part 160, 45 CFR Part 162, and 45 CFR Part 164.

(2) Patient identifying information for purposes of 42 U.S.C. 290dd-2.

(3) Any of the following:

(A) Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 CFR Part 46.

(B) Identifiable private information that is otherwise information collected as part of human subjects research under the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use.

(C) The protection of human subjects under 21 CFR Parts 50 and 56.

(D) Personal data used or shared in research conducted in accordance with the requirements set forth in this article.

(E) Other research conducted in accordance with applicable law.

(4) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 (42 U.S.C. 11101 et seq.).

(5) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. 299b-21 et seq.).

(6) Information derived from any of the health care related information set forth in this section that is de-identified in accordance with the requirements for de-identification under HIPAA.

(7) Information:

(A) originating from;

(B) intermingled with so as to be indistinguishable from; or

(C) treated in the same manner as;

information that is exempt under this section and that is maintained by a covered entity or business associate, as defined in HIPAA, or a program or qualified service organization under 42 U.S.C. 290dd-2.

(8) Information used only for public health activities and purposes, as authorized by HIPAA.

(9) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by:

(A) a consumer reporting agency, furnisher, or user that provides information for use in a consumer report; or

(B) a user of a consumer report;

but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

(10) Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. 2721 et seq.).

(11) Personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. 1232g et seq.).

(12) Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. 2001 et seq.).

(13) Data processed or maintained:

(A) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;

(B) as emergency contact information for an individual under this article and used for emergency contact purposes; or

(C) that is necessary to retain to administer benefits for another individual relating to the individual under clause (A) and used for the purposes of administering those benefits.

As added by P.L.94-2023, SEC.1.

Sec. 3. A:

(1) controller; or

(2) processor;

that complies with the Children's Online Privacy Protection Act (15 U.S.C. 6501 et seq.), and with any rules or regulations under that act, satisfies any obligation to obtain parental consent under this article.

As added by P.L.94-2023, SEC.1.

    24-15-2-0.5Applicability of definitions

           24-15-2-1"Affiliate"

           24-15-2-2"Aggregate data"

           24-15-2-3"Authenticate"

           24-15-2-4"Biometric data"

           24-15-2-5"Business associate"

           24-15-2-6"Child"

           24-15-2-7"Consent"

           24-15-2-8"Consumer"

           24-15-2-9"Controller"

           24-15-2-10"Covered entity"

           24-15-2-11"Decision that produces legal or similarly significant effects concerning a consumer"

           24-15-2-12"De-identified data"

           24-15-2-13"Health care provider"

           24-15-2-14"Health record"

           24-15-2-15"HIPAA"

           24-15-2-16"Identified or identifiable individual"

           24-15-2-17"Institution of higher education"

           24-15-2-18"Nonprofit organization"

           24-15-2-19"Personal data"

           24-15-2-20"Precise geolocation data"

           24-15-2-21"Processing"

           24-15-2-22"Processor"

           24-15-2-23"Profiling"

           24-15-2-24"Protected health information"

           24-15-2-25"Pseudonymous data"

           24-15-2-26"Publicly available information"

           24-15-2-27"Sale of personal data"

           24-15-2-28"Sensitive data"

           24-15-2-29"State agency"

           24-15-2-30"Targeted advertising"

           24-15-2-31"Third party"

           24-15-2-32"Trade secret"

Sec. 0.5. The definitions in this chapter apply throughout this article.

As added by P.L.94-2023, SEC.1.

Sec. 1. (a) "Affiliate" means a legal entity that:

(1) controls, is controlled by, or is under common control with another legal entity; or

(2) shares common branding with another legal entity.

     (b) For purposes of this section, "control", with respect to a company, means:

(1) ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of the company;

(2) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

(3) the power to exercise controlling influence over the management of the company.

As added by P.L.94-2023, SEC.1.

  Sec. 2. "Aggregate data" means information:

(1) that relates to a group or category of consumers;

(2) from which individual consumer identities have been removed; and

(3) that is not linked or reasonably linkable to any consumer.

As added by P.L.94-2023, SEC.1.

Sec. 3. "Authenticate" means to verify through reasonable means that a consumer who is entitled to exercise the personal data rights provided by IC 24-15-3 is the same consumer exercising such rights with respect to particular personal data.

As added by P.L.94-2023, SEC.1.

Sec. 4. (a) "Biometric data" means data that:

(1) is generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, images of the retina or iris, or other unique biological patterns or characteristics; and

(2) is used to identify a specific individual.

     (b) The term does not include:

(1) a physical or digital photograph, or data generated from a physical or digital photograph;

(2) a video or audio recording, or data generated from a video or audio recording; or

(3) information collected, used, or stored for health care treatment, payment, or operations under HIPAA.

As added by P.L.94-2023, SEC.1.

Sec. 5. "Business associate" has the meaning set forth in 45 CFR 160.103.

As added by P.L.94-2023, SEC.1.

Sec. 6. "Child" means any individual who is less than thirteen (13) years of age.

As added by P.L.94-2023, SEC.1.

   Sec. 7. (a) "Consent" means a clear affirmative act that signifies a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.

     (b) For purposes of this section, a "clear affirmative act" includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.

As added by P.L.94-2023, SEC.1.

Sec. 8. (a) "Consumer" means an individual who:

(1) is a resident of Indiana; and

(2) is acting only for a personal, family, or household purpose.

     (b) The term does not include an individual acting in a commercial or employment context.

As added by P.L.94-2023, SEC.1.

Sec. 9. "Controller" means a person that, alone or jointly with others, determines the purpose and means of processing personal data.

As added by P.L.94-2023, SEC.1.

Sec. 10. "Covered entity" has the meaning set forth in 45 CFR 160.103.

As added by P.L.94-2023, SEC.1.

Sec. 11. "Decision that produces legal or similarly significant effects concerning a consumer" means a decision made by a controller that results in the provision or denial by the controller of:

(1) financial and lending services;

(2) housing;

(3) insurance;

(4) education enrollment;

(5) criminal justice;

(6) employment opportunities;

(7) health care services; or

(8) access to basic necessities, such as food and water.

As added by P.L.94-2023, SEC.1.

Sec. 12. "De-identified data" means data that cannot reasonably be linked to an identified or identifiable individual because a controller that possesses the data:

(1) takes reasonable measures to ensure that the data cannot be associated with an individual;

(2) publicly commits to maintaining and using the data without attempting to re-identify the data; and

(3) obligates any recipients of the data through contractual requirements to comply with all applicable provisions of this article.

As added by P.L.94-2023, SEC.1.

Sec. 13. "Health care provider" has the meaning set forth in IC 4-6-14-2.

As added by P.L.94-2023, SEC.1.

Sec. 14. "Health record" has the meaning set forth in IC 1-1-4-5(a)(6).

As added by P.L.94-2023, SEC.1.

Sec. 15. "HIPAA" refers to the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d et seq.).

As added by P.L.94-2023, SEC.1.

Sec. 16. "Identified or identifiable individual" means an individual who can be readily identified, directly or indirectly.

As added by P.L.94-2023, SEC.1.

Sec. 17. "Institution of higher education" means a public or private college or university.

As added by P.L.94-2023, SEC.1.

Sec. 18. "Nonprofit organization" means any organization exempt from taxation under Section 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code.

As added by P.L.94-2023, SEC.1.

Sec. 19. (a) "Personal data" means information that is linked or reasonably linkable to an identified or identifiable individual.

     (b) The term does not include:

(1) de-identified data;

(2) aggregate data; or

(3) publicly available information.

As added by P.L.94-2023, SEC.1.

Sec. 20. (a) "Precise geolocation data" means information derived from technology, including global positioning system level latitude and longitude coordinates, that directly identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty (1,750) feet.

     (b) The term does not include:

(1) the content of communications; or

(2) any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

As added by P.L.94-2023, SEC.1.

Sec. 21. "Processing", with respect to personal data, means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

As added by P.L.94-2023, SEC.1.

Sec. 22. "Processor" means a person that processes personal data on behalf of a controller.

As added by P.L.94-2023, SEC.1.

Sec. 23. "Profiling" means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health or health records, personal preferences, interests, reliability, behavior, location, or movements.

As added by P.L.94-2023, SEC.1.

Sec. 24. "Protected health information" has the meaning set forth in 45 CFR 160.103.

As added by P.L.94-2023, SEC.1.

Sec. 25. "Pseudonymous data" means personal data that cannot be attributed to a specific individual because additional information that would allow the data to be attributed to a specific individual is:

(1) kept separately; and

(2) subject to appropriate technical and organizational measures;

to ensure that the personal data is not attributed to an identified or identifiable individual.

As added by P.L.94-2023, SEC.1.

Sec. 26. "Publicly available information" means information:

(1) that is lawfully made available through federal, state, or local government records; or

(2) that a business has a reasonable basis to believe is lawfully made available:

(A) to the general public through widely distributed media;

(B) by the consumer to whom the information pertains; or

(C) by a person to whom the consumer has disclosed the information;

unless the consumer has restricted the information to a specific audience.

As added by P.L.94-2023, SEC.1.

Sec. 27. (a) "Sale of personal data" means the exchange of personal data for monetary consideration by a controller to a third party.

     (b) The term does not include:

(1) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;

(2) the disclosure of personal data to a third party for purposes of providing a product or service requested by:

(A) the consumer; or

(B) the parent of a child;

to whom the personal data pertains;

(3) the disclosure or transfer of personal data to an affiliate of the controller;

(4) the disclosure of information that the consumer:

(A) intentionally made available to the general public via a channel of mass media; and

(B) did not restrict to a specific audience; or

(5) the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

As added by P.L.94-2023, SEC.1.

Sec. 28. "Sensitive data" means a category of personal data that includes any of the following:

(1) Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, or citizenship or immigration status.

(2) Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual.

(3) Personal data collected from a known child.

(4) Precise geolocation data.

As added by P.L.94-2023, SEC.1.

Sec. 29. "State agency" has the meaning set forth in IC 1-1-15-3.

As added by P.L.94-2023, SEC.1.

Sec. 30. (a) "Targeted advertising" means the displaying of an advertisement to a consumer in which the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.

     (b) The term does not include:

(1) advertisements based on activities within a controller's own or affiliated websites or online applications;

(2) advertisements based on the context of a consumer's current search query, visit to a website, or online application;

(3) advertisements directed to a consumer in response to the consumer's request for information or feedback; or

(4) the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency.

As added by P.L.94-2023, SEC.1.

Sec. 31. "Third party", with respect to a context to which this article applies, means a natural or legal person, public authority, agency, or body other than:

(1) the consumer;

(2) the controller;

(3) the processor; or

(4) an affiliate of the processor or the controller.

As added by P.L.94-2023, SEC.1.

Sec. 32. "Trade secret" has the meaning set forth in IC 24-2-3-2.

As added by P.L.94-2023, SEC.1

 24-15-3-1Personal data; consumer rights; consumer's request to controller; compliance by controller; consumer's right to appeal

Effective 1-1-2026.

Sec. 1. (a) A consumer may invoke one (1) or more rights set forth in subsection (b) by submitting to a controller a request specifying the rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke on behalf of the child one (1) or more rights set forth in subsection (b) with respect to the processing of personal data belonging to the known child by submitting to a controller a request specifying the rights the consumer wishes to invoke on behalf of the child. Except as provided in IC 24-15-7-1(c) and IC 24-15-7-2, and subject to any limitations or conditions set forth in subsections (b) and (c), a controller shall comply with an authenticated consumer request to exercise a right set forth in subsection (b).

     (b) A consumer has the following rights:

(1) To confirm whether or not a controller is processing the consumer's personal data and, subject to the limitations set forth in subdivision (4), to access such personal data.

(2) To correct inaccuracies in the consumer's personal data that the consumer previously provided to a controller, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data. Upon receiving a request from a consumer under this subdivision, a controller shall correct inaccurate information as requested by the consumer, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.

(3) To delete personal data provided by or obtained about the consumer.

(4) To obtain either:

(A) a copy of; or

(B) a representative summary of;

the consumer's personal data that the consumer previously provided to the controller. Information provided to a consumer under this subdivision must be in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data or summary to another controller without hindrance, in any case in which the processing is carried out by automated means. The controller has the discretion to send either a copy or a representative summary of the consumer's personal data under this subdivision, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data. A controller is not required to provide a copy or a representative summary of a consumer's personal data to the same consumer under this subdivision more than one (1) time in a twelve (12) month period.

(5) To opt out of the processing of the consumer's personal data for purposes of:

(A) targeted advertising;

(B) the sale of personal data; or

(C) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

     (c) Except as otherwise provided in this article, a controller shall comply with a request by a consumer to exercise a consumer right set forth in subsection (b) as follows:

(1) A controller shall respond to the consumer without undue delay, but in any case not later than forty-five (45) days after receipt of the consumer's request under this section. The response period prescribed by this subdivision may be extended once by an additional forty-five (45) days when reasonably necessary, taking into account the complexity and number of the consumer's requests, as long as the controller informs the consumer of any such extension within the initial forty-five (45) day response period, along with the reason for the extension.

(2) If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but in any case not later than forty-five (45) days after receipt of the consumer's request under this section, of the justification for declining to take action, and shall provide instructions for how to appeal the decision under subsection (d).

(3) Information provided in response to a consumer request shall be provided by a controller free of charge, up to one (1) time annually per consumer. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

(4) If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.

(5) A controller that has obtained personal data about a consumer from a source other than the consumer is considered to comply with a request by the consumer under subsection (b)(3) to delete the consumer's personal data if the controller:

(A) retains:

(i) a record of the consumer's request for deletion; and

(ii) the minimum data necessary to ensure that the consumer's personal data remains deleted from the controller's records; and

(B) does not use the data retained under clause (A)(ii) for any other purpose.

     (d) A controller shall establish a process for a consumer to appeal, within a reasonable period of time after the consumer's receipt of a decision by the controller under subsection (c)(2), the controller's refusal to take action on a request by the consumer under this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to invoke a right under this section. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.

As added by P.L.94-2023, SEC.1.

 24-15-4-1Responsibilities of controller; discrimination against consumer for exercising consumer rights prohibited; processing of sensitive data

           24-15-4-2Contract provisions purporting to waive or limit consumer rights

           24-15-4-3Privacy notice to consumers; required elements

           24-15-4-4Sale of personal data to third parties; use of personal data for targeted advertising; disclosure; consumer's right to opt out

           24-15-4-5Exercise of rights by consumers; controller's duty to provide secure and reliable means for submitting requests

           24-15-4-6Compliance by controllers; authority of attorney general to provide online resources for controllers

Effective 1-1-2026.

     Sec. 1. Except as provided in IC 24-15-7-2, a controller has the following responsibilities:

(1) A controller shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.

(2) Except as otherwise provided in this article, a controller shall not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes for which the personal data is processed, unless the controller obtains the consumer's consent.

(3) A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices required under this subdivision must be appropriate to the volume and nature of the personal data at issue.

(4) A controller shall not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights set forth in this article, including by denying goods or services to the consumer, charging different prices or rates for goods and services, or providing a different level or quality of goods or services to the consumer. However, nothing in this subdivision shall be construed to:

(A) require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain; or

(B) prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer's right to opt out under IC 24-15-3-1(b)(5) or if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.

(5) A controller shall not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act (15 U.S.C. 6501 et seq.).

As added by P.L.94-2023, SEC.1.

Sec. 2. Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under IC 24-15-3 is contrary to public policy and is void and unenforceable.

As added by P.L.94-2023, SEC.1.

Sec. 3. A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

(1) the categories of personal data processed by the controller;

(2) the purpose for processing personal data;

(3) how consumers may exercise their consumer rights under IC 24-15-3, including how a consumer may appeal a controller's decision with regard to the consumer's request;

(4) the categories of personal data that the controller shares with third parties, if any; and

(5) the categories of third parties, if any, with whom the controller shares personal data.

As added by P.L.94-2023, SEC.1.

Sec. 4. If a controller sells a consumer's personal data to third parties or uses a consumer's personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such sales or use.

As added by P.L.94-2023, SEC.1.

Sec. 5. A controller shall establish, and shall describe in a privacy notice provided under section 3 of this chapter, one (1) or more secure and reliable means for consumers to submit a request to exercise their rights under IC 24-15-3. Such means must take into account:

(1) the ways in which consumers normally interact with the controller;

(2) the need for the secure and reliable communication of such requests; and

(3) the ability of the controller to authenticate the identity of the consumer making the request.

A controller may not require a consumer to create a new account in order to exercise the consumer's rights under IC 24-15-3 but may require a consumer to use an existing account.

As added by P.L.94-2023, SEC.1.

Sec. 6. The attorney general may maintain on the attorney general's website a list of resources for controllers, including sample privacy notices and disclosures, to assist controllers in complying with this chapter.

As added by P.L.94-2023, SEC.1.

   24-15-5-1Duty of processor to assist controller in meeting obligations regarding personal data

           24-15-5-2Contract between controller and processor; requirements for processor; liabilities

           24-15-5-3Determination of role as controller or processor; context dependent

Effective 1-1-2026.

  Sec. 1. A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under this chapter. Such assistance shall include the following:

(1) Assisting the controller in meeting the controller's obligation to respond to consumer requests under IC 24-15-3 by appropriate technical and organizational measures, insofar as this is reasonably practicable, and taking into account the nature of processing and the information available to the processor.

(2) Taking into account the nature of processing and the information available to the processor, assisting the controller in meeting the controller's obligations in relation to:

(A) the security of processing the personal data; and

(B) the notification of a breach of security of the system of the processor under IC 24-4.9;

in order to meet the controller's obligations.

(3) Providing necessary information to enable the controller to conduct and document data protection impact assessments under IC 24-15-6.

As added by P.L.94-2023, SEC.1.

Sec. 2. (a) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract must be binding and clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also include requirements that the processor do the following:

(1) Ensure that each individual processing personal data is subject to a duty of confidentiality with respect to the data.

(2) At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law.

(3) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this chapter.

(4) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the processor's obligations under this chapter using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of any such assessment to the controller upon request.

(5) Subject to subsection (b), engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

     (b) Nothing in this section shall be construed to relieve a controller or a processor from the liabilities imposed on the controller or processor by virtue of its role in the processing relationship.

As added by P.L.94-2023, SEC.1.

Sec. 3. Determining whether a person is acting as a controller or a processor with respect to a specific processing of data is a fact based determination that depends upon the context in which personal data is processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.

As added by P.L.94-2023, SEC.1.

 24-15-6-1Applicability of data protection impact assessment requirements; controller's duty to conduct assessment; activities subject to assessment; weighing of benefits and risks; assessments conducted for compliance with other laws

           24-15-6-2Attorney general's request for data protection impact assessment; controller's duty to provide; confidentiality

Effective 1-1-2026.

Sec. 1. (a) The data protection impact assessment requirements set forth in this chapter apply to processing activities created or generated after December 31, 2025, and are not retroactive to any processing activities created or generated before January 1, 2026.

     (b) A controller shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data:

(1) The processing of personal data for purposes of targeted advertising.

(2) The sale of personal data.

(3) The processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of:

(A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers;

(B) financial, physical, or reputational injury to consumers;

(C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person; or

(D) other substantial injury to consumers.

(4) The processing of sensitive data.

(5) Any processing activities involving personal data that present a heightened risk of harm to consumers.

     (c) Data protection impact assessments conducted under this chapter shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

     (d) A single data protection impact assessment may address a comparable set of processing operations that include similar activities.

     (e) A data protection impact assessment conducted by a controller for the purpose of compliance with other laws or regulations may be used to comply with this section if the assessment has a reasonably comparable scope and effect to an assessment conducted under this section.

As added by P.L.94-2023, SEC.1.

Sec. 2. (a) The attorney general may request, pursuant to a civil investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the attorney general. Upon receipt of such a request, the controller shall make the data protection impact assessment available to the attorney general. Subject to subsection (b), the attorney general may evaluate the data protection impact assessment for a controller's compliance with the responsibilities set forth in IC 24-15-4.

     (b) Data protection impact assessments are confidential and exempt from public inspection and copying under IC 5-14-3-4. The disclosure of a data protection impact assessment pursuant to a request from the attorney general does not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.

As added by P.L.94-2023, SEC.1.

 24-15-7-1Duties of controller possessing de-identified data

           24-15-7-2Pseudonymous data; technical and organizational controls

           24-15-7-3Controller's disclosure of de-identified or pseudonymous data; compliance with contractual commitments

Effective 1-1-2026.

Sec. 1. (a) A controller in possession of de-identified data shall:

(1) take reasonable measures to ensure that the data cannot be associated with an individual;

(2) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and

(3) contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.

     (b) This chapter shall not be construed to require a controller or processor to:

(1) re-identify de-identified data or pseudonymous data;

(2) maintain data in identifiable form; or

(3) collect, obtain, retain, or access any data or technology;

in order to be capable of associating an authenticated consumer request with personal data.

     (c) This chapter shall not be construed to require a controller or processor to comply with a request of a consumer under IC 24-15-3 if all of the following conditions are met:

(1) The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data.

(2) The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer.

(3) The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor.

As added by P.L.94-2023, SEC.1.

Sec. 2. The:

(1) rights of a consumer set forth in IC 24-15-3-1(b)(1) through IC 24-15-3-1(b)(4); and

(2) responsibilities of a controller under IC 24-15-4-1(1) through IC 24-15-4-1(5);

do not apply to pseudonymous data in any case in which the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

As added by P.L.94-2023, SEC.1.

Sec. 3. A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

As added by P.L.94-2023, SEC.1.

           24-15-8-1Permissible activities by controllers and processors

           24-15-8-2Collecting, using, or retaining data; permissible purposes

           24-15-8-3Evidentiary privilege; exemption from obligations concerning personal data

           24-15-8-4Disclosure of personal data to third party controller or processor

           24-15-8-5Personal rights or freedoms; free speech; personal data in context of purely personal or household activity

           24-15-8-6Controller not required to disclose trade secrets

           24-15-8-7Processing of personal data for authorized purposes; collection, use, or retention of personal data; burden of proof for exemption

Effective 1-1-2026.

Sec. 1. (a) This article shall not be construed to restrict a controller's or processor's ability to do any of the following:

(1) Comply with federal, state, or local laws, rules, or regulations or, in the case of an owner of a riverboat licensed under IC 4-33-6, implement and operate a facial recognition program approved by the Indiana gaming commission.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, local, or other governmental authority.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations.

(4) Investigate, establish, exercise, prepare for, or defend legal claims.

(5) Provide a product or service specifically requested by a consumer, perform a contract to which the consumer, or a parent of a child, is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer or parent before entering into a contract.

(6) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual, if the processing cannot be manifestly based on another legal basis.

(7) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, investigate, report, or prosecute those responsible for any such action, and preserve the integrity or security of systems.

(8) Engage in public or peer reviewed scientific or statistical research that is in the public interest and that adheres to all applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or a similar independent oversight entity, that determines if:

(A) the information is likely to provide substantial benefits that do not exclusively accrue to the controller;

(B) the expected benefits of the research outweigh the privacy risks; and

(C) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.

(9) Assist another controller, processor, or third party with any obligation described in this section.

     (b) Processing personal data for a purpose expressly identified in subsection (a)(1) through (a)(9) does not by itself make a person a controller with respect to such processing.

As added by P.L.94-2023, SEC.1.

Sec. 2. The obligations imposed on a controller or a processor under this article do not prohibit or restrict a controller or processor from collecting, using, or retaining data to do the following:

(1) Conduct internal research to develop, improve, or repair products, services, or technology.

(2) Effectuate a product recall.

(3) Identify and repair technical errors that impair existing or intended functionality.

(4) Perform internal operations that are:

(A) reasonably compatible with the expectations of the consumer;

(B) reasonably anticipated based on the consumer's existing relationship with the controller; or

(C) otherwise compatible with:

(i) processing data in furtherance of the provision of a product or service specifically requested by a consumer, or the parent of a child; or

(ii) the performance of a contract to which the consumer is a party.

As added by P.L.94-2023, SEC.1.

Sec. 3. The obligations imposed on a controller or a processor under this article do not apply if compliance by the controller or processor with this article would violate an evidentiary privilege under Indiana law. This article shall not be construed to prohibit a controller or processor from providing, as part of a privileged communication, personal data concerning a consumer to a person covered by an evidentiary privilege under Indiana law.

As added by P.L.94-2023, SEC.1

Sec. 5. This article:

(1) shall not be construed as an obligation imposed on controllers and processors that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech under the First Amendment to the Constitution of the United States; and

(2) does not apply to personal data in the context of a purely personal or household activity.

As added by P.L.94-2023, SEC.1.

Sec. 6. Nothing in this article shall be construed as requiring a controller to disclose trade secrets.

As added by P.L.94-2023, SEC.1.

Sec. 7. (a) Personal data processed by a controller for a purpose authorized under this chapter may not be processed for any other purpose unless otherwise allowed under this article. Personal data processed by a controller under this chapter may be processed to the extent that such processing is:

(1) reasonably necessary and proportionate to a purpose authorized under this chapter; and

(2) adequate, relevant, and limited to what is necessary in relation to the specific purpose.

     (b) Personal data collected, used, or retained under section 2 of this chapter:

(1) shall, as applicable, take into account the nature and purpose of the collection, use, or retention; and

(2) must be subject to reasonable administrative, technical, and physical measures to:

(A) protect the confidentiality, integrity, and accessibility of the personal data; and

(B) reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of the personal data.

     (c) If a controller processes personal data pursuant to an exemption under this chapter, the controller bears the burden of demonstrating that such processing:

(1) qualifies for the exemption; and

(2) complies with the requirements set forth in this section.

As added by P.L.94-2023, SEC.1.

 24-15-9-1Violations; civil investigative demand by attorney general

Effective 1-1-2026.

Sec. 1. Whenever the attorney general has reasonable cause to believe that any person has engaged in, is engaging in, or is about to engage in any violation of this article, the attorney general is empowered to issue a civil investigative demand to investigate the suspected violation.

As added by P.L.94-2023, SEC.1.

 24-15-10-1Attorney general's exclusive enforcement authority

           24-15-10-2Action by attorney general for violation; injunction; civil penalty; recovery of expenses

           24-15-10-3Notice of alleged violation; controller's or processor's right to cure

           24-15-10-4No private right of action for violation

Effective 1-1-2026.

Sec. 1. The attorney general has exclusive authority to enforce the provisions of this article.

As added by P.L.94-2023, SEC.1.

Sec. 2. (a) The attorney general may initiate an action in the name of the state and may seek an injunction to restrain any violations of this article and a civil penalty not to exceed seven thousand five hundred dollars ($7,500) for each violation under this article.

     (b) The attorney general may recover reasonable expenses incurred in investigating and preparing the case, including attorney's fees, in any action initiated under this chapter.

As added by P.L.94-2023, SEC.1.

Sec. 3. (a) Before initiating an action under section 2 of this chapter, the attorney general shall provide a controller or processor thirty (30) days written notice identifying the specific provisions of this article that the attorney general alleges have been or are being violated. If within the thirty (30) day period set forth in this section, the controller or processor:

(1) cures the alleged violation; and

(2) provides the attorney general an express written statement that:

(A) the alleged violation has been cured; and

(B) actions have been taken to ensure no further such violations will occur;

the attorney general shall not initiate an action against the controller or processor.

     (b) If a controller or processor:

(1) continues the alleged violation following the thirty (30) day period set forth in subsection (a); or

(2) breaches an express written statement provided to the attorney general under subsection (a)(2);

the attorney general may initiate an action under section 2 of this chapter.

As added by P.L.94-2023, SEC.1.

Sec. 4. Nothing in this article shall be construed as providing the basis for a private right of action for violations of this article or any other law.

As added by P.L.94-2023, SEC.1.

    24-15-11-1Preemption of local laws

           24-15-11-2References to federal, state, or local laws

Effective 1-1-2026.

Sec. 1. This article supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the processing of personal data by controllers or processors.

As added by P.L.94-2023, SEC.1.

Sec. 2. Any reference to federal, state, or local law or statute in this article includes any accompanying rules, regulations, or exemptions.

As added by P.L.94-2023, SEC.1.

As used in KRS 367.3611 to 367.3629:

(1) "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, "control" or "controlled" means:

(a) Ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a company;

(b) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

(c) The power to exercise controlling influence over the management of a company;

(2) "Authenticate" means verifying through reasonable means that the consumer entitled to exercise his or her consumer rights in KRS 367.3615 is the same consumer exercising such consumer rights with respect to the personal data at issue;

(3) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. Biometric data does not include a physical or digital photograph, a video or audio recording, or data generated therefrom, unless that data is generated to identify a specific individual or information collected, used, or stored for health care treatment, payment, or operations under HIPAA;

(4) "Business associate" has the same meaning as established in 45 C.F.R. sec. 160.103 pursuant to HIPAA;

(5) "Child" has the same meaning as in 15 U.S.C. sec. 6501;

(6) "Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. Consent may include a written statement, written by electronic means or any other unambiguous affirmative action;

(7) "Consumer" means a natural person who is a resident of the Commonwealth of Kentucky acting only in an individual context. Consumer does not include a natural person acting in a commercial or employment context;

(8) "Controller" means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data;

(9) "Covered entity" has the same meaning as established in 45 C.F.R. sec. 160.103 pursuant to HIPAA;

(10) "Decisions that produce legal or similarly significant effects concerning a consumer" means a decision made by a controller that results in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, or access to basic necessities like food and water;

(11) "De-identified data" means data that cannot reasonably be linked to an identified or identifiable natural person or a device linked to a person;

(12) "Fund" means the consumer privacy fund established in KRS 367.3629;

(13) "Health care provider" means:

(a) Any health facility as defined in KRS 216B.015;

(b) Any person or entity providing health care or health services, including those licensed, certified, or registered under, or subject to, KRS 194A.700 to 194A.729 or KRS Chapter 310, 311, 311A, 311B, 312, 313, 314, 314A, 315, 319, 319A, 319B, 319C, 320, 327, 333, 334A, or 335;

(c) The current and former employers, officers, directors, administrators, agents, or employees of those entities listed in paragraphs (a) and (b) of this subsection; or 

(d) Any person acting within the course and scope of his or her office, employment, or agency relating to a health care provider;

(14) "Health record" means a record, other than for financial or billing purposes, relating to an individual, kept by a health care provider as a result of the professional relationship established between the health care provider and the individual;

(15) "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191;

(16) "Identified or identifiable natural person" means a person who can be readily identified directly or indirectly;

(17) "Institution of higher education" means an educational institution which:

(a) Admits as regular students only individuals having a certificate of graduation from a high school or the recognized equivalent of such a certificate;

(b) Is legally authorized in this state to provide a program of education beyond high school;

(c) Provides an educational program for which it awards a bachelor's or higher degree, or provides a program which is acceptable for full credit toward such a degree, a program of postgraduate or postdoctoral studies, or a program of training to prepare students for gainful employment in a recognized occupation; and

(d) Is a public or other nonprofit institution;

(18) "Nonprofit organization" means any incorporated or unincorporated entity that:

(a) Is operating for religious, charitable, or educational purposes; and 

(b) Does not provide net earnings to, or operate in any manner that inures to the benefit of, any officer, employee, or shareholder of the entity;

(19) "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information;

(20) "Precise geolocation data" means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty (1,750) feet. Precise geolocation data does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility;

(21) "Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, including but not limited to the collection, use, storage, disclosure, analysis, deletion, or modification of personal data;

(22) "Processor" means a natural or legal entity that processes personal data on behalf of a controller;

(23) "Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

(24) "Protected health information" means the same as established in 45 C.F.R. sec. 160.103 pursuant to HIPAA;

(25) "Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;

(26) "Publicly available information" means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience;

(27) "Sale of personal data" means the exchange of personal data for monetary consideration by the controller to a third party. Sale of personal data does not include:

(a) The disclosure of personal data to a processor that processes the personal data on behalf of the controller;

(b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

(c) The disclosure or transfer of personal data to an affiliate of the controller;

(d) The disclosure of information that the consumer:

1. Intentionally made available to the general public via a channel of mass media; and 

2. Did not restrict to a specific audience; or

(e) The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets;

(28) "Sensitive data" means a category of personal data that includes:

(a) Personal data indicating racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

(b) The processing of genetic or biometric data that is processed for the purpose of uniquely identifying a specific natural person;

(c) The personal data collected from a known child; or

(d) Precise geolocation data;

(29) "State agency" means all departments, offices, commissions, boards, institutions, and political and corporate bodies of the state, including the offices of the clerk of the Supreme Court, clerks of the appellate courts, the several courts of the state, and the legislature, its committees, or commissions;

(30) "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated websites or online applications to predict that consumer's preferences or interests. "Targeted advertising" does not include:

(a) Advertisements based on activities within a controller's own or affiliated websites or online applications;

(b) Advertisements based on the context of a consumer's current search query, visit to a website, or online application;

(c) Advertisements directed to a consumer in response to the consumer's request for information or feedback; or

(d) Processing personal data solely for measuring or reporting advertising performance, reach, or frequency;

(31) "Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller; and

(32) "Trade secret" has the same meaning as in KRS 365.880.

(1) KRS 367.3611 to 367.3629 apply to persons that conduct business in the Commonwealth or produce products or services that are targeted to residents of the Commonwealth and that during a calendar year control or process personal data of at least:

(a) One hundred thousand (100,000) consumers; or

(b) Twenty-five thousand (25,000) consumers and derive over fifty percent (50%) of gross revenue from the sale of personal data.

(2) KRS 367.3611 to 367.3629 shall not apply to any:

(a) City, state agency, or any political subdivision of the state;

(b) Financial institutions, their affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C. sec. 6801 et seq.;

(c) Covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. pts. 160 and 164 established pursuant to HIPAA;

(d) Nonprofit organization;

(e) Institution of higher education;

(f) Organization that:

1. Does not provide net earnings to, or operate in any manner that inures to the benefit of, any officer, employee, or shareholder of the entity; and

2. Is an entity such as those recognized under KRS 304.47-060(1)(e), so long as the entity collects, processes, uses, or shares data solely in relation to identifying, investigating, or assisting:

a. Law enforcement agencies in connection with suspected insurance-related criminal or fraudulent acts; or

b. First responders in connection with catastrophic events; or

(g) Small telephone utility as defined in KRS 278.516, a Tier III CMRS provider as defined in KRS 65.7621, or a municipally owned utility that does not sell or share personal data with any third-party.

(3) The following information and data are exempt from KRS 367.3611 to 367.3629:

(a) Protected health information under HIPAA;

(b) Health records;

(c) Patient identifying information for purposes of 42 C.F.R. sec. 2.11;

(d) Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. pt. 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; the protection of human subjects under 21 C.F.R. pts. 50 and 56; or personal data used or shared in research conducted in accordance with the requirements set forth in KRS 367.3611 to 367.3629, or other research conducted in accordance with applicable law;

(e) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. sec. 11101 et seq.;

(f) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act, 42 U.S.C. sec. 299b-21 et seq.;

(g) Information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;

(h) Information originating from, and intermingled to be indistinguishable from, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate, or a program or qualified service organization as defined by 42 C.F.R. sec. 2.11;

(i) Information collected by a health care provider who is a covered entity that maintains protected health information in accordance with HIPAA and related regulations, 45 C.F.R. sec. pts. 160, 162, and 164;

(j) Information included in a limited data set as described in 45 C.F.R. sec. 164.514(e), to the extent the information is used, disclosed, and maintained as specified in 45 C.F.R. sec. 164.514(e);

(k) Information used only for public health activities and purposes as authorized by HIPAA;

(l) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. sec. 1681 et seq.;

(m) Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. sec. 2721 et seq.;

(n) Personal data regulated by the federal Family Educational Rights and Privacy Act, 20 U.S.C. sec. 1232g et seq.;

(o) Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act, 12 U.S.C. sec. 2001 et seq.;

(p) Data processed or maintained:

1. In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;

2. As the emergency contact information of an individual used for emergency contact purposes; or

3. That is necessary to retain to administer benefits for another individual relating to the individual under subparagraph 1. of this paragraph and used for the purposes of administering those benefits;

(q) Data processed by a utility, an affiliate of a utility, or a holding company system organized specifically for the purpose of providing goods or services to a utility as defined in KRS 278.010. For purposes of this paragraph, “holding company system” means two (2) or more affiliated persons, one (1) or more of which is a utility; and

(r) Personal data collected and used for purposes of federal policy under the Combat Methamphetamine Epidemic Act of 2005.

(4) Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq., shall be deemed compliant with any obligation to obtain parental consent under KRS 367.3611 to 367.3629.

(1) A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller, via the means specified by the controller pursuant to KRS 367.3617, specifying the consumer rights the consumer wishes to invoke. A child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the child.

(2) A controller shall comply with an authenticated consumer request to exercise the right to:

(a) Confirm whether or not a controller is processing the consumer's personal data and to access the personal data, unless the confirmation and access would require the controller to reveal a trade secret;

(b) Correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of processing the data;

(c) Delete personal data provided by or obtained about the consumer;

(d) Obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically practicable, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means. The controller shall not be required to reveal any trade secrets; and

(e) Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

(3) Except as otherwise provided in KRS 367.3611 to 367.3629, a controller shall comply with a request by a consumer to exercise the consumer rights pursuant to this section as follows:

(a) A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of the request submitted pursuant to the methods described in this section. The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into consideration the complexity and number of the consumer's requests, so long as the controller informs the consumer of any extension within the initial forty-five (45) day response period, together with the reason for the extension;

(b) If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but no later than forty-five (45) days after receipt of the request, of the justification for declining to take action and instructions on how to appeal the decision;

(c) Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are excessive, repetitive, technically infeasible, or manifestly unfounded, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the excessive, repetitive, technically infeasible, or manifestly unfounded nature of the request;

(d) If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under subsection (1) of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and

(e) A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to subsection (2)(c) of this section by:

1. Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business' records and not using the retained data for any other purpose pursuant to the provisions of KRS 367.3611 to 367.3629; or

2. Opting the consumer out of the processing of the personal data for any purpose except for those exempted pursuant to KRS 367.3613.

(4) A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subsection (3)(b) of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.

(1) A controller shall:

(a) Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed as disclosed to the consumer; 

(b) Except as otherwise provided in this section, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer, unless the controller obtains the consumer's consent; (c) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue; 

(d) Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in KRS 367.3615, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, nothing in this paragraph shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain, or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and 

(e) Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data collected from a known child, process the data in accordance with the federal Children's Online Privacy Protection Act, 15 U.S.C. sec. 6501 et seq.

(2) Any provision of a contract or agreement of any kind that purports to waive or limit in any way consumer rights pursuant to KRS 367.3615 shall be deemed contrary to public policy and shall be void and unenforceable.

(3) Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

(a) The categories of personal data processed by the controller; 

(b) The purpose for processing personal data; 

(c) How consumers may exercise their consumer rights pursuant to KRS 367.3615, including how a consumer may appeal a controller's decision with regard to the consumer's request; 

(d) The categories of personal data that the controller shares with third parties, if any; and 

(e) The categories of third parties, if any, with whom the controller shares personal data.

(4) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of processing.

(5) A controller shall establish, and shall describe in a privacy notice, one (1) or more secure and reliable means for consumers to submit a request to exercise their consumer rights under KRS 367.3615. The different ways to submit a request by a consumer shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to KRS 367.3615 but may require a consumer to use an existing account.

(1) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under KRS 367.3611 to 367.3629. Such assistance shall include:

(a) Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to KRS 367.3615;

(b) Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system of the processor pursuant to KRS 365.732; and

(c) Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to KRS 367.3621.

(2) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and shall clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also include requirements that the processor shall:

(a) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

(b) At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; 

(c) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations prescribed in KRS 367.3611 to 367.3629; 

(d) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations in KRS 367.3611 to 367.3629 using an appropriate and accepted control standard or framework and assessment procedure for assessments. The processor shall provide a report of the assessment to the controller upon request; and 

(e) Engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

(3) Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on it by virtue of its role in a processing relationship as defined by KRS 367.3611 to 367.3629.

(4) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.

(1) Controllers shall conduct and document a data protection impact assessment of each of the following processing activities involving personal data:

(a) The processing of personal data for the purposes of targeted advertising;

(b) The processing of personal data for the purposes of selling of personal data;

(c) The processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:

1. Unfair or deceptive treatment of consumers or unlawful, disparate impact on consumers;

2. Financial, physical, or reputational injury to consumers;

3. A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where an intrusion would be offensive to a reasonable person; or

4. Other substantial injury to consumers;

(d) The processing of sensitive data; and

(e) Any processing of personal data that presents a heightened risk of harm to consumers.

(2) Data protection impact assessments conducted under this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risk. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing of personal data and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

(3) The Attorney General may request, pursuant to an investigative demand, that a controller disclose any data protection impact assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection impact assessment available to the Attorney General. The Attorney General may evaluate the data protection impact assessments for compliance with the requirements of KRS 367.3611 to 367.3629.

(4) Data protection impact assessments are confidential and exempt from disclosure, public inspection, and copying under KRS 61.870 to 61.884.

(5) The disclosure of a data protection impact assessment pursuant to a request from the Attorney General under subsection (3) of this section does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.

(6) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(7) Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect.

(8) Data protection assessment requirements shall apply to processing activities created or generated on or after June 1, 2026.

(1) The controller in possession of de-identified data shall: 

(a) Take reasonable measures to ensure the data cannot be associated with a natural person; 

(b) Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and 

(c) Contractually obligate any recipients of the de-identified data to comply with all provisions of KRS 367.3611 to 367.3629.

(2) Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to: 

(a) Re-identify de-identified data or pseudonymous data; or 

(b) Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

(3) Nothing in KRS 367.3611 to 367.3629 shall be construed to require a controller or processor to comply with an authenticated consumer rights request pursuant to KRS 367.3615 if: 

(a) The controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data; 

(b) The controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and 

(c) The controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section

(4) The consumer rights contained in KRS 367.3615 shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

(5) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

(1) Nothing in KRS 367.3611 to 367.3629 shall be construed to restrict a controller's or processor's ability to: 

(a) Comply with federal, state, or local laws or regulations; 

(b) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; 

(c) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; 

(d) Investigate, establish, exercise, prepare for, or defend legal claims; 

(e) Provide a product or service specifically requested by a consumer or a parent or guardian of a known child; 

(f) Perform a contract to which the consumer or parent or guardian of a known child is a party, including fulfilling the terms of a written warranty; 

(g) Take steps at the request of the consumer or parent or guardian of a known child prior to entering into a contract; 

(h) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis; 

(i) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action; 

(j) Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities that determine:

1. If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; 

2. The expected benefits of the research outweigh the privacy risks; and 

3. If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; or

(k) Assist another controller, processor, or third party with any of the obligations under this subsection.

(2) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not restrict a controller's or processor's ability to collect, use, or retain data to: 

(a) Conduct internal research to develop, improve, or repair products, services, or technology;

(b) Effectuate a product recall; 

(c) Identify and repair technical errors that impair existing or intended functionality; or 

(d) Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or a parent or guardian of a known child or the performance of a contract to which the consumer or a parent or guardian of a known child is a party.

(3) The obligations imposed on controllers or processors under KRS 367.3611 to 367.3629 shall not apply to a controller or processor if compliance under KRS 367.3611 to 367.3629 would violate an evidentiary privilege under the laws of this Commonwealth. Nothing in KRS 367.3611 to 367.3629 shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this Commonwealth as part of a privileged communication. 

(4) A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of KRS 367.3611 to 367.3629, is not in violation of KRS 367.3611 to 367.3629 if the third-party controller or processor that receives and processes such personal data is in violation of KRS 367.3611 to 367.3629, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of KRS 367.3611 to 367.3629 is likewise not in violation of KRS 367.3611 to 367.3629 for the transgressions of the controller or processor from which it receives such personal data. 

(5) Nothing in KRS 367.3611 to 367.3629 shall be construed as an obligation imposed on controllers and processors that adversely affects the privacy or other rights or freedoms of any persons, including but not limited to the right of free speech pursuant to the First Amendment to the Constitution of the United States, or applies to the processing of personal data by a person in the course of a purely personal or household activity.

(6) Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by KRS 367.3611 to 367.3629. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is:

(a) Reasonably necessary and proportionate to the purposes listed in this section; and 

(b) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained pursuant to subsection (2) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. The data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.

(7) If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section.

(8) Processing personal data for the purposes expressly identified in subsection (1) of this section shall not by itself make an entity a controller with respect to such processing.

(1) The Attorney General shall have exclusive authority to enforce violations of KRS 367.3611 to 367.3629. The Attorney General may enforce KRS 367.3611 to 367.3629 by bringing an action in the name of the Commonwealth of Kentucky or on behalf of persons residing in this Commonwealth. The Attorney General shall have all powers and duties granted to the Attorney General under KRS Chapter 15 to investigate and prosecute any violation of KRS 367.3611 to 367.3629. The Attorney General may demand any information, documentary material, or physical evidence from any controller or processor believed to be engaged in, or about to engage in, any violation of KRS 367.3611 to 367.3629.

(2) Prior to initiating any action for violation of KRS 367.3611 to 367.3629, the Attorney General shall provide a controller or processor thirty (30) days' written notice identifying the specific provisions of KRS 367.3611 to 367.3629, the Attorney General alleges have been or are being violated. If within the thirty (30) days the controller or processor cures the noticed violation and provides the Attorney General an express written statement that the alleged violations have been cured and that no further violations shall occur, no action for damages under subsection (3) of this section shall be initiated against the controller or processor.

(3) If a controller or processor continues to violate KRS 367.3611 to 367.3629 following the cure period in subsection (2) of this section or breaches an express written statement provided to the Attorney General under subsection (2) of this section, the Attorney General may initiate an action and seek damages for up to seven thousand five hundred dollars ($7,500) for each continued violation under KRS 367.3611 to 367.3629.

(4) Nothing in KRS 367.3611 to 367.3629 or any other law, regulation, or the equivalent shall be construed as providing the basis for, or give rise to, a private right of action for violations of KRS 367.3611 to 367.3629.

(5) The Attorney General may recover reasonable expenses incurred in investigating and preparing the case, court costs, attorney's fees, and any other relief ordered by the court of any action initiated under KRS 367.3611 to 367.3629.

There is hereby created a trust and agency account to be known as the consumer privacy fund. The fund shall be administered by the Office of the Attorney General. All civil penalties collected pursuant to KRS 367.3611 to 367.3629 shall be deposited into the fund. Interest earned on moneys in the fund shall accrue to the fund. Moneys in the fund shall be used by the Office of the Attorney General to enforce KRS 367.3611 to 367.3629. Notwithstanding KRS 45.229, any moneys remaining in the fund at the close of the fiscal year shall not lapse but shall be carried forward into the succeeding fiscal year to be used by the Office of the Attorney General for the purposes set forth in KRS 367.3611 to 367.3629.

(a) In this subtitle the following words have the meanings indicated.

(b) “Affiliate” means a person that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with another person, such that the person:

(1) Owns or has the power to vote more than 50% of the outstanding shares of any voting class of the other person's securities;

(2) Has the power to elect or influence the election of a majority of the directors, members, or managers of the other person;

(3) Has the power to direct the management of the other person; or

(4) Is subject to the other person's exercise of the powers described in item (1), (2), or (3) of this subsection.

(c) “Authenticate” means to use reasonable means to determine that a request to exercise a consumer right in accordance with § 14-4705 of this subtitle is being made by, or on behalf of, a consumer who is entitled to exercise the consumer right with respect to the personal data at issue.

(d) (1) “Biometric data” means data generated by automatic measurements of the biological characteristics of a consumer that can be used to uniquely authenticate a consumer's identity.

(2) “Biometric data” includes:

(i) A fingerprint;

(ii) A voice print;

(iii) An eye retina or iris image; and

(iv) Any other unique biological characteristics that can be used to uniquely authenticate a consumer's identity.

(3) “Biometric data” does not include:

(i) A digital or physical photograph;

(ii) An audio or video recording; or

(iii) Any data generated from a digital or physical photograph or an audio or video recording, unless the data is generated to identify a specific consumer.

(e) “Business associate” has the meaning stated in HIPAA.

(f) “Child” has the meaning stated in COPPA.

(g)(1) “Consent” means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer for a particular purpose.

(2) “Consent” includes:

(i) A written statement;

(ii) A written statement by electronic means; or

(iii) Any other unambiguous affirmative action.

(3) “Consent” does not include:

(i) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information;

(ii) Hovering over, muting, pausing, or closing a piece of content; or

(iii) Agreement obtained through the use of dark patterns.

(h)(1) “Consumer” means an individual who is a resident of the State.

(2) “Consumer” does not include:

(i) An individual acting in a commercial or employment context; or

(ii) An individual acting as an employee, an owner, a director, an officer, or a contractor of a company, a partnership, a sole proprietorship, a nonprofit organization, or a governmental unit whose communications or transactions with a controller occur only within the context of the individual's role with the company, partnership, sole proprietorship, nonprofit organization, or governmental unit.

(i)(1) “Consumer health data” means personal data that a controller uses to identify a consumer's physical or mental health status.

(2) “Consumer health data” includes data related to:

(i) Gender-affirming treatment; or

(ii) Reproductive or sexual health care.

(j) “Control” means:

(1) Ownership of or the power to vote more than 50% of the outstanding shares of any class of voting security of a business;

(2) Any manner of control over the election of a majority of the directors of a business, or individuals exercising similar functions; or

(3) The power to exercise a controlling influence over the management of a business.

(k) “Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.

(l) “COPPA” means the federal Children's Online Privacy Protection Act of 1998 and the regulations, rules, guidance, and exemptions adopted under the Act, and as the Act and the regulations, rules, guidance, and exemptions may be amended.

(m) “Covered entity” has the meaning stated in HIPAA.

(n)(1) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting user autonomy, decision making, or choice.

(2) “Dark pattern” includes any practice the Federal Trade Commission refers to as a “dark pattern”.

(o) “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions that result in the provision or denial of:

(1) Financial or lending services;

(2) Housing;

(3) Education enrollment or opportunity;

(4) Criminal justice;

(5) Employment opportunities;

(6) Health care services; or

(7) Access to essential goods or services.

(p) “De-identified data” has the meaning stated in § 14-4401 of this title.

(q) “Gender-affirming treatment” has the meaning stated in § 15-151(a) of the Health--General Article.

(r) “Genetic data” has the meaning stated in § 14-4401 of this title.

(s)(1) “Geofence” means technology that establishes a virtual geographical boundary.

(2) “Geofence” includes boundaries that are established or monitored through the use of:

(i) Global positioning technology;

(ii) Cell tower connectivity;

(iii) Cellular data;

(iv) Radio frequency identification;

(v) Wireless fidelity technology; or

(vi) Any other form of location determination technology.

(t) “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996.

(u) “Identified or identifiable consumer” means a consumer who can readily be identified, either directly or indirectly.

(v) “Mental health facility” means a health care facility in which not less than 70% of health care services offered are mental health services.

(w)(1) “Personal data” means any information that is linked or can be reasonably linked to an identified or identifiable consumer.

(2) “Personal data” does not include:

(i) De-identified data; or

(ii) Publicly available information.

(x)(1) “Precise geolocation data” means information derived from technology that can precisely and accurately identify the specific location of a consumer within a radius of 1,750 feet.

(2) “Precise geolocation data” includes global positioning system level latitude and longitude coordinates or other similar mechanisms.

(3) “Precise geolocation data” does not include:

(i) The content of communications;

(ii) Data generated by or connected to an advanced utility metering infrastructure system; or

(iii) Data generated by equipment used by a utility company.

(y)(1) “Process” means an operation or set of operations performed by manual or automated means on personal data.

(2) “Process” includes collecting, using, storing, disclosing, analyzing, deleting, or modifying personal data.

(z) “Processor” means a person that processes personal data on behalf of a controller.

(aa) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable consumer's economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.

(bb) “Protected health information” has the meaning stated in HIPAA.

(cc)(1) “Publicly available information” means information that a person:

(i) Lawfully obtains from a record of a governmental entity;

(ii) Reasonably believes a consumer or widely distributed media have lawfully made available to the general public; or

(iii) If the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.

(2) “Publicly available information” does not include biometric data collected by a business about a consumer without the consumer's knowledge.

(dd) “Reproductive or sexual health care” means a health care-related service or product rendered or provided concerning a consumer's reproductive system or sexual well-being, including:

(1) A service or product provided related to an individual health condition, status, disease, diagnosis, test, or treatment;

(2) A social, psychological, behavioral, or medical intervention;

(3) A surgery or procedure;

(4) The purchase or use of a medication, including a medication purchased or used for the purposes of an abortion;

(5) A service or product related to a bodily function, vital sign, or symptom;

(6) A measurement of a bodily function, vital sign, or symptom; and

(7) An abortion, and medical and nonmedical services, products, diagnostics, counseling, and follow-up services for an abortion.

(ee) “Reproductive or sexual health care facility” means a health care facility where not less than 70% of services offered are reproductive or sexual health care services.

(ff)(1) “Sale of personal data” means the exchange of personal data by a controller, a processer, or an affiliate of a controller or processor to a third party for monetary or other valuable consideration.

(2) “Sale of personal data” does not include:

(i) The disclosure of personal data to a processor that processes personal data on behalf of a controller if limited to the purposes of the processing;

(ii) The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer;

(iii) The disclosure or transfer of personal data to an affiliate of the controller;

(iv) The disclosure of personal data where the consumer:

1. Directs the controller to disclose the personal data; or

2. Intentionally uses the controller to interact with a third party;

(v) The disclosure of personal data that the consumer:

1. Intentionally made available to the general public through a channel of mass media; and

2. Did not restrict to a specific audience; or

(vi) The disclosure or transfer of personal data to a third party as an asset that is part of an actual or proposed merger, acquisition, bankruptcy, or other transaction where the third party assumes control of all or part of the controller's assets.

(gg) “Sensitive data” means personal data that includes:

(1) Data revealing:

(i) Racial or ethnic origin;

(ii) Religious beliefs;

(iii) Consumer health data;

(iv) Sex life;

(v) Sexual orientation;

(vi) Status as transgender or nonbinary;

(vii) National origin; or

(viii) Citizenship or immigration status;

(2) Genetic data or biometric data;

(3) Personal data of a consumer that the controller knows or has reason to know is a child; or

(4) Precise geolocation data.

(hh)(1) “Targeted advertising” means displaying advertisements to a consumer or on a device identified by a unique identifier, where the advertisement is selected based on personal data obtained or inferred from the consumer's activities over time and across nonaffiliated websites or online applications that are unaffiliated with each other, in order to predict the consumer's preferences or interests.

(2) “Targeted advertising” does not include:

(i) Advertisements based on the context of a consumer's current search query, visit to a website, or online application;

(ii) Advertisements based on a consumer's activities within a controller's websites or online applications;

(iii) Advertisements directed to a consumer in response to the consumer's request for information or feedback; or

(iv) Processing personal data solely to measure or report advertising frequency, performance, or reach.

(ii) “Third party” means a person other than the relevant consumer, controller, processor, or affiliate of the controller or processor of relevant personal data.

(jj) “Trade secret” has the meaning stated in § 11-1201 of this article.

This subtitle applies to a person that conducts business in the State or provides products or services that are targeted to residents of the State, and that during the preceding calendar year did any of the following:

(1) Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

a) This subtitle does not apply to:

(1) A regulatory, administrative, advisory, executive, appointive, legislative, judicial body or instrumentality of the State, including a board, bureau, commission, or unit of the State or a political subdivision of the State;

(2) A national securities association that is registered under § 15 of the federal Securities Exchange Act of 1934 or a registered futures association designated in accordance with § 17 of the federal Commodity Exchange Act;

(3) A financial institution, an affiliate of a financial institution, or data that is subject to Title V of the federal Gramm-Leach-Bliley Act and regulations adopted under that act; or

(4) A nonprofit controller that processes or shares personal data solely for the purposes of assisting:

(i) Law enforcement agencies in investigating criminal or fraudulent acts relating to insurance; or

(ii) First responders in responding to catastrophic events.

(b) The following information and data are exempt from this subtitle:

(1) Protected health information under HIPAA;

(2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2;

(3) Identifiable private information that is used for purposes of the federal policy for the protection of human subjects in accordance with 45 C.F.R. § 46;

(4) Identifiable private information to the extent that it is collected and used as part of human subjects research in accordance with the ICH 36 Good Clinical Practice Guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or the protection of human subjects under 21 C.F.R. §§ 50 and 56;

(5) Patient safety work product that is created and used for purposes of patient safety improvement in accordance with 42 C.F.R. § 3, established in accordance with 42 U.S.C. §§ 299b-21 through 299b-26;

(6)(i) Information to the extent it is used for public health, community health, or population health activities and purposes, as authorized by HIPAA, when provided by or to a covered entity or when provided by or to a business associate in accordance with the business associate agreement with a covered entity;

(ii) Information that is a medical record under § 4-301 of the Health--General Article if:

1. The information is held by an entity that is a covered entity or business associate under HIPAA because it collects, uses, or discloses protected health information; and

2. The entity applies the same standards for the collection, use, and disclosure of the information as required for protected health information under HIPAA and medical records under § 4-301 of the Health--General Article, including specific standards regarding legally protected health care; and

(iii) Information that is de-identified in accordance with the requirements for de-identification set forth in 45 C.F.R. 164.514 that is derived from individually identifiable health information as described in HIPAA or personal information consistent with the human subject protection requirements of the U.S. Food and Drug Administration;

(7) The collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the federal Fair Credit Reporting Act;

(8) Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;

(9) Personal data regulated by the federal Family Educational Rights and Privacy Act;

(10) Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act;

(11) Data processed or maintained:

(i) In the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of the role;

(ii) As the emergency contact information of a consumer if the data is used for emergency contact purposes; or

(iii) That is:

1. Necessary to retain to administer benefits for another individual relating to the consumer who is the subject of the information under item (i) of this item; and

2. Used for the purposes of administering the benefits;

(12) Personal data collected, processed, sold, or disclosed in relation to price, route, or service by an air carrier subject to the federal Airline Deregulation Act to the extent this subtitle is preempted by the federal Airline Deregulation Act; and

(13) Personal data collected by or on behalf of a person regulated under the Insurance Article or an affiliate of such a person, in furtherance of the business of insurance.

(c) Controllers and processors that comply with the verifiable parental consent requirements of COPPA shall be considered compliant with an obligation to obtain parental consent in accordance with this subtitle with respect to a consumer who is a child.

A person may not:

(1) Provide an employee or a contractor access to consumer health data unless:

(i) The employee or contractor is subject to a contractual or statutory duty of confidentiality; or

(ii) Confidentiality is required as a condition of employment of the employee;

(2) Provide a processor access to consumer health data unless the person providing access to the consumer health data and the processor comply with § 14-4708 of this subtitle; or

(3) Use a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, or collecting data from, or sending any notification to a consumer regarding the consumer's consumer health data.

(a) Nothing in this section may be construed to require a controller to reveal a trade secret.

(b) A consumer shall have the right to:

(1) Confirm whether a controller is processing the consumer's personal data;

(2) If a controller is processing a consumer's personal data, access the consumer's personal data;

(3) Considering the nature of the consumer's personal data and the purposes of the processing of the personal data, correct inaccuracies in the consumer's personal data;

(4) Require a controller to delete personal data provided by, or obtained about, the consumer unless retention of the personal data is required by law;

(5) If the processing of personal data is done by automatic means, obtain a copy of the consumer's personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to easily transmit the data to another controller without hindrance;

(6) Obtain a list of the categories of third parties to which the controller has disclosed the consumer's personal data or a list of the categories of third parties to which the controller has disclosed any consumer's personal data if the controller does not maintain this information in a format specific to the consumer; and

(7) Opt out of the processing of personal data for purposes of:

(i) Targeted advertising;

(ii) The sale of personal data; or

(iii) Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

(c)(1) A controller shall establish a secure and reliable method for a consumer to exercise a consumer right under this section.

(2) A consumer may exercise a consumer right under this section by the method established by the controller under paragraph (1) of this subsection.

(d)(1) A consumer may designate an authorized agent in accordance with § 14-4706 of this subtitle to opt out of the processing of the consumer's personal data under subsection (b)(7) of this section on behalf of a consumer.

(2) A parent or legal guardian of a child may exercise a consumer right listed in subsection (b) of this section on the child's behalf regarding the processing of personal data.

(3) A guardian or conservator of a consumer subject to a guardianship, conservatorship, or other protective arrangement may exercise a consumer right listed in subsection (b) of this section on the consumer's behalf regarding the processing of personal data.

(e)(1) Except as otherwise provided in this subtitle, a controller shall comply with a request by a consumer to exercise a consumer right listed in this section.

(2)(i) A controller shall respond to a consumer request not later than 45 days after the controller receives the consumer request.

(ii) A controller may extend the completion period by an additional 45 days if:

1. It is reasonably necessary to complete the request based on the complexity and number of the consumer's requests; and

2. The controller informs the consumer of the extension and the reason for the extension within the initial 45-day response period.

(3) If a controller declines to act regarding a consumer's request, the controller shall:

(i) Inform the consumer without undue delay, but not later than 45 days after receiving the request, of the justification for declining to act; and

(ii) Provide instructions for how to appeal the decision.

(4)(i) A controller shall provide information to a consumer in response to a consumer's request to exercise rights under this subtitle free of charge once during any 12-month period.

(ii) If requests from a consumer are manifestly unfounded, excessive, technically infeasible, or repetitive, a controller may:

1. Charge the consumer a reasonable fee to cover the administrative costs of complying with the request; or

2. Decline to act on the request.

(iii) The controller has the burden of demonstrating the manifestly unfounded, excessive, technically infeasible, or repetitive nature of the request.

(5) If a controller is unable to authenticate a request to exercise a consumer right afforded under subsection (b)(1) through (5) of this section using commercially reasonable efforts, the controller:

(i) May not be required to comply with a request to initiate an action in accordance with this section; and

(ii) Shall provide notice to the consumer that the controller is unable to authenticate the request to exercise the right until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer's request to exercise the consumer's rights.

(6) A controller may not be required to authenticate an opt-out request.

(7) A controller that has obtained personal data about a consumer from a source other than the consumer shall be considered compliant with the consumer's request to delete the consumer's data in accordance with subsection (b)(4) of this section by retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring that the consumer's personal data:

(i) Remains deleted from the controller's records; and

(ii) Is not being used for any other purpose.

(f)(1) A controller shall establish a process for a consumer to appeal the controller's refusal to act on a consumer rights request within a reasonable period after the consumer receives the decision.

(2) The appeal process shall be:

(i) Conspicuously available; and

(ii) Similar to the process for submitting requests to initiate an action in accordance with this section.

(3) Not later than 60 days after receiving an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.

(4) If a controller denies an appeal, the controller shall provide the consumer with an online mechanism, if available, through which the consumer may contact the Division to submit a complaint.

(a)(1) A consumer may designate an individual to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data for one or more of the purposes specified in § 14-4705(b)(7) of this subtitle.

(2) A consumer may designate an authorized agent by an Internet link or a browser setting, browser extension, global device setting, or other similar technology, indicating a consumer's intent to opt out of the processing of the consumer's personal data.

(b) A controller shall comply with an opt-out request received from an authorized agent if, using commercially reasonable efforts, the controller is able to authenticate:

(1) The identity of the consumer; and

(2) The authorized agent's authority to act on the consumer's behalf.

(a) A controller may not:

(1) Except where the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer to whom the personal data pertains, collect, process, or share sensitive data concerning a consumer;

(2) Sell sensitive data;

(3) Process personal data in violation of State or federal laws that prohibit unlawful discrimination;

(4) Process the personal data of a consumer for the purposes of targeted advertising if the controller knew or should have known that the consumer is under the age of 18 years;

(5) Sell the personal data of a consumer if the controller knew or should have known that the consumer is under the age of 18 years;

(6) Discriminate against a consumer for exercising a consumer right contained in this subtitle, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer;

(7) Collect, process, or transfer personal data or publicly available data in a manner that unlawfully discriminates in or otherwise unlawfully makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability, unless the collection, processing, or transfer of personal data is for:

(i) The controller's self-testing to prevent or mitigate unlawful discrimination;

(ii) The controller's diversifying of an applicant, participant, or customer pool; or

(iii) A private club or group not open to the public, as described in § 201(e) of the Civil Rights Act of 1964; or

(8) Unless the controller obtains the consumer's consent, process personal data for a purpose that is neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed, as disclosed to the consumer.

(b)(1) A controller shall:

(i) Limit the collection of personal data to what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains;

(ii) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue; and

(iii) Provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent.

(2) If a consumer revokes consent under this section, the controller shall stop processing the consumer's personal data as soon as practicable, but not later than 30 days after receiving the request.

(c) Nothing in subsection (a) or (b) of this section may be construed to:

(1) Require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain; or

(2) Prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program, provided that the selling of personal data is not a condition of participation in the program.

(d) A controller shall provide a consumer with a reasonably accessible, clear, and meaningful privacy notice that includes:

(1) The categories of personal data processed by the controller, including sensitive data;

(2) The controller's purpose for processing personal data;

(3) How a consumer may exercise the consumer's rights under this subtitle, including how a consumer may appeal a controller's decision regarding the consumer's request or may revoke consent;

(4) The categories of third parties with which the controller shares personal data with a level of detail that enables a consumer to understand the type of, business model of, or processing conducted by each third party;

(5) The categories of personal data, including sensitive data, that the controller shares with third parties; and

(6) An active e-mail address or other online mechanism that a consumer may use to contact the controller.

(e)(1) If a controller sells personal data to third parties or processes personal data for targeted advertising or for the purposes of profiling the consumer in furtherance of decisions that produce legal or similarly significant effects, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.

(2) The disclosure required under paragraph (1) of this subsection shall be prominently displayed, and use clear, easy to understand, and unambiguous language, to state whether the consumer's information will be sold or shared with a third party.

(f)(1) The privacy notice under subsection (d) of this section shall establish one or more secure and reliable methods for a consumer to submit a request to exercise a consumer right in accordance with this subtitle that take into account:

(i) The ways in which consumers normally interact with the controller;

(ii) The need for secure and reliable communication of consumer requests; and

(iii) The ability of the controller to verify the identity of a consumer making the request.

(2)(i) A controller may not require a consumer to create a new account in order to exercise a consumer right.

(ii) A controller may require a consumer to use an existing account to exercise a consumer right.

(3) A controller may utilize the following methods to satisfy paragraph (1) of this subsection:

(i) Providing a clear and conspicuous link on the controller's website to a webpage that allows a consumer, or an authorized agent of the consumer, to opt out of the targeted advertising or the sale of the consumer's personal data; or

(ii) On or before October 1, 2025, allowing a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of personal data, through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale.

(4) A platform, technology, or mechanism used in accordance with paragraph (3) of this subsection shall:

(i) Be consumer-friendly and easy to use by the average consumer;

(ii) Use clear, easy to understand, and unambiguous language;

(iii) Be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or State law or regulation;

(iv) Enable the controller to reasonably determine whether the consumer:

1. Is a resident of the State; and

2. Has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising; and

(v) Require a consumer to make an affirmative, unambiguous, and voluntary choice in order to opt out of any processing of the consumer's personal data.

(5) A platform, technology, or mechanism used in accordance with paragraph (3) of this subsection may not:

(i) Unfairly disadvantage another controller; or

(ii) Use a default setting to opt a consumer out of any processing of the consumer's personal data.

(g)(1) If a consumer's decision to opt out of the processing of the consumer's personal data for the purposes of targeted advertising, or the sale of personal data through an opt-out preference signal sent in accordance with subsection (f)(3) of this section conflicts with the consumer's existing controller-specific privacy setting or the consumer's voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller may notify the consumer of a conflict and provide the choice to confirm controller-specific privacy settings or participation in a program listed in this paragraph.

(2) A controller that recognizes signals approved by other states shall be considered in compliance with this section.

(a)(1) If a controller uses a processor to process the personal data of consumers, the controller and the processor shall enter into a contract that governs the processor's data processing procedures with respect to processing performed on behalf of the controller.

(2) The contract shall be binding and shall clearly set forth:

(i) Instructions for processing data;

(ii) The nature and purpose of processing;

(iii) The type of data subject to processing;

(iv) The duration of processing; and

(v) The rights and obligations of both parties.

(3) The contract shall require that the processor:

(i) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the personal data;

(ii) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, considering the volume and nature of the personal data;

(iii) Stop processing data on request by the controller made in accordance with a consumer's authenticated request;

(iv) At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of service, unless retention of the personal data is required by law;

(v) On the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in this subtitle;

(vi) After providing the controller an opportunity to object, engage a subcontractor to assist with processing personal data on the controller's behalf only in accordance with a written contract that requires the subcontractor to meet the processor's obligations regarding the personal data under the processor's contract with the controller; and

(vii) Allow and cooperate with reasonable assessments by the controller, the controller's designated assessor, or a qualified and independent assessor arranged for by the processor to assess the processor's policies and technical and organizational measures in support of the obligations under this subtitle.

(4)(i) On request, the processor shall provide a report of an assessment required by paragraph (3)(v) of this subsection to the controller.

(ii) An assessment conducted in accordance with paragraph (3)(v) of this subsection shall be conducted using an appropriate and accepted control standard or framework and assessment procedure for the assessments.

(b) A processor shall:

(1) Adhere to the contract and instructions of a controller;

(2) Assist the controller in meeting the controller's obligations under this subtitle, including:

(i) By appropriate technical and organizational measures as much as reasonably practicable to fulfill the controller's obligation to respond to consumer rights requests, considering the nature of processing and the information available to the processor; and

(ii) By assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of a system, as defined in § 14-3504 of this title; and

(3) Provide necessary information to enable the controller to conduct and document data protection assessments.

(c) Nothing in this section may be construed to relieve a controller or a processor from the liabilities imposed on the controller or processor by virtue of the controller's or processor's role in the processing relationship in accordance with this section.

(d)(1) The determination of whether a person is acting as a controller or a processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is being processed.

(2) A person is considered to be a controller if the person:

(i) Is not limited in the person's processing of specific personal data in accordance with a controller's instructions; or

(ii) Fails to adhere to a controller's instructions with respect to a specific processing of personal data.

(3) A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.

(4) If a processor or third party begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor:

(i) Is a controller with respect to the processing; and

(ii) May be subject to an enforcement action under this subtitle.

(e) Nothing in this section may be construed to alter a controller's obligation to limit a person's processing of personal data or to take steps to ensure that a processor adheres to the controller's instructions.

(a) If a third party uses or shares a consumer's information in a manner inconsistent with promises made to the consumer at the time of collection of the information, the third party shall provide an affected consumer with notice of the new or changed practice before implementing the new or changed practice.

(b) The notice provided under subsection (a) of this section shall be provided in a manner and at a time reasonably calculated to allow a consumer to exercise the rights provided under this subtitle.

(a) In this section, “processing activities that present a heightened risk of harm to a consumer” means:

(1) The processing of personal data for the purposes of targeted advertising;

(2) The sale of personal data;

(3) The processing of sensitive data; and

(4) The processing of personal data for the purposes of profiling, in which the profiling presents a reasonably foreseeable risk of:

(i) Unfair, abusive, or deceptive treatment of a consumer;

(ii) Having an unlawful disparate impact on a consumer;

(iii) Financial, physical, or reputational injury to a consumer;

(iv) A physical or other intrusion on the solitude or seclusion or the private affairs or concerns of a consumer in which the intrusion would be offensive to a reasonable person; or

(v) Other substantial injury to a consumer.

(b) A controller shall conduct and document, on a regular basis, a data protection assessment for each of the controller's processing activities that present a heightened risk of harm to a consumer, including an assessment for each algorithm that is used.

(c)(1) A data protection assessment conducted in accordance with this section shall identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, the consumer, other interested parties, and the public against:

(i) The potential risks to the rights of the consumer associated with the processing as mitigated by safeguards that may be employed by the controller to reduce these risks; and

(ii) The necessity and proportionality of processing in relation to the stated purpose of the processing.

(2) The controller shall factor into a data protection assessment:

(i) The use of de-identified data;

(ii) The reasonable expectations of consumers;

(iii) The context of the processing; and

(iv) The relationship between the controller and the consumer whose personal data will be processed.

(d)(1) The Division may require that a controller make available to the Division a data protection assessment that is relevant to an investigation conducted by the Division.

(2)(i) The Division may evaluate a data protection assessment for compliance with the responsibilities established in this subtitle.

(ii) A controller's data protection assessment may be used in an action to enforce this subtitle.

(3) A data protection assessment is confidential and is exempt from disclosure under the federal Freedom of Information Act or the Public Information Act.

(e) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(f) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be considered to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted in accordance with this section.

(g) To the extent that any information contained in a data protection assessment disclosed to the Division includes information subject to attorney-client privilege or work product protection, the disclosure may not constitute a waiver of that privilege or protection.

(h) A data protection assessment conducted under this section:

(1) Shall apply to processing activities that occur on or after October 1, 2025; and

(2) Is not required for processing activities that occur before October 1, 2025.

(a) Nothing in this subtitle may be construed to require a controller or a processor to:

(1) Re-identify de-identified data;

(2) Maintain data in an identifiable form; or

(3) Collect, obtain, retain, or access any data or technology in order to be capable of associating an authenticated consumer request with personal data.

(b) Nothing in this subtitle may be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller:

(1) Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;

(2) Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and

(3) Does not sell the personal data to a third party or otherwise voluntarily disclose the personal data to a third party other than a processor, except as otherwise allowed in this subtitle.

(c)(1) A controller that discloses de-identified data shall:

(i) Exercise reasonable oversight to monitor compliance with any contractual commitments to which the de-identified data is subject; and

(ii) Take appropriate steps to address any breaches of any contractual commitments.

(2) The determination of whether oversight is reasonable and whether appropriate steps were taken in accordance with paragraph (1) of this subsection shall take into account whether the disclosed data includes data that would be considered sensitive data if the data were re-identified.

(a) Nothing in this subtitle may be construed to restrict a controller's or processor's ability to:

(1) Comply with federal, State, or local laws or regulations;

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, State, local, or other governmental authority;

(3) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, State, or local laws or regulations;

(4) Investigate, establish, exercise, prepare for, or defend a legal claim;

(5) Provide a product or service specifically requested by a consumer;

(6) Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;

(7) Take steps at the request of a consumer before entering into a contract;

(8) Take immediate steps to protect an interest that is essential for the life or physical safety of a consumer or another individual and when the processing cannot be manifestly based on another legal basis;

(9) Prevent, detect, protect against, investigate, prosecute those responsible, or otherwise respond to a security incident, identity theft, fraud, harassment, malicious or deceptive activity, or any other type of illegal activity;

(10) Preserve the integrity or security of systems; or

(11) Assist another controller, processor, or third party with an obligation under this subtitle.

(b)(1) This subsection does not apply to an obligation required under § 14-4711 of this subtitle.

(2) An obligation imposed on a controller or processor under this subtitle may not restrict a controller's or processor's ability to collect, use, or retain personal data for internal use to:

(i) Effectuate a product recall;

(ii) Identify and repair technical errors that impair existing or intended functionality; or

(iii) Perform internal operations that are:

1. Reasonably aligned with the expectations of the consumer or can be reasonably anticipated based on the consumer's existing relationship with the controller; or

2. Otherwise compatible with processing data in furtherance of:

A. The provision of a product or service specifically requested by a consumer; or

B. The performance of a contract to which the consumer is a party.

(c)(1) An obligation imposed on a controller or a processor under this subtitle does not apply when compliance by the controller or processor with the subtitle would violate an evidentiary privilege under State law.

(2) Nothing in this subtitle may be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under State law as part of a privileged communication.

(d)(1) A controller or processor that discloses personal data to a processor or a third-party controller in compliance with this subtitle is not in violation of this subtitle if the processor or third-party controller that receives the personal data violates this subtitle and:

(i) at the time the disclosing controller or processor disclosed the personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate this subtitle; and

(ii) the disclosing controller was, and remained, in compliance with its obligations as the discloser of the personal data.

(2) A third-party controller or processor that receives personal data from a controller or processor in compliance with this subtitle is not in violation of this subtitle for the independent misconduct of the controller or processor from which the third-party controller or processor received the personal data.

(e) Nothing in this subtitle may be construed to:

(1) Impose an obligation on a controller or a processor that adversely affects the rights or freedoms of any person, including the rights of a person to freedom of speech or freedom of the press as guaranteed in the First Amendment to the U.S. Constitution; or

(2) Apply to a person's processing of personal data during the person's personal or household activities.

(f) If a controller or processor processes personal data in accordance with an exemption under this section, the controller or processor shall demonstrate that the processing:

(1) Qualifies for an exemption; and

(2) Complies with the requirements of subsection (g) of this section.

(g) Personal data processed by a controller or processor in accordance with this section:

(1) Shall be subject to reasonable administrative, technical, and physical measures to:

(i) Protect the confidentiality, integrity, and accessibility of the personal data; and

(ii) Reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data; and

(2) May be processed to the extent that the processing is:

(i) Reasonably necessary and proportionate to the purposes listed in this section; and

(ii) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.

(h) A person that processes personal data for a purpose expressly identified in this section may not be considered a controller solely based on the processing of personal data.

(a) Except as provided in subsection (b) of this section, a violation of this subtitle is:

(1) An unfair, abusive, or deceptive trade practice within the meaning of Title 13 of this article; and

(2) Subject to the enforcement and penalty provisions contained in Title 13 of this article, except for § 13-408 of this article.

(b) This section does not prevent a consumer from pursuing any other remedy provided by law.

(a) This section applies to an enforcement action under § 14-4713 of this subtitle for an alleged violation that occurs on or before April 1, 2027.

(b) Before initiating any action under § 14-4713 of this subtitle, the Division may issue a notice of violation to the controller or processor if the Division determines that a cure is possible.

(c)(1) If the Division issues a notice of violation under subsection (b) of this section, the controller or processor shall have at least 60 days to cure the violation after receipt of the notice.

(2) If the controller or processor fails to cure the violation within the time period specified by the Division, the Division may bring an enforcement action under § 14-4713 of this subtitle.

(d) In determining whether to grant a controller or processor an opportunity to cure an alleged violation, the Division may consider the following factors:

(1) The number of violations;

(2) The size and complexity of the controller or processor;

(3) The nature and extent of the controller's or processor's processing activities;

(4) The likelihood of injury to the public;

(5) The safety of persons or property;

(6) Whether the alleged violation was likely caused by a human or technical error; and

(7) The extent to which the controller or processor has violated this subtitle or similar laws in the past.

This chapter may be cited as the "Minnesota Consumer Data Privacy Act."

(a) For purposes of this chapter, the following terms have the meanings given.

(b) "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity. For purposes of this paragraph, "control" or "controlled" means: ownership of or the power to vote more than 50 percent of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.

(c) "Authenticate" means to use reasonable means to determine that a request to exercise any of the rights under section 325O.05, subdivision 1, paragraphs (b) to (h), is being made by or rightfully on behalf of the consumer who is entitled to exercise the rights with respect to the personal data at issue.

(d) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, including a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. Biometric data does not include:

(1) a digital or physical photograph;

(2) an audio or video recording; or

(3) any data generated from a digital or physical photograph, or an audio or video recording, unless the data is generated to identify a specific individual.

(e) "Child" has the meaning given in United States Code, title 15, section 6501.

(f) "Consent" means any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. A consent is not valid when the consumer's indication has been obtained by a dark pattern. A consumer may revoke consent previously given, consistent with this chapter.

(g) "Consumer" means a natural person who is a Minnesota resident acting only in an individual or household context. Consumer does not include a natural person acting in a commercial or employment context.

(h) "Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.

(i) "Decisions that produce legal or similarly significant effects concerning the consumer" means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.

(j) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.

(k) "Deidentified data" means data that cannot reasonably be used to infer information about or otherwise be linked to an identified or identifiable natural person or a device linked to an identified or identifiable natural person, provided that the controller that possesses the data:

(1) takes reasonable measures to ensure that the data cannot be associated with a natural person;

(2) publicly commits to process the data only in a deidentified fashion and not attempt to reidentify the data; and

(3) contractually obligates any recipients of the information to comply with all provisions of this paragraph.

(l) "Delete" means to remove or destroy information so that it is not maintained in human- or machine-readable form and cannot be retrieved or utilized in the ordinary course of business.

(m) "Genetic information" has the meaning given in section 13.386, subdivision 1.

(n) "Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.

(o) "Known child" means a person under circumstances where a controller has actual knowledge of, or willfully disregards, that the person is under 13 years of age.

(p) "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include deidentified data or publicly available information. For purposes of this paragraph, "publicly available information" means information that (1) is lawfully made available from federal, state, or local government records or widely distributed media, or (2) a controller has a reasonable basis to believe has lawfully been made available to the general public.

(q) "Process" or "processing" means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, including but not limited to the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

(r) "Processor" means a natural or legal person who processes personal data on behalf of a controller.

(s) "Profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

(t) "Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

(u) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. Sale does not include the following:

(1) the disclosure of personal data to a processor who processes the personal data on behalf of the controller;

(2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

(3) the disclosure or transfer of personal data to an affiliate of the controller;

(4) the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;

(5) the disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or

(6) the exchange of personal data between the producer of a good or service and authorized agents of the producer who sell and service the goods and services, to enable the cooperative provisioning of goods and services by both the producer and the producer's agents.

(v) Sensitive data is a form of personal data. "Sensitive data" means:

(1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;

(2) the processing of biometric data or genetic information for the purpose of uniquely identifying an individual;

(3) the personal data of a known child; or

(4) specific geolocation data.

(w) "Specific geolocation data" means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates. Specific geolocation data does not include the content of communications, the contents of databases containing street address information which are accessible to the public as authorized by law, or any data generated by or connected to advanced utility metering infrastructure systems or other equipment for use by a public utility.

(x) "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from the consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests. Targeted advertising does not include:

(1) advertising based on activities within a controller's own websites or online applications;

(2) advertising based on the context of a consumer's current search query or visit to a website or online application;

(3) advertising to a consumer in response to the consumer's request for information or feedback; or

(4) processing personal data solely for measuring or reporting advertising performance, reach, or frequency.

(y) "Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.

(z) "Trade secret" has the meaning given in section 325C.01, subdivision 5.

Subdivision 1. Scope.

(a) This chapter applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

(1) during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(2) derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

(b) A controller or processor acting as a technology provider under section 13.32 shall comply with this chapter and section 13.32, except that when the provisions of section 13.32 conflict with this chapter, section 13.32 prevails.

Subd. 2. Exclusions.

(a) This chapter does not apply to the following entities, activities, or types of information:

(1) a government entity, as defined by section 13.02, subdivision 7a;

(2) a federally recognized Indian tribe;

(3) information that meets the definition of:

(i) protected health information, as defined by and for purposes of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and related regulations;

(ii) health records, as defined in section 144.291, subdivision 2;

(iii) patient identifying information for purposes of Code of Federal Regulations, title 42, part 2, established pursuant to United States Code, title 42, section 290dd-2;

(iv) identifiable private information for purposes of the federal policy for the protection of human subjects, Code of Federal Regulations, title 45, part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation; the protection of human subjects under Code of Federal Regulations, title 21, parts 50 and 56; or personal data used or shared in research conducted in accordance with one or more of the requirements set forth in this paragraph;

(v) information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, Public Law 99-660, and related regulations; or

(vi) patient safety work product for purposes of Code of Federal Regulations, title 42, part 3, established pursuant to United States Code, title 42, sections 299b-21 to 299b-26;

(4) information that is derived from any of the health care-related information listed in clause (3), but that has been deidentified in accordance with the requirements for deidentification set forth in Code of Federal Regulations, title 45, part 164;

(5) information originating from, and intermingled to be indistinguishable with, any of the health care-related information listed in clause (3) that is maintained by:

(i) a covered entity or business associate, as defined by the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and related regulations;

(ii) a health care provider, as defined in section 144.291, subdivision 2; or

(iii) a program or a qualified service organization, as defined by Code of Federal Regulations, title 42, part 2, established pursuant to United States Code, title 42, section 290dd-2;

(6) information that is:

(i) maintained by an entity that meets the definition of health care provider under Code of Federal Regulations, title 45, section 160.103, to the extent that the entity maintains the information in the manner required of covered entities with respect to protected health information for purposes of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and related regulations;

(ii) included in a limited data set, as described under Code of Federal Regulations, title 45, part 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by that part;

(iii) maintained by, or maintained to comply with the rules or orders of, a self-regulatory organization as defined by United States Code, title 15, section 78c(a)(26);

(iv) originated from, or intermingled with, information described in clause (9) and that a licensed residential mortgage originator, as defined under section 58.02, subdivision 19, or residential mortgage servicer, as defined under section 58.02, subdivision 20, collects, processes, uses, or maintains in the same manner as required under the laws and regulations specified in clause (9); or

(v) originated from, or intermingled with, information described in clause (9) and that a nonbank financial institution, as defined by section 46A.01, subdivision 12, collects, processes, uses, or maintains in the same manner as required under the laws and regulations specified in clause (9);

(7) information used only for public health activities and purposes, as described under Code of Federal Regulations, title 45, part 164.512;

(8) an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in United States Code, title 15, section 1681a(f), by a furnisher of information, as set forth in United States Code, title 15, section 1681s-2, who provides information for use in a consumer report, as defined in United States Code, title 15, section 1681a(d), and by a user of a consumer report, as set forth in United States Code, title 15, section 1681b, except that information is only excluded under this paragraph to the extent that the activity involving the collection, maintenance, disclosure, sale, communication, or use of the information by the agency, furnisher, or user is subject to regulation under the federal Fair Credit Reporting Act, United States Code, title 15, sections 1681 to 1681x, and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act;

(9) personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law;

(10) personal data collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act of 1994, United States Code, title 18, sections 2721 to 2725, if the collection, processing, sale, or disclosure is in compliance with that law;

(11) personal data regulated by the federal Family Educational Rights and Privacy Act, United States Code, title 20, section 1232g, and implementing regulations;

(12) personal data collected, processed, sold, or disclosed pursuant to the federal Farm Credit Act of 1971, as amended, United States Code, title 12, sections 2001 to 2279cc, and implementing regulations, Code of Federal Regulations, title 12, part 600, if the collection, processing, sale, or disclosure is in compliance with that law;

(13) data collected or maintained:

(i) in the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role;

(ii) as the emergency contact information of an individual under item (i) if used solely for emergency contact purposes; or

(iii) that is necessary for the business to retain to administer benefits for another individual relating to the individual under item (i) if used solely for the purposes of administering those benefits;

(14) personal data collected, processed, sold, or disclosed pursuant to the Minnesota Insurance Fair Information Reporting Act in sections 72A.49 to 72A.505;

(15) data collected, processed, sold, or disclosed as part of a payment-only credit, check, or cash transaction where no data about consumers, as defined in section 325O.02, are retained;

(16) a state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities, as described in United States Code, title 12, section 1843(k);

(17) information that originates from, or is intermingled so as to be indistinguishable from, information described in clause (8) and that a person licensed under chapter 56 collects, processes, uses, or maintains in the same manner as is required under the laws and regulations specified in clause (8);

(18) an insurance company, as defined in section 60A.02, subdivision 4, an insurance producer, as defined in section 60K.31, subdivision 6, a third-party administrator of self-insurance, or an affiliate or subsidiary of any entity identified in this clause that is principally engaged in financial activities, as described in United States Code, title 12, section 1843(k), except that this clause does not apply to a person that, alone or in combination with another person, establishes and maintains a self-insurance program that does not otherwise engage in the business of entering into policies of insurance;

(19) a small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, except that a small business identified in this clause is subject to section 325O.075;

(20) a nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance; and

(21) an air carrier subject to the federal Airline Deregulation Act, Public Law 95-504, only to the extent that an air carrier collects personal data related to prices, routes, or services and only to the extent that the provisions of the Airline Deregulation Act preempt the requirements of this chapter.

(b) Controllers that are in compliance with the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and implementing regulations, shall be deemed compliant with any obligation to obtain parental consent under this chapter.

(a) Controllers and processors are responsible for meeting the respective obligations established under this chapter.

(b) Processors are responsible under this chapter for adhering to the instructions of the controller and assisting the controller to meet the controller's obligations under this chapter. Assistance under this paragraph shall include the following:

(1) taking into account the nature of the processing, the processor shall assist the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to section 325O.05; and

(2) taking into account the nature of processing and the information available to the processor, the processor shall assist the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 325E.61, and shall provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by section 325O.08.

(c) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract shall also require that the processor:

(1) ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and

(2) engage a subcontractor only (i) after providing the controller with an opportunity to object, and (ii) pursuant to a written contract in accordance with paragraph (e) that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

(d) Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures.

(e) Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets out the processing instructions to which the processor is bound, including the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing, and the obligations and rights of both parties. The contract shall include the requirements imposed by this paragraph, paragraphs (c) and (d), as well as the following requirements:

(1) at the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

(2) upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this chapter; and

(3) the processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter. The assessor must use an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable, and shall provide a report of an assessment to the controller upon request.

(f) In no event shall any contract relieve a controller or a processor from the liabilities imposed on a controller or processor by virtue of the controller's or processor's roles in the processing relationship under this chapter.

(g) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in the person's processing of personal data pursuant to a controller's instructions, or that fails to adhere to a controller's instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing.

Subdivision 1. Consumer rights provided.

(a) Except as provided in this chapter, a controller must comply with a request to exercise the consumer rights provided in this subdivision.

(b) A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing.

(c) A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data.

(d) A consumer has the right to delete personal data concerning the consumer.

(e) A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.

(f) A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.

(g) If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.

(h) A consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead.

Subd. 2. Exercising consumer rights.

(a) A consumer may exercise the rights set forth in this section by submitting a request, at any time, to a controller specifying which rights the consumer wishes to exercise.

(b) In the case of processing personal data concerning a known child, the parent or legal guardian of the known child may exercise the rights of this chapter on the child's behalf.

(c) In the case of processing personal data concerning a consumer legally subject to guardianship or conservatorship under sections 524.5-101 to 524.5-502, the guardian or the conservator of the consumer may exercise the rights of this chapter on the consumer's behalf.

(d) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.

Subd. 3. Universal opt-out mechanisms.

(a) A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must:

(1) not unfairly disadvantage another controller;

(2) not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data;

(3) be consumer-friendly and easy to use by the average consumer;

(4) be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and

(5) enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising. For purposes of this paragraph, the use of an Internet protocol address to estimate the consumer's location is sufficient to determine the consumer's residence.

(b) If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program.

(c) The platform, technology, or mechanism required under paragraph (a) is subject to the requirements of subdivision 4.

(d) A controller that recognizes opt-out preference signals that have been approved by other state laws or regulations is in compliance with this subdivision.

Subd. 4. Controller response to consumer requests.

(a) Except as provided in this chapter, a controller must comply with a request to exercise the rights pursuant to subdivision 1.

(b) A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests.

(c) A controller may not require a consumer to create a new account in order to exercise a right, but a controller may require a consumer to use an existing account to exercise the consumer's rights under this section.

(d) A controller must comply with a request to exercise the right in subdivision 1, paragraph (f), as soon as feasibly possible, but no later than 45 days of receipt of the request.

(e) A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay.

(f) If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5.

(g) Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.

(h) A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief.

(i) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information:

(1) Social Security number;

(2) driver's license number or other government-issued identification number;

(3) financial account number;

(4) health insurance account number or medical identification number;

(5) account password, security questions, or answers; or

(6) biometric data.

(j) In response to a consumer request under subdivision 1, a controller is not required to reveal any trade secret.

(k) A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either:

(1) retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or

(2) opting the consumer out of the processing of personal data for any purpose except for the purposes exempted pursuant to the provisions of this chapter.

Subd. 5. Appeal process required.

(a) A controller must establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the rights under subdivision 1 within a reasonable period of time after the consumer's receipt of the notice sent by the controller under subdivision 4, paragraph (f).

(b) The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests.

(c) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay.

(d) When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general.

(a) This chapter does not require a controller or processor to do any of the following solely for purposes of complying with this chapter:

(1) reidentify deidentified data;

(2) maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or

(3) comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to section 325O.05, subdivision 1, if all of the following are true:

(i) the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data;

(ii) the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and

(iii) the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.

(b) The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (e) and (h), do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

(c) A controller that uses pseudonymous data or deidentified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments.

(d) A processor or third party must not attempt to identify the subjects of deidentified or pseudonymous data without the express authority of the controller that caused the data to be deidentified or pseudonymized.

(e) A controller, processor, or third party must not attempt to identify the subjects of data that has been collected with only pseudonymous identifiers.

Subdivision 1. Transparency obligations.

(a) Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

(1) the categories of personal data processed by the controller;

(2) the purposes for which the categories of personal data are processed;

(3) an explanation of the rights contained in section 325O.05 and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request;

(4) the categories of personal data that the controller sells to or shares with third parties, if any;

(5) the categories of third parties, if any, with whom the controller sells or shares personal data;

(6) the controller's contact information, including an active email address or other online mechanism that the consumer may use to contact the controller;

(7) a description of the controller's retention policies for personal data; and

(8) the date the privacy notice was last updated.

(b) If a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request.

(c) The privacy notice must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service.

(d) The controller must provide the privacy notice in a manner that is reasonably accessible to and usable by individuals with disabilities.

(e) Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship.

(f) A controller is not required to provide a separate Minnesota-specific privacy notice or section of a privacy notice if the controller's general privacy notice contains all the information required by this section.

(g) The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website home page or on a mobile application's app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail.

Subd. 2. Use of data.

(a) A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer.

(b) Except as provided in this chapter, a controller may not process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes for which the personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer's consent.

(c) A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue.

(d) Except as otherwise provided in this act, a controller may not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or lawful guardian, in accordance with the requirement of the Children's Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its implementing regulations, rules, and exemptions.

(e) A controller shall provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, the child's parent or lawful guardian, to revoke previously given consent under this subdivision. The mechanism provided shall be at least as easy as the mechanism by which the consent was previously given. Upon revocation of consent, a controller shall cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request.

(f) A controller may not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent, under circumstances where the controller knows that the consumer is between the ages of 13 and 16.

(g) A controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09.

Subd. 3. Nondiscrimination.

(a) A controller shall not process personal data on the basis of a consumer's or a class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.

(b) A controller may not discriminate against a consumer for exercising any of the rights contained in this chapter, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This subdivision does not: (1) require a controller to provide a good or service that requires the consumer's personal data that the controller does not collect or maintain; or (2) prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

Subd. 4. Waiver of rights unenforceable.

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this chapter is contrary to public policy and is void and unenforceable.

(a) A small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data without the consumer's prior consent.

(b) Penalties and attorney general enforcement procedures under section 325O.10 apply to a small business that violates this section.

(a) A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with this chapter. The description must include, where applicable:

(1) the name and contact information for the controller's chief privacy officer or other individual with primary responsibility for directing the policies and procedures implemented to comply with the provisions of this chapter; and

(2) a description of the controller's data privacy policies and procedures which reflect the requirements in section 325O.07, and any policies and procedures designed to:

(i) reflect the requirements of this chapter in the design of the controller's systems;

(ii) identify and provide personal data to a consumer as required by this chapter;

(iii) establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item;

(iv) limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed;

(v) prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09; and

(vi) identify and remediate violations of this chapter.

(b) A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data:

(1) the processing of personal data for purposes of targeted advertising;

(2) the sale of personal data;

(3) the processing of sensitive data;

(4) any processing activities involving personal data that present a heightened risk of harm to consumers; and

(5) the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of:

(i) unfair or deceptive treatment of, or disparate impact on, consumers;

(ii) financial, physical, or reputational injury to consumers;

(iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or

(iv) other substantial injury to consumers.

(c) A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed.

(d) A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller.

(e) A data privacy and protection assessment must include the description of policies and procedures required by paragraph (a).

(f) As part of a civil investigative demand, the attorney general may request, in writing, that a controller disclose any data privacy and protection assessment that is relevant to an investigation conducted by the attorney general. The controller must make a data privacy and protection assessment available to the attorney general upon a request made under this paragraph. The attorney general may evaluate the data privacy and protection assessments for compliance with this chapter. Data privacy and protection assessments are classified as nonpublic data, as defined by section 13.02, subdivision 9. The disclosure of a data privacy and protection assessment pursuant to a request from the attorney general under this paragraph does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.

(g) Data privacy and protection assessments or risk assessments conducted by a controller for the purpose of compliance with other laws or regulations may qualify under this section if the assessments have a similar scope and effect.

(h) A single data protection assessment may address multiple sets of comparable processing operations that include similar activities.

(a) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or a processor's ability to:

(1) comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data;

(2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;

(3) cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;

(4) investigate, establish, exercise, prepare for, or defend legal claims;

(5) provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract;

(6) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis;

(7) prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;

(8) assist another controller, processor, or third party with any of the obligations under this paragraph;

(9) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined:

(i) the research is likely to provide substantial benefits that do not exclusively accrue to the controller;

(ii) the expected benefits of the research outweigh the privacy risks; and

(iii) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification; or

(10) process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is:

(i) subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and

(ii) under the responsibility of a professional individual who is subject to confidentiality obligations under federal, state, or local law.

(b) The obligations imposed on controllers or processors under this chapter do not restrict a controller's or processor's ability to collect, use, or retain data to:

(1) effectuate a product recall or identify and repair technical errors that impair existing or intended functionality;

(2) perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or

(3) conduct internal research to develop, improve, or repair products, services, or technology.

(c) The obligations imposed on controllers or processors under this chapter do not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication.

(d) A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of this chapter is not in violation of this chapter if the recipient processes the personal data in violation of this chapter, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter is not in violation of this chapter for the obligations of the controller or processor from which the third-party controller or processor receives the personal data.

(e) Obligations imposed on controllers and processors under this chapter shall not:

(1) adversely affect the rights or freedoms of any persons, including exercising the right of free speech pursuant to the First Amendment of the United States Constitution; or

(2) apply to the processing of personal data by a natural person in the course of a purely personal or household activity.

(f) Personal data that are processed by a controller pursuant to this section may be processed solely to the extent that the processing is:

(1) necessary, reasonable, and proportionate to the purposes listed in this section;

(2) adequate, relevant, and limited to what is necessary in relation to the specific purpose or purposes listed in this section; and

(3) insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers.

(g) If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in paragraph (f).

(h) Processing personal data solely for the purposes expressly identified in paragraph (a), clauses (1) to (7), does not, by itself, make an entity a controller with respect to the processing.

(a) In the event that a controller or processor violates this chapter, the attorney general, prior to filing an enforcement action under paragraph (b), must provide the controller or processor with a warning letter identifying the specific provisions of this chapter the attorney general alleges have been or are being violated. If, after 30 days of issuance of the warning letter, the attorney general believes the controller or processor has failed to cure any alleged violation, the attorney general may bring an enforcement action under paragraph (b). This paragraph expires January 31, 2026.

(b) The attorney general may bring a civil action against a controller or processor to enforce a provision of this chapter in accordance with section 8.31. If the state prevails in an action to enforce this chapter, the state may, in addition to penalties provided by paragraph (c) or other remedies provided by law, be allowed an amount determined by the court to be the reasonable value of all or part of the state's litigation expenses incurred.

(c) Any controller or processor that violates this chapter is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation.

(d) Nothing in this chapter establishes a private right of action, including under section 8.31, subdivision 3a, for a violation of this chapter or any other law.

(a) This chapter supersedes and preempts laws, ordinances, regulations, or the equivalent adopted by any local government regarding the processing of personal data by controllers or processors.

(b) If any provision of this chapter or the chapter's application to any person or circumstance is held invalid, the remainder of the chapter or the application of the provision to other persons or circumstances is not affected.

Sec. 14. EFFECTIVE DATE.

This article is effective July 31, 2025, except that postsecondary institutions regulated by the Office of Higher Education are not required to comply with this article until July 31, 2029.

This part may be cited as the "Consumer Data Privacy Act".

As used in this part, unless the context clearly indicates otherwise, the following definitions apply:

(1) “Adult” means an individual who is 18 years of age or older.

(2) “Affiliate” means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.

(3) “Authenticate” means to use reasonable methods to determine that a request to exercise any of the rights afforded under 30-14-2808(1)(a) through (1)(e) is being made by, or on behalf of, the consumer who is entitled to exercise these consumer rights with respect to the personal data at issue.

(4)(a) “Biometric data” means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.

(b) The term does not include:

(i) a digital or physical photograph;

(ii) an audio or video recording; or

(iii) any data generated from a digital or physical photograph or an audio or video recording, unless that data is generated to identify a specific individual.

(5) “Child” means an individual under 13 years of age.

(6)(a) “Consent” means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may include a written statement, a statement by electronic means, or any other unambiguous affirmative action.

(b) The term does not include:

(i) acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other unrelated information;

(ii) hovering over, muting, pausing, or closing a given piece of content; or

(iii) an agreement obtained using dark patterns.

(7)(a) “Consumer” means an individual who is a resident of this state.

(b) The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency.

(8) “Control” or “controlled” means:

(a) ownership of or the power to vote more than 50% of the outstanding shares of any class of voting security of a company;

(b) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

(c) the power to exercise controlling influence over the management of a company.

(9) “Controller” means an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.

(10) “Dark pattern” means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice.

(11) “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to necessities such as food and water.

(12) “De-identified data” means data that cannot be used to reasonably infer information about or otherwise be linked to an identified or identifiable individual or a device linked to the individual if the controller that possesses the data:

(a) takes reasonable measures to ensure that the data cannot be associated with an individual;

(b) publicly commits to process the data in a de-identified fashion only and to not attempt to re-identify the data; and

(c) contractually obligates any recipients of the data to satisfy the criteria set forth in subsections (12)(a) and (12)(b).

(13) “Heightened risk of harm to minors” means processing the personal data of a minor in a manner that presents a reasonably foreseeable risk that could cause:

(a) unfair or deceptive treatment of or an unlawful disparate impact on a minor;

(b) financial, physical, or reputational injury to a minor;

(c) unauthorized disclosure of the personal data of a minor as a result of a security breach as described in 30-14-1704; or

(d) physical or other intrusion on the solitude or seclusion or the private affairs or concerns of a minor if the intrusion would be considered offensive to a reasonable person.

(14) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.

(15) “Institution of higher education” means any individual who or school, board, association, limited liability company, or corporation that is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.

(16) “Minor” means a consumer who is under 18 years of age.

(17) “Nonprofit organization” means any organization that is exempt from taxation under section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986 or any subsequent corresponding internal revenue code of the United States as amended from time to time.

(18)(a) “Online service, product, or feature” means a service, product, or feature that is provided online.

(b) The term does not include:

(i) a telecommunications service as defined in 47 U.S.C. 153(53), as amended;

(ii) broadband internet access service as defined in 47 CFR 54.400(l), as amended; or

(iii) the delivery or use of a physical product.

(19)(a) “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual.

(b) The term does not include de-identified data or publicly available information.

(20)(a) “Precise geolocation data” means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.

(b) The term does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

(21) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

(22) “Processor” means an individual who or legal entity that processes personal data on behalf of a controller.

(23) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

(24) “Protected health information” has the same meaning as provided in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996.

(25) “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

(26) “Publicly available information” means information that:

(a) is lawfully made available through federal, state, or municipal government records or widely distributed media; or

(b) a controller has a reasonable basis to believe a consumer has lawfully made available to the public.

(27)(a) “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

(b) The term does not include:

(i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;

(ii) the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;

(iii) the disclosure or transfer of personal data to an affiliate of the controller;

(iv) the disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;

(v) the disclosure of personal data that the consumer:

(A) intentionally made available to the public via a channel of mass media; and

(B) did not restrict to a specific audience; or

(vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

(28) “Sensitive data” means personal data that includes:

(a) data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status;

(b) the processing of genetic or biometric data for the purpose of uniquely identifying an individual;

(c) personal data collected from a known child; or

(d) precise geolocation data.

(29)(a) “Targeted advertising” means displaying advertisements to a consumer in which the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated internet websites or online applications to predict the consumer's preferences or interests.

(b) The term does not include:

(i) advertisements based on activities within a controller's own internet websites or online applications;

(ii) advertisements based on the context of a consumer's current search query or visit to an internet website or online application;

(iii) advertisements directed to a consumer in response to the consumer's request for information or feedback; or

(iv) processing personal data solely to measure or report advertising frequency, performance, or reach.

(30) “Third party” means an individual or legal entity, such as a public authority, agency, or body, other than the consumer, controller, or processor or an affiliate of the controller or processor.

(31) “Trade secret” has the same meaning as provided in 30-14-402.

(1) This part does not apply to any:

(a) body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state;

(b) nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance;

(c) institution of higher education;

(d) national securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934, as amended;

(e) state or federally chartered bank or credit union or an affiliate or subsidiary that is principally engaged in financial activities as described in 12 U.S.C. 1843(k);

(f) personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801, et seq.;

(g) covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 160.103; or

(h) insurer, as defined in 33-1-201, an insurance producer, as defined in 33-17-102, a third-party administrator of self-insurance, or an affiliate or subsidiary of an entity identified in this subsection (1)(h) that is principally engaged in financial activities, as described in 12 U.S.C. 1843(k), except that this subsection (1)(h) does not apply to a person who, alone or in combination with another person, establishes and maintains a self-insurance program that does not otherwise engage in the business of entering into policies of insurance.

(2) Information and data exempt from this part include:

(a) protected health information under the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996;

(b) patient-identifying information for the purposes of 42 U.S.C. 290dd-2;

(c) identifiable private information for the purposes of the federal policy for the protection of human subjects of 1991, 45 CFR, part 46;

(d) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use;

(e) the protection of human subjects under 21 CFR, parts 6, 50, and 56, or personal data used or shared in research as defined in the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 164.501, that is conducted in accordance with the standards set forth in this subsection (2)(e), or other research conducted in accordance with applicable law;

(f) information and documents created for the purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101, et seq.;

(g) patient safety work products for the purposes of the Patient Safety and Quality Improvement Act of 2005, 42 U.S.C. 299b-21, et seq., as amended;

(h) information derived from any of the health care-related information listed in this subsection (2) that is:

(i) de-identified in accordance with the requirements for de-identification pursuant to the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996; or

(ii) included in a limited data set as described in 45 CFR 164.514(e), to the extent that the information is used, disclosed, and maintained in a manner specified in 45 CFR 164.514(e).

(i) information originating from and intermingled to be indistinguishable with or information treated in the same manner as information exempt under this subsection (2) that is maintained by a covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 160.103, or a program or qualified service organization, as specified in 42 U.S.C. 290dd-2, as amended;

(j) information used for public health activities and purposes as authorized by the federal Health Insurance Portability and Accountability Act of 1996, community health activities, and population health activities;

(k) the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. 1681, as amended;

(l) personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721, et seq., as amended;

(m) personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g, et seq., as amended;

(n) personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1993, 12 U.S.C. 2001, et seq., as amended;

(o) data processed or maintained:

(i) by an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party to the extent that the data is collected and used within the context of that role;

(ii) as the emergency contact information of an individual under this part and used for emergency contact purposes; or

(iii) that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under subsection (2)(a) and is used for the purposes of administering the benefits; and

(p) personal data collected, processed, sold, or disclosed in relation to price, route, or service, as these terms are used in the Airline Deregulation Act of 1978, 49 U.S.C. 40101, et seq., as amended, by an air carrier subject to the Airline Deregulation Act of 1978, to the extent this part is preempted by the Airline Deregulation Act of 1978, 49 U.S.C. 41713, as amended.

(3) Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq., shall be considered compliant with any obligation to obtain parental consent pursuant to this part.

(1) A consumer must have the right to:

(a) confirm whether a controller is processing the consumer's personal data and access the consumer's personal data, unless such confirmation or access would require the controller to reveal a trade secret;

(b) correct inaccuracies in the consumer's personal data, considering the nature of the personal data and the purposes of the processing of the consumer's personal data;

(c) delete personal data about the consumer;

(d) obtain a copy of the consumer's personal data previously provided by the consumer to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, provided the controller is not required to reveal any trade secret; and

(e) opt out of the processing of the consumer's personal data for the purposes of:

(i) targeted advertising;

(ii) the sale of the consumer's personal data, except as provided in 30-14-2812(2); or

(iii) profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.

(2) A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice.

(3)(a) A consumer may designate an authorized agent in accordance with 30-14-2809 to exercise the rights of the consumer to opt out of the processing of the consumer's personal data under subsection (1)(e) on behalf of the consumer.

(b) A parent or legal guardian of a known child may exercise the consumer rights on the known child's behalf regarding the processing of personal data.

(c) A guardian or conservator of a consumer subject to a guardianship, conservatorship, or other protective arrangement, may exercise the rights on the consumer's behalf regarding the processing of personal data.

(4) Except as otherwise provided in this part, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:

(a) A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request. The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer's requests, provided the controller informs the consumer of the extension within the initial 45-day response period and the reason for the extension.

(b) If a controller declines to act regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to act and provide instructions for how to appeal the decision.

(c) Information provided in response to a consumer request must be provided by a controller, free of charge, once for each consumer during any 12-month period. If requests from a consumer are manifestly unfounded, excessive, technically infeasible, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, technically infeasible, or repetitive nature of the request.

(d) If a controller is unable to authenticate a request to exercise any of the rights afforded under subsections (1)(a) through (1)(d) of this section using commercially reasonable efforts, the controller may not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise the right or rights until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer's request to exercise the consumer's rights. A controller may not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes the request is fraudulent, the controller shall send notice to the person who made the request disclosing that the controller believes the request is fraudulent and that the controller may not comply with the request.

(e) A controller that has obtained personal data about a consumer from a source other than the consumer must be deemed in compliance with the consumer's request to delete the consumer's data pursuant to subsection (1)(c) by:

(i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the controller's records and not using the retained data for any other purpose pursuant to the provisions of this part; or

(ii) opting the consumer out of the processing of the consumer's personal data for any purpose except for those exempted pursuant to the provisions of this part.

(5) A controller shall establish a process for a consumer to appeal the controller's refusal to act on a request within a reasonable period after the consumer's receipt of the decision. The appeal process must be conspicuously available and like the process for submitting requests to initiate action pursuant to this section. Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.

(6) In response to a consumer request under subsection (1)(a), a controller may not disclose the following information about a consumer but shall inform the consumer instead with sufficient particularity that the controller has collected this information:

(a) social security number;

(b) driver's license number or other government-issued identification number;

(c) financial account number;

(d) health insurance account number or medical identification number;

(e) account password, security questions, or answer; or

(f) biometric data.

(1) A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data for one or more of the purposes specified in 30-14-2808(1)(e). The consumer may designate an authorized agent by way of a technology, including but not limited to an internet link or a browser setting, browser extension, or global device setting indicating a customer's intent to opt out of such processing.

(2) A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.

(3) Opt-out methods must:

(a) provide a clear and conspicuous link on the controller's internet website to an internet web page that enables a consumer, or an agent of the consumer, to opt out of the targeted advertising or sale of the consumer's personal data; and

(b) by no later than January 1, 2025, allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data through an opt-out preference signal sent with the consumer's consent, to the controller by a platform, technology, or mechanism that:

(i) may not unfairly disadvantage another controller;

(ii) may not make use of a default setting, but require the consumer to make an affirmative, freely given and unambiguous choice to opt out of any processing of a customer's personal data pursuant to this part;

(iii) must be consumer-friendly and easy to use by the average consumer;

(iv) must be consistent with any federal or state law or regulation; and

(v) must allow the controller to accurately determine whether the consumer is a resident of the state and whether the consumer has made a legitimate request to opt out of any sale of a consumer's personal data or targeted advertising.

(4)

(a) If a consumer's decision to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of personal data, through an opt-out preference signal sent in accordance with the provisions of subsection (3) conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with the consumer's opt-out preference signal but may notify the consumer of the conflict and provide the choice to confirm controller-specific privacy settings or participation in such a program.

(b) If a controller responds to consumer opt-out requests received in accordance with subsection (3) by informing the consumer of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered pursuant to subsection (3) for the retention, use, sale, or sharing of the consumer's personal data.

(1)(a) A controller that offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall use reasonable care to avoid a heightened risk of harm to minors caused by the online service, product, or feature.

(b) In an enforcement action brought by the attorney general pursuant to 30-14-2817, there is a rebuttable presumption that a controller used reasonable care as required under this section if the controller complied with this section.

(2) Unless a controller has obtained consent in accordance with subsection (3), a controller that offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor may not:

(a) process a minor's personal data:

(i) for the purposes of:

(A) targeted advertising;

(B) the sale of personal data; or

(C) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;

(ii) for any processing purpose other than the processing purpose that the controller disclosed at the time the controller collected the minor's personal data or that is reasonably necessary for and compatible with the processing purpose that the controller disclosed at the time the controller collected the minor's personal data; or

(iii) for longer than is reasonably necessary to provide the online service, product, or feature;

(b) use a system design feature to significantly increase, sustain, or extend a minor's use of the online service, product, or feature; or

(c) collect a minor's precise geolocation data unless:

(i) the minor's precise geolocation data is reasonably necessary for the controller to provide the online service, product, or feature;

(ii) the controller only collects and retains the minor's precise geolocation data for the time necessary to provide the online service, product, or feature; and

(iii) the controller provides to the minor a signal indicating that the controller is collecting the minor's precise geolocation data and makes the signal available to the minor for the entire duration of the collection of the minor's precise geolocation data. This subsection (2)(c)(iii) does not apply to a service or application that is used by and under the direction of a ski area operator.

(3)(a) A controller may not engage in the activities described in subsection (2) unless the controller obtains:

(i) the minor's consent; or

(ii) if the minor is a child, the consent of the minor's parent or legal guardian. A controller that complies with the verifiable parental consent requirements established in the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq., as amended, and the regulations, rules, guidance, and exemptions adopted pursuant to this act, as amended, is considered to have satisfied any requirement to obtain parental consent under this subsection (3)(a)(ii).

(b)(i) A controller that offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor may not:

(A) provide a consent mechanism that is designed to substantially subvert or impair or is manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice; or

(B) except as provided in subsection (3)(b)(ii), offer a direct messaging apparatus for use by a minor without providing readily accessible and easy-to-use safeguards to limit the ability of an adult to send unsolicited communications to the minor with whom the adult is not connected.

(ii) Subsection (3)(b)(i)(B) does not apply to an online service, product, or feature of which the predominant or exclusive function is:

(A) electronic mail; or

(B) direct messaging consisting of text, photos, or videos that are sent between devices by electronic means in which messages are:

(I) shared between the sender and the recipient;

(II) only visible to the sender and the recipient; and

(III) not posted publicly.

(4) Subsections (2)(a) and (2)(b) do not apply to a service or application that is used by and under the direction of an educational entity, including a learning management system or a student engagement program.

(1)(a) A controller that offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall use reasonable care to avoid a heightened risk of harm to minors caused by the online service, product, or feature.

(b) In an enforcement action brought by the attorney general pursuant to 30-14-2817, there is a rebuttable presumption that a controller used reasonable care as required under this section if the controller complied with this section.

(2) Unless a controller has obtained consent in accordance with subsection (3), a controller that offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor may not:

(a) process a minor's personal data:

(i) for the purposes of:

(A) targeted advertising;

(B) the sale of personal data; or

(C) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;

(ii) for any processing purpose other than the processing purpose that the controller disclosed at the time the controller collected the minor's personal data or that is reasonably necessary for and compatible with the processing purpose that the controller disclosed at the time the controller collected the minor's personal data; or

(iii) for longer than is reasonably necessary to provide the online service, product, or feature;

(b) use a system design feature to significantly increase, sustain, or extend a minor's use of the online service, product, or feature; or

(c) collect a minor's precise geolocation data unless:

(i) the minor's precise geolocation data is reasonably necessary for the controller to provide the online service, product, or feature;

(ii) the controller only collects and retains the minor's precise geolocation data for the time necessary to provide the online service, product, or feature; and

(iii) the controller provides to the minor a signal indicating that the controller is collecting the minor's precise geolocation data and makes the signal available to the minor for the entire duration of the collection of the minor's precise geolocation data. This subsection (2)(c)(iii) does not apply to a service or application that is used by and under the direction of a ski area operator.

(3)(a) A controller may not engage in the activities described in subsection (2) unless the controller obtains:

(i) the minor's consent; or

(ii) if the minor is a child, the consent of the minor's parent or legal guardian. A controller that complies with the verifiable parental consent requirements established in the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq., as amended, and the regulations, rules, guidance, and exemptions adopted pursuant to this act, as amended, is considered to have satisfied any requirement to obtain parental consent under this subsection (3)(a)(ii).

(b)(i) A controller that offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor may not:

(A) provide a consent mechanism that is designed to substantially subvert or impair or is manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice; or

(B) except as provided in subsection (3)(b)(ii), offer a direct messaging apparatus for use by a minor without providing readily accessible and easy-to-use safeguards to limit the ability of an adult to send unsolicited communications to the minor with whom the adult is not connected.

(ii) Subsection (3)(b)(i)(B) does not apply to an online service, product, or feature of which the predominant or exclusive function is:

(A) electronic mail; or

(B) direct messaging consisting of text, photos, or videos that are sent between devices by electronic means in which messages are:

(I) shared between the sender and the recipient;

(II) only visible to the sender and the recipient; and

(III) not posted publicly.

(4) Subsections (2)(a) and (2)(b) do not apply to a service or application that is used by and under the direction of an educational entity, including a learning management system or a student engagement program.

(1) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations under this part to include:

(a) considering the nature of processing and the information available to the processor by appropriate technical and organizational measures as much as reasonably practicable to fulfill the controller's obligation to respond to consumer rights requests;

(b) considering the nature of processing and the information available to the processor by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security, as provided for in 30-14-1704, of the system of the processor to meet the controller's obligations; and

(c) providing necessary information to enable the controller to conduct and document data protection assessments.

(2) A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also require that the processor:

(a) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the personal data;

(b) at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

(c) on the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in this part;

(d) engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and

(e) allow and cooperate with reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations under this part using an appropriate and accepted control standard or framework and assessment procedure for the assessments. The processor shall provide a report of the assessment to the controller on request.

(3) Nothing in this section may be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller's or processor's role in the processing relationship, as described in this part.

(4) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the following context in which personal data is to be processed:

(a) A person who is not limited in the processing of personal data pursuant to a controller's instructions or who fails to adhere to a controller's instructions is a controller and not a processor with respect to a specific processing of data.

(b) A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.

(c) If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under 30-14-2817.

(1) A controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer. For the purposes of this section, processing that presents a heightened risk of harm to a consumer includes:

(a) the processing of personal data for the purposes of targeted advertising;

(b) the sale of personal data;

(c) the processing of personal data for the purposes of profiling in which the profiling presents a reasonably foreseeable risk of:

(i) unfair or deceptive treatment of or unlawful disparate impact on consumers;

(ii) financial, physical, or reputational injury to consumers;

(iii) a physical or other form of intrusion on the solitude or seclusion or the private affairs or concerns of consumers in which the intrusion would be offensive to a reasonable person; or

(iv) other substantial injury to consumers; and

(d) the processing of sensitive data.

(2)

(a) Data protection assessments conducted pursuant to subsection (1) must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing as mitigated by safeguards that may be employed by the controller to reduce these risks.

(b) The controller shall factor into any data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

(3)

(a) The attorney general may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general.

(b) The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in this part.

(c) Data protection assessments are confidential and are exempt from disclosure under the Freedom of Information Act, 5 U.S.C. 552.

(d) To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, the disclosure may not constitute a waiver of the privilege or protection.

(4) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(5) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment must be considered to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.

(6) Data protection assessment requirements must apply to processing activities created or generated after January 1, 2025, and are not retroactive.

(1) Any controller in possession of de-identified data shall:

(a) take reasonable measures to ensure that the de-identified data cannot be associated with an individual;

(b) publicly commit to maintaining and using de-identified data without attempting to re-identify the de-identified data; and

(c) contractually obligate any recipients of the de-identified data to comply with all provisions of this part.

(2) Nothing in this part may be construed to:

(a) require a controller or processor to re-identify de-identified data or pseudonymous data; or

(b) maintain data in identifiable form or collect, obtain, retain, or access any data or technology to be capable of associating an authenticated consumer request with personal data.

(3) Nothing in this part may be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller:

(a) is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;

(b) does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and

(c) does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.

(4) The rights afforded under 30-14-2808(1)(a) through (1)(d) may not apply to pseudonymous data in cases in which the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

(5) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

(1) Nothing in this part may be construed to restrict a controller's or processor's ability to:

(a) comply with federal, state, or municipal ordinances or regulations;

(b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other government authorities;

(c) cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or municipal ordinances or regulations;

(d) investigate, establish, exercise, prepare for, or defend legal claims;

(e) provide a product or service specifically requested by a consumer;

(f) perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;

(g) take steps at the request of a consumer prior to entering a contract;

(h) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual and when the processing cannot be manifestly based on another legal basis;

(i) prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions;

(j) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines or similar independent oversight entities that determine:

(i) whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;

(ii) the expected benefits of the research outweigh the privacy risks; and

(iii) whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification;

(k) assist another controller, processor, or third party with any of the obligations under this part; or

(l) process personal data for reasons of public interest in public health, community health, or population health, but solely to the extent that the processing is:

(i) subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and

(ii) under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.

(2) The obligations imposed on controllers or processors under this part may not restrict a controller's or processor's ability to collect, use, or retain personal data for internal use to:

(a) conduct internal research to develop, improve, or repair products, services, or technology;

(b) effectuate a product recall;

(c) identify and repair technical errors that impair existing or intended functionality; or

(d) perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

(3) The obligations imposed on controllers or processors under this part may not apply when compliance by the controller or processor with this part would violate an evidentiary privilege under the laws of this state. Nothing in this part may be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.

(4) A controller or processor that discloses personal data to a processor or third-party controller in accordance with this part may not be considered to have violated this part if the processor or third-party controller that receives and processes the personal data violates this part provided, at the time the disclosing controller or processor disclosed the personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate this part. A receiving processor or third-party controller receiving personal data from a disclosing controller or processor in compliance with this part is likewise not in violation of this part for the transgressions of the disclosing controller or processor from which the receiving processor or third-party controller receives the personal data.

(5) Nothing in this part may be construed to:

(a) impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including but not limited to the rights of any person:

(i) to freedom of speech or freedom of the press guaranteed in the first amendment to the United States constitution; or

(ii) under Rule 504 of the Montana Rules of Evidence;

(b) apply to a person's processing of personal data during the person's personal or household activities; or

(c) require a controller or processor to implement an age verification or age-gating system or otherwise affirmatively collect the age of consumers, but a controller that chooses to conduct commercially reasonable age estimation to determine which consumers are minors is not liable for an erroneous age estimation.

(6) Personal data processed by a controller pursuant to this section may be processed to the extent that the processing is:

(a) reasonably necessary and proportionate to the purposes listed in this section; and

(b) adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. The controller or processor must, when applicable, consider the nature and purpose of the collection, use, or retention of the personal data collected, used, or retained pursuant to subsection (2). The personal data must be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.

(7) If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements in subsection (6).

(8) Processing personal data for the purposes expressly identified in this section may not solely make a legal entity a controller with respect to the processing.

(1) The attorney general has exclusive authority and may use the duties and powers provided by Title 30, chapter 14, parts 1 and 2, to enforce violations pursuant to this part.

(2) The attorney general shall post on the attorney general's website:

(a) information relating to:

(i) the responsibilities of a controller pursuant to this part;

(ii) the responsibilities of a processor pursuant to this part; and

(iii) a consumer's rights pursuant to this part; and

(b) an online mechanism through which a consumer may submit a complaint regarding consumer data privacy to the attorney general.

(3)(a) If the attorney general has reasonable cause to believe that a person has engaged in or is engaging in a violation of this part, the attorney general may issue a civil investigative demand pursuant to 30-14-113.

(b) As part of a civil investigative demand, the attorney general may request that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general. The attorney general may evaluate the data protection assessment for compliance with the requirements pursuant to this part.

(4) Actions brought by the department to enforce this part are subject to the statute of limitations pursuant to 27-2-231.

(5) Nothing in this part may be construed as providing the basis for or be subject to a private right of action for violations of this part or any other law.

(1) A processor shall adhere to the instructions of a controller and shall assist the controller to meet the controller's obligations under 30-14-2811 and 30-14-2819, taking into account the nature of the processing and the information available to the processor. The processor shall assist the controller by:

(a) taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligations under 30-14-2811; and

(b) providing information to enable the controller to conduct and document data protection assessments pursuant to 30-14-2819.

(2) A contract between a controller and a processor must satisfy the requirements of 30-14-2813(2).

(3) Nothing in this section may be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of the controller's or processor's role in the processing relationship as described in 30-14-2811 and 30-14-2819.

(4) Determining whether a person is acting as a controller or processor with respect to a specific processing of personal data is a fact-based determination that depends on the context in which personal data is to be processed. A person that is not limited in the person's processing of personal data pursuant to a controller's instructions or that fails to adhere to the instructions is a controller and not a processor with respect to a specific processing of personal data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under 30-14-2817.

(1) A controller that, on or after October 1, 2025, offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall conduct a data protection assessment for the online service, product, or feature if there is a heightened risk of harm to minors. The controller shall conduct the data protection assessment:

(a) in a manner that is consistent with the requirements established in 30-14-2814; and

(b) to address:

(i) the purpose of the online service, product, or feature;

(ii) the categories of a minor's personal data that the online service, product, or feature processes;

(iii) the purposes for which the controller processes a minor's personal data with respect to the online service, product, or feature; and

(iv) a heightened risk of harm to minors that is a reasonably foreseeable result of offering the online service, product, or feature to minors.

(2) A controller that conducts a data protection assessment pursuant to subsection (1) shall:

(a) review the data protection assessment as necessary to account for a material change to the processing operations of the online service, product, or feature that is the subject of the data protection assessment; and

(b) maintain documentation concerning the data protection assessment for the longer of:

(i) 3 years after the date on which the processing operations cease; or

(ii) the date the controller ceases offering the online service, product, or feature.

(3) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(4) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment is considered to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.

(5) If a controller conducts a data protection assessment pursuant to subsection (1) or a data protection assessment review pursuant to subsection (2)(a) and determines that the online service, product, or feature that is the subject of the assessment poses a heightened risk of harm to minors, the controller shall establish and implement a plan to mitigate or eliminate the heightened risk.

(6)(a) A data protection assessment conducted pursuant to this section:

(i) is confidential, except as provided in subsection (6)(b); and

(ii) is not a public record and is exempt from public inspection and copying under the Freedom of Information Act, 5 U.S.C. 552.

(b)(i) A controller shall make a data protection assessment conducted pursuant to this section available to the attorney general on request. The attorney general may evaluate the data protection assessment for compliance with this section and with other laws.

(ii) The disclosure of a data protection assessment pursuant to a request from the attorney general does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information in the assessment.

(7) Data protection assessment requirements apply to processing activities created or generated after October 1, 2025, and are not retroactive.

(1) A violation of this part is a violation of Title 30, chapter 14, parts 1 and 2.

(2) A person who violates the provisions of this part following the 30-day period described in 30-14-2817(3) is liable for a civil penalty in an amount not to exceed $7,500 for each violation.

(3) The attorney general may bring an action in the name of this state to:

(a) recover a civil penalty under this section;

(b) restrain or enjoin the person from violating this part; or

(c) recover the civil penalty and seek injunctive relief.

(4) The attorney general may recover reasonable attorney fees and other reasonable expenses incurred in investigating and bring an action under this section.

(5) The attorney general shall deposit a civil penalty collected under this section in a special revenue account to the credit of the department pursuant to 30-14-143.

Sections 87-1101 to 87-1130 shall be known and may be cited as the Data Privacy Act.

For purposes of the Data Privacy Act:

(1) Affiliate means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For purposes of this subdivision, control or controlled means:

(a) The ownership of, or power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company;

(b) The control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

(c) The power to exercise controlling influence over the management of a company;

(2) Authenticate means to verify through reasonable means that the consumer who is entitled to exercise the consumer's rights under sections 87-1107 to 87-1111, or a person on behalf of such consumer, is the same consumer exercising those consumer rights with respect to the personal data at issue;

(3)(a) Biometric data means data that is generated to identify a specific individual through an automatic measurement of a biological characteristic of such individual and includes any:

(i) Fingerprint;

(ii) Voice print;

(iii) Retina image;

(iv) Iris image; or

(v) Unique biological pattern or characteristic.

(b) Biometric data does not include:

(i) Except when generated to identify a specific individual, any physical or digital photograph, video or audio recording, or data generated from a physical or digital photograph; or

(ii) Information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act;

(4) Business associate has the meaning assigned to the term by the Health Insurance Portability and Accountability Act;

(5) Child means an individual younger than thirteen years of age;

(6)(a) Consent means, when referring to a consumer, a clear and affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a statement written by electronic means or any other unambiguous affirmative action by the consumer.

(b) Consent, when referring to a consumer, does not include:

(i) Acceptance of a general or broad term of use or similar document that contains a description of personal data processing along with other, unrelated information;

(ii) Hovering over, muting, pausing, or closing a given piece of content; or

(iii) Agreement obtained through the use of a dark pattern;

(7)(a) Consumer means an individual who is a resident of this state acting only in an individual or household context.

(b) Consumer does not include an individual acting in a commercial or employment context;

(8) Controller means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data;

(9) Covered entity has the same meaning as defined in 45 C.F.R. 160.103, as such regulation existed on January 1, 2024;

(10) Dark pattern means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice determined by the Federal Trade Commission to be a dark pattern as of January 1, 2024;

(11) Decision that produces a legal or similarly significant effect concerning a consumer means a decision made by the controller that results in the provision or denial by the controller of:

(a) Financial and lending services;

(b) Housing, insurance, or health care services;

(c) Education enrollment;

(d) Employment opportunities;

(e) Criminal justice; or

(f) Access to basic necessities, such as food and water;

(12) Deidentified data means data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to that individual;

(13) Health care provider has the same meaning as in the Health Insurance Portability and Accountability Act;

(14) Health Insurance Portability and Accountability Act means the federal Health Insurance Portability and Accountability Act of 1996, as such act existed on January 1, 2024;

(15) Health record means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health care services to an individual that concerns the individual and the services provided to such individual, and includes:

(a) The substance of any communication made by an individual to a health care provider in confidence during or in connection with the provision of health care services; or

(b) Information otherwise acquired by the health care provider about an individual in confidence and in connection with health care services provided to the individual;

(16) Identified or identifiable individual means a consumer who can be directly or indirectly readily identified;

(17) Institution of higher education means any postsecondary institution or private postsecondary institution as such terms are defined in section 85-2403;

(18) Known child means a child under circumstances where a controller has actual knowledge of, or willfully disregards, the child's age;

(19) Nonprofit organization means any corporation organized under the Nebraska Nonprofit Corporation Act, any organization exempt from taxation under section 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any organization exempt from taxation under section 501(c)(4) of the Internal Revenue Code that is established to detect or prevent insurance-related crime or fraud, and any subsidiary or affiliate of a cooperative corporation organized in this state;

(20)(a) Personal data means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.

(b) Personal data does not include deidentified data or publicly available information;

(21) Political organization means a party, committee, association, fund, or other organization, regardless of whether incorporated, that is organized and operated primarily for the purpose of influencing or attempting to influence:

(a) The selection, nomination, election, or appointment of an individual to a federal, state, or local public office or an office in a political organization, regardless of whether the individual is selected, nominated, elected, or appointed; or

(b) The election of a presidential or vice-presidential elector, regardless of whether the elector is selected, nominated, elected, or appointed;

(22)(a) Precise geolocation data means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet.

(b) Precise geolocation data does not include the content of communications or any data generated by or connected to an advanced utility metering infrastructure system or to equipment for use by a utility;

(23) Process or processing means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data;

(24) Processor means a person that processes personal data on behalf of a controller;

(25) Profiling means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

(26) Protected health information has the same meaning as in the Health Insurance Portability and Accountability Act;

(27) Pseudonymous data means any personal information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual;

(28) Publicly available information means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience;

(29)(a) Sale of personal data means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

(b) Sale of personal data does not include:

(i) The disclosure of personal data to a processor that processes the personal data on the controller's behalf;

(ii) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

(iii) The disclosure or transfer of personal data to an affiliate of the controller;

(iv) The disclosure of information that the consumer:

(A) Intentionally made available to the general public through a mass media channel; and

(B) Did not restrict to a specific audience; or

(v) The disclosure or transfer of personal data to a third party as an asset in which the third party assumes control of all or part of the controller's assets that is part of a proposed or actual:

(A) Merger;

(B) Acquisition;

(C) Bankruptcy; or

(D) Other transaction;

(30) Sensitive data means a category of personal data, and includes:

(a) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

(b) Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;

(c) Personal data collected from a known child; or

(d) Precise geolocation data;

(31) State agency means a department, commission, board, office, council, authority, or other agency in any branch of state government that is created by the constitution or a statute of this state, including any university system or any postsecondary institution as defined in section 85-2403;

(32)(a) Targeted advertising means displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.

(b) Targeted advertising does not include:

(i) An advertisement that:

(A) Is based on activities within a controller's own websites or online applications;

(B) Is based on the context of a consumer's current search query, visit to a website, or online application; or

(C) Is directed to a consumer in response to the consumer's request for information or feedback; or

(ii) The processing of personal data solely for measuring or reporting advertising performance, reach, or frequency;

(33) Third party means a person, other than the consumer, the controller, the processor, or an affiliate of the controller or processor; and

(34) Trade secret has the same meaning as in section 87-502.

(1) The Data Privacy Act applies only to a person that:

(a) Conducts business in this state or produces a product or service consumed by residents of this state;

(b) Processes or engages in the sale of personal data; and

(c) Is not a small business as determined under the federal Small Business Act, as such act existed on January 1, 2024, except to the extent that section 87-1118 applies to a person described by this subdivision.

(2) The Data Privacy Act does not apply to any:

(a) State agency or political subdivision of this state;

(b) Financial institution, affiliate of a financial institution, or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., as such title existed on January 1, 2024;

(c) Covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. parts 160 and 164, as such parts existed on January 1, 2024, and Division A, Title XIII, and Division B, Title IV, of the federal Health Information Technology for Economic and Clinical Health Act, Public Law No. 111-5, as such act existed on January 1, 2024;

(d) Nonprofit organization;

(e) Institution of higher education;

(f) Electric supplier or supplier of electricity as defined in section 70-1001.01;

(g) Natural gas public utility as defined in section 66-1802; or

(h) Natural gas utility owned or operated by a city or a metropolitan utilities district.

The Data Privacy Act does not apply to the following:

(1) Protected health information under the Health Insurance Portability and Accountability Act;

(2) Health records;

(3) Patient identifying information for purposes of 42 U.S.C. 290dd-2, as such section existed on January 1, 2024;

(4) Identifiable private information:

(a) For purposes of the federal policy for the protection of human subjects under 45 C.F.R. part 46, as such part existed on January 1, 2024;

(b) Collected as part of human subjects research under the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use, as such guidelines existed on January 1, 2024, or of the protection of human subjects under 21 C.F.R. parts 50 and 56, as such parts existed on January 1, 2024; or

(c) That is personal data used or shared in research conducted pursuant to the Data Privacy Act or other research conducted in accordance with applicable Nebraska law;

(5) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101 et seq., as such act existed on January 1, 2024;

(6) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act of 2005, 42 U.S.C. 299b-21 et seq., as such act existed on January 1, 2024;

(7) Information derived from any of the health care-related information listed in this section that is deidentified in accordance with the requirements for deidentification under the Health Insurance Portability and Accountability Act;

(8) Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this section that is maintained by a covered entity or business associate as defined by the Health Insurance Portability and Accountability Act or by a program or a qualified service organization as defined by 42 U.S.C. 290dd-2, as such section existed on January 1, 2024;

(9) Information that is included in a limited data set as described by 45 C.F.R. 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by 45 C.F.R. 164.514(e), as such regulation existed on January 1, 2024;

(10) Information collected or used only for public health activities and purposes as authorized by the Health Insurance Portability and Accountability Act;

(11) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., as such act existed on January 1, 2024;

(12) Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq., as such act existed on January 1, 2024;

(13) Personal data regulated by the federal Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g, as such act existed on January 1, 2024;

(14) Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act of 1971, 12 U.S.C. 2001 et seq., as such act existed on January 1, 2024;

(15) Data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;

(16) Data processed or maintained as the emergency contact information of an individual under the Data Privacy Act that is used for emergency contact purposes; or

(17) Data that is processed or maintained and is necessary to retain to administer benefits for another individual that relates to an individual described by subdivision (15) of this section and used for the purposes of administering such benefits.

The Data Privacy Act does not apply to the processing of personal data by a person in the course of a purely personal or household activity.

A controller or processor that complies with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq., and the rules, regulations, and guidance adopted and promulgated under such act as such act, rules, regulations, and guidance existed on January 1, 2024, with respect to data collected online is considered to be in compliance with any requirement to obtain parental consent under the Data Privacy Act.

(1) A consumer may at any time submit a request to a controller specifying the consumer rights the consumer wishes to exercise. With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child may exercise the consumer rights on behalf of the known child.

(2) A controller shall comply with an authenticated consumer request to exercise the right to:

(a) Confirm whether a controller is processing the consumer's personal data and to access the personal data;

(b) Correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;

(c) Delete personal data provided by or obtained about the consumer;

(d) If the data is available in a digital format and the processing is completed by automated means, obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; or

(e) Opt out of the processing of the personal data for purposes of:

(i) Targeted advertising;

(ii) The sale of personal data; or

(iii) Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

(1) Except as otherwise provided in the Data Privacy Act, a controller shall comply with a request submitted by a consumer to exercise the consumer's rights pursuant to section 87-1107.

(2) A controller shall respond to the consumer request without undue delay within forty-five days after the date of receipt of the request. The controller may extend the response period once by an additional forty-five days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five-day response period, together with the reason for the extension.

(3) If a controller declines to comply with a consumer's request, the controller shall inform the consumer within forty-five days after the date of receipt of the request of the justification for declining to comply and provide instructions on how to appeal the decision to the Attorney General in accordance with section 87-1109.

(4) A controller shall provide information in response to a consumer request free of charge, up to twice annually per consumer. If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request. The controller bears the burden of demonstrating that a request is manifestly unfounded, excessive, or repetitive.

(5) If a controller is unable to authenticate the request using commercially reasonable efforts, the controller is not required to comply with a consumer request submitted under section 87-1107 and may request that the consumer provide additional information reasonably necessary to authenticate the consumer's identity and the consumer's request.

(6) A controller that has obtained personal data about a consumer from a source other than the consumer is in compliance with a consumer's request to delete such personal data pursuant to subdivision (2)(c) of section 87-1107 by:

(a) Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records and not using the retained data for any other purpose under the Data Privacy Act; or

(b) Opting the consumer out of the processing of that personal data for any purpose other than a purpose that is exempt under the Data Privacy Act.

(1) A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision under subsection (3) of section 87-1108.

(2) The appeal process must be conspicuously available and similar to the process for initiating an action to exercise consumer rights by submitting a request under section 87-1107.

(3) A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section not later than the sixtieth day after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision.

(4) If the controller denies an appeal, the controller shall provide the consumer with the online mechanism described in section 87-1108 through which the consumer may contact the Attorney General to submit a complaint.

Any provision of a contract or agreement that waives or limits in any way a consumer right described in sections 87-1107 to 87-1109 is contrary to public policy and is void and unenforceable.

(1) A controller shall establish two or more secure and reliable methods to enable a consumer to submit a request to exercise consumer rights under the Data Privacy Act. The methods shall take into account:

(a) The ways in which consumers normally interact with the controller;

(b) The necessity for secure and reliable communications of those requests; and

(c) The ability of the controller to authenticate the identity of the consumer making the request.

(2) A controller shall not require a consumer to create a new account to exercise a consumer right under the Data Privacy Act, but may require a consumer to use an existing account.

(3) Except as provided by subsection (4) of this section, if the controller maintains an Internet website, the controller shall provide a mechanism on the website for a consumer to submit a request for information required to be disclosed under the Data Privacy Act.

(4) A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal information is only required to provide an email address for the submission of a request described by subsection (3) of this section.

(5) A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data under subdivisions (2)(e)(i) and (ii) of section 87-1107. A consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the processing of the consumer's personal data under subdivisions (2)(e)(i) and (ii) of section 87-1107. A controller shall comply with an opt-out request received from an authorized agent under this subsection if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. A controller is not required to comply with an opt-out request received from an authorized agent under this subsection if:

(a) The authorized agent does not communicate the request to the controller in a clear and unambiguous manner;

(b) The controller is not able to verify, with commercially reasonable effort, that the consumer is a resident of this state;

(c) The controller does not possess the ability to process the request; or

(d) The controller does not process similar or identical requests the controller receives from consumers for the purpose of complying with similar or identical laws or regulations of another state.

(6) A technology described by subsection (5) of this section:

(a) Shall not unfairly disadvantage another controller;

(b) Shall not make use of a default setting, but shall require the consumer to make an affirmative, freely given, and unambiguous choice to indicate the consumer's intent to opt out of any processing of a consumer's personal data; and

(c) Shall be consumer-friendly and easy to use by the average consumer.

(1) A controller:

(a) Shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer; and

(b) For purposes of protecting the confidentiality, integrity, and accessibility of personal data, shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.

(2) A controller shall not:

(a) Except as otherwise provided in the Data Privacy Act, process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;

(b) Process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;

(c) Discriminate against a consumer for exercising any of the consumer rights contained in the Data Privacy Act, including by denying a good or service, charging a different price or rate for a good or service, or providing a different level of quality of a good or service to the consumer; or

(d) Process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq., as such act existed on January 1, 2024.

(3) Subdivision (2)(c) of this section shall not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of a good or service to a consumer, including offering a good or service for no fee, if the consumer has exercised the consumer's right to opt out under section 87-1107 or the offer is related to a consumer's voluntary participation in a bona fide loyalty, reward, premium feature, discount, or club card program.

A controller shall provide each consumer with a reasonably accessible and clear privacy notice that includes:

(1) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller;

(2) The purpose for processing personal data;

(3) How a consumer may exercise a consumer right under sections 87-1107 to 87-1111, including the process by which a consumer may appeal a controller's decision with regard to the consumer's request;

(4) If applicable, any category of personal data that the controller shares with any third party;

(5) If applicable, any category of third party with whom the controller shares personal data; and

(6) A description of each method required under section 87-1111 through which a consumer may submit a request to exercise a consumer right under the Data Privacy Act.

If a controller sells personal data to any third party or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process.

(1) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting or complying with the controller's duties or requirements under the Data Privacy Act, including:

(a) Assisting the controller in responding to consumer rights requests submitted under section 87-1107 by using appropriate technical and organizational measures, as reasonably practicable, taking into account the nature of processing and the information available to the processor;

(b) Assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor's system relating to an operator's or driver's license, taking into account the nature of processing and the information available to the processor; and

(c) Providing necessary information to enable the controller to conduct and document data protection assessments under section 87-1116.

(2) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall include:

(a) Clear instructions for processing data;

(b) The nature and purpose of processing;

(c) The type of data subject to processing;

(d) The duration of processing;

(e) The rights and obligations of both parties; and

(f) A requirement that the processor shall:

(i) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

(ii) At the controller's direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;

(iii) Make available to the controller, on reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance with the requirements of the Data Privacy Act;

(iv) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; and

(v) Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.

(3) Notwithstanding the requirement described by subdivision (2)(f)(iv) of this section, a processor, in the alternative, may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the requirements under the Data Privacy Act using an appropriate and accepted control standard or framework and assessment procedure. The processor shall provide a report of the assessment to the controller on request.

(4) This section shall not be construed to relieve a controller or a processor from the liabilities imposed on the controller or processor by virtue of the role of the controller or processor in the processing relationship as described in the Data Privacy Act.

(5) A determination of whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains in the role of a processor.

(1) A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:

(a) The processing of personal data for purposes of targeted advertising;

(b) The sale of personal data;

(c) The processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:

(i) Unfair or deceptive treatment of or unlawful disparate impact on any consumer;

(ii) Financial, physical, or reputational injury to any consumer;

(iii) A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of any consumer, if the intrusion would be offensive to a reasonable person; or

(iv) Other substantial injury to any consumer;

(d) The processing of sensitive data; and

(e) Any processing activity that involves personal data that presents a heightened risk of harm to any consumer.

(2) A data protection assessment conducted under subsection (1) of this section shall:

(a) Identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce the risks; and

(b) Factor into the assessment:

(i) The use of deidentified data;

(ii) The reasonable expectations of consumers;

(iii) The context of the processing; and

(iv) The relationship between the controller and the consumer whose personal data will be processed.

(3) A controller shall make a data protection assessment requested under subsection (2) of section 87-1121 available to the Attorney General pursuant to a civil investigative demand under section 87-1121.

(4) A data protection assessment is confidential and exempt from disclosure as a public record pursuant to sections 84-712 to 84-712.09. Disclosure of a data protection assessment in compliance with a request from the Attorney General does not constitute a waiver of attorney-client privilege or work-product protection with respect to the assessment and any information contained in the assessment.

(5) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(6) A data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect.

(1) A controller in possession of deidentified data shall:

(a) Take reasonable measures to ensure that the data cannot be associated with an individual;

(b) Publicly commit to maintaining and using deidentified data without attempting to reidentify the data; and

(c) Contractually obligate any recipient of the deidentified data to comply with the Data Privacy Act.

(2) The Data Privacy Act shall not be construed to require a controller or processor to:

(a) Reidentify deidentified data or pseudonymous data;

(b) Maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or

(c) Comply with an authenticated consumer rights request under section 87-1107, if the controller:

(i) Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;

(ii) Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and

(iii) Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by this section.

(3) The consumer rights under subdivisions (2)(a) through (d) of section 87-1107 and controller duties under section 87-1112 do not apply to pseudonymous data in any case in which the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

(4) A controller that discloses pseudonymous data or deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and shall take appropriate steps to address any breach of the contractual commitments.

(1) A person described by subdivision (1)(c) of section 87-1103 shall not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.

(2) A person who violates this section is subject to the penalty under section 87-1124.

The Attorney General has exclusive authority to enforce the Data Privacy Act.

The Attorney General shall post on the Attorney General's website:

(1) Information relating to:

(a) The responsibilities of a controller under the Data Privacy Act;

(b) The responsibilities of a processor under the Data Privacy Act; and

(c) A consumer's rights under the Data Privacy Act; and

(2) An online mechanism through which a consumer may submit a complaint under the Data Privacy Act to the Attorney General.

(1) If the Attorney General has reasonable cause to believe that a controller or processor has engaged in or is engaging in a violation of the Data Privacy Act, the Attorney General may issue a civil investigative demand pursuant to section 87-1123.

(2) The Attorney General may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General. The Attorney General may evaluate the data protection assessment for compliance with sections 87-1112 to 87-1114.

Before bringing an action under section 87-1124, the Attorney General shall notify a controller or processor in writing, not later than the thirtieth day before bringing the action, identifying the specific provisions of the Data Privacy Act the Attorney General alleges have been or are being violated. The Attorney General may not bring an action against the controller or processor if:

(1) Within the thirty-day period, the controller or processor cures the identified violation; and

(2) The controller or processor provides the Attorney General:

(a) A written statement that the controller or processor cured the alleged violation and supportive documentation to show how such violation was cured; and

(b) An express written statement that the controller or processor shall not commit any such violation after the alleged violation has been cured.

(1) Whenever the Attorney General believes that any person may be in possession, custody, or control of any original or copy of any book, record, report, memorandum, paper, communication, tabulation, map, chart, photograph, mechanical transcription, or other tangible document or recording, wherever situated, which he or she believes to be relevant to the subject matter of an investigation of a possible violation of the Data Privacy Act, the Attorney General may, prior to the institution of a civil proceeding under such act, execute in writing and cause to be served upon such a person a civil investigative demand requiring such person to produce such documentary material and permit inspection and copying thereof. This section shall not be applicable to criminal prosecutions.

(2) Each such demand shall:

(a) State the statute and section or sections thereof the alleged violation of which is under investigation, and the general subject matter of the investigation;

(b) Describe the class or classes of documentary material to be produced thereunder with reasonable specificity so as fairly to indicate the material demanded;

(c) Prescribe a return date within which the documentary material shall be produced; and

(d) Identify the members of the Attorney General's staff to whom such documentary material shall be made available for inspection and copying.

(3) No such demand shall:

(a) Contain any requirement which would be unreasonable or improper if contained in a subpoena duces tecum issued by a court of this state; or

(b) Require the disclosure of any documentary material which would be privileged, or which for any other reason would not be required by a subpoena duces tecum issued by a court of this state.

(4) Service of any such demand may be made by:

(a) Delivering a duly executed copy thereof to the person to be served, or, if such person is not a natural person, to any officer of the person to be served;

(b) Delivering a duly executed copy thereof to the principal place of business in this state of the person to be served; or

(c) Mailing by certified mail a duly executed copy thereof addressed to the person to be served at the principal place of business in this state, or, if such person has no place of business in this state, to his or her principal office or place of business.

(5) Documentary material demanded pursuant to this section shall be produced for inspection and copying during normal business hours at the principal office or place of business of the person served, or at such other times and places as may be agreed upon by the person served and the Attorney General.

(6) No documentary material produced pursuant to a demand, or copies thereof, shall, unless otherwise ordered by a district court for good cause shown, be produced for inspection or copying by, nor shall the contents thereof be disclosed to, other than an authorized employee of the Attorney General, without the consent of the person who produced such material, except that:

(a) Under such reasonable terms and conditions as the Attorney General shall prescribe, the copies of such documentary material shall be available for inspection and copying by the person who produced such material or any duly authorized representative of such person;

(b) The Attorney General may provide copies of such documentary material to an official of this or any other state, or an official of the federal government, who is charged with the enforcement of federal or state antitrust or consumer protection laws, if such official agrees in writing to not disclose such documentary material to any person other than the official's authorized employees, except as such disclosure is permitted under subdivision (c) of this subsection; and

(c) The Attorney General or any assistant attorney general or an official authorized to receive copies of documentary material under subdivision (b) of this subsection may use such copies of documentary material as he or she determines necessary in the enforcement of the Data Privacy Act, including presentation before any court, except that any such material that contains trade secrets shall not be presented except with the approval of the court in which action is pending after adequate notice to the person furnishing such material.

(7) At any time before the return date specified in the demand, or within twenty days after the demand has been served, whichever period is shorter, a petition to extend the return date for or to modify or set aside a demand issued pursuant to subsection (1) of this section, stating good cause, may be filed in the district court for Lancaster County, or in such other county where the parties reside. A petition by the person on whom the demand is served, stating good cause, to require the Attorney General or any person to perform any duty imposed by this section, and all other petitions in connection with a demand, may be filed in the district court for Lancaster County or in the county where the parties reside.

(8) Whenever any person fails to comply with any civil investigative demand for documentary material duly served upon him or her under this section, or whenever satisfactory copying or reproduction of any such material cannot be done and such person refuses to surrender such material, the Attorney General may file, in the district court of the county in which such person resides, is found, or transacts business, and serve upon such person a petition for an order of such court for the enforcement of this section, except that if such person transacts business in more than one county, such petition shall be filed in the county in which such person maintains his or her principal place of business or in such other county as may be agreed upon by the parties to such petition. Whenever any petition is filed in the district court of any county under this section, such court shall have jurisdiction to hear and determine the matter so presented and to enter such order as may be required to carry this section into effect. Disobedience of any order entered under this section by any court shall be punished as a contempt thereof.

(1) A person who violates the Data Privacy Act following the cure period described by section 87-1122 or who breaches a written statement provided to the Attorney General under such section is liable for a civil penalty in an amount not to exceed seven thousand five hundred dollars for each violation.

(2) The Attorney General may bring an action in the name of the State of Nebraska to:

(a) Recover a civil penalty under this section;

(b) Restrain or enjoin the person from violating the Data Privacy Act; or

(c) Recover the civil penalty and seek injunctive relief.

(3) The Attorney General may recover reasonable attorney's fees and other reasonable expenses incurred in investigating and bringing an action under this section.

(4) All money collected under this section shall be remitted to the State Treasurer for distribution in accordance with Article VII, section 5, of the Constitution of Nebraska.

The Data Privacy Act shall not be construed as providing a basis for, or being subject to, a private right of action for a violation of the Data Privacy Act or any other law.

The Data Privacy Act shall not be construed to:

(1) Restrict a controller's or processor's ability to:

(a) Comply with federal, state, or local laws, rules, or regulations;

(b) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;

(c) Cooperate with any law enforcement agency concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate any federal, state, or local law, rule, or regulation;

(d) Investigate, establish, exercise, prepare for, or defend legal claims;

(e) Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take action at the request of the consumer before entering into a contract;

(f) Take immediate action to protect an interest that is essential for the life or physical safety of the consumer or of another individual and in which the processing cannot be manifestly based on another legal basis;

(g) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;

(h) Preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security;

(i) Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar independent oversight entity that determines:

(i) If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;

(ii) Whether the expected benefits of the research outweigh the privacy risks; and

(iii) If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification; or

(j) Assist another controller, processor, or third party with any of the requirements under subdivision (1) of this section;

(2) Prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication;

(3) Impose a requirement on any controller or processor that adversely affects any right or freedom of any person, including the right of free speech pursuant to the First Amendment to the Constitution of the United States;

(4) Require a controller, processor, third party, or consumer to disclose a trade secret;

(5) Apply to the processing of personal data by any individual in the course of a purely personal or household activity; or

(6) Prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege as part of a privileged communication.

(1) The requirements imposed on any controller or processor under the Data Privacy Act shall not restrict a controller's or processor's ability to collect, use, or retain data to:

(a) Conduct internal research to develop, improve, or repair products, services, or technology;

(b) Effect a product recall;

(c) Identify and repair technical errors that impair existing or intended functionality; or

(d) Perform internal operations that:

(i) Are reasonably aligned with the expectations of the consumer;

(ii) Are reasonably anticipated based on the consumer's existing relationship with the controller; or

(iii) Are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

(2) A requirement imposed on a controller or processor under the Data Privacy Act shall not apply if compliance with the requirement by the controller or processor, as applicable, would violate an evidentiary privilege under any law of this state.

(1) A controller or processor that discloses personal data to a third-party controller or processor, in compliance with any requirement of the Data Privacy Act, does not violate the Data Privacy Act if the third-party controller or processor that receives and processes that personal data is in violation of the Data Privacy Act, if at the time of the data's disclosure the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.

(2) A third-party controller or processor that receives personal data from a controller or processor in compliance with the requirements of the Data Privacy Act does not violate the Data Privacy Act for the transgressions of the controller or processor from which the third-party controller or processor received the personal data.

(1) Personal data processed by a controller under sections 87-1126 to 87-1129 may not be processed for any purpose other than a purpose listed in sections 87-1126 to 87-1129 unless otherwise allowed by the Data Privacy Act. Personal data processed by a controller under sections 87-1126 to 87-1129 may be processed to the extent that the processing of the data is:

(a) Reasonably necessary and proportionate to the purposes listed in sections 87-1126 to 87-1129; and

(b) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in sections 87-1126 to 87-1129.

(2) Personal data collected, used, or retained under subsection (1) of section 87-1127 shall, where applicable, take into account the nature and purpose of such collection, use, or retention. The personal data described by this subsection is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.

(3) A controller that processes personal data under an exemption in sections 87-1126 to 87-1129 bears the burden of demonstrating that the processing of the personal data qualifies for the exemption and complies with the requirements of subsections (1) and (2) of this section.

(4) The processing of personal data by an entity for the purposes described by section 87-1126 does not solely make the entity a controller with respect to the processing of the data.

The Data Privacy Act supersedes and preempts any ordinance, resolution, rule, or other regulation adopted by a political subdivision regarding the processing of personal data by a controller or processor.

In this chapter:

I. “Affiliate” means a legal entity that shares common branding with another legal entity, or is controlled by, or is under common control with, another legal entity.

II. “Control” or “Controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or, the power to exercise controlling influence over the management of a company.

III. “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under RSA 507-H:4, I(a)-(d) is being made by, or on behalf of, the consumer who is entitled to exercise such consumer rights with respect to the personal data at issue.

IV. “Biometric data” means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns, or characteristics that are used to identify a specific individual. “Biometric data” does not include a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

V. “Business associate” has the same meaning as provided in the Health Insurance Portability and Accountability Act (HIPAA).

VI. “Child” has the same meaning as provided in the Children's Online Privacy Protection Act (COPPA).

VII. “Consent” means a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action. “Consent” does not include acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing or closing a given piece of content; or, an agreement obtained through the use of deceptive design patterns (also known as “dark patterns”).

VIII. “Consumer” means an individual who is a resident of this state. “Consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.

IX. “Controller” means an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.

X. “COPPA” means the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq., and any amendments, regulations, rules, guidance and exemptions adopted under that act.

XI. “Covered entity” has the same meaning as provided in HIPAA.

XII. “Dark pattern” or “deceptive design pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, and includes, but is not limited to, any practice the Federal Trade Commission refers to as a “dark pattern”.

XIII. “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services or access to essential goods or services.

XIV. “De-identified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual, if the controller that possesses such data takes reasonable measures to ensure that such data cannot be associated with an individual; publicly commits to process such data only in a de-identified way and not attempt to re-identify such data; and, contractually obligates any recipients of such data to satisfy the criteria under this paragraph.

XV. “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d et seq., as amended.

XVI. “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.

XVII. “Institution of higher education” means any individual who, or school, board, association, limited liability company or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.

XVIII. “Nonprofit organization” means any organization that is exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12)1 of the Internal Revenue Code of 1986, or any subsequent corresponding internal revenue code of the United States, as amended.

XIX. “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified data or publicly available information.

XX. “Precise geolocation data” means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

XXI. “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.

XXII. “Processor” means an individual who, or legal entity that, processes personal data on behalf of a controller.

XXIII. “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

XXIV. “Protected health information” has the same meaning as provided in HIPAA.

XXV. “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

XXVI. “Publicly available information” means information that is lawfully made available through federal, state, municipal government records, or widely distributed media, and a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.

XXVII. “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. “Sale of personal data” does not include:

(a) The disclosure of personal data to a processor that processes the personal data on behalf of the controller;

(b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

(c) The disclosure or transfer of personal data to an affiliate of the controller;

(d) The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;

(e) The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience; or,

(f) The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller's assets.

XXVII-a. “Secure and reliable means” are methods, systems, technologies, or processes that are designed to reasonably ensure the protection, integrity, and confidentiality of data or information, and consistently function in a dependable manner. They include, but are not limited to encryption protocols, authentication mechanisms, access controls, redundant systems, and other measures designed to safeguard personal data and ensure consistent performance and reasonable and appropriate physical, technical, organizational, and administrative measures to safeguard and keep personal data confidential.

XXVIII. “Sensitive data” means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or, precise geolocation data.

XXIX. “Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet websites or online applications to predict such consumer's preferences or interests. “Targeted advertising” does not include:

(a) Advertisements based on activities within a controller's own Internet websites or online applications;

(b) Advertisements based on the context of a consumer's current search query, visit to an Internet website, or online application;

(c) Advertisements directed to a consumer in response to the consumer's request for information or feedback; or,

(d) Processing personal data solely to measure or report advertising frequency, performance, or reach.

XXX. “Third-party” means an individual or legal entity, such as a public authority, agency, or body, other than the consumer, controller, or processor, or an affiliate of the processor or the controller.

I. This chapter applies to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state that during a one year period:

(a) Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(b) Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

II. The secretary of state shall notice and post a link to RSA 507-H on the secretary of state’s website.

I. This chapter shall not apply to any:

(a) Body, authority, board, bureau, commission, district or agency of this state or of any political subdivision of this state;

(b) Nonprofit organization;

(c) Institution of higher education;

(d) National securities association that is registered under 15 U.S.C. section 78o-3 of the Securities Exchange Act of 1934, as amended;

(e) Financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq.; or,

(f) A covered entity or business associate, as defined in 45 C.F.R. 160.103.(b).

II. The following information and data shall be exempt from this chapter:

(a) Protected health information under HIPAA;

(b) Patient-identifying information for purposes of 42 U.S.C. section 290dd-2;

(c) Identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. 46;

(d) Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use;

(e) The protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, or personal data used or shared in research, as defined in 45 C.F.R. 164.501, that is conducted in accordance with the standards set forth in this chapter, or other research conducted in accordance with applicable law;

(f) Information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101 et seq.;

(g) Patient safety work product for purposes of the Patient Safety and Quality Improvement Act, 42 U.S.C. 299b-21 et seq., as amended;

(h) Information derived from any of the health care related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;

(i) Information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this section that is maintained by a covered entity or business associate, program or qualified service organization, as specified in 42 U.S.C. 290dd-2, as amended;

(j) Information used for public health activities and purposes as authorized by HIPAA, community health activities and population health activities;

(k) The collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency, furnisher or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.;

(l) Personal data collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq., as amended;

(m) Personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g et seq., as amended;

(n) Personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act, 12 U.S.C. 2001 et seq., as amended;

(o) Data processed or maintained in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role; as the emergency contact information of an individual under this chapter used for emergency contact purposes; or, that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under HIPPA and used for the purposes of administering such benefits;

(p) Personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. 40101 et seq., as amended, by an air carrier subject to the act, to the extent this chapter is preempted by the Airline Deregulation Act, 49 U.S.C. 41713, as amended;

(q) Personal information maintained or used for purposes of compliance with the regulation of listed chemicals under the federal Controlled Substances Act, 21 U.S.C. section 830; and

(r) Information included in a limited data set as described at 45 C.F.R. 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified at 45 C.F.R. 164.514(e).

III. Controllers and processors that comply with the verifiable parental consent requirements of COPPA shall be compliant with any obligation to obtain parental consent pursuant to this chapter.

I. A consumer shall have the right to:

(a) Confirm whether or not a controller is processing the consumer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret;

(b) Correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;

(c) Delete personal data provided by, or obtained about, the consumer;

(d) Obtain a copy of the consumer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret; and

(e) Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, except as provided in RSA 507-H:6, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

II. A consumer may exercise rights under this section by any secure and reliable means described to the consumer in the controller's privacy notice. A consumer may designate an authorized agent in accordance with RSA 507-H:5 to exercise the rights of such consumer to opt-out of the processing of such consumer's personal data for purposes of RSA 507-H:4, III(e) on behalf of the consumer. In the case of processing personal data of a known child, the parent or legal guardian may exercise such consumer rights on the child's behalf. In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the consumer may exercise such rights on the consumer's behalf.

III. Except as otherwise provided in this chapter, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this chapter as follows:

(a) A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request. The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer's requests, provided the controller informs the consumer of any such extension within the initial 45-day response period and of the reason for the extension.

(b) If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

(c) Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any twelve-month period. If requests from a consumer are manifestly unfounded, excessive or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request.

(d) If a controller is unable to authenticate a request to exercise any of the rights afforded under RSA 507-H:4, I(a)-(d) using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise such right or rights until such consumer provides additional information reasonably necessary to authenticate such consumer and such consumer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request.

(e) A controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to RSA 507-H:4, I(c) by retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the controller's records and not using such retained data for any other purpose pursuant to this chapter, or opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant this chapter.

IV. A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.

A consumer may designate another person to serve as the consumer's authorized agent, and act on such consumer's behalf, to opt-out of the processing of such consumer's personal data for one or more of the purposes specified in RSA 507-H:4, I(e). The consumer may designate such authorized agent by way of, among other things, a technology, including, but not limited to, an Internet link or a browser setting, browser extension or global device setting, indicating such consumer's intent to opt-out of such processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on such consumer's behalf.

I. A controller shall:

(a) Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;

(b) Except as otherwise provided in this chapter, not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;

(c) Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue;

(d) Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;

(e) Not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers;

(f) Provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and

(g) Not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and wilfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.

II. Nothing in this section shall be construed to require a controller to provide a product or service that requires the personal data of a consumer which the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.

III. A controller shall provide consumers with a clear and meaningful privacy notice in a reasonably accessible format. The controller may make the notice available online, on accompanying mobile applications, or on a device through which consumers regularly interact with the controller, if applicable. Said notice shall also be reasonably accessible to consumers with disabilities, including through the use of digital accessibility tools. The notice must include the following:

(a) The categories of personal data processed by the controller;

(b) The purpose for processing personal data;

(c) How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request;

(d) The categories of personal data that the controller shares with third parties, if any;

(e) The categories of third-parties, if any, with which the controller shares personal data;

(f) An active electronic mail address or other online mechanism that the consumer may use to contact the controller; and

(g) The date the privacy notice was last updated.

IV. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing.

V. (a) A controller shall establish, and shall describe in the privacy notice required by paragraph III, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this chapter. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to verify the identity of the consumer making the request. A controller shall not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account. Any such means shall include:

(1)(A) Providing a clear and conspicuous link on the controller's Internet website to an Internet webpage that enables a consumer, or an agent of the consumer, to opt-out of the targeted advertising or sale of the consumer's personal data; and

(B) Not later than January 1, 2025, allowing a consumer to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with such consumer's consent, by a platform, technology, or mechanism to the controller indicating such consumer's intent to opt-out of any such processing or sale. Such platform, technology, or mechanism shall:

(i) Not unfairly disadvantage another controller;

(ii) Not make use of a default setting, but, rather, require the consumer to make an affirmative, freely given, and unambiguous choice to opt-out of any processing of such consumer's personal data pursuant to this chapter;

(iii) Be consumer-friendly and easy to use by the average consumer;

(iv) Be as consistent as possible with any other similar platform, technology or mechanism required by any federal or state law or regulation; and

(v) Enable the controller to accurately determine whether the consumer is a resident of this state and whether the consumer has made a legitimate request to opt-out of any sale of such consumer's personal data or targeted advertising.

(2) If a consumer's decision to opt-out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data, through an opt-out preference signal sent in accordance with RSA 507-H:6, V(a)(1)(A) conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller shall comply with such consumer's opt-out preference signal, but may notify such consumer of such conflict and provide to such consumer the choice to confirm such controller-specific privacy setting or participation in such program.

(b) If a controller responds to consumer opt-out requests received pursuant to RSA 507-H:6, V(a)(1) by informing the consumer of a charge for the use of any product or service, the controller shall present the terms of any financial incentive offered pursuant to 507-H:6, II for the retention, use, sale or sharing of the consumer's personal data.

I. A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations under this chapter. Such assistance shall include:

(a) Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests;

(b) Taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security or of the system of the processor, in order to meet the controller's obligations; and

(c) Providing necessary information to enable the controller to conduct and document data protection assessments.

II. A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor:

(a) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

(b) At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

(c) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this chapter;

(d) After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and

(e) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this chapter, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.

III. Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship, as described in this chapter.

IV. Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A person who is not limited in such person's processing of personal data pursuant to a controller's instructions, or who fails to adhere to such instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under RSA 507-H:11.

I. A controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer. For the purposes of this section, processing that presents a heightened risk of harm to a consumer includes:

(a) The processing of personal data for the purposes of targeted advertising;

(b) The sale of personal data;

(c) The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers, financial, physical or reputational injury to consumers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or other substantial injury to consumers; and

(d) The processing of sensitive data.

II. Data protection assessments conducted pursuant to RSA 507-H:8, I shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The controller shall factor into any such data protection assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.

III. The attorney general may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in this chapter. Data protection assessments shall be confidential and shall be exempt from disclosure under RSA 91-A. To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection.

IV. A single data protection assessment may address a comparable set of processing operations that include similar activities.

V. If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.

VI. Data protection assessment requirements shall apply to processing activities created or generated after July 1, 2024, and are not retroactive.

I. Any controller in possession of de-identified data shall:

(a) Take reasonable measures to ensure that the data cannot be associated with an individual;

(b) Publicly commit to maintaining and using de-identified data without attempting to reidentify the data; and

(c) Contractually obligate any recipients of the deidentified data to comply with all provisions of this chapter.

II. Nothing in this chapter shall be construed to:

(a) Require a controller or processor to re-identify de-identified data or pseudonymous data; or

(b) Maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

III. Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated consumer rights request if the controller:

(a) Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;

(b) Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and

(c) Does not sell the personal data to any third-party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.

IV. The rights afforded under RSA 507-H:4, I(a)-(d) shall not apply to pseudonymized data in cases where the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

V. A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

I. Nothing in this chapter shall be construed to restrict a controller's or processor's ability to:

(a) Comply with federal, state or municipal ordinances or regulations;

(b) Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities;

(c) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations;

(d) Investigate, establish, exercise, prepare for or defend legal claims;

(e) Provide a product or service specifically requested by a consumer;

(f) Perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;

(g) Take steps at the request of a consumer prior to entering into a contract;

(h) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis;

(i) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action;

(j) Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine;

(1) Whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;

(2) The expected benefits of the research outweigh the privacy risks; and

(3) Whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification;

(k) Assist another controller, processor, or third-party with any of the obligations under this chapter; or

(l) Process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that such processing is:

(1) Subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and

(2) Under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.

II. The obligations imposed on controllers or processors under this chapter shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to:

(a) Conduct internal research to develop, improve, or repair products, services, or technology;

(b) Effectuate a product recall;

(c) Identify and repair technical errors that impair existing or intended functionality; or

(d) Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

III. The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with said sections would violate an evidentiary privilege under the laws of this state. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.

IV. A controller or processor that discloses personal data to a processor or third-party controller in accordance with this chapter shall not be deemed to have violated said sections if the processor or third-party controller that receives and processes such personal data violates said sections, provided, at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data.

V. Nothing in this chapter shall be construed to:

(a) Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution; or

(b) Apply to any person's processing of personal data in the course of such person's purely personal or household activities.

VI. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is:

(a) Reasonably necessary and proportionate to the purposes listed in this section; and

(b) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained under RSA 507-H:10, I(b), where applicable, take into account the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use or retention of personal data.

VII. If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in RSA 507-H:10, VI.

VIII. Processing personal data for the purposes expressly identified in this section shall not solely make a legal entity a controller with respect to such processing.

I. The attorney general shall have exclusive authority to enforce violations under this chapter.

II. During the period beginning January 1, 2025 and ending December 31, 2025, the attorney general shall, and following said period the attorney general may, prior to initiating any action for a violation under this chapter, issue a notice of violation to the controller if the attorney general determines that a cure is possible. If the controller fails to cure such violation within 60 days of receipt of the notice of violation, the attorney general may bring an action pursuant to this section.

III. Beginning January 1, 2026, in determining whether to grant a controller or processor the opportunity to cure an alleged violation described under this chapter, the attorney general may consider:

(1) The number of violations;

(2) The size and complexity of the controller or processor;

(3) The nature and extent of the controller's or processor's processing activities;

(4) The substantial likelihood of injury to the public;

(5) The safety of persons or property; and

(6) Whether such alleged violation was likely caused by human or technical error.

IV. Nothing in this chapter shall be construed as providing the basis for, or be subject to, a private right of action for violations under this chapter or any other law.

V. A violation under this chapter shall constitute an unfair method of competition or any unfair or deceptive act or practice in the conduct of any trade or commerce within this state under RSA 358-A:2 and shall be enforced by the attorney general.

An individual or entity covered by this chapter and other law regarding third party providers of information and services is required to comply with both chapters, provided, however, that to the extent there is a direct conflict between the 2 chapters which precludes compliance with both statutes, the individual or entity shall comply with the statute that provides the greater measure of privacy protection to individuals. For purposes of this section, an “opt in” procedure for an individual to grant consent for the disclosure of personal information shall be deemed to provide a greater measure of protection of privacy than the “opt out” procedure established under this chapter.

“Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity. For the purposes of this definition, “control” means: the ownership of or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company; the control in any manner over the election of a majority of the directors or individuals exercising similar functions; or the power to exercise a controlling influence over the management or policies of a company.

“Biometric data” means data generated by automatic or technological processing, measurements, or analysis of an individual's biological, physical, or behavioral characteristics, including, but not limited to, fingerprint, voiceprint, eye retinas, irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics that are used or intended to be used, singularly or in combination with each other or with other personal data, to identify a specific individual. “Biometric data” shall not include: a digital or physical photograph; an audio or video recording; or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

“Child” shall have the same meaning as provided in COPPA.

“Consent” means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action. “Consent shall not include: acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; hovering over, muting, pausing, or closing a given piece of content; or agreement obtained through the use of dark patterns.

“Consumer” means an identified person who is a resident of this State acting only in an individual or household context. “Consumer” shall not include a person acting in a commercial or employment context.

“Controller” means an individual, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.

“COPPA” means the federal Children's Online Privacy Protection Act, 15 U.S.C. s.6501 et seq., and any rules, regulations, guidelines, and exceptions thereto, as may be amended from time to time.

“Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, and includes, but is not limited to, any practice the United States Federal Trade Commission refers to as a “dark pattern.”

“Decisions that produce legal or similarly significant effects concerning the consumer” means decisions that result in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods and services.

“De-identified data” means: data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data: (1) takes reasonable measures to ensure that the data cannot be associated with an individual, (2) publicly commits to maintain and use the data only in a de-identified fashion and not to attempt to re-identify the data, and (3) contractually obligates any recipients of the information to comply with the requirements of this paragraph.

“Designated request address” means an electronic mail address, Internet website, or toll-free telephone number that a consumer may use to request the information required to be provided pursuant to section 3 of P.L.2023, c. 266 (C.56:8-166.6).

“Personal data” means any information that is linked or reasonably linkable to an identified or identifiable person. “Personal data” shall not include de-identified data or publicly available information.

“Precise geolocation data” means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

“Process” or “processing” means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data, and also includes the actions of a controller directing a processor to process personal data.

“Processor” means a person, private entity, public entity, agency, or other entity that processes personal data on behalf of the controller.

“Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

“Publicly available information” means information that is lawfully made available from federal, State, or local government records or widely distributed media or information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public and has not restricted to a specific audience.

“Sale” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. “Sale” shall not include:

The disclosure of personal data to a processor that processes the personal data on the controller's behalf;

The disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;

The disclosure or transfer of personal data to an affiliate of the controller;

The disclosure of personal data that the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience; or

The disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

“Sensitive data” means personal data revealing racial or ethnic origin; religious beliefs; mental or physical health condition, treatment, or diagnosis; financial information, which shall include a consumer's account number, account log-in, financial account, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a consumer's financial account; sex life or sexual orientation; citizenship or immigration status; status as transgender or non-binary; genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.

“Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer's preferences or interests. “Targeted advertising” shall not include: advertisements based on activities within a controller's own internet websites or online applications; advertisements based on the context of a consumer's current search query, visit to an internet website or online application; advertisements directed to a consumer in response to the consumer's request for information or feedback; or processing personal data solely to measure or report advertising frequency, performance, or reach.

“Third party” means a person, private entity, public entity, agency, or entity other than the consumer, controller, or affiliate or processor of the controller.

“Trade secret” has the same meaning as section 2 of P.L.2011, c. 161 (C.56:15-2).

“Verified request” means the process through which a consumer may submit a request to exercise a right or rights established in P.L.2023, c. 266 (C.56:8-166.4 et seq.), and by which a controller can reasonably authenticate the request and the consumer making the request using commercially reasonable means.

Notwithstanding any State law, rule, regulation, or order to the contrary, the provisions of P.L.2023, c. 266 (C.56:8-166.4 et seq.) shall only apply to controllers that conduct business in the State or produce products or services that are targeted to residents of the State, and that during a calendar year either:

a. control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or

b. control or process the personal data of at least 25,000 consumers and the controller derives revenue, or receives a discount on the price of any goods or services, from the sale of personal data.

a. A controller shall provide to a consumer a reasonably accessible, clear, and meaningful privacy notice that shall include, but may not be limited to:

(1) the categories of the personal data that the controller processes;

(2) the purpose for processing personal data;

(3) the categories of all third parties to which the controller may disclose a consumer's personal data;

(4) the categories of personal data that the controller shares with third parties, if any;

(5) how consumers may exercise their consumer rights, including the controller's contact information and how a consumer may appeal a controller's decision with regard to the consumer's request;

(6) the process by which the controller notifies consumers of material changes to the notification required to be made available pursuant to this subsection, along with the effective date of the notice; and

(7) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.

b. If a controller sells personal data to third parties or processes personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, the controller shall clearly and conspicuously disclose such sale or processing, as well as the manner in which a consumer may exercise the right to opt out of such sale or processing.

c. A controller shall not:

(1) require a consumer to create a new account in order to exercise a right, but may require a consumer to use an existing account to submit a verified request; or

(2) based solely on the exercise of a right and unrelated to feasibility or the value of a service, increase the cost of, or decrease the availability of, the product or service.

a. A controller that receives a verified request from a consumer shall provide a response to the consumer within 45 days of the controller's receipt of the request. The controller may extend the response period by 45 additional days where reasonably necessary, considering the complexity and number of the consumer's requests, provided that the controller informs the consumer of any such extension within the initial 45-day response period and the reason for the extension and shall provide the information for all disclosures of personal data that occurred in the prior 12 months.

b. This section shall not apply to personal data collected prior to the effective date of P.L.2023, c. 266 (C.56:8-166.4 et seq.) unless the controller continues to process such information thereafter.

c. If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

d. Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any twelve-month period. If requests from a consumer are manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

e. If a controller is unable to authenticate a request to exercise any of the rights afforded under section 5 of P.L.2023, c. 266 (C.56:8-166.8) using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise such right or rights until such consumer provides additional information reasonably necessary to authenticate such consumer and such consumer's request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent and that such controller shall not comply with such request.

f. A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Not later than 45 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint.

A controller shall be prohibited from discriminating against a consumer if the consumer chooses to opt out of the processing for sale, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects of the consumer's personal data pursuant to P.L.2023, c. 266 (C.56:8-166.4 et seq.). The provisions of this section shall not prohibit the controller's ability to offer consumers discounts, loyalty programs, or other incentives for the sale of the consumer's personal data, or to provide different services to consumers that are reasonably related to the value of the relevant data, provided that the controller has clearly and conspicuously disclosed to the consumer that the offered discounts, programs, incentives, or services include the sale or processing of personal data that the consumer otherwise has a right to opt out of.

A waiver of the requirements of, or an agreement that does not comply with, the provisions of P.L.2023, c. 266 (C.56:8-166.4 et seq.) shall be void and unenforceable.

a. A consumer shall have the right to:

(1) confirm whether a controller processes the consumer's personal data and accesses such personal data, provided that nothing in this paragraph shall require a controller to provide the data to the consumer in a manner that would reveal the controller's trade secrets;

(2) correct inaccuracies in the consumer's personal data, taking into account the nature of the information and the purposes of the processing of the information;

(3) delete personal data concerning the consumer;

(4) obtain a copy of the consumer's personal data held by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance, provided that nothing in this paragraph shall require a controller to provide the data to the consumer in a manner that would reveal the controller's trade secrets; and

(5) opt out of the processing of personal data for the purposes of (a) targeted advertising; (b) the sale of personal data; or (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

b. A controller that has lawfully obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to this subsection by:

(1) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the controller's records and not using such retained information for any other purpose pursuant to the provisions of P.L.2023, c. 266 (C.56:8-166.4 et seq.); or

(2) deleting such personal data.

a. A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing and sale of the consumer's personal data. A consumer may designate an authorized agent using technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the collection and processing for the purpose of any sale of data or for the purpose of targeted advertising or, when such technology exists, for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. A controller shall comply with an opt-out request received from an authorized agent under this subsection if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.

b. (1) Beginning not later than six months following the effective date of P.L.2023, c. 266 (C.56:8-166.4 et seq.), a controller that processes personal data for purposes of targeted advertising, or the sale of personal data shall allow consumers to exercise the right to opt out of such processing through a user-selected universal opt-out mechanism.

(2) The platform, technology, or mechanism shall:

(a) not permit its manufacturer to unfairly disadvantage another controller;

(b) not make use of a default setting that opts in a consumer to the processing or sale of personal data, unless the controller has determined that the consumer has selected such default setting and the selection clearly represents the consumer's affirmative, freely given, and unambiguous choice to opt into any processing of such consumer's personal data pursuant to P.L.2023, c. 266 (C.56:8-166.4 et seq.);

(c) be consumer-friendly, clearly described, and easy to use by the average consumer;

(d) be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and

(e) enable the controller to accurately determine whether the consumer is a resident of this State and whether the consumer has made a legitimate request to opt out of the processing of personal data for the purposes of any sale of such consumer's personal data or targeted advertising.

c. The Division of Consumer Affairs in the Department of Law and Public Safety may adopt rules and regulations that detail the technical specifications for one or more universal opt-out mechanisms that clearly communicate a consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data pursuant to P.L.2023, c. 266 (C.56:8-166.4 et seq.), including regulations that permit the controller to accurately authenticate the consumer as a resident of this state and determine that the mechanism represents a legitimate request to opt out of the processing of personal data pursuant to P.L.2023, c. 266 (C.56:8-166.4 et seq.). The division may update the rules that detail the technical specifications for the mechanisms from time to time to reflect the means by which consumers interact with controllers.

a. A controller shall:

(1) limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;

(2) except as otherwise provided in P.L.2023, c. 266 (C.56:8-166.4 et seq.), not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;

(3) take reasonable measures to establish, implement, and maintain administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and to secure personal data during both storage and use from unauthorized acquisition. The data security practices shall be appropriate to the volume and nature of the personal data at issue;

(4) not process sensitive data concerning a consumer without first obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without processing such data in accordance with COPPA;

(5) not process personal data in violation of the laws of this State and federal laws that prohibit unlawful discrimination against consumers;

(6) provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request;

(7) not process the personal data of a consumer for purposes of targeted advertising, the sale of the consumer's personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer without the consumer's consent, under circumstances where a controller has actual knowledge, or willfully disregards, that the consumer is at least 13 years of age but younger than 17 years of age;

(8) specify the express purposes for which personal data are processed; and

(9) not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of P.L.2023, c. 266 (C.56:8-166.4 et seq.) that present a heightened risk of harm to a consumer.

b. Data protection assessments shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed. A controller shall make the data protection assessment available to the Division of Consumer Affairs in the Department of Law and Public Safety upon request. The division may evaluate the data protection assessment for compliance with the duties contained in this section and with other laws. Data protection assessments shall be confidential and exempt from public inspection under P.L.1963 c.3 (C.47:1A-1 et al.). The disclosure of a data protection assessment pursuant to a request from the division under this section shall not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information contained in the assessment.

c. For the purposes of this section, “heightened risk” includes:

(1) processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of: unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial or physical injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or other substantial injury to consumers;

(2) selling personal data; and

(3) processing sensitive data.

d. A single data protection assessment may address a comparable set of processing operations that include similar activities.

Nothing in P.L.2023, c. 266 (C.56:8-166.4 et seq.) shall apply to:

a. protected health information collected by a covered entity or business associate subject to the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the “Health Insurance Portability and Accountability Act of 1996,” Pub.L.104-191, and the “Health Information Technology for Economic and Clinical Health Act,” 42 U.S.C. s.17921 et seq.;

b. a financial institution, data, or an affiliate of a financial institution that is subject to Title V of the federal “Gramm-Leach-Bliley Act,” 15 U.S.C. s.6801 et seq., and the rules and implementing regulations promulgated thereunder;

c. the secondary market institutions identified in 15 U.S.C.s.6809(3)(D) and 12 C.F.R. s.1016.3(l)(3)(iii);

d. an insurance institution subject to P.L.1985, c. 179 (C.17:23A-1 et seq.);

e. the sale of a consumer's personal data by the New Jersey Motor Vehicle Commission that is permitted by the federal “Drivers' Privacy Protection Act of 1994,” 18 U.S.C. s.2721 et seq.;

f. personal data collected, processed, sold, or disclosed by a consumer reporting agency, as defined in 15 U.S.C. s.1681a(f), if the collection, processing, sale, or disclosure of the personal data is limited, governed, and collected, maintained, disclosed, sold, communicated, or used only as authorized by the federal “Fair Credit Reporting Act,” 15 U.S.C. s. 1681 et seq., and implementing regulations;

g. any State agency as defined in section 2 of P.L.1971, c. 182 (C.52:13D-13), any political subdivision, and any division, board, bureau, office, commission, or other instrumentality created by a political subdivision; or

h. personal data that is collected, processed, or disclosed, as part of research conducted in accordance with the Federal Policy for the protection of human subjects pursuant to 45 C.F.R. Part 46 or the protection of human subjects pursuant to 21 C.F.R. Parts 50 and 56.

Nothing in P.L.2023, c. 266 (C.56:8-166.4 et seq.) shall require a controller to:

a. re-identify de-identified data;

b. collect, retain, use, link, or combine personal data concerning a consumer that it would not otherwise collect, retain, use, link, or combine in the ordinary course of business.

a. Nothing in P.L.2023, c. 266 (C.56:8-166.4 et seq.) shall be construed to restrict a controller's or processor's ability to:

(1) comply with federal or State law or regulations;

(2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena or summons by federal, State, municipal, or other governmental authorities;

(3) cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, State, or municipal ordinances or regulations;

(4) investigate, establish, exercise, prepare for, or defend legal claims;

(5) provide a product or service specifically requested by a consumer;

(6) perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;

(7) take steps at the request of a consumer prior to entering into a contract;

(8) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis;

(9) prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any such action;

(10) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines, or similar independent oversight entities that determine,

(a) whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller,

(b) the expected benefits of the research outweigh the privacy risks, and

(c) whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification;

(11) assist another controller, processor, or third party with any of the obligations under P.L.2023, c. 266 (C.56:8-166.4 et seq.); or

(12) personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that such processing is

(a) subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed, and

(b) under the responsibility of a professional subject to confidentiality obligations under federal, State, or local law.

b. The obligations imposed on controllers or processors under P.L.2023, c. 266 (C.56:8-166.4 et seq.) shall not restrict a controller's or processor's ability to collect, use or retain data for internal use to:

(1) conduct internal research to develop, improve, or repair products, services, or technology;

(2) effectuate a product recall;

(3) identify and repair technical errors that impair existing or intended functionality; or

(4) perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party. Personal data collected, used, or retained pursuant to this subsection shall, where applicable, take into account the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention of personal data.

c. The obligations imposed on controllers or processors under P.L.2023, c. 266 (C.56:8-166.4 et seq.) shall not apply where compliance by the controller or processor with the provisions of law would violate an evidentiary privilege under the laws of this State. Nothing in P.L.2023, c. 266 (C.56:8-166.4 et seq.) shall be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the State as part of a privileged communication.

d. Personal data that are processed by a controller pursuant to an exception provided by this section:

(1) shall not be processed for any purpose other than a purpose expressly listed in this section; and

(2) shall be processed solely to the extent that the processing is necessary, reasonable, and proportionate to the specific purpose or purposes listed in this section.

e. If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in this section.

f. Processing personal data for the purposes expressly identified in this section shall not solely make a legal entity a controller with respect to such processing if such entity would not otherwise meet the definition of a controller.

a. Controllers and processors shall meet their respective obligations established under P.L.2023, c. 266 (C.56:8-166.4 et seq.).

b. Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations under this act. Taking into account the nature of processing and the information available to the processor, the processor shall assist the controller by:

(1) taking appropriate technical and organizational measures, insofar as possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights under this act;

(2) helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to notification of a breach of the security of the system; and

(3) providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by section 9 of P.L.2023, c. 266 (C.56:8-166.12). The controller and processor are each responsible for only the measures allocated to them.

c. Notwithstanding the instructions of the controller, a processor shall:

(1) ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and

(2) engage a subcontractor pursuant to a written contract in accordance with subsection e. of this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data.

d. Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.

e. Processing by a processor shall be governed by a contract between the controller and the processor that is binding on both parties and that sets forth:

(1) the processing instructions to which the processor is bound, including the nature and purpose of the processing;

(2) the type of personal data subject to the processing, and the duration of the processing;

(3) the requirements imposed by this subsection and subsections c. and d. of this section; and

(4) the following requirements:

(a) At the discretion of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

(b)(i) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this act; and

(ii) The processor shall allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may, with the controller's consent, arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under this act using an appropriate and accepted control standard or framework for the assessment as applicable. The processor shall provide a report of the assessment to the controller upon request.

f. In no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of its role in the processing relationship as defined by P.L.2023, c. 266 (C.56:8-166.4 et seq.).

g. Determining whether a person is acting as a controller or processor with respect to a specific processing of data shall be a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in its processing of personal data pursuant to a controller's instructions, or that fails to adhere to the instructions, shall be deemed a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data shall remain a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, it shall be deemed a controller with respect to the processing.

a. It shall be an unlawful practice and violation of P.L.1960, c. 39 (C.56:8-1 et seq.) for a controller to violate the provisions of P.L.2023, c. 266 (C.56:8-166.4 et seq.).

b. Until the first day of the 18th month next following the effective date of P.L.2023, c. 266 (C.56:8-166.4 et seq.), prior to bringing an enforcement action before an administrative law judge or a court of competent jurisdiction in this State, the Division of Consumer Affairs in the Department of Law and Public Safety shall issue a notice to the controller if a cure is deemed possible. If the operator controller fails to cure the alleged violation of P.L.2023, c. 266 (C.56:8-166.4 et seq.) within 30 days after receiving notice of alleged noncompliance from the division, such enforcement action may be brought.

The Director of the Division of Consumer Affairs in the Department of Law and Public Safety shall promulgate rules and regulations, pursuant to the “Administrative Procedure Act,” P.L.1968, c. 410 (C.52:14B-1 et seq.), necessary to effectuate the purposes of P.L.2023, c. 266 (C.56:8-166.4 et seq.).

The Office of the Attorney General shall have sole and exclusive authority to enforce a violation of P.L.2023, c. 266 (C.56:8-166.4 et seq.). Nothing in P.L.2023, c. 266 (C.56:8-166.4 et seq.) shall be construed as providing the basis for, or subject to, a private right of action for violations of P.L.2023, c. 266 (C.56:8-166.4 et seq.).

(1) “Affiliate” means a person that, directly or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person such that:

(a) The person owns or has the power to vote more than 50 percent of the outstanding shares of any voting class of the other person's securities;

(b) The person has the power to elect or influence the election of a majority of the directors, members or managers of the other person;

(c) The person has the power to direct the management of another person; or

(d) The person is subject to another person's exercise of the powers described in paragraph (a), (b) or (c) of this subsection.

(2) “Authenticate” means to determine, using commercially reasonable methods, whether a consumer with the rights described in ORS 646A.574, or a person acting on behalf of the consumer, is the consumer who has asked to exercise, or is a person who has authority to exercise, any of the consumer's rights.

(3)(a) “Biometric data” means personal data generated by automatic measurements of a consumer's biological characteristics, such as the consumer's fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer.

(b) “Biometric data” does not include:

(A) A photograph recorded digitally or otherwise;

(B) An audio or video recording;

(C) Data from a photograph or from an audio or video recording, unless the data were generated for the purpose of identifying a specific consumer or were used to identify a particular consumer; or

(D) Facial mapping or facial geometry, unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.

(4) “Business associate” has the meaning given that term in 45 C.F.R. 160.103, as in effect on January 1, 2024.

(5) “Child” means an individual under the age of 13.

(6) “Consent” means an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer's freely given, specific, informed and unambiguous assent to another person's act or practice under the following conditions:

(a) The user interface by means of which the consumer performs the act does not have any mechanism that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer's autonomy, decision-making or choice; and

(b) The consumer's inaction does not constitute consent.

(7) “Consumer” means a natural person who resides in this state and acts in any capacity other than in a commercial or employment context.

(8) “Controller” means a person that, alone or jointly with another person, determines the purposes and means for processing personal data.

(9) “Covered entity” has the meaning given that term in 45 C.F.R. 160.103, as in effect on January 1, 2024.

(10) “Decisions that produce legal effects or effects of similar significance” means decisions that result in providing or denying financial or lending services, housing, insurance, enrollment in education or educational opportunity, criminal justice, employment opportunities, health care services or access to essential goods and services.

(11) “Deidentified data” means data that:

(a) Cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or to a device that identifies, is linked to or is reasonably linkable to a consumer; or

(b) Is:

(A) Derived from patient information that was originally created, collected, transmitted or maintained by an entity subject to regulation under the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as in effect on January 1, 2024, or the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. part 46 and in various other deferral regulations, as codified in various sections of the Code of Federal Regulations and as in effect on January 1, 2024; and

(B) Deidentified as provided in 45 C.F.R. 164.514, as in effect on January 1, 2024.

(12) “Device” means electronic equipment designed for a consumer's use that can transmit or receive personal data.

(13)(a) “Personal data” means data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household.

(b) “Personal data” does not include deidentified data or data that:

(A) Is lawfully available through federal, state or local government records or through widely distributed media; or

(B) A controller reasonably has understood to have been lawfully made available to the public by a consumer.

(14) “Process” or “processing” means an action, operation or set of actions or operations that is performed, automatically or otherwise, on personal data or on sets of personal data, such as collecting, using, storing, disclosing, analyzing, deleting or modifying the personal data.

(15) “Processor” means a person that processes personal data on behalf of a controller.

(16) “Profiling” means an automated processing of personal data for the purpose of evaluating, analyzing or predicting an identified or identifiable consumer's economic circumstances, health, personal preferences, interests, reliability, behavior, location or movements.

(17)(a) “Sale” or “sell” means the exchange of personal data for monetary or other valuable consideration by the controller with a third party.

(b) “Sale” or “sell” does not include:

(A) A disclosure of personal data to a processor;

(B) A disclosure of personal data to an affiliate of a controller or to a third party for the purpose of enabling the controller to provide a product or service to a consumer that requested the product or service;

(C) A disclosure or transfer of personal data from a controller to a third party as part of a proposed or completed merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller's assets, including the personal data; or

(D) A disclosure of personal data that occurs because a consumer:

(i) Directs a controller to disclose the personal data;

(ii) Intentionally discloses the personal data in the course of directing a controller to interact with a third party; or

(iii) Intentionally discloses the personal data to the public by means of mass media, if the disclosure is not restricted to a specific audience.

(18)(a) “Sensitive data” means personal data that:

(A) Reveals a consumer's racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status;

(B) Is a child's personal data;

(C) Accurately identifies within a radius of 1,750 feet a consumer's present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or

(D) Is genetic or biometric data.

(b) “Sensitive data” as defined in paragraph (a)(C) of this subsection does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

(19)(a) “Targeted advertising” means advertising that is selected for display to a consumer on the basis of personal data obtained from the consumer's activities over time and across one or more unaffiliated websites or online applications and is used to predict the consumer's preferences or interests.

(b) “Targeted advertising” does not include:

(A) Advertisements that are based on activities within a controller's own websites or online applications;

(B) Advertisements based on the context of a consumer's current search query, visit to a specific website or use of an online application;

(C) Advertisements that are directed to a consumer in response to the consumer's request for information or feedback; or

(D) A processing of personal data solely for the purpose of measuring or reporting an advertisement's frequency, performance or reach.

(20) “Third party” means a person, a public corporation, including the Oregon Health and Science University and the Oregon State Bar, or a public body, as defined in ORS 174.109, other than a consumer, a controller, a processor or an affiliate of a controller or processor.

(1)(a) ORS 646A.570 to 646A.589 apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes:

(A) The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or

(B) The personal data of 25,000 or more consumers, while deriving 25 percent or more of the person's annual gross revenue from selling personal data.

(b) Notwithstanding the threshold numbers specified in paragraph (a)(A) and (B) of this subsection for the application of ORS 646A.570 to 646A.589, and subject to the exemptions set forth in subsections (2) and (3) of this section, ORS 646A.570 to 646A.589 apply to a motor vehicle manufacturer and any affiliate of a motor vehicle manufacturer that controls or processes any personal data obtained from a consumer's use of a motor vehicle or any component of a motor vehicle.

(2) ORS 646A.570 to 646A.589 do not apply to:

(a) A public corporation, including the Oregon Health and Science University and the Oregon State Bar, or a public body, as defined in ORS 174.109;

(b) Protected health information that a covered entity or business associate processes in accordance with, or documents that a covered entity or business associate creates for the purpose of complying with, the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, and regulations promulgated under the Act, as in effect on January 1, 2024;

(c) Information used only for public health activities and purposes described in 45 C.F.R. 164.512, as in effect on January 1, 2024;

(d) Information that identifies a consumer in connection with:

(A) Activities that are subject to the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. part 46 and in various other federal regulations, as in effect on January 1, 2024;

(B) Research on human subjects undertaken in accordance with good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use;

(C) Activities that are subject to the protections provided in 21 C.F.R. parts 50 and 56, as in effect on January 1, 2024; or

(D) Research conducted in accordance with the requirements set forth in subparagraphs (A) to (C) of this paragraph or otherwise in accordance with applicable law;

(e) Patient identifying information, as defined in 42 C.F.R. 2.11, as in effect on January 1, 2024, that is collected and processed in accordance with 42 C.F.R. part 2;

(f) Patient safety work product, as defined in 42 C.F.R. 3.20, as in effect on January 1, 2024, that is created for purposes of improving patient safety under 42 C.F.R. part 3;

(g) Information and documents created for the purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101 et seq., and implementing regulations, both as in effect on January 1, 2024;

(h) Information that originates from, or that is intermingled so as to be indistinguishable from, information described in paragraphs (b) to (g) of this subsection that a covered entity or business associate, or a program of a qualified service organization, as defined in 42 C.F.R. 2.11, as in effect on January 1, 2024, creates, collects, processes, uses or maintains in the same manner as is required under the laws, regulations and guidelines described in paragraphs (b) to (g) of this subsection;

(i) Information processed or maintained solely in connection with, and for the purpose of, enabling:

(A) An individual's employment or application for employment;

(B) An individual's ownership of, or function as a director or officer of, a business entity;

(C) An individual's contractual relationship with a business entity;

(D) An individual's receipt of benefits from an employer, including benefits for the individual's dependents or beneficiaries; or

(E) Notice of an emergency to persons that an individual specifies;

(j) Any activity that involves collecting, maintaining, disclosing, selling, communicating or using information for the purpose of evaluating a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living if done strictly in accordance with the provisions of the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq., as in effect on January 1, 2024, by:

(A) A consumer reporting agency, as defined in 15 U.S.C. 1681a(f), as in effect on January 1, 2024;

(B) A person who furnishes information to a consumer reporting agency under 15 U.S.C. 1681s-2, as in effect on January 1, 2024; or

(C) A person who uses a consumer report as provided in 15 U.S.C. 1681b(a)(3);

(k) Information collected, processed, sold or disclosed under and in accordance with the following federal laws, all as in effect on January 1, 2024:

(A) The Gramm-Leach-Bliley Act, P.L. 106-102, and regulations adopted to implement that Act;

(B) The Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq.;

(C) The Family Educational Rights and Privacy Act, 20 U.S.C. 1232g and regulations adopted to implement that Act; and

(D) The Airline Deregulation Act, P.L. 95-504, only to the extent that an air carrier collects information related to prices, routes or services and only to the extent that the provisions of the Airline Deregulation Act preempt ORS 646A.570 to 646A.589;

(L) A financial institution, as defined in ORS 706.008, or a financial institution's affiliate or subsidiary that is only and directly engaged in financial activities, as described in 12 U.S.C. 1843(k), as in effect on January 1, 2024;

(m) Information that originates from, or is intermingled so as to be indistinguishable from, information described in paragraph (k)(A) of this subsection and that a licensee, as defined in ORS 725.010, collects, processes, uses or maintains in the same manner as is required under the laws and regulations specified in paragraph (k)(A) of this subsection;

(n) An insurer, as defined in ORS 731.106, other than a person that, alone or in combination with another person, establishes and maintains a self-insurance program and that does not otherwise engage in the business of entering into policies of insurance;

(o) An insurance producer, as defined in ORS 731.104;

(p) An insurance consultant, as defined in ORS 744.602;

(q) A person that holds a third party administrator license issued under ORS 744.710;

(r) A nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance; and

(s) Noncommercial activity of:

(A) A publisher, editor, reporter or other person who is connected with or employed by a newspaper, magazine, periodical, newsletter, pamphlet, report or other publication in general circulation;

(B) A radio or television station that holds a license issued by the Federal Communications Commission;

(C) A nonprofit organization that provides programming to radio or television networks; or

(D) An entity that provides an information service, including a press association or wire service.

(3) ORS 646A.570 to 646A.589 do not prohibit a controller or processor from:

(a) Complying with federal, state or local statutes, ordinances, rules or regulations;

(b) Complying with a federal, state or local governmental inquiry, investigation, subpoena or summons related to a civil, criminal or administrative proceeding;

(c) Cooperating with a law enforcement agency concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or local statutes, ordinances, rules or regulations;

(d) Investigating, establishing, initiating or defending legal claims;

(e) Preventing, detecting, protecting against or responding to, and investigating, reporting or prosecuting persons responsible for, security incidents, identity theft, fraud, harassment or malicious, deceptive or illegal activity or preserving the integrity or security of systems;

(f) Identifying and repairing technical errors in a controller's or processor's information systems that impair existing or intended functionality;

(g) Providing a product or service that a consumer specifically requests from the controller or processor or requests as the parent or guardian of a child on the child's behalf or as the guardian or conservator of a person subject to a guardianship, conservatorship or other protective arrangement on the person's behalf;

(h) Negotiating, entering into or performing a contract with a consumer, including fulfilling the terms of a written warranty;

(i) Protecting any person's health and safety;

(j) Effectuating a product recall;

(k) Conducting internal research to develop, improve or repair products, services or technology;

(L) Performing internal operations that are reasonably aligned with a consumer's expectations, that the consumer may reasonably anticipate based on the consumer's existing relationship with the controller or that are otherwise compatible with processing data for the purpose of providing a product or service the consumer specifically requested or for the purpose of performing a contract to which the consumer is a party; or

(m) Assisting another controller or processor with any of the activities set forth in this subsection.

(4) ORS 646A.570 to 646A.589 do not apply to the extent that a controller's or processor's compliance with ORS 646A.570 to 646A.589 would violate an evidentiary privilege under the laws of this state. Notwithstanding the provisions of ORS 646A.570 to 646A.589, a controller or processor may provide personal data about a consumer in a privileged communication to a person that is covered by an evidentiary privilege under the laws of this state.

(5) A controller may process personal data in accordance with subsection (3) of this section only to the extent that the processing is adequate and reasonably necessary for, relevant to, proportionate in relation to and limited to the purposes set forth in this section.

(6) Collection, use and retention of personal data under subsection (3)(e) and (f) of this section must, where applicable, take into account the nature and purpose of the collection, use or retention. The personal data must be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and security of the personal data and reduce reasonably foreseeable risks of harm to consumers from the collection, use or retention.

(7) A controller that claims that the controller's processing of personal data is exempt under subsection (3) of this section has the burden of demonstrating that the controller's processing qualifies for the exemption and complies with the requirements of subsections (5) and (6) of this section.

(1) Subject to ORS 646A.576, a consumer may:

(a) Obtain from a controller:

(A) Confirmation as to whether the controller is processing or has processed the consumer's personal data and the categories of personal data the controller is processing or has processed;

(B) At the controller's option, a list of specific third parties, other than natural persons, to which the controller has disclosed:

(i) The consumer's personal data; or

(ii) Any personal data; and

(C) A copy of all of the consumer's personal data that the controller has processed or is processing;

(b) Require a controller to correct inaccuracies in personal data about the consumer, taking into account the nature of the personal data and the controller's purpose for processing the personal data;

(c) Require a controller to delete personal data about the consumer, including personal data the consumer provided to the controller, personal data the controller obtained from another source and derived data; or

(d) Opt out from a controller's processing of personal data of the consumer that the controller processes for any of the following purposes:

(A) Targeted advertising;

(B) Selling the personal data; or

(C) Profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance.

(2) A controller that provides a copy of personal data to a consumer under subsection (1)(a)(C) of this section shall provide the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another person without hindrance.

(3) This section does not require a controller to disclose the controller's trade secrets, as defined in ORS 646.461.

(1) A consumer may exercise the rights described in ORS 646A.574 by submitting a request to a controller using the method that the controller specifies in the privacy notice described in ORS 646A.578.

(2) A controller may not require a consumer to create an account for the purpose described in subsection (1) of this section, but the controller may require the consumer to use an account the consumer created previously.

(3) A parent or legal guardian may exercise the rights described in ORS 646A.574 on behalf of the parent's child or on behalf of a child for whom the guardian has legal responsibility. A guardian or conservator may exercise the rights described in subsection (1) of this section on behalf of a consumer that is subject to a guardianship, conservatorship or other protective arrangement.

(4) A consumer may designate another person to act on the consumer's behalf as the consumer's authorized agent for the purpose of opting out of a controller's processing of the consumer's personal data, as provided in ORS 646A.574 (1)(d). The consumer may designate an authorized agent by means of an internet link, browser setting, browser extension, global device setting or other technology that enables the consumer to opt out of the controller's processing of the consumer's personal data. A controller shall comply with an opt-out request the controller receives from an authorized agent if the controller can verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.

(5) Except as otherwise provided in ORS 646A.570 to 646A.589, in responding to a request under subsection (1) of this section, a controller shall:

(a) Respond to a request from a consumer without undue delay and not later than 45 days after receiving the request. The controller may extend the period within which the controller responds by an additional 45 days if the extension is reasonably necessary to comply with the consumer's request, taking into consideration the complexity of the request and the number of requests the consumer makes. A controller that intends to extend the period for responding shall notify the consumer within the initial 45-day response period and explain the reason for the extension.

(b) Notify the consumer without undue delay and not later than 45 days after receiving the consumer's request if the controller declines to take action on the request. The controller in the notice shall explain the justification for not taking action and include instructions for appealing the controller's decision.

(c) Provide information the consumer requests once during any 12-month period without charge to the consumer. A controller may charge a reasonable fee to cover the administrative costs of complying with a second or subsequent request within the 12-month period, unless the purpose of the second or subsequent request is to verify that the controller corrected inaccuracies in, or deleted, the consumer's personal data in compliance with the consumer's request.

(d) Notify the consumer if the controller cannot, using commercially reasonable methods, authenticate the consumer's request without additional information from the consumer. A controller that sends a notification under this paragraph does not have to comply with the request until the consumer provides the information necessary to authenticate the request.

(e) Comply with a request under ORS 646A.574 (1)(d) to opt out of the controller's processing of the consumer's personal data without requiring authentication, except that:

(A) A controller may ask for additional information necessary to comply with the request, such as information that is necessary to identify the consumer that requested to opt out.

(B) A controller may deny a request to opt out if the controller has a good-faith, reasonable and documented belief that the request is fraudulent. If the controller denies a request under this subparagraph, the controller shall notify the consumer that the controller believes the request is fraudulent, stating in the notice that the controller will not comply with the request.

(6) A controller shall establish a process by means of which a consumer may appeal the controller's refusal to take action on a request under subsection (1) of this section. The controller's process must:

(a) Allow a reasonable period of time after the consumer receives the controller's refusal within which to appeal;

(b) Be conspicuously available to the consumer;

(c) Be similar to the manner in which a consumer must submit a request under subsection (1) of this section; and

(d) Require the controller to approve or deny the appeal within 45 days after the date on which the controller received the appeal and to notify the consumer in writing of the controller's decision and the reasons for the decision. If the controller denies the appeal, the notice must provide or specify information that enables the consumer to contact the Attorney General to submit a complaint.

(7) A controller that obtains personal data about a consumer from a source other than the consumer complies with the consumer's request to delete the personal data if the controller:

(a) Deletes the data but retains a record of the deletion request and a minimal amount of data necessary to ensure that the personal data remains deleted and does not use the minimal data for any other purpose; or

(b) Opts the consumer out of the controller's processing of the consumer's personal data for any purpose other than a purpose that is exempt under ORS 646A.572.

(1) A controller shall:

(a) Specify in the privacy notice described in subsection (4) of this section the express purposes for which the controller is collecting and processing personal data;

(b) Limit the controller's collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the purposes the controller specified in paragraph (a) of this subsection;

(c) Establish, implement and maintain for personal data the same safeguards described in ORS 646A.622 that are required for protecting personal information, as defined in ORS 646A.602, such that the controller's safeguards protect the confidentiality, integrity and accessibility of the personal data to the extent appropriate for the volume and nature of the personal data; and

(d) Provide an effective means by which a consumer may revoke consent a consumer gave under ORS 646A.570 to 646A.589 to the controller's processing of the consumer's personal data. The means must be at least as easy as the means by which the consumer provided consent. Once the consumer revokes consent, the controller shall cease processing the personal data as soon as is practicable, but not later than 15 days after receiving the revocation.

(2) A controller may not:

(a) Process personal data for purposes that are not reasonably necessary for and compatible with the purposes the controller specified in subsection (1)(a) of this section, unless the controller obtains the consumer's consent.

(b) Process sensitive data about a consumer without first obtaining the consumer's consent or, if the controller knows the consumer is a child, without processing the sensitive data in accordance with the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq. and the regulations, rules and guidance adopted under the Act, all as in effect on January 1, 2024.

(c) Process a consumer's personal data for the purposes of targeted advertising or of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance if the controller has actual knowledge that, or willfully disregards whether, the consumer is under 16 years of age.

(d) Sell personal data that:

(A) Pertains to a consumer if the controller has actual knowledge that, or willfully disregards whether, the consumer is under 16 years of age; or

(B) Accurately identifies within a radius of 1,750 feet a consumer's present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates, except that personal data that is not subject to sale under this subparagraph does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

(e) Discriminate against a consumer that exercises a right provided to the consumer under ORS 646A.570 to 646A.589 by means such as denying goods or services, charging different prices or rates for goods or services or providing a different level of quality or selection of goods or services to the consumer.

(3) Subsections (1) and (2) of this section do not:

(a) Require a controller to provide a good or service that requires personal data from a consumer that the controller does not collect or maintain; or

(b) Prohibit a controller from offering a different price, rate, level of quality or selection of goods or services to a consumer, including an offer for no fee or charge, in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discount or club card program.

(4) A controller shall provide to consumers a reasonably accessible, clear and meaningful privacy notice that:

(a) Lists the categories of personal data, including the categories of sensitive data, that the controller processes;

(b) Describes the controller's purposes for processing the personal data;

(c) Describes how a consumer may exercise the consumer's rights under ORS 646A.570 to 646A.589, including how a consumer may appeal a controller's denial of a consumer's request under ORS 646A.576;

(d) Lists all categories of personal data, including the categories of sensitive data, that the controller shares with third parties;

(e) Describes all categories of third parties with which the controller shares personal data at a level of detail that enables the consumer to understand what type of entity each third party is and, to the extent possible, how each third party may process personal data;

(f) Specifies an electronic mail address or other online method by which a consumer can contact the controller that the controller actively monitors;

(g) Identifies the controller, including any business name under which the controller registered with the Secretary of State and any assumed business name that the controller uses in this state;

(h) Provides a clear and conspicuous description of any processing of personal data in which the controller engages for the purpose of targeted advertising or for the purpose of profiling the consumer in furtherance of decisions that produce legal effects or effects of similar significance, and a procedure by which the consumer may opt out of this type of processing; and

(i) Describes the method or methods the controller has established for a consumer to submit a request under ORS 646A.576 (1).

(5) The method or methods described in subsection (4)(i) of this section for submitting a consumer's request to a controller must:

(a) Take into account:

(A) Ways in which consumers normally interact with the controller;

(B) A need for security and reliability in communications related to the request; and

(C) The controller's ability to authenticate the identity of the consumer that makes the request;

(b) Provide a clear and conspicuous link to a webpage where the consumer or an authorized agent may opt out from a controller's processing of the consumer's personal data as described in ORS 646A.574 (1)(d) or, solely if the controller does not have a capacity needed for linking to a webpage, provide another method the consumer can use to opt out; and

(c) Allow a consumer or authorized agent to send a signal to the controller that indicates the consumer's preference to opt out of the sale of personal data or targeted advertising under ORS 646A.574 (1)(d) by means of a platform, technology or mechanism that:

(A) Does not unfairly disadvantage another controller;

(B) Does not use a default setting but instead requires the consumer or authorized agent to make an affirmative, voluntary and unambiguous choice to opt out;

(C) Is consumer friendly and easy for an average consumer to use;

(D) Is as consistent as possible with similar platforms, technologies or mechanisms required under federal or state laws or regulations; and

(E) Enables the controller to accurately determine whether the consumer is a resident of this state and has made a legitimate request under ORS 646A.576 to opt out as described in ORS 646A.574 (1)(d).

(6) If a consumer or authorized agent uses a method described in subsection (5) of this section to opt out of a controller's processing of the consumer's personal data under ORS 646A.574 (1)(d) and the decision conflicts with a consumer's voluntary participation in a bona fide reward, club card or loyalty program or a program that provides premium features or discounts in return for the consumer's consent to the controller's processing of the consumer's personal data, the controller may either comply with the request to opt out or notify the consumer of the conflict and ask the consumer to affirm that the consumer intends to withdraw from the bona fide reward, club card or loyalty program or the program that provides premium features or discounts. If the consumer affirms that the consumer intends to withdraw, the controller shall comply with the request to opt out.

(1) A processor shall adhere to a controller's instructions and shall assist the controller in meeting the controller's obligations under ORS 646A.570 to 646A.589. In assisting the controller, the processor must:

(a) Enable the controller to respond to requests from consumers under ORS 646A.576 by means that take into account how the processor processes personal data and the information available to the processor and that use appropriate technical and organizational measures to the extent reasonably practicable;

(b) Adopt administrative, technical and physical safeguards that are reasonably designed to protect the security and confidentiality of the personal data the processor processes, taking into account how the processor processes the personal data and the information available to the processor; and

(c) Provide information reasonably necessary for the controller to conduct and document data protection assessments.

(2) The processor shall enter into a contract with the controller that governs how the processor processes personal data on the controller's behalf. The contract must:

(a) Be valid and binding on both parties;

(b) Set forth clear instructions for processing data, the nature and purpose of the processing, the type of data that is subject to processing and the duration of the processing;

(c) Specify the rights and obligations of both parties with respect to the subject matter of the contract;

(d) Ensure that each person that processes personal data is subject to a duty of confidentiality with respect to the personal data;

(e) Require the processor to delete the personal data or return the personal data to the controller at the controller's direction or at the end of the provision of services, unless a law requires the processor to retain the personal data;

(f) Require the processor to make available to the controller, at the controller's request, all information the controller needs to verify that the processor has complied with all obligations the processor has under ORS 646A.570 to 646A.589;

(g) Require the processor to enter into a subcontract with a person the processor engages to assist with processing personal data on the controller's behalf and in the subcontract require the subcontractor to meet the processor's obligations under the processor's contract with the controller; and

(h) Allow the controller, the controller's designee or a qualified and independent person the processor engages, in accordance with an appropriate and accepted control standard, framework or procedure, to assess the processor's policies and technical and organizational measures for complying with the processor's obligations under ORS 646A.570 to 646A.589, and require the processor to cooperate with the assessment and, at the controller's request, report the results of the assessment to the controller.

(3) This section does not relieve a controller or processor from any liability that accrues under ORS 646A.570 to 646A.589 as a result of the controller's or processor's actions in processing personal data.

(4)(a) For purposes of determining obligations under ORS 646A.570 to 646A.589, a person is a controller with respect to processing a set of personal data, and is subject to an action under ORS 646A.589 to punish a violation of ORS 646A.570 to 646A.589, if the person:

(A) Does not need to adhere to another person's instructions to process the personal data;

(B) Does not adhere to another person's instructions with respect to processing the personal data when the person is obligated to do so; or

(C) Begins at any point to determine the purposes and means for processing the personal data, alone or in concert with another person.

(b) A determination under this subsection is a fact-based determination that must take account of the context in which a set of personal data is processed.

(c) A processor that adheres to a controller's instructions with respect to a specific processing of personal data remains a processor.

(1)(a) A controller shall conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer.

(b) Processing activities that present a heightened risk of harm to a consumer include:

(A) Processing personal data for the purpose of targeted advertising;

(B) Processing sensitive data;

(C) Selling personal data; and

(D) Using the personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:

(i) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;

(ii) Financial, physical or reputational injury to consumers;

(iii) Physical or other types of intrusion upon a consumer's solitude, seclusion or private affairs or concerns, if the intrusion would be offensive to a reasonable person; or

(iv) Other substantial injury to consumers.

(c) A single data protection assessment may address a comparable set of processing operations that present a similar heightened risk of harm.

(2) A data protection assessment shall identify and weigh how processing personal data may directly or indirectly benefit the controller, the consumer, other stakeholders and the public against potential risks to the consumer, taking into account how safeguards the controller employs can mitigate the risks. In conducting the assessment, the controller shall consider how deidentified data might reduce risks, the reasonable expectations of consumers, the context in which the data is processed and the relationship between the controller and the consumers whose personal data the controller will process.

(3) The Attorney General may require a controller to provide to the Attorney General any data protection assessments the controller has conducted if the data protection assessment is relevant to an investigation the Attorney General conducts under ORS 646A.589. The Attorney General may evaluate a data protection assessment for the controller's compliance with the requirements of ORS 646A.570 to 646A.589. If a data protection assessment the Attorney General obtains under this subsection includes information that is subject to attorney-client privilege or is work product that is subject to a privilege, the controller's provision of the data protection assessment does not waive the privilege.

(4) A data protection assessment that a controller conducts to comply with another applicable law or regulation satisfies the requirements of this section if the data protection assessment is reasonably similar in scope and effect to a data protection assessment conducted under this section.

(5) Requirements that apply to a data protection assessment under this section apply only to processing activities that occur on and after July 1, 2024, and are not retroactive.

(6) A controller shall retain for at least five years all data protection assessments the controller conducts under this section.

(7) A data protection assessment is confidential and is not subject to disclosure under ORS 192.311 to 192.478.

(1)(a) The Attorney General may serve an investigative demand upon any person that possesses, controls or has custody of any information, document or other material that the Attorney General determines is relevant to an investigation of a violation of ORS 646A.570 to 646A.589 or that could lead to a discovery of relevant information. An investigative demand may require the person to:

(A) Appear and testify under oath at the time and place specified in the investigative demand;

(B) Answer written interrogatories; or

(C) Produce relevant documents or physical evidence for examination at the time and place specified in the investigative demand.

(b) The Attorney General shall serve an investigative demand under this section in the manner provided in ORS 646.622. The Attorney General may enforce the investigative demand as provided in ORS 646.626.

(2)(a) An attorney may accompany, represent and advise in confidence a person that appears in response to a demand under subsection (1)(a)(A) of this section. The person may refuse to answer any question on constitutional grounds or on the basis of any other legal right or privilege, including protection against self-incrimination, but must answer any other question that is not subject to the right or privilege. If the person refuses to answer a question on grounds that the answer would be self-incriminating, the Attorney General may compel the person to testify as provided in ORS 136.617.

(b) The Attorney General shall exclude from the place in which the Attorney General conducts an examination under this subsection all persons other than the person the Attorney General is examining, the person's attorney, the officer before which the person gives the testimony and any stenographer recording the testimony.

(3)(a) The Attorney General shall hold in confidence and may not disclose to any person any documents, including data protection assessments, answers to interrogatories and transcripts of oral testimony, except that the Attorney General may disclose the documents to:

(A) The person that provided the documents or the oral testimony;

(B) The attorney or representative of the person that provided the documents or oral testimony;

(C) Persons employed by the Attorney General; or

(D) An official of the United States or of any state who is authorized to enforce federal or state consumer protection laws if the Attorney General first obtains a written agreement from the official in which the official agrees to abide by the confidentiality requirements of this subsection.

(b) The Attorney General may use any of the materials described in paragraph (a) of this subsection in any investigation the Attorney General conducts under this section or in any action or proceeding the Attorney General brings or initiates in a court or before an administrative agency in connection with the investigation.

(4)(a) The Attorney General may bring an action to seek a civil penalty of not more than $7,500 for each violation of ORS 646A.570 to 646A.589 or to enjoin a violation or obtain other equitable relief. The Attorney General shall bring the action in the circuit court for Multnomah County or the circuit court of a county where any part of the violation occurred.

(b) A court may award reasonable attorney fees, expert witness fees and costs of investigation to the Attorney General if the Attorney General prevails in an action under this subsection. The court may award reasonable attorney fees to a defendant that prevails in an action under this subsection if the court finds that the Attorney General had no objectively reasonable basis for asserting the claim or for appealing an adverse decision of the trial court.

(c) The Attorney General shall deposit the proceeds of any recovery under this subsection into the Department of Justice Protection and Education Revolving Account, as provided in ORS 180.095.

(5) The Attorney General shall bring an action under subsection (4) of this section within five years after the date of the last act of a controller that constituted the violation for which the Attorney General seeks relief.

(6) The remedies available to the Attorney General under subsection (4) of this section are in addition to and not in lieu of any other relief available to the Attorney General or another person under other applicable provisions of law. A claim available under another provision of law may be joined to the Attorney General's claim under subsection (4) of this section.

(7) The Attorney General has exclusive authority to enforce the provisions of ORS 646A.570 to 646A.589.

ORS 646A.570 to 646A.589, or any other laws of this state, do not create a private right of action to enforce a violation of ORS 646A.570 to 646A.589.

(1) As used in this section:

(a) “Brokered personal data” means any of the following computerized data elements about a resident individual, if categorized or organized for sale or licensing to another person:

(A) The resident individual's name or the name of a member of the resident individual's immediate family or household;

(B) The resident individual's address or an address for a member of the resident individual's immediate family or household;

(C) The resident individual's date or place of birth;

(D) The maiden name of the resident individual's mother;

(E) Biometric information about the resident individual;

(F) The resident individual's Social Security number or the number of any other government-issued identification for the resident individual; or

(G) Other information that, alone or in combination with other information that is sold or licensed, can reasonably be associated with the resident individual.

(b)(A) “Business entity” means:

(i) A resident individual who regularly engages in commercial activity for the purpose of generating income;

(ii) A corporation or nonprofit corporation, limited liability company, partnership or limited liability partnership, business trust, joint venture or other form of business organization the constituent parts of which share a common economic interest;

(iii) A financial institution, as defined in ORS 706.008; or

(iv) Another person that controls, is controlled by or is under common control with a person described in sub-subparagraphs (ii) and (iii) of this subparagraph.

(B) “Business entity” does not include the state or a state agency, a local government, as defined in ORS 174.116, a public corporation or a business entity or other person during a period in which the business entity or person is acting solely on behalf of and at the direction of the state, a state agency, the local government or a public corporation.

(c)(A) “Data broker” means a business entity or part of a business entity that collects and sells or licenses brokered personal data to another person.

(B) “Data broker” does not include:

(i) A consumer reporting agency, as defined in 15 U.S.C. 1681a(f), a person that furnishes information to a consumer reporting agency, as provided in 15 U.S.C. 1681s-2, or a user of a consumer report, as defined in 15 U.S.C. 1681a(d), to the extent that the consumer reporting agency, the person that furnishes information to a consumer reporting agency or the user of a consumer report engages in activities that are subject to regulation under the federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.;

(ii) A financial institution, an affiliate or a nonaffiliated third party, as those terms are defined in 15 U.S.C. 6809, to the extent that the financial institution, affiliate or nonaffiliated third party engages in activities that are subject to regulation under Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 to 6809, and regulations adopted under Title V of the Gramm-Leach-Bliley Act;

(iii) A business entity that collects information about a resident individual if the resident individual is or was:

(I) A customer, subscriber or user of the business entity's goods or services;

(II) An employee or agent of the business entity or is in a contractual relationship with the business entity;

(III) An investor in the business entity;

(IV) A donor to the business entity; or

(V) In another relationship with the business entity the nature of which is similar to the relationships described in this sub-subparagraph; or

(iv) A business entity that performs services for, acts on behalf of or acts as an agent of a business entity described in sub-subparagraph (iii) of this subparagraph.

(d)(A) “License” means a grant of access to, or distribution of, data by one person to another person in exchange for consideration.

(B) “License” does not include a use of data for the sole benefit of a data provider where the data provider maintains control over the use of the data.

(e) “Resident individual” means a natural person who resides in this state.

(2)(a) Except as provided in paragraph (b) of this subsection, a data broker may not collect, sell or license brokered personal data within this state unless the data broker first registers with the Department of Consumer and Business Services as provided in subsection (3) of this section.

(b) A data broker may collect, sell or license brokered personal data without registering with the department if the collection, sale or licensing involves only:

(A) Providing publicly available information that is related to a resident individual's business or profession;

(B) Providing publicly available information as part of a service that provides alerts for health or safety purposes;

(C) Providing information that is lawfully available from federal, state or local government records;

(D) Publishing, selling, reselling, distributing or providing digital access to journals, books, periodicals, newspapers, magazines, news media or educational, academic or instructional works;

(E) Developing or maintaining an electronic commerce service or software;

(F) Providing directory assistance or directory information services as, or on behalf of, a telecommunications carrier; or

(G) Selling the assets of a business entity or a part of a business entity a single time, or only occasionally, as part of a transfer of control over the assets that is not part of the ordinary conduct of the business entity or a part of the business entity.

(3) To register with the department, a data broker shall:

(a) Submit on a form and in a format the department specifies:

(A) The name of the data broker;

(B) The street address and telephone number of the data broker; and

(C) The data broker's primary website and electronic mail address.

(b) Pay a fee in an amount the department specifies by rule. The department shall set the fee in an amount that is sufficient, when aggregated, to pay the costs of administering the registration program.

(c) Include with the application form a declaration in which the data broker:

(A) States whether resident individuals may opt out of all or a portion of the data broker's collection, sale or licensing of the resident individuals' brokered personal data;

(B) Identifies which of the data broker's activities of collecting, selling or licensing brokered personal data a resident individual may opt out of or which portion of the resident individual's brokered personal data the resident individual may opt out of providing or permitting the data broker to collect, sell or license;

(C) Describes the method by which a resident individual may exercise the choices described in subparagraphs (A) and (B) of this paragraph; and

(D) States whether a resident individual may authorize another person to exercise the choice described in subparagraph (A) of this paragraph on the resident individual's behalf and, if so, how to do so.

(4) If a data broker complies with the requirements set forth in subsection (3) of this section, the department shall approve the registration. A registration under this section is valid until December 31 of the year in which the department approves the registration.

(5) The department may approve and renew a registration under this section by means of an agreement with the Nationwide Multistate Licensing System and may, by rule, conform the practices, procedures and information that the department uses to approve or renew a registration to the requirements of the Nationwide Multistate Licensing System.

(6) The department shall make the information that business entities submit for registration under this section publicly available on or by means of the department's website.

(7)(a) The department may impose a civil penalty:

(A) In an amount that does not exceed $500 for each of a data broker's violations of a requirement under this section or each violation of a rule the department adopted under this section; or

(B) In the case of a continuing violation, in the amount of $500 for each day in which the violation continues.

(b) The total amount of penalties that the department imposes on a data broker may not exceed $10,000 during any calendar year.

(8) The department may adopt rules that are necessary to implement the provisions of this section.

This chapter shall be known and may be cited as the “Rhode Island Data Transparency and Privacy Protection Act”.

As used in this chapter:

(1) “Affiliate” means any entity that shares common branding with another legal entity directly or indirectly, controls, is controlled by, or is under common control with another legal entity. For this purpose, “control” or “controlled” means ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or the power to exercise controlling influence over the management of a company.

(2) “Authenticate” means to use reasonable means to determine that a request to exercise any of the rights afforded under this chapter is being made by, or on behalf of, the customer who is entitled to exercise such customer rights with respect to the personal data at issue.

(3) “Biometric data” means data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. “Biometric data” does not include a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.

(4) “Business associate” has the same meaning as provided in 45 C.F.R. § 160.103.

(5) “Child” has the same meaning as provided in 15 U.S.C. § 6501.

(6) “Consent” means a clear, affirmative act signifying a customer has freely given specific, informed, and unambiguous agreement to allow the processing of personal data relating to the customer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action. “Consent” does not include acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other, unrelated information, hovering over, muting, pausing, or closing a given piece of content, or agreement obtained through the use of dark patterns.

(7) “Controller” means an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.

(8) “COPPA” means the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq., and the regulations, rules, guidance, and exemptions adopted, pursuant to said act, as said act and such regulations, rules, guidance, and exemptions may be amended from time to time.

(9) “Covered entity” has the same meaning as provided in 45 C.F.R. § 160.103.

(10) “Customer” means an individual residing in this state acting in an individual or household context. “Customer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.

(11) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, and includes, but is not limited to, any practice the Federal Trade Commission refers to as a “dark pattern”.

(12) “Decisions that produce legal or similarly significant effects concerning the customer” means decisions made by the controller that result in the provision or denial by the controller of: financial or lending services; housing; insurance; education enrollment or opportunity; criminal justice; employment opportunities; healthcare services; or access to essential goods or services.

(13) “De-identified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual.

(14) “HIPAA” means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as amended from time to time.

(15) “Identified or identifiable individual” means an individual who can be readily identified, directly or indirectly.

(16) “Institution of higher education” means any individual who, or school, board, association, limited liability company, or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.

(17) “Nonprofit organization” means any organization that is exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6), or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding Internal Revenue Code of the United States, as amended from time to time.

(18) “Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

(19) “Precise geolocation data” means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet (1,750′). “Precise geolocation data” does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

(20) “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. “Processor” means an individual who, or legal entity that, processes personal data on behalf of a controller.

(21) “Profiling” means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

(22) “Protected health information” has the same meaning as provided in 42 U.S.C. § 1320d.

(23) “Pseudonymous data” means personal data that cannot be attributed to a specific individual without the use of additional information; provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

(24) “Publicly available information” means information that is lawfully made available through federal, state, or municipal government records or widely distributed media, or a controller has a reasonable basis to believe a customer has lawfully made available to the general public.

(25) “Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. “Sale of personal data” does not include the disclosure of personal data to a processor that processes the personal data on behalf of the controller; the disclosure of personal data to a third party for purposes of providing a product or service requested by the customer; the disclosure or transfer of personal data to an affiliate of the controller; the disclosure of personal data where the customer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, the disclosure of personal data that the customer:

(i) Intentionally made available to the general public via a channel of mass media; and

(ii) Did not restrict to a specific audience, or the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction, in which the third party assumes control of all or part of the controller’s assets.

(26) “Sensitive data” means personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data.

(27) “Targeted advertising” means displaying advertisements to a customer where the advertisement is selected based on personal data obtained or inferred from that customer’s activities over time and across nonaffiliated internet websites or online applications to predict such customer’s preferences or interests. “Targeted advertising” does not include advertisements based on activities within a controller’s own internet websites or online applications, advertisements based on the context of a customer’s current search query, or current visit to an internet website or online application, advertisements directed to a customer in response to the customer’s request for information or feedback, or processing personal data solely to measure or report advertising frequency, performance, or reach.

(28) “Third party” means an individual or legal entity, such as a public authority, agency, or body, other than the customer, controller, or processor, or an affiliate of the processor or of the controller.

(29) “Trade secret” has the same meaning as § 6-41-1.

(a) Any commercial website or internet service provider conducting business in Rhode Island or with customers in Rhode Island or otherwise subject to Rhode Island jurisdiction, shall designate a controller. If a commercial website or internet service provider collects, stores, and sells customers’ personally identifiable information, then the controller shall, in its customer agreement or incorporated addendum, or in another conspicuous location on its website or online service platform where similar notices are customarily posted:

(1) Identify all categories of personal data that the controller collects through the website or online service about customers;

(2) Identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information; and

(3) Identify an active electronic mail address or other online mechanism that the customer may use to contact the controller.

(b) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing.

(c) Nothing in this chapter shall be construed to authorize the collection, storage, or disclosure of information or data that is otherwise prohibited or restricted by state or federal law.

(d) This chapter does not apply to any body, authority, board, bureau, commission, district, or agency of this state, or any political subdivision of this state; nonprofit organization; institution of higher education; national securities association that is registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act of 1934, as amended from time to time; financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; or covered entity or business associate, as defined in 45 C.F.R. § 160.103.

(e) The following information and data are exempt from the provisions of this chapter:

(1) Protected health information under HIPAA;

(2) Patient-identifying information for purposes of 42 U.S.C. § 290dd-2;

(3) Identifiable private information for purposes of the federal policy for the protection of human research subjects under 45 C.F.R. §§ 46.101 through 46.124;

(4) Identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use;

(5) The protection of human subjects under 21 C.F.R. Parts 50 and 56, or personal data used or shared in research, as defined in 45 C.F.R. § 164.501 or other research conducted in accordance with applicable law;

(6) Information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. § 11101 et seq.;

(7) Patient safety work product for purposes of the Patient Safety and Quality Improvement Act, 42 U.S.C. § 299b-21 et seq., as amended from time to time;

(8) Information derived from any of the healthcare-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;

(9) Information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate, program, or qualified service organization, as specified in 42 U.S.C. § 290dd-2, as amended from time to time;

(10) Information used for public health activities and purposes as authorized by HIPAA, community health activities, and population health activities;

(11) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a customer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a customer reporting agency, furnisher, or user that provides information for use in a customer report, and by a user of a customer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., as amended from time to time;

(12) Personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721 et seq., as amended from time to time;

(13) Personal data regulated by the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g et seq., as amended from time to time;

(14) Personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act, 12 U.S.C. § 2001 et seq., as amended from time to time;

(15) Data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role, as the emergency contact information of an individual or that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under this subsection and used for the purposes of administering such benefits; and

(16) Personal data collected, processed, sold, or disclosed in relation to price, route, or service, as such terms are used in the Airline Deregulation Act, 49 U.S.C. § 40101 et seq., as amended from time to time, by an air carrier subject to said act, to the extent subsections (e)(1) to (e)(11), inclusive, of this section are preempted by the Airline Deregulation Act, 49 U.S.C. § 41713, as amended from time to time.

(a) This section shall apply to for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:

(1) Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.

(2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.

(b) The controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

(c) The controller shall not process sensitive data concerning a customer without obtaining customer consent and shall not process sensitive data of a known child unless consent is obtained and the information is processed in accordance with COPPA. Controllers and processors that comply with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) shall be deemed compliant with any obligation to obtain parental consent under this chapter.

(d) The controller shall not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against customers.

(e) The controller shall provide customers with a mechanism to grant and revoke consent where consent is required. Upon receipt of revocation, the controller shall suspend the processing of data as soon as is practicable. The controller shall have no longer than fifteen (15) days from receipt to effectuate the revocation.

(a) This section shall apply to for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:

(1) Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.

(2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.

(b) No controller shall discriminate against a customer for exercising their customer rights.

(c) No controller shall deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods or services to the customer if the customer opts out to use of their data. However, if a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection.

(d) Controllers may provide different prices and levels for goods and services if it is for a bona fide loyalty, rewards, premium features, discount, or club card programs in which customers voluntarily participate.

(e) A customer shall have the right to:

(1) Confirm whether or not a controller is processing the customer’s personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret;

(2) Correct inaccuracies in the customer’s personal data and delete personal data provided by, or obtained about, the customer, taking into account the nature of the personal data and the purposes of the processing of the customer’s personal data;

(3) Obtain a copy of the customer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the customer to transmit the data to another controller without undue delay, where the processing is carried out by automated means; provided such controller shall not be required to reveal any trade secret; and

(4) Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the customer.

(f) A customer may exercise rights under this section by secure and reliable means established by the controller and described to the customer in the controller’s privacy notice. A customer may designate an authorized agent to exercise the rights to opt out on their behalf. In the case of processing personal data of a known child, the parent or legal guardian may exercise such customer rights on the child’s behalf. In the case of processing personal data concerning a customer subject to a guardianship, conservatorship, or other protective arrangement, the guardian or the conservator of the customer may exercise such rights on the customer’s behalf.

(a) This section shall apply to for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:

(1) Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.

(2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.

(b) A controller shall comply with a request by a customer to exercise the customer rights authorized as follows:

(1) A controller shall respond to the customer without undue delay, but not later than forty-five (45) days after receipt of the request. The controller may extend the response period by forty-five (45) additional days when reasonably necessary, considering the complexity and number of the customer’s requests; provided the controller informs the customer of any such extension within the initial forty-five (45) day response period and of the reason for the extension.

(2) If a controller declines to act regarding the customer’s request, the controller shall inform the customer without undue delay, but not later than forty-five (45) days after receipt of the request, of the justification for declining to act and instructions for how to appeal the decision.

(3) Information provided in response to a customer request shall be provided by a controller, free of charge, once per customer during any twelve-month (12) period. If requests from a customer are manifestly unfounded, excessive, or repetitive, the controller may charge the customer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, or repetitive nature of the request.

(4) If a controller is unable to authenticate a request to exercise any of the rights afforded, the controller shall not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the customer that the controller is unable to authenticate the request to exercise such right or rights until such customer provides additional information reasonably necessary to authenticate such customer and such customer’s request to exercise such right or rights. A controller shall not be required to authenticate an opt-out request, but may deny an opt-out request if the controller has reasonable and documented belief that such request is fraudulent. If a controller denies an opt-out request because the controller believes such request is fraudulent, the controller shall send a notice to the person who made such request disclosing that such controller believes such request is fraudulent, why such controller believes such request is fraudulent, and that such controller shall not comply with such request.

(5) A controller that has obtained personal data about a customer from a source other than the customer shall be deemed in compliance with a customer’s request to delete such data by doing the following:

(i) Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the customer’s personal data remains deleted from the controller’s records and not using such retained data for any other purpose pursuant to the provisions of this chapter; or

(ii) Opting the customer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of this chapter.

(6) A controller shall establish a process for a customer to appeal the controller’s refusal to take action on a request within a reasonable period of time after the customer’s receipt of the decision. The appeal process shall be clearly and conspicuously available. Not later than sixty (60) days after receipt of an appeal, a controller shall inform the customer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the customer may submit a complaint to the attorney general.

(7) A customer may designate another person to serve as the customer’s authorized agent and act on such customer’s behalf, to opt out of the processing of such customer’s personal data. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the customer and the authorized agent’s authority to act on the customer’s behalf.

(a) This section shall apply to for-profit entities that conduct business in the state or for-profit entities that produce products or services that are targeted to residents of the state and that during the preceding calendar year did any of the following:

(1) Controlled or processed the personal data of not less than thirty-five thousand (35,000) customers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.

(2) Controlled or processed the personal data of not less than ten thousand (10,000) customers and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.

(b) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller’s obligations of this chapter.

(c) A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data; the nature and purpose of processing; the type of data subject to processing; the duration of processing; and the rights and obligations of both parties. The contract shall also require that the processor:

(1) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

(2) At the controller’s direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;

(3) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations of this chapter;

(4) After providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and

(5) Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor’s policies and technical and organizational measures in support of the obligations of this chapter, using an appropriate and accepted control standard of framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.

(d) Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller’s or processor’s role in the processing relationship. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under § 6-48.1-8.

(e) A controller shall conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a customer. For the purposes of this section, processing that presents a heightened risk of harm to a customer includes:

(1) The processing of personal data for the purposes of targeted advertising;

(2) The sale of personal data;

(3) The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, customers, financial, physical or reputational injury to customers, a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of customers, where such intrusion would be offensive to a reasonable person, or other substantial injury to customers; and

(4) The processing of sensitive data.

(f) The attorney general may require a controller to disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available. The attorney general may evaluate the data protection assessment for compliance with responsibilities of this chapter. Data protection assessments shall be confidential and shall be exempt from disclosure pursuant to chapter 2 of title 38 (“access to public records”). To the extent any information contained in a data protection assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, such disclosure shall not constitute a waiver of such privilege or protection.

(g) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(h) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment shall be deemed to satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.

(i) Data protection assessment requirements shall apply to processing activities created or generated after January 1, 2026, and are not retroactive.

(j) Any controller in possession of de-identified data shall:

(1) Take reasonable measures to ensure that the data cannot be associated with an individual;

(2) Publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and

(3) Contractually obligate any recipients of the de-identified data to comply with all provisions of this chapter.

(k) Nothing in this chapter shall be construed to:

(1) Require a controller or processor to re-identify de-identified data or pseudonymous data; or

(2) Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated customer request with personal data.

(l) Nothing in this chapter shall be construed to require a controller or processor to comply with an authenticated customer rights request if the controller:

(1) Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;

(2) Does not use the personal data to recognize or respond to the specific customer who is the subject of the personal data, or associate the personal data with the other personal data about the same specific customer; and

(3) Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.

(m) The rights afforded under this section, and inclusive of § 6-48.1-5(f), shall not apply to pseudonymous data in cases where the controller is able to demonstrate that any information necessary to identify the customer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

(n) A controller who or that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

(o) This chapter shall not be construed to restrict a controller’s or processor’s ability to:

(1) Comply with federal, state, or municipal ordinances or regulations;

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other governmental authorities;

(3) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or municipal ordinances or regulations;

(4) Investigate, establish, exercise, prepare for, or defend legal claims;

(5) Provide a product or service specifically requested by a customer;

(6) Perform under a contract to which a customer is a party, including fulfilling the terms of a written warranty;

(7) Take steps at the request of a customer prior to entering into a contract;

(8) Take immediate steps to protect an interest that is essential for the life or physical safety of the customer or another individual, and where the processing cannot be manifestly based on another legal basis;

(9) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report, or prosecute those responsible for any such action;

(10) Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines, or similar independent oversight entities that determine, whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller, the expected benefits of the research outweigh the privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification;

(11) Assist another controller, processor, or third party with any of the obligations of this chapter; or

(12) Process personal data for reasons of public interest in the area of public health, community health, or population health, but solely to the extent that such processing is:

(i) Subject to suitable and specific measures to safeguard the rights of the customer whose personal data is being processed, and

(ii) Under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.

(p) The obligations imposed on controllers or processors shall not restrict a controller’s or processor’s ability to collect, use, or retain data for internal use to:

(1) Conduct internal research to develop, improve, or repair products, services, or technology;

(2) Effectuate a product recall;

(3) Identify and repair technical errors that impair existing or intended functionality; or

(4) Perform internal operations that are reasonably aligned with the expectations of the customer or reasonably anticipated based on the customer’s existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a customer or the performance of a contract to which the customer is a party.

(q) A controller or processor who or that discloses personal data to a processor or third-party controller shall not be deemed to have violated this chapter if the processor or third-party controller who or that receives and processes such personal data violates said sections; provided at the time the disclosing controller or processor disclosed such personal data, the disclosing controller or processor did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller or processor in compliance with this chapter is likewise not in violation of said sections for the transgressions of the controller or processor from which such third-party controller or processor receives such personal data.

(r) Nothing in this chapter shall be construed to:

(1) Impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution; or

(2) Apply to any person’s processing of personal data in the course of such person’s purely personal or household activities.

(s) Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer and proportionate to the purposes in this section; and adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used, or retained shall, where applicable, consider the nature and purpose or purposes of such collection, use, or retention. Such data shall be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to customers relating to such collection, use, or retention of personal data.

(t) If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption.

(u) Processing personal data for the purposes expressly identified in this section shall not solely make a legal entity a controller with respect to such processing.

(v) If a customer opts out of data collection, the covered entity is not required to provide a service that requires this data collection.

(a) A violation of this chapter constitutes a violation of the general regulatory provisions of commercial law in this title and shall constitute a deceptive trade practice in violation of chapter 13.1 of this title; provided, further, that in the event that any individual or entity intentionally discloses personal data:

(1) To a shell company or any entity that has been formed or established solely, or in part, for the purposes of circumventing the intent of this chapter; or

(2) In violation of any provision of this chapter, that individual or entity shall pay a fine of not less than one hundred dollars ($100) and no more than five hundred dollars ($500) for each such disclosure.

(b) The attorney general shall have sole enforcement authority of the provisions of this chapter and may enforce a violation of this chapter pursuant to:

(1) The provisions of this section; or

(2) General regulatory provisions of commercial law in this title, or both.

(c) Nothing in this section shall be construed to authorize any private right of action to enforce any provision of this chapter, any regulation hereunder, or any other provisions of law.

Any waiver of the provisions of this chapter shall be void and unenforceable. If any provision of this chapter or its application to any person or circumstance is held invalid by a court of competent jurisdiction, the invalidity shall not affect other provisions of applications of the chapter that can be given effect without the invalid provision or application, and to this end the provisions of the chapter are severable.

(a) Nothing in this chapter shall be deemed to apply in any manner to a financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and its implementing regulations, or to information or data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191.

(b) Nothing in this chapter shall be construed to apply to a contractor, subcontractor, or agent of a state agency or local unit of government when working for that state agency or local unit of government.

(c) Nothing in this chapter shall be construed to apply to any entity recognized as a tax-exempt organization under the Internal Revenue Code.

(d) Nothing in this chapter shall be construed to mandate and/or require the retention or disclosure of any specific individual’s personally identifiable information.

(e) Nothing in this chapter shall prohibit or restrict the dissemination or sale of product sales summaries or statistical information or aggregate customer data that may include personally identifiable information.

(f) Nothing in this chapter shall be construed to apply to any personally identifiable information or any other information collected, used, processed, or disclosed by or for a customer reporting agency as defined by 15 U.S.C. § 1681a(f). Provided, further, nothing in this chapter shall be construed to require any entity to collect, store, or sell personally identifiable information, and furthermore, nothing in this chapter shall be construed to require a controller to provide a good or service that requires the personal data of a customer that the controller does not collect or maintain. This chapter is intended to apply only to covered entities that choose to collect, store, and sell or otherwise transfer or disclose personally identifiable information. The obligations imposed on controllers or processors under this chapter shall not apply where compliance by the controller or processor with this chapter would violate an evidentiary privilege under the law of this state. Nothing in this chapter shall be construed to prevent a controller or processor from providing personal data concerning a customer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.

This part is known and may be cited as the “Tennessee Information Protection Act.”

As used in this part:

(1) “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. As used in this subdivision (1), “control” or “controlled” means:

(A) Ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of a class of voting security of a company;

(B) Control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

(C) The power to exercise controlling influence over the management of a company;

(2) “Authenticate” means to verify using reasonable means that a consumer who is entitled to exercise the rights in § 47–18–3203, is the same consumer who is exercising those consumer rights with respect to the personal information at issue;

(3) “Biometric data”:

(A) Means data generated by automatic measurement of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual; and

(B) Does not include a physical or digital photograph, video recording, or audio recording or data generated from a photograph or video or audio recording; or information collected, used, or stored for healthcare treatment, payment, or operations under HIPAA;

(4) “Business associate” has the same meaning as defined by HIPAA;

(5) “Child” means a natural person younger than thirteen (13) years of age;

(6) “Consent”:

(A) Means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal information relating to the consumer; and

(B) May include a written statement, including a statement written by electronic means, or an unambiguous affirmative action;

(7) “Consumer”:

(A) Means a natural person who is a resident of this state acting only in a personal context; and

(B) Does not include a natural person acting in a commercial or employment context;

(8) “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information;

(9) “Covered entity” has the same meaning as defined by HIPAA;

(10) “Decisions that produce legal or similarly significant effects concerning the consumer” means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to basic necessities, such as food and water;

(11) “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to that individual;

(12) “Health record”:

(A) Means a written, printed, or electronically recorded material that:

(i) Was created or is maintained by a healthcare entity described in or licensed under title 68 in the course of providing healthcare services to an individual; and

(ii) Concerns the individual and the services provided; and

(B) Includes the substance of a communication made by an individual to a healthcare entity described in or licensed under title 68 in confidence during or in connection with the provision of healthcare services or information otherwise acquired by the healthcare entity about an individual in confidence and in connection with the provision of healthcare services to the individual;

(13) “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. § 1320d et seq.);

(14) “Identified or identifiable natural person,” “natural person,” and “individual” mean a human being who can be readily identified, whether directly or indirectly;

(15) “Institution of higher education” means a public or private institution of higher education;

(16) “Nonprofit organization” means:

(A) A corporation organized under the Tennessee Nonprofit Corporation Act, compiled in title 48, chapter 51;

(B) An organization exempt from taxation under the Internal Revenue Code, codified in 26 U.S.C. §§ 501–530;

(C) A public utility organized under the laws of this state; or

(D) An entity owned or controlled by a nonprofit organization;

(17) “Personal information”:

(A) Means information that is linked or reasonably linkable to an identified or identifiable natural person; and

(B) Does not include information that is:

(i) Publicly available information; or

(ii) De–identified or aggregate consumer information;

(18) “Precise geolocation data”:

(A) Means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet (1,750′); and

(B) Does not include:

(i) The content of communications; or

(ii) Data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility;

(19) “Process” or “processing” means an operation or set of operations performed, whether by manual or automated means, on personal information or on sets of personal information, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal information;

(20) “Processor” means a natural or legal entity that processes personal information on behalf of a controller;

(21) “Profiling” means a form of solely automated processing performed on personal information to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

(22) “Protected health information” has the same meaning as defined by HIPAA;

(23) “Pseudonymous data” means personal information that cannot be attributed to a specific natural person without the use of additional information, so long as the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable natural person;

(24) “Publicly available information” means information that is lawfully made available through federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience;

(25) “Sale of personal information”:

(A) Means the exchange of personal information for valuable monetary consideration by the controller to a third party; and

(B) Does not include:

(i) The disclosure of personal information to a processor that processes the personal information on behalf of the controller;

(ii) The disclosure of personal information to a third party for purposes of providing a product or service requested by the consumer;

(iii) The disclosure or transfer of personal information to an affiliate of the controller;

(iv) The disclosure of information that the consumer:

(a) Intentionally made available to the general public via a channel of mass media; and

(b) Did not restrict to a specific audience; or

(v) The disclosure or transfer of personal information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets;

(26) “Sensitive data” means a category of personal information that includes:

(A) Personal information revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;

(B) The processing of genetic or biometric data for the purpose of uniquely identifying a natural person;

(C) The personal information collected from a known child; or

(D) Precise geolocation data;

(27) “State agency” means an agency, institution, board, bureau, commission, council, or instrumentality of state government in the executive branch;

(28) “Targeted advertising”:

(A) Means displaying to a consumer an advertisement that is selected based on personal information obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests; and

(B) Does not include:

(i) Advertisements based on activities within a controller's own websites or online applications;

(ii) Advertisements based on the context of a consumer's current search query, visit to a website, or online application;

(iii) Advertisements directed to a consumer in response to the consumer's request for information or feedback; or

(iv) Personal information processed solely for measuring or reporting advertising performance, reach, or frequency;

(29) “Third party” means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller; and

(30) “Trade secret” means information, without regard to form, including, but not limited to, technical, nontechnical, or financial data, a formula, pattern, compilation, program, device, method, technique, plan, or process, that:

(A) Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from the information's disclosure or use; and

(B) Is the subject of efforts that are reasonable under the circumstances to maintain the information's secrecy.

This part applies to persons that conduct business in this state producing products or services that target residents of this state and that:

(1) Exceed twenty-five million dollars ($25,000,000) in revenue; and

(2)(A) Control or process personal information of at least twenty-five thousand (25,000) consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information; or

(B) During a calendar year, control or process personal information of at least one hundred seventy-five thousand (175,000) consumers.

(a)(1) A consumer may invoke the consumer rights authorized pursuant to subdivision (a)(2) at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke the consumer rights authorized pursuant to subdivision (a)(2) on behalf of the child regarding processing personal information belonging to the known child.

(2) A controller shall comply with an authenticated consumer request to exercise the right to:

(A) Confirm whether a controller is processing the consumer's personal information and to access the personal information;

(B) Correct inaccuracies in the consumer's personal information, taking into account the nature of the personal information and the purposes of the processing of the consumer's personal information;

(C) Delete personal information provided by or obtained about the consumer. A controller is not required to delete information that it maintains or uses as aggregate or de-identified data; provided, that such data in the possession of the controller is not linked to a specific consumer. A controller that obtained personal information about a consumer from a source other than the consumer is in compliance with a consumer's request to delete such personal information by:

(a) Retaining a record of the deletion request and the minimum information necessary for the purpose of ensuring that the consumer's personal information remains deleted from the controller's records; and

(b) Not using such retained personal information for any purpose prohibited under this part; or

(ii) Opting the consumer out of the processing of such personal data for any purpose except for those exempted under this part;

(D) Obtain a copy of the consumer's personal information that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; or

(E) Opt out of a controller's processing of personal information for purposes of:

(i) Selling personal information about the consumer;

(ii) Targeted advertising; or

(iii) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

(b) Except as otherwise provided in this part, a controller shall comply with an authenticated request by a consumer to exercise the consumer rights authorized pursuant to subdivision (a)(2) as follows:

(1) A controller shall respond to the consumer without undue delay, but in all cases within forty-five (45) days of receipt of a request submitted pursuant to subsection (a). The response period may be extended once by forty-five (45) additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five-day response period, together with the reason for the extension;

(2) If a controller declines to take action regarding the consumer's request, then the controller shall inform the consumer without undue delay, but in all cases and at the latest within forty-five (45) days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision pursuant to subsection (c);

(3) Information provided in response to a consumer request must be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, technically infeasible, excessive, or repetitive, then the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, technically infeasible, excessive, or repetitive nature of the request; and

(4) If a controller is unable to authenticate the request using commercially reasonable efforts, then the controller is not required to comply with a request to initiate an action under subsection (a) and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.

(c) A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to subdivision (b)(2). The appeal process must be made available to the consumer in a conspicuous manner, must be available at no cost to the consumer, and must be similar to the process for submitting requests to initiate action pursuant to subsection (a). Within sixty (60) days of receipt of an appeal, a controller shall inform the consumer in writing of action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, then the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general and reporter to submit a complaint.

(a) A controller shall:

(1) Limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer;

(2) Except as otherwise provided in this part, not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;

(3) Establish, implement, and maintain reasonable administrative, technical, and physical data security practices, as described in § 47–18–3213, to protect the confidentiality, integrity, and accessibility of personal information. The data security practices must be appropriate to the volume and nature of the personal information at issue;

(4) Not be required to delete information that it maintains or uses as aggregate or de-identified data, provided that such data in the possession of the business is not linked to a specific consumer;

(5) Not process personal information in violation of state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising the consumer rights contained in this part, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to the consumer. However, this subdivision (a)(5) does not require a controller to provide a product or service that requires the personal information of a consumer that the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the right to opt out pursuant to § 47–18–3203(a)(2)(F) or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program; and

(6) Not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the federal Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) and its implementing regulations.

(b) A provision of a contract or agreement that purports to waive or limit the consumer rights described in § 47–18–3203 is contrary to public policy and is void and unenforceable.

(c) A controller shall provide a reasonably accessible, clear, and meaningful privacy notice that includes:

(1) The categories of personal information processed by the controller;

(2) The purpose for processing personal information;

(3) How consumers may exercise their consumer rights pursuant to § 47–18–3203, including how a consumer may appeal a controller's decision with regard to the consumer's request;

(4) The categories of personal information that the controller sells to third parties, if any; and

(5) The categories of third parties, if any, to whom the controller sells personal information.

(d) If a controller sells personal information to third parties or processes personal information for targeted advertising, then the controller shall clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.

(e)(1) A controller shall provide, and shall describe in a privacy notice, one (1) or more secure and reliable means for a consumer to submit a request to exercise the consumer rights in § 47–18–3203. Such means must take into account the:

(A) Ways in which a consumer normally interacts with the controller;

(B) Need for secure and reliable communication of such requests; and

(C) Ability of a controller to authenticate the identity of the consumer making the request.

(2) A controller shall not require a consumer to create a new account in order to exercise consumer rights in § 47–18–3203, but may require a consumer to use an existing account.

(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under this part. The assistance must include:

(1) Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to § 47–18–3203; and

(2) Providing necessary information to enable the controller to conduct and document data protection assessments pursuant to § 47–18–3206.

(b) A contract between a controller and a processor governs the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract is binding and must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also include requirements that the processor shall:

(1) Ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data;

(2) At the controller's direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law;

(3) Upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in this part;

(4) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under this part using an appropriate and accepted control standard or framework and assessment procedure for the assessments. The processor shall provide a report of each assessment to the controller upon request; and

(5) Engage a subcontractor pursuant to a written contract in that requires the subcontractor to meet the obligations of the processor with respect to the personal information.

(c) This section does not relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as described in subsection (b).

(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal information is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal information remains a processor.

(a) A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal information:

(1) The processing of personal information for purposes of targeted advertising;

(2) The sale of personal information;

(3) The processing of personal information for purposes of profiling, where the profiling presents a reasonably foreseeable risk of:

(A) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;

(B) Financial, physical, or reputational injury to consumers;

(C) A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or

(D) Other substantial injury to consumers;

(4) The processing of sensitive data; and

(5) Processing activities involving personal information that present a heightened risk of harm to consumers.

(b) Data protection assessments conducted pursuant to subsection (a) must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal information will be processed, must be factored into this assessment by the controller.

(c) The attorney general and reporter may request pursuant to a civil investigative demand that a controller disclose a data protection assessment that is relevant to an investigation conducted by the attorney general and reporter, and the controller shall make the data protection assessment available to the attorney general and reporter. The attorney general and reporter may evaluate the data protection assessment for compliance with the responsibilities set forth in § 47–18–3204. Data protection assessments are confidential and not open to public inspection and copying. The disclosure of a data protection assessment pursuant to a request from the attorney general and reporter does not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and information contained in the assessment.

(d) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(e) Data protection assessments conducted by a controller for the purpose of compliance with other laws, rules, or regulations may comply with this section if the assessments have a reasonably comparable scope and effect.

(f) Data protection assessment requirements apply to processing activities created or generated on or after July 1, 2024, and are not retroactive.

(a) The controller in possession of de-identified data shall:

(1) Take reasonable measures to ensure that the data cannot be associated with a natural person;

(2) Publicly commit to maintaining and using de-identified data without attempting to reidentify the data; and

(3) Contractually obligate recipients of the de-identified data to comply with this part.

(b) This section does not require a controller or processor to:

(1) Reidentify de-identified data or pseudonymous data;

(2) Maintain data in identifiable form, or collect, obtain, retain, or access data or technology, in order to be capable of associating an authenticated consumer request with personal information; or

(3) Comply with an authenticated consumer rights request, pursuant to § 47–18–3203, if:

(A) The controller is not reasonably capable of associating the request with the personal information or it would be unreasonably burdensome for the controller to associate the request with the personal information;

(B) The controller does not use the personal information to recognize or respond to the specific consumer who is the subject of the personal information, or associate the personal information with other personal information about the same specific consumer; and

(C) The controller does not sell the personal information to a third party or otherwise voluntarily disclose the personal information to a third party other than a processor, except as otherwise permitted in this section.

(c) The consumer rights contained in §§ 47–18–3203 and 47–18–3204 do not apply to pseudonymous data in cases where the controller is able to demonstrate information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing that information.

(d) A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address breaches of those contractual commitments.

(a) This part does not restrict a controller's or processor's ability to:

(1) Comply with federal, state, or local laws, rules, or regulations;

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;

(3) Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;

(4) Investigate, establish, exercise, prepare for, or defend legal claims;

(5) Provide a product or service specifically requested by a consumer or the parent or legal guardian of a known child, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract;

(6) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis;

(7) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activity, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for such action;

(8) Engage in public- or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entity that determines whether:

(A) Deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;

(B) The expected benefits of the research outweigh the privacy risks; and

(C) The controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including risks associated with reidentification; or

(9) Assist another controller, processor, or third party with the obligations under this part.

(b) The obligations imposed on controllers or processors under this part do not restrict a controller's or processor's ability to collect, use, or retain data to:

(1) Conduct internal research to develop, improve, or repair products, services, or technology;

(2) Effectuate a product recall;

(3) Identify and repair technical errors that impair existing or intended functionality; or

(4) Perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

(c) The obligations imposed on controllers or processors under this part do not apply where compliance by the controller or processor with this part would violate an evidentiary privilege under the laws of this state. This part does not prevent a controller or processor from providing personal information concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.

(d)(1) A controller or processor that discloses personal information to a third-party controller or processor, in compliance with the requirements of this part, is not in violation of this part if:

(A) The third-party controller or processor that receives and processes the personal information is in violation of this part; and

(B) At the time of disclosing the personal information, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.

(2) A third-party controller or processor receiving personal information from a controller or processor in compliance with the requirements of this part is likewise not in violation of this part for the violations of the controller or processor from which it receives such personal information.

(e) This part does not impose an obligation on controllers and processors that adversely affects the rights or freedoms of a person, such as exercising the right of free speech pursuant to the First Amendment to the United States Constitution, or applies to the processing of personal information by a person in the course of a purely personal activity.

(f) A controller shall not process personal information for purposes other than those expressly listed in this section unless otherwise allowed by this part. Personal information processed by a controller pursuant to this section may be processed to the extent that the processing is:

(1) Reasonably necessary and proportionate to the purposes listed in this section; and

(2) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section. Personal information collected, used, or retained pursuant to subsection (b) shall, where applicable, take into account the nature and purpose or purposes of the collection, use, or retention. The data is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal information and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal information.

(g) If a controller processes personal information pursuant to an exemption in this section, then the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with subsection (f).

(h) Processing personal information for the purposes expressly identified in subdivisions (a)(1)–(9) does not solely make an entity a controller with respect to the processing.

If the attorney general and reporter has reasonable cause to believe that an individual, controller, or processor has engaged in, is engaging in, or is about to engage in a violation of this part, then the attorney general and reporter may issue a civil investigative demand.

(a) This part does not apply to:

(1) A body, authority, board, bureau, commission, district, or agency of this state or of a political subdivision of this state;

(2) A financial institution, an affiliate of a financial institution, or data subject to Title V of the federal Gramm–Leach–Bliley Act (15 U.S.C. § 6801 et seq.);

(3) An individual, firm, association, corporation, or other entity that is licensed in this state under title 56 as an insurance company and transacts insurance business;

(4) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States department of health and human services, 45 CFR Parts 160 and 164 established pursuant to HIPAA, and the federal Health Information Technology for Economic and Clinical Health Act (P.L 111–5);

(5) A nonprofit organization;

(6) An institution of higher education;

(7) Protected health information under HIPAA;

(8) Health records for purposes of title 68;

(9) Patient identifying information for purposes of 42 U.S.C. § 290dd–2;

(10) Personal information:

(A) Processed for purposes of:

(i) Research conducted in accordance with the federal policy for the protection of human subjects under 45 CFR Part 46;

(ii) Human subjects research conducted in accordance with good clinical practice guidelines issued by The International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; or

(iii) Research conducted in accordance with the protection of human subjects under 21 CFR Parts 6, 50, and 56; or

(B) Processed or sold in connection with research conducted in accordance with the requirements set forth in this part, or other research conducted in accordance with applicable law;

(11) Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.);

(12) Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b–21 et seq.);

(13) Information that is:

(A) Derived from the healthcare-related information listed in this subsection (a) that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA; or

(B) Included in a limited data set as described in 45 CFR 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified in 45 CFR 164.514(e);

(14) Information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection (a) that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. § 290dd–2;

(15) Information used only for public health activities and purposes as authorized by HIPAA;

(16) The collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.);

(17) Personal information collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.);

(18) Personal information or educational information regulated by the federal Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g et seq.);

(19) Personal information collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.);

(20) Data processed or maintained:

(A) In the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;

(B) As the emergency contact information of an individual under this part used for emergency contact purposes; or

(C) That is necessary to retain to administer benefits for another individual relating to the individual under subdivision (a)(20)(A) and used for the purposes of administering those benefits;

(21) Information collected as part of public- or peer-reviewed scientific or statistical research in the public interest;

(22) An insurance producer licensed under title 56; or

(23) Personal information maintained or used for purposes of compliance with the regulation of listed chemicals under the federal Controlled Substances Act (21 U.S.C. § 830).

(b) Controllers and processors that comply with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act (15 U.S.C. § 6501 et seq.) are deemed compliant with an obligation to obtain parental consent under this part.

(c) This part does not require a controller, processor, third party, or consumer to disclose trade secrets.

(a) A provision of a contract or agreement that waives or limits a consumer's rights under this part, including, but not limited to, a right to a remedy or means of enforcement, is contrary to public policy, void, and unenforceable.

(b) This part does not prevent a consumer from declining to request information from a controller, declining to opt out of a controller's sale of the consumer's personal information, or authorizing a controller to sell the consumer's personal information after previously opting out.

(c) This part applies to contracts entered into, amended, or renewed on or after the effective date of this act.

(a) The attorney general and reporter has exclusive authority to enforce this part.

(b) The attorney general and reporter may develop reasonable cause to believe that a controller or processor is in violation of this part, based on the attorney general and reporter's own inquiry or on consumer or public complaints. Prior to initiating an action under this part, the attorney general and reporter shall provide a controller or processor sixty-days' written notice identifying the specific provisions of this part the attorney general and reporter alleges have been or are being violated. If within the sixty-day period, the controller or processor cures the noticed violation and provides the attorney general and reporter an express written statement that the alleged violations have been cured and that no such further violations shall occur, then the attorney general and reporter shall not initiate an action against the controller or processor.

(c) If a controller or processor continues to violate this part following the cure period in subsection (b) or breaches an express written statement provided to the attorney general and reporter under subsection (b), then the attorney general and reporter may bring an action in a court of competent jurisdiction seeking any of the following relief:

(1) Declaratory judgment that the act or practice violates this chapter;

(2) Injunctive relief, including preliminary and permanent injunctions, to prevent an additional violation of and compel compliance with this part;

(3) Civil penalties, as described in subsection (d);

(4) Reasonable attorney's fees and investigative costs; or

(5) Other relief the court determines appropriate.

(d)(1) A court may impose a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation of this part.

(2) If the court finds the controller or processor willfully or knowingly violated this part, then the court may, in its discretion, award treble damages.

(e) A violation of this part shall not serve as the basis for, or be subject to, a private right of action, including a class action lawsuit, under this part or other law.

(f) The attorney general and reporter may recover reasonable expenses incurred in investigating and preparing a case, including attorney fees, in an action initiated under this part.

(a) A controller or processor has an affirmative defense to a cause of action for a violation of this part if the controller or processor creates, maintains, and complies with a written privacy policy that:

(1)(A) Reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” or other documented policies, standards, and procedures designed to safeguard consumer privacy; and

(B) Is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two (2) years of the publication date stated in the most recent revision to the NIST or comparable privacy framework; and

(2) Provides a person with the substantive rights required by this part.

(b) The scale and scope of a controller or processor's privacy program under subsection (a) is appropriate if it is based on all of the following factors:

(1) The size and complexity of the controller or processor's business;

(2) The nature and scope of the activities of the controller or processor;

(3) The sensitivity of the personal information processed;

(4) The cost and availability of tools to improve privacy protections and data governance; and

(5) Compliance with a comparable state or federal law.

(c)(1) In addition to subsections (a) and (b):

(A) A controller may be certified pursuant to the Asia Pacific Economic Cooperation's Cross Border Privacy Rules system; and

(B) A processor may be certified pursuant to the Asia Pacific Economic Cooperation's Privacy Recognition for Processors system.

(2) Certifications under subdivision (c)(1) may be considered in addition to the factors in subsection (b).

SECTION 3. If a provision of this act or its application to a person or circumstance is held invalid, then the invalidity does not affect other provisions or applications of the act that can be given effect without the invalid provision or application, and to that end, the provisions of this act are severable.

SECTION 4. This act supersedes and preempts any conflicting provisions of any public or private act and laws, ordinances, resolutions, regulations, or the equivalent adopted by a home rule municipality, county, including a metropolitan government, or city regarding the processing of personal data by controllers or processors. To the extent there exists a conflict, this section does not require the home rule municipality, county, or city to adopt any law, ordinance, resolution, regulation, or the equivalent to modify or repeal such conflicting provisions enacted prior to the effective date of this act.

SECTION 5. The headings in this act are for reference purposes only and do not constitute a part of the law enacted by this act. However, the Tennessee Code Commission is requested to include the headings in any compilation or publication containing this act.

SECTION 6. This act takes effect July 1, 2025, the public welfare requiring it.

Approved this 11th day of May, 2023

In this chapter, unless a different meaning is required by the context:

(1)  "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For purposes of this subdivision, "control" or "controlled" means:

(A)  the ownership of, or power to vote, more than 50 percent of the outstanding shares of any class of voting security of a company;

(B)  the control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

(C)  the power to exercise controlling influence over the management of a company.

(2)  "Authenticate" means to verify through reasonable means that the consumer who is entitled to exercise the consumer's rights under Subchapter B is the same consumer exercising those consumer rights with respect to the personal data at issue.

(3)  "Biometric data" means data generated by automatic measurements of an individual's biological characteristics.  The term includes a fingerprint, voiceprint, eye retina or iris, or other unique biological pattern or characteristic that is used to identify a specific individual. The term does not include a physical or digital photograph or data generated from a physical or digital photograph, a video or audio recording or data generated from a video or audio recording, or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).

(4)  "Business associate" has the meaning assigned to the term by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).

(5)  "Child" means an individual younger than 13 years of age.

(6)  "Consent," when referring to a consumer, means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.  The term does not include:

(A)  acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;

(B)  hovering over, muting, pausing, or closing a given piece of content; or

(C)  agreement obtained through the use of dark patterns.

(7)  "Consumer" means an individual who is a resident of this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.

(8)  "Controller" means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.

(9)  "Covered entity" has the meaning assigned to the term by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).

(10)  "Dark pattern" means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice, and includes any practice the Federal Trade Commission refers to as a dark pattern.

(11)  "Decision that produces a legal or similarly significant effect concerning a consumer" means a decision made by the controller that results in the provision or denial by the controller of:

(A)  financial and lending services;

(B)  housing, insurance, or health care services;

(C)  education enrollment;

(D)  employment opportunities;

(E)  criminal justice; or

(F)  access to basic necessities, such as food and water.

(12)  "Deidentified data" means data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to that individual.

(13)  "Health care provider" has the meaning assigned to the term by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).

(14)  "Health record" means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health care services to an individual that concerns the individual and the services provided. The term includes:

(A)  the substance of any communication made by an individual to a health care provider in confidence during or in connection with the provision of health care services; or

(B)  information otherwise acquired by the health care provider about an individual in confidence and in connection with health care services provided to the individual.

(15)  "Identified or identifiable individual" means a consumer who can be readily identified, directly or indirectly.

(16)  "Institution of higher education" means:

(A)  an institution of higher education as defined by Section 61.003, Education Code; or

(B)  a private or independent institution of higher education as defined by Section 61.003, Education Code.

(17)  "Known child" means a child under circumstances where a controller has actual knowledge of, or wilfully disregards, the child's age.

(18)  "Nonprofit organization" means:

(A)  a corporation organized under Chapters 20 and 22, Business Organizations Code, and the provisions of Title 1, Business Organizations Code, to the extent applicable to nonprofit corporations;

(B)  an organization exempt from federal taxation under Section 501(a), Internal Revenue Code of 1986, by being listed as an exempt organization under Section 501(c)(3), 501(c)(6), 501(c)(12), or 501(c)(19) of that code;

(C)  a political organization; or

(D)  an organization that:

(i)  is exempt from federal taxation under Section 501(a), Internal Revenue Code of 1986, by being listed as an exempt organization under Section 501(c)(4) of that code; and

(ii)  is described by Section 701.052(a), Insurance Code.

(19)  "Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.  The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.  The term does not include deidentified data or publicly available information.

(20)  "Political organization" means a party, committee, association, fund, or other organization, regardless of whether incorporated, that is organized and operated primarily for the purpose of influencing or attempting to influence:

(A)  the selection, nomination, election, or appointment of an individual to a federal, state, or local public office or an office in a political organization, regardless of whether the individual is selected, nominated, elected, or appointed; or

(B)  the election of a presidential/vice-presidential elector, regardless of whether the elector is selected, nominated, elected, or appointed.

(21)  "Precise geolocation data" means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.  The term does not include the content of communications or any data generated by or connected to an advanced utility metering infrastructure system or to equipment for use by a utility.

(22)  "Process" or "processing" means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

(23)  "Processor" means a person that processes personal data on behalf of a controller.

(24)  "Profiling" means any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

(25)  "Protected health information" has the meaning assigned to the term by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).

(26)  "Pseudonymous data" means any information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.

(27)  "Publicly available information" means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

(28)  "Sale of personal data" means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party.  The term does not include:

(A)  the  disclosure of personal data to a processor that processes the personal data on the controller's behalf;

(B)  the  disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

(C)  the disclosure or transfer of personal data to an affiliate of the controller;

(D)  the disclosure of information that the consumer:

(i)  intentionally made available to the general public through a mass media channel; and

(ii)  did not restrict to a specific audience; or

(E)  the disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.

(29)  "Sensitive data" means a category of personal data.  The term includes:

(A)  personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status;

(B)  genetic or biometric data that is processed for the purpose of uniquely identifying an individual;

(C)  personal data collected from a known child; or

(D)  precise geolocation data.

(30)  "State agency" means a department, commission, board, office, council, authority, or other agency in any branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education as defined by Section 61.003, Education Code.

(31)  "Targeted advertising" means displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests.  The term does not include:

(A)  an advertisement that:

(i)  is based on activities within a controller's own websites or online applications;

(ii)  is based on the context of a consumer's current search query, visit to a website, or online application; or

(iii)  is directed to a consumer in response to the consumer's request for information or feedback; or

(B)  the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency.

(32)  "Third party" means a person, other than the consumer, the controller, the processor, or an affiliate of the controller or processor.

(33)  "Trade secret" means all forms and types of information, including business, scientific, technical, economic, or engineering information, and any formula, design, prototype, pattern, plan, compilation, program device, program, code, device, method, technique, process, procedure, financial data, or list of actual or potential customers or suppliers, whether tangible or intangible and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if:

(A)  the owner of the trade secret has taken reasonable measures under the circumstances to keep the information secret; and

(B)  the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  This chapter applies only to a person that:

(1)  conducts business in this state or produces a product or service consumed by residents of this state;

(2)  processes or engages in the sale of personal data; and

(3)  is not a small business as defined by the United States Small Business Administration, except to the extent that Section 541.107 applies to a person described by this subdivision.

(b)  This chapter does not apply to:

(1)  a state agency or a political subdivision of this state;

(2)  a financial institution or data subject to Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);

(3)  a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.), and the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5);

(4)  a nonprofit organization;

(5)  an institution of higher education; or

(6)  an electric utility, a power generation company, or a retail electric provider, as those terms are defined by Section 31.002, Utilities Code.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

The following information is exempt from this chapter:

(1)  protected health information under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);

(2)  health records;

(3)  patient identifying information for purposes of 42 U.S.C. Section 290dd-2;

(4)  identifiable private information:

(A)  for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46;

(B)  collected as part of human subjects research under the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH) or of the protection of human subjects under 21 C.F.R. Parts 50 and 56; or

(C)  that is personal data used or shared in research conducted in accordance with the requirements set forth in this chapter or other research conducted in accordance with applicable law;

(5)  information and documents created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. Section 11101 et seq.);

(6)  patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005 (42 U.S.C. Section 299b-21 et seq.);

(7)  information derived from any of the health care-related information listed in this section that is deidentified in accordance with the requirements for deidentification under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);

(8)  information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this section that is maintained by a covered entity or business associate as defined by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.) or by a program or a qualified service organization as defined by 42 U.S.C. Section 290dd-2;

(9)  information that is included in a limited data set as described by 45 C.F.R. Section 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by 45 C.F.R. Section 164.514(e);

(10)  information collected or used only for public health activities and purposes as authorized by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);

(11)  the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.);

(12)  personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994 (18 U.S.C. Section 2721 et seq.);

(13)  personal data regulated by the Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g);

(14)  personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1971 (12 U.S.C. Section 2001 et seq.);

(15)  data processed or maintained in the course of an individual applying to, being employed by, or acting as an agent or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role;

(16)  data processed or maintained  as the emergency contact information of an individual under this chapter that is used for emergency contact purposes; or

(17)  data that is processed or maintained and is necessary to retain to administer benefits for another individual that relates to an individual described by Subdivision (15) and used for the purposes of administering those benefits.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

This chapter does not apply to the processing of personal data by a person in the course of a purely personal or household activity.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

A controller or processor that complies with the verifiable parental consent requirements of the Children's Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.) with respect to data collected online is considered to be in compliance with any requirement to obtain parental consent under this chapter.

(a)  A consumer is entitled to exercise the consumer rights authorized by this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to exercise.  With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child may exercise the consumer rights on behalf of the child.

(b)  A controller shall comply with an authenticated consumer request to exercise the right to:

(1)  confirm whether a controller is processing the consumer's personal data and to access the personal data;

(2)  correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;

(3)  delete personal data provided by or obtained about the consumer;

(4)  if the data is available in a digital format, obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; or

(5)  opt out of the processing of the personal data for purposes of:

(A)  targeted advertising;

(B)  the sale of personal data; or

(C)  profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  Except as otherwise provided by this chapter, a controller shall comply with a request submitted by a consumer to exercise the consumer's rights pursuant to Section 541.051 as provided by this section.

(b)  A controller shall respond to the consumer request without undue delay, which may not be later than the 45th day after the date of receipt of the request.  The controller may extend the response period once by an additional 45 days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial 45-day response period, together with the reason for the extension.

(c)  If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, which may not be later than the 45th day after the date of receipt of the request, of the justification for declining to take action and provide instructions on how to appeal the decision in accordance with Section 541.053.

(d)  A controller shall provide information in response to a consumer request free of charge, at least twice annually per consumer.  If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or may decline to act on the request.  The controller bears the burden of demonstrating for purposes of this subsection that a request is manifestly unfounded, excessive, or repetitive.

(e)  If a controller is unable to authenticate the request using commercially reasonable efforts, the controller is not required to comply with a consumer request submitted under Section 541.051 and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.

(f)  A controller that has obtained personal data about a consumer from a source other than the consumer is considered in compliance with a consumer's request to delete that personal data pursuant to Section 541.051(b)(3) by:

(1)  retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records and not using the retained data for any other purpose under this chapter; or

(2)  opting the consumer out of the processing of that personal data for any purpose other than a purpose that is exempt under the provisions of this chapter.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision under Section 541.052(c).

(b)  The appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under Section 541.051.

(c)  A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section not later than the 60th day after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision.

(d)  If the controller denies an appeal, the controller shall provide the consumer with the online mechanism described by Section 541.152 through which the consumer may contact the attorney general to submit a complaint.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

Any provision of a contract or agreement that waives or limits in any way a consumer right described by Sections 541.051, 541.052, and 541.053 is contrary to public policy and is void and unenforceable.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  A controller shall establish two or more secure and reliable methods to enable consumers to submit a request to exercise their consumer rights under this chapter. The methods must take into account:

(1)  the ways in which consumers normally interact with the controller;

(2)  the necessity for secure and reliable communications of those requests; and

(3)  the ability of the controller to authenticate the identity of the consumer making the request.

(b)  A controller may not require a consumer to create a new account to exercise the consumer's rights under this subchapter but may require a consumer to use an existing account.

(c)  Except as provided by Subsection (d), if the controller maintains an Internet website, the controller must provide a mechanism on the website for consumers to submit requests for information required to be disclosed under this chapter.

(d)  A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal information is only required to provide an e-mail address for the submission of requests described by Subsection (c).

(e)  A consumer may designate another person to serve as the consumer's authorized agent and act on the consumer's behalf to opt out of the processing of the consumer's personal data under Sections 541.051(b)(5)(A) and (B).  A consumer may designate an authorized agent using a technology, including a link to an Internet website, an Internet browser setting or extension, or a global setting on an electronic device, that allows the consumer to indicate the consumer's intent to opt out of the processing.  A controller shall comply with an opt-out request received from an authorized agent under this subsection if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.  A controller is not required to comply with an opt-out request received from an authorized agent under this subsection if:

(1)  the authorized agent does not communicate the request to the controller in a clear and unambiguous manner;

(2)  the controller is not able to verify, with commercially reasonable effort, that the consumer is a resident of this state;

(3)  the controller does not possess the ability to process the request; or

(4)  the controller does not process similar or identical requests the controller receives from consumers for the purpose of complying with similar or identical laws or regulations of another state.

(f)  A technology described by Subsection (e):

(1)  may not unfairly disadvantage another controller;

(2)  may not make use of a default setting, but must require the consumer to make an affirmative, freely given, and unambiguous choice to indicate the consumer's intent to opt out of any processing of a consumer's personal data; and

(3)  must be consumer-friendly and easy to use by the average consumer.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  A controller:

(1)  shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer; and

(2)  for purposes of protecting the confidentiality, integrity, and accessibility of personal data, shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.

(b)  A controller may not:

(1)  except as otherwise provided by this chapter, process personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;

(2)  process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers;

(3)  discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer; or

(4)  process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the Children's Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.).

(c)  Subsection (b)(3) may not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer's right to opt out under Section 541.051 or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes:

(1)  the categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller;

(2)  the purpose for processing personal data;

(3)  how consumers may exercise their consumer rights under Subchapter B, including the process by which a consumer may appeal a controller's decision with regard to the consumer's request;

(4)  if applicable, the categories of personal data that the controller shares with third parties;

(5)  if applicable, the categories of third parties with whom the controller shares personal data; and

(6)  a description of the methods required under Section 541.055 through which consumers can submit requests to exercise their consumer rights under this chapter.

(b)  If a controller engages in the sale of personal data that is sensitive data, the controller shall include the following notice:

"NOTICE: We may sell your sensitive personal data."  The notice must be posted in the same location and in the same manner as the privacy notice described by Subsection (a).

(c)  If a controller engages in the sale of personal data that is biometric data, the controller shall include the following notice:

"NOTICE: We may sell your biometric personal data."  The notice must be posted in the same location and in the same manner as the privacy notice described by Subsection (a).

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose that process and the manner in which a consumer may exercise the right to opt out of that process.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  A processor shall adhere to the instructions of a controller and shall assist the controller in meeting or complying with the controller's duties or requirements under this chapter, including:

(1)  assisting the controller in responding to consumer rights requests submitted under Section 541.051 by using appropriate technical and organizational measures, as reasonably practicable, taking into account the nature of processing and the information available to the processor;

(2)  assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor's system under Chapter 521, taking into account the nature of processing and the information available to the processor; and

(3)  providing necessary information to enable the controller to conduct and document data protection assessments under Section 541.105.

(b)  A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract must include:

(1)  clear instructions for processing data;

(2)  the nature and purpose of processing;

(3)  the type of data subject to processing;

(4)  the duration of processing;

(5)  the rights and obligations of both parties; and

(6)  a requirement that the processor shall:

(A)  ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

(B)  at the controller's direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;

(C)  make available to the controller, on reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance with the requirements of this chapter;

(D)  allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; and

(E)  engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.

(c)  Notwithstanding the requirement described by Subsection (b)(6)(D), a processor, in the alternative, may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the requirements under this chapter using an appropriate and accepted control standard or framework and assessment procedure.  The processor shall provide a report of the assessment to the controller on request.

(d)  This section may not be construed to relieve a controller or a processor from the liabilities imposed on the controller or processor by virtue of its role in the processing relationship as described by this chapter.

(e)  A determination of whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is to be processed.  A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains in the role of a processor.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:

(1)  the processing of personal data for purposes of targeted advertising;

(2)  the sale of personal data;

(3)  the processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:

(A)  unfair or deceptive treatment of or unlawful disparate impact on consumers;

(B)  financial, physical, or reputational injury to consumers;

(C)  a physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or

(D)  other substantial injury to consumers;

(4)  the processing of sensitive data; and

(5)  any processing activities involving personal data that present a heightened risk of harm to consumers.

(b)  A data protection assessment conducted under Subsection (a) must:

(1)  identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce the risks; and

(2)  factor into the assessment:

(A)  the use of deidentified data;

(B)  the reasonable expectations of consumers;

(C)  the context of the processing; and

(D)  the relationship between the controller and the consumer whose personal data will be processed.

(c)  A controller shall make a data protection assessment requested under Section 541.153(b) available to the attorney general pursuant to a civil investigative demand under Section 541.153.

(d)  A data protection assessment is confidential and exempt from public inspection and copying under Chapter 552, Government Code. Disclosure of a data protection assessment in compliance with a request from the attorney general does not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.

(e)  A single data protection assessment may address a comparable set of processing operations that include similar activities.

(f)  A data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  A controller in possession of deidentified data shall:

(1)  take reasonable measures to ensure that the data cannot be associated with an individual;

(2)  publicly commit to maintaining and using deidentified data without attempting to reidentify the data; and

(3)  contractually obligate any recipient of the deidentified data to comply with the provisions of this chapter.

(b)  This chapter may not be construed to require a controller or processor to:

(1)  reidentify deidentified data or pseudonymous data;

(2)  maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or

(3)  comply with an authenticated consumer rights request under Section 541.051, if the controller:

(A)  is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;

(B)  does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and

(C)  does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by this section.

(c)  The consumer rights under Sections 541.051(b)(1)-(4) and controller duties under Section 541.101 do not apply to pseudonymous data in cases in which the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

(d)  A controller that discloses pseudonymous data or deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and shall take appropriate steps to address any breach of the contractual commitments.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  A person described by Section 541.002(a)(3) may not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.

(b)  A person who violates this section is subject to the penalty under Section 541.155.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

The attorney general has exclusive authority to enforce this chapter.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

The attorney general shall post on the attorney general's Internet website:

(1)  information relating to:

(A)  the responsibilities of a controller under Subchapters B and C;

(B)  the responsibilities of a processor under Subchapter C; and

(C)  a consumer's rights under Subchapter B; and

(2)  an online mechanism through which a consumer may submit a complaint under this chapter to the attorney general.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  If the attorney general has reasonable cause to believe that a person has engaged in or is engaging in a violation of this chapter, the attorney general may issue a civil investigative demand.  The procedures established for the issuance of a civil investigative demand under Section 15.10 apply to the same extent and manner to the issuance of a civil investigative demand under this section.

(b)  The attorney general may request, pursuant to a civil investigative demand issued under Subsection (a), that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general.  The attorney general may evaluate the data protection assessment for compliance with the requirements set forth in Sections 541.101, 541.102, and 541.103.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

Before bringing an action under Section 541.155, the attorney general shall notify a person in writing, not later than the 30th day before bringing the action, identifying the specific provisions of this chapter the attorney general alleges have been or are being violated.  The attorney general may not bring an action against the person if:

(1)  within the 30-day period, the person cures the identified violation; and

(2)  the person provides the attorney general a written statement that the person:

(A)  cured the alleged violation;

(B)  notified the consumer that the consumer's privacy violation was addressed, if the consumer's contact information has been made available to the person;

(C)  provided supportive documentation to show how the privacy violation was cured; and

(D)  made changes to internal policies, if necessary, to ensure that no such further violations will occur.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  A person who violates this chapter following the cure period described by Section 541.154 or who breaches a written statement provided to the attorney general under that section is liable for a civil penalty in an amount not to exceed $7,500 for each violation.

(b)  The attorney general may bring an action in the name of this state to:

(1)  recover a civil penalty under this section;

(2)  restrain or enjoin the person from violating this chapter; or

(3)  recover the civil penalty and seek injunctive relief.

(c)  The attorney general may recover reasonable attorney's fees and other reasonable expenses incurred in investigating and bringing an action under this section.

(d)  The attorney general shall deposit a civil penalty collected under this section in accordance with Section 402.007, Government Code.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

This chapter may not be construed as providing a basis for, or being subject to, a private right of action for a violation of this chapter or any other law.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  This chapter may not be construed to restrict a controller's or processor's ability to:

(1)  comply with federal, state, or local laws, rules, or regulations;

(2)  comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;

(3)  investigate, establish, exercise, prepare for, or defend legal claims;

(4)  provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer before entering into a contract;

(5)  take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual and in which the processing cannot be manifestly based on another legal basis;

(6)  prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;

(7)  preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security;

(8)  engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar independent oversight entity that determines:

(A)  if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;

(B)  whether the expected benefits of the research outweigh the privacy risks; and

(C)  if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification; or

(9)  assist another controller, processor, or third party with any of the requirements under this subsection.

(b)  This chapter may not be construed to prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part of a privileged communication.

(c)  This chapter may not be construed as imposing a requirement on controllers and processors that adversely affects the rights or freedoms of any person, including the right of free speech.

(d)  This chapter may not be construed as requiring a controller, processor, third party, or consumer to disclose a trade secret.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  The requirements imposed on controllers and processors under this chapter may not restrict a controller's or processor's ability to collect, use, or retain data to:

(1)  conduct internal research to develop, improve, or repair products, services, or technology;

(2)  effect a product recall;

(3)  identify and repair technical errors that impair existing or intended functionality; or

(4)  perform internal operations that:

(A)  are reasonably aligned with the expectations of the consumer;

(B)  are reasonably anticipated based on the consumer's existing relationship with the controller; or

(C)  are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

(b)  A requirement imposed on a controller or processor under this chapter does not apply if compliance with the requirement by the controller or processor, as applicable, would violate an evidentiary privilege under the laws of this state.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, does not violate this chapter if the third-party controller or processor that receives and processes that personal data is in violation of this chapter, provided that, at the time of the data's disclosure, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation.

(b)  A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of this chapter does not violate this chapter for the transgressions of the controller or processor from which the third-party controller or processor receives the personal data.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(a)  Personal data processed by a controller under this subchapter may not be processed for any purpose other than a purpose listed in this subchapter unless otherwise allowed by this chapter. Personal data processed by a controller under this subchapter may be processed to the extent that the processing of the data is:

(1)  reasonably necessary and proportionate to the purposes listed in this subchapter; and

(2)  adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this subchapter.

(b)  Personal data collected, used, or retained under Section 541.202(a) must, where applicable, take into account the nature and purpose of such collection, use, or retention.  The personal data described by this subsection is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.

(c)  A controller that processes personal data under an exemption in this subchapter bears the burden of demonstrating that the processing of the personal data qualifies for the exemption and complies with the requirements of Subsections (a) and (b).

(d)  The processing of personal data by an entity for the purposes described by Section 541.201 does not solely make the entity a controller with respect to the processing of the data.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

This chapter supersedes and preempts any ordinance, resolution, rule, or other regulation adopted by a political subdivision regarding the processing of personal data by a controller or processor.

Added by Acts 2023, 88th Leg., R.S., Ch. 995 (H.B. 4), Sec. 2, eff. July 1, 2024.

(1) “Account” means the Consumer Privacy Restricted Account established in Section 13-61-403.

(2) “Affiliate” means an entity that:

(a) controls, is controlled by, or is under common control with another entity; or

(b) shares common branding with another entity.

(3) “Aggregated data” means information that relates to a group or category of consumers:

(a) from which individual consumer identities have been removed; and

(b) that is not linked or reasonably linkable to any consumer.

(4) “Air carrier” means the same as that term is defined in 49 U.S.C. Sec. 40102.

(5) “Authenticate” means to use reasonable means to determine that a consumer's request to exercise the rights described in Section 13-61-201 is made by the consumer who is entitled to exercise those rights.

(6)(a) “Biometric data” means data generated by automatic measurements of an individual's unique biological characteristics.

(b) “Biometric data” includes data described in Subsection (6)(a) that are generated by automatic measurements of an individual's fingerprint, voiceprint, eye retinas, irises, or any other unique biological pattern or characteristic that is used to identify a specific individual.

(c) “Biometric data” does not include:

(i) a physical or digital photograph;

(ii) a video or audio recording;

(iii) data generated from an item described in Subsection (6)(c)(i) or (ii);

(iv) information captured from a patient in a health care setting; or

(v) information collected, used, or stored for treatment, payment, or health care operations as those terms are defined in 45 C.F.R. Parts 160, 162, and 164.

(7) “Business associate” means the same as that term is defined in 45 C.F.R. Sec. 160.103.

(8) “Child” means an individual younger than 13 years old.

(9) “Consent” means an affirmative act by a consumer that unambiguously indicates the consumer's voluntary and informed agreement to allow a person to process personal data related to the consumer.

(10)(a) “Consumer” means an individual who is a resident of the state acting in an individual or household context.

(b) “Consumer” does not include an individual acting in an employment or commercial context.

(11) “Control” or “controlled” as used in Subsection (2) means:

(a) ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting securities of an entity;

(b) control in any manner over the election of a majority of the directors or of the individuals exercising similar functions; or

(c) the power to exercise controlling influence of the management of an entity.

(12) “Controller” means a person doing business in the state who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others.

(13) “Covered entity” means the same as that term is defined in 45 C.F.R. Sec. 160.103.

(14)(a) “Deidentified data” means data that:

(i) cannot reasonably be linked to an identified individual or an identifiable individual; and

(ii) are possessed by a controller who:

(A) takes reasonable measures to ensure that a person cannot associate the data with an individual;

(B) publicly commits to maintain and use the data only in deidentified form and not attempt to reidentify the data; and

(C) contractually obligates any recipients of the data to comply with the requirements described in Subsections (14)(b)(i) and (ii).

(b) “Deidentified data” includes synthetic data.

(15) “Director” means the director of the Division of Consumer Protection.

(16) “Division” means the Division of Consumer Protection created in Section 13-2-1.

(17) “Governmental entity” means the same as that term is defined in Section 63G-2-103.

(18) “Health care facility” means the same as that term is defined in Section 26B-2-201.

(19) “Health care provider” means the same as that term is defined in Section 78B-3-403.

(20) “Identifiable individual” means an individual who can be readily identified, directly or indirectly.

(21) “Institution of higher education” means a public or private institution of higher education.

(22) “Local political subdivision” means the same as that term is defined in Section 11-14-102.

(23) “Nonprofit corporation” means:

(a) the same as that term is defined in Section 16-6a-102; or

(b) a foreign nonprofit corporation as defined in Section 16-6a-102.

(24)(a) “Personal data” means information that is linked or reasonably linkable to an identified individual or an identifiable individual.

(b) “Personal data” does not include deidentified data, aggregated data, or publicly available information.