|
Assembly Actions -
Lowercase Senate Actions - UPPERCASE |
|
|---|---|
| Jan 03, 2024 |
referred to science and technology |
| Apr 03, 2023 |
referred to science and technology |
Assembly Bill A6319
2023-2024 Legislative Session
Relates to data privacy protection; establishes the privacy and security victims relief fund
download bill text pdfSponsored By
SOLAGES
Current Bill Status - In Assembly Committee
- Introduced
-
- In Committee Assembly
- In Committee Senate
-
- On Floor Calendar Assembly
- On Floor Calendar Senate
-
- Passed Assembly
- Passed Senate
- Delivered to Governor
- Signed By Governor
Actions
2023-A6319 (ACTIVE) - Details
- Current Committee:
- Assembly Science And Technology
- Law Section:
- General Business Law
- Laws Affected:
- Add Art 45 Title I §§1500 & 1501, Title II §§1510 - 1513, Title III §§1520 - 1529, Title IV §§1540 - 1544, Title V §§1550 - 1554, Gen Bus L; add §85, St Fin L
2023-A6319 (ACTIVE) - Bill Text download pdf
S T A T E O F N E W Y O R K
________________________________________________________________________
6319
2023-2024 Regular Sessions
I N A S S E M B L Y
April 3, 2023
___________
Introduced by M. of A. SOLAGES -- read once and referred to the Commit-
tee on Science and Technology
AN ACT to amend the general business law, in relation to establishing
consumers' foundational data privacy rights, creating oversight mech-
anisms, and establishing enforcement mechanisms; and to amend the
state finance law, in relation to establishing the privacy and securi-
ty victims relief fund
THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
BLY, DO ENACT AS FOLLOWS:
Section 1. The general business law is amended by adding a new article
45 to read as follows:
ARTICLE 45
DATA PRIVACY AND PROTECTION
TITLE I. SHORT TITLE AND DEFINITIONS (§§ 1500--1501).
TITLE II. DUTY OF LOYALTY (§§ 1510--1513).
TITLE III. CONSUMER DATA RIGHTS (§§ 1520--1529).
TITLE IV. CORPORATE ACCOUNTABILITY (§§ 1540--1544).
TITLE V. ENFORCEMENT, APPLICABILITY, AND MISCELLANEOUS (§§
1550--1554).
TITLE I
SHORT TITLE AND DEFINITIONS
SECTION 1500. SHORT TITLE.
1501. DEFINITIONS.
§ 1500. SHORT TITLE. THIS ARTICLE SHALL BE KNOWN AND MAY BE CITED AS
THE "AMERICAN DATA PRIVACY AND PROTECTION ACT".
§ 1501. DEFINITIONS. AS USED IN THIS ARTICLE:
1. (A) "AFFIRMATIVE EXPRESS CONSENT" MEANS AN AFFIRMATIVE ACT BY AN
INDIVIDUAL THAT CLEARLY COMMUNICATES THE INDIVIDUAL'S FREELY GIVEN,
EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
[ ] is old law to be omitted.
LBD09996-01-3
A. 6319 2
SPECIFIC, AND UNAMBIGUOUS AUTHORIZATION FOR AN ACT OR PRACTICE AFTER
HAVING BEEN INFORMED, IN RESPONSE TO A SPECIFIC REQUEST FROM A COVERED
ENTITY THAT MEETS THE REQUIREMENTS OF PARAGRAPH (B) OF THIS SUBDIVISION.
(B) THE REQUIREMENTS OF THIS PARAGRAPH WITH RESPECT TO A REQUEST FROM
A COVERED ENTITY TO AN INDIVIDUAL ARE THE FOLLOWING:
(I) THE REQUEST IS PROVIDED TO THE INDIVIDUAL IN A CLEAR AND CONSPICU-
OUS STANDALONE DISCLOSURE MADE THROUGH THE PRIMARY MEDIUM USED TO OFFER
THE COVERED ENTITY'S PRODUCT OR SERVICE, OR ONLY IF THE PRODUCT OR
SERVICE IS NOT OFFERED IN A MEDIUM THAT PERMITS THE MAKING OF THE
REQUEST UNDER THIS PARAGRAPH, ANOTHER MEDIUM REGULARLY USED IN CONJUNC-
TION WITH THE COVERED ENTITY'S PRODUCT OR SERVICE.
(II) THE REQUEST INCLUDES A DESCRIPTION OF THE PROCESSING PURPOSE FOR
WHICH THE INDIVIDUAL'S CONSENT IS SOUGHT AND:
(A) CLEARLY STATES THE SPECIFIC CATEGORIES OF COVERED DATA THAT THE
COVERED ENTITY SHALL COLLECT, PROCESS, AND TRANSFER NECESSARY TO EFFEC-
TUATE THE PROCESSING PURPOSE; AND
(B) INCLUDES A PROMINENT HEADING AND IS WRITTEN IN EASY-TO-UNDERSTAND
LANGUAGE THAT WOULD ENABLE A REASONABLE INDIVIDUAL TO IDENTIFY AND
UNDERSTAND THE PROCESSING PURPOSE FOR WHICH CONSENT IS SOUGHT AND THE
COVERED DATA TO BE COLLECTED, PROCESSED, OR TRANSFERRED BY THE COVERED
ENTITY FOR SUCH PROCESSING PURPOSE.
(III) THE REQUEST CLEARLY EXPLAINS THE INDIVIDUAL'S APPLICABLE RIGHTS
RELATED TO CONSENT.
(IV) THE REQUEST IS MADE IN A MANNER REASONABLY ACCESSIBLE TO AND
USABLE BY INDIVIDUALS WITH DISABILITIES.
(V) THE REQUEST IS MADE AVAILABLE TO THE INDIVIDUAL IN EACH COVERED
LANGUAGE IN WHICH THE COVERED ENTITY PROVIDES A PRODUCT OR SERVICE FOR
WHICH AUTHORIZATION IS SOUGHT.
(VI) THE OPTION TO REFUSE CONSENT SHALL BE AT LEAST AS PROMINENT AS
THE OPTION TO ACCEPT, AND THE OPTION TO REFUSE CONSENT SHALL TAKE THE
SAME NUMBER OF STEPS OR FEWER AS THE OPTION TO ACCEPT.
(VII) PROCESSING OR TRANSFERRING ANY COVERED DATA COLLECTED PURSUANT
TO AFFIRMATIVE EXPRESS CONSENT FOR A DIFFERENT PROCESSING PURPOSE THAN
THAT FOR WHICH AFFIRMATIVE EXPRESS CONSENT WAS OBTAINED SHALL REQUIRE
AFFIRMATIVE EXPRESS CONSENT FOR THE SUBSEQUENT PROCESSING PURPOSE.
(C) A COVERED ENTITY MAY NOT INFER THAT AN INDIVIDUAL HAS PROVIDED
AFFIRMATIVE EXPRESS CONSENT TO AN ACT OR PRACTICE FROM THE INACTION OF
THE INDIVIDUAL OR THE INDIVIDUAL'S CONTINUED USE OF A SERVICE OR PRODUCT
PROVIDED BY THE COVERED ENTITY.
(D) A COVERED ENTITY MAY NOT OBTAIN OR ATTEMPT TO OBTAIN THE AFFIRMA-
TIVE EXPRESS CONSENT OF AN INDIVIDUAL THROUGH:
(I) THE USE OF ANY FALSE, FICTITIOUS, FRAUDULENT, OR MATERIALLY
MISLEADING STATEMENT OR REPRESENTATION; OR
(II) THE DESIGN, MODIFICATION, OR MANIPULATION OF ANY USER INTERFACE
WITH THE PURPOSE OR SUBSTANTIAL EFFECT OF OBSCURING, SUBVERTING, OR
IMPAIRING A REASONABLE INDIVIDUAL'S AUTONOMY, DECISION MAKING, OR CHOICE
TO PROVIDE SUCH CONSENT OR ANY COVERED DATA.
2. "AUTHENTICATION" MEANS THE PROCESS OF VERIFYING AN INDIVIDUAL OR
ENTITY FOR SECURITY PURPOSES.
3. (A) "BIOMETRIC INFORMATION" MEANS ANY COVERED DATA GENERATED FROM
THE TECHNOLOGICAL PROCESSING OF AN INDIVIDUAL'S UNIQUE BIOLOGICAL, PHYS-
ICAL, OR PHYSIOLOGICAL CHARACTERISTICS THAT IS LINKED OR REASONABLY
LINKABLE TO AN INDIVIDUAL, INCLUDING:
(I) FINGERPRINTS;
(II) VOICE PRINTS;
(III) IRIS OR RETINA SCANS;
A. 6319 3
(IV) FACIAL OR HAND MAPPING, GEOMETRY, OR TEMPLATES; OR
(V) GAIT OR PERSONALLY IDENTIFYING PHYSICAL MOVEMENTS.
(B) "BIOMETRIC INFORMATION" DOES NOT INCLUDE:
(I) A DIGITAL OR PHYSICAL PHOTOGRAPH;
(II) AN AUDIO OR VIDEO RECORDING; OR
(III) DATA GENERATED FROM A DIGITAL OR PHYSICAL PHOTOGRAPH, OR AN
AUDIO OR VIDEO RECORDING, THAT CANNOT BE USED TO IDENTIFY AN INDIVIDUAL.
4. "COLLECT" AND "COLLECTION" MEAN BUYING, RENTING, GATHERING, OBTAIN-
ING, RECEIVING, ACCESSING, OR OTHERWISE ACQUIRING COVERED DATA BY ANY
MEANS.
5. "CONTROL" MEANS, WITH RESPECT TO AN ENTITY:
(A) OWNERSHIP OF, OR THE POWER TO VOTE, MORE THAN FIFTY PERCENT OF THE
OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF THE ENTITY;
(B) CONTROL OVER THE ELECTION OF A MAJORITY OF THE DIRECTORS OF THE
ENTITY (OR OF INDIVIDUALS EXERCISING SIMILAR FUNCTIONS); OR
(C) THE POWER TO EXERCISE A CONTROLLING INFLUENCE OVER THE MANAGEMENT
OF THE ENTITY.
6. "COVERED ALGORITHM" MEANS A COMPUTATIONAL PROCESS THAT USES MACHINE
LEARNING, NATURAL LANGUAGE PROCESSING, ARTIFICIAL INTELLIGENCE TECH-
NIQUES, OR OTHER COMPUTATIONAL PROCESSING TECHNIQUES OF SIMILAR OR
GREATER COMPLEXITY AND THAT MAKES A DECISION OR FACILITATES HUMAN DECI-
SION-MAKING WITH RESPECT TO COVERED DATA, INCLUDING TO DETERMINE THE
PROVISION OF PRODUCTS OR SERVICES OR TO RANK, ORDER, PROMOTE, RECOMMEND,
AMPLIFY, OR SIMILARLY DETERMINE THE DELIVERY OR DISPLAY OF INFORMATION
TO AN INDIVIDUAL.
7. (A) "COVERED DATA" MEANS INFORMATION THAT IDENTIFIES OR IS LINKED
OR REASONABLY LINKABLE, ALONE OR IN COMBINATION WITH OTHER INFORMATION,
TO AN INDIVIDUAL OR A DEVICE THAT IDENTIFIES OR IS LINKED OR REASONABLY
LINKABLE TO AN INDIVIDUAL, AND MAY INCLUDE DERIVED DATA AND UNIQUE
PERSISTENT IDENTIFIERS.
(B) "COVERED DATA" DOES NOT INCLUDE:
(I) DE-IDENTIFIED DATA;
(II) EMPLOYEE DATA;
(III) PUBLICLY AVAILABLE INFORMATION; OR
(IV) INFERENCES MADE EXCLUSIVELY FROM MULTIPLE INDEPENDENT SOURCES OF
PUBLICLY AVAILABLE INFORMATION THAT DO NOT REVEAL SENSITIVE COVERED DATA
WITH RESPECT TO AN INDIVIDUAL.
8. (A) "COVERED ENTITY":
(I) MEANS ANY ENTITY OR ANY PERSON, OTHER THAN AN INDIVIDUAL ACTING IN
A NON-COMMERCIAL CONTEXT, THAT ALONE OR JOINTLY WITH OTHERS DETERMINES
THE PURPOSES AND MEANS OF COLLECTING, PROCESSING, OR TRANSFERRING
COVERED DATA AND:
(A) IS SUBJECT TO THE FEDERAL TRADE DIVISION ACT (15 U.S.C. 41 ET
SEQ.);
(B) IS A COMMON CARRIER SUBJECT TO THE COMMUNICATIONS ACT OF 1934 (47
U.S.C. 151 ET SEQ.) AND ALL ACTS AMENDATORY THEREOF AND SUPPLEMENTARY
THERETO; OR
(C) IS AN ORGANIZATION NOT ORGANIZED TO CARRY ON BUSINESS FOR ITS OWN
PROFIT OR THAT OF ITS MEMBERS; AND
(II) INCLUDES ANY ENTITY OR PERSON THAT CONTROLS, IS CONTROLLED BY, OR
IS UNDER COMMON CONTROL WITH THE COVERED ENTITY.
(B) "COVERED ENTITY" DOES NOT INCLUDE:
(I) A FEDERAL, STATE, TRIBAL, TERRITORIAL, OR LOCAL GOVERNMENT ENTITY
SUCH AS A BODY, AUTHORITY, BOARD, BUREAU, DIVISION, DISTRICT, AGENCY, OR
POLITICAL SUBDIVISION OF THE FEDERAL GOVERNMENT OR A STATE, TRIBAL,
TERRITORIAL, OR LOCAL GOVERNMENT;
A. 6319 4
(II) A PERSON OR AN ENTITY THAT IS COLLECTING, PROCESSING, OR TRANS-
FERRING COVERED DATA ON BEHALF OF A FEDERAL, STATE, TRIBAL, TERRITORIAL,
OR LOCAL GOVERNMENT ENTITY, IN SO FAR AS SUCH PERSON OR ENTITY IS ACTING
AS A SERVICE PROVIDER TO THE GOVERNMENT ENTITY; OR
(III) AN ENTITY THAT SERVES AS A DESIGNATED NONPROFIT, NATIONAL
RESOURCE CENTER, AND CLEARINGHOUSE TO PROVIDE ASSISTANCE TO VICTIMS,
FAMILIES, CHILD-SERVING PROFESSIONALS, AND THE GENERAL PUBLIC ON MISSING
AND EXPLOITED CHILDREN ISSUES.
(C) AN ENTITY SHALL NOT BE CONSIDERED TO BE A COVERED ENTITY FOR
PURPOSES OF THIS ARTICLE IN SO FAR AS THE ENTITY IS ACTING AS A SERVICE
PROVIDER AS DEFINED IN SUBDIVISION THIRTY OF THIS SECTION.
9. "COVERED LANGUAGE" MEANS THE TEN LANGUAGES WITH THE MOST USERS IN
THE UNITED STATES, ACCORDING TO THE MOST RECENT UNITED STATES CENSUS.
10. "COVERED MINOR" MEANS AN INDIVIDUAL UNDER THE AGE OF SEVENTEEN.
11. "DE-IDENTIFIED DATA" MEANS INFORMATION THAT DOES NOT IDENTIFY AND
IS NOT LINKED OR REASONABLY LINKABLE TO A DISTINCT INDIVIDUAL OR A
DEVICE, REGARDLESS OF WHETHER THE INFORMATION IS AGGREGATED, AND IF THE
COVERED ENTITY OR SERVICE PROVIDER:
(A) TAKES REASONABLE TECHNICAL MEASURES TO ENSURE THAT THE INFORMATION
CANNOT, AT ANY POINT, BE USED TO RE-IDENTIFY ANY INDIVIDUAL OR DEVICE
THAT IDENTIFIES OR IS LINKED OR REASONABLY LINKABLE TO AN INDIVIDUAL;
(B) PUBLICLY COMMITS IN A CLEAR AND CONSPICUOUS MANNER:
(I) TO PROCESS AND TRANSFER THE INFORMATION SOLELY IN A DE-IDENTIFIED
FORM WITHOUT ANY REASONABLE MEANS FOR RE-IDENTIFICATION; AND
(II) TO NOT ATTEMPT TO RE-IDENTIFY THE INFORMATION WITH ANY INDIVIDUAL
OR DEVICE THAT IDENTIFIES OR IS LINKED OR REASONABLY LINKABLE TO AN
INDIVIDUAL; AND
(C) CONTRACTUALLY OBLIGATES ANY PERSON OR ENTITY THAT RECEIVES THE
INFORMATION FROM THE COVERED ENTITY OR SERVICE PROVIDER:
(I) TO COMPLY WITH ALL OF THE PROVISIONS OF THIS PARAGRAPH WITH
RESPECT TO THE INFORMATION; AND
(II) TO REQUIRE THAT SUCH CONTRACTUAL OBLIGATIONS BE INCLUDED CONTRAC-
TUALLY IN ALL SUBSEQUENT INSTANCES FOR WHICH THE DATA MAY BE RECEIVED.
12. "DERIVED DATA" MEANS COVERED DATA THAT IS CREATED BY THE DERIVA-
TION OF INFORMATION, DATA, ASSUMPTIONS, CORRELATIONS, INFERENCES,
PREDICTIONS, OR CONCLUSIONS FROM FACTS, EVIDENCE, OR ANOTHER SOURCE OF
INFORMATION OR DATA ABOUT AN INDIVIDUAL OR AN INDIVIDUAL'S DEVICE.
13. "DEVICE" MEANS ANY ELECTRONIC EQUIPMENT CAPABLE OF COLLECTING,
PROCESSING, OR TRANSFERRING COVERED DATA THAT IS USED BY ONE OR MORE
INDIVIDUALS.
14. "DIVISION" MEANS THE DIVISION OF CONSUMER PROTECTION.
15. "EMPLOYEE" MEANS AN INDIVIDUAL WHO IS AN EMPLOYEE, DIRECTOR, OFFI-
CER, STAFF MEMBER INDIVIDUAL WORKING AS AN INDEPENDENT CONTRACTOR THAT
IS NOT A SERVICE PROVIDER, TRAINEE, VOLUNTEER, OR INTERN OF AN EMPLOYER,
REGARDLESS OF WHETHER SUCH INDIVIDUAL IS PAID, UNPAID, OR EMPLOYED ON A
TEMPORARY BASIS.
16. "EMPLOYEE DATA" MEANS:
(A) INFORMATION RELATING TO A JOB APPLICANT COLLECTED BY A COVERED
ENTITY ACTING AS A PROSPECTIVE EMPLOYER OF SUCH JOB APPLICANT IN THE
COURSE OF THE APPLICATION, OR HIRING PROCESS, IF SUCH INFORMATION IS
COLLECTED, PROCESSED, OR TRANSFERRED BY THE PROSPECTIVE EMPLOYER SOLELY
FOR PURPOSES RELATED TO THE EMPLOYEE'S STATUS AS A CURRENT OR FORMER JOB
APPLICANT OF SUCH EMPLOYER;
(B) INFORMATION PROCESSED BY AN EMPLOYER RELATING TO AN EMPLOYEE WHO
IS ACTING IN A PROFESSIONAL CAPACITY FOR THE EMPLOYER, PROVIDED THAT
SUCH INFORMATION IS COLLECTED, PROCESSED, OR TRANSFERRED SOLELY FOR
A. 6319 5
PURPOSES RELATED TO SUCH EMPLOYEE'S PROFESSIONAL ACTIVITIES ON BEHALF OF
THE EMPLOYER;
(C) THE BUSINESS CONTACT INFORMATION OF AN EMPLOYEE, INCLUDING THE
EMPLOYEE'S NAME, POSITION OR TITLE, BUSINESS TELEPHONE NUMBER, BUSINESS
ADDRESS, OR BUSINESS EMAIL ADDRESS THAT IS PROVIDED TO AN EMPLOYER BY AN
EMPLOYEE WHO IS ACTING IN A PROFESSIONAL CAPACITY, IF SUCH INFORMATION
IS COLLECTED, PROCESSED, OR TRANSFERRED SOLELY FOR PURPOSES RELATED TO
SUCH EMPLOYEE'S PROFESSIONAL ACTIVITIES ON BEHALF OF THE EMPLOYER;
(D) EMERGENCY CONTACT INFORMATION COLLECTED BY AN EMPLOYER THAT
RELATES TO AN EMPLOYEE OF THAT EMPLOYER, IF SUCH INFORMATION IS
COLLECTED, PROCESSED, OR TRANSFERRED SOLELY FOR THE PURPOSE OF HAVING AN
EMERGENCY CONTACT ON FILE FOR THE EMPLOYEE AND FOR PROCESSING OR TRANS-
FERRING SUCH INFORMATION IN CASE OF AN EMERGENCY; OR
(E) INFORMATION RELATING TO AN EMPLOYEE (OR A SPOUSE, DEPENDENT, OTHER
COVERED FAMILY MEMBER, OR BENEFICIARY OF SUCH EMPLOYEE) THAT IS NECES-
SARY FOR THE EMPLOYER TO COLLECT, PROCESS, OR TRANSFER SOLELY FOR THE
PURPOSE OF ADMINISTERING BENEFITS TO WHICH SUCH EMPLOYEE (OR SPOUSE,
DEPENDENT, OTHER COVERED FAMILY MEMBER, OR BENEFICIARY OF SUCH EMPLOYEE)
IS ENTITLED ON THE BASIS OF THE EMPLOYEE'S POSITION WITH THAT EMPLOYER.
17. "EXECUTIVE AGENCY" MEANS ANY DEPARTMENT, BOARD, BUREAU, COMMIS-
SION, DIVISION, OFFICE, COUNCIL, COMMITTEE OR OFFICER OF THE STATE, A
PUBLIC BENEFIT CORPORATION OR PUBLIC AUTHORITY AT LEAST ONE OF WHOSE
MEMBERS IS APPOINTED BY THE GOVERNOR.
18. "FIRST PARTY ADVERTISING OR MARKETING" MEANS ADVERTISING OR
MARKETING CONDUCTED BY A FIRST PARTY EITHER THROUGH DIRECT COMMUNI-
CATIONS WITH A USER SUCH AS DIRECT MAIL, EMAIL, OR TEXT MESSAGE COMMUNI-
CATIONS, OR ADVERTISING OR MARKETING CONDUCTED ENTIRELY WITHIN THE
FIRST-PARTY CONTEXT, SUCH AS IN A PHYSICAL LOCATION OPERATED BY THE
FIRST PARTY, OR ON A WEBSITE OR APP OPERATED BY THE FIRST PARTY.
19. "GENETIC INFORMATION" MEANS ANY COVERED DATA, REGARDLESS OF ITS
FORMAT, THAT CONCERNS AN INDIVIDUAL'S GENETIC CHARACTERISTICS, INCLUD-
ING:
(A) RAW SEQUENCE DATA THAT RESULTS FROM THE SEQUENCING OF THE
COMPLETE, OR A PORTION OF THE, EXTRACTED DEOXYRIBONUCLEIC ACID (DNA) OF
AN INDIVIDUAL; OR
(B) GENOTYPIC AND PHENOTYPIC INFORMATION THAT RESULTS FROM ANALYZING
RAW SEQUENCE DATA DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION.
20. "INDIVIDUAL" MEANS A NATURAL PERSON RESIDING IN THE STATE.
21. (A) "KNOWLEDGE" MEANS:
(I) WITH RESPECT TO A COVERED ENTITY THAT IS A COVERED HIGH-IMPACT
SOCIAL MEDIA COMPANY, THE ENTITY KNEW OR SHOULD HAVE KNOWN THE INDIVID-
UAL WAS A COVERED MINOR;
(II) WITH RESPECT TO A COVERED ENTITY OR SERVICE PROVIDER THAT IS A
LARGE DATA HOLDER, AND OTHERWISE IS NOT A COVERED HIGH-IMPACT SOCIAL
MEDIA COMPANY, THAT THE COVERED ENTITY KNEW OR ACTED IN WILLFUL DISRE-
GARD OF THE FACT THAT THE INDIVIDUAL WAS A COVERED MINOR; AND
(III) WITH RESPECT TO A COVERED ENTITY OR SERVICE PROVIDER THAT DOES
NOT MEET THE REQUIREMENTS OF SUBPARAGRAPH (I) OR (II) OF THIS PARAGRAPH,
ACTUAL KNOWLEDGE.
(B) FOR PURPOSES OF THIS SUBDIVISION, THE TERM "COVERED HIGH-IMPACT
SOCIAL MEDIA COMPANY" MEANS A COVERED ENTITY THAT PROVIDES ANY INTER-
NET-ACCESSIBLE PLATFORM WHERE:
(I) SUCH COVERED ENTITY GENERATES THREE BILLION DOLLARS OR MORE IN
ANNUAL REVENUE;
A. 6319 6
(II) SUCH PLATFORM HAS THREE HUNDRED MILLION OR MORE MONTHLY ACTIVE
USERS FOR NOT FEWER THAN THREE OF THE PRECEDING TWELVE MONTHS ON THE
ONLINE PRODUCT OR SERVICE OF SUCH COVERED ENTITY; AND
(III) SUCH PLATFORM CONSTITUTES AN ONLINE PRODUCT OR SERVICE THAT IS
PRIMARILY USED BY USERS TO ACCESS OR SHARE, USER-GENERATED CONTENT.
22. (A) "LARGE DATA HOLDER" MEANS A COVERED ENTITY OR SERVICE PROVIDER
THAT, IN THE MOST RECENT CALENDAR YEAR:
(I) HAD ANNUAL GROSS REVENUES OF TWO HUNDRED FIFTY MILLION DOLLARS OR
MORE; AND
(II) COLLECTED, PROCESSED, OR TRANSFERRED:
(A) THE COVERED DATA OF MORE THAN FIVE MILLION INDIVIDUALS OR DEVICES
THAT IDENTIFY OR ARE LINKED OR REASONABLY LINKABLE TO ONE OR MORE INDI-
VIDUALS, EXCLUDING COVERED DATA COLLECTED AND PROCESSED SOLELY FOR THE
PURPOSE OF INITIATING, RENDERING, BILLING FOR, FINALIZING, COMPLETING,
OR OTHERWISE COLLECTING PAYMENT FOR A REQUESTED PRODUCT OR SERVICE; AND
(B) THE SENSITIVE COVERED DATA OF MORE THAN TWO HUNDRED THOUSAND INDI-
VIDUALS OR DEVICES THAT IDENTIFY OR ARE LINKED OR REASONABLY LINKABLE TO
ONE OR MORE INDIVIDUALS.
(B) "LARGE DATA HOLDER" DOES NOT INCLUDE ANY INSTANCE IN WHICH THE
COVERED ENTITY OR SERVICE PROVIDER WOULD QUALIFY AS A LARGE DATA HOLDER
SOLELY ON THE BASIS OF COLLECTING OR PROCESSING:
(I) PERSONAL EMAIL ADDRESSES;
(II) PERSONAL TELEPHONE NUMBERS; OR
(III) LOG-IN INFORMATION OF AN INDIVIDUAL OR DEVICE TO ALLOW THE INDI-
VIDUAL OR DEVICE TO LOG IN TO AN ACCOUNT ADMINISTERED BY THE COVERED
ENTITY OR SERVICE PROVIDER.
(C) FOR PURPOSES OF DETERMINING WHETHER ANY COVERED ENTITY OR SERVICE
PROVIDER IS A LARGE DATA HOLDER, THE TERM "REVENUE", WITH RESPECT TO ANY
COVERED ENTITY OR SERVICE PROVIDER THAT IS NOT ORGANIZED TO CARRY ON
BUSINESS FOR ITS OWN PROFIT OR THAT OF ITS MEMBERS:
(I) MEANS THE GROSS RECEIPTS THE COVERED ENTITY OR SERVICE PROVIDER
RECEIVED, IN WHATEVER FORM, FROM ALL SOURCES, WITHOUT SUBTRACTING ANY
COSTS OR EXPENSES; AND
(II) INCLUDES CONTRIBUTIONS, GIFTS, GRANTS, DUES OR OTHER ASSESSMENTS,
INCOME FROM INVESTMENTS, AND PROCEEDS FROM THE SALE OF REAL OR PERSONAL
PROPERTY.
23. "MARKET RESEARCH" MEANS THE COLLECTION, PROCESSING, OR TRANSFER OF
COVERED DATA AS REASONABLY NECESSARY AND PROPORTIONATE TO INVESTIGATE
THE MARKET FOR OR MARKETING OF PRODUCTS, SERVICES, OR IDEAS, WHERE THE
COVERED DATA IS NOT:
(A) INTEGRATED INTO ANY PRODUCT OR SERVICE;
(B) OTHERWISE USED TO CONTACT ANY INDIVIDUAL OR INDIVIDUAL'S DEVICE;
OR
(C) USED TO ADVERTISE OR MARKET TO ANY INDIVIDUAL OR INDIVIDUAL'S
DEVICE.
24. "MATERIAL" MEANS, WITH RESPECT TO AN ACT, PRACTICE, OR REPRESEN-
TATION OF A COVERED ENTITY (INCLUDING A REPRESENTATION MADE BY THE
COVERED ENTITY IN A PRIVACY POLICY OR SIMILAR DISCLOSURE TO INDIVIDUALS)
INVOLVING THE COLLECTION, PROCESSING, OR TRANSFER OF COVERED DATA, THAT
SUCH ACT, PRACTICE, OR REPRESENTATION IS LIKELY TO AFFECT A REASONABLE
INDIVIDUAL'S DECISION OR CONDUCT REGARDING A PRODUCT OR SERVICE.
25. (A) "PRECISE GEOLOCATION INFORMATION" MEANS INFORMATION THAT IS
DERIVED FROM A DEVICE OR TECHNOLOGY THAT REVEALS THE PAST OR PRESENT
PHYSICAL LOCATION OF AN INDIVIDUAL OR DEVICE THAT IDENTIFIES OR IS
LINKED OR REASONABLY LINKABLE TO ONE OR MORE INDIVIDUALS, WITH SUFFI-
CIENT PRECISION TO IDENTIFY STREET LEVEL LOCATION INFORMATION OF AN
A. 6319 7
INDIVIDUAL OR DEVICE OR THE LOCATION OF AN INDIVIDUAL OR DEVICE WITHIN A
RANGE OF EIGHTEEN HUNDRED FIFTY FEET OR LESS.
(B) "PRECISE GEOLOCATION INFORMATION" DOES NOT INCLUDE GEOLOCATION
INFORMATION IDENTIFIABLE OR DERIVED SOLELY FROM THE VISUAL CONTENT OF A
LEGALLY OBTAINED IMAGE, INCLUDING THE LOCATION OF THE DEVICE THAT
CAPTURED SUCH IMAGE.
26. "PROCESS" MEANS TO CONDUCT OR DIRECT ANY OPERATION OR SET OF OPER-
ATIONS PERFORMED ON COVERED DATA, INCLUDING ANALYZING, ORGANIZING,
STRUCTURING, RETAINING, STORING, USING, OR OTHERWISE HANDLING COVERED
DATA.
27. "PROCESSING PURPOSE" MEANS A REASON FOR WHICH A COVERED ENTITY OR
SERVICE PROVIDER COLLECTS, PROCESSES, OR TRANSFERS COVERED DATA THAT IS
SPECIFIC AND GRANULAR ENOUGH FOR A REASONABLE INDIVIDUAL TO UNDERSTAND
THE MATERIAL FACTS OF HOW AND WHY THE COVERED ENTITY OR SERVICE PROVIDER
COLLECTS, PROCESSES, OR TRANSFERS THE COVERED DATA.
28. (A) "PUBLICLY AVAILABLE INFORMATION" MEANS ANY INFORMATION THAT A
COVERED ENTITY OR SERVICE PROVIDER HAS A REASONABLE BASIS TO BELIEVE HAS
BEEN LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC FROM:
(I) FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS, IF THE COVERED ENTITY
COLLECTS, PROCESSES, AND TRANSFERS SUCH INFORMATION IN ACCORDANCE WITH
ANY RESTRICTIONS OR TERMS OF USE PLACED ON THE INFORMATION BY THE RELE-
VANT GOVERNMENT ENTITY;
(II) WIDELY DISTRIBUTED MEDIA;
(III) A WEBSITE OR ONLINE SERVICE MADE AVAILABLE TO ALL MEMBERS OF THE
PUBLIC, FOR FREE OR FOR A FEE, INCLUDING WHERE ALL MEMBERS OF THE
PUBLIC, FOR FREE OR FOR A FEE, CAN LOG IN TO THE WEBSITE OR ONLINE
SERVICE;
(IV) A DISCLOSURE THAT HAS BEEN MADE TO THE GENERAL PUBLIC AS REQUIRED
BY FEDERAL, STATE, OR LOCAL LAW; OR
(V) THE VISUAL OBSERVATION OF THE PHYSICAL PRESENCE OF AN INDIVIDUAL
OR A DEVICE IN A PUBLIC PLACE, NOT INCLUDING DATA COLLECTED BY A DEVICE
IN THE INDIVIDUAL'S POSSESSION.
(B)(I) FOR PURPOSES OF THIS PARAGRAPH, INFORMATION FROM A WEBSITE OR
ONLINE SERVICE IS NOT AVAILABLE TO ALL MEMBERS OF THE PUBLIC IF THE
INDIVIDUAL WHO MADE THE INFORMATION AVAILABLE VIA THE WEBSITE OR ONLINE
SERVICE HAS RESTRICTED THE INFORMATION TO A SPECIFIC AUDIENCE.
(II) "PUBLICLY AVAILABLE INFORMATION" DOES NOT INCLUDE:
(A) ANY OBSCENE VISUAL DEPICTION (AS DEFINED IN SECTION 1460 OF TITLE
18, UNITED STATES CODE);
(B) ANY INFERENCE MADE EXCLUSIVELY FROM MULTIPLE INDEPENDENT SOURCES
OF PUBLICLY AVAILABLE INFORMATION THAT REVEALS SENSITIVE COVERED DATA
WITH RESPECT TO AN INDIVIDUAL;
(C) BIOMETRIC INFORMATION;
(D) PUBLICLY AVAILABLE INFORMATION THAT HAS BEEN COMBINED WITH COVERED
DATA;
(E) GENETIC INFORMATION, UNLESS OTHERWISE MADE AVAILABLE BY THE INDI-
VIDUAL TO WHOM THE INFORMATION PERTAINS AS DESCRIBED IN SUBPARAGRAPH
(II) OR (III) OF PARAGRAPH (A) OF THIS SUBDIVISION; OR
(F) INTIMATE IMAGES KNOWN TO BE NONCONSENSUAL.
29. (A) "SENSITIVE COVERED DATA" MEANS THE FOLLOWING TYPES OF COVERED
DATA:
(I) A GOVERNMENT-ISSUED IDENTIFIER, SUCH AS A SOCIAL SECURITY NUMBER,
PASSPORT NUMBER, OR DRIVER'S LICENSE NUMBER, THAT IS NOT REQUIRED BY LAW
TO BE DISPLAYED IN PUBLIC.
A. 6319 8
(II) ANY INFORMATION THAT DESCRIBES OR REVEALS THE PAST, PRESENT, OR
FUTURE PHYSICAL HEALTH, MENTAL HEALTH, DISABILITY, DIAGNOSIS, OR HEALTH-
CARE CONDITION OR TREATMENT OF AN INDIVIDUAL.
(III) A FINANCIAL ACCOUNT NUMBER, DEBIT CARD NUMBER, CREDIT CARD
NUMBER, OR INFORMATION THAT DESCRIBES OR REVEALS THE INCOME LEVEL OR
BANK ACCOUNT BALANCES OF AN INDIVIDUAL, EXCEPT THAT THE LAST FOUR DIGITS
OF A DEBIT OR CREDIT CARD NUMBER SHALL NOT BE DEEMED SENSITIVE COVERED
DATA.
(IV) BIOMETRIC INFORMATION.
(V) GENETIC INFORMATION.
(VI) PRECISE GEOLOCATION INFORMATION.
(VII) AN INDIVIDUAL'S PRIVATE COMMUNICATIONS SUCH AS VOICEMAILS,
EMAILS, TEXTS, DIRECT MESSAGES, OR MAIL, OR INFORMATION IDENTIFYING THE
PARTIES TO SUCH COMMUNICATIONS, VOICE COMMUNICATIONS, VIDEO COMMUNI-
CATIONS, AND ANY INFORMATION THAT PERTAINS TO THE TRANSMISSION OF SUCH
COMMUNICATIONS, INCLUDING TELEPHONE NUMBERS CALLED, TELEPHONE NUMBERS
FROM WHICH CALLS WERE PLACED, THE TIME CALLS WERE MADE, CALL DURATION,
AND LOCATION INFORMATION OF THE PARTIES TO THE CALL, UNLESS THE COVERED
ENTITY OR A SERVICE PROVIDER ACTING ON BEHALF OF THE COVERED ENTITY IS
THE SENDER OR AN INTENDED RECIPIENT OF THE COMMUNICATION. COMMUNI-
CATIONS ARE NOT PRIVATE FOR PURPOSES OF THIS CLAUSE IF SUCH COMMUNI-
CATIONS ARE MADE FROM OR TO A DEVICE PROVIDED BY AN EMPLOYER TO AN
EMPLOYEE INSOFAR AS SUCH EMPLOYER PROVIDES CONSPICUOUS NOTICE THAT SUCH
EMPLOYER MAY ACCESS SUCH COMMUNICATIONS.
(VIII) ACCOUNT OR DEVICE LOG-IN CREDENTIALS, OR SECURITY OR ACCESS
CODES FOR AN ACCOUNT OR DEVICE.
(IX) INFORMATION IDENTIFYING THE SEXUAL BEHAVIOR OF AN INDIVIDUAL IN A
MANNER INCONSISTENT WITH THE INDIVIDUAL'S REASONABLE EXPECTATION REGARD-
ING THE COLLECTION, PROCESSING, OR TRANSFER OF SUCH INFORMATION.
(X) CALENDAR INFORMATION, ADDRESS BOOK INFORMATION, PHONE OR TEXT
LOGS, PHOTOS, AUDIO RECORDINGS, OR VIDEOS, MAINTAINED FOR PRIVATE USE BY
AN INDIVIDUAL, REGARDLESS OF WHETHER SUCH INFORMATION IS STORED ON THE
INDIVIDUAL'S DEVICE OR IS ACCESSIBLE FROM THAT DEVICE AND IS BACKED UP
IN A SEPARATE LOCATION. SUCH INFORMATION IS NOT SENSITIVE FOR PURPOSES
OF THIS PARAGRAPH IF SUCH INFORMATION IS SENT FROM OR TO A DEVICE
PROVIDED BY AN EMPLOYER TO AN EMPLOYEE INSOFAR AS SUCH EMPLOYER PROVIDES
CONSPICUOUS NOTICE THAT IT MAY ACCESS SUCH INFORMATION.
(XI) A PHOTOGRAPH, FILM, VIDEO RECORDING, OR OTHER SIMILAR MEDIUM THAT
SHOWS THE NAKED OR UNDERGARMENT-CLAD PRIVATE AREA OF AN INDIVIDUAL.
(XII) INFORMATION REVEALING THE VIDEO CONTENT REQUESTED OR SELECTED BY
AN INDIVIDUAL COLLECTED BY A COVERED ENTITY THAT IS NOT A PROVIDER OF A
SERVICE DESCRIBED IN SUBDIVISION FOUR OF SECTION FIFTEEN HUNDRED ELEVEN
OF THIS ARTICLE. THIS SUBPARAGRAPH DOES NOT INCLUDE COVERED DATA USED
SOLELY FOR TRANSFERS FOR INDEPENDENT VIDEO MEASUREMENT.
(XIII) INFORMATION ABOUT AN INDIVIDUAL WHEN THE COVERED ENTITY OR
SERVICE PROVIDER HAS KNOWLEDGE THAT THE INDIVIDUAL IS A COVERED MINOR.
(XIV) AN INDIVIDUAL'S RACE, COLOR, ETHNICITY, RELIGION, OR UNION
MEMBERSHIP.
(XV) INFORMATION IDENTIFYING AN INDIVIDUAL'S ONLINE ACTIVITIES OVER
TIME AND ACROSS THIRD PARTY WEBSITES OR ONLINE SERVICES.
(XVI) ANY OTHER COVERED DATA COLLECTED, PROCESSED, OR TRANSFERRED FOR
THE PURPOSE OF IDENTIFYING THE TYPES OF COVERED DATA LISTED IN SUBPARA-
GRAPHS (I) THROUGH (XV) OF THIS PARAGRAPH.
(B) THE DIRECTOR OF THE DIVISION OF CONSUMER PROTECTION MAY PROMULGATE
RULES AND REGULATIONS TO INCLUDE IN THE DEFINITION OF "SENSITIVE COVERED
DATA" ANY OTHER TYPE OF COVERED DATA THAT MAY REQUIRE A SIMILAR LEVEL OF
A. 6319 9
PROTECTION AS THE TYPES OF COVERED DATA LISTED IN SUBPARAGRAPHS (I)
THROUGH (XVI) OF PARAGRAPH (A) OF THIS SUBDIVISION AS A RESULT OF ANY
NEW METHOD OF COLLECTING, PROCESSING, OR TRANSFERRING COVERED DATA.
30. (A) "SERVICE PROVIDER" MEANS A PERSON OR ENTITY THAT:
(I) COLLECTS, PROCESSES, OR TRANSFERS COVERED DATA ON BEHALF OF, AND
AT THE DIRECTION OF, A COVERED ENTITY OR A FEDERAL, STATE, TRIBAL,
TERRITORIAL, OR LOCAL GOVERNMENT ENTITY; AND
(II) RECEIVES COVERED DATA FROM OR ON BEHALF OF A COVERED ENTITY OR A
FEDERAL, STATE, TRIBAL, TERRITORIAL, OR LOCAL GOVERNMENT ENTITY.
(B) A SERVICE PROVIDER THAT RECEIVES SERVICE PROVIDER DATA FROM ANOTH-
ER SERVICE PROVIDER AS PERMITTED UNDER THIS ARTICLE SHALL BE TREATED AS
A SERVICE PROVIDER UNDER THIS ARTICLE WITH RESPECT TO SUCH DATA.
31. "SERVICE PROVIDER DATA" MEANS COVERED DATA THAT IS COLLECTED OR
PROCESSED BY OR HAS BEEN TRANSFERRED TO A SERVICE PROVIDER BY OR ON
BEHALF OF A COVERED ENTITY, A FEDERAL, STATE, TRIBAL, TERRITORIAL, OR
LOCAL GOVERNMENT ENTITY, OR ANOTHER SERVICE PROVIDER FOR THE PURPOSE OF
ALLOWING THE SERVICE PROVIDER TO WHOM SUCH COVERED DATA IS TRANSFERRED
TO PERFORM A SERVICE OR FUNCTION ON BEHALF OF, AND AT THE DIRECTION OF,
SUCH COVERED ENTITY OR FEDERAL, STATE, TRIBAL, TERRITORIAL, OR LOCAL
GOVERNMENT ENTITY.
32. THE TERM "STATE PRIVACY AUTHORITY" MEANS THE DIRECTOR OF THE DIVI-
SION OF CONSUMER PROTECTION.
33. "SUBSTANTIAL PRIVACY RISK" MEANS THE COLLECTION, PROCESSING, OR
TRANSFER OF COVERED DATA IN A MANNER THAT MAY RESULT IN ANY REASONABLY
FORESEEABLE SUBSTANTIAL PHYSICAL INJURY, ECONOMIC INJURY, HIGHLY OFFEN-
SIVE INTRUSION INTO THE PRIVACY EXPECTATIONS OF A REASONABLE INDIVIDUAL
UNDER THE CIRCUMSTANCES, OR DISCRIMINATION ON THE BASIS OF RACE, COLOR,
RELIGION, NATIONAL ORIGIN, SEX, OR DISABILITY.
34. (A) "TARGETED ADVERTISING" MEANS PRESENTING TO AN INDIVIDUAL OR
DEVICE IDENTIFIED BY A UNIQUE IDENTIFIER, OR GROUPS OF INDIVIDUALS OR
DEVICES IDENTIFIED BY UNIQUE IDENTIFIERS, AN ONLINE ADVERTISEMENT THAT
IS SELECTED BASED ON KNOWN OR PREDICTED PREFERENCES, CHARACTERISTICS, OR
INTERESTS ASSOCIATED WITH THE INDIVIDUAL OR A DEVICE IDENTIFIED BY A
UNIQUE IDENTIFIER; AND
(B) "TARGETED ADVERTISING" DOES NOT INCLUDE:
(I) ADVERTISING OR MARKETING TO AN INDIVIDUAL OR AN INDIVIDUAL'S
DEVICE IN RESPONSE TO THE INDIVIDUAL'S SPECIFIC REQUEST FOR INFORMATION
OR FEEDBACK;
(II) CONTEXTUAL ADVERTISING, WHICH IS WHEN AN ADVERTISEMENT IS
DISPLAYED BASED ON THE CONTENT IN WHICH THE ADVERTISEMENT APPEARS AND
DOES NOT VARY BASED ON WHO IS VIEWING THE ADVERTISEMENT; OR
(III) PROCESSING COVERED DATA SOLELY FOR MEASURING OR REPORTING ADVER-
TISING OR CONTENT, PERFORMANCE, REACH, OR FREQUENCY, INCLUDING INDEPEND-
ENT MEASUREMENT.
35. (A) "THIRD PARTY" MEANS ANY PERSON OR ENTITY, INCLUDING A COVERED
ENTITY, THAT:
(I) COLLECTS, PROCESSES, OR TRANSFERS COVERED DATA THAT THE PERSON OR
ENTITY DID NOT COLLECT DIRECTLY FROM THE INDIVIDUAL LINKED OR LINKABLE
TO SUCH COVERED DATA; AND
(II) IS NOT A SERVICE PROVIDER WITH RESPECT TO SUCH DATA; AND
(B) THIRD PARTY DOES NOT INCLUDE A PERSON OR ENTITY THAT COLLECTS
COVERED DATA FROM ANOTHER ENTITY IF THE TWO ENTITIES ARE RELATED BY
COMMON OWNERSHIP OR CORPORATE CONTROL, BUT ONLY IF A REASONABLE CONSUM-
ER'S REASONABLE EXPECTATION WOULD BE THAT SUCH ENTITIES SHARE INFORMA-
TION.
36. (A) "THIRD-PARTY COLLECTING ENTITY":
A. 6319 10
(I) MEANS A COVERED ENTITY WHOSE PRINCIPAL SOURCE OF REVENUE IS
DERIVED FROM PROCESSING OR TRANSFERRING COVERED DATA THAT THE COVERED
ENTITY DID NOT COLLECT DIRECTLY FROM THE INDIVIDUALS LINKED OR LINKABLE
TO THE COVERED DATA; AND
(II) DOES NOT INCLUDE A COVERED ENTITY INSOFAR AS SUCH ENTITY PROC-
ESSES EMPLOYEE DATA COLLECTED BY AND RECEIVED FROM A THIRD PARTY
CONCERNING ANY INDIVIDUAL WHO IS AN EMPLOYEE OF THE THIRD PARTY FOR THE
SOLE PURPOSE OF SUCH THIRD PARTY PROVIDING BENEFITS TO THE EMPLOYEE.
(B) FOR PURPOSES OF THIS SUBDIVISION, THE TERM "PRINCIPAL SOURCE OF
REVENUE" MEANS, FOR THE PRIOR TWELVE-MONTH PERIOD, EITHER:
(I) MORE THAN FIFTY PERCENT OF ALL REVENUE OF THE COVERED ENTITY; OR
(II) OBTAINING REVENUE FROM PROCESSING OR TRANSFERRING THE COVERED
DATA OF MORE THAN FIVE MILLION INDIVIDUALS THAT THE COVERED ENTITY DID
NOT COLLECT DIRECTLY FROM THE INDIVIDUALS LINKED OR LINKABLE TO THE
COVERED DATA.
(C) AN ENTITY MAY NOT BE CONSIDERED TO BE A THIRD-PARTY COLLECTING
ENTITY FOR PURPOSES OF THIS ARTICLE IF THE ENTITY IS ACTING AS A SERVICE
PROVIDER.
37. "THIRD PARTY DATA" MEANS COVERED DATA THAT HAS BEEN TRANSFERRED TO
A THIRD PARTY.
38. "TRANSFER" MEANS TO DISCLOSE, RELEASE, DISSEMINATE, MAKE AVAIL-
ABLE, LICENSE, RENT, OR SHARE COVERED DATA ORALLY, IN WRITING, ELECTRON-
ICALLY, OR BY ANY OTHER MEANS.
39. "UNIQUE IDENTIFIER":
(A) MEANS AN IDENTIFIER TO THE EXTENT THAT SUCH IDENTIFIER IS REASON-
ABLY LINKABLE TO AN INDIVIDUAL OR DEVICE THAT IDENTIFIES OR IS LINKED OR
REASONABLY LINKABLE TO ONE OR MORE INDIVIDUALS, INCLUDING A DEVICE IDEN-
TIFIER, INTERNET PROTOCOL ADDRESS, COOKIE, BEACON, PIXEL TAG, MOBILE AD
IDENTIFIER, OR SIMILAR TECHNOLOGY, CUSTOMER NUMBER, UNIQUE PSEUDONYM,
USER ALIAS, TELEPHONE NUMBER, OR OTHER FORM OF PERSISTENT OR PROBABILIS-
TIC IDENTIFIER THAT IS LINKED OR REASONABLY LINKABLE TO AN INDIVIDUAL OR
DEVICE; AND
(B) DOES NOT INCLUDE AN IDENTIFIER ASSIGNED BY A COVERED ENTITY FOR
THE SPECIFIC PURPOSE OF GIVING EFFECT TO AN INDIVIDUAL'S EXERCISE OF
AFFIRMATIVE EXPRESS CONSENT OR OPT-OUTS OF THE COLLECTION, PROCESSING,
AND TRANSFER OF COVERED DATA PURSUANT TO SECTION FIFTEEN HUNDRED TWEN-
TY-THREE OF THIS ARTICLE OR OTHERWISE LIMITING THE COLLECTION, PROCESS-
ING, OR TRANSFER OF SUCH INFORMATION.
40. "WIDELY DISTRIBUTED MEDIA" MEANS INFORMATION THAT IS AVAILABLE TO
THE GENERAL PUBLIC, INCLUDING INFORMATION FROM A TELEPHONE BOOK OR
ONLINE DIRECTORY, A TELEVISION, INTERNET, OR RADIO PROGRAM, THE NEWS
MEDIA, OR AN INTERNET SITE THAT IS AVAILABLE TO THE GENERAL PUBLIC ON AN
UNRESTRICTED BASIS, BUT DOES NOT INCLUDE AN OBSCENE VISUAL DEPICTION (AS
DEFINED IN SECTION 1460 OF TITLE 18, UNITED STATES CODE).
TITLE II
DUTY OF LOYALTY
SECTION 1510. DATA MINIMIZATION.
1511. LOYALTY DUTIES.
1512. PRIVACY BY DESIGN.
1513. LOYALTY TO INDIVIDUALS WITH RESPECT TO PRICING.
§ 1510. DATA MINIMIZATION. 1. A COVERED ENTITY MAY NOT COLLECT, PROC-
ESS, OR TRANSFER COVERED DATA UNLESS THE COLLECTION, PROCESSING, OR
TRANSFER IS LIMITED TO WHAT IS REASONABLY NECESSARY AND PROPORTIONATE
TO:
(A) PROVIDE OR MAINTAIN A SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE
INDIVIDUAL TO WHOM THE DATA PERTAINS; OR
A. 6319 11
(B) EFFECT A PURPOSE PERMITTED UNDER SUBDIVISION TWO OF THIS SECTION.
2. A COVERED ENTITY MAY COLLECT, PROCESS, OR TRANSFER COVERED DATA FOR
ANY OF THE FOLLOWING PURPOSES IF THE COLLECTION, PROCESSING, OR TRANSFER
IS LIMITED TO WHAT IS REASONABLY NECESSARY AND PROPORTIONATE TO SUCH
PURPOSE:
(A) TO INITIATE, MANAGE, OR COMPLETE A TRANSACTION OR FULFILL AN ORDER
FOR SPECIFIC PRODUCTS OR SERVICES REQUESTED BY AN INDIVIDUAL, INCLUDING
ANY ASSOCIATED ROUTINE ADMINISTRATIVE, OPERATIONAL, AND ACCOUNT-SERVIC-
ING ACTIVITY SUCH AS BILLING, SHIPPING, DELIVERY, STORAGE, AND ACCOUNT-
ING.
(B) WITH RESPECT TO COVERED DATA PREVIOUSLY COLLECTED IN ACCORDANCE
WITH THIS ARTICLE, NOTWITHSTANDING THIS EXCEPTION:
(I) TO PROCESS SUCH DATA AS NECESSARY TO PERFORM SYSTEM MAINTENANCE OR
DIAGNOSTICS;
(II) TO DEVELOP, MAINTAIN, REPAIR, OR ENHANCE A PRODUCT OR SERVICE FOR
WHICH SUCH DATA WAS COLLECTED;
(III) TO CONDUCT INTERNAL RESEARCH OR ANALYTICS TO IMPROVE A PRODUCT
OR SERVICE FOR WHICH SUCH DATA WAS COLLECTED;
(IV) TO PERFORM INVENTORY MANAGEMENT OR REASONABLE NETWORK MANAGEMENT;
(V) TO PROTECT AGAINST SPAM; OR
(VI) TO DEBUG OR REPAIR ERRORS THAT IMPAIR THE FUNCTIONALITY OF A
SERVICE OR PRODUCT FOR WHICH SUCH DATA WAS COLLECTED.
(C) TO AUTHENTICATE USERS OF A PRODUCT OR SERVICE.
(D) TO FULFILL A PRODUCT OR SERVICE WARRANTY.
(E) TO PREVENT, DETECT, PROTECT AGAINST, OR RESPOND TO A SECURITY
INCIDENT. FOR PURPOSES OF THIS PARAGRAPH, SECURITY IS DEFINED AS NETWORK
SECURITY AND PHYSICAL SECURITY AND LIFE SAFETY, INCLUDING AN INTRUSION
OR TRESPASS, MEDICAL ALERTS, FIRE ALARMS, AND ACCESS CONTROL SECURITY.
(F) TO PREVENT, DETECT, PROTECT AGAINST, OR RESPOND TO FRAUD, HARASS-
MENT, OR ILLEGAL ACTIVITY. FOR PURPOSES OF THIS PARAGRAPH, THE TERM
"ILLEGAL ACTIVITY" MEANS A VIOLATION OF A FEDERAL, STATE, OR LOCAL LAW
PUNISHABLE AS A FELONY OR MISDEMEANOR THAT CAN DIRECTLY HARM.
(G) TO COMPLY WITH A LEGAL OBLIGATION IMPOSED BY FEDERAL, TRIBAL,
LOCAL, OR STATE LAW, OR TO INVESTIGATE, ESTABLISH, PREPARE FOR, EXER-
CISE, OR DEFEND LEGAL CLAIMS INVOLVING THE COVERED ENTITY OR SERVICE
PROVIDER.
(H) TO PREVENT AN INDIVIDUAL, OR GROUP OF INDIVIDUALS, FROM SUFFERING
HARM WHERE THE COVERED ENTITY OR SERVICE PROVIDER BELIEVES IN GOOD FAITH
THAT THE INDIVIDUAL, OR GROUP OF INDIVIDUALS, IS AT RISK OF DEATH, SERI-
OUS PHYSICAL INJURY, OR OTHER SERIOUS HEALTH RISK.
(I) TO EFFECTUATE A PRODUCT RECALL PURSUANT TO FEDERAL OR STATE LAW.
(J) (I) TO CONDUCT A PUBLIC OR PEER-REVIEWED SCIENTIFIC, HISTORICAL,
OR STATISTICAL RESEARCH PROJECT THAT:
(A) IS IN THE PUBLIC INTEREST; AND
(B) ADHERES TO ALL RELEVANT LAWS AND REGULATIONS GOVERNING SUCH
RESEARCH, INCLUDING REGULATIONS FOR THE PROTECTION OF HUMAN SUBJECTS, OR
IS EXCLUDED FROM CRITERIA OF THE INSTITUTIONAL REVIEW BOARD.
(II) NOT LATER THAN EIGHTEEN MONTHS AFTER THE EFFECTIVE DATE OF THIS
ARTICLE, THE DIVISION SHOULD ISSUE GUIDELINES TO HELP COVERED ENTITIES
ENSURE THE PRIVACY OF AFFECTED USERS AND THE SECURITY OF COVERED DATA,
PARTICULARLY AS DATA IS BEING TRANSFERRED TO AND STORED BY RESEARCHERS.
SUCH GUIDELINES SHOULD CONSIDER RISKS AS THEY PERTAIN TO PROJECTS USING
COVERED DATA WITH SPECIAL CONSIDERATIONS FOR PROJECTS THAT ARE EXEMPT
UNDER PART 46 OF TITLE 45, CODE OF FEDERAL REGULATIONS (PROTECTION OF
HUMAN SUBJECTS UNDER UNITED STATES LAW) (OR ANY SUCCESSOR REGULATION) OR
ARE EXCLUDED FROM THE CRITERIA FOR INSTITUTIONAL REVIEW BOARD REVIEW.
A. 6319 12
(K) TO DELIVER A COMMUNICATION THAT IS NOT AN ADVERTISEMENT TO AN
INDIVIDUAL, IF THE COMMUNICATION IS REASONABLY ANTICIPATED BY THE INDI-
VIDUAL WITHIN THE CONTEXT OF THE INDIVIDUAL'S INTERACTIONS WITH THE
COVERED ENTITY.
(L) TO DELIVER A COMMUNICATION AT THE DIRECTION OF AN INDIVIDUAL
BETWEEN SUCH INDIVIDUAL AND ONE OR MORE INDIVIDUALS OR ENTITIES.
(M) TO TRANSFER ASSETS TO A THIRD PARTY IN THE CONTEXT OF A MERGER,
ACQUISITION, BANKRUPTCY, OR SIMILAR TRANSACTION WHEN THE THIRD PARTY
ASSUMES CONTROL, IN WHOLE OR IN PART, OF THE COVERED ENTITY'S ASSETS,
ONLY IF THE COVERED ENTITY, IN A REASONABLE TIME PRIOR TO SUCH TRANSFER,
PROVIDES EACH AFFECTED INDIVIDUAL WITH:
(I) A NOTICE DESCRIBING SUCH TRANSFER, INCLUDING THE NAME OF THE ENTI-
TY OR ENTITIES RECEIVING THE INDIVIDUAL'S COVERED DATA AND THEIR PRIVACY
POLICIES AS DESCRIBED IN SECTION FIFTEEN HUNDRED TWENTY-ONE OF THIS
ARTICLE; AND
(II) A REASONABLE OPPORTUNITY TO WITHDRAW ANY PREVIOUSLY GIVEN
CONSENTS IN ACCORDANCE WITH THE REQUIREMENTS OF AFFIRMATIVE EXPRESS
CONSENT UNDER THIS ARTICLE RELATED TO THE INDIVIDUAL'S COVERED DATA AND
A REASONABLE OPPORTUNITY TO REQUEST THE DELETION OF THE INDIVIDUAL'S
COVERED DATA, AS DESCRIBED IN SECTION FIFTEEN HUNDRED TWENTY-TWO OF THIS
ARTICLE.
(N) TO ENSURE THE DATA SECURITY AND INTEGRITY OF COVERED DATA, AS
DESCRIBED IN SECTION FIFTEEN HUNDRED TWENTY-SEVEN OF THIS ARTICLE.
(O) WITH RESPECT TO COVERED DATA PREVIOUSLY COLLECTED IN ACCORDANCE
WITH THIS ARTICLE, A SERVICE PROVIDER ACTING AT THE DIRECTION OF A
GOVERNMENT ENTITY, OR A SERVICE PROVIDED TO A GOVERNMENT ENTITY BY A
COVERED ENTITY, AND ONLY INSOFAR AS AUTHORIZED BY STATUTE, TO PREVENT,
DETECT, PROTECT AGAINST OR RESPOND TO A PUBLIC SAFETY INCIDENT, INCLUD-
ING TRESPASS, NATURAL DISASTER, OR NATIONAL SECURITY INCIDENT. THIS
PARAGRAPH DOES NOT PERMIT, HOWEVER, THE TRANSFER OF COVERED DATA FOR
PAYMENT OR OTHER VALUABLE CONSIDERATION TO A GOVERNMENT ENTITY.
(P) WITH RESPECT TO COVERED DATA COLLECTED IN ACCORDANCE WITH THIS
ARTICLE, NOTWITHSTANDING THIS EXCEPTION, TO PROCESS SUCH DATA AS NECES-
SARY TO PROVIDE FIRST PARTY ADVERTISING OR MARKETING OF PRODUCTS OR
SERVICES PROVIDED BY THE COVERED ENTITY FOR INDIVIDUALS WHO ARE NOT-COV-
ERED MINORS.
(Q) WITH RESPECT TO COVERED DATA PREVIOUSLY COLLECTED IN ACCORDANCE
WITH THIS ARTICLE, NOTWITHSTANDING THIS EXCEPTION AND PROVIDED SUCH
COLLECTION, PROCESSING, AND TRANSFERRING OTHERWISE COMPLIES WITH THE
REQUIREMENTS OF THIS ARTICLE, INCLUDING SUBDIVISION THREE OF SECTION
FIFTEEN HUNDRED TWENTY-THREE OF THIS ARTICLE, TO PROVIDE TARGETED ADVER-
TISING.
3. THE DIVISION SHALL ISSUE GUIDANCE REGARDING WHAT IS REASONABLY
NECESSARY AND PROPORTIONATE TO COMPLY WITH THIS SECTION. SUCH GUIDANCE
SHALL TAKE INTO CONSIDERATION:
(A) THE SIZE OF, AND THE NATURE, SCOPE, AND COMPLEXITY OF THE ACTIV-
ITIES ENGAGED IN BY, THE COVERED ENTITY, INCLUDING WHETHER THE COVERED
ENTITY IS A LARGE DATA HOLDER, NONPROFIT ORGANIZATION, COVERED ENTITY
MEETING THE REQUIREMENTS OF SECTION FIFTEEN HUNDRED TWENTY-EIGHT OF THIS
ARTICLE, THIRD PARTY, OR THIRD-PARTY COLLECTING ENTITY;
(B) THE SENSITIVITY OF COVERED DATA COLLECTED, PROCESSED, OR TRANS-
FERRED BY THE COVERED ENTITY;
(C) THE VOLUME OF COVERED DATA COLLECTED, PROCESSED, OR TRANSFERRED BY
THE COVERED ENTITY; AND
(D) THE NUMBER OF INDIVIDUALS AND DEVICES TO WHICH THE COVERED DATA
COLLECTED, PROCESSED, OR TRANSFERRED BY THE COVERED ENTITY RELATES.
A. 6319 13
4. A COVERED ENTITY OR SERVICE PROVIDER MAY NOT ENGAGE IN DECEPTIVE
ADVERTISING OR MARKETING WITH RESPECT TO A PRODUCT OR SERVICE OFFERED TO
AN INDIVIDUAL.
5. NOTHING IN THIS ARTICLE SHALL BE CONSTRUED TO LIMIT OR DIMINISH
FIRST AMENDMENT FREEDOMS GUARANTEED UNDER THE CONSTITUTION OF THE UNITED
STATES OR UNDER THE STATE CONSTITUTION.
§ 1511. LOYALTY DUTIES. 1. NOTWITHSTANDING THE PROVISIONS OF SECTION
FIFTEEN HUNDRED TEN OF THIS TITLE, AND UNLESS AN EXCEPTION APPLIES, WITH
RESPECT TO COVERED DATA, A COVERED ENTITY OR SERVICE PROVIDER MAY NOT:
(A) COLLECT, PROCESS, OR TRANSFER A SOCIAL SECURITY NUMBER, EXCEPT
WHEN NECESSARY TO FACILITATE AN EXTENSION OF CREDIT, AUTHENTICATION,
FRAUD AND IDENTITY FRAUD DETECTION AND PREVENTION, THE PAYMENT OR
COLLECTION OF TAXES, THE ENFORCEMENT OF A CONTRACT BETWEEN PARTIES, OR
THE PREVENTION, INVESTIGATION, OR PROSECUTION OF FRAUD OR ILLEGAL ACTIV-
ITY, OR AS OTHERWISE REQUIRED BY FEDERAL, STATE, OR LOCAL LAW;
(B) COLLECT OR PROCESS SENSITIVE COVERED DATA, EXCEPT WHERE SUCH
COLLECTION OR PROCESSING IS STRICTLY NECESSARY TO PROVIDE OR MAINTAIN A
SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE INDIVIDUAL TO WHOM THE
COVERED DATA PERTAINS, OR IS STRICTLY NECESSARY TO EFFECT A PURPOSE
ENUMERATED IN PARAGRAPHS (A) THROUGH (L) AND (N) THROUGH (O) OF SUBDIVI-
SION TWO OF SECTION FIFTEEN HUNDRED TEN OF THIS ARTICLE;
(C) TRANSFER AN INDIVIDUAL'S SENSITIVE COVERED DATA TO A THIRD PARTY,
UNLESS:
(I) THE TRANSFER IS MADE PURSUANT TO THE AFFIRMATIVE EXPRESS CONSENT
OF THE INDIVIDUAL;
(II) THE TRANSFER IS NECESSARY TO COMPLY WITH A LEGAL OBLIGATION
IMPOSED BY FEDERAL, STATE, TRIBAL, OR LOCAL LAW, OR TO ESTABLISH, EXER-
CISE, OR DEFEND LEGAL CLAIMS;
(III) THE TRANSFER IS NECESSARY TO PREVENT AN INDIVIDUAL FROM IMMINENT
INJURY WHERE THE COVERED ENTITY BELIEVES IN GOOD FAITH THAT THE INDIVID-
UAL IS AT RISK OF DEATH, SERIOUS PHYSICAL INJURY, OR SERIOUS HEALTH
RISK;
(IV) WITH RESPECT TO COVERED DATA COLLECTED IN ACCORDANCE WITH THIS
ARTICLE, NOTWITHSTANDING THIS EXCEPTION, A SERVICE PROVIDER ACTING AT
THE DIRECTION OF A GOVERNMENT ENTITY, OR A SERVICE PROVIDED TO A GOVERN-
MENT ENTITY BY A COVERED ENTITY, AND ONLY INSOFAR AS AUTHORIZED BY STAT-
UTE, THE TRANSFER IS NECESSARY TO PREVENT, DETECT, PROTECT AGAINST OR
RESPOND TO A PUBLIC SAFETY INCIDENT INCLUDING TRESPASS, NATURAL DISAS-
TER, OR NATIONAL SECURITY INCIDENT. THIS PARAGRAPH DOES NOT PERMIT,
HOWEVER, THE TRANSFER OF COVERED DATA FOR PAYMENT OR OTHER VALUABLE
CONSIDERATION TO A GOVERNMENT ENTITY;
(V) IN THE CASE OF THE TRANSFER OF A PASSWORD, THE TRANSFER IS NECES-
SARY TO USE A DESIGNATED PASSWORD MANAGER OR IS TO A COVERED ENTITY FOR
THE EXCLUSIVE PURPOSE OF IDENTIFYING PASSWORDS THAT ARE BEING RE-USED
ACROSS SITES OR ACCOUNTS;
(VI) IN THE CASE OF THE TRANSFER OF GENETIC INFORMATION, THE TRANSFER
IS NECESSARY TO PERFORM A MEDICAL DIAGNOSIS OR MEDICAL TREATMENT SPECIF-
ICALLY REQUESTED BY AN INDIVIDUAL, OR TO CONDUCT MEDICAL RESEARCH IN
ACCORDANCE WITH CONDITIONS OF PARAGRAPH (J) OF SUBDIVISION TWO OF
SECTION FIFTEEN HUNDRED TEN OF THIS TITLE; OR
(VII) TO TRANSFER ASSETS IN THE MANNER DESCRIBED IN PARAGRAPH (M) OF
SUBDIVISION TWO OF SECTION FIFTEEN HUNDRED TEN OF THIS TITLE; OR
(D) IN THE CASE OF A PROVIDER OF BROADCAST TELEVISION SERVICE, CABLE
SERVICE, SATELLITE SERVICE, STREAMING MEDIA SERVICE, OR OTHER VIDEO
PROGRAMMING SERVICE DESCRIBED IN SECTION 713(H)(2) OF THE COMMUNICATIONS
ACT OF 1934 (47 U.S.C. 613(H)(2)), TRANSFER TO AN UNAFFILIATED THIRD
A. 6319 14
PARTY COVERED DATA THAT REVEALS THE VIDEO CONTENT OR SERVICES REQUESTED
OR SELECTED BY AN INDIVIDUAL FROM SUCH SERVICE, EXCEPT WITH THE AFFIRMA-
TIVE EXPRESS CONSENT OF THE INDIVIDUAL OR PURSUANT TO ONE OF THE PERMIS-
SIBLE PURPOSES ENUMERATED IN PARAGRAPHS (A) THROUGH (O) OF SUBDIVISION
TWO OF SECTION FIFTEEN HUNDRED TEN OF THIS TITLE.
§ 1512. PRIVACY BY DESIGN. 1. A COVERED ENTITY AND A SERVICE PROVIDER
SHALL ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE POLICIES, PRACTICES,
AND PROCEDURES THAT REFLECT THE ROLE OF THE COVERED ENTITY OR SERVICE
PROVIDER IN THE COLLECTION, PROCESSING, AND TRANSFERRING OF COVERED DATA
AND THAT:
(A) CONSIDER APPLICABLE FEDERAL LAWS, RULES, OR REGULATIONS RELATED TO
COVERED DATA THE COVERED ENTITY OR SERVICE PROVIDER COLLECTS, PROCESSES,
OR TRANSFERS;
(B) IDENTIFY, ASSESS, AND MITIGATE PRIVACY RISKS RELATED TO COVERED
MINORS (INCLUDING, IF APPLICABLE, WITH RESPECT TO A COVERED ENTITY THAT
IS NOT AN ENTITY MEETING THE REQUIREMENTS OF SECTION FIFTEEN HUNDRED
TWENTY-EIGHT OF THIS ARTICLE, IN A MANNER THAT CONSIDERS THE DEVELOP-
MENTAL NEEDS OF DIFFERENT AGE RANGES OF COVERED MINORS) TO RESULT IN
REASONABLY NECESSARY AND PROPORTIONATE RESIDUAL RISK TO COVERED MINORS;
(C) MITIGATE PRIVACY RISKS, INCLUDING SUBSTANTIAL PRIVACY RISKS,
RELATED TO THE PRODUCTS AND SERVICES OF THE COVERED ENTITY OR THE
SERVICE PROVIDER, INCLUDING IN THE DESIGN, DEVELOPMENT, AND IMPLEMENTA-
TION OF SUCH PRODUCTS AND SERVICES, TAKING INTO ACCOUNT THE ROLE OF THE
COVERED ENTITY OR SERVICE PROVIDER AND THE INFORMATION AVAILABLE TO IT;
AND
(D) IMPLEMENT REASONABLE TRAINING AND SAFEGUARDS WITHIN THE COVERED
ENTITY AND SERVICE PROVIDER TO PROMOTE COMPLIANCE WITH ALL PRIVACY LAWS
APPLICABLE TO COVERED DATA THE COVERED ENTITY COLLECTS, PROCESSES, OR
TRANSFERS OR COVERED DATA THE SERVICE PROVIDER COLLECTS, PROCESSES, OR
TRANSFERS ON BEHALF OF THE COVERED ENTITY AND MITIGATE PRIVACY RISKS,
INCLUDING SUBSTANTIAL PRIVACY RISKS, TAKING INTO ACCOUNT THE ROLE OF THE
COVERED ENTITY OR SERVICE PROVIDER AND THE INFORMATION AVAILABLE TO IT.
2. THE POLICIES, PRACTICES, AND PROCEDURES ESTABLISHED BY A COVERED
ENTITY AND A SERVICE PROVIDER UNDER SUBDIVISION ONE OF THIS SECTION,
SHALL CORRESPOND WITH, AS APPLICABLE:
(A) THE SIZE OF THE COVERED ENTITY OR THE SERVICE PROVIDER AND THE
NATURE, SCOPE, AND COMPLEXITY OF THE ACTIVITIES ENGAGED IN BY THE
COVERED ENTITY OR SERVICE PROVIDER, INCLUDING WHETHER THE COVERED ENTITY
OR SERVICE PROVIDER IS A LARGE DATA HOLDER, NONPROFIT ORGANIZATION,
ENTITY MEETING THE REQUIREMENTS OF SECTION FIFTEEN HUNDRED TWENTY-EIGHT
OF THIS ARTICLE, THIRD PARTY, OR THIRD-PARTY COLLECTING ENTITY, TAKING
INTO ACCOUNT THE ROLE OF THE COVERED ENTITY OR SERVICE PROVIDER AND THE
INFORMATION AVAILABLE TO IT;
(B) THE SENSITIVITY OF THE COVERED DATA COLLECTED, PROCESSED, OR
TRANSFERRED BY THE COVERED ENTITY OR SERVICE PROVIDER;
(C) THE VOLUME OF COVERED DATA COLLECTED, PROCESSED, OR TRANSFERRED BY
THE COVERED ENTITY OR SERVICE PROVIDER;
(D) THE NUMBER OF INDIVIDUALS AND DEVICES TO WHICH THE COVERED DATA
COLLECTED, PROCESSED, OR TRANSFERRED BY THE COVERED ENTITY OR SERVICE
PROVIDER RELATES; AND
(E) THE COST OF IMPLEMENTING SUCH POLICIES, PRACTICES, AND PROCEDURES
IN RELATION TO THE RISKS AND NATURE OF THE COVERED DATA.
3. NOT LATER THAN ONE YEAR AFTER THE DATE OF ENACTMENT OF THIS ARTI-
CLE, THE DIVISION SHALL ISSUE GUIDANCE AS TO WHAT CONSTITUTES REASONABLE
POLICIES, PRACTICES, AND PROCEDURES AS REQUIRED BY THIS SECTION. THE
DIVISION SHALL CONSIDER UNIQUE CIRCUMSTANCES APPLICABLE TO NONPROFIT
A. 6319 15
ORGANIZATIONS, TO ENTITIES MEETING THE REQUIREMENTS OF SECTION FIFTEEN
HUNDRED TWENTY-EIGHT OF THIS ARTICLE, AND TO SERVICE PROVIDERS.
§ 1513. LOYALTY TO INDIVIDUALS WITH RESPECT TO PRICING. 1. A COVERED
ENTITY MAY NOT RETALIATE AGAINST AN INDIVIDUAL FOR EXERCISING ANY OF THE
RIGHTS GUARANTEED BY THIS ARTICLE, OR ANY REGULATIONS PROMULGATED UNDER
THIS ARTICLE, INCLUDING DENYING GOODS OR SERVICES, CHARGING DIFFERENT
PRICES OR RATES FOR GOODS OR SERVICES, OR PROVIDING A DIFFERENT LEVEL OF
QUALITY OF GOODS OR SERVICES.
2. NOTHING IN SUBDIVISION ONE OF THIS SECTION MAY BE CONSTRUED TO:
(A) PROHIBIT THE RELATION OF THE PRICE OF A SERVICE OR THE LEVEL OF
SERVICE PROVIDED TO AN INDIVIDUAL TO THE PROVISION, BY THE INDIVIDUAL,
OF FINANCIAL INFORMATION THAT IS NECESSARILY COLLECTED AND PROCESSED
ONLY FOR THE PURPOSE OF INITIATING, RENDERING, BILLING FOR, OR COLLECT-
ING PAYMENT FOR A SERVICE OR PRODUCT REQUESTED BY THE INDIVIDUAL;
(B) PROHIBIT A COVERED ENTITY FROM OFFERING A DIFFERENT PRICE, RATE,
LEVEL, QUALITY OR SELECTION OF GOODS OR SERVICES TO AN INDIVIDUAL,
INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN
CONNECTION WITH AN INDIVIDUAL'S VOLUNTARY PARTICIPATION IN A BONA FIDE
LOYALTY PROGRAM;
(C) REQUIRE A COVERED ENTITY TO PROVIDE A BONA FIDE LOYALTY PROGRAM
THAT WOULD REQUIRE THE COVERED ENTITY TO COLLECT, PROCESS, OR TRANSFER
COVERED DATA THAT THE COVERED ENTITY OTHERWISE WOULD NOT COLLECT, PROC-
ESS, OR TRANSFER;
(D) PROHIBIT A COVERED ENTITY FROM OFFERING A FINANCIAL INCENTIVE OR
OTHER CONSIDERATION TO AN INDIVIDUAL FOR PARTICIPATION IN MARKET
RESEARCH;
(E) PROHIBIT A COVERED ENTITY FROM OFFERING DIFFERENT TYPES OF PRICING
OR FUNCTIONALITIES WITH RESPECT TO A PRODUCT OR SERVICE BASED ON AN
INDIVIDUAL'S EXERCISE OF A RIGHT UNDER PARAGRAPH (C) OF SUBDIVISION 1 OF
SECTION FIFTEEN HUNDRED TWENTY-TWO OF THIS ARTICLE; OR
(F) PROHIBIT A COVERED ENTITY FROM DECLINING TO PROVIDE A PRODUCT OR
SERVICE INSOFAR AS THE COLLECTION AND PROCESSING OF COVERED DATA IS
STRICTLY NECESSARY FOR SUCH PRODUCT OR SERVICE.
3. FOR PURPOSES OF THIS SECTION, THE TERM "BONA FIDE LOYALTY PROGRAM"
INCLUDES REWARDS, PREMIUM FEATURES, DISCOUNT OR CLUB CARD PROGRAMS.
TITLE III
CONSUMER DATA RIGHTS
SECTION 1520. CONSUMER AWARENESS.
1521. TRANSPARENCY.
1522. INDIVIDUAL DATA OWNERSHIP AND CONTROL.
1523. RIGHT TO CONSENT AND OBJECT.
1524. DATA PROTECTIONS FOR CHILDREN AND MINORS.
1525. THIRD-PARTY COLLECTING ENTITIES.
1526. CIVIL RIGHTS AND ALGORITHMS.
1527. DATA SECURITY AND PROTECTION OF COVERED DATA.
1528. SMALL BUSINESS PROTECTIONS.
1529. UNIFIED OPT-OUT MECHANISMS.
§ 1520. CONSUMER AWARENESS. 1. NOT LATER THAN NINETY DAYS AFTER THE
EFFECTIVE DATE OF THIS ARTICLE, THE DIVISION SHALL PUBLISH, ON THE
PUBLIC WEBSITE OF THE DIVISION, A WEBPAGE THAT DESCRIBES EACH PROVISION,
RIGHT, OBLIGATION, AND REQUIREMENT OF THIS ARTICLE, LISTED SEPARATELY
FOR INDIVIDUALS AND FOR COVERED ENTITIES AND SERVICE PROVIDERS, AND THE
REMEDIES, EXEMPTIONS, AND PROTECTIONS ASSOCIATED WITH THIS ARTICLE, IN
PLAIN AND CONCISE LANGUAGE AND IN AN EASY-TO-UNDERSTAND MANNER.
A. 6319 16
2. THE DIVISION SHALL UPDATE THE INFORMATION PUBLISHED UNDER SUBDIVI-
SION ONE OF THIS SECTION ON A QUARTERLY BASIS AS NECESSITATED BY ANY
CHANGE IN LAW, REGULATION, GUIDANCE, OR JUDICIAL DECISIONS.
3. THE DIVISION SHALL PUBLISH THE INFORMATION REQUIRED TO BE PUBLISHED
UNDER SUBDIVISION ONE OF THIS SECTION IN THE TEN LANGUAGES WITH THE MOST
USERS IN THE STATE, ACCORDING TO THE MOST RECENT UNITED STATES CENSUS.
§ 1521. TRANSPARENCY. 1. EACH COVERED ENTITY SHALL MAKE PUBLICLY
AVAILABLE, IN A CLEAR, CONSPICUOUS, NOT MISLEADING, AND EASY-TO-READ AND
READILY ACCESSIBLE MANNER, A PRIVACY POLICY THAT PROVIDES A DETAILED AND
ACCURATE REPRESENTATION OF THE DATA COLLECTION, PROCESSING, AND TRANSFER
ACTIVITIES OF THE COVERED ENTITY.
2. A COVERED ENTITY OR SERVICE PROVIDER SHALL HAVE A PRIVACY POLICY
THAT INCLUDES, AT A MINIMUM, THE FOLLOWING:
(A) THE IDENTITY AND THE CONTACT INFORMATION OF:
(I) THE COVERED ENTITY OR SERVICE PROVIDER TO WHICH THE PRIVACY POLICY
APPLIES (INCLUDING THE COVERED ENTITY'S OR SERVICE PROVIDER'S POINTS OF
CONTACT AND GENERIC ELECTRONIC MAIL ADDRESSES, AS APPLICABLE FOR PRIVACY
AND DATA SECURITY INQUIRIES); AND
(II) ANY OTHER ENTITY WITHIN THE SAME CORPORATE STRUCTURE AS THE
COVERED ENTITY OR SERVICE PROVIDER TO WHICH COVERED DATA IS TRANSFERRED
BY THE COVERED ENTITY.
(B) THE CATEGORIES OF COVERED DATA THE COVERED ENTITY OR SERVICE
PROVIDER COLLECTS OR PROCESSES.
(C) THE PROCESSING PURPOSES FOR EACH CATEGORY OF COVERED DATA THE
COVERED ENTITY OR SERVICE PROVIDER COLLECTS OR PROCESSES.
(D) WHETHER THE COVERED ENTITY OR SERVICE PROVIDER TRANSFERS COVERED
DATA AND, IF SO, EACH CATEGORY OF SERVICE PROVIDER AND THIRD PARTY TO
WHICH THE COVERED ENTITY OR SERVICE PROVIDER TRANSFERS COVERED DATA, THE
NAME OF EACH THIRD-PARTY COLLECTING ENTITY TO WHICH THE COVERED ENTITY
OR SERVICE PROVIDER TRANSFERS COVERED DATA, AND THE PURPOSES FOR WHICH
SUCH DATA IS TRANSFERRED TO SUCH CATEGORIES OF SERVICE PROVIDERS AND
THIRD PARTIES OR THIRD-PARTY COLLECTING ENTITIES, EXCEPT FOR A TRANSFER
TO A GOVERNMENTAL ENTITY PURSUANT TO A COURT ORDER OR LAW THAT PROHIBITS
THE COVERED ENTITY OR SERVICE PROVIDER FROM DISCLOSING SUCH TRANSFER.
(E) THE LENGTH OF TIME THE COVERED ENTITY OR SERVICE PROVIDER INTENDS
TO RETAIN EACH CATEGORY OF COVERED DATA, INCLUDING SENSITIVE COVERED
DATA, OR, IF IT IS NOT POSSIBLE TO IDENTIFY THAT TIMEFRAME, THE CRITERIA
USED TO DETERMINE THE LENGTH OF TIME THE COVERED ENTITY OR SERVICE
PROVIDER INTENDS TO RETAIN CATEGORIES OF COVERED DATA.
(F) A PROMINENT DESCRIPTION OF HOW AN INDIVIDUAL CAN EXERCISE THE
RIGHTS DESCRIBED IN THIS ARTICLE.
(G) A GENERAL DESCRIPTION OF THE COVERED ENTITY'S OR SERVICE PROVID-
ER'S DATA SECURITY PRACTICES.
(H) THE EFFECTIVE DATE OF THE PRIVACY POLICY.
(I) WHETHER OR NOT ANY COVERED DATA COLLECTED BY THE COVERED ENTITY OR
SERVICE PROVIDER IS TRANSFERRED TO, PROCESSED IN, STORED IN, OR OTHER-
WISE ACCESSIBLE TO THE PEOPLE'S REPUBLIC OF CHINA, RUSSIA, IRAN, OR
NORTH KOREA.
3. THE PRIVACY POLICY REQUIRED UNDER SUBDIVISION ONE OF THIS SECTION
SHALL BE MADE AVAILABLE TO THE PUBLIC IN EACH COVERED LANGUAGE IN WHICH
THE COVERED ENTITY OR SERVICE PROVIDER:
(A) PROVIDES A PRODUCT OR SERVICE THAT IS SUBJECT TO THE PRIVACY POLI-
CY; OR
(B) CARRIES OUT ACTIVITIES RELATED TO SUCH PRODUCT OR SERVICE.
A. 6319 17
4. THE COVERED ENTITY OR SERVICE PROVIDER SHALL ALSO PROVIDE THE
DISCLOSURES UNDER THIS SECTION IN A MANNER THAT IS REASONABLY ACCESSIBLE
TO AND USABLE BY INDIVIDUALS WITH DISABILITIES.
5. (A) IF A COVERED ENTITY MAKES A MATERIAL CHANGE TO ITS PRIVACY
POLICY OR PRACTICES, THE COVERED ENTITY SHALL NOTIFY EACH INDIVIDUAL
AFFECTED BY SUCH MATERIAL CHANGE BEFORE IMPLEMENTING THE MATERIAL CHANGE
WITH RESPECT TO ANY PROSPECTIVELY COLLECTED COVERED DATA AND, EXCEPT AS
PROVIDED IN PARAGRAPHS (A) THROUGH (O) OF SUBDIVISION TWO OF SECTION
FIFTEEN HUNDRED TEN OF THIS ARTICLE, PROVIDE A REASONABLE OPPORTUNITY
FOR EACH INDIVIDUAL TO WITHDRAW CONSENT TO ANY FURTHER MATERIALLY
DIFFERENT COLLECTION, PROCESSING, OR TRANSFER OF PREVIOUSLY COLLECTED
COVERED DATA UNDER THE CHANGED POLICY.
(B) THE COVERED ENTITY SHALL TAKE ALL REASONABLE ELECTRONIC MEASURES
TO PROVIDE DIRECT NOTIFICATION REGARDING MATERIAL CHANGES TO THE PRIVACY
POLICY TO EACH AFFECTED INDIVIDUAL, IN EACH COVERED LANGUAGE IN WHICH
THE PRIVACY POLICY IS MADE AVAILABLE, AND TAKING INTO ACCOUNT AVAILABLE
TECHNOLOGY AND THE NATURE OF THE RELATIONSHIP.
(C) NOTHING IN THIS SECTION MAY BE CONSTRUED TO AFFECT THE REQUIRE-
MENTS FOR COVERED ENTITIES UNDER SECTION FIFTEEN HUNDRED ELEVEN OR
FIFTEEN HUNDRED TWENTY-THREE OF THIS ARTICLE.
(D) EACH LARGE DATA HOLDER SHALL RETAIN COPIES OF PREVIOUS VERSIONS OF
ITS PRIVACY POLICY FOR AT LEAST TEN YEARS BEGINNING AFTER THE DATE OF
ENACTMENT OF THIS ARTICLE AND PUBLISH THEM ON ITS WEBSITE. SUCH LARGE
DATA HOLDER SHALL MAKE PUBLICLY AVAILABLE, IN A CLEAR, CONSPICUOUS, AND
READILY ACCESSIBLE MANNER, A LOG DESCRIBING THE DATE AND NATURE OF EACH
MATERIAL CHANGE TO ITS PRIVACY POLICY OVER THE PAST TEN YEARS. THE
DESCRIPTIONS SHALL BE SUFFICIENT FOR A REASONABLE INDIVIDUAL TO UNDER-
STAND THE MATERIAL EFFECT OF EACH MATERIAL CHANGE. THE OBLIGATIONS IN
THIS PARAGRAPH SHALL NOT APPLY TO ANY PREVIOUS VERSIONS OF A LARGE DATA
HOLDER'S PRIVACY POLICY, OR ANY MATERIAL CHANGES TO SUCH POLICY, THAT
PRECEDE THE DATE OF ENACTMENT OF THIS ARTICLE.
6. (A) IN ADDITION TO THE PRIVACY POLICY REQUIRED UNDER SUBDIVISION
ONE OF THIS SECTION, A LARGE DATA HOLDER THAT IS A COVERED ENTITY SHALL
PROVIDE A SHORT-FORM NOTICE OF ITS COVERED DATA PRACTICES IN A MANNER
THAT IS:
(I) CONCISE, CLEAR, CONSPICUOUS, AND NOT MISLEADING;
(II) READILY ACCESSIBLE TO THE INDIVIDUAL, BASED ON WHAT IS REASONABLY
ANTICIPATED WITHIN THE CONTEXT OF THE RELATIONSHIP BETWEEN THE INDIVID-
UAL AND THE LARGE DATA HOLDER;
(III) INCLUSIVE OF AN OVERVIEW OF INDIVIDUAL RIGHTS AND DISCLOSURES TO
REASONABLY DRAW ATTENTION TO DATA PRACTICES THAT MAY REASONABLY BE UNEX-
PECTED TO A REASONABLE PERSON OR THAT INVOLVE SENSITIVE COVERED DATA;
AND
(IV) NO MORE THAN FIVE HUNDRED WORDS IN LENGTH.
(B) THE DIVISION SHALL PROMULGATE RULES AND REGULATIONS ESTABLISHING
THE MINIMUM DATA DISCLOSURES NECESSARY FOR THE SHORT-FORM NOTICE
REQUIRED UNDER PARAGRAPH (A) OF THIS SUBDIVISION, WHICH SHALL NOT EXCEED
THE CONTENT REQUIREMENTS IN SUBDIVISION TWO OF THIS SECTION AND SHALL
INCLUDE TEMPLATES OR MODELS OF SHORT-FORM NOTICES.
§ 1522. INDIVIDUAL DATA OWNERSHIP AND CONTROL. 1. IN ACCORDANCE WITH
SUBDIVISIONS TWO AND THREE OF THIS SECTION, A COVERED ENTITY SHALL
PROVIDE AN INDIVIDUAL, AFTER RECEIVING A VERIFIED REQUEST FROM THE INDI-
VIDUAL, WITH THE RIGHT TO:
(A) ACCESS:
(I) IN A HUMAN-READABLE FORMAT THAT A REASONABLE INDIVIDUAL CAN UNDER-
STAND AND DOWNLOAD FROM THE INTERNET, THE COVERED DATA (EXCEPT COVERED
A. 6319 18
DATA IN A BACK-UP OR ARCHIVAL SYSTEM) OF THE INDIVIDUAL MAKING THE
REQUEST THAT IS COLLECTED, PROCESSED, OR TRANSFERRED BY THE COVERED
ENTITY OR ANY SERVICE PROVIDER OF THE COVERED ENTITY WITHIN THE TWENTY-
FOUR MONTHS PRECEDING THE REQUEST;
(II) THE CATEGORIES OF ANY THIRD PARTY, IF APPLICABLE, AND AN OPTION
FOR CONSUMERS TO OBTAIN THE NAMES OF ANY SUCH THIRD PARTY AS WELL AS AND
THE CATEGORIES OF ANY SERVICE PROVIDERS TO WHOM THE COVERED ENTITY HAS
TRANSFERRED FOR CONSIDERATION THE COVERED DATA OF THE INDIVIDUAL, AS
WELL AS THE CATEGORIES OF SOURCES FROM WHICH THE COVERED DATA WAS
COLLECTED; AND
(III) A DESCRIPTION OF THE PURPOSE FOR WHICH THE COVERED ENTITY TRANS-
FERRED THE COVERED DATA OF THE INDIVIDUAL TO A THIRD PARTY OR SERVICE
PROVIDER;
(B) CORRECT ANY VERIFIABLE SUBSTANTIAL INACCURACY OR SUBSTANTIALLY
INCOMPLETE INFORMATION WITH RESPECT TO THE COVERED DATA OF THE INDIVID-
UAL THAT IS PROCESSED BY THE COVERED ENTITY AND INSTRUCT THE COVERED
ENTITY TO MAKE REASONABLE EFFORTS TO NOTIFY ALL THIRD PARTIES OR SERVICE
PROVIDERS TO WHICH THE COVERED ENTITY TRANSFERRED SUCH COVERED DATA OF
THE CORRECTED INFORMATION;
(C) DELETE COVERED DATA OF THE INDIVIDUAL THAT IS PROCESSED BY THE
COVERED ENTITY AND INSTRUCT THE COVERED ENTITY TO MAKE REASONABLE
EFFORTS TO NOTIFY ALL THIRD PARTIES OR SERVICE PROVIDER TO WHICH THE
COVERED ENTITY TRANSFERRED SUCH COVERED DATA OF THE INDIVIDUAL'S
DELETION REQUEST; AND
(D) TO THE EXTENT TECHNICALLY FEASIBLE, EXPORT TO THE INDIVIDUAL OR
DIRECTLY TO ANOTHER ENTITY THE COVERED DATA OF THE INDIVIDUAL THAT IS
PROCESSED BY THE COVERED ENTITY, INCLUDING INFERENCES LINKED OR REASON-
ABLY LINKABLE TO THE INDIVIDUAL BUT NOT INCLUDING OTHER DERIVED DATA,
WITHOUT LICENSING RESTRICTIONS THAT LIMIT SUCH TRANSFERS IN:
(I) A HUMAN-READABLE FORMAT THAT A REASONABLE INDIVIDUAL CAN UNDER-
STAND AND DOWNLOAD FROM THE INTERNET; AND
(II) A PORTABLE, STRUCTURED, INTEROPERABLE, AND MACHINE-READABLE
FORMAT.
2. A COVERED ENTITY MAY NOT CONDITION, EFFECTIVELY CONDITION, ATTEMPT
TO CONDITION, OR ATTEMPT TO EFFECTIVELY CONDITION THE EXERCISE OF A
RIGHT DESCRIBED IN SUBDIVISION ONE OF THIS SECTION THROUGH:
(A) THE USE OF ANY FALSE, FICTITIOUS, FRAUDULENT, OR MATERIALLY
MISLEADING STATEMENT OR REPRESENTATION; OR
(B) THE DESIGN, MODIFICATION, OR MANIPULATION OF ANY USER INTERFACE
WITH THE PURPOSE OR SUBSTANTIAL EFFECT OF OBSCURING, SUBVERTING, OR
IMPAIRING A REASONABLE INDIVIDUAL'S AUTONOMY, DECISION MAKING, OR CHOICE
TO EXERCISE SUCH RIGHT.
3. (A) SUBJECT TO SUBDIVISIONS FOUR AND FIVE OF THIS SECTION, EACH
REQUEST UNDER SUBDIVISION ONE OF THIS SECTION SHALL BE COMPLETED BY ANY:
(I) LARGE DATA HOLDER WITHIN FORTY-FIVE DAYS OF SUCH REQUEST FROM AN
INDIVIDUAL, UNLESS IT IS DEMONSTRABLY IMPRACTICABLE OR IMPRACTICABLY
COSTLY TO VERIFY SUCH INDIVIDUAL;
(II) COVERED ENTITY THAT IS NOT A LARGE DATA HOLDER OR A COVERED ENTI-
TY MEETING THE REQUIREMENTS OF SECTION FIFTEEN HUNDRED TWENTY-EIGHT OF
THIS TITLE WITHIN SIXTY DAYS OF SUCH REQUEST FROM AN INDIVIDUAL, UNLESS
IT IS DEMONSTRABLY IMPRACTICABLE OR IMPRACTICABLY COSTLY TO VERIFY SUCH
INDIVIDUAL; OR
(III) COVERED ENTITY MEETING THE REQUIREMENTS OF SECTION FIFTEEN
HUNDRED TWENTY-EIGHT OF THIS TITLE WITHIN NINETY DAYS OF SUCH REQUEST
FROM AN INDIVIDUAL, UNLESS IT IS DEMONSTRABLY IMPRACTICABLE OR IMPRACTI-
CABLY COSTLY TO VERIFY SUCH INDIVIDUAL.
A. 6319 19
(B) A RESPONSE PERIOD SET FORTH IN THIS SUBSECTION MAY BE EXTENDED
ONCE BY FORTY-FIVE ADDITIONAL DAYS WHEN REASONABLY NECESSARY, CONSIDER-
ING THE COMPLEXITY AND NUMBER OF THE INDIVIDUAL'S REQUESTS, SO LONG AS
THE COVERED ENTITY INFORMS THE INDIVIDUAL OF ANY SUCH EXTENSION WITHIN
THE INITIAL FORTY-FIVE-DAY RESPONSE PERIOD, TOGETHER WITH THE REASON FOR
THE EXTENSION.
4. A COVERED ENTITY:
(A) SHALL PROVIDE AN INDIVIDUAL WITH THE OPPORTUNITY TO EXERCISE EACH
OF THE RIGHTS DESCRIBED IN SUBDIVISION ONE OF THIS SECTION; AND
(B) WITH RESPECT TO:
(I) THE FIRST TWO TIMES THAT AN INDIVIDUAL EXERCISES ANY RIGHT
DESCRIBED IN SUBDIVISION ONE OF THIS SECTION IN ANY TWELVE-MONTH PERIOD,
SHALL ALLOW THE INDIVIDUAL TO EXERCISE SUCH RIGHT FREE OF CHARGE; AND
(II) ANY TIME BEYOND THE INITIAL TWO TIMES DESCRIBED IN SUBPARAGRAPH
(I) OF THIS PARAGRAPH, MAY ALLOW THE INDIVIDUAL TO EXERCISE SUCH RIGHT
FOR A REASONABLE FEE FOR EACH REQUEST.
5. (A) A COVERED ENTITY MAY NOT PERMIT AN INDIVIDUAL TO EXERCISE A
RIGHT DESCRIBED IN SUBDIVISION ONE OF THIS SECTION, IN WHOLE OR IN PART,
IF THE COVERED ENTITY:
(I) CANNOT REASONABLY VERIFY THAT THE INDIVIDUAL MAKING THE REQUEST TO
EXERCISE THE RIGHT IS THE INDIVIDUAL WHOSE COVERED DATA IS THE SUBJECT
OF THE REQUEST OR AN INDIVIDUAL AUTHORIZED TO MAKE SUCH A REQUEST ON THE
INDIVIDUAL'S BEHALF;
(II) REASONABLY BELIEVES THAT THE REQUEST IS MADE TO INTERFERE WITH A
CONTRACT BETWEEN THE COVERED ENTITY AND ANOTHER INDIVIDUAL;
(III) DETERMINES THAT THE EXERCISE OF THE RIGHT WOULD REQUIRE ACCESS
TO OR CORRECTION OF ANOTHER INDIVIDUAL'S SENSITIVE COVERED DATA;
(IV) REASONABLY BELIEVES THAT THE EXERCISE OF THE RIGHT WOULD REQUIRE
THE COVERED ENTITY TO ENGAGE IN AN UNFAIR OR DECEPTIVE PRACTICE UNDER
SECTION 5 OF THE FEDERAL TRADE DIVISION ACT (15 U.S.C. 45); OR
(V) REASONABLY BELIEVES THAT THE REQUEST IS MADE TO FURTHER FRAUD,
SUPPORT CRIMINAL ACTIVITY, OR THE EXERCISE OF THE RIGHT PRESENTS A DATA
SECURITY THREAT.
(B) IF A COVERED ENTITY CANNOT REASONABLY VERIFY THAT A REQUEST TO
EXERCISE A RIGHT DESCRIBED IN SUBDIVISION ONE OF THIS SECTION IS MADE BY
THE INDIVIDUAL WHOSE COVERED DATA IS THE SUBJECT OF THE REQUEST (OR AN
INDIVIDUAL AUTHORIZED TO MAKE SUCH A REQUEST ON THE INDIVIDUAL'S
BEHALF), THE COVERED ENTITY:
(I) MAY REQUEST THAT THE INDIVIDUAL MAKING THE REQUEST TO EXERCISE THE
RIGHT PROVIDE ANY ADDITIONAL INFORMATION NECESSARY FOR THE SOLE PURPOSE
OF VERIFYING THE IDENTITY OF THE INDIVIDUAL; AND
(II) MAY NOT PROCESS OR TRANSFER SUCH ADDITIONAL INFORMATION FOR ANY
OTHER PURPOSE.
(C) (I) A COVERED ENTITY MAY DECLINE, WITH ADEQUATE EXPLANATION TO THE
INDIVIDUAL, TO COMPLY WITH A REQUEST TO EXERCISE A RIGHT DESCRIBED IN
SUBDIVISION ONE OF THIS SECTION, IN WHOLE OR IN PART, THAT WOULD:
(A) REQUIRE THE COVERED ENTITY TO RETAIN ANY COVERED DATA COLLECTED
FOR A SINGLE, ONE-TIME TRANSACTION, IF SUCH COVERED DATA IS NOT PROC-
ESSED OR TRANSFERRED BY THE COVERED ENTITY FOR ANY PURPOSE OTHER THAN
COMPLETING SUCH TRANSACTION;
(B) BE DEMONSTRABLY IMPRACTICABLE OR PROHIBITIVELY COSTLY TO COMPLY
WITH, AND THE COVERED ENTITY SHALL PROVIDE A DESCRIPTION TO THE REQUE-
STOR DETAILING THE INABILITY TO COMPLY WITH THE REQUEST;
(C) REQUIRE THE COVERED ENTITY TO ATTEMPT TO RE-IDENTIFY DE-IDENTIFIED
DATA;
A. 6319 20
(D) REQUIRE THE COVERED ENTITY TO MAINTAIN COVERED DATA IN AN IDEN-
TIFIABLE FORM OR COLLECT, RETAIN, OR ACCESS ANY DATA IN ORDER TO BE
CAPABLE OF ASSOCIATING A VERIFIED INDIVIDUAL REQUEST WITH COVERED DATA
OF SUCH INDIVIDUAL;
(E) RESULT IN THE RELEASE OF TRADE SECRETS OR OTHER PRIVILEGED OR
CONFIDENTIAL BUSINESS INFORMATION;
(F) REQUIRE THE COVERED ENTITY TO CORRECT ANY COVERED DATA THAT CANNOT
BE REASONABLY VERIFIED AS BEING INACCURATE OR INCOMPLETE;
(G) INTERFERE WITH LAW ENFORCEMENT, JUDICIAL PROCEEDINGS, INVESTI-
GATIONS, OR REASONABLE EFFORTS TO GUARD AGAINST, DETECT, PREVENT, OR
INVESTIGATE FRAUDULENT, MALICIOUS, OR UNLAWFUL ACTIVITY, OR ENFORCE
VALID CONTRACTS;
(H) VIOLATE FEDERAL OR STATE LAW OR THE RIGHTS AND FREEDOMS OF ANOTHER
INDIVIDUAL, INCLUDING UNDER THE CONSTITUTION OF THE UNITED STATES OR THE
STATE CONSTITUTION;
(I) PREVENT A COVERED ENTITY FROM BEING ABLE TO MAINTAIN A CONFIDEN-
TIAL RECORD OF DELETION REQUESTS, MAINTAINED SOLELY FOR THE PURPOSE OF
PREVENTING COVERED DATA OF AN INDIVIDUAL FROM BEING RECOLLECTED AFTER
THE INDIVIDUAL SUBMITTED A DELETION REQUEST AND REQUESTED THAT THE
COVERED ENTITY NO LONGER COLLECT, PROCESS, OR TRANSFER SUCH DATA;
(J) FALL WITHIN AN EXCEPTION ENUMERATED IN THE REGULATIONS PROMULGATED
BY THE DIVISION PURSUANT TO SUBPARAGRAPH (IV) OF THIS SUBDIVISION; OR
(K) WITH RESPECT TO REQUESTS FOR DELETION:
(I) UNREASONABLY INTERFERE WITH THE PROVISION OF PRODUCTS OR SERVICES
BY THE COVERED ENTITY TO ANOTHER PERSON IT CURRENTLY SERVES;
(II) DELETE COVERED DATA THAT RELATES TO A PUBLIC FIGURE AND FOR WHICH
THE REQUESTING INDIVIDUAL HAS NO REASONABLE EXPECTATION OF PRIVACY;
(III) DELETE COVERED DATA REASONABLY NECESSARY TO PERFORM A CONTRACT
BETWEEN THE COVERED ENTITY AND THE INDIVIDUAL;
(IV) DELETE COVERED DATA THAT THE COVERED ENTITY NEEDS TO RETAIN IN
ORDER TO COMPLY WITH PROFESSIONAL ETHICAL OBLIGATIONS;
(V) DELETE COVERED DATA THAT THE COVERED ENTITY REASONABLY BELIEVES
MAY BE EVIDENCE OF UNLAWFUL ACTIVITY OR AN ABUSE OF THE COVERED ENTITY'S
PRODUCTS OR SERVICES; OR
(VI) FOR PRIVATE ELEMENTARY AND SECONDARY SCHOOLS AS DEFINED BY STATE
LAW AND PRIVATE INSTITUTIONS OF HIGHER EDUCATION AS DEFINED BY TITLE I
OF THE HIGHER EDUCATION ACT OF 1965, DELETE COVERED DATA THAT WOULD
UNREASONABLY INTERFERE WITH THE PROVISION OF EDUCATION SERVICES BY OR
THE ORDINARY OPERATION OF THE SCHOOL OR INSTITUTION.
(II) IN A CIRCUMSTANCE THAT WOULD ALLOW A DENIAL PURSUANT TO SUBPARA-
GRAPH (I) OF THIS SUBDIVISION, A COVERED ENTITY SHALL PARTIALLY COMPLY
WITH THE REMAINDER OF THE REQUEST IF IT IS POSSIBLE AND NOT UNDULY
BURDENSOME TO DO SO.
(III) FOR PURPOSES OF CLAUSE (B) OF SUBPARAGRAPH (I) OF THIS PARA-
GRAPH, THE RECEIPT OF A LARGE NUMBER OF VERIFIED REQUESTS, ON ITS OWN,
MAY NOT BE CONSIDERED TO RENDER COMPLIANCE WITH A REQUEST DEMONSTRABLY
IMPRACTICABLE.
(IV) THE DIVISION MAY, BY REGULATION AS DESCRIBED IN SUBDIVISION SEVEN
OF THIS SECTION, ESTABLISH ADDITIONAL PERMISSIVE EXCEPTIONS NECESSARY TO
PROTECT THE RIGHTS OF INDIVIDUALS, ALLEVIATE UNDUE BURDENS ON COVERED
ENTITIES, PREVENT UNJUST OR UNREASONABLE OUTCOMES FROM THE EXERCISE OF
ACCESS, CORRECTION, DELETION, OR PORTABILITY RIGHTS, OR AS OTHERWISE
NECESSARY TO FULFILL THE PURPOSES OF THIS SECTION. IN ESTABLISHING SUCH
EXCEPTIONS, THE DIVISION SHOULD CONSIDER ANY RELEVANT CHANGES IN TECH-
NOLOGY, MEANS FOR PROTECTING PRIVACY AND OTHER RIGHTS, AND BENEFICIAL
USES OF COVERED DATA BY COVERED ENTITIES.
A. 6319 21
6. A LARGE DATA HOLDER THAT IS A COVERED ENTITY SHALL, FOR EACH CALEN-
DAR YEAR IN WHICH IT WAS A LARGE DATA HOLDER, DO THE FOLLOWING:
(A) COMPILE THE FOLLOWING METRICS FOR THE PRIOR CALENDAR YEAR:
(I) THE NUMBER OF VERIFIED ACCESS REQUESTS UNDER PARAGRAPH (A) OF
SUBDIVISION ONE OF THIS SECTION.
(II) THE NUMBER OF VERIFIED DELETION REQUESTS UNDER PARAGRAPH (C) OF
SUBDIVISION ONE OF THIS SECTION.
(III) THE NUMBER OF REQUESTS TO OPT-OUT OF COVERED DATA TRANSFERS
UNDER SUBDIVISION TWO OF SECTION FIFTEEN HUNDRED TWENTY-THREE OF THIS
TITLE.
(IV) THE NUMBER OF REQUESTS TO OPT-OUT OF TARGETED ADVERTISING UNDER
SUBDIVISION THREE OF SECTION FIFTEEN HUNDRED TWENTY-THREE OF THIS TITLE.
(V) THE NUMBER OF REQUESTS IN EACH OF SUBPARAGRAPHS (I) THROUGH (IV)
OF THIS PARAGRAPH THAT SUCH LARGE DATA HOLDER (A) COMPLIED WITH IN WHOLE
OR IN PART AND (B) DENIED.
(VI) THE MEDIAN OR MEAN NUMBER OF DAYS WITHIN WHICH SUCH LARGE DATA
HOLDER SUBSTANTIVELY RESPONDED TO THE REQUESTS IN EACH OF SUBPARAGRAPHS
(I) THROUGH (IV) OF THIS PARAGRAPH.
(B) DISCLOSE BY JULY FIRST OF EACH APPLICABLE CALENDAR YEAR THE INFOR-
MATION COMPILED IN PARAGRAPH (A) OF THIS SUBDIVISION WITHIN SUCH LARGE
DATA HOLDER'S PRIVACY POLICY REQUIRED UNDER SECTION FIFTEEN HUNDRED
TWENTY-ONE OF THIS TITLE OR ON THE PUBLICLY ACCESSIBLE WEBSITE OF SUCH
LARGE DATA HOLDER THAT IS ACCESSIBLE FROM A HYPERLINK INCLUDED IN THE
PRIVACY POLICY.
7. NOT LATER THAN TWO YEARS AFTER THE EFFECTIVE DATE OF THIS ARTICLE,
THE DIVISION SHALL PROMULGATE RULES AND REGULATIONS AS NECESSARY TO
ESTABLISH PROCESSES BY WHICH COVERED ENTITIES ARE TO COMPLY WITH THE
PROVISIONS OF THIS SECTION. SUCH REGULATIONS SHALL TAKE INTO CONSIDER-
ATION:
(A) THE SIZE OF, AND THE NATURE, SCOPE, AND COMPLEXITY OF THE ACTIV-
ITIES ENGAGED IN BY THE COVERED ENTITY, INCLUDING WHETHER THE COVERED
ENTITY IS A LARGE DATA HOLDER, NONPROFIT ORGANIZATION, COVERED ENTITY
MEETING THE REQUIREMENTS OF SECTION FIFTEEN HUNDRED TWENTY-EIGHT OF THIS
TITLE, THIRD PARTY, OR THIRD-PARTY COLLECTING ENTITY;
(B) THE SENSITIVITY OF COVERED DATA COLLECTED, PROCESSED, OR TRANS-
FERRED BY THE COVERED ENTITY;
(C) THE VOLUME OF COVERED DATA COLLECTED, PROCESSED, OR TRANSFERRED BY
THE COVERED ENTITY;
(D) THE NUMBER OF INDIVIDUALS AND DEVICES TO WHICH THE COVERED DATA
COLLECTED, PROCESSED, OR TRANSFERRED BY THE COVERED ENTITY RELATES; AND
(E) AFTER CONSULTING THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLO-
GY, STANDARDS FOR ENSURING THE DELETION OF COVERED DATA UNDER THIS ARTI-
CLE WHERE APPROPRIATE.
8. A COVERED ENTITY SHALL FACILITATE THE ABILITY OF INDIVIDUALS TO
MAKE REQUESTS UNDER SUBDIVISION ONE OF THIS SECTION IN ANY COVERED
LANGUAGE IN WHICH THE COVERED ENTITY PROVIDES A PRODUCT OR SERVICE. THE
MECHANISMS BY WHICH A COVERED ENTITY ENABLES INDIVIDUALS TO MAKE
REQUESTS UNDER SUBDIVISION ONE OF THIS SECTION SHALL BE READILY ACCESSI-
BLE AND USABLE BY INDIVIDUALS WITH DISABILITIES.
§ 1523. RIGHT TO CONSENT AND OBJECT. 1. A COVERED ENTITY SHALL PROVIDE
AN INDIVIDUAL WITH A CLEAR AND CONSPICUOUS, EASY-TO-EXECUTE MEANS TO
WITHDRAW ANY AFFIRMATIVE EXPRESS CONSENT PREVIOUSLY PROVIDED BY THE
INDIVIDUAL THAT IS AS EASY TO EXECUTE BY A REASONABLE INDIVIDUAL AS THE
MEANS TO PROVIDE CONSENT, WITH RESPECT TO THE PROCESSING OR TRANSFER OF
THE COVERED DATA OF THE INDIVIDUAL.
2. (A) A COVERED ENTITY:
A. 6319 22
(I) MAY NOT TRANSFER OR DIRECT THE TRANSFER OF THE COVERED DATA OF AN
INDIVIDUAL TO A THIRD PARTY IF THE INDIVIDUAL OBJECTS TO THE TRANSFER;
AND
(II) SHALL ALLOW AN INDIVIDUAL TO OBJECT TO SUCH A TRANSFER THROUGH AN
OPT-OUT MECHANISM, AS DESCRIBED IN SECTION FIFTEEN HUNDRED TWENTY-NINE
OF THIS TITLE.
(B) EXCEPT AS PROVIDED IN SUBPARAGRAPH (III) OF PARAGRAPH (C) OF
SUBDIVISION TWO OF SECTION FIFTEEN HUNDRED TWENTY-FIVE OF THIS TITLE, A
COVERED ENTITY NEED NOT ALLOW AN INDIVIDUAL TO OPT OUT OF THE
COLLECTION, PROCESSING, OR TRANSFER OF COVERED DATA MADE PURSUANT TO THE
EXCEPTIONS IN PARAGRAPHS (A) THROUGH (O) OF SUBDIVISION TWO OF SECTION
FIFTEEN HUNDRED TEN OF THIS ARTICLE.
3. (A) A COVERED ENTITY OR SERVICE PROVIDER THAT DIRECTLY DELIVERS A
TARGETED ADVERTISEMENT SHALL:
(I) PRIOR TO ENGAGING IN TARGETED ADVERTISING TO AN INDIVIDUAL OR
DEVICE AND AT ALL TIMES THEREAFTER, PROVIDE SUCH INDIVIDUAL WITH A CLEAR
AND CONSPICUOUS MEANS TO OPT OUT OF TARGETED ADVERTISING;
(II) ABIDE BY ANY OPT-OUT DESIGNATION BY AN INDIVIDUAL WITH RESPECT TO
TARGETED ADVERTISING AND NOTIFY THE COVERED ENTITY THAT DIRECTED THE
SERVICE PROVIDER TO DELIVER THE TARGETED ADVERTISEMENT OF THE OPT-OUT
DECISION; AND
(III) ALLOW AN INDIVIDUAL TO MAKE AN OPT-OUT DESIGNATION WITH RESPECT
TO TARGETED ADVERTISING THROUGH AN OPT-OUT MECHANISM, AS DESCRIBED IN
SECTION FIFTEEN HUNDRED TWENTY-NINE OF THIS TITLE.
(B) A COVERED ENTITY OR SERVICE PROVIDER THAT RECEIVES AN OPT-OUT
NOTIFICATION PURSUANT TO SUBPARAGRAPH (II) OF PARAGRAPH (A) OF THIS
SUBDIVISION OR THIS PARAGRAPH SHALL ABIDE BY SUCH OPT-OUT DESIGNATIONS
BY AN INDIVIDUAL AND NOTIFY ANY OTHER PERSON THAT DIRECTED THE COVERED
ENTITY OR SERVICE PROVIDER TO SERVE, DELIVER, OR OTHERWISE HANDLE THE
ADVERTISEMENT OF THE OPT-OUT DECISION.
4. A COVERED ENTITY MAY NOT CONDITION, EFFECTIVELY CONDITION, ATTEMPT
TO CONDITION, OR ATTEMPT TO EFFECTIVELY CONDITION THE EXERCISE OF ANY
INDIVIDUAL RIGHT UNDER THIS SECTION THROUGH:
(A) THE USE OF ANY FALSE, FICTITIOUS, FRAUDULENT, OR MATERIALLY
MISLEADING STATEMENT OR REPRESENTATION; OR
(B) THE DESIGN, MODIFICATION, OR MANIPULATION OF ANY USER INTERFACE
WITH THE PURPOSE OR SUBSTANTIAL EFFECT OF OBSCURING, SUBVERTING, OR
IMPAIRING A REASONABLE INDIVIDUAL'S AUTONOMY, DECISION MAKING, OR CHOICE
TO EXERCISE ANY SUCH RIGHT.
§ 1524. DATA PROTECTIONS FOR CHILDREN AND MINORS. 1. A COVERED ENTITY
MAY NOT ENGAGE IN TARGETED ADVERTISING TO ANY INDIVIDUAL IF THE COVERED
ENTITY HAS KNOWLEDGE THAT THE INDIVIDUAL IS A COVERED MINOR.
2. (A) A COVERED ENTITY MAY NOT TRANSFER OR DIRECT THE TRANSFER OF THE
COVERED DATA OF A COVERED MINOR TO A THIRD PARTY IF THE COVERED ENTITY:
(I) HAS KNOWLEDGE THAT THE INDIVIDUAL IS A COVERED MINOR; AND
(II) HAS NOT OBTAINED AFFIRMATIVE EXPRESS CONSENT FROM THE COVERED
MINOR OR THE COVERED MINOR'S PARENT OR GUARDIAN.
(B) A COVERED ENTITY OR SERVICE PROVIDER MAY COLLECT, PROCESS, OR
TRANSFER COVERED DATA OF AN INDIVIDUAL THE COVERED ENTITY OR SERVICE
PROVIDER KNOWS IS UNDER THE AGE OF EIGHTEEN SOLELY IN ORDER TO SUBMIT
INFORMATION RELATING TO CHILD VICTIMIZATION TO LAW ENFORCEMENT OR TO THE
NONPROFIT, NATIONAL RESOURCE CENTER AND CLEARINGHOUSE DESIGNATED TO
PROVIDE ASSISTANCE TO VICTIMS, FAMILIES, CHILD-SERVING PROFESSIONALS,
AND THE GENERAL PUBLIC ON MISSING AND EXPLOITED CHILDREN ISSUES.
A. 6319 23
3. (A) THERE IS ESTABLISHED WITHIN THE DIVISION IN THE PRIVACY BUREAU
ESTABLISHED IN TITLE V OF THIS ARTICLE, AN OFFICE TO BE KNOWN AS THE
"YOUTH PRIVACY AND MARKETING OFFICE" (THE "OFFICE").
(B) THE OFFICE SHALL BE HEADED BY A DIRECTOR, WHO SHALL BE APPOINTED
BY THE CHAIR OF THE OFFICE.
(C) THE OFFICE SHALL BE RESPONSIBLE FOR ASSISTING THE DIVISION IN
ADDRESSING, AS IT RELATES TO THIS ARTICLE:
(I) THE PRIVACY OF CHILDREN AND MINORS; AND
(II) MARKETING DIRECTED AT CHILDREN AND MINORS.
(D) THE DIRECTOR OF THE OFFICE SHALL HIRE ADEQUATE STAFF TO CARRY OUT
THE DUTIES DESCRIBED IN PARAGRAPH (C) OF THIS SUBDIVISION, INCLUDING BY
HIRING INDIVIDUALS WHO ARE EXPERTS IN DATA PROTECTION, DIGITAL ADVERTIS-
ING, DATA ANALYTICS, AND YOUTH DEVELOPMENT.
(E) NOT LATER THAN TWO YEARS AFTER THE EFFECTIVE DATE OF THIS ARTICLE,
AND ANNUALLY THEREAFTER, THE OFFICE SHALL SUBMIT TO THE GOVERNOR, THE
MAJORITY AND MINORITY LEADERS OF THE SENATE AND THE MAJORITY AND MINORI-
TY LEADERS OF THE ASSEMBLY A REPORT THAT INCLUDES:
(I) A DESCRIPTION OF THE WORK OF THE OFFICE REGARDING EMERGING
CONCERNS RELATING TO YOUTH PRIVACY AND MARKETING PRACTICES; AND
(II) AN ASSESSMENT OF HOW EFFECTIVELY THE OFFICE HAS, DURING THE PERI-
OD FOR WHICH THE REPORT IS SUBMITTED, ASSISTED THE DIVISION TO ADDRESS
YOUTH PRIVACY AND MARKETING PRACTICES.
(F) NOT LATER THAN TEN DAYS AFTER THE DATE ON WHICH A REPORT IS
SUBMITTED UNDER PARAGRAPH (E) OF THIS SUBDIVISION, THE DIVISION SHALL
PUBLISH THE REPORT ON ITS WEBSITE.
§ 1525. THIRD-PARTY COLLECTING ENTITIES. 1. (A) EACH THIRD-PARTY
COLLECTING ENTITY SHALL PLACE A CLEAR, CONSPICUOUS, NOT MISLEADING, AND
READILY ACCESSIBLE NOTICE ON THE WEBSITE OR MOBILE APPLICATION OF THE
THIRD-PARTY COLLECTING ENTITY (IF THE THIRD-PARTY COLLECTING ENTITY
MAINTAINS SUCH A WEBSITE OR MOBILE APPLICATION) THAT:
(A) NOTIFIES INDIVIDUALS THAT THE ENTITY IS A THIRD-PARTY COLLECTING
ENTITY USING SPECIFIC LANGUAGE THAT THE DIVISION SHALL DEVELOP THROUGH
RULEMAKING UNDER SECTION 553 OF TITLE 5, UNITED STATES CODE;
(B) INCLUDES A LINK TO THE WEBSITE ESTABLISHED UNDER PARAGRAPH (C) OF
SUBDIVISION TWO OF THIS SECTION; AND
(C) IS REASONABLY ACCESSIBLE TO AND USABLE BY INDIVIDUALS WITH DISA-
BILITIES.
2. (A) NOT LATER THAN JANUARY THIRTY-FIRST OF EACH CALENDAR YEAR THAT
FOLLOWS A CALENDAR YEAR DURING WHICH A COVERED ENTITY ACTED AS A THIRD-
PARTY COLLECTING ENTITY AND PROCESSED COVERED DATA PERTAINING TO MORE
THAN FIVE THOUSAND INDIVIDUALS OR DEVICES THAT IDENTIFY OR ARE LINKED OR
REASONABLY LINKABLE TO AN INDIVIDUAL, SUCH COVERED ENTITY SHALL REGISTER
WITH THE DIVISION IN ACCORDANCE WITH THIS SUBDIVISION.
(B) IN REGISTERING WITH THE DIVISION AS REQUIRED UNDER PARAGRAPH (A)
OF THIS SUBDIVISION, A THIRD-PARTY COLLECTING ENTITY SHALL DO THE
FOLLOWING:
(I) PAY TO THE DIVISION A REGISTRATION FEE OF ONE HUNDRED DOLLARS.
(II) PROVIDE THE DIVISION WITH THE FOLLOWING INFORMATION:
(A) THE LEGAL NAME AND PRIMARY PHYSICAL, EMAIL, AND INTERNET ADDRESSES
OF THE THIRD-PARTY COLLECTING ENTITY;
(B) A DESCRIPTION OF THE CATEGORIES OF COVERED DATA THE THIRD-PARTY
COLLECTING ENTITY PROCESSES AND TRANSFERS;
(C) THE CONTACT INFORMATION OF THE THIRD-PARTY COLLECTING ENTITY,
INCLUDING A CONTACT PERSON, A TELEPHONE NUMBER, AN EMAIL ADDRESS, A
WEBSITE, AND A PHYSICAL MAILING ADDRESS; AND
A. 6319 24
(D) A LINK TO A WEBSITE THROUGH WHICH AN INDIVIDUAL MAY EASILY EXER-
CISE THE RIGHTS PROVIDED UNDER THIS SUBDIVISION.
(C) THE DIVISION SHALL ESTABLISH AND MAINTAIN ON A WEBSITE A SEARCHA-
BLE, PUBLICLY AVAILABLE, CENTRAL REGISTRY OF THIRD-PARTY COLLECTING
ENTITIES THAT ARE REGISTERED WITH THE DIVISION UNDER THIS SUBDIVISION
THAT INCLUDES THE FOLLOWING:
(I) A LISTING OF ALL REGISTERED THIRD-PARTY COLLECTING ENTITIES AND A
SEARCH FEATURE THAT ALLOWS MEMBERS OF THE PUBLIC TO IDENTIFY INDIVIDUAL
THIRD-PARTY COLLECTING ENTITIES.
(II) FOR EACH REGISTERED THIRD-PARTY COLLECTING ENTITY, THE INFORMA-
TION PROVIDED UNDER PARAGRAPH (B) OF THIS SUBDIVISION.
(III) (A) A "DO NOT COLLECT" REGISTRY LINK AND MECHANISM BY WHICH AN
INDIVIDUAL MAY, EASILY SUBMIT A REQUEST TO ALL REGISTERED THIRD-PARTY
COLLECTING ENTITIES THAT ARE NOT CONSUMER REPORTING AGENCIES (AS DEFINED
IN SECTION 603(F) OF THE FAIR CREDIT REPORTING ACT (15 U.S.C.
1681A(F))), AND TO THE EXTENT SUCH THIRD-PARTY COLLECTING ENTITIES ARE
NOT ACTING AS CONSUMER REPORTING AGENCIES (AS SO DEFINED), TO:
(I) DELETE ALL COVERED DATA RELATED TO SUCH INDIVIDUAL THAT THE THIRD-
PARTY COLLECTING ENTITY DID NOT COLLECT FROM SUCH INDIVIDUAL DIRECTLY OR
WHEN ACTING AS A SERVICE PROVIDER; AND
(II) ENSURE THAT THE THIRD-PARTY COLLECTING ENTITY NO LONGER COLLECTS
COVERED DATA RELATED TO SUCH INDIVIDUAL WITHOUT THE AFFIRMATIVE EXPRESS
CONSENT OF SUCH INDIVIDUAL, EXCEPT INSOFAR AS THE THIRD-PARTY COLLECTING
ENTITY IS ACTING AS A SERVICE PROVIDER.
(B) EACH THIRD-PARTY COLLECTING ENTITY THAT RECEIVES SUCH A REQUEST
FROM AN INDIVIDUAL SHALL DELETE ALL THE COVERED DATA OF THE INDIVIDUAL
NOT LATER THAN THIRTY DAYS AFTER THE REQUEST IS RECEIVED BY THE THIRD-
PARTY COLLECTING ENTITY.
(C) NOTWITHSTANDING THE PROVISIONS OF CLAUSES (A) AND (B) OF THIS
SUBPARAGRAPH, A THIRD-PARTY COLLECTING ENTITY MAY DECLINE TO FULFILL A
"DO NOT COLLECT" REQUEST FROM AN INDIVIDUAL WHO IT HAS ACTUAL KNOWLEDGE
HAS BEEN CONVICTED OF A CRIME RELATED TO THE ABDUCTION OR SEXUAL EXPLOI-
TATION OF A CHILD, AND THE DATA THE ENTITY IS COLLECTING IS NECESSARY TO
EFFECTUATE THE PURPOSES OF A NATIONAL OR STATE-RUN SEX OFFENDER REGISTRY
OR THE CONGRESSIONALLY DESIGNATED ENTITY THAT SERVES AS THE NONPROFIT
NATIONAL RESOURCE CENTER AND CLEARINGHOUSE TO PROVIDE ASSISTANCE TO
VICTIMS, FAMILIES, CHILD-SERVING PROFESSIONALS, AND THE GENERAL PUBLIC
ON MISSING AND EXPLOITED CHILDREN ISSUES.
3. (A) A THIRD-PARTY COLLECTING ENTITY THAT FAILS TO REGISTER OR
PROVIDE THE NOTICE AS REQUIRED UNDER THIS SECTION SHALL BE LIABLE FOR:
(I) A CIVIL PENALTY OF ONE HUNDRED DOLLARS FOR EACH DAY THE THIRD-PAR-
TY COLLECTING ENTITY FAILS TO REGISTER OR PROVIDE NOTICE AS REQUIRED
UNDER THIS SECTION, NOT TO EXCEED A TOTAL OF TEN THOUSAND DOLLARS FOR
ANY YEAR; AND
(II) AN AMOUNT EQUAL TO THE REGISTRATION FEES DUE UNDER SUBPARAGRAPH
(I) OF PARAGRAPH (B) OF SUBDIVISION TWO OF THIS SECTION FOR EACH YEAR
THAT THE THIRD-PARTY COLLECTING ENTITY FAILED TO REGISTER AS REQUIRED
UNDER PARAGRAPH (A) OF SUCH SUBDIVISION.
(B) NOTHING IN THIS SUBDIVISION SHALL BE CONSTRUED AS ALTERING, LIMIT-
ING, OR AFFECTING ANY ENFORCEMENT AUTHORITIES OR REMEDIES UNDER THIS
ARTICLE.
§ 1526. CIVIL RIGHTS AND ALGORITHMS. 1. (A) A COVERED ENTITY OR A
SERVICE PROVIDER MAY NOT COLLECT, PROCESS, OR TRANSFER COVERED DATA IN A
MANNER THAT DISCRIMINATES IN OR OTHERWISE MAKES UNAVAILABLE THE EQUAL
ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION,
NATIONAL ORIGIN, SEX, OR DISABILITY.
A. 6319 25
(B) THIS SUBDIVISION SHALL NOT APPLY TO:
(I) THE COLLECTION, PROCESSING, OR TRANSFER OF COVERED DATA FOR THE
PURPOSE OF:
(A) A COVERED ENTITY'S OR A SERVICE PROVIDER'S SELF-TESTING TO PREVENT
OR MITIGATE UNLAWFUL DISCRIMINATION; OR
(B) DIVERSIFYING AN APPLICANT, PARTICIPANT, OR CUSTOMER POOL; OR
(II) ANY PRIVATE CLUB OR GROUP NOT OPEN TO THE PUBLIC, AS DESCRIBED IN
SECTION 201(E) OF THE CIVIL RIGHTS ACT OF 1964 (42 U.S.C. 2000A(E)).
2. (A) WHENEVER THE DIVISION OBTAINS INFORMATION THAT A COVERED ENTITY
OR SERVICE PROVIDER MAY HAVE COLLECTED, PROCESSED, OR TRANSFERRED
COVERED DATA IN VIOLATION OF SUBDIVISION ONE OF THIS SECTION, THE DIVI-
SION SHALL TRANSMIT SUCH INFORMATION AS ALLOWABLE UNDER FEDERAL AND
STATE LAW TO ANY EXECUTIVE AGENCY WITH AUTHORITY TO INITIATE ENFORCEMENT
ACTIONS OR PROCEEDINGS RELATING TO SUCH VIOLATION.
(B) NOT LATER THAN THREE YEARS AFTER THE EFFECTIVE DATE OF THIS ARTI-
CLE, AND ANNUALLY THEREAFTER, THE DIVISION SHALL SUBMIT TO THE SENATE
AND THE ASSEMBLY A REPORT THAT INCLUDES A SUMMARY OF:
(I) THE TYPES OF INFORMATION THE DIVISION TRANSMITTED TO EXECUTIVE
AGENCIES UNDER PARAGRAPH (A) OF THIS SUBDIVISION DURING THE PREVIOUS
ONE-YEAR PERIOD; AND
(II) HOW SUCH INFORMATION RELATES TO FEDERAL OR STATE CIVIL RIGHTS
LAWS.
(C) IN TRANSMITTING INFORMATION UNDER PARAGRAPH (A) OF THIS SUBDIVI-
SION, THE DIVISION MAY CONSULT AND COORDINATE WITH, AND PROVIDE TECHNI-
CAL AND INVESTIGATIVE ASSISTANCE, AS APPROPRIATE, TO SUCH EXECUTIVE
AGENCY.
(D) THE DIVISION MAY IMPLEMENT THIS SUBDIVISION BY EXECUTING AGREE-
MENTS OR MEMORANDA OF UNDERSTANDING WITH THE APPROPRIATE EXECUTIVE AGEN-
CIES.
3. (A)(I) NOTWITHSTANDING ANY OTHER PROVISION OF LAW, NOT LATER THAN
TWO YEARS AFTER THE EFFECTIVE DATE OF THIS ARTICLE, AND ANNUALLY THERE-
AFTER, A LARGE DATA HOLDER THAT USES A COVERED ALGORITHM IN A MANNER
THAT POSES A CONSEQUENTIAL RISK OF HARM TO AN INDIVIDUAL OR GROUP OF
INDIVIDUALS, AND USES SUCH COVERED ALGORITHM SOLELY OR IN PART, TO
COLLECT, PROCESS, OR TRANSFER COVERED DATA SHALL CONDUCT AN IMPACT
ASSESSMENT OF SUCH ALGORITHM IN ACCORDANCE WITH SUBPARAGRAPH (II) OF
THIS PARAGRAPH.
(II) THE IMPACT ASSESSMENT REQUIRED UNDER SUBPARAGRAPH (I) OF THIS
PARAGRAPH SHALL PROVIDE THE FOLLOWING:
(A) A DETAILED DESCRIPTION OF THE DESIGN PROCESS AND METHODOLOGIES OF
THE COVERED ALGORITHM.
(B) A STATEMENT OF THE PURPOSE AND PROPOSED USES OF THE COVERED ALGO-
RITHM.
(C) A DETAILED DESCRIPTION OF THE DATA USED BY THE COVERED ALGORITHM,
INCLUDING THE SPECIFIC CATEGORIES OF DATA THAT WILL BE PROCESSED AS
INPUT AND ANY DATA USED TO TRAIN THE MODEL THAT THE COVERED ALGORITHM
RELIES ON, IF APPLICABLE.
(D) A DESCRIPTION OF THE OUTPUTS PRODUCED BY THE COVERED ALGORITHM.
(E) AN ASSESSMENT OF THE NECESSITY AND PROPORTIONALITY OF THE COVERED
ALGORITHM IN RELATION TO ITS STATED PURPOSE.
(F) A DETAILED DESCRIPTION OF STEPS THE LARGE DATA HOLDER HAS TAKEN OR
WILL TAKE TO MITIGATE POTENTIAL HARMS FROM THE COVERED ALGORITHM TO AN
INDIVIDUAL OR GROUP OF INDIVIDUALS, INCLUDING RELATED TO:
(I) COVERED MINORS;
A. 6319 26
(II) MAKING OR FACILITATING ADVERTISING FOR, OR DETERMINING ACCESS TO,
OR RESTRICTIONS ON THE USE OF HOUSING, EDUCATION, EMPLOYMENT, HEALTH-
CARE, INSURANCE, OR CREDIT OPPORTUNITIES;
(III) DETERMINING ACCESS TO, OR RESTRICTIONS ON THE USE OF, ANY PLACE
OF PUBLIC ACCOMMODATION, PARTICULARLY AS SUCH HARMS RELATE TO THE
PROTECTED CHARACTERISTICS OF INDIVIDUALS, INCLUDING RACE, COLOR, RELI-
GION, NATIONAL ORIGIN, SEX, OR DISABILITY;
(IV) DISPARATE IMPACT ON THE BASIS OF INDIVIDUALS' RACE, COLOR, RELI-
GION, NATIONAL ORIGIN, SEX, OR DISABILITY STATUS; OR
(V) DISPARATE IMPACT ON THE BASIS OF INDIVIDUALS' POLITICAL PARTY
REGISTRATION STATUS.
(B) NOTWITHSTANDING ANY OTHER PROVISION OF LAW, NOT LATER THAN TWO
YEARS AFTER THE EFFECTIVE DATE OF THIS ARTICLE, A COVERED ENTITY OR
SERVICE PROVIDER THAT KNOWINGLY DEVELOPS A COVERED ALGORITHM THAT IS
DESIGNED, SOLELY OR IN PART, TO COLLECT, PROCESS, OR TRANSFER COVERED
DATA IN FURTHERANCE OF A CONSEQUENTIAL DECISION SHALL PRIOR TO DEPLOYING
THE COVERED ALGORITHM IN INTERSTATE COMMERCE EVALUATE THE DESIGN, STRUC-
TURE, AND INPUTS OF THE COVERED ALGORITHM, INCLUDING ANY TRAINING DATA
USED TO DEVELOP THE COVERED ALGORITHM, TO REDUCE THE RISK OF THE POTEN-
TIAL HARMS IDENTIFIED UNDER SUBPARAGRAPH (II) OF PARAGRAPH (A) OF THIS
SUBDIVISION.
(C) (I) IN COMPLYING WITH PARAGRAPHS (A) AND (B) OF THIS SUBDIVISION,
A COVERED ENTITY AND A SERVICE PROVIDER MAY FOCUS THE IMPACT ASSESSMENT
OR EVALUATION ON ANY COVERED ALGORITHM, OR PORTIONS OF A COVERED ALGO-
RITHM, THAT WILL BE PUT TO USE AND MAY REASONABLY CONTRIBUTE TO THE RISK
OF THE POTENTIAL HARMS IDENTIFIED UNDER SUBPARAGRAPH (II) OF PARAGRAPH
(A) OF THIS SUBDIVISION.
(II) (A) A COVERED ENTITY AND A SERVICE PROVIDER:
(I) SHALL, NOT LATER THAN THIRTY DAYS AFTER COMPLETING AN IMPACT
ASSESSMENT OR EVALUATION, SUBMIT THE IMPACT ASSESSMENT OR EVALUATION
CONDUCTED UNDER PARAGRAPHS (A) AND (B) OF THIS SUBDIVISION TO THE DIVI-
SION;
(II) SHALL, UPON REQUEST, MAKE SUCH IMPACT ASSESSMENT AND EVALUATION
AVAILABLE TO THE LEGISLATURE; AND
(III) MAY MAKE A SUMMARY OF SUCH IMPACT ASSESSMENT AND EVALUATION
PUBLICLY AVAILABLE IN A PLACE THAT IS EASILY ACCESSIBLE TO INDIVIDUALS.
(B) COVERED ENTITIES AND SERVICE PROVIDERS MAY REDACT AND SEGREGATE
ANY TRADE SECRET (AS DEFINED IN SECTION 1839 OF TITLE 18, UNITED STATES
CODE) OR OTHER CONFIDENTIAL OR PROPRIETARY INFORMATION FROM PUBLIC
DISCLOSURE UNDER THIS SUBPARAGRAPH AND THE DIVISION SHALL ABIDE BY ITS
OBLIGATIONS UNDER FEDERAL AND STATE LAW IN REGARD TO SUCH INFORMATION.
(III) THE DIVISION MAY NOT USE ANY INFORMATION OBTAINED SOLELY AND
EXCLUSIVELY THROUGH A COVERED ENTITY OR A SERVICE PROVIDER'S DISCLOSURE
OF INFORMATION TO THE DIVISION IN COMPLIANCE WITH THIS SECTION FOR ANY
PURPOSE OTHER THAN ENFORCING THIS ARTICLE WITH THE EXCEPTION OF ENFORC-
ING CONSENT ORDERS, INCLUDING THE STUDY AND REPORT PROVISIONS IN PARA-
GRAPH (F) OF THIS SUBDIVISION. THIS SUBPARAGRAPH DOES NOT PRECLUDE THE
DIVISION FROM PROVIDING THIS INFORMATION TO THE LEGISLATURE IN RESPONSE
TO A SUBPOENA.
(D) NOT LATER THAN TWO YEARS AFTER THE EFFECTIVE DATE OF THIS ARTICLE,
THE DIVISION SHALL, IN CONSULTATION WITH THE SECRETARY OF STATE, OR
THEIR RESPECTIVE DESIGNEES, PUBLISH GUIDANCE REGARDING COMPLIANCE WITH
THIS SECTION.
(E) THE DIVISION SHALL HAVE AUTHORITY TO PROMULGATE RULES AND REGU-
LATIONS AS NECESSARY TO ESTABLISH PROCESSES BY WHICH A LARGE DATA HOLD-
ER:
A. 6319 27
(I) SHALL SUBMIT AN IMPACT ASSESSMENT TO THE DIVISION UNDER ITEM (I)
OF CLAUSE (A) OF SUBPARAGRAPH (II) OF PARAGRAPH (C) OF THIS SUBDIVISION;
AND
(II) MAY EXCLUDE FROM THIS SUBDIVISION ANY COVERED ALGORITHM THAT
PRESENTS LOW OR MINIMAL CONSEQUENTIAL RISK OF HARM TO AN INDIVIDUAL OR
GROUP OF INDIVIDUALS.
(F) (I) THE DIVISION, IN CONSULTATION WITH THE SECRETARY OF STATE OR
THE SECRETARY'S DESIGNEE, SHALL CONDUCT A STUDY, TO REVIEW ANY IMPACT
ASSESSMENT OR EVALUATION SUBMITTED UNDER THIS SUBDIVISION. SUCH STUDY
SHALL INCLUDE AN EXAMINATION OF:
(A) BEST PRACTICES FOR THE ASSESSMENT AND EVALUATION OF COVERED ALGO-
RITHMS; AND
(B) METHODS TO REDUCE THE RISK OF HARM TO INDIVIDUALS THAT MAY BE
RELATED TO THE USE OF COVERED ALGORITHMS.
(II) (A) NOT LATER THAN THREE YEARS AFTER THE EFFECTIVE DATE OF THIS
ARTICLE, THE DIVISION, IN CONSULTATION WITH THE SECRETARY OR THE SECRE-
TARY'S DESIGNEE, SHALL SUBMIT TO THE GOVERNOR AND THE LEGISLATURE A
REPORT CONTAINING THE RESULTS OF THE STUDY CONDUCTED UNDER SUBPARAGRAPH
(I) OF THIS PARAGRAPH, TOGETHER WITH RECOMMENDATIONS FOR SUCH LEGIS-
LATION AND ADMINISTRATIVE ACTION AS THE DIVISION DETERMINES APPROPRIATE.
(B) NOT LATER THAN THREE YEARS AFTER SUBMISSION OF THE INITIAL REPORT
UNDER CLAUSE (A) OF THIS SUBPARAGRAPH, AND AS THE DIVISION DETERMINES
NECESSARY THEREAFTER, THE DIVISION SHALL SUBMIT TO THE GOVERNOR AND THE
LEGISLATURE AN UPDATED VERSION OF SUCH REPORT.
§ 1527. DATA SECURITY AND PROTECTION OF COVERED DATA. 1. (A) A COVERED
ENTITY OR SERVICE PROVIDER SHALL ESTABLISH, IMPLEMENT, AND MAINTAIN
REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRAC-
TICES AND PROCEDURES TO PROTECT AND SECURE COVERED DATA AGAINST UNAU-
THORIZED ACCESS AND ACQUISITION.
(B) THE REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECU-
RITY PRACTICES REQUIRED UNDER PARAGRAPH (A) OF THIS SUBDIVISION SHALL BE
APPROPRIATE TO:
(I) THE SIZE AND COMPLEXITY OF THE COVERED ENTITY OR SERVICE PROVIDER;
(II) THE NATURE AND SCOPE OF THE COVERED ENTITY OR THE SERVICE PROVID-
ER'S COLLECTING, PROCESSING, OR TRANSFERRING OF COVERED DATA;
(III) THE VOLUME AND NATURE OF THE COVERED DATA COLLECTED, PROCESSED,
OR TRANSFERRED BY THE COVERED ENTITY OR SERVICE PROVIDER;
(IV) THE SENSITIVITY OF THE COVERED DATA COLLECTED, PROCESSED, OR
TRANSFERRED;
(V) THE CURRENT STATE OF THE ART (AND LIMITATIONS THEREOF) IN ADMINIS-
TRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS FOR PROTECTING SUCH COVERED
DATA; AND
(VI) THE COST OF AVAILABLE TOOLS TO IMPROVE SECURITY AND REDUCE
VULNERABILITIES TO UNAUTHORIZED ACCESS AND ACQUISITION OF SUCH COVERED
DATA IN RELATION TO THE RISKS AND NATURE OF THE COVERED DATA.
2. THE DATA SECURITY PRACTICES OF THE COVERED ENTITY AND OF THE
SERVICE PROVIDER REQUIRED UNDER SUBDIVISION ONE OF THIS SECTION SHALL
INCLUDE, FOR EACH RESPECTIVE ENTITY'S OWN SYSTEM OR SYSTEMS, AT A MINI-
MUM, THE FOLLOWING PRACTICES:
(A) IDENTIFYING AND ASSESSING ANY MATERIAL INTERNAL AND EXTERNAL RISK
TO, AND VULNERABILITY IN, THE SECURITY OF EACH SYSTEM MAINTAINED BY THE
COVERED ENTITY THAT COLLECTS, PROCESSES, OR TRANSFERS COVERED DATA, OR
SERVICE PROVIDER THAT COLLECTS, PROCESSES, OR TRANSFERS COVERED DATA ON
BEHALF OF THE COVERED ENTITY, INCLUDING UNAUTHORIZED ACCESS TO OR RISKS
TO SUCH COVERED DATA, HUMAN VULNERABILITIES, ACCESS RIGHTS, AND THE USE
OF SERVICE PROVIDERS. WITH RESPECT TO LARGE DATA HOLDERS, SUCH ACTIV-
A. 6319 28
ITIES SHALL INCLUDE A PLAN TO RECEIVE AND REASONABLY RESPOND TO UNSOLIC-
ITED REPORTS OF VULNERABILITIES BY ANY ENTITY OR INDIVIDUAL AND BY
PERFORMING A REASONABLE INVESTIGATION OF SUCH REPORTS.
(B) TAKING PREVENTIVE AND CORRECTIVE ACTION DESIGNED TO MITIGATE
REASONABLY FORESEEABLE RISKS OR VULNERABILITIES TO COVERED DATA IDENTI-
FIED BY THE COVERED ENTITY OR SERVICE PROVIDER, CONSISTENT WITH THE
NATURE OF SUCH RISK OR VULNERABILITY AND THE ENTITY'S ROLE IN COLLECT-
ING, PROCESSING, OR TRANSFERRING THE DATA. SUCH ACTION MAY INCLUDE
IMPLEMENTING ADMINISTRATIVE, TECHNICAL, OR PHYSICAL SAFEGUARDS OR CHANG-
ES TO DATA SECURITY PRACTICES OR THE ARCHITECTURE, INSTALLATION, OR
IMPLEMENTATION OF NETWORK OR OPERATING SOFTWARE, AMONG OTHER ACTIONS.
(C) EVALUATING AND MAKING REASONABLE ADJUSTMENTS TO THE ACTION
DESCRIBED IN PARAGRAPH (B) OF THIS SUBDIVISION IN LIGHT OF ANY MATERIAL
CHANGES IN TECHNOLOGY, INTERNAL OR EXTERNAL THREATS TO COVERED DATA, AND
THE COVERED ENTITY OR SERVICE PROVIDER'S OWN CHANGING BUSINESS ARRANGE-
MENTS OR OPERATIONS.
(D) DISPOSING OF COVERED DATA IN ACCORDANCE WITH A RETENTION SCHEDULE
THAT SHALL REQUIRE THE DELETION OF COVERED DATA WHEN SUCH DATA IS
REQUIRED TO BE DELETED BY LAW OR IS NO LONGER NECESSARY FOR THE PURPOSE
FOR WHICH THE DATA WAS COLLECTED, PROCESSED, OR TRANSFERRED, UNLESS AN
INDIVIDUAL HAS PROVIDED AFFIRMATIVE EXPRESS CONSENT TO SUCH RETENTION.
SUCH DISPOSAL SHALL INCLUDE DESTROYING, PERMANENTLY ERASING, OR OTHER-
WISE MODIFYING THE COVERED DATA TO MAKE SUCH DATA PERMANENTLY UNREADABLE
OR INDECIPHERABLE AND UNRECOVERABLE TO ENSURE ONGOING COMPLIANCE WITH
THIS SECTION. SERVICE PROVIDERS SHALL ESTABLISH PRACTICES TO DELETE OR
RETURN COVERED DATA TO A COVERED ENTITY AS REQUESTED AT THE END OF THE
PROVISION OF SERVICES UNLESS RETENTION OF THE COVERED DATA IS REQUIRED
BY LAW, CONSISTENT WITH PARAGRAPH (F) OF SUBDIVISION ONE OF SECTION
FIFTEEN HUNDRED FORTY-ONE OF THIS ARTICLE.
(E) TRAINING EACH EMPLOYEE WITH ACCESS TO COVERED DATA ON HOW TO SAFE-
GUARD COVERED DATA AND UPDATING SUCH TRAINING AS NECESSARY.
(F) DESIGNATING AN OFFICER, EMPLOYEE, OR EMPLOYEES TO MAINTAIN AND
IMPLEMENT SUCH PRACTICES.
(G) IMPLEMENTING PROCEDURES TO DETECT, RESPOND TO, OR RECOVER FROM
SECURITY INCIDENTS, INCLUDING BREACHES.
3. THE DIVISION MAY PROMULGATE TECHNOLOGY-NEUTRAL RULES AND REGU-
LATIONS TO ESTABLISH PROCESSES FOR COMPLYING WITH THIS SECTION. THE
DIVISION SHALL CONSULT WITH THE OFFICE OF INFORMATION TECHNOLOGY
SERVICES IN ESTABLISHING SUCH PROCESSES.
§ 1528. SMALL BUSINESS PROTECTIONS. 1. ANY COVERED ENTITY OR SERVICE
PROVIDER THAT CAN ESTABLISH THAT IT MET THE REQUIREMENTS DESCRIBED IN
SUBDIVISION TWO OF THIS SECTION FOR THE PERIOD OF THE THREE PRECEDING
CALENDAR YEARS (OR FOR THE PERIOD DURING WHICH THE COVERED ENTITY OR
SERVICE PROVIDER HAS BEEN IN EXISTENCE IF SUCH PERIOD IS LESS THAN THREE
YEARS) SHALL:
(A) BE EXEMPT FROM COMPLIANCE WITH PARAGRAPH (D) OF SUBDIVISION ONE OF
SECTION FIFTEEN HUNDRED TWENTY-TWO OF THIS TITLE, PARAGRAPHS (A), (B),
(C), (E), (F) AND (G) OF SUBDIVISION TWO OF SECTION FIFTEEN HUNDRED
TWENTY-SEVEN OF THIS TITLE, AND SUBDIVISION THREE OF SECTION FIFTEEN
HUNDRED FORTY OF THIS ARTICLE; AND
(B) AT THE COVERED ENTITY'S SOLE DISCRETION, HAVE THE OPTION OF
COMPLYING WITH PARAGRAPH (B) OF SUBDIVISION ONE OF SECTION FIFTEEN
HUNDRED TWENTY-TWO OF THIS TITLE BY, AFTER RECEIVING A VERIFIED REQUEST
FROM AN INDIVIDUAL TO CORRECT COVERED DATA OF THE INDIVIDUAL UNDER SUCH
SECTION, DELETING SUCH COVERED DATA IN ITS ENTIRETY INSTEAD OF MAKING
THE REQUESTED CORRECTION.
A. 6319 29
2. THE REQUIREMENTS OF THIS SUBDIVISION ARE, WITH RESPECT TO A COVERED
ENTITY OR A SERVICE PROVIDER, THE FOLLOWING:
(A) THE COVERED ENTITY OR SERVICE PROVIDER'S AVERAGE ANNUAL GROSS
REVENUES DURING THE PERIOD DID NOT EXCEED FORTY-ONE MILLION DOLLARS.
(B) THE COVERED ENTITY OR SERVICE PROVIDER, ON AVERAGE, DID NOT ANNU-
ALLY COLLECT OR PROCESS THE COVERED DATA OF MORE THAN TWO HUNDRED THOU-
SAND INDIVIDUALS DURING THE PERIOD BEYOND THE PURPOSE OF INITIATING,
RENDERING, BILLING FOR, FINALIZING, COMPLETING, OR OTHERWISE COLLECTING
PAYMENT FOR A REQUESTED SERVICE OR PRODUCT, SO LONG AS ALL COVERED DATA
FOR SUCH PURPOSE WAS DELETED OR DE-IDENTIFIED WITHIN NINETY DAYS, EXCEPT
WHEN NECESSARY TO INVESTIGATE FRAUD OR AS CONSISTENT WITH A COVERED
ENTITY'S RETURN POLICY.
(C) THE COVERED ENTITY OR SERVICE PROVIDER DID NOT DERIVE MORE THAN
FIFTY PERCENT OF ITS REVENUE FROM TRANSFERRING COVERED DATA DURING ANY
YEAR (OR PART OF A YEAR IF THE COVERED ENTITY HAS BEEN IN EXISTENCE FOR
LESS THAN ONE YEAR) THAT OCCURS DURING THE PERIOD.
3. FOR PURPOSES OF THIS SECTION, THE TERM "REVENUE" AS IT RELATES TO
ANY COVERED ENTITY OR SERVICE PROVIDER THAT IS NOT ORGANIZED TO CARRY ON
BUSINESS FOR ITS OWN PROFIT OR THAT OF ITS MEMBERS, MEANS THE GROSS
RECEIPTS THE COVERED ENTITY OR SERVICE PROVIDER RECEIVED IN WHATEVER
FORM FROM ALL SOURCES WITHOUT SUBTRACTING ANY COSTS OR EXPENSES, AND
INCLUDES CONTRIBUTIONS, GIFTS, GRANTS, DUES OR OTHER ASSESSMENTS, INCOME
FROM INVESTMENTS, OR PROCEEDS FROM THE SALE OF REAL OR PERSONAL PROPER-
TY.
§ 1529. UNIFIED OPT-OUT MECHANISMS. 1. FOR THE RIGHTS ESTABLISHED
UNDER SUBDIVISIONS TWO AND THREE OF SECTION FIFTEEN HUNDRED TWENTY-THREE
(EXCEPT AS PROVIDED FOR UNDER PARAGRAPH (P) OF SUBDIVISION TWO OF
SECTION FIFTEEN HUNDRED TEN OF THIS ARTICLE), AND SUBPARAGRAPH (III) OF
PARAGRAPH (C) OF SUBDIVISION TWO OF SECTION FIFTEEN HUNDRED TWENTY-FIVE
OF THIS TITLE, FOLLOWING PUBLIC NOTICE AND OPPORTUNITY TO COMMENT AND
NOT LATER THAN EIGHTEEN MONTHS AFTER THE EFFECTIVE DATE OF THIS ARTICLE,
THE DIVISION SHALL ESTABLISH OR RECOGNIZE ONE OR MORE ACCEPTABLE PRIVACY
PROTECTIVE, CENTRALIZED MECHANISMS, INCLUDING GLOBAL PRIVACY SIGNALS
SUCH AS BROWSER OR DEVICE PRIVACY SETTINGS, OTHER TOOLS OFFERED BY
COVERED ENTITIES OR SERVICE PROVIDERS, AND REGISTRIES OF IDENTIFIERS,
FOR INDIVIDUALS TO EXERCISE ALL SUCH RIGHTS THROUGH A SINGLE INTERFACE
FOR A COVERED ENTITY OR SERVICE PROVIDER TO UTILIZE TO ALLOW AN INDIVID-
UAL TO MAKE SUCH OPT OUT DESIGNATIONS WITH RESPECT TO COVERED DATA
RELATED TO SUCH INDIVIDUAL.
2. ANY SUCH CENTRALIZED OPT-OUT MECHANISM SHALL:
(A) REQUIRE COVERED ENTITIES OR SERVICE PROVIDERS ACTING ON BEHALF OF
COVERED ENTITIES TO INFORM INDIVIDUALS ABOUT THE CENTRALIZED OPT-OUT
CHOICE;
(B) NOT BE REQUIRED TO BE THE DEFAULT SETTING, BUT MAY BE THE DEFAULT
SETTING PROVIDED THAT IN ALL CASES THE MECHANISM CLEARLY REPRESENTS THE
INDIVIDUAL'S AFFIRMATIVE, FREELY GIVEN, AND UNAMBIGUOUS CHOICE TO OPT
OUT;
(C) BE CONSUMER-FRIENDLY, CLEARLY DESCRIBED, AND EASY-TO-USE BY A
REASONABLE INDIVIDUAL;
(D) PERMIT THE COVERED ENTITY OR SERVICE PROVIDER ACTING ON BEHALF OF
A COVERED ENTITY TO HAVE AN AUTHENTICATION PROCESS THE COVERED ENTITY OR
SERVICE PROVIDER ACTING ON BEHALF OF A COVERED ENTITY MAY USE TO DETER-
MINE IF THE MECHANISM REPRESENTS A LEGITIMATE REQUEST TO OPT OUT;
(E) BE PROVIDED IN ANY COVERED LANGUAGE IN WHICH THE COVERED ENTITY
PROVIDES PRODUCTS OR SERVICES SUBJECT TO THE OPT-OUT; AND
A. 6319 30
(F) BE PROVIDED IN A MANNER THAT IS REASONABLY ACCESSIBLE TO AND
USABLE BY INDIVIDUALS WITH DISABILITIES.
TITLE IV
CORPORATE ACCOUNTABILITY
SECTION 1540. EXECUTIVE RESPONSIBILITY.
1541. SERVICE PROVIDERS AND THIRD PARTIES.
1542. TECHNICAL COMPLIANCE PROGRAMS.
1543. DIVISION APPROVED COMPLIANCE GUIDELINES.
1544. DIGITAL CONTENT FORGERIES.
§ 1540. EXECUTIVE RESPONSIBILITY. 1. BEGINNING ONE YEAR AFTER THE
EFFECTIVE DATE OF THIS ARTICLE, AN EXECUTIVE OFFICER OF A LARGE DATA
HOLDER SHALL ANNUALLY CERTIFY, IN GOOD FAITH, TO THE DIVISION, IN A
MANNER SPECIFIED BY THE DIVISION THAT THE ENTITY MAINTAINS:
(A) INTERNAL CONTROLS REASONABLY DESIGNED TO COMPLY WITH THIS ARTICLE;
AND
(B) INTERNAL REPORTING STRUCTURES TO ENSURE THAT SUCH CERTIFYING EXEC-
UTIVE OFFICER IS INVOLVED IN AND RESPONSIBLE FOR THE DECISIONS THAT
IMPACT THE COMPLIANCE BY THE LARGE DATA HOLDER WITH THIS ARTICLE.
2. A CERTIFICATION SUBMITTED UNDER SUBDIVISION ONE OF THIS SECTION
SHALL BE BASED ON A REVIEW OF THE EFFECTIVENESS OF THE INTERNAL CONTROLS
AND REPORTING STRUCTURES OF THE LARGE DATA HOLDER THAT IS CONDUCTED BY
THE CERTIFYING EXECUTIVE OFFICER NOT MORE THAN NINETY DAYS BEFORE THE
SUBMISSION OF THE CERTIFICATION. A CERTIFICATION SUBMITTED UNDER SUBDI-
VISION ONE OF THIS SECTION IS MADE IN GOOD FAITH IF THE CERTIFYING OFFI-
CER HAD, AFTER A REASONABLE INVESTIGATION, REASONABLE GROUND TO BELIEVE
AND DID BELIEVE, AT THE TIME THAT CERTIFICATION WAS SUBMITTED, THAT THE
STATEMENTS THEREIN WERE TRUE AND THAT THERE WAS NO OMISSION TO STATE A
MATERIAL FACT REQUIRED TO BE STATED THEREIN OR NECESSARY TO MAKE THE
STATEMENTS THEREIN NOT MISLEADING.
3. (A) A COVERED ENTITY OR SERVICE PROVIDER THAT HAS MORE THAN FIFTEEN
EMPLOYEES, SHALL DESIGNATE:
(I) ONE OR MORE QUALIFIED EMPLOYEES AS PRIVACY OFFICERS; AND
(II) ONE OR MORE QUALIFIED EMPLOYEES (IN ADDITION TO ANY EMPLOYEE
DESIGNATED UNDER SUBPARAGRAPH (I) OF THIS PARAGRAPH) AS DATA SECURITY
OFFICERS.
(B) AN EMPLOYEE WHO IS DESIGNATED BY A COVERED ENTITY OR A SERVICE
PROVIDER AS A PRIVACY OFFICER OR A DATA SECURITY OFFICER PURSUANT TO
PARAGRAPH (A) OF THIS SUBDIVISION SHALL, AT A MINIMUM:
(I) IMPLEMENT A DATA PRIVACY PROGRAM AND DATA SECURITY PROGRAM TO
SAFEGUARD THE PRIVACY AND SECURITY OF COVERED DATA IN COMPLIANCE WITH
THE REQUIREMENTS OF THIS ARTICLE; AND
(II) FACILITATE THE COVERED ENTITY OR SERVICE PROVIDER'S ONGOING
COMPLIANCE WITH THIS ARTICLE.
(C) A LARGE DATA HOLDER SHALL DESIGNATE AT LEAST ONE OF THE OFFICERS
DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION TO REPORT DIRECTLY TO THE
HIGHEST OFFICIAL AT THE LARGE DATA HOLDER AS A PRIVACY PROTECTION OFFI-
CER WHO SHALL, IN ADDITION TO THE REQUIREMENTS IN PARAGRAPH (B) OF THIS
SUBDIVISION, EITHER DIRECTLY OR THROUGH A SUPERVISED DESIGNEE OR DESIG-
NEES:
(I) ESTABLISH PROCESSES TO PERIODICALLY REVIEW AND UPDATE THE PRIVACY
AND SECURITY POLICIES, PRACTICES, AND PROCEDURES OF THE LARGE DATA HOLD-
ER, AS NECESSARY;
(II) CONDUCT BIENNIAL AND COMPREHENSIVE AUDITS TO ENSURE THE POLICIES,
PRACTICES, AND PROCEDURES OF THE LARGE DATA HOLDER ENSURE THE LARGE DATA
A. 6319 31
HOLDER IS IN COMPLIANCE WITH THIS ARTICLE AND ENSURE SUCH AUDITS ARE
ACCESSIBLE TO THE DIVISION UPON REQUEST;
(III) DEVELOP A PROGRAM TO EDUCATE AND TRAIN EMPLOYEES ABOUT COMPLI-
ANCE REQUIREMENTS OF THIS ARTICLE;
(IV) MAINTAIN UPDATED, ACCURATE, CLEAR, AND UNDERSTANDABLE RECORDS OF
ALL MATERIAL PRIVACY AND DATA SECURITY PRACTICES UNDERTAKEN BY THE LARGE
DATA HOLDER; AND
(V) SERVE AS THE POINT OF CONTACT BETWEEN THE LARGE DATA HOLDER AND
ENFORCEMENT AUTHORITIES.
4. (A) NOT LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF THIS ARTI-
CLE OR ONE YEAR AFTER THE DATE ON WHICH A COVERED ENTITY FIRST MEETS THE
DEFINITION OF LARGE DATA HOLDER, WHICHEVER IS EARLIER, AND BIENNIALLY
THEREAFTER, EACH COVERED ENTITY THAT IS A LARGE DATA HOLDER SHALL
CONDUCT A PRIVACY IMPACT ASSESSMENT THAT WEIGHS THE BENEFITS OF THE
LARGE DATA HOLDER'S COVERED DATA COLLECTING, PROCESSING, AND TRANSFER
PRACTICES AGAINST THE POTENTIAL ADVERSE CONSEQUENCES OF SUCH PRACTICES,
INCLUDING SUBSTANTIAL PRIVACY RISKS, TO INDIVIDUAL PRIVACY.
(B) A PRIVACY IMPACT ASSESSMENT REQUIRED UNDER PARAGRAPH (A) OF THIS
SUBDIVISION SHALL BE:
(I) REASONABLE AND APPROPRIATE IN SCOPE GIVEN:
(A) THE NATURE OF THE COVERED DATA COLLECTED, PROCESSED, AND TRANS-
FERRED BY THE LARGE DATA HOLDER;
(B) THE VOLUME OF THE COVERED DATA COLLECTED, PROCESSED, AND TRANS-
FERRED BY THE LARGE DATA HOLDER; AND
(C) THE POTENTIAL MATERIAL RISKS POSED TO THE PRIVACY OF INDIVIDUALS
BY THE COLLECTING, PROCESSING, AND TRANSFER OF COVERED DATA BY THE LARGE
DATA HOLDER;
(II) DOCUMENTED IN WRITTEN FORM AND MAINTAINED BY THE LARGE DATA HOLD-
ER UNLESS RENDERED OUT OF DATE BY A SUBSEQUENT ASSESSMENT CONDUCTED
UNDER PARAGRAPH (A) OF THIS SUBDIVISION; AND
(III) APPROVED BY THE PRIVACY PROTECTION OFFICER DESIGNATED IN PARA-
GRAPH (C) OF SUBDIVISION THREE OF THIS SECTION OF THE LARGE DATA HOLDER,
AS APPLICABLE.
(C) IN ASSESSING THE PRIVACY RISKS, INCLUDING SUBSTANTIAL PRIVACY
RISKS, THE LARGE DATA HOLDER MUST INCLUDE REVIEWS OF THE MEANS BY WHICH
TECHNOLOGIES, INCLUDING BLOCKCHAIN AND DISTRIBUTED LEDGER TECHNOLOGIES
AND OTHER EMERGING TECHNOLOGIES, ARE USED TO SECURE COVERED DATA.
5. (A) NOT LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF THIS ARTI-
CLE, AND BIENNIALLY THEREAFTER, EACH COVERED ENTITY THAT IS NOT A LARGE
DATA HOLDER AND DOES NOT MEET THE REQUIREMENTS FOR COVERED ENTITIES
UNDER SECTION FIFTEEN HUNDRED TWENTY-EIGHT OF THIS ARTICLE SHALL CONDUCT
A PRIVACY IMPACT ASSESSMENT. SUCH ASSESSMENT SHALL WEIGH THE BENEFITS OF
THE COVERED ENTITY'S COVERED DATA COLLECTING, PROCESSING, AND TRANSFER
PRACTICES THAT MAY CAUSE A SUBSTANTIAL PRIVACY RISK AGAINST THE POTEN-
TIAL MATERIAL ADVERSE CONSEQUENCES OF SUCH PRACTICES TO INDIVIDUAL
PRIVACY.
(B) A PRIVACY IMPACT ASSESSMENT REQUIRED UNDER PARAGRAPH (A) OF THIS
SUBDIVISION SHALL BE:
(I) REASONABLE AND APPROPRIATE IN SCOPE GIVEN:
(A) THE NATURE OF THE COVERED DATA COLLECTED, PROCESSED, AND TRANS-
FERRED BY THE COVERED ENTITY;
(B) THE VOLUME OF THE COVERED DATA COLLECTED, PROCESSED, AND TRANS-
FERRED BY THE COVERED ENTITY; AND
(C) THE POTENTIAL RISKS POSED TO THE PRIVACY OF INDIVIDUALS BY THE
COLLECTING, PROCESSING, AND TRANSFER OF COVERED DATA BY THE COVERED
ENTITY; AND
A. 6319 32
(II) DOCUMENTED IN WRITTEN FORM AND MAINTAINED BY THE COVERED ENTITY
UNLESS RENDERED OUT OF DATE BY A SUBSEQUENT ASSESSMENT CONDUCTED UNDER
PARAGRAPH (A) OF THIS SUBDIVISION.
(C) IN ASSESSING THE PRIVACY RISKS, INCLUDING SUBSTANTIAL PRIVACY
RISKS, THE COVERED ENTITY MAY INCLUDE REVIEWS OF THE MEANS BY WHICH
TECHNOLOGIES, INCLUDING BLOCKCHAIN AND DISTRIBUTED LEDGER TECHNOLOGIES
AND OTHER EMERGING TECHNOLOGIES, ARE USED TO SECURE COVERED DATA.
§ 1541. SERVICE PROVIDERS AND THIRD PARTIES. 1. A SERVICE PROVIDER:
(A) SHALL ADHERE TO THE INSTRUCTIONS OF A COVERED ENTITY AND ONLY
COLLECT, PROCESS, AND TRANSFER SERVICE PROVIDER DATA TO THE EXTENT
NECESSARY AND PROPORTIONATE TO PROVIDE A SERVICE REQUESTED BY THE
COVERED ENTITY, AS SET OUT IN THE CONTRACT REQUIRED BY SUBDIVISION TWO
OF THIS SECTION, AND THIS PARAGRAPH DOES NOT REQUIRE A SERVICE PROVIDER
TO COLLECT, PROCESS, OR TRANSFER COVERED DATA IF THE SERVICE PROVIDER
WOULD NOT OTHERWISE DO SO;
(B) MAY NOT COLLECT, PROCESS, OR TRANSFER SERVICE PROVIDER DATA IF THE
SERVICE PROVIDER HAS ACTUAL KNOWLEDGE THAT A COVERED ENTITY VIOLATED
THIS ARTICLE WITH RESPECT TO SUCH DATA;
(C) SHALL ASSIST A COVERED ENTITY IN RESPONDING TO A REQUEST MADE BY
AN INDIVIDUAL UNDER SECTION FIFTEEN HUNDRED TWENTY-TWO OR FIFTEEN
HUNDRED TWENTY-THREE OF THIS ARTICLE, BY EITHER:
(I) PROVIDING APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES,
TAKING INTO ACCOUNT THE NATURE OF THE PROCESSING AND THE INFORMATION
REASONABLY AVAILABLE TO THE SERVICE PROVIDER, FOR THE COVERED ENTITY TO
COMPLY WITH SUCH REQUEST FOR SERVICE PROVIDER DATA; OR
(II) FULFILLING A REQUEST BY A COVERED ENTITY TO EXECUTE AN INDIVIDUAL
RIGHTS REQUEST THAT THE COVERED ENTITY HAS DETERMINED SHOULD BE COMPLIED
WITH, BY EITHER:
(A) COMPLYING WITH THE REQUEST PURSUANT TO THE COVERED ENTITY'S
INSTRUCTIONS; OR
(B) PROVIDING WRITTEN VERIFICATION TO THE COVERED ENTITY THAT IT DOES
NOT HOLD COVERED DATA RELATED TO THE REQUEST, THAT COMPLYING WITH THE
REQUEST WOULD BE INCONSISTENT WITH ITS LEGAL OBLIGATIONS, OR THAT THE
REQUEST FALLS WITHIN AN EXCEPTION TO SECTION FIFTEEN HUNDRED TWENTY-TWO
OR FIFTEEN HUNDRED TWENTY-THREE OF THIS ARTICLE;
(D) MAY ENGAGE ANOTHER SERVICE PROVIDER FOR PURPOSES OF PROCESSING
SERVICE PROVIDER DATA ON BEHALF OF A COVERED ENTITY ONLY AFTER PROVIDING
THAT COVERED ENTITY WITH NOTICE AND PURSUANT TO A WRITTEN CONTRACT THAT
REQUIRES SUCH OTHER SERVICE PROVIDER TO SATISFY THE OBLIGATIONS OF THE
SERVICE PROVIDER WITH RESPECT TO SUCH SERVICE PROVIDER DATA, INCLUDING
THAT THE OTHER SERVICE PROVIDER BE TREATED AS A SERVICE PROVIDER UNDER
THIS ARTICLE;
(E) SHALL, UPON THE REASONABLE REQUEST OF THE COVERED ENTITY, MAKE
AVAILABLE TO THE COVERED ENTITY INFORMATION NECESSARY TO DEMONSTRATE THE
COMPLIANCE OF THE SERVICE PROVIDER WITH THE REQUIREMENTS OF THIS ARTI-
CLE, WHICH MAY INCLUDE MAKING AVAILABLE A REPORT OF AN INDEPENDENT
ASSESSMENT ARRANGED BY THE SERVICE PROVIDER ON TERMS AGREED TO BY THE
SERVICE PROVIDER AND THE COVERED ENTITY, PROVIDING INFORMATION NECESSARY
TO ENABLE THE COVERED ENTITY TO CONDUCT AND DOCUMENT A PRIVACY IMPACT
ASSESSMENT REQUIRED BY SUBDIVISION FOUR OR FIVE OF SECTION FIFTEEN
HUNDRED FORTY OF THIS TITLE, AND MAKING AVAILABLE THE REPORT REQUIRED
UNDER PARAGRAPH (B) OF SUBDIVISION THREE OF SECTION FIFTEEN HUNDRED
TWENTY-SIX OF THIS ARTICLE;
(F) SHALL, AT THE COVERED ENTITY'S DIRECTION, DELETE OR RETURN ALL
COVERED DATA TO THE COVERED ENTITY AS REQUESTED AT THE END OF THE
A. 6319 33
PROVISION OF SERVICES, UNLESS RETENTION OF THE COVERED DATA IS REQUIRED
BY LAW;
(G) SHALL DEVELOP, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE,
TECHNICAL, AND PHYSICAL SAFEGUARDS THAT ARE DESIGNED TO PROTECT THE
SECURITY AND CONFIDENTIALITY OF COVERED DATA THE SERVICE PROVIDER PROC-
ESSES CONSISTENT WITH SECTION FIFTEEN HUNDRED TWENTY-SEVEN OF THIS ARTI-
CLE; AND
(H) SHALL ALLOW AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE
COVERED ENTITY OR THE COVERED ENTITY'S DESIGNATED ASSESSOR; ALTERNATIVE-
LY, THE SERVICE PROVIDER MAY ARRANGE FOR A QUALIFIED AND INDEPENDENT
ASSESSOR TO CONDUCT AN ASSESSMENT OF THE SERVICE PROVIDER'S POLICIES AND
TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE OBLIGATIONS
UNDER THIS ARTICLE USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR
FRAMEWORK AND ASSESSMENT PROCEDURE FOR SUCH ASSESSMENTS. THE SERVICE
PROVIDER SHALL PROVIDE A REPORT OF SUCH ASSESSMENT TO THE COVERED ENTITY
UPON REQUEST.
2. (A) A PERSON OR ENTITY MAY ONLY ACT AS A SERVICE PROVIDER PURSUANT
TO A WRITTEN CONTRACT BETWEEN THE COVERED ENTITY AND THE SERVICE PROVID-
ER, OR A WRITTEN CONTRACT BETWEEN ONE SERVICE PROVIDER AND A SECOND
SERVICE PROVIDER AS DESCRIBED UNDER PARAGRAPH (D) OF SUBDIVISION ONE OF
THIS SECTION, IF THE CONTRACT:
(I) SETS FORTH THE DATA PROCESSING PROCEDURES OF THE SERVICE PROVIDER
WITH RESPECT TO COLLECTION, PROCESSING, OR TRANSFER PERFORMED ON BEHALF
OF THE COVERED ENTITY OR SERVICE PROVIDER;
(II) CLEARLY SETS FORTH:
(A) INSTRUCTIONS FOR COLLECTING, PROCESSING, OR TRANSFERRING DATA;
(B) THE NATURE AND PURPOSE OF COLLECTING, PROCESSING, OR TRANSFERRING;
(C) THE TYPE OF DATA SUBJECT TO COLLECTING, PROCESSING, OR TRANS-
FERRING;
(D) THE DURATION OF PROCESSING; AND
(E) THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES, INCLUDING A METHOD BY
WHICH THE SERVICE PROVIDER SHALL NOTIFY THE COVERED ENTITY OF MATERIAL
CHANGES TO ITS PRIVACY PRACTICES;
(III) DOES NOT RELIEVE A COVERED ENTITY OR A SERVICE PROVIDER OF ANY
REQUIREMENT OR LIABILITY IMPOSED ON SUCH COVERED ENTITY OR SERVICE
PROVIDER UNDER THIS ARTICLE; AND
(IV) PROHIBITS:
(A) COLLECTING, PROCESSING, OR TRANSFERRING COVERED DATA IN CONTRAVEN-
TION TO SUBDIVISION ONE OF THIS SECTION; AND
(B) COMBINING SERVICE PROVIDER DATA WITH COVERED DATA WHICH THE
SERVICE PROVIDER RECEIVES FROM OR ON BEHALF OF ANOTHER PERSON OR PERSONS
OR COLLECTS FROM THE INTERACTION OF THE SERVICE PROVIDER WITH AN INDI-
VIDUAL, PROVIDED THAT SUCH COMBINING IS NOT NECESSARY TO EFFECTUATE A
PURPOSE DESCRIBED IN PARAGRAPHS (A) THROUGH (O) OF SUBDIVISION TWO OF
SECTION FIFTEEN HUNDRED TEN OF THIS ARTICLE AND IS OTHERWISE PERMITTED
UNDER THE CONTRACT REQUIRED BY THIS SUBDIVISION.
(B) EACH SERVICE PROVIDER SHALL RETAIN COPIES OF PREVIOUS CONTRACTS
ENTERED INTO IN COMPLIANCE WITH THIS SUBDIVISION WITH EACH COVERED ENTI-
TY TO WHICH IT PROVIDES REQUESTED PRODUCTS OR SERVICES.
3. (A) DETERMINING WHETHER A PERSON IS ACTING AS A COVERED ENTITY OR
SERVICE PROVIDER WITH RESPECT TO A SPECIFIC PROCESSING OF COVERED DATA
IS A FACT-BASED DETERMINATION THAT DEPENDS UPON THE CONTEXT IN WHICH
SUCH DATA IS PROCESSED.
(B) A PERSON THAT IS NOT LIMITED IN ITS PROCESSING OF COVERED DATA
PURSUANT TO THE INSTRUCTIONS OF A COVERED ENTITY, OR THAT FAILS TO
ADHERE TO SUCH INSTRUCTIONS, IS A COVERED ENTITY AND NOT A SERVICE
A. 6319 34
PROVIDER WITH RESPECT TO A SPECIFIC PROCESSING OF COVERED DATA. A
SERVICE PROVIDER THAT CONTINUES TO ADHERE TO THE INSTRUCTIONS OF A
COVERED ENTITY WITH RESPECT TO A SPECIFIC PROCESSING OF COVERED DATA
REMAINS A SERVICE PROVIDER. IF A SERVICE PROVIDER BEGINS, ALONE OR
JOINTLY WITH OTHERS, DETERMINING THE PURPOSES AND MEANS OF THE PROCESS-
ING OF COVERED DATA, IT IS A COVERED ENTITY AND NOT A SERVICE PROVIDER
WITH RESPECT TO THE PROCESSING OF SUCH DATA.
(C) A COVERED ENTITY THAT TRANSFERS COVERED DATA TO A SERVICE PROVIDER
OR A SERVICE PROVIDER THAT TRANSFERS COVERED DATA TO A COVERED ENTITY OR
ANOTHER SERVICE PROVIDER, IN COMPLIANCE WITH THE REQUIREMENTS OF THIS
ARTICLE, IS NOT LIABLE FOR A VIOLATION OF THIS ARTICLE BY THE SERVICE
PROVIDER OR COVERED ENTITY TO WHOM SUCH COVERED DATA WAS TRANSFERRED, IF
AT THE TIME OF TRANSFERRING SUCH COVERED DATA, THE COVERED ENTITY OR
SERVICE PROVIDER DID NOT HAVE ACTUAL KNOWLEDGE THAT THE SERVICE PROVIDER
OR COVERED ENTITY WOULD VIOLATE THIS ARTICLE.
(D) A COVERED ENTITY OR SERVICE PROVIDER THAT RECEIVES COVERED DATA IN
COMPLIANCE WITH THE REQUIREMENTS OF THIS ARTICLE IS NOT IN VIOLATION OF
THIS ARTICLE AS A RESULT OF A VIOLATION BY A COVERED ENTITY OR SERVICE
PROVIDER FROM WHICH SUCH DATA WAS RECEIVED.
4. A THIRD PARTY:
(A) SHALL NOT PROCESS THIRD PARTY DATA FOR A PROCESSING PURPOSE OTHER
THAN, IN THE CASE OF SENSITIVE COVERED DATA, THE PROCESSING PURPOSE FOR
WHICH THE INDIVIDUAL GAVE AFFIRMATIVE EXPRESS CONSENT OR TO EFFECT A
PURPOSE ENUMERATED IN PARAGRAPH (A), (C), OR (E) OF SUBDIVISION TWO OF
SECTION FIFTEEN HUNDRED TEN OF THIS ARTICLE AND, IN THE CASE OF NON-SEN-
SITIVE DATA, THE PROCESSING PURPOSE FOR WHICH THE COVERED ENTITY MADE A
DISCLOSURE PURSUANT TO PARAGRAPH (D) OF SUBDIVISION TWO OF SECTION
FIFTEEN HUNDRED TWENTY-ONE OF THIS ARTICLE; AND
(B) FOR PURPOSES OF PARAGRAPH (A) OF THIS SUBDIVISION, MAY REASONABLY
RELY ON REPRESENTATIONS MADE BY THE COVERED ENTITY THAT TRANSFERRED THE
THIRD PARTY DATA IF THE THIRD PARTY CONDUCTS REASONABLE DUE DILIGENCE ON
THE REPRESENTATIONS OF THE COVERED ENTITY AND FINDS THOSE REPRESENTA-
TIONS TO BE CREDIBLE.
5. (A) A COVERED ENTITY OR SERVICE PROVIDER SHALL EXERCISE REASONABLE
DUE DILIGENCE IN:
(I) SELECTING A SERVICE PROVIDER; AND
(II) DECIDING TO TRANSFER COVERED DATA TO A THIRD PARTY.
(B) NOT LATER THAN TWO YEARS AFTER THE EFFECTIVE DATE OF THIS ARTICLE,
THE DIVISION SHALL PUBLISH GUIDANCE REGARDING COMPLIANCE WITH THIS
SUBDIVISION, TAKING INTO CONSIDERATION THE BURDENS ON LARGE DATA HOLD-
ERS, COVERED ENTITIES WHO ARE NOT LARGE DATA HOLDERS, AND COVERED ENTI-
TIES MEETING THE REQUIREMENTS OF SECTION FIFTEEN HUNDRED TWENTY-EIGHT OF
THIS ARTICLE.
6. SOLELY FOR THE PURPOSES OF THIS SECTION, THE REQUIREMENTS FOR
SERVICE PROVIDERS TO CONTRACT WITH, ASSIST, AND FOLLOW THE INSTRUCTIONS
OF COVERED ENTITIES SHALL BE READ TO INCLUDE REQUIREMENTS TO CONTRACT
WITH, ASSIST, AND FOLLOW THE INSTRUCTIONS OF A GOVERNMENT ENTITY IF THE
SERVICE PROVIDER IS PROVIDING A SERVICE TO A GOVERNMENT ENTITY.
§ 1542. TECHNICAL COMPLIANCE PROGRAMS. 1. NOT LATER THAN THREE YEARS
AFTER THE EFFECTIVE DATE OF THIS ARTICLE, THE DIVISION SHALL PROMULGATE
RULES AND REGULATIONS TO ESTABLISH A PROCESS FOR THE PROPOSAL AND
APPROVAL OF TECHNICAL COMPLIANCE PROGRAMS UNDER THIS SECTION USED BY A
COVERED ENTITY TO COLLECT, PROCESS, OR TRANSFER COVERED DATA.
2. THE TECHNICAL COMPLIANCE PROGRAMS ESTABLISHED UNDER THIS SECTION
SHALL, WITH RESPECT TO A TECHNOLOGY, PRODUCT, SERVICE, OR METHOD USED BY
A COVERED ENTITY TO COLLECT, PROCESS, OR TRANSFER COVERED DATA:
A. 6319 35
(I) ESTABLISH PUBLICLY AVAILABLE GUIDELINES FOR COMPLIANCE WITH THIS
ARTICLE; AND
(II) MEET OR EXCEED THE REQUIREMENTS OF THIS ARTICLE.
3. (A) ANY REQUEST FOR APPROVAL, AMENDMENT, OR REPEAL OF A TECHNICAL
COMPLIANCE PROGRAM MAY BE SUBMITTED TO THE DIVISION BY ANY PERSON,
INCLUDING A COVERED ENTITY, A REPRESENTATIVE OF A COVERED ENTITY, AN
ASSOCIATION OF COVERED ENTITIES, OR A PUBLIC INTEREST GROUP OR ORGANIZA-
TION. WITHIN NINETY DAYS AFTER THE REQUEST IS MADE, THE DIVISION SHALL
PUBLISH THE REQUEST AND PROVIDE AN OPPORTUNITY FOR PUBLIC COMMENT ON THE
PROPOSAL.
(B) BEGINNING ONE YEAR AFTER THE EFFECTIVE DATE OF THIS ARTICLE, THE
DIVISION SHALL ACT UPON A REQUEST FOR THE PROPOSAL AND APPROVAL OF A
TECHNICAL COMPLIANCE PROGRAM NOT LATER THAN ONE YEAR AFTER THE FILING OF
THE REQUEST AND SHALL SET FORTH PUBLICLY IN WRITING THE CONCLUSIONS OF
THE DIVISION WITH REGARD TO SUCH REQUEST.
4. FINAL ACTION BY THE DIVISION ON A REQUEST FOR APPROVAL, AMENDMENT,
OR REPEAL OF A TECHNICAL COMPLIANCE PROGRAM, OR THE FAILURE TO ACT WITH-
IN THE ONE-YEAR PERIOD AFTER A REQUEST FOR APPROVAL, AMENDMENT, OR
REPEAL OF A TECHNICAL COMPLIANCE PROGRAM IS MADE UNDER SUBDIVISION THREE
OF THIS SECTION, MAY BE APPEALED TO A COURT OF APPROPRIATE JURISDICTION.
5. (A) PRIOR TO COMMENCING AN INVESTIGATION OR ENFORCEMENT ACTION
AGAINST ANY COVERED ENTITY UNDER THIS ARTICLE, THE DIVISION AND THE
ATTORNEY GENERAL SHALL CONSIDER THE COVERED ENTITY'S HISTORY OF COMPLI-
ANCE WITH ANY TECHNICAL COMPLIANCE PROGRAM APPROVED UNDER THIS SECTION
AND ANY ACTION TAKEN BY THE COVERED ENTITY TO REMEDY NONCOMPLIANCE WITH
SUCH PROGRAM. IF SUCH ENFORCEMENT ACTION DESCRIBED IN SECTION FIFTEEN
HUNDRED FIFTY-TWO OF THIS ARTICLE IS BROUGHT, THE COVERED ENTITY'S
HISTORY OF COMPLIANCE WITH ANY TECHNICAL COMPLIANCE PROGRAM APPROVED
UNDER THIS SECTION AND ANY ACTION TAKEN BY THE COVERED ENTITY TO REMEDY
NONCOMPLIANCE WITH SUCH PROGRAM SHALL BE TAKEN INTO CONSIDERATION WHEN
DETERMINING LIABILITY OR A PENALTY. THE COVERED ENTITY'S HISTORY OF
COMPLIANCE WITH ANY TECHNICAL COMPLIANCE PROGRAM SHALL NOT AFFECT ANY
BURDEN OF PROOF OR THE WEIGHT GIVEN TO EVIDENCE IN AN ENFORCEMENT OR
JUDICIAL PROCEEDING.
(B) APPROVAL OF A TECHNICAL COMPLIANCE PROGRAM SHALL NOT LIMIT THE
AUTHORITY OF THE DIVISION, INCLUDING THE DIVISION'S AUTHORITY TO
COMMENCE AN INVESTIGATION OR ENFORCEMENT ACTION AGAINST ANY COVERED
ENTITY UNDER THIS ARTICLE OR ANY OTHER PROVISION OF LAW.
(C) NOTHING IN THIS SUBDIVISION SHALL PROVIDE ANY INDIVIDUAL, CLASS OF
INDIVIDUALS, OR PERSON WITH ANY RIGHT TO SEEK DISCOVERY OF ANY NON-PUBL-
IC DIVISION DELIBERATION OR ACTIVITY OR IMPOSE ANY PLEADING REQUIREMENT
ON THE DIVISION IF THE DIVISION BRINGS AN ENFORCEMENT ACTION OF ANY
KIND.
§ 1543. DIVISION APPROVED COMPLIANCE GUIDELINES. 1. (A) A COVERED
ENTITY THAT IS NOT A THIRD-PARTY COLLECTING ENTITY AND MEETS THE
REQUIREMENTS OF SECTION FIFTEEN HUNDRED TWENTY-EIGHT OF THIS ARTICLE, OR
A GROUP OF SUCH COVERED ENTITIES, MAY APPLY TO THE DIVISION FOR APPROVAL
OF ONE OR MORE SETS OF COMPLIANCE GUIDELINES GOVERNING THE COLLECTION,
PROCESSING, AND TRANSFER OF COVERED DATA BY THE COVERED ENTITY OR GROUP
OF COVERED ENTITIES.
(B) SUCH APPLICATION SHALL INCLUDE:
(I) A DESCRIPTION OF HOW THE PROPOSED GUIDELINES WILL MEET OR EXCEED
THE REQUIREMENTS OF THIS ARTICLE;
(II) A DESCRIPTION OF THE ENTITIES OR ACTIVITIES THE PROPOSED SET OF
COMPLIANCE GUIDELINES IS DESIGNED TO COVER;
A. 6319 36
(III) A LIST OF THE COVERED ENTITIES THAT MEET THE REQUIREMENTS OF
SECTION FIFTEEN HUNDRED TWENTY-EIGHT OF THIS ARTICLE AND ARE NOT THIRD-
PARTY COLLECTING ENTITIES, IF ANY ARE KNOWN AT THE TIME OF APPLICATION,
THAT INTEND TO ADHERE TO THE COMPLIANCE GUIDELINES; AND
(IV) A DESCRIPTION OF HOW SUCH COVERED ENTITIES WILL BE INDEPENDENTLY
ASSESSED FOR ADHERENCE TO SUCH COMPLIANCE GUIDELINES, INCLUDING THE
INDEPENDENT ORGANIZATION NOT ASSOCIATED WITH ANY OF THE COVERED ENTITIES
THAT MAY PARTICIPATE IN GUIDELINES THAT WILL ADMINISTER SUCH GUIDELINES.
(C) (I)(A) WITHIN NINETY DAYS AFTER THE RECEIPT OF PROPOSED GUIDELINES
SUBMITTED PURSUANT TO PARAGRAPH (B) OF THIS SUBDIVISION, THE DIVISION
SHALL PUBLISH THE APPLICATION AND PROVIDE AN OPPORTUNITY FOR PUBLIC
COMMENT ON SUCH COMPLIANCE GUIDELINES.
(B) THE DIVISION SHALL APPROVE AN APPLICATION REGARDING PROPOSED
GUIDELINES UNDER PARAGRAPH (B) OF THIS SUBDIVISION IF THE APPLICANT
DEMONSTRATES THAT THE COMPLIANCE GUIDELINES:
(I) MEET OR EXCEED REQUIREMENTS OF THIS ARTICLE;
(II) PROVIDE FOR THE REGULAR REVIEW AND VALIDATION BY AN INDEPENDENT
ORGANIZATION NOT ASSOCIATED WITH ANY OF THE COVERED ENTITIES THAT MAY
PARTICIPATE IN THE GUIDELINES AND THAT IS APPROVED BY THE DIVISION TO
CONDUCT SUCH REVIEWS OF THE COMPLIANCE GUIDELINES OF THE COVERED ENTITY
OR ENTITIES TO ENSURE THAT THE COVERED ENTITY OR ENTITIES CONTINUE TO
MEET OR EXCEED THE REQUIREMENTS OF THIS ARTICLE; AND
(III) INCLUDE A MEANS OF ENFORCEMENT IF A COVERED ENTITY DOES NOT MEET
OR EXCEED THE REQUIREMENTS IN THE GUIDELINES, WHICH MAY INCLUDE REFERRAL
TO THE DIVISION FOR ENFORCEMENT CONSISTENT WITH SECTION FIFTEEN HUNDRED
FIFTY OF THIS ARTICLE OR REFERRAL TO THE ATTORNEY GENERAL FOR ENFORCE-
MENT CONSISTENT WITH SECTION FIFTEEN HUNDRED FIFTY-ONE OF THIS ARTICLE.
(C) WITHIN ONE YEAR AFTER RECEIVING AN APPLICATION REGARDING PROPOSED
GUIDELINES UNDER PARAGRAPH (B) OF THIS SUBDIVISION, THE DIVISION SHALL
ISSUE A DETERMINATION APPROVING OR DENYING THE APPLICATION AND PROVIDING
ITS REASONS FOR APPROVING OR DENYING SUCH APPLICATION.
(II) (A) IF THE INDEPENDENT ORGANIZATION ADMINISTERING A SET OF GUIDE-
LINES MAKES MATERIAL CHANGES TO GUIDELINES PREVIOUSLY APPROVED BY THE
DIVISION, THE INDEPENDENT ORGANIZATION SHALL SUBMIT THE UPDATED GUIDE-
LINES TO THE DIVISION FOR APPROVAL. AS SOON AS FEASIBLE, THE DIVISION
SHALL PUBLISH THE UPDATED GUIDELINES AND PROVIDE AN OPPORTUNITY FOR
PUBLIC COMMENT.
(B) THE DIVISION SHALL APPROVE OR DENY ANY MATERIAL CHANGE TO THE
GUIDELINES WITHIN ONE YEAR AFTER RECEIPT OF THE SUBMISSION FOR APPROVAL.
2. IF AT ANY TIME THE DIVISION DETERMINES THAT THE GUIDELINES PREVI-
OUSLY APPROVED NO LONGER MEET THE REQUIREMENTS OF THIS ARTICLE OR A
REGULATION PROMULGATED UNDER THIS ARTICLE OR THAT COMPLIANCE WITH THE
APPROVED GUIDELINES IS INSUFFICIENTLY ENFORCED BY THE INDEPENDENT ORGAN-
IZATION ADMINISTERING THE GUIDELINES, THE DIVISION SHALL NOTIFY THE
COVERED ENTITIES OR GROUP OF SUCH ENTITIES AND THE INDEPENDENT ORGANIZA-
TION OF THE DETERMINATION OF THE DIVISION TO WITHDRAW APPROVAL OF SUCH
GUIDELINES AND THE BASIS FOR DOING SO. WITHIN ONE HUNDRED EIGHTY DAYS
AFTER RECEIPT OF SUCH NOTICE, THE COVERED ENTITY OR GROUP OF SUCH ENTI-
TIES AND THE INDEPENDENT ORGANIZATION MAY CURE ANY ALLEGED DEFICIENCY
WITH THE GUIDELINES OR THE ENFORCEMENT OF SUCH GUIDELINES AND SUBMIT
EACH PROPOSED CURE TO THE DIVISION. IF THE DIVISION DETERMINES THAT SUCH
CURES ELIMINATE THE ALLEGED DEFICIENCY IN THE GUIDELINES, THEN THE DIVI-
SION MAY NOT WITHDRAW APPROVAL OF SUCH GUIDELINES ON THE BASIS OF SUCH
DETERMINATION.
3. A COVERED ENTITY THAT IS ELIGIBLE TO PARTICIPATE UNDER PARAGRAPH
(A) OF SUBDIVISION ONE OF THIS SECTION AND PARTICIPATES IN GUIDELINES
A. 6319 37
APPROVED UNDER THIS SECTION SHALL BE DEEMED IN COMPLIANCE WITH THE RELE-
VANT PROVISIONS OF THIS ARTICLE IF SUCH COVERED ENTITY IS IN COMPLIANCE
WITH SUCH GUIDELINES.
§ 1544. DIGITAL CONTENT FORGERIES. NOT LATER THAN ONE YEAR AFTER THE
EFFECTIVE DATE OF THIS ARTICLE, AND ANNUALLY THEREAFTER, THE SECRETARY
OF STATE OR THE SECRETARY'S DESIGNEE SHALL PUBLISH A REPORT REGARDING
DIGITAL CONTENT FORGERIES. EACH REPORT UNDER THIS SECTION SHALL INCLUDE
THE FOLLOWING:
1. A DEFINITION OF DIGITAL CONTENT FORGERIES ALONG WITH ACCOMPANYING
EXPLANATORY MATERIALS.
2. A DESCRIPTION OF THE COMMON SOURCES OF DIGITAL CONTENT FORGERIES IN
THE UNITED STATES AND COMMERCIAL SOURCES OF DIGITAL CONTENT FORGERY
TECHNOLOGIES.
3. AN ASSESSMENT OF THE USES, APPLICATIONS, AND HARMS OF DIGITAL
CONTENT FORGERIES.
4. AN ANALYSIS OF THE METHODS AND STANDARDS AVAILABLE TO IDENTIFY
DIGITAL CONTENT FORGERIES AS WELL AS A DESCRIPTION OF THE COMMERCIAL
TECHNOLOGICAL COUNTER-MEASURES THAT ARE, OR COULD BE, USED TO ADDRESS
CONCERNS WITH DIGITAL CONTENT FORGERIES, WHICH MAY INCLUDE THE PROVISION
OF WARNINGS TO VIEWERS OF SUSPECT CONTENT.
5. A DESCRIPTION OF THE TYPES OF DIGITAL CONTENT FORGERIES, INCLUDING
THOSE USED TO COMMIT FRAUD, CAUSE HARM, OR VIOLATE ANY PROVISION OF LAW.
6. ANY OTHER INFORMATION DETERMINED APPROPRIATE BY THE SECRETARY OF
STATE OR THE SECRETARY'S DESIGNEE.
TITLE V
ENFORCEMENT, APPLICABILITY, AND MISCELLANEOUS
SECTION 1550. ENFORCEMENT BY THE DIVISION OF CONSUMER PROTECTION.
1551. ENFORCEMENT BY THE ATTORNEY GENERAL.
1552. ENFORCEMENT BY PERSONS.
1553. CONSTRUCTION.
1554. SEVERABILITY.
§ 1550. ENFORCEMENT BY THE DIVISION OF CONSUMER PROTECTION. 1.(A) THE
DIVISION SHALL ESTABLISH WITHIN THE DIVISION A NEW BUREAU TO BE KNOWN AS
THE "BUREAU OF PRIVACY" ("THE BUREAU") RELATED TO CONSUMER PROTECTION
AND COMPETITION.
(B) THE MISSION OF THE BUREAU SHALL BE TO ASSIST THE DIVISION IN
CARRYING OUT THE DUTIES OF THE DIVISION UNDER THIS ARTICLE AND RELATED
DUTIES UNDER OTHER PROVISIONS OF LAW.
(C) THE BUREAU SHALL BE ESTABLISHED, STAFFED, AND FULLY OPERATIONAL
NOT LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF THIS ARTICLE.
2. THE DIRECTOR OF THE BUREAU SHALL ESTABLISH WITHIN THE BUREAU AN
OFFICE TO BE KNOWN AS THE "OFFICE OF BUSINESS MENTORSHIP" TO PROVIDE
GUIDANCE AND EDUCATION TO COVERED ENTITIES AND SERVICE PROVIDERS REGARD-
ING COMPLIANCE WITH THIS ARTICLE. COVERED ENTITIES OR SERVICE PROVIDERS
MAY REQUEST ADVICE FROM THE DIVISION OR THE OFFICE OF BUSINESS MENTOR-
SHIP WITH RESPECT TO A COURSE OF ACTION THAT THE COVERED ENTITY OR
SERVICE PROVIDER PROPOSES TO PURSUE AND THAT MAY RELATE TO THE REQUIRE-
MENTS OF THIS ARTICLE.
3. (A) A VIOLATION OF THIS ARTICLE OR OF A RULE OR REGULATION PROMUL-
GATED UNDER THIS ARTICLE SHALL BE TREATED AS A VIOLATION OF A RULE
DEFINING AN UNFAIR OR DECEPTIVE ACT OR PRACTICE.
(B) (I) EXCEPT AS PROVIDED IN PARAGRAPHS (C), (D), AND (E) OF THIS
SUBDIVISION, THE DIVISION SHALL ENFORCE THIS ARTICLE AND THE REGULATIONS
PROMULGATED UNDER THIS ARTICLE.
(II) ANY PERSON WHO VIOLATES THIS ARTICLE OR A RULE OR REGULATION
PROMULGATED UNDER THIS ARTICLE SHALL BE SUBJECT TO THE PENALTIES AND
A. 6319 38
ENTITLED TO THE PRIVILEGES AND IMMUNITIES PROVIDED IN THE FEDERAL TRADE
DIVISION ACT (15 U.S.C. 41 ET SEQ.).
(C) IF THE DIVISION BRINGS A CIVIL ACTION ALLEGING THAT AN ACT OR
PRACTICE VIOLATES THIS ARTICLE OR A REGULATION PROMULGATED UNDER THIS
ARTICLE, THE DIVISION MAY NOT SEEK A CEASE AND DESIST ORDER AGAINST THE
SAME DEFENDANT TO STOP THAT SAME ACT OR PRACTICE ON THE GROUNDS THAT
SUCH ACT OR PRACTICE CONSTITUTES AN UNFAIR OR DECEPTIVE ACT OR PRACTICE.
(D) NOTWITHSTANDING ANY JURISDICTIONAL LIMITATION OF THE DIVISION WITH
RESPECT TO CONSUMER PROTECTION OR PRIVACY, THE DIVISION SHALL ENFORCE
THIS ARTICLE AND THE RULES AND REGULATIONS PROMULGATED UNDER THIS ARTI-
CLE, IN THE SAME MANNER PROVIDED IN PARAGRAPHS (A), (B), (C), AND (E) OF
THIS SUBDIVISION, WITH RESPECT TO COMMON CARRIERS SUBJECT TO THE COMMU-
NICATIONS ACT OF 1934 (47 U.S.C. 151 ET SEQ.) AND ALL ACTS AMENDATORY
THEREOF AND SUPPLEMENTARY THERETO AND ORGANIZATIONS NOT ORGANIZED TO
CARRY ON BUSINESS FOR THEIR OWN PROFIT OR THAT OF THEIR MEMBERS.
(E) IN ANY JUDICIAL OR ADMINISTRATIVE ACTION TO ENFORCE THIS ARTICLE
OR A RULE OR REGULATION PROMULGATED UNDER THIS ARTICLE, THE AMOUNT OF
ANY CIVIL PENALTY OBTAINED AGAINST A COVERED ENTITY OR SERVICE PROVIDER,
OR ANY OTHER MONETARY RELIEF ORDERED TO BE PAID BY A COVERED ENTITY OR
SERVICE PROVIDER TO PROVIDE REDRESS, PAYMENT, COMPENSATION, OR OTHER
RELIEF TO INDIVIDUALS THAT CANNOT BE LOCATED OR THE PAYMENT OF WHICH
WOULD OTHERWISE NOT BE PRACTICABLE, SHALL BE DEPOSITED INTO THE PRIVACY
AND SECURITY VICTIMS RELIEF FUND ESTABLISHED BY SECTION EIGHTY-FIVE OF
THE STATE FINANCE LAW.
§ 1551. ENFORCEMENT BY THE ATTORNEY GENERAL. 1. IN ANY CASE IN WHICH
THE ATTORNEY GENERAL HAS REASON TO BELIEVE THAT AN INTEREST OF THE RESI-
DENTS OF THAT STATE HAS BEEN, MAY BE, OR IS ADVERSELY AFFECTED BY A
VIOLATION OF THIS ARTICLE OR OF A RULE OR REGULATION PROMULGATED UNDER
THIS ARTICLE BY A COVERED ENTITY OR SERVICE PROVIDER, THE ATTORNEY
GENERAL MAY BRING A CIVIL ACTION OR SPECIAL PROCEEDING TO RECOVER A
CIVIL PENALTY PROVIDED FOR BY THIS ARTICLE IN ANY COURT OF COMPETENT
JURISDICTION IN THIS STATE, IN THE NAME OF THE PEOPLE OF THE STATE OF
NEW YORK TO:
(A) ENJOIN SUCH ACT OR PRACTICE;
(B) ENFORCE COMPLIANCE WITH THIS ARTICLE OR SUCH RULE OR REGULATION;
(C) OBTAIN DAMAGES, CIVIL PENALTIES, RESTITUTION, OR OTHER COMPEN-
SATION ON BEHALF OF THE RESIDENTS OF THE STATE; OR
(D) OBTAIN REASONABLE ATTORNEYS' FEES AND OTHER LITIGATION COSTS
REASONABLY INCURRED.
2. (A) EXCEPT AS PROVIDED IN PARAGRAPH (B) OF THIS SUBDIVISION, THE
ATTORNEY GENERAL SHALL NOTIFY THE DIVISION IN WRITING PRIOR TO INITIAT-
ING A CIVIL ACTION UNDER SUBDIVISION ONE OF THIS SECTION. SUCH NOTIFICA-
TION SHALL INCLUDE A COPY OF THE COMPLAINT TO BE FILED TO INITIATE SUCH
ACTION. UPON RECEIVING SUCH NOTIFICATION, THE DIVISION MAY INTERVENE IN
SUCH ACTION AS A MATTER OF RIGHT.
(B) IF THE NOTIFICATION REQUIRED BY PARAGRAPH (A) OF THIS SECTION IS
NOT FEASIBLE, THE ATTORNEY GENERAL SHALL NOTIFY THE DIVISION IMMEDIATELY
AFTER INITIATING THE CIVIL ACTION.
3. IN ANY CASE IN WHICH A CIVIL ACTION IS INSTITUTED BY OR ON BEHALF
OF THE DIVISION FOR VIOLATION OF THIS ARTICLE OR OF A RULE OR REGULATION
PROMULGATED UNDER THIS ARTICLE, NO ATTORNEY GENERAL MAY, DURING THE
PENDENCY OF SUCH ACTION, INSTITUTE A CIVIL ACTION AGAINST ANY DEFENDANT
NAMED IN THE COMPLAINT IN THE ACTION INSTITUTED BY OR ON BEHALF OF THE
DIVISION FOR A VIOLATION OF THIS ARTICLE OR OF A RULE OR REGULATION
PROMULGATED UNDER THIS ARTICLE THAT IS ALLEGED IN SUCH COMPLAINT, IF
SUCH COMPLAINT ALLEGES SUCH VIOLATION AFFECTED THE RESIDENTS OF THE
A. 6319 39
STATE OR INDIVIDUALS NATIONWIDE. IF THE DIVISION BRINGS A CIVIL ACTION
AGAINST A COVERED ENTITY OR SERVICE PROVIDER FOR A VIOLATION OF THIS
ARTICLE OR OF A RULE OR REGULATION PROMULGATED UNDER THIS ARTICLE THAT
AFFECTS THE INTERESTS OF THE RESIDENTS OF THE STATE, THE ATTORNEY GENER-
AL MAY INTERVENE IN SUCH ACTION AS A MATTER OF RIGHT.
4. NOTHING IN THIS SECTION MAY BE CONSTRUED TO PREVENT THE ATTORNEY
GENERAL FROM EXERCISING THE POWERS CONFERRED ON THE ATTORNEY GENERAL TO
CONDUCT INVESTIGATIONS, TO ADMINISTER OATHS OR AFFIRMATIONS, OR TO
COMPEL THE ATTENDANCE OF WITNESSES OR THE PRODUCTION OF DOCUMENTARY OR
OTHER EVIDENCE.
5. EXCEPT AS PROVIDED IN SUBDIVISION THREE OF THIS SECTION, NOTHING IN
THIS SECTION MAY BE CONSTRUED AS ALTERING, LIMITING, OR AFFECTING THE
AUTHORITY OF THE ATTORNEY GENERAL TO EXERCISE THE POWERS CONFERRED ON
THE ATTORNEY GENERAL BY THE LAWS OF THE STATE, INCLUDING THE ABILITY TO
CONDUCT INVESTIGATIONS, ADMINISTER OATHS OR AFFIRMATIONS, OR COMPEL THE
ATTENDANCE OF WITNESSES OR THE PRODUCTION OF DOCUMENTARY OR OTHER
EVIDENCE.
§ 1552. ENFORCEMENT BY PERSONS. 1. (A) BEGINNING ON THE DATE THAT IS
TWO YEARS AFTER THE EFFECTIVE DATE OF THIS ARTICLE, ANY PERSON OR CLASS
OF PERSONS FOR A VIOLATION OF THIS ARTICLE OR OF A RULE OR REGULATION
PROMULGATED UNDER THIS ARTICLE BY A COVERED ENTITY OR SERVICE PROVIDER
MAY BRING A CIVIL ACTION AGAINST SUCH ENTITY IN ANY COURT OF COMPETENT
JURISDICTION.
(B) IN A CIVIL ACTION BROUGHT UNDER PARAGRAPH (A) OF THIS SUBDIVISION
IN WHICH A PLAINTIFF PREVAILS, THE COURT MAY AWARD THE PLAINTIFF:
(I) AN AMOUNT EQUAL TO THE SUM OF ANY COMPENSATORY DAMAGES;
(II) INJUNCTIVE RELIEF;
(III) DECLARATORY RELIEF; AND
(IV) REASONABLE ATTORNEY'S FEES AND LITIGATION COSTS.
(C) (I) PRIOR TO A PERSON BRINGING A CIVIL ACTION UNDER PARAGRAPH (A)
OF THIS SUBDIVISION, SUCH PERSON SHALL NOTIFY THE DIVISION AND THE
ATTORNEY GENERAL IN WRITING THAT SUCH PERSON INTENDS TO BRING SUCH CIVIL
ACTION. UPON RECEIVING SUCH NOTICE, THE DIVISION AND ATTORNEY GENERAL
SHALL EACH OR JOINTLY MAKE A DETERMINATION AND RESPOND TO SUCH PERSON
NOT LATER THAN SIXTY DAYS AFTER RECEIVING SUCH NOTICE, AS TO WHETHER
THEY WILL INTERVENE IN SUCH ACTION.
(II) SUBPARAGRAPH (I) OF THIS PARAGRAPH SHALL NOT BE CONSTRUED TO
LIMIT THE AUTHORITY OF THE DIVISION OR THE ATTORNEY GENERAL TO LATER
COMMENCE A PROCEEDING OR CIVIL ACTION OR INTERVENE BY MOTION IF THE
DIVISION OR THE ATTORNEY GENERAL DOES NOT COMMENCE A PROCEEDING OR CIVIL
ACTION WITHIN THE SIXTY-DAY PERIOD.
(III) ANY WRITTEN COMMUNICATION FROM COUNSEL FOR AN AGGRIEVED PARTY TO
A COVERED ENTITY OR SERVICE PROVIDER REQUESTING A MONETARY PAYMENT FROM
THAT COVERED ENTITY OR SERVICE PROVIDER REGARDING A SPECIFIC CLAIM
DESCRIBED IN A LETTER SENT PURSUANT TO SUBDIVISION FOUR OF THIS SECTION,
NOT INCLUDING FILINGS IN COURT PROCEEDINGS, ARBITRATIONS, MEDIATIONS,
JUDGMENT COLLECTION PROCESSES, OR OTHER COMMUNICATIONS RELATED TO PREVI-
OUSLY INITIATED LITIGATION OR ARBITRATIONS, SHALL BE CONSIDERED TO HAVE
BEEN SENT IN BAD FAITH AND SHALL BE UNLAWFUL AS DEFINED IN THIS ARTICLE,
IF THE WRITTEN COMMUNICATION WAS SENT PRIOR TO THE DATE THAT IS SIXTY
DAYS AFTER EITHER A STATE ATTORNEY GENERAL OR THE DIVISION HAS RECEIVED
THE NOTICE REQUIRED UNDER SUBPARAGRAPH (I) OF THIS PARAGRAPH.
(D) BEGINNING ON THE DATE THAT IS FIVE YEARS AFTER THE EFFECTIVE DATE
OF THIS ARTICLE AND EVERY FIVE YEARS THEREAFTER, THE DIVISION SHALL
CONDUCT A STUDY TO DETERMINE THE ECONOMIC IMPACTS IN THE UNITED STATES
OF DEMAND LETTERS SENT PURSUANT TO THIS SECTION AND THE SCOPE OF THE
A. 6319 40
RIGHTS OF A PERSON UNDER THIS SECTION TO BRING FORTH CIVIL ACTIONS
AGAINST COVERED ENTITIES AND SERVICE PROVIDERS. SUCH STUDY SHALL INCLUDE
THE FOLLOWING:
(I) THE IMPACT ON INSURANCE RATES IN THE STATE.
(II) THE IMPACT ON THE ABILITY OF COVERED ENTITIES TO OFFER NEW
PRODUCTS OR SERVICES.
(III) THE IMPACT ON THE CREATION AND GROWTH OF NEW STARTUP COMPANIES,
INCLUDING NEW TECHNOLOGY COMPANIES.
(IV) ANY EMERGING RISKS, BENEFITS, AND LONG-TERM TRENDS IN RELEVANT
MARKETPLACES, SUPPLY CHAINS, AND LABOR AVAILABILITY.
(V) THE IMPACT ON REDUCING, PREVENTING, OR REMEDIATING HARMS TO INDI-
VIDUALS, INCLUDING FROM FRAUD, IDENTITY THEFT, SPAM, DISCRIMINATION,
DEFECTIVE PRODUCTS, AND VIOLATIONS OF RIGHTS.
(VI) THE IMPACT ON THE VOLUME AND SEVERITY OF DATA SECURITY INCIDENTS,
AND THE ABILITY TO RESPOND TO DATA SECURITY INCIDENTS.
(VII) OTHER INTANGIBLE DIRECT AND INDIRECT COSTS AND BENEFITS TO INDI-
VIDUALS.
(E) NOT LATER THAN FIVE YEARS AFTER THE FIRST DAY ON WHICH PERSONS AND
CLASSES OF PERSONS ARE ABLE TO BRING CIVIL ACTIONS UNDER THIS SUBDIVI-
SION, AND EVERY FIVE YEARS THEREAFTER, THE DIVISION SHALL SUBMIT TO THE
GOVERNOR AND THE LEGISLATURE A REPORT THAT CONTAINS THE RESULTS OF THE
STUDY CONDUCTED UNDER PARAGRAPH (D) OF THIS SUBDIVISION.
2. (A) (I) NOTWITHSTANDING ANY OTHER PROVISION OF LAW, NO PRE-DISPUTE
ARBITRATION AGREEMENT WITH RESPECT TO AN INDIVIDUAL UNDER THE AGE OF
EIGHTEEN IS ENFORCEABLE WITH REGARD TO A DISPUTE ARISING UNDER THIS
ARTICLE.
(II) NOTWITHSTANDING ANY OTHER PROVISION OF LAW, NO PRE-DISPUTE ARBI-
TRATION AGREEMENT IS ENFORCEABLE WITH REGARD TO A DISPUTE ARISING UNDER
THIS ARTICLE CONCERNING A CLAIM RELATED TO GENDER OR PARTNER-BASED
VIOLENCE OR PHYSICAL HARM.
(B) NOTWITHSTANDING ANY OTHER PROVISION OF LAW, NO PRE-DISPUTE JOINT-
ACTION WAIVER WITH RESPECT TO AN INDIVIDUAL UNDER THE AGE OF EIGHTEEN IS
ENFORCEABLE WITH REGARD TO A DISPUTE ARISING UNDER THIS ARTICLE.
(C) FOR PURPOSES OF THIS SUBDIVISION:
(I) "PRE-DISPUTE ARBITRATION AGREEMENT" MEANS ANY AGREEMENT TO ARBI-
TRATE A DISPUTE THAT HAS NOT ARISEN AT THE TIME OF THE MAKING OF THE
AGREEMENT.
(II) "PRE-DISPUTE JOINT-ACTION WAIVER" MEANS AN AGREEMENT, WHETHER OR
NOT PART OF A PRE-DISPUTE ARBITRATION AGREEMENT, THAT WOULD PROHIBIT OR
WAIVE THE RIGHT OF ONE OF THE PARTIES TO THE AGREEMENT TO PARTICIPATE IN
A JOINT, CLASS, OR COLLECTIVE ACTION IN A JUDICIAL, ARBITRAL, ADMINIS-
TRATIVE, OR OTHER RELATED FORUM, CONCERNING A DISPUTE THAT HAS NOT YET
ARISEN AT THE TIME OF THE MAKING OF THE AGREEMENT.
3. (A) SUBJECT TO PARAGRAPH (C) OF THIS SUBDIVISION, WITH RESPECT TO A
CLAIM UNDER THIS SECTION FOR:
(I) INJUNCTIVE RELIEF; OR
(II) AN ACTION AGAINST A COVERED ENTITY OR SERVICE PROVIDER THAT MEETS
THE REQUIREMENTS OF SECTION FIFTEEN HUNDRED TWENTY-EIGHT OF THIS ARTI-
CLE, SUCH CLAIM MAY BE BROUGHT BY A PERSON OR CLASS OF PERSONS IF, PRIOR
TO ASSERTING SUCH CLAIM, THE PERSON OR CLASS OF PERSONS PROVIDES TO THE
COVERED ENTITY OR SERVICE PROVIDER FORTY-FIVE DAYS' WRITTEN NOTICE IDEN-
TIFYING THE SPECIFIC PROVISIONS OF THIS ARTICLE THE PERSON OR CLASS OF
PERSONS ALLEGES HAVE BEEN OR ARE BEING VIOLATED.
(B) SUBJECT TO PARAGRAPH (C) OF THIS SUBDIVISION, IN THE EVENT A CURE
IS POSSIBLE, IF WITHIN THE FORTY-FIVE DAYS THE COVERED ENTITY OR SERVICE
PROVIDER DEMONSTRATES TO THE COURT THAT IT HAS CURED THE NOTICED
A. 6319 41
VIOLATION OR VIOLATIONS AND PROVIDES THE PERSON OR CLASS OF PERSONS AN
EXPRESS WRITTEN STATEMENT THAT THE VIOLATION OR VIOLATIONS HAS BEEN
CURED AND THAT NO FURTHER VIOLATIONS SHALL OCCUR, A CLAIM FOR INJUNCTIVE
RELIEF SHALL NOT BE PERMITTED AND MAY BE REASONABLY DISMISSED.
(C) THE NOTICE DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION AND THE
REASONABLE DISMISSAL IN PARAGRAPH (B) OF THIS SUBDIVISION SHALL NOT
APPLY MORE THAN ONCE TO ANY ALLEGED UNDERLYING VIOLATION BY THE SAME
COVERED ENTITY.
4. IF A PERSON OR IDENTIFIED MEMBERS OF A CLASS OF PERSONS REPRESENTED
BY COUNSEL IN REGARD TO AN ALLEGED VIOLATION OR VIOLATIONS OF THE ARTI-
CLE AND HAS CORRESPONDENCE SENT TO A COVERED ENTITY OR SERVICE PROVIDER
BY COUNSEL ALLEGING A VIOLATION OR VIOLATIONS OF THE PROVISIONS OF THIS
ARTICLE AND REQUESTS A MONETARY PAYMENT, SUCH CORRESPONDENCE SHALL
INCLUDE THE FOLLOWING LANGUAGE: "PLEASE VISIT THE WEBSITE OF THE NEW
YORK STATE DIVISION OF CONSUMER PROTECTION FOR A GENERAL DESCRIPTION OF
YOUR RIGHTS UNDER THE NEW YORK DATA PRIVACY AND PROTECTION ACT" FOLLOWED
BY A HYPERLINK TO THE WEBPAGE OF THE DIVISION REQUIRED UNDER SECTION
FIFTEEN HUNDRED TWENTY OF THIS ARTICLE. IF SUCH CORRESPONDENCE DOES NOT
INCLUDE SUCH LANGUAGE AND HYPERLINK, A CIVIL ACTION BROUGHT UNDER THIS
SECTION BY SUCH PERSON OR IDENTIFIED MEMBERS OF THE CLASS OF PERSONS
REPRESENTED BY COUNSEL MAY BE DISMISSED WITHOUT PREJUDICE AND SHALL NOT
BE REINSTATED UNTIL SUCH PERSON OR PERSONS HAS COMPLIED WITH THIS SUBDI-
VISION.
5. (A) THIS SECTION SHALL ONLY APPLY TO A CLAIM ALLEGING A VIOLATION
OF SECTION FIFTEEN HUNDRED ELEVEN, FIFTEEN HUNDRED THIRTEEN, FIFTEEN
HUNDRED TWENTY-ONE, FIFTEEN HUNDRED TWENTY-TWO, FIFTEEN HUNDRED TWENTY-
THREE, SUBDIVISION ONE OR TWO OF SECTION FIFTEEN HUNDRED TWENTY-FOUR,
PARAGRAPH (III) OF SUBDIVISION TWO OF SECTION FIFTEEN HUNDRED TWENTY-
FIVE, SUBDIVISION ONE OF SECTION FIFTEEN HUNDRED TWENTY-SIX, SUBDIVISION
ONE OF SECTION FIFTEEN HUNDRED TWENTY-SEVEN, OR SECTION FIFTEEN HUNDRED
FORTY-ONE OF THIS ARTICLE, OR OF A RULE OR REGULATION PROMULGATED UNDER
ANY SUCH SECTION.
(B) THIS SECTION SHALL NOT APPLY TO ANY CLAIM AGAINST A COVERED ENTITY
THAT HAS LESS THAN TWENTY-FIVE MILLION DOLLARS PER YEAR IN REVENUE,
COLLECTS, PROCESSES, OR TRANSFERS THE COVERED DATA OF FEWER THAN FIFTY
THOUSAND INDIVIDUALS, AND DERIVES LESS THAN FIFTY PERCENT OF ITS REVENUE
FROM TRANSFERRING COVERED DATA.
§ 1553. CONSTRUCTION. 1. NOTHING IN THIS ARTICLE OR IN A RULE OR REGU-
LATION PROMULGATED UNDER THIS ARTICLE MAY BE CONSTRUED TO LIMIT THE
AUTHORITY OF THE DIVISION, OR ANY OTHER EXECUTIVE AGENCY, UNDER ANY
OTHER PROVISION OF LAW.
2. (A) NOTHING IN THIS ARTICLE OR IN A RULE OR REGULATION PROMULGATED
UNDER THIS ARTICLE MAY BE CONSTRUED TO MODIFY, IMPAIR OR SUPERSEDE THE
OPERATION OF THE ANTITRUST LAW OR ANY OTHER PROVISION OF LAW.
(B) NOTHING IN THIS ARTICLE OR IN A RULE OR REGULATION PROMULGATED
UNDER THIS ARTICLE SHALL BE CONSTRUED AS OPERATING TO LIMIT ANY LAW
DETERRING ANTICOMPETITIVE CONDUCT OR DIMINISHING THE NEED FOR FULL
APPLICATION OF THE FEDERAL ANTITRUST LAW. NOTHING IN THIS ARTICLE OR IN
A RULE OR REGULATION PROMULGATED UNDER THIS ARTICLE EXPLICITLY OR
IMPLICITLY PRECLUDES THE APPLICATION OF THE ANTITRUST LAW.
(C) FOR PURPOSES OF THIS SECTION, THE TERM ANTITRUST LAW HAS THE SAME
MEANING AS IN SUBSECTION (A) OF THE FIRST SECTION OF THE CLAYTON ACT (15
U.S.C. 12), EXCEPT THAT SUCH TERM INCLUDES SECTION 5 OF THE FEDERAL
TRADE DIVISION ACT (15 U.S.C. 45) TO THE EXTENT THAT SUCH SECTION 5
APPLIES TO UNFAIR METHODS OF COMPETITION.
A. 6319 42
3. (A) A COVERED ENTITY THAT IS REQUIRED TO COMPLY WITH TITLE V OF THE
GRAMM-LEACH-BLILEY ACT (15 U.S.C. 6801 ET SEQ.), THE HEALTH INFORMATION
TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (42 U.S.C. 17931 ET
SEQ.), PART C OF TITLE XI OF THE SOCIAL SECURITY ACT (42 U.S.C. 1320D
ET SEQ.), THE FAIR CREDIT REPORTING ACT (15 U.S.C. 1681 ET SEQ.), THE
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (20 U.S.C. 1232G; PART 99 OF
TITLE 34, CODE OF FEDERAL REGULATIONS) TO THE EXTENT SUCH COVERED ENTITY
IS A SCHOOL AS DEFINED IN 20 U.S.C. 1232G(A)(3) OR 34 C.F.R. 99.1(A),
SECTION 444 OF THE GENERAL EDUCATION PROVISIONS ACT (COMMONLY KNOWN AS
THE "FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT OF 1974") (20 U.S.C.
1232G) AND PART 99 OF TITLE 34, CODE OF FEDERAL REGULATIONS (OR ANY
SUCCESSOR REGULATION), THE CONFIDENTIALITY OF ALCOHOL AND DRUG ABUSE
PATIENT RECORDS AT 42 U.S.C. 290DD-2 AND ITS IMPLEMENTING REGULATIONS AT
42 CFR PART 2, THE GENETIC INFORMATION NON-DISCRIMINATION ACT (GINA), OR
THE REGULATIONS PROMULGATED PURSUANT TO SECTION 264(C) OF THE HEALTH
INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (42 U.S.C. 1320D-2
NOTE), AND IS IN COMPLIANCE WITH THE DATA PRIVACY REQUIREMENTS OF SUCH
REGULATIONS, PART, TITLE, OR ACT (AS APPLICABLE), SHALL BE DEEMED TO BE
IN COMPLIANCE WITH THE RELATED REQUIREMENTS OF THIS ARTICLE, EXCEPT FOR
SECTION FIFTEEN HUNDRED TWENTY-SEVEN OF THIS ARTICLE, SOLELY AND EXCLU-
SIVELY WITH RESPECT TO DATA SUBJECT TO THE REQUIREMENTS OF SUCH REGU-
LATIONS, PART, TITLE, OR ACT. NOT LATER THAN ONE YEAR AFTER THE EFFEC-
TIVE DATE OF THIS ARTICLE, THE DIVISION SHALL ISSUE GUIDANCE DESCRIBING
THE IMPLEMENTATION OF THIS PARAGRAPH.
(B) A COVERED ENTITY THAT IS REQUIRED TO COMPLY WITH TITLE V OF THE
GRAMM-LEACH-BLILEY ACT (15 U.S.C. 6801 ET SEQ.), THE HEALTH INFORMATION
TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT (42 U.S.C. 17931 ET
SEQ.), PART C OF TITLE XI OF THE SOCIAL SECURITY ACT (42 U.S.C. 1320D ET
SEQ.), OR THE REGULATIONS PROMULGATED PURSUANT TO SECTION 264(C) OF THE
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (42 U.S.C.
1320D-2 NOTE), AND IS IN COMPLIANCE WITH THE INFORMATION SECURITY
REQUIREMENTS OF SUCH REGULATIONS, PART, TITLE, OR ACT (AS APPLICABLE),
SHALL BE DEEMED TO BE IN COMPLIANCE WITH THE REQUIREMENTS OF SECTION
FIFTEEN HUNDRED TWENTY-SEVEN OF THIS ARTICLE, SOLELY AND EXCLUSIVELY
WITH RESPECT TO DATA SUBJECT TO THE REQUIREMENTS OF SUCH REGULATIONS,
PART, TITLE, OR ACT. NOT LATER THAN ONE YEAR AFTER THE EFFECTIVE DATE OF
THIS ARTICLE, THE DIVISION SHALL ISSUE GUIDANCE DESCRIBING THE IMPLEMEN-
TATION OF THIS PARAGRAPH.
4. NOTHING IN THIS ARTICLE, NOR ANY AMENDMENT, STANDARD, RULE,
REQUIREMENT, ASSESSMENT, OR REGULATION PROMULGATED UNDER THIS ARTICLE,
MAY BE CONSTRUED TO PREEMPT, DISPLACE, OR SUPPLANT ANY FEDERAL OR STATE
COMMON LAW RIGHTS OR REMEDIES, OR ANY STATUTE CREATING A REMEDY FOR
CIVIL RELIEF, INCLUDING ANY CAUSE OF ACTION FOR PERSONAL INJURY, WRONG-
FUL DEATH, PROPERTY DAMAGE, OR OTHER FINANCIAL, PHYSICAL, REPUTATIONAL,
OR PSYCHOLOGICAL INJURY BASED IN NEGLIGENCE, STRICT LIABILITY, PRODUCTS
LIABILITY, FAILURE TO WARN, AN OBJECTIVELY OFFENSIVE INTRUSION INTO THE
PRIVATE AFFAIRS OR CONCERNS OF THE INDIVIDUAL, OR ANY OTHER LEGAL THEORY
OF LIABILITY UNDER ANY FEDERAL OR STATE COMMON LAW, OR ANY STATE STATU-
TORY LAW.
§ 1554. SEVERABILITY. IF ANY PROVISION OF THIS ARTICLE, OR THE APPLI-
CATION THEREOF TO ANY PERSON OR CIRCUMSTANCE, IS HELD INVALID, THE
REMAINDER OF THIS ARTICLE, AND THE APPLICATION OF SUCH PROVISION TO
OTHER PERSONS NOT SIMILARLY SITUATED OR TO OTHER CIRCUMSTANCES, SHALL
NOT BE AFFECTED BY THE INVALIDATION.
§ 2. The state finance law is amended by adding a new section 85 to
read as follows:
A. 6319 43
§ 85. PRIVACY AND SECURITY VICTIMS RELIEF FUND. 1. THERE IS HEREBY
ESTABLISHED IN THE CUSTODY OF THE STATE COMPTROLLER A SPECIAL FUND TO BE
KNOWN AS THE PRIVACY AND SECURITY VICTIMS RELIEF FUND.
2. SUCH FUND SHALL CONSIST OF ALL MONEYS REQUIRED TO BE DEPOSITED IN
THE PRIVACY AND SECURITY VICTIMS RELIEF FUND PURSUANT TO THE PROVISIONS
OF SECTION FIFTEEN HUNDRED FIFTY OF THE GENERAL BUSINESS LAW, TOGETHER
WITH MONEYS APPROPRIATED FOR THE PURPOSE OF SUCH FUND, ALL MONEYS TRANS-
FERRED TO SUCH FUND PURSUANT TO LAW, CONTRIBUTIONS CONSISTING OF PROM-
ISES OR GRANTS OF ANY MONEY OR PROPERTY OF ANY KIND OR VALUE, OR ANY
OTHER THING OF VALUE, INCLUDING GRANTS OR OTHER FINANCIAL ASSISTANCE
FROM ANY AGENCY OF GOVERNMENT AND ALL MONEYS REQUIRED BY THE PROVISIONS
OF THIS SECTION OR ANY OTHER LAW TO BE PAID INTO OR CREDITED TO THIS
FUND.
3. MONEYS OF THE FUND, WHEN ALLOCATED, SHALL BE AVAILABLE TO THE
DIRECTOR OF THE DIVISION OF CONSUMER PROTECTION AND SHALL BE USED, WITH-
OUT FISCAL YEAR LIMITATION:
(A) TO PROVIDE REDRESS, PAYMENT, COMPENSATION, OR OTHER MONETARY
RELIEF TO INDIVIDUALS AFFECTED BY AN ACT OR PRACTICE FOR WHICH RELIEF
HAS BEEN OBTAINED UNDER ARTICLE FORTY-FIVE OF THE GENERAL BUSINESS LAW;
AND
(B) TO THE EXTENT THAT THE INDIVIDUALS DESCRIBED IN PARAGRAPH (A) OF
THIS SUBDIVISION CANNOT BE LOCATED OR SUCH REDRESS, PAYMENTS, COMPEN-
SATION, OR OTHER MONETARY RELIEF ARE OTHERWISE NOT PRACTICABLE, THE
DIVISION OF CONSUMER PROTECTION MAY USE SUCH FUNDS FOR THE PURPOSE OF:
(I) FUNDING THE ACTIVITIES OF THE OFFICE OF BUSINESS MENTORSHIP ESTAB-
LISHED UNDER SUBDIVISION TWO OF SECTION FIFTEEN HUNDRED FIFTY OF THE
GENERAL BUSINESS LAW; OR
(II) ENGAGING IN TECHNOLOGICAL RESEARCH THAT THE DIVISION OF CONSUMER
PROTECTION CONSIDERS NECESSARY TO ENFORCE OR ADMINISTER ARTICLE FORTY-
FIVE OF THE GENERAL BUSINESS LAW.
4. THE MONEYS WHEN ALLOCATED, SHALL BE PAID OUT OF THE FUND ON THE
AUDIT AND WARRANT OF THE COMPTROLLER ON VOUCHERS CERTIFIED OR APPROVED
BY THE DIRECTOR OF THE DIVISION OF CONSUMER PROTECTION, OR BY AN OFFICER
OR EMPLOYEE OF THE DIVISION OF CONSUMER PROTECTION DESIGNATED BY THE
DIRECTOR.
5. THE DIRECTOR OF THE DIVISION OF CONSUMER PROTECTION SHALL PROMUL-
GATE RULES AND REGULATIONS PERTAINING TO THE ALLOCATION OF MONEYS FROM
THIS FUND.
§ 3. This act shall take effect on the one hundred eightieth day after
it shall have become a law.
Comments
Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.
Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.
Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.