Alabama 2025 Regular Session

Alabama House Bill HB283 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	HB283INTRODUCED
2	2	Page 0
3	3	HB283
4	4	ZUVVKWR-1
5	5	By Representatives Shaw, Brown, Lipscomb, Moore (P), Lomax
6	6	RFD: Commerce and Small Business
7	7	First Read: 13-Feb-25
8	8	1
9	9	2
10	10	3
11	11	4
12	12	5 ZUVVKWR-1 02/03/2025 THR (L)THR 2024-3028
13	13	Page 1
14	14	First Read: 13-Feb-25
15	15	SYNOPSIS:
16	16	This bill would authorize a consumer to confirm
17	17	whether a controller is processing any of the
18	18	consumer's personal data, correct any inaccuracies in
19	19	the consumer's personal data, direct a controller to
20	20	delete the consumer's personal data, obtain a copy of
21	21	the consumer's personal data, and opt out of the
22	22	processing of the consumer's data.
23	23	This bill would require a controller to
24	24	establish a secure and reliable method for a consumer
25	25	to exercise the consumer's rights and to establish an
26	26	appeals process.
27	27	This bill would authorize a consumer to
28	28	designate an authorized agent to exercise the
29	29	consumer's rights.
30	30	This bill would regulate the manner in which a
31	31	controller may process consumer data.
32	32	This bill would also regulate the processing of
33	33	deidentified data.
34	34	A BILL
35	35	TO BE ENTITLED
36	36	AN ACT
37	37	1
38	38	2
39	39	3
40	40	4
41	41	5
42	42	6
43	43	7
44	44	8
45	45	9
46	46	10
47	47	11
48	48	12
49	49	13
50	50	14
51	51	15
52	52	16
53	53	17
54	54	18
55	55	19
56	56	20
57	57	21
58	58	22
59	59	23
60	60	24
61	61	25
62	62	26
63	63	27
64	64	28 HB283 INTRODUCED
65	65	Page 2
66	66	AN ACT
67	67	Relating to data privacy; to authorize a consumer to
68	68	take certain actions regarding the consumer's personal data;
69	69	to regulate the manner in which a controller may process
70	70	personal data; and to regulate the processing of deidentified
71	71	data.
72	72	BE IT ENACTED BY THE LEGISLATURE OF ALABAMA:
73	73	Section 1. For the purposes of this act, the following
74	74	terms have the following meanings:
75	75	(1) AFFILIATE. A legal entity that shares common
76	76	branding with another legal entity or that controls, is
77	77	controlled by, or is under common control with another legal
78	78	entity.
79	79	(2) AUTHENTICATE. To use reasonable methods to
80	80	determine that a request to exercise any of the consumer
81	81	rights afforded under Section 4 is being made by, or on behalf
82	82	of, a consumer who is entitled to exercise those consumer
83	83	rights with respect to the consumer's personal data at issue.
84	84	(3) BIOMETRIC DATA. Data generated by automatic
85	85	measurements of an individual's biological characteristics
86	86	that are used to identify a specific individual, including,
87	87	but not limited to, a fingerprint, voiceprint, retina, or
88	88	iris. The term does not include any of the following:
89	89	a. A digital or physical photograph.
90	90	b. An audio or video recording.
91	91	c. Any data generated from a. or b.
92	92	(4) CHILD. An individual under 13 years of age.
93	93	(5) CONSENT. A clear affirmative act signifying a
94	94	29
95	95	30
96	96	31
97	97	32
98	98	33
99	99	34
100	100	35
101	101	36
102	102	37
103	103	38
104	104	39
105	105	40
106	106	41
107	107	42
108	108	43
109	109	44
110	110	45
111	111	46
112	112	47
113	113	48
114	114	49
115	115	50
116	116	51
117	117	52
118	118	53
119	119	54
120	120	55
121	121	56 HB283 INTRODUCED
122	122	Page 3
123	123	(5) CONSENT. A clear affirmative act signifying a
124	124	consumer's freely given, specific, informed, and unambiguous
125	125	agreement to allow the processing of personal data relating to
126	126	the consumer, including, but not limited to, a written
127	127	statement or a statement by electronic means. The term does
128	128	not include any of the following:
129	129	a. Acceptance of a general or broad term of use or
130	130	similar document that contains descriptions of personal data
131	131	processing along with other unrelated information.
132	132	b. Hovering over, muting, pausing, or closing a given
133	133	piece of content.
134	134	c. An agreement obtained using dark patterns.
135	135	(6) CONSUMER. An individual who is a resident of this
136	136	state. The term does not include an individual acting in a
137	137	commercial or employment context or as an employee, owner,
138	138	director, officer, or contractor of a company, partnership,
139	139	sole proprietorship, nonprofit, or government agency whose
140	140	communications or transactions with the controller occur
141	141	solely within the context of that individual's role with the
142	142	company, partnership, sole proprietorship, nonprofit, or
143	143	government agency.
144	144	(7) CONTROL. Any of the following:
145	145	a. Ownership of or the power to vote more than 50
146	146	percent of the outstanding shares of any class of voting
147	147	security of a company.
148	148	b. Control in any manner over the election of a
149	149	majority of the directors or of individuals exercising similar
150	150	functions.
151	151	c. The power to exercise controlling influence over the
152	152	57
153	153	58
154	154	59
155	155	60
156	156	61
157	157	62
158	158	63
159	159	64
160	160	65
161	161	66
162	162	67
163	163	68
164	164	69
165	165	70
166	166	71
167	167	72
168	168	73
169	169	74
170	170	75
171	171	76
172	172	77
173	173	78
174	174	79
175	175	80
176	176	81
177	177	82
178	178	83
179	179	84 HB283 INTRODUCED
180	180	Page 4
181	181	c. The power to exercise controlling influence over the
182	182	management of a company.
183	183	(8) CONTROLLER. An individual or legal entity that,
184	184	alone or jointly with others, determines the purposes and
185	185	means of processing personal data.
186	186	(9) DARK PATTERN. A user interface designed or
187	187	manipulated with the effect of substantially subverting or
188	188	impairing user autonomy, decision-making, or choice.
189	189	(10) DEIDENTIFIED DATA. Data that cannot be used to
190	190	reasonably infer information about or otherwise be linked to
191	191	an identified or identifiable individual or a device linked to
192	192	an identified or identifiable individual if the controller
193	193	that possesses the data does all of the following:
194	194	a. Takes reasonable measures to ensure that the data
195	195	cannot be associated with an individual.
196	196	b. Publicly commits to process the data in a
197	197	deidentified fashion only and to not attempt to reidentify the
198	198	data.
199	199	c. Contractually obligates any recipients of the data
200	200	to satisfy the criteria set forth in Section 10(a) and (b).
201	201	(11) IDENTIFIABLE INDIVIDUAL. An individual who can be
202	202	readily identified, directly or indirectly.
203	203	(12) NONPROFIT ENTITY. As defined in Section
204	204	10A-1-1.03, Code of Alabama 1975.
205	205	(13) PERSONAL DATA. Any information that is linked or
206	206	reasonably linkable to an identified or identifiable
207	207	individual. The term does not include deidentified data or
208	208	publicly available information.
209	209	(14) PRECISE GEOLOCATION DATA. Information derived from
210	210	85
211	211	86
212	212	87
213	213	88
214	214	89
215	215	90
216	216	91
217	217	92
218	218	93
219	219	94
220	220	95
221	221	96
222	222	97
223	223	98
224	224	99
225	225	100
226	226	101
227	227	102
228	228	103
229	229	104
230	230	105
231	231	106
232	232	107
233	233	108
234	234	109
235	235	110
236	236	111
237	237	112 HB283 INTRODUCED
238	238	Page 5
239	239	(14) PRECISE GEOLOCATION DATA. Information derived from
240	240	technology, including, but not limited to, global positioning
241	241	system level latitude and longitude coordinates, which
242	242	directly identifies the specific location of an individual
243	243	with precision and accuracy within a radius of 1,750 feet. The
244	244	term does not include the content of communications or any
245	245	data generated by or connected to advanced utility metering
246	246	infrastructure systems or equipment for use by a utility.
247	247	(15) PROCESS. Any operation or set of operations,
248	248	whether by manual or automated means, performed on personal
249	249	data or on sets of personal data, including, but not limited
250	250	to, the collection, use, storage, disclosure, analysis,
251	251	deletion, or modification of personal data.
252	252	(16) PROCESSOR. An individual or legal entity that
253	253	processes personal data on behalf of a controller.
254	254	(17) PROFILING. Any form of automated processing
255	255	performed on personal data to evaluate, analyze, or predict
256	256	personal aspects related to an identified or identifiable
257	257	individual's economic situation, health, personal preferences,
258	258	interests, reliability, behavior, location, or movements.
259	259	(18) PSEUDONYMOUS DATA. Personal data that cannot be
260	260	attributed to a specific individual without the use of
261	261	additional information, provided the additional information is
262	262	kept separately and is subject to appropriate technical and
263	263	organizational measures to ensure that the personal data is
264	264	not attributable to an identified or identifiable individual.
265	265	(19) PUBLICLY AVAILABLE INFORMATION. Either of the
266	266	following:
267	267	a. Information that is lawfully made available through
268	268	113
269	269	114
270	270	115
271	271	116
272	272	117
273	273	118
274	274	119
275	275	120
276	276	121
277	277	122
278	278	123
279	279	124
280	280	125
281	281	126
282	282	127
283	283	128
284	284	129
285	285	130
286	286	131
287	287	132
288	288	133
289	289	134
290	290	135
291	291	136
292	292	137
293	293	138
294	294	139
295	295	140 HB283 INTRODUCED
296	296	Page 6
297	297	a. Information that is lawfully made available through
298	298	federal, state, or local government records or widely
299	299	distributed media.
300	300	b. Information that a controller has a reasonable basis
301	301	to believe a consumer has lawfully made available to the
302	302	public.
303	303	(20) SALE OF PERSONAL DATA. The exchange of personal
304	304	data for monetary or other valuable consideration by a
305	305	controller to a third party. The term does not include any of
306	306	the following:
307	307	a. The disclosure of personal data to a processor that
308	308	processes the personal data on behalf of the controller.
309	309	b. The disclosure of personal data to a third party for
310	310	the purposes of providing a product or service requested by
311	311	the consumer.
312	312	c. The disclosure or transfer of personal data to an
313	313	affiliate of the controller.
314	314	d. The disclosure of personal data in which the
315	315	consumer directs the controller to disclose the personal data
316	316	or intentionally uses the controller to interact with a third
317	317	party.
318	318	e. The disclosure of personal data that the consumer
319	319	intentionally made available to the public via a channel of
320	320	mass media and did not restrict to a specific audience.
321	321	f. The disclosure or transfer of personal data to a
322	322	third party as an asset that is part of a merger, acquisition,
323	323	bankruptcy, or other transaction, or a proposed merger,
324	324	acquisition, bankruptcy, or other transaction in which the
325	325	third party assumes control of all or part of the controller's
326	326	141
327	327	142
328	328	143
329	329	144
330	330	145
331	331	146
332	332	147
333	333	148
334	334	149
335	335	150
336	336	151
337	337	152
338	338	153
339	339	154
340	340	155
341	341	156
342	342	157
343	343	158
344	344	159
345	345	160
346	346	161
347	347	162
348	348	163
349	349	164
350	350	165
351	351	166
352	352	167
353	353	168 HB283 INTRODUCED
354	354	Page 7
355	355	third party assumes control of all or part of the controller's
356	356	assets.
357	357	(21) SENSITIVE DATA. Personal data that includes any of
358	358	the following:
359	359	a. Data revealing racial or ethnic origin, religious
360	360	beliefs, a mental or physical health condition or diagnosis,
361	361	information about an individual's sex life, sexual
362	362	orientation, or citizenship or immigration status.
363	363	b. The processing of genetic or biometric data for the
364	364	purpose of uniquely identifying an individual.
365	365	c. Personal data collected from a known child.
366	366	d. Precise geolocation data.
367	367	(22) SIGNIFICANT DECISION. A decision made by a
368	368	controller that results in the controller's provision or
369	369	denial of financial or lending services, housing, insurance,
370	370	education enrollment or opportunity, criminal justice,
371	371	employment opportunity, health care service, or access to
372	372	necessities such as food or water.
373	373	(23) TARGETED ADVERTISING. Displaying advertisements to
374	374	a consumer in which the advertisement is selected based on
375	375	personal data obtained or inferred from that consumer's
376	376	activities over time and across nonaffiliated Internet
377	377	websites or online applications to predict the consumer's
378	378	preferences or interests. The term does not include any of the
379	379	following:
380	380	a. Advertisements based on activities within a
381	381	controller's own Internet websites or online applications.
382	382	b. Advertisements based on the context of a consumer's
383	383	current search query or visit to any Internet website or
384	384	169
385	385	170
386	386	171
387	387	172
388	388	173
389	389	174
390	390	175
391	391	176
392	392	177
393	393	178
394	394	179
395	395	180
396	396	181
397	397	182
398	398	183
399	399	184
400	400	185
401	401	186
402	402	187
403	403	188
404	404	189
405	405	190
406	406	191
407	407	192
408	408	193
409	409	194
410	410	195
411	411	196 HB283 INTRODUCED
412	412	Page 8
413	413	current search query or visit to any Internet website or
414	414	online application.
415	415	c. Advertisements directed to a consumer in response to
416	416	the consumer's request for information or feedback.
417	417	d. Processing personal data solely to measure or report
418	418	advertising frequency, performance, or reach.
419	419	(24) THIRD PARTY. An individual or legal entity other
420	420	than a consumer, controller, processor, or an affiliate of the
421	421	controller or processor.
422	422	(25) TRADE SECRET. As defined in Section 8-27-2, Code
423	423	of Alabama 1975.
424	424	Section 2. The provisions of this act apply to persons
425	425	that conduct business in this state or persons that produce
426	426	products or services that are targeted to residents of this
427	427	state and that meet either of the following qualifications:
428	428	(1) Control or process the personal data of more than
429	429	50,000 consumers, excluding personal data controlled or
430	430	processes solely for the purpose of completing a payment
431	431	transaction.
432	432	(2) Control or process the personal data of more than
433	433	25,000 consumers and derive more than 25 percent of gross
434	434	revenue from the sale of personal data.
435	435	Section 3. (a) This act shall not apply to any of the
436	436	following:
437	437	(1) A political subdivision of the state.
438	438	(2) A nonprofit organization.
439	439	(3) A 2-year or 4-year institution of higher education.
440	440	(4) A national securities association that is
441	441	registered under 15 U.S.C. § 780.
442	442	197
443	443	198
444	444	199
445	445	200
446	446	201
447	447	202
448	448	203
449	449	204
450	450	205
451	451	206
452	452	207
453	453	208
454	454	209
455	455	210
456	456	211
457	457	212
458	458	213
459	459	214
460	460	215
461	461	216
462	462	217
463	463	218
464	464	219
465	465	220
466	466	221
467	467	222
468	468	223
469	469	224 HB283 INTRODUCED
470	470	Page 9
471	471	registered under 15 U.S.C. § 780.
472	472	(5) A financial institution or an affiliate of a
473	473	financial institution governed by 15 U.S.C. Chapter 94.
474	474	(6) Personal data collected, processed, sold, or
475	475	disclosed in accordance with 15 U.S.C. Chapter 94.
476	476	(7) A covered entity or business associate as defined
477	477	in the privacy regulations of 45 C.F.R. § 160.13.
478	478	(b) This act shall not apply to any of the following
479	479	information or data:
480	480	(1) Protected health information under the privacy
481	481	regulations of the federal Health Insurance Portability and
482	482	Accountability Act of 1996.
483	483	(2) Patient-identifying information for the purposes of
484	484	42 U.S.C. § 290dd2.
485	485	(3) Identifiable private information for the purposes
486	486	of 45 C.F.R. Part 46.
487	487	(4) Identifiable private information that is otherwise
488	488	collected as part of human subjects research pursuant to the
489	489	good clinical practice guidelines issued by the International
490	490	Council for Harmonisation of Technical Requirements for
491	491	Pharmaceuticals for Human Use.
492	492	(5) The protection of human subjects under 21 C.F.R.
493	493	Parts 6, 50, and 56, or personal data used or shared in
494	494	research as defined in the federal Health Insurance
495	495	Portability and Accountability Act of 1996 and 45 C.F.R. §
496	496	164.501, that is conducted in accordance with applicable law.
497	497	(6) Information or documents created for the purposes
498	498	of the federal Health Care Quality Improvement Act of 1986.
499	499	(7) Patient safety work products for the purposes of
500	500	225
501	501	226
502	502	227
503	503	228
504	504	229
505	505	230
506	506	231
507	507	232
508	508	233
509	509	234
510	510	235
511	511	236
512	512	237
513	513	238
514	514	239
515	515	240
516	516	241
517	517	242
518	518	243
519	519	244
520	520	245
521	521	246
522	522	247
523	523	248
524	524	249
525	525	250
526	526	251
527	527	252 HB283 INTRODUCED
528	528	Page 10
529	529	(7) Patient safety work products for the purposes of
530	530	the federal Patient Safety and Quality Improvement Act of
531	531	2005.
532	532	(8) Information derived from any of the health care
533	533	related information listed in this subsection which is
534	534	deidentified in accordance with the requirements for
535	535	deidentification pursuant to the privacy regulations of the
536	536	federal Health Insurance Portability and Accountability Act of
537	537	1996.
538	538	(9) Information derived from any of the health care
539	539	related information listed in this subsection which is
540	540	included in a limited data set as described in 45 C.F.R. §
541	541	164.514(e), to the extent that the information is used,
542	542	disclosed, and maintained in a manner specified in 45 C.F.R. §
543	543	164.514(e).
544	544	(10) Information originating from and intermingled to
545	545	be indistinguishable with or information treated in the same
546	546	manner as information exempt under this subsection which is
547	547	maintained by a covered entity or business associate as
548	548	defined in the privacy regulations of the federal Health
549	549	Insurance Portability and Accountability Act of 1996 or a
550	550	program or qualified service organization as specified in 42
551	551	U.S.C. § 290dd-2.
552	552	(11) Information used for public health activities and
553	553	purposes as authorized by the federal Health Insurance
554	554	Portability and Accountability Act of 1996, community health
555	555	activities, and population health activities.
556	556	(12) The collection, maintenance, disclosure, sale,
557	557	communication, or use of any personal information bearing on a
558	558	253
559	559	254
560	560	255
561	561	256
562	562	257
563	563	258
564	564	259
565	565	260
566	566	261
567	567	262
568	568	263
569	569	264
570	570	265
571	571	266
572	572	267
573	573	268
574	574	269
575	575	270
576	576	271
577	577	272
578	578	273
579	579	274
580	580	275
581	581	276
582	582	277
583	583	278
584	584	279
585	585	280 HB283 INTRODUCED
586	586	Page 11
587	587	communication, or use of any personal information bearing on a
588	588	consumer's credit worthiness, credit standing, credit
589	589	capacity, character, general reputation, personal
590	590	characteristics, or mode of living by a consumer reporting
591	591	agency, furnisher, or user that provides information for use
592	592	in a consumer report and by a user of a consumer report, but
593	593	only to the extent that the activity is regulated by and
594	594	authorized under the federal Fair Credit Reporting Act.
595	595	(13) Personal data collected, processed, sold, or
596	596	disclosed in compliance with the federal Driver's Privacy
597	597	Protection Act of 1994.
598	598	(14) Personal data regulated by the federal Family
599	599	Educational Rights and Privacy Act of 1974.
600	600	(15) Personal data collected, processed, sold, or
601	601	disclosed in compliance with the federal Farm Credit Act of
602	602	1971.
603	603	(16) Data processed or maintained by an individual
604	604	applying to, employed by, or acting as an agent or independent
605	605	contractor of a controller, processor, or third party to the
606	606	extent that the data is collected and used within the context
607	607	of that role.
608	608	(17) Data processed or maintained as the emergency
609	609	contact information of an individual under this act and used
610	610	for emergency contact purposes.
611	611	(18) Data processed or maintained that is necessary to
612	612	retain to administer benefits for another individual relating
613	613	to the individual who is the subject of the information under
614	614	this section and is used for the purposes of administering the
615	615	benefits.
616	616	281
617	617	282
618	618	283
619	619	284
620	620	285
621	621	286
622	622	287
623	623	288
624	624	289
625	625	290
626	626	291
627	627	292
628	628	293
629	629	294
630	630	295
631	631	296
632	632	297
633	633	298
634	634	299
635	635	300
636	636	301
637	637	302
638	638	303
639	639	304
640	640	305
641	641	306
642	642	307
643	643	308 HB283 INTRODUCED
644	644	Page 12
645	645	benefits.
646	646	(19) Personal data collected, processed, sold, or
647	647	disclosed in relation to price, route, or service, as these
648	648	terms are used in the federal Airline Deregulation Act of 1978
649	649	by an air carrier subject to the act.
650	650	(20) Data or information collected or processed to
651	651	comply with or in accordance with state law.
652	652	(c) Controllers and processors that comply with the
653	653	verifiable parental consent requirements of the federal
654	654	Children's Online Privacy Protection Act of 1998 are compliant
655	655	with any obligation to obtain parental consent pursuant to
656	656	this act.
657	657	Section 4. (a) A consumer has the affirmative right to
658	658	do all of the following:
659	659	(1) Confirm whether a controller is processing the
660	660	consumer's personal data and accessing any of the consumer's
661	661	personal data under the control of the controller, unless
662	662	confirmation or access would require the controller to reveal
663	663	a trade secret.
664	664	(2) Correct inaccuracies in the consumer's personal
665	665	data, considering the nature of the personal data and the
666	666	purposes of the processing of the consumer's personal data.
667	667	(3) Direct a controller to delete the consumer's
668	668	personal data.
669	669	(4) Obtain a copy of the consumer's personal data
670	670	previously provided by the consumer to a controller in a
671	671	portable and, to the extent technically feasible, readily
672	672	usable format that allows the consumer to transmit the
673	673	personal data to another controller without hindrance when the
674	674	309
675	675	310
676	676	311
677	677	312
678	678	313
679	679	314
680	680	315
681	681	316
682	682	317
683	683	318
684	684	319
685	685	320
686	686	321
687	687	322
688	688	323
689	689	324
690	690	325
691	691	326
692	692	327
693	693	328
694	694	329
695	695	330
696	696	331
697	697	332
698	698	333
699	699	334
700	700	335
701	701	336 HB283 INTRODUCED
702	702	Page 13
703	703	personal data to another controller without hindrance when the
704	704	processing is carried out by automated means, unless the
705	705	provision of the data would require the controller to reveal a
706	706	trade secret.
707	707	(5) Opt out of the processing of the consumer's
708	708	personal data for any of the following purposes:
709	709	a. Targeted advertising.
710	710	b. The sale of the consumer's personal data, except as
711	711	provided in Section 6.
712	712	c. Profiling in furtherance of solely automated
713	713	decisions that produce legal or similarly significant effects
714	714	concerning the consumer.
715	715	(b) A controller shall establish a secure and reliable
716	716	method for a consumer to exercise rights established by this
717	717	section and shall describe the method in the controller's
718	718	privacy notice.
719	719	(c)(1) A consumer may designate an authorized agent in
720	720	accordance with Section 5 to exercise the consumer's rights
721	721	established by this section.
722	722	(2) A parent or legal guardian of a known child may
723	723	exercise the consumer's rights on behalf of the known child
724	724	regarding the processing of personal data.
725	725	(3) A guardian or conservator of a consumer may
726	726	exercise the consumer's rights on behalf of the consumer
727	727	regarding the processing of personal data.
728	728	(d) Except as otherwise provided in this act, a
729	729	controller shall comply with a request by a consumer to
730	730	exercise the consumer's rights authorized by this section as
731	731	follows:
732	732	337
733	733	338
734	734	339
735	735	340
736	736	341
737	737	342
738	738	343
739	739	344
740	740	345
741	741	346
742	742	347
743	743	348
744	744	349
745	745	350
746	746	351
747	747	352
748	748	353
749	749	354
750	750	355
751	751	356
752	752	357
753	753	358
754	754	359
755	755	360
756	756	361
757	757	362
758	758	363
759	759	364 HB283 INTRODUCED
760	760	Page 14
761	761	follows:
762	762	(1)a. A controller shall respond to a consumer's
763	763	request within 45 days of receipt of the request.
764	764	b. A controller may extend the response period by 45
765	765	additional days, when reasonably necessary considering the
766	766	complexity and number of the consumer's requests, by notifying
767	767	the consumer of the extension and the reason for the extension
768	768	within the initial 45-day response period.
769	769	(2) If a controller declines to act regarding a
770	770	consumer's request, the controller shall inform the consumer
771	771	of the justification for declining to act within 45 days of
772	772	receipt of the request. The notification must also inform the
773	773	consumer of the controller's process for appealing the
774	774	decision.
775	775	(3) Information provided in response to a consumer
776	776	request must be provided by a controller, free of charge, once
777	777	for each consumer during any 12-month period. If a consumer's
778	778	requests are manifestly unfounded, excessive, technically
779	779	infeasible, or repetitive, the controller may charge the
780	780	consumer a reasonable fee to cover the administrative costs of
781	781	complying with a request or decline to act on a request. The
782	782	controller bears the burden of demonstrating the manifestly
783	783	unfounded, excessive, technically infeasible, or repetitive
784	784	nature of a request.
785	785	(4) If a controller is unable to authenticate a
786	786	consumer's request using commercially reasonable efforts, the
787	787	controller shall not be required to comply with a request to
788	788	initiate an action pursuant to this section and shall provide
789	789	notice to the consumer that the controller is unable to
790	790	365
791	791	366
792	792	367
793	793	368
794	794	369
795	795	370
796	796	371
797	797	372
798	798	373
799	799	374
800	800	375
801	801	376
802	802	377
803	803	378
804	804	379
805	805	380
806	806	381
807	807	382
808	808	383
809	809	384
810	810	385
811	811	386
812	812	387
813	813	388
814	814	389
815	815	390
816	816	391
817	817	392 HB283 INTRODUCED
818	818	Page 15
819	819	notice to the consumer that the controller is unable to
820	820	authenticate the request until the consumer provides
821	821	additional information reasonably necessary to authenticate
822	822	the consumer and the request. A controller is not required to
823	823	authenticate an opt-out request, but a controller may deny an
824	824	opt-out request if the controller has a good faith,
825	825	reasonable, and documented belief that the request is
826	826	fraudulent. If a controller denies an opt-out request because
827	827	the controller believes the request is fraudulent, the
828	828	controller shall send notice to the person who made the
829	829	request disclosing that the controller believes the request is
830	830	fraudulent and that the controller may not comply with the
831	831	request.
832	832	(5) A controller that has obtained personal data about
833	833	a consumer from a source other than the consumer is in
834	834	compliance with a consumer's request to delete the consumer's
835	835	data if the controller has done either of the following:
836	836	a. Retained a record of the deletion request and the
837	837	minimum data necessary for the purpose of ensuring the
838	838	consumer's personal data remains deleted from the controller's
839	839	records and refrains from using the retained data for any
840	840	other purpose.
841	841	b. Opted the consumer out of the processing of the
842	842	consumer's personal data for any purpose except for those
843	843	exempted pursuant to this act.
844	844	(e) A controller shall establish a process for a
845	845	consumer to appeal the controller's refusal to act on a
846	846	consumer's request. The appeal process must be conspicuously
847	847	available. Within 60 days of receipt of an appeal, a
848	848	393
849	849	394
850	850	395
851	851	396
852	852	397
853	853	398
854	854	399
855	855	400
856	856	401
857	857	402
858	858	403
859	859	404
860	860	405
861	861	406
862	862	407
863	863	408
864	864	409
865	865	410
866	866	411
867	867	412
868	868	413
869	869	414
870	870	415
871	871	416
872	872	417
873	873	418
874	874	419
875	875	420 HB283 INTRODUCED
876	876	Page 16
877	877	available. Within 60 days of receipt of an appeal, a
878	878	controller shall inform the consumer in writing of any action
879	879	taken or not taken in response to the appeal, including a
880	880	written explanation of the reason for the decision. If the
881	881	appeal is denied, the controller shall provide the consumer
882	882	with a method through which the consumer may contact the
883	883	Attorney General to submit a complaint.
884	884	Section 5. (a) A consumer may designate another person
885	885	to serve as the consumer's authorized agent and act on the
886	886	consumer's behalf to opt out of the processing of the
887	887	consumer's personal data for one or more of the purposes
888	888	specified in Section 4. The consumer may designate an
889	889	authorized agent by way of technology, including, but not
890	890	limited to, an Internet link, browser setting, browser
891	891	extension, or global device setting indicating a consumer's
892	892	intent to opt out of such processing.
893	893	(b) A controller shall comply with an opt-out request
894	894	received from an authorized agent if the controller is able to
895	895	verify, with commercially reasonable effort, the identity of
896	896	the consumer and the authorized agent's authority to act on
897	897	the consumer's behalf.
898	898	(c) An opt-out method must do both of the following:
899	899	(1) Provide a clear and conspicuous link on the
900	900	controller's Internet website to an Internet web page that
901	901	enables a consumer or an agent of the consumer to opt out of
902	902	the targeted advertising or sale of the consumer's personal
903	903	data.
904	904	(2) By no later than January 1, 2026, allow a consumer
905	905	or an agent of the consumer to opt out of any processing of
906	906	421
907	907	422
908	908	423
909	909	424
910	910	425
911	911	426
912	912	427
913	913	428
914	914	429
915	915	430
916	916	431
917	917	432
918	918	433
919	919	434
920	920	435
921	921	436
922	922	437
923	923	438
924	924	439
925	925	440
926	926	441
927	927	442
928	928	443
929	929	444
930	930	445
931	931	446
932	932	447
933	933	448 HB283 INTRODUCED
934	934	Page 17
935	935	or an agent of the consumer to opt out of any processing of
936	936	the consumer's personal data for the purposes of targeted
937	937	advertising, or any sale of such personal data through an
938	938	opt-out preference signal sent with the consumer's consent, to
939	939	the controller by a platform, technology, or mechanism that
940	940	does all of the following:
941	941	a. May not unfairly disadvantage another controller.
942	942	b. May not make use of a default setting, but require
943	943	the consumer to make an affirmative, freely given, and
944	944	unambiguous choice to opt out of any processing of a
945	945	customer's personal data pursuant to this act.
946	946	c. Must be consumer friendly and easy to use by the
947	947	average consumer.
948	948	d. Must be consistent with any federal or state law or
949	949	regulation.
950	950	e. Must allow the controller to accurately determine
951	951	whether the consumer is a resident of the state and whether
952	952	the consumer has made a legitimate request to opt out of any
953	953	sale of a consumer's personal data or targeted advertising.
954	954	(d)(1) If a consumer's decision to opt out of any
955	955	processing of the consumer's personal data for the purposes of
956	956	targeted advertising, or any sale of personal data, through an
957	957	opt-out preference signal sent in accordance with this section
958	958	conflicts with the consumer's existing controller-specific
959	959	privacy setting or voluntary participation in a controller's
960	960	bona fide loyalty, rewards, premium features, discounts, or
961	961	club card program, the controller shall comply with the
962	962	consumer's opt-out preference signal but may notify the
963	963	consumer of the conflict and provide the choice to confirm
964	964	449
965	965	450
966	966	451
967	967	452
968	968	453
969	969	454
970	970	455
971	971	456
972	972	457
973	973	458
974	974	459
975	975	460
976	976	461
977	977	462
978	978	463
979	979	464
980	980	465
981	981	466
982	982	467
983	983	468
984	984	469
985	985	470
986	986	471
987	987	472
988	988	473
989	989	474
990	990	475
991	991	476 HB283 INTRODUCED
992	992	Page 18
993	993	consumer of the conflict and provide the choice to confirm
994	994	controller-specific privacy settings or participation in such
995	995	a program.
996	996	(2) If a controller responds to consumer opt-out
997	997	requests received in accordance with this section by informing
998	998	the consumer of a charge for the use of any product or
999	999	service, the controller shall present the terms of any
1000	1000	financial incentive offered pursuant to this section for the
1001	1001	retention, use, sale, or sharing of the consumer's personal
1002	1002	data.
1003	1003	Section 6. (a) A controller shall do all of the
1004	1004	following:
1005	1005	(1) Limit the collection of personal data to what is
1006	1006	adequate, relevant, and reasonably necessary in relation to
1007	1007	the purposes for which the personal data is processed, as
1008	1008	disclosed to the consumer.
1009	1009	(2) Establish, implement, and maintain reasonable
1010	1010	administrative, technical, and physical data security
1011	1011	practices to protect the confidentiality, integrity, and
1012	1012	accessibility of personal data appropriate to the volume and
1013	1013	nature of the personal data at issue.
1014	1014	(3) Provide an effective mechanism for a consumer to
1015	1015	revoke the consumer's consent under this act that is at least
1016	1016	as easy as the mechanism by which the consumer provided the
1017	1017	consumer's consent and, on revocation of the consent, cease to
1018	1018	process the personal data as soon as practicable, but within
1019	1019	45 days of receipt of the request.
1020	1020	(b) A controller may not do any of the following:
1021	1021	(1) Except as provided in this act, process personal
1022	1022	477
1023	1023	478
1024	1024	479
1025	1025	480
1026	1026	481
1027	1027	482
1028	1028	483
1029	1029	484
1030	1030	485
1031	1031	486
1032	1032	487
1033	1033	488
1034	1034	489
1035	1035	490
1036	1036	491
1037	1037	492
1038	1038	493
1039	1039	494
1040	1040	495
1041	1041	496
1042	1042	497
1043	1043	498
1044	1044	499
1045	1045	500
1046	1046	501
1047	1047	502
1048	1048	503
1049	1049	504 HB283 INTRODUCED
1050	1050	Page 19
1051	1051	(1) Except as provided in this act, process personal
1052	1052	data for purposes that are not reasonably necessary to or
1053	1053	compatible with the disclosed purposes for which the personal
1054	1054	data is processed as disclosed to the consumer unless the
1055	1055	controller obtains the consumer's consent.
1056	1056	(2) Process sensitive data concerning a consumer
1057	1057	without obtaining the consumer's consent or, in the case of
1058	1058	the processing of sensitive data concerning a known child,
1059	1059	without processing the sensitive data in accordance with the
1060	1060	federal Children's Online Privacy Protection Act of 1998.
1061	1061	(3) Process personal data in violation of the laws of
1062	1062	this state or federal laws that prohibit unlawful
1063	1063	discrimination against consumers.
1064	1064	(4) Process the personal data of a consumer for the
1065	1065	purposes of targeted advertising or sell a consumer's personal
1066	1066	data without the consumer's consent under circumstances in
1067	1067	which a controller has actual knowledge that the consumer is
1068	1068	at least 13 years of age but younger than 16 years of age.
1069	1069	(5) Discriminate against a consumer for exercising any
1070	1070	of the consumer rights contained in this act, including
1071	1071	denying goods or services, charging different prices or rates
1072	1072	for goods or services, or providing a different level of
1073	1073	quality of goods or services to the consumer.
1074	1074	(c) Nothing in subsections (a) or (b) may be construed
1075	1075	to require a controller to provide a product or service that
1076	1076	requires the personal data of a consumer that the controller
1077	1077	does not collect or maintain or prohibit a controller from
1078	1078	offering a different price, rate, level, quality, or selection
1079	1079	of goods or services to a consumer, including offering goods
1080	1080	505
1081	1081	506
1082	1082	507
1083	1083	508
1084	1084	509
1085	1085	510
1086	1086	511
1087	1087	512
1088	1088	513
1089	1089	514
1090	1090	515
1091	1091	516
1092	1092	517
1093	1093	518
1094	1094	519
1095	1095	520
1096	1096	521
1097	1097	522
1098	1098	523
1099	1099	524
1100	1100	525
1101	1101	526
1102	1102	527
1103	1103	528
1104	1104	529
1105	1105	530
1106	1106	531
1107	1107	532 HB283 INTRODUCED
1108	1108	Page 20
1109	1109	of goods or services to a consumer, including offering goods
1110	1110	or services for no fee, if the consumer has exercised his or
1111	1111	her right to opt out pursuant to this act or the offering is
1112	1112	in connection with a consumer's voluntary participation in a
1113	1113	bona fide loyalty, rewards, premium features, discounts, or
1114	1114	club card program.
1115	1115	(d) If a controller sells personal data to third
1116	1116	parties or processes personal data for targeted advertising,
1117	1117	the controller shall clearly and conspicuously disclose the
1118	1118	processing, as well as the way a consumer may exercise the
1119	1119	right to opt out of the processing.
1120	1120	(e) A controller shall provide consumers with a
1121	1121	reasonably accurate, clear, and meaningful privacy notice that
1122	1122	includes all of the following:
1123	1123	(1) The categories of personal data processed by the
1124	1124	controller.
1125	1125	(2) The purpose for processing personal data.
1126	1126	(3) The categories of personal data that the controller
1127	1127	shares with third parties, if any.
1128	1128	(4) The categories of third parties, if any, with which
1129	1129	the controller shares personal data.
1130	1130	(5) An active email address or other mechanism that the
1131	1131	consumer may use to contact the controller.
1132	1132	(6) How consumers may exercise their consumer rights,
1133	1133	including a consumer may appeal a controller's decision
1134	1134	regarding the consumer's request.
1135	1135	(f)(1) A controller shall establish and describe in a
1136	1136	privacy notice one or more secure and reliable means for
1137	1137	consumers to submit a request to exercise their consumer
1138	1138	533
1139	1139	534
1140	1140	535
1141	1141	536
1142	1142	537
1143	1143	538
1144	1144	539
1145	1145	540
1146	1146	541
1147	1147	542
1148	1148	543
1149	1149	544
1150	1150	545
1151	1151	546
1152	1152	547
1153	1153	548
1154	1154	549
1155	1155	550
1156	1156	551
1157	1157	552
1158	1158	553
1159	1159	554
1160	1160	555
1161	1161	556
1162	1162	557
1163	1163	558
1164	1164	559
1165	1165	560 HB283 INTRODUCED
1166	1166	Page 21
1167	1167	consumers to submit a request to exercise their consumer
1168	1168	rights pursuant to this act considering the ways in which
1169	1169	consumers normally interact with the controller, the need for
1170	1170	secure and reliable communication of consumer requests, and
1171	1171	the ability of the controller to verify the identity of the
1172	1172	consumer making the request.
1173	1173	(2) A controller may not require a consumer to create a
1174	1174	new account to exercise consumer rights but may require a
1175	1175	consumer to use an existing account.
1176	1176	Section 7. (a) A processor shall adhere to the
1177	1177	instructions of a controller and shall assist the controller
1178	1178	in meeting the controller's obligations under this act,
1179	1179	including, but not limited to, all of the following:
1180	1180	(1) Considering the nature of processing and the
1181	1181	information available to the processor by appropriate
1182	1182	technical and organizational measures as much as reasonably
1183	1183	practicable to fulfill the controller's obligation to respond
1184	1184	to consumer rights requests.
1185	1185	(2) Considering the nature of processing and the
1186	1186	information available to the processor by assisting the
1187	1187	controller in meeting the controller's obligations in relation
1188	1188	to the security of processing the personal data and in
1189	1189	relation to the notification of a breach of security of the
1190	1190	system of the processor to meet the controller's obligations.
1191	1191	(3) Providing necessary information to enable the
1192	1192	controller to conduct and document data protection
1193	1193	assessments.
1194	1194	(b) A contract between a controller and a processor
1195	1195	must govern the processor's data processing procedures with
1196	1196	561
1197	1197	562
1198	1198	563
1199	1199	564
1200	1200	565
1201	1201	566
1202	1202	567
1203	1203	568
1204	1204	569
1205	1205	570
1206	1206	571
1207	1207	572
1208	1208	573
1209	1209	574
1210	1210	575
1211	1211	576
1212	1212	577
1213	1213	578
1214	1214	579
1215	1215	580
1216	1216	581
1217	1217	582
1218	1218	583
1219	1219	584
1220	1220	585
1221	1221	586
1222	1222	587
1223	1223	588 HB283 INTRODUCED
1224	1224	Page 22
1225	1225	must govern the processor's data processing procedures with
1226	1226	respect to processing performed on behalf of the controller.
1227	1227	The contract must be binding and clearly set forth
1228	1228	instructions for processing data, the nature and purpose of
1229	1229	processing, the type of data subject to processing, the
1230	1230	duration of processing, and the rights and obligations of both
1231	1231	parties. The contract must also require that the processor do
1232	1232	all of the following:
1233	1233	(1) Ensure that each person processing personal data is
1234	1234	subject to a duty of confidentiality with respect to the
1235	1235	personal data.
1236	1236	(2) At the controller's direction, delete or return all
1237	1237	personal data to the controller as requested at the end of the
1238	1238	provision of services, unless retention of the personal data
1239	1239	is required by law.
1240	1240	(3) Upon the reasonable request of the controller, make
1241	1241	available to the controller all information in the processor's
1242	1242	possession necessary to demonstrate the processor's compliance
1243	1243	with the obligations in this act.
1244	1244	(4) Engage any subcontractor pursuant to a written
1245	1245	contract that requires the subcontractor to meet the
1246	1246	obligations of the processor with respect to the personal
1247	1247	data.
1248	1248	(5) Allow and cooperate with reasonable assessments by
1249	1249	the controller or the controller's designated assessor, or the
1250	1250	processor may arrange for a qualified and independent assessor
1251	1251	to assess the processor's policies and technical and
1252	1252	organizational measures in support of the obligations under
1253	1253	this act using an appropriate and accepted control standard or
1254	1254	589
1255	1255	590
1256	1256	591
1257	1257	592
1258	1258	593
1259	1259	594
1260	1260	595
1261	1261	596
1262	1262	597
1263	1263	598
1264	1264	599
1265	1265	600
1266	1266	601
1267	1267	602
1268	1268	603
1269	1269	604
1270	1270	605
1271	1271	606
1272	1272	607
1273	1273	608
1274	1274	609
1275	1275	610
1276	1276	611
1277	1277	612
1278	1278	613
1279	1279	614
1280	1280	615
1281	1281	616 HB283 INTRODUCED
1282	1282	Page 23
1283	1283	this act using an appropriate and accepted control standard or
1284	1284	framework and assessment procedure for the assessments. The
1285	1285	processor shall provide a report of the assessment to the
1286	1286	controller on request.
1287	1287	(c) Nothing in this section may be construed to relieve
1288	1288	a controller or processor from the liabilities imposed on the
1289	1289	controller or processor by virtue of the controller's or
1290	1290	processor's role in the processing relationship as described
1291	1291	in this act.
1292	1292	(d) Determining whether a person is acting as a
1293	1293	controller or processor with respect to a specific processing
1294	1294	of data is a fact-based determination that depends on the
1295	1295	following context in which personal data is to be processed:
1296	1296	(1) A person who is not limited in the processing of
1297	1297	personal data pursuant to a controller's instructions or who
1298	1298	fails to adhere to a controller's instructions is a controller
1299	1299	and not a processor with respect to a specific processing of
1300	1300	data.
1301	1301	(2) A processor that continues to adhere to a
1302	1302	controller's instructions with respect to a specific
1303	1303	processing of personal data remains a processor.
1304	1304	(3) If a processor begins, alone or jointly with
1305	1305	others, determining the purposes and means of the processing
1306	1306	of personal data, the processor is a controller with respect
1307	1307	to the processing and may be subject to an enforcement action
1308	1308	under this act.
1309	1309	Section 8. (a) A controller shall conduct and document
1310	1310	a data protection assessment for each of the controller's
1311	1311	processing activities that presents a heightened risk of harm
1312	1312	617
1313	1313	618
1314	1314	619
1315	1315	620
1316	1316	621
1317	1317	622
1318	1318	623
1319	1319	624
1320	1320	625
1321	1321	626
1322	1322	627
1323	1323	628
1324	1324	629
1325	1325	630
1326	1326	631
1327	1327	632
1328	1328	633
1329	1329	634
1330	1330	635
1331	1331	636
1332	1332	637
1333	1333	638
1334	1334	639
1335	1335	640
1336	1336	641
1337	1337	642
1338	1338	643
1339	1339	644 HB283 INTRODUCED
1340	1340	Page 24
1341	1341	processing activities that presents a heightened risk of harm
1342	1342	to a consumer. For the purposes of this section, processing
1343	1343	that presents risk of harm to a consumer includes, but is not
1344	1344	limited to, all of the following:
1345	1345	(1) The processing of personal data for the purposes of
1346	1346	targeted advertising.
1347	1347	(2) The sale of personal data.
1348	1348	(3) The processing of personal data for the purposes of
1349	1349	profiling in which the profiling presents a reasonably
1350	1350	foreseeable risk of any of the following:
1351	1351	a. Unfair or deceptive treatment of or unlawful
1352	1352	disparate impact on consumers.
1353	1353	b. Financial, physical, or reputational injury to
1354	1354	consumers.
1355	1355	c. A physical or other form of intrusion on the
1356	1356	solitude or seclusion or the private affairs or concerns of
1357	1357	consumers in which the intrusion would be offensive to a
1358	1358	reasonable person.
1359	1359	d. Other substantial injury to consumers.
1360	1360	(4) The processing of sensitive data.
1361	1361	(b)(1) Data protection assessments conducted pursuant
1362	1362	to subsection (a) must identify and weigh the benefits that
1363	1363	may flow, directly or indirectly, from the processing to the
1364	1364	controller, the consumer, other stakeholders, and the public
1365	1365	against the potential risks to the rights of the consumer
1366	1366	associated with the processing as mitigated by safeguards that
1367	1367	may be employed by the controller to reduce these risks.
1368	1368	(2) The controller shall factor into any data
1369	1369	protection assessment the use of deidentified data and the
1370	1370	645
1371	1371	646
1372	1372	647
1373	1373	648
1374	1374	649
1375	1375	650
1376	1376	651
1377	1377	652
1378	1378	653
1379	1379	654
1380	1380	655
1381	1381	656
1382	1382	657
1383	1383	658
1384	1384	659
1385	1385	660
1386	1386	661
1387	1387	662
1388	1388	663
1389	1389	664
1390	1390	665
1391	1391	666
1392	1392	667
1393	1393	668
1394	1394	669
1395	1395	670
1396	1396	671
1397	1397	672 HB283 INTRODUCED
1398	1398	Page 25
1399	1399	protection assessment the use of deidentified data and the
1400	1400	reasonable expectations of consumers, as well as the context
1401	1401	of the processing and the relationship between the controller
1402	1402	and the consumer whose personal data will be processed.
1403	1403	(c)(1) The Attorney General may require that a
1404	1404	controller disclose any data protection assessment that is
1405	1405	relevant to an investigation conducted by the Attorney
1406	1406	General, and the controller shall make the data protection
1407	1407	assessment available to the Attorney General.
1408	1408	(2) The Attorney General may evaluate the data
1409	1409	protection assessment for compliance with the responsibilities
1410	1410	set forth in this act.
1411	1411	(3) Data protection assessments are confidential and
1412	1412	are exempt from disclosure under Article 3 of Chapter 12 of
1413	1413	Title 36, Code of Alabama 1975.
1414	1414	(4) To the extent any information contained in a data
1415	1415	protection assessment disclosed to the Attorney General
1416	1416	includes information subject to attorney-client privilege or
1417	1417	work product protection, the disclosure may not constitute a
1418	1418	waiver of the privilege or protection.
1419	1419	(d) A single data protection assessment may address a
1420	1420	comparable set of processing operations that include similar
1421	1421	activities.
1422	1422	(e) If a controller conducts a data protection
1423	1423	assessment for the purpose of complying with another
1424	1424	applicable law or regulation, the data protection assessment
1425	1425	must be considered to satisfy the requirements established in
1426	1426	this section if the data protection assessment is reasonably
1427	1427	similar in scope and the effect to the data protection
1428	1428	673
1429	1429	674
1430	1430	675
1431	1431	676
1432	1432	677
1433	1433	678
1434	1434	679
1435	1435	680
1436	1436	681
1437	1437	682
1438	1438	683
1439	1439	684
1440	1440	685
1441	1441	686
1442	1442	687
1443	1443	688
1444	1444	689
1445	1445	690
1446	1446	691
1447	1447	692
1448	1448	693
1449	1449	694
1450	1450	695
1451	1451	696
1452	1452	697
1453	1453	698
1454	1454	699
1455	1455	700 HB283 INTRODUCED
1456	1456	Page 26
1457	1457	similar in scope and the effect to the data protection
1458	1458	assessment that would otherwise be conducted pursuant to this
1459	1459	section.
1460	1460	(f) Data protection assessment requirements shall apply
1461	1461	to processing activities created or generated after January 1,
1462	1462	2026, and are not retroactive.
1463	1463	Section 9. (a) Any controller in possession of
1464	1464	deidentified data shall do all of the following:
1465	1465	(1) Take reasonable measures to ensure that the
1466	1466	identified data cannot be associated with an individual.
1467	1467	(2) Publicly commit to maintaining and using
1468	1468	deidentified data without attempting to reidentify the
1469	1469	deidentified data.
1470	1470	(3) Contractually obligate any recipients of the
1471	1471	deidentified data to comply with all provisions of this act.
1472	1472	(b) Nothing in this act may be construed to do either
1473	1473	of the following:
1474	1474	(1) Require a controller or processor to reidentify
1475	1475	deidentified data or pseudonymous data.
1476	1476	(2) Maintain data in identifiable form or collect,
1477	1477	obtain, retain, or access any data or technology to be capable
1478	1478	of associating an authenticated consumer request with personal
1479	1479	data.
1480	1480	(c) Nothing in this act may be construed to require a
1481	1481	controller or processor to comply with an authenticated
1482	1482	consumer rights request if the controller:
1483	1483	(1) Is not reasonably capable of associating the
1484	1484	request with the personal data or it would be unreasonably
1485	1485	burdensome for the controller to associate the request with
1486	1486	701
1487	1487	702
1488	1488	703
1489	1489	704
1490	1490	705
1491	1491	706
1492	1492	707
1493	1493	708
1494	1494	709
1495	1495	710
1496	1496	711
1497	1497	712
1498	1498	713
1499	1499	714
1500	1500	715
1501	1501	716
1502	1502	717
1503	1503	718
1504	1504	719
1505	1505	720
1506	1506	721
1507	1507	722
1508	1508	723
1509	1509	724
1510	1510	725
1511	1511	726
1512	1512	727
1513	1513	728 HB283 INTRODUCED
1514	1514	Page 27
1515	1515	burdensome for the controller to associate the request with
1516	1516	the personal data;
1517	1517	(2) Does not use the personal data to recognize or
1518	1518	respond to the specific consumer who is the subject of the
1519	1519	personal data or associate the personal data with other
1520	1520	personal data about the same specific consumer; and
1521	1521	(3) Does not sell the personal data to any third party
1522	1522	or otherwise voluntarily disclose the personal data to any
1523	1523	third party other than a processor, except as otherwise
1524	1524	permitted in this section.
1525	1525	(d) The rights afforded under Section 4 may not apply
1526	1526	to pseudonymous data in cases in which the controller is able
1527	1527	to demonstrate that any information necessary to identify the
1528	1528	consumer is kept separately and is subject to effective
1529	1529	technical and organizational controls that prevent the
1530	1530	controller from accessing the information.
1531	1531	(e) A controller that discloses pseudonymous data or
1532	1532	deidentified data shall exercise reasonable oversight to
1533	1533	monitor compliance with any contractual commitments to which
1534	1534	the pseudonymous data or deidentified data is subject and
1535	1535	shall take appropriate steps to address any breaches of those
1536	1536	contractual commitments.
1537	1537	Section 10. (a) Nothing in this act may be construed to
1538	1538	restrict a controller's or processor's ability to do any of
1539	1539	the following:
1540	1540	(1) Comply with federal, state, or local ordinances or
1541	1541	regulations.
1542	1542	(2) Comply with a civil, criminal, or regulatory
1543	1543	inquiry, investigation, subpoena, or summons by federal,
1544	1544	729
1545	1545	730
1546	1546	731
1547	1547	732
1548	1548	733
1549	1549	734
1550	1550	735
1551	1551	736
1552	1552	737
1553	1553	738
1554	1554	739
1555	1555	740
1556	1556	741
1557	1557	742
1558	1558	743
1559	1559	744
1560	1560	745
1561	1561	746
1562	1562	747
1563	1563	748
1564	1564	749
1565	1565	750
1566	1566	751
1567	1567	752
1568	1568	753
1569	1569	754
1570	1570	755
1571	1571	756 HB283 INTRODUCED
1572	1572	Page 28
1573	1573	inquiry, investigation, subpoena, or summons by federal,
1574	1574	state, local, or other government authority.
1575	1575	(3) Cooperate with law enforcement agencies concerning
1576	1576	conduct or activity that the controller or processor
1577	1577	reasonably and in good faith believes may violate federal,
1578	1578	state, or local ordinances, rules, or regulations.
1579	1579	(4) Investigate, establish, exercise, prepare for, or
1580	1580	defend legal claims.
1581	1581	(5) Provide a product or service specifically requested
1582	1582	by a consumer.
1583	1583	(6) Perform under a contract to which a consumer is a
1584	1584	party, including fulfilling the terms of a written warranty.
1585	1585	(7) Take steps at the request of a consumer prior to
1586	1586	entering a contract.
1587	1587	(8) Take immediate steps to protect an interest that is
1588	1588	essential for the life or physical safety of the consumer or
1589	1589	another individual and when the processing cannot be
1590	1590	manifestly based on another legal basis.
1591	1591	(9) Prevent, detect, protect against, or respond to
1592	1592	security incidents; identify theft, fraud, harassment,
1593	1593	malicious or deceptive activities, or any illegal activity;
1594	1594	preserve the integrity or security of systems; or investigate,
1595	1595	report, or prosecute those responsible for any of these
1596	1596	actions.
1597	1597	(10) Engage in public or peer-reviewed scientific or
1598	1598	statistical research in the public interest that adheres to
1599	1599	all other applicable ethics and privacy laws and is approved,
1600	1600	monitored, and governed by an institutional review board that
1601	1601	determines or similar independent oversight entities that
1602	1602	757
1603	1603	758
1604	1604	759
1605	1605	760
1606	1606	761
1607	1607	762
1608	1608	763
1609	1609	764
1610	1610	765
1611	1611	766
1612	1612	767
1613	1613	768
1614	1614	769
1615	1615	770
1616	1616	771
1617	1617	772
1618	1618	773
1619	1619	774
1620	1620	775
1621	1621	776
1622	1622	777
1623	1623	778
1624	1624	779
1625	1625	780
1626	1626	781
1627	1627	782
1628	1628	783
1629	1629	784 HB283 INTRODUCED
1630	1630	Page 29
1631	1631	determines or similar independent oversight entities that
1632	1632	determine all of the following:
1633	1633	a. Whether the deletion of the information is likely to
1634	1634	provide substantial benefits that do not exclusively accrue to
1635	1635	the controller.
1636	1636	b. The expected benefits of the research outweigh the
1637	1637	privacy risks.
1638	1638	c. Whether the controller has implemented reasonable
1639	1639	safeguards to mitigate privacy risks associated with research,
1640	1640	including any risks associated with reidentification.
1641	1641	(11) Assist another controller, processor, or third
1642	1642	party with any of the obligations under this act.
1643	1643	(12) Process personal data for reasons of public
1644	1644	interest in public health, community health, or population
1645	1645	health, but solely to the extent that the processing does both
1646	1646	of the following:
1647	1647	a. Subject to suitable and specific measures to
1648	1648	safeguard the rights of the consumer whose personal data is
1649	1649	being processed.
1650	1650	b. Under the responsibility of a professional subject
1651	1651	to confidentiality obligations under federal, state, or local
1652	1652	law.
1653	1653	(b) The obligations imposed on controllers or
1654	1654	processors under this act may not restrict a controller's or
1655	1655	processor's ability to collect, use, or retain personal data
1656	1656	for internal use to do any of the following:
1657	1657	(1) Conduct internal research to develop, improve, or
1658	1658	repair products, services, or technology.
1659	1659	(2) Effectuate a product recall.
1660	1660	785
1661	1661	786
1662	1662	787
1663	1663	788
1664	1664	789
1665	1665	790
1666	1666	791
1667	1667	792
1668	1668	793
1669	1669	794
1670	1670	795
1671	1671	796
1672	1672	797
1673	1673	798
1674	1674	799
1675	1675	800
1676	1676	801
1677	1677	802
1678	1678	803
1679	1679	804
1680	1680	805
1681	1681	806
1682	1682	807
1683	1683	808
1684	1684	809
1685	1685	810
1686	1686	811
1687	1687	812 HB283 INTRODUCED
1688	1688	Page 30
1689	1689	(2) Effectuate a product recall.
1690	1690	(3) Identify and repair technical errors that impair
1691	1691	existing or intended functionality.
1692	1692	(4) Perform internal operations that are reasonably
1693	1693	aligned with the expectations of the consumer or reasonably
1694	1694	anticipated based on the consumer's existing relationship with
1695	1695	the controller or are otherwise compatible with processing
1696	1696	data in furtherance of the provision of a product or service
1697	1697	specifically requested by a consumer or the performance of a
1698	1698	contract to which the consumer is a party.
1699	1699	(c) The obligations imposed on controllers or
1700	1700	processors under this act may not apply when compliance by the
1701	1701	controller with this act would violate an evidentiary
1702	1702	privilege under the laws of this state. Nothing in this act
1703	1703	may be construed to prevent a controller or processor from
1704	1704	providing personal data concerning a consumer to a person
1705	1705	covered by an evidentiary privilege under the laws of this
1706	1706	state as part of a privileged communication.
1707	1707	(d)(1) If, at the time a controller or processor
1708	1708	discloses personal data to a processor or third-party
1709	1709	controller in accordance with this act, the controller or
1710	1710	processor did not have actual knowledge that the processor or
1711	1711	third-party controller would violate this act, then the
1712	1712	controller or processor may not be considered to have violated
1713	1713	this act.
1714	1714	(2) A receiving processor or third-party controller
1715	1715	receiving personal data from a disclosing controller or
1716	1716	processor in compliance with this act is likewise not in
1717	1717	violation of this act for the transgressions of the disclosing
1718	1718	813
1719	1719	814
1720	1720	815
1721	1721	816
1722	1722	817
1723	1723	818
1724	1724	819
1725	1725	820
1726	1726	821
1727	1727	822
1728	1728	823
1729	1729	824
1730	1730	825
1731	1731	826
1732	1732	827
1733	1733	828
1734	1734	829
1735	1735	830
1736	1736	831
1737	1737	832
1738	1738	833
1739	1739	834
1740	1740	835
1741	1741	836
1742	1742	837
1743	1743	838
1744	1744	839
1745	1745	840 HB283 INTRODUCED
1746	1746	Page 31
1747	1747	violation of this act for the transgressions of the disclosing
1748	1748	controller or processor from which the receiving processor or
1749	1749	third-party controller receives the personal data.
1750	1750	(e) Nothing in this act may be construed to do either
1751	1751	of the following:
1752	1752	(1) Impose any obligation on a controller or processor
1753	1753	that adversely effects the rights or freedoms of any person.
1754	1754	(2) Apply to a person's processing of personal data
1755	1755	during the person's personal or household activities.
1756	1756	(f) Personal data processed by a controller pursuant to
1757	1757	this section may be processed to the extent that the
1758	1758	processing is both of the following:
1759	1759	(1) Reasonably necessary and proportionate to the
1760	1760	purposes listed in this section.
1761	1761	(2) Adequate, relevant, and limited to what is
1762	1762	necessary in relation to the specific purposes listed in this
1763	1763	section. The controller or processor must, when applicable,
1764	1764	consider the nature and purpose of the collection, use, or
1765	1765	retention of the personal data collected, used, or retained
1766	1766	pursuant to this section. The personal data must be subject to
1767	1767	reasonable administrative, technical, and physical measures to
1768	1768	protect the confidentiality, integrity, and accessibility of
1769	1769	the personal data and to reduce reasonably foreseeable risks
1770	1770	of harm to consumers relating to the collection, use, or
1771	1771	retention of personal data.
1772	1772	(g) If a controller processes personal data pursuant to
1773	1773	an exemption in this section, the controller bears the burden
1774	1774	of demonstrating that the processing qualifies for the
1775	1775	exemption and complies with the requirements in this section.
1776	1776	841
1777	1777	842
1778	1778	843
1779	1779	844
1780	1780	845
1781	1781	846
1782	1782	847
1783	1783	848
1784	1784	849
1785	1785	850
1786	1786	851
1787	1787	852
1788	1788	853
1789	1789	854
1790	1790	855
1791	1791	856
1792	1792	857
1793	1793	858
1794	1794	859
1795	1795	860
1796	1796	861
1797	1797	862
1798	1798	863
1799	1799	864
1800	1800	865
1801	1801	866
1802	1802	867
1803	1803	868 HB283 INTRODUCED
1804	1804	Page 32
1805	1805	exemption and complies with the requirements in this section.
1806	1806	(h) Processing personal data for the purposes expressly
1807	1807	identified in this section may not solely make a legal entity
1808	1808	a controller with respect to the processing.
1809	1809	Section 11. (a) The Attorney General has exclusive
1810	1810	authority to enforce violations of this act.
1811	1811	(b)(1) The Attorney General, prior to initiating any
1812	1812	action for a violation of any provision of this act, shall
1813	1813	issue a notice of violation to the controller.
1814	1814	(2) If the controller fails to correct the violation
1815	1815	within 60 days of receipt of the notice of violation, the
1816	1816	Attorney General may bring an action pursuant to this section.
1817	1817	(3) If within the 60-day period the controller corrects
1818	1818	the noticed violation and provides the Attorney General an
1819	1819	express written statement that the alleged violations have
1820	1820	been corrected and that no such further violations will occur,
1821	1821	no action may be initiated against the controller.
1822	1822	(c) Nothing in this act may be construed as providing
1823	1823	the basis for or be subject to a private right of action for
1824	1824	violations of this act or any other law.
1825	1825	Section 12. This act shall become effective on October
1826	1826	1, 2025.
1827	1827	869
1828	1828	870
1829	1829	871
1830	1830	872
1831	1831	873
1832	1832	874
1833	1833	875
1834	1834	876
1835	1835	877
1836	1836	878
1837	1837	879
1838	1838	880
1839	1839	881
1840	1840	882
1841	1841	883
1842	1842	884
1843	1843	885
1844	1844	886
1845	1845	887
1846	1846	888
1847	1847	889