Arkansas 2025 Regular Session

Arkansas Senate Bill SB258 Compare Versions

Only one version of the bill is available at this time.
Stricken language would be deleted from and underlined language would be added to present law.
*ANS146* 02/18/2025 3:16:09 PM ANS146
State of Arkansas
95th General Assembly
Regular Session, 2025
A Bill
SENATE BILL 258

By: Senator C. Penzo
By: Representative S. Meeks

For An Act To Be Entitled
AN ACT TO CREATE THE ARKANSAS DIGITAL RESPONSIBILITY, SAFETY, AND TRUST ACT; AND FOR OTHER PURPOSES.

Subtitle
TO CREATE THE ARKANSAS DIGITAL RESPONSIBILITY, SAFETY, AND TRUST ACT.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS:

SECTION 1. Arkansas Code Title 4, is amended to add an additional chapter to read as follows:

CHAPTER 120
ARKANSAS DIGITAL RESPONSIBILITY, SAFETY, AND TRUST ACT

Subchapter 1 — General Provisions

4-120-101. Title.
This chapter shall be known and may be cited as the "Arkansas Digital Responsibility, Safety, and Trust Act".

4-120-102. Legislative findings.
The General Assembly finds that:
    (1) Arkansans and Americans have long valued personal privacy as something that serves essential human needs of liberty, personal autonomy, seclusion, family, intimacy, and other relationships, and security;
    (2) Privacy safeguards foundational American values of self-government;
    (3) The United States and Arkansas have long protected aspects of personal privacy since the nation’s founding, including through the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments to the United States Constitution and Article 2, §§ 2, 6, 8, 10, 15, 21, and 24 of the Arkansas Constitution;
    (4)(A) The United States has a history of leadership in privacy rights, passing some of the first privacy laws as early as the eighteenth century and adopting one (1) of the first national privacy and data protection laws globally in addition to the “fair information practice principles” that have influenced laws and privacy practices around the world.
        (B) In this information age of the twenty-first century, in the absence of ongoing federal leadership in privacy, Arkansas should join over twenty (20) other states in leading privacy protection;
    (5)(A) The expansion of computers, internet connectivity, mobile telephones, and other digital information and communications technology has magnified the risks to an individual's privacy that can occur from the collection, processing, storage, or dissemination of personal information.
        (B) The overwhelming majority of Arkansans and Americans have smartphones equipped with powerful computers, immense storage capacity, arrays of sensors, and the capacity to transmit information around the world instantaneously.
        (C) Some people use these devices continuously and use them to store a digital record of nearly every aspect of their lives.
        (D) Arkansans increasingly have other “smart devices” such as automobiles, televisions, home appliances, and wearable accessories that collect, process, and transmit information linked to Arkansans and their activities to entities around the world;
    (6)(A) The personal information of Arkansans and Americans has been used against them to steal their identities, open financial and credit accounts in their names, and do other personal and financial harm.
        (B) Troves of Arkansan and American personal information lie in the hands of state adversaries and criminals;
    (7) The aggregation of an increasing volume of data among many different entities expands the exposure to malicious actors in cyberspace and the availability of personal information to such actors;
    (8)(A) The risks of harm from privacy violations are significant.
        (B) Unwanted or unexpected disclosure of personal information and loss of privacy can have devastating effects for individuals, including financial fraud and loss, identity theft, and the resulting loss of personal time and money, destruction of property, harassment, and even potential physical injury.
        (C) Other effects such as reputational or emotional damage can be equally or even more substantial;
    (9)(A) With the development of artificial intelligence and machine learning, the potential to use personal and other information in ways that replicate existing social problems has increased in scale.
        (B) Algorithms use personal and other information to guide decision-making related to critical issues, such as credit determination, housing advertisements, and hiring processes, and can result in differing accuracy rates;
    (10)(A) Individuals need to feel confident that data that relates to them will not be used or shared in ways that can harm themselves, their families, or society.
        (B) As such, organizations that collect, use, retain, and share personal information should be subject to meaningful and effective boundaries on such activities, obligated to take reasonable steps to protect the privacy and security of personal information, and required to mitigate privacy risks to the individuals whose data they steward; and
    (11)(A) The majority of governments around the world already impose such restrictions on businesses, but Arkansans do not yet have their right to privacy protected.
        (B) It is proper for the General Assembly to protect Arkansans’ privacy rights, enforce the rights against those who collect, use, retain, and share their personal information, and establish the legislative framework for responsible, safe, and trustworthy technology in Arkansas.

4-120-103. Definitions.
As used in this chapter:
    (1) "Affiliate" means a legal entity that:
        (A) Controls, is controlled by, or is under common control with another legal entity; or
        (B) Shares common branding with another legal entity;
    (2) "Algorithmic discrimination" means a condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of the individual's or group of individuals' actual or perceived age, color, disability status, ethnicity, genetic information, national origin, race, religion, sex, veteran status, or other classification protected under the laws of this state or federal law;
    (3) "Artificial intelligence system" means a machine-based system that, for any explicit or implicit objective, infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations, that can influence physical or virtual environments;
    (4) "Authenticate" means to verify through reasonable means that the consumer who is entitled to exercise the consumer’s right is the same consumer exercising those consumer rights with respect to the personal data at issue;
    (5)(A) "Biometric data" means data generated by automatic measurements of an individual’s biological characteristics.
        (B) "Biometric data" includes a fingerprint, voiceprint, eye retina or iris scans, or other unique biological pattern or characteristic that is used to identify a specific individual.
        (C) "Biometric data" does not include a physical or digital photograph or data generated from a physical or digital photograph, a video or audio recording or data generated from a video or audio recording, or information collected, used, or stored for healthcare treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (6) "Business associate" means the same as defined in the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (7) "Child" means an individual younger than thirteen (13) years of age;
    (8)(A) "Consent" means a clear affirmative act, if referring to a consumer, that signifies a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.
        (B) "Consent" includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
        (C) "Consent" does not include:
            (i) An acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information;
            (ii) The hovering over, muting, pausing, or closing a given piece of content; or
            (iii) An agreement obtained through the use of dark patterns;
    (9)(A) "Consumer" means an individual who is a resident of this state acting only in an individual or household context.
        (B) "Consumer" does not include an individual acting in a commercial or employment context;
    (10) "Consumer health data" means information about a person’s health collected by a person or entity not subject to the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025, including information gathered from wearable fitness devices, mobile phones, applications promoting personal physical, dental, or mental health, nutrition trackers, and similar applications generally available to the public;
    (11) "Control" means:
        (A) The ownership of, or power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a company;
        (B) The control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
        (C) The power to exercise controlling influence over the management of a company;
    (12) "Controller" means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data;
    (13) "Covered entity" has the same meaning as defined in the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (14)(A) "Dark pattern" means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice.
        (B) "Dark pattern" includes any practice that the Federal Trade Commission refers to as a dark pattern;
    (15) "Decision that produces a legal or similarly significant effect concerning a consumer" means a decision made by a controller that results in the provision or denial by the controller of:
        (A) Financial and lending services;
        (B) Housing, insurance, or healthcare services;
        (C) Education enrollment;
        (D) Employment opportunities;
        (E) Criminal justice; or
        (F) Access to basic necessities, such as food and water;
    (16) "Deidentified data" means data that cannot reasonably be linked to an identified or identifiable individual or a device linked to that individual;
    (17) "Deploy" means to use a high-risk artificial intelligence system;
    (18) "Deployer" means a person doing business in this state that deploys a high-risk artificial intelligence system;
    (19) "Developer" means a person doing business in this state that develops or intentionally and substantially modifies an artificial intelligence system;
    (20) "Full-time equivalent employee" means one (1) or more employees whose average weekly work hours exceed thirty-five (35) hours;
    (21)(A) "Health record" means a written, printed, or electronically recorded material maintained by a healthcare provider in the course of providing healthcare services to an individual that concerns the individual and the services provided.
        (B) "Health record" includes:
            (i) The substance of any communication made by an individual to a healthcare provider in confidence during or in connection with the provision of healthcare services; or
            (ii) Information otherwise acquired by the healthcare provider about an individual in confidence and in connection with healthcare services provided to the individual;
    (22) "Healthcare provider" means the same as defined in the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (23) "Healthcare services" has the same meaning as provided in 42 U.S.C. § 234(d)(2), as it existed on January 1, 2025;
    (24)(A) "High-risk artificial intelligence system" means an artificial intelligence system that, when deployed, makes, or is a substantial factor in making, a decision that produces a legal or similarly significant effect concerning a consumer.
        (B) "High-risk artificial intelligence system" does not include an artificial intelligence system if the artificial intelligence system is intended to:
            (i) Perform a narrow or procedural task;
            (ii) Detect decision-making patterns or deviations from prior decision-making patterns and is not intended to replace or influence a previously completed human assessment without sufficient human review; or
            (iii) Perform tasks that do not make, or are not a substantial factor in making, a decision that produces a legal or similarly significant effect concerning a consumer, including without limitation:
                (a) Anti-fraud technology that does not use facial recognition technology;
                (b) Anti-malware, anti-virus, artificial-intelligence-enabled video games, calculators, cybersecurity, databases, data storage, firewall, internet domain registration, internet website loading, networking, spam- and robocall-filtering, spell-checking, spreadsheets, web caching, web hosting or any similar technology, or technology that communicates with consumers in natural language for the purpose of providing users with information, making referrals or recommendations, and answering questions; and
                (c) Is subject to an accepted use policy that prohibits generating content that is discriminatory or harmful, unless such technologies, when deployed, make or are a substantial factor in making, a decision that produces a legal or similarly significant effect concerning a consumer;
    (25) "Identified" means a consumer who can be readily identified, directly or indirectly;
    (26) "Institution of higher education" means:
        (A) A vocational or technical school governed by Arkansas Code Title 6, Subtitle 4; or
        (B) A postsecondary or higher education institution governed by Arkansas Code Title 6, Subtitle 5;
    (27)(A) "Intentional and substantial modification" means a deliberate change made to an artificial intelligence system that results in any new reasonably foreseeable risk of algorithmic discrimination.
        (B) "Intentional and substantial modification" does not include a change made to a high-risk artificial intelligence system, or the performance of a high-risk artificial intelligence system, if:
            (i) The high-risk artificial intelligence system continues to learn after the high-risk artificial intelligence system is offered, sold, leased, licensed, given, otherwise made available to a deployer, or is deployed;
            (ii) The change is made to the high-risk artificial intelligence system as a result of any learning described in subdivision (27)(B)(i) of this section;
            (iii) The change was predetermined by the deployer, or a third party contracted by the deployer, when the deployer or third party completed an initial impact assessment of the high-risk artificial intelligence system under § 4-120-603; and
            (iv) The change is included in technical documentation for the high-risk artificial intelligence system;
    (28) "Known child" means a child under circumstances where a controller has actual knowledge of, or willfully disregards, the child’s age;
    (29) "Nonprofit organization" means:
        (A) A corporation governed by Arkansas Code Title 4, Chapter 28 or Chapter 33 to the extent applicable to nonprofit corporations;
        (B) An organization exempt from federal taxation as a nonprofit entity under § 501(a) of the Internal Revenue Code, by being listed as an exempt organization under §§ 501(c)(3), 501(c)(4), 501(c)(6), 501(c)(12), or 501(c)(19) of the Internal Revenue Code; or
        (C) A political organization;
    (30)(A) "Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.
        (B) "Personal data" includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual.
        (C) "Personal data" does not include deidentified data or publicly available information;
    (31) "Political organization" means a party, committee, association, fund, or other organization, regardless of whether incorporated, that is organized and operated primarily for the purpose of influencing or attempting to influence:
        (A) The selection, nomination, election, or appointment of an individual to federal, state, or local public office or an office in a political organization, regardless of whether the individual is ultimately selected, nominated, elected, or appointed; or
        (B) The election of a presidential or vice-presidential elector, regardless of whether the elector is ultimately selected, nominated, elected, or appointed;
    (32)(A) "Precise geolocation data" means information derived from technology, including Global Positioning System level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet (1,750').
        (B) "Precise geolocation data" does not include the content of communications or any data generated by or connected to an advanced utility metering infrastructure system or to equipment for use by a utility;
    (33) "Process" means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data;
    (34) "Processor" means a person who processes personal data on behalf of a controller;
    (35) "Profiling" means a form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;
    (36) "Protected health information" means the same as defined under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (37) "Pseudonymous data" means any information that cannot be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual;
    (38) "Publicly available information" means information that is lawfully made available through government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by a consumer, or by a person to whom a consumer has disclosed the information, unless the consumer has restricted the information to a specific audience;
    (39)(A) "Sale of personal data" means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by a controller to a third party.
        (B) "Sale of personal data" does not include:
            (i) The disclosure of personal data to a processor that processes the personal data on the controller’s behalf;
            (ii) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
            (iii) The disclosure or transfer of personal data to an affiliate of a controller;
            (iv) The disclosure of information that the consumer:
                (a) Intentionally made available to the general public through a mass media channel; and
                (b) Did not restrict to a specific audience; or
            (v) The disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition;
    (40)(A) "Sensitive data" means a category of personal data.
        (B) "Sensitive data" includes:
            (i) Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status;
            (ii) Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
            (iii) Personal data collected from a known child;
            (iv) Precise geolocation data; or
            (v) Data concerning personal or political affiliations, credentials to access online financial, healthcare, or other accounts that could be used to access a means of communication, Social Security number, driver's license number, or other government-issued identification number;
    (41) "State agency" means a department, commission, board, office, council, authority, or other agency in any branch of state government that is created by the Arkansas Constitution or a statute of this state, including a university system or institution of higher education as governed by Arkansas Code Title 6, Subtitles 4 or 5 that receives state funding or has directors appointed by the Governor;
    (42) "Substantial factor" means a factor that:
        (A) Assists in making a decision that produces a legal or similarly significant effect concerning a consumer;
        (B) Is capable of altering the outcome of a decision that produces a legal or similarly significant effect concerning a consumer;
        (C) Is generated by an artificial intelligence system; and
        (D) Includes any use of an artificial intelligence system to generate any content, decision, prediction, or recommendation concerning a consumer that is used as a basis to make a decision that produces a legal or similarly significant effect concerning a consumer;
    (43)(A) "Targeted advertising" means displaying to a consumer an advertisement that is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.
        (B) "Targeted advertising" does not include an advertisement that:
            (i) Is based on activities within a controller’s own websites or online applications;
            (ii) Is based on the context of a consumer’s current search query, visit to a website, or online application;
            (iii) Is directed to a consumer in response to the consumer’s request for information or feedback; or
            (iv) Is used for the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency;
    (44) "Third party" means a person, other than the consumer, the controller, the processor, or an affiliate of the controller or processor; and
    (45) "Trade secret" means all forms and types of information, including business, scientific, technical, economic, or engineering information, and any formula, design, prototype, pattern, plan, compilation, program device, program, code, device, method, technique, process, procedure, financial data, or list of actual or potential customers or suppliers, whether tangible or intangible and irrespective of how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if:
        (A) The owner of the trade secret has taken reasonable measures under the circumstances to keep the information secret; and
        (B) The information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.

4-120-104. Applicability.
    (a) This chapter applies only to a person that:
        (1) Conducts business in this state or produces a product or service consumed by residents of this state;
        (2) Processes or engages in the sale of personal data; and
        (3) Is not a small business as defined by the United States Small Business Administration, as it existed on January 1, 2025, except to the extent that § 4-120-302(a) applies to a person described by this section.
    (b) This chapter shall only apply to nonprofit organizations whose annual receipts in any of the preceding five (5) calendar years exceeded fifteen million dollars ($15,000,000).
    (c) Notwithstanding subsections (a) and (b) of this section, an employer who employs fifty (50) or more full-time equivalent employees and uses a person’s data to train a high-risk artificial intelligence system, including when a high-risk artificial intelligence system continues learning based on the person’s data, § 4-120-601 et seq. applies if the person:
        (1) Uses a high-risk artificial intelligence system outside the scope of the intended uses that are disclosed to the person; or
        (2) Fails to make available to consumers any impact assessment that a developer of a high-risk artificial intelligence system has completed and provided to the deployer.

4-120-105. Exemptions.
Except as provided under § 4-120-601 et seq., this chapter does not apply to:
    (1) A state agency or political subdivision of this state;
    (2) A financial institution or data subject to Title V, Gramm-Leach-Bliley Act, Pub. L. No. 106-102;
    (3) A covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025, and the Health Information Technology for Economic and Clinical Health Act, Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5;
    (4) An institution of higher education;
    (5) An electric utility governed by Arkansas Code Title 23, Chapter 18;
    (6) Protected health information under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (7) Health records;
    (8) Patient identifying information for purposes of 42 U.S.C. § 290dd-2;
    (9) Identifiable private information:
        (A) For purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46, as it existed on January 1, 2025;
        (B) Collected as part of human subjects research under the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or of the protection of human subjects under 21 C.F.R. Parts 50 and 56, as it existed on January 1, 2025; or
        (C) That is personal data used or shared in research conducted according to the requirements stated in this chapter or other research conducted according to applicable law;
    (10) Information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. § 11101 et seq., as it existed on January 1, 2025;
    (11) Patient safety work product for purposes of the Patient Safety and Quality Improvement Act of 2005, 42 U.S.C. § 299b-21 et seq., as it existed on January 1, 2025;
    (12) Information derived from any of the healthcare-related information listed in this section that is deidentified according to the requirements for deidentification under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (13) Information originating from, intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this section that is maintained by a covered entity or business associate as defined by the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. Section 1320d et seq., or by a program or a qualified service organization as defined by 42 U.S.C. Section 290dd-2;
    (14) Information that is included in a limited data set as described by 45 C.F.R. Section 164.514(e), as it existed on January 1, 2025, to the extent that the information is used, disclosed, and maintained in the manner specified by 45 C.F.R. Section 164.514(e), as it existed on January 1, 2025;
    (15) Information collected or used only for public health activities and purposes as authorized by the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (16) The collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report, and by a user of the consumer report, but only to the extent that the
544544 activity is regulated by and authorized under the Fair Credit Reporting Act, 10
545545 15 U.S.C. §§ 1681-1681t, as it existed on January 1, 2025; 11
546546 (17) Personal data collected, processed, sold, or disclosed in 12
547547 compliance with the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721 13
548548 et seq., as it existed on January 1, 2025; 14
549549 (18) Personal data regulated by the Family Educational Rights 15
550550 and Privacy Act of 1974, 20 U.S.C. § 1232g, as it existed on January 1, 2025; 16
551551 (19) Personal data collected, processed, sold, or disclosed in 17
552552 compliance with the Farm Credit Act of 1971, 12 U.S.C. § 2001 et seq., as it 18
553553 existed on January 1, 2025; 19
554554 (20) Data processed or maintained in the course of an individual 20
555555 applying to, being employed by, or acting as an agent or independent 21
556556 contractor of a controller, processor, or third party, to the extent that the 22
557557 data is collected and used within the context of that role, except as 23
558558 specifically provided in § 4 -120-602; 24
559559 (21) Data processed or maintained as the emergency contact 25
560560 information of an individual under this chapter that is used only for 26
561561 emergency contact purposes; 27
562562 (22) Data that is processed or maintained and is necessary to 28
563563 retain to administer benefits for another individual that relates to an 29
564564 individual described in subdivision (20) of this section and used only for 30
565565 the purposes of administering those benefits; or 31
566566 (23) The processing of personal data by a person in the course 32
567567 of a purely personal or household activity. 33
568568 34
4-120-106. Construction of chapter — Exceptions.
(a) This chapter shall not be construed:
(1) To restrict a controller’s or processor’s ability to:
(A) Comply with state laws or rules, or federal or local laws, rules, or regulations;
(B) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
(C) Investigate, establish, exercise, prepare for, or defend legal claims;
(D) Provide a product or service specifically requested by a consumer or the parent or guardian of a child, perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer before entering into a contract;
(E) Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another individual and in which the processing cannot be manifestly based on another legal basis;
(F) Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity;
(G) Preserve the integrity or security of systems and investigate, report, or prosecute those responsible for breaches of system security;
(H) Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or similar independent oversight entity that determines:
(i) If the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
(ii) Whether or not the expected benefits of the research outweigh the privacy risks; and
(iii) If the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification; or
(I) Assist another controller, processor, or third party with any of the requirements under this section;
(2) As imposing a requirement on controllers and processors that adversely affects the rights or freedoms of any person, including the right of free speech; or
(3) As requiring a controller, processor, third party, or consumer to disclose a trade secret.
(b) If personal data is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data, the requirements imposed on controllers and processors under this chapter may not restrict a controller’s or processor’s ability to collect, use, or retain data to:
(1) Conduct internal research to develop, improve, or repair products, services, or technology;
(2) Effect a product recall;
(3) Identify and repair technical errors that impair existing or intended functionality; or
(4) Perform internal operations that:
(A) Are reasonably aligned with the expectations of the consumer;
(B) Are reasonably anticipated based on the consumer’s existing relationship with the controller; or
(C) Are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
(c) A controller or processor that processes personal data under an exemption in this subchapter bears the burden of demonstrating that the processing of the personal data:
(1) Qualifies for the exemption; and
(2) Complies with the requirements of § 4-120-306, § 4-120-405, and § 4-120-106(b).
(d) The processing of personal data by an entity for the purposes described by this chapter does not solely make the entity a controller with respect to the processing of the data.
(e) This chapter supersedes and preempts an ordinance, resolution, rule, or other regulation adopted by a political subdivision regarding the processing of personal data by a controller or processor.
(f) A controller or processor that complies with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq., as it existed on January 1, 2025, with respect to data collected online is considered to be in compliance with any requirement to obtain parental consent under this chapter.

4-120-107. Requirements for small businesses and nonprofit organizations.
(a) A person that is a small business as described by § 4-120-104(a)(3) or a nonprofit organized as described by § 4-120-104(b) shall not engage in the sale of personal data without receiving prior consent from the consumer.
(b) A person who violates this section is subject to the penalty under § 4-120-701 et seq.

Subchapter 2 — Consumer Rights

4-120-201. Consumer’s personal data rights — Request to exercise rights.
(a)(1) A consumer is entitled to exercise the consumer rights under this subchapter at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to exercise.
(2) With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child may exercise the consumer rights on behalf of the child.
(b) A controller shall comply with an authenticated consumer request to exercise the right to:
(1) Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
(2) Correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
(3) Delete personal data provided by or obtained about the consumer;
(4) If the data is available in a digital format, obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; or
(5) Opt out of the processing of the personal data for the purpose of:
(A) Targeted advertising;
(B) The sale of personal data; or
(C) Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

4-120-202. Waiver or limitation of consumer rights prohibited.
A provision of a contract or agreement that waives or limits a consumer right described by §§ 4-120-201, 4-120-204, and 4-120-205 is contrary to public policy and is void.

4-120-203. Methods for submitting consumer requests.
(a)(1) A controller shall establish two (2) or more secure and reliable methods to enable consumers to submit a request to exercise their consumer rights under this chapter.
(2) The methods shall take into account:
(A) The ways in which consumers normally interact with the controller;
(B) The necessity for secure and reliable communications of any request under subdivision (a)(1) of this section; and
(C) The ability of the controller to authenticate the identity of the consumer making the request.
(b) A controller may not require a consumer to create a new account to exercise the consumer’s rights under this chapter but may require a consumer to use an existing account.
(c) Except as provided by subsection (d) of this section, if the controller maintains a website, the controller shall provide a mechanism on the website for consumers to submit requests for information required to be disclosed under this chapter.
(d) A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal information is only required to provide an email address for the submission of requests described by subsection (c) of this section.
(e)(1) A consumer may designate:
(A) Another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data under § 4-120-201(b)(5)(A) and (B); or
(B) An authorized agent using a technology, including a link to a website, a browser setting or an extension, or a global setting on an electronic device, which allows the consumer to indicate the consumer’s intent to opt out of the processing of the consumer’s personal data.
(2) A controller shall comply with an opt-out request received from an authorized agent under this section if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.
(3) A controller is not required to comply with an opt-out request received from an authorized agent under this subsection if:
(A) The authorized agent does not communicate the request to the controller in a clear and unambiguous manner;
(B) The controller is not able to verify, with commercially reasonable effort, that the consumer is a resident of this state;
(C) The controller does not possess the ability to process the request; or
(D) The controller does not process similar or identical requests the controller receives from consumers for the purpose of complying with similar or identical laws or regulations of another state.
(f) A technology described under subsection (e) of this section:
(1) Shall not:
(A) Unfairly disadvantage another controller; or
(B) Make use of a default setting, but must require the consumer to consent and indicate the consumer’s intent to opt out of any processing of a consumer’s personal data; and
(2) Shall be consumer-friendly and easy to use by the average consumer.

4-120-204. Controller response to consumer request.
(a) Except as otherwise provided by this chapter, a controller shall comply with a request submitted by a consumer to exercise the consumer’s rights under § 4-120-201 as provided by this section.
(b)(1) A controller shall respond to the consumer request without undue delay, which may not be later than the forty-fifth day after the date of receipt of the request.
(2) The controller may extend the response period once by an additional forty-five (45) days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs the consumer of the extension within the initial forty-five-day response period, together with the reason for the extension.
(c) If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, which shall not be later than the forty-fifth day after the date of receipt of the request, of the justification for declining to take action and provide instructions on how to appeal the decision according to § 4-120-205.
(d)(1) A controller shall provide information in response to a consumer request free of charge, at least twice annually per consumer.
(2)(A) If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request.
(B) The controller bears the burden of demonstrating for purposes of this subsection that a request is manifestly unfounded, excessive, or repetitive.
(e) If a controller is unable to authenticate the request using commercially reasonable efforts, the controller is not required to comply with a consumer request submitted under § 4-120-201 and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.
(f) A controller that has obtained personal data about a consumer from a source other than the consumer is considered in compliance with a consumer’s request to delete the consumer’s personal data under § 4-120-201(b)(3) by:
(1) Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using the retained data for any other purpose under this chapter; or
(2) Opting the consumer out of the processing of that personal data for any purpose other than a purpose that is exempt under the provisions of this chapter.

4-120-205. Appeal.
(a) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on the consumer’s request under § 4-120-204(c).
(b) The appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under § 4-120-201.
(c) A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section not later than the sixtieth day after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision.
(d) If the controller denies an appeal, the controller shall provide the consumer with the contact information of the Attorney General to submit a complaint.

Subchapter 3 — Controller Responsibilities

4-120-301. Notice of privacy practices.
(a) A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes:
(1) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller;
(2) The purpose for processing personal data;
(3) How consumers may exercise their consumer rights under § 4-120-201 et seq., including the process by which a consumer may appeal a controller’s decision with regard to the consumer’s request;
(4) If applicable, the categories of personal data that the controller shares with third parties;
(5) If applicable, the categories of third parties with whom the controller shares personal data; and
(6) A description of the methods required under § 4-120-201 through which consumers can submit requests to exercise their consumer rights under this chapter.
(b)(1) If a controller engages in the sale of personal data that is sensitive data, the controller shall include the following notice: "NOTICE: We may sell your sensitive personal data.".
(2) The notice required under subdivision (b)(1) of this section shall be posted in the same location and in the same manner as the privacy notice described by subsection (a) of this section.
(c)(1) If a controller engages in the sale of personal data that is biometric data, the controller shall include the following notice: "NOTICE: We may sell your biometric personal data.".
(2) The notice required under subdivision (c)(1) of this section shall be posted in the same location and in the same manner as the privacy notice described by subsection (a) of this section.
(d)(1) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or process.
(2) The controller shall provide the manner in which a consumer may exercise the right to opt out of the sale or process under subdivision (d)(1) of this section.

4-120-302. Lawful basis of processing.
(a) A person described under § 4-120-104 shall not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.
(b) A person described under § 4-120-104 shall not otherwise process the personal information of a resident of this state without:
(1) An identifiable, good faith, and legitimate interest in processing the personal data that is publicly disclosed to consumers in the notice required under § 4-120-301(a)(2) and not outweighed by the rights and freedoms of consumers;
(2) The consent of the individual consumer;
(3) A contract which requires the processing of personal data;
(4) A legal obligation to process the personal data; or
(5) An overriding necessity to process the personal data of a person for the limited purpose of protecting the person’s vital interests.
(c) A person that is not a covered entity or business associate as defined by the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025, shall not collect or share any consumer health data except:
(1) With consent from the consumer for cash collection for a specified purpose; or
(2) To the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the person.
(d) Consent required under subsection (c) of this section shall be obtained before the collection or sharing, as applicable, of any consumer health data, and the request for consent shall clearly and conspicuously disclose:
(1) The categories of consumer health data collected or shared;
(2) The purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used;
(3) The categories of entities with whom the consumer health data is shared; and
(4) How the consumer can withdraw consent from future collection or sharing of the consumer’s health data.
(e) A controller shall not process the sensitive data of a consumer without obtaining the consumer’s consent or, in the case of processing the sensitive data of a known child, without processing that data according to the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq., as it existed on January 1, 2025.

4-120-303. Dark patterns.
(a) A controller that collects personal information via a website, mobile application, or similar technology shall not utilize dark patterns in its user interfaces.
(b) A lawful basis for processing personal data described under § 4-120-302 obtained by use of a dark pattern is void.

915915 4-120-304. Data minimization. 1
916916 (a) A controller shall limit the collection of personal data to what 2
917917 is adequate, relevant, and reasonably necessary in relation to the purposes 3
918918 for which that personal data is processed, as disclosed to the consumer. 4
919919 (b) A controller in possession of deidentified data shall: 5
920920 (1) Take reasonable measures to ensure that the data cannot be 6
921921 associated with an individual; 7
922922 (2) Publicly commit to maintaining and using deidentified data 8
923923 without attempting to reidentify the data; and 9
924924 (3) Contractually obligate any recipient of the deidentified 10
925925 data to comply with this section. 11
926926 (c) This section does not require a controller to: 12
927927 (1) Reidentify deidentified data or pseudonymous data; 13
928928 (2) Maintain data in identifiable form or obtain, retain, or 14
929929 access any data or technology for the purpose of allowing the controller or 15
930930 processor to associate a consumer request with personal data; or 16
931931 (3) Comply with an authenticated consumer rights request under § 17
932932 4-120-201, if the controller: 18
933933 (A) Is not reasonably capable of associating the request 19
934934 with the personal data or it would be unreasonably burdensome for the 20
935935 controller to associate the request with the personal data; 21
936936 (B) Does not use the personal data to recognize or respond 22
937937 to the specific consumer who is the subject of the personal data or associate 23
938938 the personal data with other personal data about the same consumer; and 24
939939 (C) Does not sell the personal data to a third party or 25
940940 otherwise voluntarily disclose the personal data to a third party other than 26
941941 a processor, except as otherwise permitted by this section. 27
942942 (d) A controller that discloses pseudonymous data or deidentified data 28
943943 shall exercise reasonable oversight to monitor compliance with any 29
944944 contractual commitments to which the pseudonymous data or deidentified data 30
945945 is subject and shall take appropriate steps to address any breach of the 31
946946 contractual commitments. 32
947947 (e) This section shall not be construed to require a controller to 33
948948 provide a product or service that requires the personal data of a consumer 34
949949 that the controller does not collect or maintain or to prohibit a controller 35
950950 from offering a different price, rate, level, quality, or selection of goods 36 SB258
951951
952952 26 02/18/2025 3:16:09 PM ANS146
953953 or services to a consumer, including offering goods or services for no fee, 1
954954 if the consumer has exercised the consumer’s right to opt out under § 4 -120-2
955955 201 or the offer is related to a consumer’s voluntary participation in a bona 3
956956 fide loyalty, rewards, premium features, discounts, or club card program. 4
957957 5
958958 4-120-305. Data security. 6
959959 A controller, for purposes of protecting the confidentiality, 7
960960 integrity, and accessibility of personal data, shall establish, implement, 8
961961 and maintain reasonable administrative, technical, and physical data security 9
962962 practices that are appropriate to the volume and nature of the personal data 10
963963 at issue. 11
964964 12
965965 4-120-306. Purpose limitation. 13
966966 Personal data processed by a controller under this chapter: 14
967967 (1) Shall not be processed for any purpose other than a purpose 15
968968 listed in this chapter unless otherwise allowed by this chapter; 16
969969 (2) May be processed to the extent that the processing of data 17
970970 is: 18
971971 (A) Reasonably necessary and proportionate to the purposes 19
972972 listed in this chapter; and 20
973973 (B) Adequate, relevant, and limited to what is necessary 21
974974 in relation to the specific purposes listed in this chapter; and 22
975975 (3) Except as otherwise provided by this subchapter, a 23
976976 controller shall not process personal data for a purpose that is neither 24
977977 reasonably necessary to nor compatible with the purpose for which the 25
978978 personal data is processed, as disclosed to the consumer, unless the 26
979979 controller obtains the consumer’s consent. 27
980980 28
981981 4-120-307. Sale of data to third parties and processing data for 29
982982 targeted advertising — Disclosure. 30
983983 If a controller sells personal data to third parties or processes 31
984984 personal data for targeted advertising, the controller shall clearly and 32
985985 conspicuously disclose the process and the manner in which a consumer may 33
986986 exercise the right to opt out of that process. 34
987987 35
988988 4-120-308. Data protection assessments. 36 SB258
989989
990990 27 02/18/2025 3:16:09 PM ANS146
991991 (a) A controller shall conduct and document a data protection 1
assessment of each of the following processing activities involving personal data:
    (1) The processing of personal data for purposes of targeted advertising;
    (2) The sale of personal data;
    (3) The processing of personal data for purposes of profiling if the profiling presents a reasonably foreseeable risk of:
        (A) Unfair or deceptive treatment of or unlawful disparate impact on consumers;
        (B) Financial, physical, or reputational injury to consumers;
        (C) A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
        (D) Other substantial injury to consumers;
    (4) The processing of sensitive data; and
    (5) Any processing activities involving personal data that present a heightened risk of harm to consumers.
(b) A data protection assessment conducted under subsection (a) of this section shall:
    (1) Identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with that processing as mitigated by safeguards that can be employed by the controller to reduce the risks; and
    (2) Factor into the assessment:
        (A) The use of deidentified data;
        (B) The reasonable expectations of consumers;
        (C) The context of the processing; and
        (D) The relationship between the controller and the consumer whose personal data will be processed.
(c) A controller shall make a data protection assessment requested under § 4-120-701 et seq. available to the Attorney General under an Attorney General’s subpoena under § 25-16-705.
(d)(1) A data protection assessment is confidential and exempt from public inspection and copying under the Freedom of Information Act of 1967, § 25-19-101 et seq.
    (2) Disclosure of a data protection assessment in compliance with a request from the Attorney General does not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.
(e) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(f) A data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect.

4-120-309. Pseudonymous data.
The consumer rights under § 4-120-201 and controller duties under this subchapter do not apply to pseudonymous data in cases in which the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

4-120-310. Miscellaneous prohibitions.
A controller shall not:
    (1) Process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers; or
    (2) Discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

Subchapter 4 — Processor Responsibilities

4-120-401. Compliance with contractual obligations.
(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting or complying with the controller’s duties or requirements under this chapter, including without limitation:
    (1) Assisting the controller in responding to consumer rights requests submitted under § 4-120-201 by using appropriate technical and organizational measures, as reasonably practicable, taking into account the nature of processing and the information available to the processor;
    (2) Assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor’s system, taking into account the nature of processing and the information available to the processor; and
    (3) Providing necessary information to enable the controller to conduct and document data protection assessments under § 4-120-308.
(b)(1) A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller.
    (2) The contract shall include:
        (A) Clear instructions for processing data;
        (B) The nature and purpose of processing;
        (C) The type of data subject to processing;
        (D) The duration of processing;
        (E) The rights and obligations of both parties; and
        (F) A requirement that the processor shall:
            (i) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
            (ii) At the controller’s direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
            (iii) Make available to the controller, on reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with the requirements of this chapter;
            (iv) Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; and
            (v) Engage a subcontractor under a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.
(c)(1) Notwithstanding the requirement described by subdivision (b)(2)(F) of this section, a processor, in the alternative, may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the requirements under this chapter using an appropriate and accepted control standard or framework and assessment procedure.
    (2) The processor shall provide a report of the assessment to the controller on request.
(d) This section does not relieve a controller or a processor from the liabilities imposed on the controller or processor by virtue of its role in the processing relationship as described by this chapter.
(e)(1) A determination of whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is to be processed.
    (2) A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains in the role of a processor.

4-120-402. Notice of privacy practices.
A processor shall provide consumers with a reasonably accessible and clear privacy notice that includes:
    (1) The categories of personal data processed by the processor, including, if applicable, any sensitive data processed by the processor;
    (2) The purpose for processing personal data;
    (3) If applicable, the categories of personal data that the processor shares with third parties; and
    (4) If applicable, the categories of third parties with whom the processor shares personal data.

4-120-403. Data minimization at collection.
(a) A processor shall limit the collection of personal data from a controller to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer.
(b) A processor in possession of deidentified data shall:
    (1) Take reasonable measures to ensure that the data cannot be associated with an individual;
    (2) Publicly commit to maintaining and using deidentified data without attempting to reidentify the data; and
    (3) Contractually obligate any recipient of the deidentified data to comply with this chapter.
(c) This chapter does not require a processor to:
    (1) Reidentify deidentified data or pseudonymous data;
    (2) Maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the processor to associate a consumer request with personal data; or
    (3) Comply with an authenticated consumer rights request under § 4-120-201 et seq., if the processor:
        (A) Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the processor to associate the request with the personal data;
        (B) Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same consumer; and
        (C) Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by this section.
(d) The consumer rights under § 4-120-201 and processor duties under this subchapter do not apply to pseudonymous data in cases in which the processor is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.
(e) A processor that discloses pseudonymous data or deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and shall take appropriate steps to address any breach of the contractual commitments.

4-120-404. Data security.
A processor, for purposes of protecting the confidentiality, integrity, and accessibility of personal data, shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.

4-120-405. Purpose limitation.
(a) Personal data processed by a processor under this chapter shall not be processed for any purpose other than a purpose listed in this chapter unless otherwise allowed by this chapter.
(b) Personal data under subsection (a) of this section processed by a processor under this subchapter may be processed to the extent that the processing of data is:
    (1) Reasonably necessary and proportionate to the purposes listed in this chapter; and
    (2) Adequate, relevant, and limited to what is necessary in relation to the purposes of this chapter.

4-120-406. Data retention.
(a) A processor shall follow the instructions of the controller in the retention and deletion of personal data.
(b) If the controller does not provide the processor instructions, a processor shall delete all personal data within ninety (90) days of ceasing processing the data for the controller unless law, statute, or regulation requires a longer retention period.

4-120-407. Assisting controllers in honoring data subject rights.
(a) If a controller gives a processor notice that the controller has received a consumer request regarding personal data processed by the processor for the controller, the processor shall follow the instructions of the controller in complying with the consumer’s request.
(b) If a processor receives a request from a consumer regarding data received from a controller, the processor shall:
    (1) Notify the controller that they have received a consumer data rights request;
    (2) Notify the consumer that they have forwarded the request to the controller; and
    (3) Follow the instructions of the controller in complying with the consumer’s request.

Subchapter 5 — Special Data Types

4-120-501. Biometrics.
(a)(1) A person in possession of biometric data shall develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric data when the initial purpose for collecting or obtaining the biometric data has been satisfied or within three (3) years, whichever occurs first.
    (2) Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric data must comply with the private entity's established retention schedule and destruction guidelines.
(b) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a person’s or a consumer’s biometric data, unless the private entity first:
    (1) Informs a consumer or the consumer’s legally authorized representative in writing that biometric data is being collected or stored;
    (2) Informs a consumer or the consumer’s legally authorized representative in writing of the specific purpose and length of term for which biometric data is being collected, stored, and used; and
    (3) Receives a written release executed by a consumer.
(c) A person in possession of biometric data shall not:
    (1) Sell, lease, trade, or otherwise profit from a person’s or a consumer’s biometric data; or
    (2) Disclose, redisclose, or otherwise disseminate a person’s or a consumer’s biometric data unless:
        (A) The subject of the biometric data or the subject’s legally authorized representative consents to the disclosure, redisclosure, or dissemination;
        (B) The disclosure, redisclosure, or dissemination completes a financial transaction requested or authorized by the subject of the biometric data or the subject’s legally authorized representative;
        (C) The disclosure, redisclosure, or dissemination is required by state or federal law or an ordinance by a local government; or
        (D) The disclosure is required under a valid warrant or subpoena issued by a court of competent jurisdiction.

Subchapter 6 — Responsible Artificial Intelligence

4-120-601. Developer duties.
(a) A developer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the high-risk artificial intelligence system.
(b) A developer of a high-risk artificial intelligence system shall make available to the deployer, another developer of the high-risk artificial intelligence system, or the Attorney General upon the Attorney General’s request subject to a civil investigative demand:
    (1) A general statement describing the reasonably foreseeable uses and known harmful or inappropriate uses of the high-risk artificial intelligence system;
    (2) Documentation disclosing:
        (A) High-level summaries of the type of data used to train the high-risk artificial intelligence system;
        (B) Known or reasonably foreseeable limitations of the high-risk artificial intelligence system, including known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system;
        (C) The purpose of the high-risk artificial intelligence system;
        (D) The intended benefits and uses of the high-risk artificial intelligence system; and
        (E) All other information necessary to allow the deployer to complete an impact assessment under § 4-120-603;
    (3) Documentation describing:
        (A) The method by which the high-risk artificial intelligence system was evaluated for performance and mitigation of algorithmic discrimination before the high-risk artificial intelligence system was offered, sold, leased, licensed, given, or otherwise made available to the deployer;
        (B) The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation;
        (C) The intended outputs of the high-risk artificial intelligence system;
        (D) The measures the developer has taken to mitigate known or reasonably foreseeable risks of algorithmic discrimination that may arise from the reasonably foreseeable deployment of the high-risk artificial intelligence system; and
        (E) The method by which the high-risk artificial intelligence system should be used, should not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a decision that produces a legal or similarly significant effect concerning a consumer; and
    (4) Any additional documentation that is reasonably necessary to assist the deployer in understanding the outputs and monitor the performance of the high-risk artificial intelligence system for risks of algorithmic discrimination.
(c) Except as provided in subsection (g) of this section, a developer that offers, sells, leases, licenses, gives, or otherwise makes available to a deployer or other developer a high-risk artificial intelligence system shall make available to the deployer or other developer, to the extent feasible, the documentation and information, through artifacts such as model cards, dataset cards, or other impact assessments, necessary for a deployer, or for a third party contracted by a deployer, to complete an impact assessment under § 4-120-603.
(d) A developer shall make available, in a manner that is clear and readily available on the developer’s website or in a public use case inventory, a statement summarizing:
    (1) The types of high-risk artificial intelligence systems that the developer has developed or intentionally and substantially modified and currently makes available to a deployer or other developer; and
    (2) How the developer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the development or intentional and substantial modification of the types of high-risk artificial intelligence systems described according to subsection (d)(1) of this section.
(e) A developer shall update the statement described in subsection (d) of this section:
    (1) As necessary to ensure that the statement remains accurate; and
    (2) No later than ninety (90) days after the developer intentionally and substantially modifies any high-risk artificial intelligence system described in subdivision (d)(1) of this section.
(f) A developer of a high-risk artificial intelligence system shall disclose to the Attorney General and to all known deployers or other developers of the high-risk artificial intelligence system any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system without unreasonable delay but no later than ninety (90) days after the date on which:
    (1) The developer discovers through the developer’s ongoing testing and analysis that the developer’s high-risk artificial intelligence system has been deployed and has caused or is reasonably likely to have caused algorithmic discrimination; or
    (2) The developer receives from a deployer a credible report that the high-risk artificial intelligence system has been deployed and has caused algorithmic discrimination.
(g)(1) This section shall not require a developer to disclose a trade secret, information protected from disclosure by state or federal law, or information that would create a security risk to the developer, except to the Attorney General.
    (2) In a disclosure to the Attorney General, the developer may designate the statement or documentation as including proprietary information or a trade secret.

4-120-602. Deployer duties.
(a)(1) A deployer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination.
    (2) In any enforcement action brought by the Attorney General under § 4-120-701 et seq., there is a rebuttable presumption that a deployer of a high-risk artificial intelligence system used reasonable care as required under this section if the deployer complied with this section.
(b)(1) A deployer of high-risk artificial intelligence systems shall implement a risk management policy and program to govern the deployer’s deployment of one (1) or more high-risk artificial intelligence systems.
    (2) The risk management policy and program shall specify and incorporate principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination.
    (3) The risk management policy and program shall be an interactive process planned, implemented, and regularly and systematically reviewed and updated over the lifecycle of a high-risk artificial intelligence system, requiring regular, systematic review, and updates.
    (4) A risk management policy and program implemented and maintained under this subdivision (b)(1) of this section shall be reasonable considering:
        (A) The guidance and standards stated in the latest version of the Artificial Intelligence Risk Management Framework published by the National Institute of Standards and Technology of the United States Department of Commerce, Standard ISO/IEC 42001 of the International Organization for Standardization, or another nationally or internationally recognized risk management framework for artificial intelligence systems, if the standards are substantially equivalent to or more stringent than the requirements of this subchapter;
        (B) The size and complexity of the deployer;
        (C) The nature and scope of the high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and
        (D) The sensitivity and volume of data processed in connection with the high-risk artificial intelligence systems deployed by the deployer.
(c) A deployer or other developer that deploys, offers, sells, leases, licenses, gives, or otherwise makes available an artificial intelligence system that is intended to interact with consumers shall ensure the disclosure to each consumer who interacts with the artificial intelligence system that the consumer is interacting with an artificial intelligence system, unless under the circumstances it would be obvious to a reasonable person that the person is interacting with an artificial intelligence system.
(d) If a deployer deploys a high-risk artificial intelligence system and subsequently discovers that the high-risk artificial intelligence system has caused algorithmic discrimination, the deployer, without unreasonable delay, but no later than ninety (90) days after the date of the discovery, shall send to the Attorney General a notice disclosing the discovery.

4-120-603. Artificial intelligence impact assessments.
(a) Except as provided in subsections (d) and (e) of this section:
    (1) A deployer, or a third party contracted by the deployer, that deploys a high-risk artificial intelligence system shall complete an impact assessment for the high-risk artificial intelligence system; and
    (2) A deployer, or a third party contracted by the deployer, shall complete an impact assessment for a deployed high-risk artificial intelligence system at least annually and within ninety (90) days after any intentional and substantial modification to the high-risk artificial intelligence system is made available.
(b) An impact assessment completed under this subsection shall include, at a minimum, and to the extent reasonably known by or available to the deployer:
    (1) A statement by the deployer disclosing the purpose, intended use cases, deployment context of, and benefits afforded by the high-risk artificial intelligence system;
    (2) An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks;
    (3) A description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs the high-risk artificial intelligence system produces;
    (4) If the deployer used data to customize the high-risk artificial intelligence system, an overview of the categories of data the deployer used to customize the high-risk artificial intelligence system;
    (5) Any metrics used to evaluate the performance and known limitations of the high-risk artificial intelligence system;
    (6) A description of any transparency measures taken concerning the high-risk artificial intelligence system, including any measures taken to disclose to a consumer that the high-risk artificial intelligence system is in use when the high-risk artificial intelligence system is in use; and
    (7) A description of the post-deployment monitoring and user safeguards provided concerning the high-risk artificial intelligence system, including the oversight, use, and learning process established by the deployer to address issues arising from the deployment of the high-risk artificial intelligence system.
(c) In addition to the information required under subsection (b) of this section, an impact assessment completed under this section following an intentional and substantial modification to a high-risk artificial intelligence system must include a statement disclosing the extent to which the high-risk artificial intelligence system was used in a manner that was consistent with, or varied from, the developer’s intended uses of the high-risk artificial intelligence system.
(d) A single impact assessment may address a comparable set of high-risk artificial intelligence systems deployed by a deployer.
(e) If a deployer or a third party contracted by the deployer completes an impact assessment for the purpose of complying with another applicable law or regulation, the impact assessment satisfies the requirements established in this section if the impact assessment is reasonably similar in scope and effect to the impact assessment that would otherwise be completed under this section.
(f) A deployer shall maintain the most recently completed impact assessment for a high-risk artificial intelligence system as required under this section, all records concerning each impact assessment, and all prior impact assessments, if any, for at least three (3) years following the final deployment of the high-risk artificial intelligence system.
(g) On the effective date of this chapter, and at least annually thereafter, a deployer, or a third party contracted by the deployer, shall review the deployment of each high-risk artificial intelligence system deployed by the deployer to ensure that the high-risk artificial intelligence system is not causing algorithmic discrimination.

14811481 4-120-604. Consumer rights. 35
14821482 Deployers of high-risk artificial intelligence systems shall provide 36 SB258
14831483
14841484 40 02/18/2025 3:16:09 PM ANS146
consumers:
    (1) Notice that the deployer has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a decision that produces a legal or similarly significant effect concerning the consumer;
    (2) A statement disclosing the purpose of the high-risk artificial intelligence system, the nature of the decision that produces a legal or similarly significant effect concerning the consumer, the contact information for the deployer, a description in plain language of the high-risk artificial intelligence system, and instructions on how to access the statement required by subdivision (8) of this section;
    (3) The right to opt out of the processing of personal data concerning the consumer for purposes of profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer;
    (4) If a high-risk artificial intelligence system makes an adverse decision that produces a legal or similarly significant effect concerning the consumer, a statement disclosing the principal reason or reasons for the adverse decision, including without limitation:
        (A) The degree to which, and manner in which, the high-risk artificial intelligence system contributed to the decision;
        (B) The type of data that was processed by the high-risk artificial intelligence system in making the decision; and
        (C) The source or sources of the data described in subdivision (4)(B) of this section;
    (5) An opportunity to correct any incorrect personal data that the high-risk artificial intelligence system processed in making, or as a substantial factor in making, the decision;
    (6) An opportunity to appeal the adverse decision concerning the consumer arising from the deployment of the high-risk artificial intelligence system, which allows for human review if technically feasible unless providing the opportunity for appeal is not in the best interests of the consumer, including in instances in which any delay might pose a risk to the life or safety of the consumer;
    (7) Notices, statements, and documents required by this subchapter directly to the consumer in plain language and in a format that is
accessible to consumers with disabilities consistent with the requirements of the Americans with Disabilities Act of 1990, 42 U.S.C. § 12101 et seq., as it existed on January 1, 2025; and
    (8) A statement on the deployer’s website that is clear, readily available, and periodically updated that summarizes:
        (A) The types of high-risk artificial intelligence systems that are currently deployed by the deployer;
        (B) How the deployer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the deployment of each high-risk artificial intelligence system described pursuant to this subdivision; and
        (C) In detail, the nature, source, and extent of the information collected and used by the deployer.

Subchapter 7 — Enforcement

4-120-701. Attorney General.
The Attorney General has exclusive authority to enforce this chapter.

4-120-702. Procedures.
The Attorney General shall post on the Attorney General’s website:
    (1) Information relating to:
        (A) The responsibilities of a controller under this chapter;
        (B) The responsibilities of a processor under this chapter;
        (C) The responsibilities of a deployer and developer of a high-risk artificial intelligence system; and
        (D) A consumer’s rights under this chapter; and
    (2) An online mechanism through which a consumer may submit a complaint under this chapter to the Attorney General.

4-120-703. Remedies.
    (a)(1) If the Attorney General has reasonable cause to believe that a person has engaged in or is engaging in a violation of this chapter, the Attorney General may issue an Attorney General’s subpoena.
        (2) The procedures established for the issuance of an Attorney General’s subpoena under § 25-16-705 apply to the same extent and manner to the issuance of an Attorney General’s subpoena under this section.
    (b)(1) The Attorney General may request, under an Attorney General’s subpoena issued under subdivision (a)(1) of this section, that a person governed by this chapter disclose to any data protection assessment or artificial intelligence impact assessment that is relevant to an investigation conducted by the Attorney General.
        (2) The Attorney General may evaluate the data protection assessment for compliance with the requirements under § 4-120-308 or the artificial intelligence impact assessment for compliance with the requirements under § 4-120-603.
    (c) A violation of this chapter is an unfair and deceptive act or practice, as defined by the Deceptive Trade Practices Act, § 4-88-101 et seq.
    (d) All remedies, penalties, and authority granted to the Attorney General under the Deceptive Trade Practices Act, § 4-88-101 et seq., shall be available to the Attorney General for the enforcement of this chapter.

4-120-704. Private right of action.
This chapter does not provide a basis for, or being subject to, a private right of action for a violation of this chapter or any other law.

Section 2. DO NOT CODIFY. Effective date.
    (a) Sections 4-120-101 et seq. through sections § 4-120-401 et seq. are effective on January 1, 2026.
    (b) Section 4-120-601 et seq. is effective on July 1, 2026.
    (c)(1) To the extent § 4-120-701 et seq. applies to the enforcement of § 4-120-101 et seq. — § 4-120-401 et seq., it is effective on April 1, 2026.
        (2) To the extent § 4-120-701 et seq. applies to the enforcement of § 4-120-601 et seq., it is effective on October 1, 2026.