Stricken language would be deleted from and underlined language would be added to present law.

ANS146 02/18/2025 3:16:09 PM

State of Arkansas
95th General Assembly
A Bill
Regular Session, 2025
SENATE BILL 258

By: Senator C. Penzo
By: Representative S. Meeks

For An Act To Be Entitled
AN ACT TO CREATE THE ARKANSAS DIGITAL RESPONSIBILITY, SAFETY, AND TRUST ACT; AND FOR OTHER PURPOSES.

Subtitle
TO CREATE THE ARKANSAS DIGITAL RESPONSIBILITY, SAFETY, AND TRUST ACT.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS:

SECTION 1. Arkansas Code Title 4, is amended to add an additional chapter to read as follows:

CHAPTER 120
ARKANSAS DIGITAL RESPONSIBILITY, SAFETY, AND TRUST ACT

Subchapter 1 — General Provisions

4-120-101. Title.
This chapter shall be known and may be cited as the "Arkansas Digital Responsibility, Safety, and Trust Act".

4-120-102. Legislative findings.
The General Assembly finds that:
    (1) Arkansans and Americans have long valued personal privacy as something that serves essential human needs of liberty, personal autonomy, seclusion, family, intimacy, and other relationships, and security;
    (2) Privacy safeguards foundational American values of self-government;
    (3) The United States and Arkansas have long protected aspects of personal privacy since the nation’s founding, including through the First, Third, Fourth, Fifth, Ninth, and Fourteenth Amendments to the United States Constitution and Article 2, §§ 2, 6, 8, 10, 15, 21, and 24 of the Arkansas Constitution;
    (4)(A) The United States has a history of leadership in privacy rights, passing some of the first privacy laws as early as the eighteenth century and adopting one (1) of the first national privacy and data protection laws globally in addition to the “fair information practice principles” that have influenced laws and privacy practices around the world.
        (B) In this information age of the twenty-first century, in the absence of ongoing federal leadership in privacy, Arkansas should join over twenty (20) other states in leading privacy protection;
    (5)(A) The expansion of computers, internet connectivity, mobile telephones, and other digital information and communications technology has magnified the risks to an individual's privacy that can occur from the collection, processing, storage, or dissemination of personal information.
        (B) The overwhelming majority of Arkansans and Americans have smartphones equipped with powerful computers, immense storage capacity, arrays of sensors, and the capacity to transmit information around the world instantaneously.
        (C) Some people use these devices continuously and use them to store a digital record of nearly every aspect of their lives.
        (D) Arkansans increasingly have other “smart devices” such as automobiles, televisions, home appliances, and wearable accessories that collect, process, and transmit information linked to Arkansans and their activities to entities around the world;
    (6)(A) The personal information of Arkansans and Americans has been used against them to steal their identities, open financial and credit accounts in their names, and do other personal and financial harm.
        (B) Troves of Arkansan and American personal information lie in the hands of state adversaries and criminals;
    (7) The aggregation of an increasing volume of data among many different entities expands the exposure to malicious actors in cyberspace and the availability of personal information to such actors;
    (8)(A) The risks of harm from privacy violations are significant.
        (B) Unwanted or unexpected disclosure of personal information and loss of privacy can have devastating effects for individuals, including financial fraud and loss, identity theft, and the resulting loss of personal time and money, destruction of property, harassment, and even potential physical injury.
        (C) Other effects such as reputational or emotional damage can be equally or even more substantial;
    (9)(A) With the development of artificial intelligence and machine learning, the potential to use personal and other information in ways that replicate existing social problems has increased in scale.
        (B) Algorithms use personal and other information to guide decision-making related to critical issues, such as credit determination, housing advertisements, and hiring processes, and can result in differing accuracy rates;
    (10)(A) Individuals need to feel confident that data that relates to them will not be used or shared in ways that can harm themselves, their families, or society.
        (B) As such, organizations that collect, use, retain, and share personal information should be subject to meaningful and effective boundaries on such activities, obligated to take reasonable steps to protect the privacy and security of personal information, and required to mitigate privacy risks to the individuals whose data they steward; and
    (11)(A) The majority of governments around the world already impose such restrictions on businesses, but Arkansans do not yet have their right to privacy protected.
        (B) It is proper for the General Assembly to protect Arkansans’ privacy rights, enforce the rights against those who collect, use, retain, and share their personal information, and establish the legislative framework for responsible, safe, and trustworthy technology in Arkansas.

4-120-103. Definitions.
As used in this chapter:
    (1) "Affiliate" means a legal entity that:
        (A) Controls, is controlled by, or is under common control with another legal entity; or
        (B) Shares common branding with another legal entity;
    (2) "Algorithmic discrimination" means a condition in which the use of an artificial intelligence system results in an unlawful differential treatment or impact that disfavors an individual or group of individuals on the basis of the individual's or group of individuals' actual or perceived age, color, disability status, ethnicity, genetic information, national origin, race, religion, sex, veteran status, or other classification protected under the laws of this state or federal law;
    (3) "Artificial intelligence system" means a machine-based system that, for any explicit or implicit objective, infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations, that can influence physical or virtual environments;
    (4) "Authenticate" means to verify through reasonable means that the consumer who is entitled to exercise the consumer’s right is the same consumer exercising those consumer rights with respect to the personal data at issue;
    (5)(A) "Biometric data" means data generated by automatic measurements of an individual’s biological characteristics.
        (B) "Biometric data" includes a fingerprint, voiceprint, eye retina or iris scans, or other unique biological pattern or characteristic that is used to identify a specific individual.
        (C) "Biometric data" does not include a physical or digital photograph or data generated from a physical or digital photograph, a video or audio recording or data generated from a video or audio recording, or information collected, used, or stored for healthcare treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (6) "Business associate" means the same as defined in the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (7) "Child" means an individual younger than thirteen (13) years of age;
    (8)(A) "Consent" means a clear affirmative act, if referring to a consumer, that signifies a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.
        (B) "Consent" includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
        (C) "Consent" does not include:
            (i) An acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other unrelated information;
            (ii) The hovering over, muting, pausing, or closing a given piece of content; or
            (iii) An agreement obtained through the use of dark patterns;
    (9)(A) "Consumer" means an individual who is a resident of this state acting only in an individual or household context.
        (B) "Consumer" does not include an individual acting in a commercial or employment context;
    (10) "Consumer health data" means information about a person’s health collected by a person or entity not subject to the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025, including information gathered from wearable fitness devices, mobile phones, applications promoting personal physical, dental, or mental health, nutrition trackers, and similar applications generally available to the public;
    (11) "Control" means:
        (A) The ownership of, or power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a company;
        (B) The control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
        (C) The power to exercise controlling influence over the management of a company;
    (12) "Controller" means an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data;
    (13) "Covered entity" has the same meaning as defined in the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (14)(A) "Dark pattern" means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice.
        (B) "Dark pattern" includes any practice that the Federal Trade Commission refers to as a dark pattern;
    (15) "Decision that produces a legal or similarly significant effect concerning a consumer" means a decision made by a controller that results in the provision or denial by the controller of:
        (A) Financial and lending services;
        (B) Housing, insurance, or healthcare services;
        (C) Education enrollment;
        (D) Employment opportunities;
        (E) Criminal justice; or
        (F) Access to basic necessities, such as food and water;
    (16) "Deidentified data" means data that cannot reasonably be linked to an identified or identifiable individual or a device linked to that individual;
    (17) "Deploy" means to use a high-risk artificial intelligence system;
    (18) "Deployer" means a person doing business in this state that deploys a high-risk artificial intelligence system;
    (19) "Developer" means a person doing business in this state that develops or intentionally and substantially modifies an artificial intelligence system;
    (20) "Full-time equivalent employee" means one (1) or more employees whose average weekly work hours exceed thirty-five (35) hours;
    (21)(A) "Health record" means a written, printed, or electronically recorded material maintained by a healthcare provider in the course of providing healthcare services to an individual that concerns the individual and the services provided.
        (B) "Health record" includes:
            (i) The substance of any communication made by an individual to a healthcare provider in confidence during or in connection with the provision of healthcare services; or
            (ii) Information otherwise acquired by the healthcare provider about an individual in confidence and in connection with healthcare services provided to the individual;
    (22) "Healthcare provider" means the same as defined in the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025;
    (23) "Healthcare services" has the same meaning as provided in 42 U.S.C. § 234(d)(2), as it existed on January 1, 2025;
    (24)(A) "High-risk artificial intelligence system" means an artificial intelligence system that, when deployed, makes, or is a substantial factor in making, a decision that produces a legal or similarly significant effect concerning a consumer.
        (B) "High-risk artificial intelligence system" does not include an artificial intelligence system if the artificial intelligence system is intended to:
            (i) Perform a narrow or procedural task;
            (ii) Detect decision-making patterns or deviations from prior decision-making patterns and is not intended to replace or influence a previously completed human assessment without sufficient human review; or
            (iii) Perform tasks that do not make, or are not a substantial factor in making, a decision that produces a legal or similarly significant effect concerning a consumer, including without limitation:
                (a) Anti-fraud technology that does not use facial recognition technology;
                (b) Anti-malware, anti-virus, artificial-intelligence-enabled video games, calculators, cybersecurity, databases, data storage, firewall, internet domain registration, internet website loading, networking, spam- and robocall-filtering, spell-checking, spreadsheets, web caching, web hosting or any similar technology, or technology that communicates with consumers in natural language for the purpose of providing users with information, making referrals or recommendations, and answering questions; and
                (c) Is subject to an accepted use policy that prohibits generating content that is discriminatory or harmful, unless such technologies, when deployed, make or are a substantial factor in making, a decision that produces a legal or similarly significant effect concerning a consumer;
    (25) "Identified" means a consumer who can be readily identified, directly or indirectly;
    (26) "Institution of higher education" means:
        (A) A vocational or technical school governed by Arkansas Code Title 6, Subtitle 4; or
        (B) A postsecondary or higher education institution governed by Arkansas Code Title 6, Subtitle 5;
    (27)(A) "Intentional and substantial modification" means a deliberate change made to an artificial intelligence system that results in any new reasonably foreseeable risk of algorithmic discrimination.
        (B) "Intentional and substantial modification" does not include a change made to a high-risk artificial intelligence system, or the performance of a high-risk artificial intelligence system, if:
            (i) The high-risk artificial intelligence system continues to learn after the high-risk artificial intelligence system is offered, sold, leased, licensed, given, otherwise made available to a deployer, or is deployed;
            (ii) The change is made to the high-risk artificial intelligence system as a result of any learning described in subdivision (27)(B)(i) of this section;
            (iii) The change was predetermined by the deployer, or a third party contracted by the deployer, when the deployer or third party completed an initial impact assessment of the high-risk artificial intelligence system under § 4-120-603; and
            (iv) The change is included in technical documentation for the high-risk artificial intelligence system;
    (28) "Known child" means a child under circumstances where a controller has actual knowledge of, or willfully disregards, the child’s age;
    (29) "Nonprofit organization" means:
        (A) A corporation governed by Arkansas Code Title 4, Chapter 28 or Chapter 33 to the extent applicable to nonprofit corporations;
        (B) An organization exempt from federal taxation as a nonprofit entity under § 501(a) of the Internal Revenue Code, by being listed as an exempt organization under §§ 501(c)(3), 501(c)(4), 501(c)(6), 501(c)(12), or 501(c)(19) of the Internal Revenue Code; or
        (C) A political organization;
    (30)(A) "Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual.
4 (B) "Personal data" includes pseudonymous data when the 5 data is used by a controller or processor in conjunction with additional 6 information that reasonably links the data to an identified or identifiable 7 individual. 8 (C) "Personal data" does not include deidentified data or 9 publicly available information; 10 (31) "Political organization" means a party, committee, 11 association, fund, or other organization, regardless of whether incorporated, 12 that is organized and operated primarily for the purpose of influencing or 13 attempting to influence: 14 (A) The selection, nomination, election, or 15 appointment of an individual to federal, state, or local public office or an 16 office in a political organization, regardless of whether the individual is 17 ultimately selected, nominated, elected, or appointed; or 18 (B) The election of a presidential or vice -19 presidential elector, regardless of whether the elector is ultimately 20 selected, nominated, elected, or appointed; 21 (32)(A) "Precise geolocation data" means information derived 22 from technology, including Global Positioning System level latitude and 23 longitude coordinates or other mechanisms, that directly identifies the 24 specific location of an individual with precision and accuracy within a 25 radius of one thousand seven hundred fifty feet (1,750'). 
26 (B) "Precise geolocation data" does not include the 27 content of communications or any data generated by or connected to an 28 advanced utility metering infrastructure system or to equipment for use by a 29 utility; 30 (33) "Process" means an operation or set of operations 31 performed, whether by manual or automated means, on personal data or on sets 32 of personal data, such as the collection, use, storage, disclosure, analysis, 33 deletion, or modification of personal data; 34 (34) "Processor" means a person who processes personal data on 35 behalf of a controller; 36 SB258 10 02/18/2025 3:16:09 PM ANS146 (35) "Profiling" means a form of automated processing performed 1 on personal data to evaluate, analyze, or predict personal aspects related to 2 an identified or identifiable individual’s economic situation, health, 3 personal preferences, interests, reliability, behavior, location, or 4 movements; 5 (36) "Protected health information" means the same as defined 6 under the Health Insurance Portability and Accountability Act of 1996, 42 7 U.S.C. 
§ 1320d et seq., as it existed on January 1, 2025; 8 (37) "Pseudonymous data" means any information that cannot be 9 attributed to a specific individual without the use of additional 10 information, provided that the additional information is kept separately and 11 is subject to appropriate technical and organizational measures to ensure 12 that the personal data is not attributed to an identified or identifiable 13 individual; 14 (38) "Publicly available information" means information that is 15 lawfully made available through government records, or information that a 16 business has a reasonable basis to believe is lawfully made available to the 17 general public through widely distributed media, by a consumer, or by a 18 person to whom a consumer has disclosed the information, unless the consumer 19 has restricted the information to a specific audience; 20 (39)(A) "Sale of personal data" means the sharing, disclosing, 21 or transferring of personal data for monetary or other valuable consideration 22 by a controller to a third party. 23 (B) "Sale of personal data" does not include: 24 (i) The disclosure of personal data to a processor 25 that processes the personal data on the controller’s behalf; 26 (ii) The disclosure of personal data to a third 27 party for purposes of providing a product or service requested by the 28 consumer; 29 (iii) The disclosure or transfer of personal data to 30 an affiliate of a controller; 31 (iv) The disclosure of information that the 32 consumer: 33 (a) Intentionally made available to the 34 general public through a mass media channel; and 35 (b) Did not restrict to a specific audience; 36 SB258 11 02/18/2025 3:16:09 PM ANS146 or 1 (v) The disclosure or transfer of personal data to a 2 third party as an asset that is part of a merger or acquisition; 3 (40)(A) "Sensitive data" means a category of personal data. 
4 (B) "Sensitive data" includes: 5 (i) Personal data revealing racial or ethnic origin, 6 religious beliefs, mental or physical health diagnosis, sexuality, or 7 citizenship or immigration status; 8 (ii) Genetic or biometric data that is processed for 9 the purpose of uniquely identifying an individual; 10 (iii) Personal data collected from a known child; 11 (iv) Precise geolocation data; or 12 (v) Data concerning personal or political 13 affiliations, credentials to access online financial, healthcare, or other 14 accounts that could be used to access a means of communication, Social 15 Security number, driver's license number, or other government -issued 16 identification number; 17 (41) "State agency" means a department, commission, board, 18 office, council, authority, or other agency in any branch of state government 19 that is created by the Arkansas Constitution or a statute of this state, 20 including a university system or institution of higher education as governed 21 by Arkansas Code Title 6, Subtitles 4 or 5 that receives state funding or has 22 directors appointed by the Governor; 23 (42) "Substantial factor" means a factor that: 24 (A) Assists in making a decision that produces a legal or 25 similarly significant effect concerning a consumer; 26 (B) Is capable of altering the outcome of a decision that 27 produces a legal or similarly significant effect concerning a consumer; 28 (C) Is generated by an artificial intelligence system; and 29 (D) Includes any use of an artificial intelligence system 30 to generate any content, decision, prediction, or recommendation concerning a 31 consumer that is used as a basis to make a decision that produces a legal or 32 similarly significant effect concerning a consumer; 33 (43)(A) "Targeted advertising" means displaying to a consumer an 34 advertisement that is selected based on personal data obtained from that 35 consumer’s activities over time and across nonaffiliated websites or online 36 SB258 12 02/18/2025 
3:16:09 PM ANS146 applications to predict the consumer’s preferences or interests. 1 (B) "Targeted advertising" does not include an 2 advertisement that: 3 (i) Is based on activities within a controller’s own 4 websites or online applications; 5 (ii) Is based on the context of a consumer’s current 6 search query, visit to a website, or online application; 7 (iii) Is directed to a consumer in response to the 8 consumer’s request for information or feedback; or 9 (iv) Is used for the processing of personal data 10 solely for measuring or reporting advertising performance, reach, or 11 frequency; 12 (44) "Third party" means a person, other than the consumer, the 13 controller, the processor, or an affiliate of the controller or processor; 14 and 15 (45) "Trade secret" means all forms and types of information, 16 including business, scientific, technical, economic, or engineering 17 information, and any formula, design, prototype, pattern, plan, compilation, 18 program device, program, code, device, method, technique, process, procedure, 19 financial data, or list of actual or potential customers or suppliers, 20 whether tangible or intangible and irrespective of how stored, compiled, or 21 memorialized physically, electronically, graphically, photographically, or in 22 writing if: 23 (A) The owner of the trade secret has taken reasonable 24 measures under the circumstances to keep the information secret; and 25 (B) The information derives independent economic value, 26 actual or potential, from not being generally known to, and not being readily 27 ascertainable through proper means by, another person who can obtain economic 28 value from the disclosure or use of the information. 29 30 4-120-104. Applicability. 
31 (a) This chapter applies only to a person that: 32 (1) Conducts business in this state or produces a product or 33 service consumed by residents of this state; 34 (2) Processes or engages in the sale of personal data; and 35 (3) Is not a small business as defined by the United States 36 SB258 13 02/18/2025 3:16:09 PM ANS146 Small Business Administration, as it existed on January 1, 2025, except to 1 the extent that § 4-120-302(a) applies to a person described by this section. 2 (b) This chapter shall only apply to nonprofit organizations whose 3 annual receipts in any of the preceding five (5) calendar years exceeded 4 fifteen million dollars ($15,000,000). 5 (c) Notwithstanding subsections (a) and (b) of this section, an 6 employer who employs fifty (50) or more full -time equivalent employees and 7 uses a person’s data to train a high -risk artificial intelligence system, 8 including when a high -risk artificial intelligence system continues learning 9 based on the person’s data, § 4 -120-601 et seq. applies if the person: 10 (1) Uses a high-risk artificial intelligence system outside the 11 scope of the intended uses that are disclosed to the person; or 12 (2) Fails to make available to consumers any impact assessment 13 that a developer of a high -risk artificial intelligence system has completed 14 and provided to the deployer. 15 16 4-120-105. Exemptions. 17 Except as provided under § 4 -120-601 et seq., this chapter does not 18 apply to: 19 (1) A state agency or political subdivision of this state; 20 (2) A financial institution or data subject to Title V, Gramm -21 Leach-Bliley Act, Pub. L. No. 106 -102; 22 (3) A covered entity or business associate governed by the 23 privacy, security, and breach notification rules issued by the United States 24 Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, 25 established under the Health Insurance Portability and Accountability Act of 26 1996, 42 U.S.C. 
§ 1320d et seq., as it existed on January 1, 2025, and the 27 Health Information Technology for Economic and Clinical Health Act, Division 28 A, Title XIII, and Division B, Title IV, Pub. L. No. 111 -5; 29 (4) An institution of higher education; 30 (5) An electric utility governed by Arkansas Code Title 23, 31 Chapter 18; 32 (6) Protected health information under the Health Insurance 33 Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it 34 existed on January 1, 2025; 35 (7) Health records; 36 SB258 14 02/18/2025 3:16:09 PM ANS146 (8) Patient identifying information for purposes of 42 U.S.C. § 1 290dd-2; 2 (9) Identifiable private information: 3 (A) For purposes of the federal policy for the protection 4 of human subjects under 45 C.F.R. Part 46, as it existed on January 1, 2025; 5 (B) Collected as part of human subjects research under the 6 good clinical practice guidelines issued by the International Council for 7 Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or 8 of the protection of human subjects under 21 C.F.R. Parts 50 and 56, as it 9 existed on January 1, 2025; or 10 (C) That is personal data used or shared in research 11 conducted according to the requirements stated in this chapter or other 12 research conducted according to applicable law; 13 (10) Information and documents created for purposes of the 14 Health Care Quality Improvement Act of 1986, 42 U.S.C. § 11101 et seq., as it 15 existed on January 1, 2025; 16 (11) Patient safety work product for purposes of the Patient 17 Safety and Quality Improvement Act of 2005, 42 U.S.C. § 299b -21 et seq., as 18 it existed on January 1, 2025; 19 (12) Information derived from any of the healthcare -related 20 information listed in this section that is deidentified according to the 21 requirements for deidentification under the Health Insurance Portability and 22 Accountability Act of 1996, 42 U.S.C. 
§ 1320d et seq., as it existed on 23 January 1, 2025; 24 (13) Information originating from, intermingled to be 25 indistinguishable with, or information treated in the same manner as 26 information exempt under this section that is maintained by a covered entity 27 or business associate as defined by the Health Insurance Portability and 28 Accountability Act of 1996, 42 U.S.C. Section 1320d et seq., or by a program 29 or a qualified service organization as defined by 42 U.S.C. Section 290dd -2; 30 (14) Information that is included in a limited data set as 31 described by 45 C.F.R. Section 164.514(e), as it existed on January 1, 2025, 32 to the extent that the information is used, disclosed, and maintained in the 33 manner specified by 45 C.F.R. Section 164.514(e), as it existed on January 1, 34 2025; 35 (15) Information collected or used only for public health 36 SB258 15 02/18/2025 3:16:09 PM ANS146 activities and purposes as authorized by the Health Insurance Portability and 1 Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on 2 January 1, 2025; 3 (16) The collection, maintenance, disclosure, sale, 4 communication, or use of any personal information bearing on a consumer’s 5 creditworthiness, credit standing, credit capacity, character, general 6 reputation, personal characteristics, or mode of living by a consumer 7 reporting agency or furnisher that provides information for use in a consumer 8 report, and by a user of the consumer report, but only to the extent that the 9 activity is regulated by and authorized under the Fair Credit Reporting Act, 10 15 U.S.C. §§ 1681-1681t, as it existed on January 1, 2025; 11 (17) Personal data collected, processed, sold, or disclosed in 12 compliance with the Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721 13 et seq., as it existed on January 1, 2025; 14 (18) Personal data regulated by the Family Educational Rights 15 and Privacy Act of 1974, 20 U.S.C. 
§ 1232g, as it existed on January 1, 2025; 16 (19) Personal data collected, processed, sold, or disclosed in 17 compliance with the Farm Credit Act of 1971, 12 U.S.C. § 2001 et seq., as it 18 existed on January 1, 2025; 19 (20) Data processed or maintained in the course of an individual 20 applying to, being employed by, or acting as an agent or independent 21 contractor of a controller, processor, or third party, to the extent that the 22 data is collected and used within the context of that role, except as 23 specifically provided in § 4 -120-602; 24 (21) Data processed or maintained as the emergency contact 25 information of an individual under this chapter that is used only for 26 emergency contact purposes; 27 (22) Data that is processed or maintained and is necessary to 28 retain to administer benefits for another individual that relates to an 29 individual described in subdivision (20) of this section and used only for 30 the purposes of administering those benefits; or 31 (23) The processing of personal data by a person in the course 32 of a purely personal or household activity. 33 34 4-120-106. Construction of chapter — Exceptions. 
35 (a) This chapter shall not be construed: 36 SB258 16 02/18/2025 3:16:09 PM ANS146 (1) To restrict a controller’s or processor’s ability to: 1 (A) Comply with state laws or rules, or federal or local 2 laws, rules, or regulations; 3 (B) Comply with a civil, criminal, or regulatory inquiry, 4 investigation, subpoena, or summons by federal, state, local, or other 5 governmental authorities; 6 (C) Investigate, establish, exercise, prepare for, or 7 defend legal claims; 8 (D) Provide a product or service specifically requested by 9 a consumer or the parent or guardian of a child, perform a contract to which 10 the consumer is a party, including fulfilling the terms of a written 11 warranty, or take steps at the request of the consumer before entering into a 12 contract; 13 (E) Take immediate steps to protect an interest that is 14 essential for the life or physical safety of the consumer or of another 15 individual and in which the processing cannot be manifestly based on another 16 legal basis; 17 (F) Prevent, detect, protect against, or respond to 18 security incidents, identity theft, fraud, harassment, malicious or deceptive 19 activities, or any illegal activity; 20 (G) Preserve the integrity or security of systems and 21 investigate, report, or prosecute those responsible for breaches of system 22 security; 23 (H) Engage in public or peer -reviewed scientific or 24 statistical research in the public interest that adheres to all other 25 applicable ethics and privacy laws and is approved, monitored, and governed 26 by an institutional review board or similar independent oversight entity that 27 determines: 28 (i) If the deletion of the information is likely to 29 provide substantial benefits that do not exclusively accrue to the 30 controller; 31 (ii) Whether or not the expected benefits of the 32 research outweigh the privacy risks; and 33 (iii) If the controller has implemented reasonable 34 safeguards to mitigate privacy risks associated with research, 
including any risks associated with reidentification; or
    (I) Assist another controller, processor, or third party with any of the requirements under this section;
  (2) As imposing a requirement on controllers and processors that adversely affects the rights or freedoms of any person, including the right of free speech; or
  (3) As requiring a controller, processor, third party, or consumer to disclose a trade secret.
(b) If personal data is subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data, the requirements imposed on controllers and processors under this chapter may not restrict a controller’s or processor’s ability to collect, use, or retain data to:
  (1) Conduct internal research to develop, improve, or repair products, services, or technology;
  (2) Effect a product recall;
  (3) Identify and repair technical errors that impair existing or intended functionality; or
  (4) Perform internal operations that:
    (A) Are reasonably aligned with the expectations of the consumer;
    (B) Are reasonably anticipated based on the consumer’s existing relationship with the controller; or
    (C) Are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
(c) A controller or processor that processes personal data under an exemption in this subchapter bears the burden of demonstrating that the processing of the personal data:
  (1) Qualifies for the exemption; and
  (2) Complies with the requirements of § 4-120-306, § 4-120-405, and § 4-120-106(b).
(d) The processing of personal data by an entity for the purposes described by this chapter does not solely make the entity a controller with respect to the processing of the data.
(e) This chapter supersedes and preempts an ordinance, resolution, rule, or other regulation adopted by a political subdivision regarding the processing of personal data by a controller or processor.
(f) A controller or processor that complies with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq., as it existed on January 1, 2025, with respect to data collected online is considered to be in compliance with any requirement to obtain parental consent under this chapter.

4-120-107. Requirements for small businesses and nonprofit organizations.
(a) A person that is a small business as described by § 4-120-104(a)(3) or a nonprofit organized as described by § 4-120-104(b) shall not engage in the sale of personal data without receiving prior consent from the consumer.
(b) A person who violates this section is subject to the penalty under § 4-120-701 et seq.

Subchapter 2 — Consumer Rights

4-120-201. Consumer’s personal data rights — Request to exercise rights.
(a)(1) A consumer is entitled to exercise the consumer rights under this subchapter at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to exercise.
  (2) With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child may exercise the consumer rights on behalf of the child.
(b) A controller shall comply with an authenticated consumer request to exercise the right to:
  (1) Confirm whether a controller is processing the consumer’s personal data and to access the personal data;
  (2) Correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
  (3) Delete personal data provided by or obtained about the consumer;
  (4) If the data is available in a digital format, obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; or
  (5) Opt out of the processing of the personal data for the purpose of:
    (A) Targeted advertising;
    (B) The sale of personal data; or
    (C) Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.

4-120-202. Waiver or limitation of consumer rights prohibited.
A provision of a contract or agreement that waives or limits a consumer right described by §§ 4-120-201, 4-120-204, and 4-120-205 is contrary to public policy and is void.

4-120-203. Methods for submitting consumer requests.
(a)(1) A controller shall establish two (2) or more secure and reliable methods to enable consumers to submit a request to exercise their consumer rights under this chapter.
  (2) The methods shall take into account:
    (A) The ways in which consumers normally interact with the controller;
    (B) The necessity for secure and reliable communications of any request under subdivision (a)(1) of this section; and
    (C) The ability of the controller to authenticate the identity of the consumer making the request.
(b) A controller may not require a consumer to create a new account to exercise the consumer’s rights under this chapter but may require a consumer to use an existing account.
(c) Except as provided by subsection (d) of this section, if the controller maintains a website, the controller shall provide a mechanism on the website for consumers to submit requests for information required to be disclosed under this chapter.
(d) A controller that operates exclusively online and has a direct relationship with a consumer from whom the controller collects personal information is only required to provide an email address for the submission of requests described by subsection (c) of this section.
(e)(1) A consumer may designate:
    (A) Another person to serve as the consumer’s authorized agent and act on the consumer’s behalf to opt out of the processing of the consumer’s personal data under § 4-120-201(b)(5)(A) and (B); or
    (B) An authorized agent using a technology, including a link to a website, a browser setting or an extension, or a global setting on an electronic device, which allows the consumer to indicate the consumer’s intent to opt out of the processing of the consumer's personal data.
  (2) A controller shall comply with an opt-out request received from an authorized agent under this section if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.
  (3) A controller is not required to comply with an opt-out request received from an authorized agent under this subsection if:
    (A) The authorized agent does not communicate the request to the controller in a clear and unambiguous manner;
    (B) The controller is not able to verify, with commercially reasonable effort, that the consumer is a resident of this state;
    (C) The controller does not possess the ability to process the request; or
    (D) The controller does not process similar or identical requests the controller receives from consumers for the purpose of complying with similar or identical laws or regulations of another state.
(f) A technology described under subsection (e) of this section:
  (1) Shall not:
    (A) Unfairly disadvantage another controller; or
    (B) Make use of a default setting, but must require the consumer to consent and indicate the consumer’s intent to opt out of any processing of a consumer’s personal data; and
  (2) Shall be consumer-friendly and easy to use by the average consumer.

4-120-204. Controller response to consumer request.
(a) Except as otherwise provided by this chapter, a controller shall comply with a request submitted by a consumer to exercise the consumer’s rights under § 4-120-201 as provided by this section.
(b)(1) A controller shall respond to the consumer request without undue delay, which may not be later than the forty-fifth day after the date of receipt of the request.
  (2) The controller may extend the response period once by an additional forty-five (45) days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, so long as the controller informs the consumer of the extension within the initial forty-five-day response period, together with the reason for the extension.
(c) If a controller declines to take action regarding the consumer’s request, the controller shall inform the consumer without undue delay, which shall not be later than the forty-fifth day after the date of receipt of the request, of the justification for declining to take action and provide instructions on how to appeal the decision according to § 4-120-205.
(d)(1) A controller shall provide information in response to a consumer request free of charge, at least twice annually per consumer.
  (2)(A) If a request from a consumer is manifestly unfounded, excessive, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request.
    (B) The controller bears the burden of demonstrating for purposes of this subsection that a request is manifestly unfounded, excessive, or repetitive.
(e) If a controller is unable to authenticate the request using commercially reasonable efforts, the controller is not required to comply with a consumer request submitted under § 4-120-201 and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer’s request.
(f) A controller that has obtained personal data about a consumer from a source other than the consumer is considered in compliance with a consumer’s request to delete the consumer's personal data under § 4-120-201(b)(3) by:
  (1) Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the business’s records and not using the retained data for any other purpose under this chapter; or
  (2) Opting the consumer out of the processing of that personal data for any purpose other than a purpose that is exempt under the provisions of this chapter.

4-120-205. Appeal.
(a) A controller shall establish a process for a consumer to appeal the controller’s refusal to take action on the consumer's request under § 4-120-204(c).
(b) The appeal process must be conspicuously available and similar to the process for initiating action to exercise consumer rights by submitting a request under § 4-120-201.
(c) A controller shall inform the consumer in writing of any action taken or not taken in response to an appeal under this section not later than the sixtieth day after the date of receipt of the appeal, including a written explanation of the reason or reasons for the decision.
(d) If the controller denies an appeal, the controller shall provide the consumer with the contact information of the Attorney General to submit a complaint.

Subchapter 3 — Controller Responsibilities

4-120-301. Notice of privacy practices.
(a) A controller shall provide consumers with a reasonably accessible and clear privacy notice that includes:
  (1) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller;
  (2) The purpose for processing personal data;
  (3) How consumers may exercise their consumer rights under § 4-120-201 et seq., including the process by which a consumer may appeal a controller’s decision with regard to the consumer’s request;
  (4) If applicable, the categories of personal data that the controller shares with third parties;
  (5) If applicable, the categories of third parties with whom the controller shares personal data; and
  (6) A description of the methods required under § 4-120-201 through which consumers can submit requests to exercise their consumer rights under this chapter.
(b)(1) If a controller engages in the sale of personal data that is sensitive data, the controller shall include the following notice:
    "NOTICE: We may sell your sensitive personal data.".
  (2) The notice required under subdivision (b)(1) of this section shall be posted in the same location and in the same manner as the privacy notice described by subsection (a) of this section.
(c)(1) If a controller engages in the sale of personal data that is biometric data, the controller shall include the following notice:
    “NOTICE: We may sell your biometric personal data.”.
  (2) The notice required under subdivision (c)(1) of this section shall be posted in the same location and in the same manner as the privacy notice described by subsection (a) of this section.
(d)(1) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or process.
  (2) The controller shall provide the manner in which a consumer may exercise the right to opt out of the sale or process under subdivision (d)(1) of this section.

4-120-302. Lawful basis of processing.
(a) A person described under § 4-120-104 shall not engage in the sale of personal data that is sensitive data without receiving prior consent from the consumer.
(b) A person described under § 4-120-104 shall not otherwise process the personal information of a resident of this state without:
  (1) An identifiable, good faith, and legitimate interest in processing the personal data that is publicly disclosed to consumers in the notice required under § 4-120-301(a)(2) and not outweighed by the rights and freedoms of consumers;
  (2) The consent of the individual consumer;
  (3) A contract which requires the processing of personal data;
  (4) A legal obligation to process the personal data; or
  (5) An overriding necessity to process the personal data of a person for the limited purpose of protecting the person's vital interests.
(c) A person that is not a covered entity or business associate as defined by the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d et seq., as it existed on January 1, 2025, shall not collect or share any consumer health data except:
  (1) With consent from the consumer for cash collection for a specified purpose; or
  (2) To the extent necessary to provide a product or service that the consumer to whom the consumer health data relates has requested from the person.
(d) Consent required under subsection (c) of this section shall be obtained before the collection or sharing, as applicable, of any consumer health data, and the request for consent shall clearly and conspicuously disclose:
  (1) The categories of consumer health data collected or shared;
  (2) The purpose of the collection or sharing of the consumer health data, including the specific ways in which it will be used;
  (3) The categories of entities with whom the consumer health data is shared; and
  (4) How the consumer can withdraw consent from future collection or sharing of the consumer’s health data.
(e) A controller shall not process the sensitive data of a consumer without obtaining the consumer’s consent or, in the case of processing the sensitive data of a known child, without processing that data according to the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq., as it existed on January 1, 2025.

4-120-303. Dark patterns.
(a) A controller that collects personal information via a website, mobile application, or similar technology shall not utilize dark patterns in its user interfaces.
(b) A lawful basis for processing personal data described under § 4-120-302 obtained by use of a dark pattern is void.

4-120-304. Data minimization.
(a) A controller shall limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer.
(b) A controller in possession of deidentified data shall:
  (1) Take reasonable measures to ensure that the data cannot be associated with an individual;
  (2) Publicly commit to maintaining and using deidentified data without attempting to reidentify the data; and
  (3) Contractually obligate any recipient of the deidentified data to comply with this section.
(c) This section does not require a controller to:
  (1) Reidentify deidentified data or pseudonymous data;
  (2) Maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or
  (3) Comply with an authenticated consumer rights request under § 4-120-201, if the controller:
    (A) Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
    (B) Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same consumer; and
    (C) Does not sell the personal data to a third party or otherwise voluntarily disclose the personal data to a third party other than a processor, except as otherwise permitted by this section.
(d) A controller that discloses pseudonymous data or deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and shall take appropriate steps to address any breach of the contractual commitments.
(e) This section shall not be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer’s right to opt out under § 4-120-201 or the offer is related to a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

4-120-305. Data security.
A controller, for purposes of protecting the confidentiality, integrity, and accessibility of personal data, shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.

4-120-306. Purpose limitation.
Personal data processed by a controller under this chapter:
  (1) Shall not be processed for any purpose other than a purpose listed in this chapter unless otherwise allowed by this chapter;
  (2) May be processed to the extent that the processing of data is:
    (A) Reasonably necessary and proportionate to the purposes listed in this chapter; and
    (B) Adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this chapter; and
  (3) Except as otherwise provided by this subchapter, a controller shall not process personal data for a purpose that is neither reasonably necessary to nor compatible with the purpose for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.

4-120-307. Sale of data to third parties and processing data for targeted advertising — Disclosure.
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the process and the manner in which a consumer may exercise the right to opt out of that process.

4-120-308. Data protection assessments.
(a) A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:
  (1) The processing of personal data for purposes of targeted advertising;
  (2) The sale of personal data;
  (3) The processing of personal data for purposes of profiling if the profiling presents a reasonably foreseeable risk of:
    (A) Unfair or deceptive treatment of or unlawful disparate impact on consumers;
    (B) Financial, physical, or reputational injury to consumers;
    (C) A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of consumers, if the intrusion would be offensive to a reasonable person; or
    (D) Other substantial injury to consumers;
  (4) The processing of sensitive data; and
  (5) Any processing activities involving personal data that present a heightened risk of harm to consumers.
(b) A data protection assessment conducted under subsection (a) of this section shall:
  (1) Identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with that processing as mitigated by safeguards that can be employed by the controller to reduce the risks; and
  (2) Factor into the assessment:
    (A) The use of deidentified data;
    (B) The reasonable expectations of consumers;
    (C) The context of the processing; and
    (D) The relationship between the controller and the consumer whose personal data will be processed.
(c) A controller shall make a data protection assessment requested under § 4-120-701 et seq. available to the Attorney General under an Attorney General’s subpoena under § 25-16-705.
(d)(1) A data protection assessment is confidential and exempt from public inspection and copying under the Freedom of Information Act of 1967, § 25-19-101 et seq.
  (2) Disclosure of a data protection assessment in compliance with a request from the Attorney General does not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.
(e) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(f) A data protection assessment conducted by a controller for the purpose of compliance with other laws or regulations may constitute compliance with the requirements of this section if the assessment has a reasonably comparable scope and effect.

4-120-309. Pseudonymous data.
The consumer rights under § 4-120-201 and controller duties under this subchapter do not apply to pseudonymous data in cases in which the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

4-120-310. Miscellaneous prohibitions.
A controller shall not:
  (1) Process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers; or
  (2) Discriminate against a consumer for exercising any of the consumer rights contained in this chapter, including by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

Subchapter 4 — Processor Responsibilities

4-120-401. Compliance with contractual obligations.
(a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting or complying with the controller’s duties or requirements under this chapter, including without limitation:
  (1) Assisting the controller in responding to consumer rights requests submitted under § 4-120-201 by using appropriate technical and organizational measures, as reasonably practicable, taking into account the nature of processing and the information available to the processor;
  (2) Assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor’s system, taking into account the nature of processing and the information available to the processor; and
  (3) Providing necessary information to enable the controller to conduct and document data protection assessments under § 4-120-308.
(b)(1) A contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller.
  (2) The contract shall include:
    (A) Clear instructions for processing data;
    (B) The nature and purpose of processing;
    (C) The type of data subject to processing;
    (D) The duration of processing;
    (E) The rights and obligations of both parties; and
    (F) A requirement that the processor shall:
      (i) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
      (ii) At the controller’s direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
      (iii) Make available to the controller, on reasonable request, all information in the processor’s possession necessary to demonstrate the processor’s compliance with the requirements of this chapter;
      (iv) Allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; and
      (v) Engage a subcontractor under a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.
(c)(1) Notwithstanding the requirement described by subdivision (b)(2)(F) of this section, a processor, in the alternative, may arrange for a qualified and independent assessor to conduct an assessment of the processor’s policies and technical and organizational measures in support of the requirements under this chapter using an appropriate and accepted control standard or framework and assessment procedure.
  (2) The processor shall provide a report of the assessment to the controller on request.
(d) This section does not relieve a controller or a processor from the liabilities imposed on the controller or processor by virtue of its role in the processing relationship as described by this chapter.
(e)(1) A determination of whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends on the context in which personal data is to be processed.
  (2) A processor that continues to adhere to a controller’s instructions with respect to a specific processing of personal data remains in the role of a processor.

4-120-402. Notice of privacy practices.
A processor shall provide consumers with a reasonably accessible and clear privacy notice that includes:
  (1) The categories of personal data processed by the processor, including, if applicable, any sensitive data processed by the processor;
  (2) The purpose for processing personal data;
  (3) If applicable, the categories of personal data that the processor shares with third parties; and
  (4) If applicable, the categories of third parties with whom the processor shares personal data.

4-120-403. Data minimization at collection.
(a) A processor shall limit the collection of personal data from a controller to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer.
(b) A processor in possession of deidentified data shall:
  (1) Take reasonable measures to ensure that the data cannot be associated with an individual;
  (2) Publicly commit to maintaining and using deidentified data without attempting to reidentify the data; and
  (3) Contractually obligate any recipient of the deidentified data to comply with this chapter.
(c) This chapter does not require a processor to:
  (1) Reidentify deidentified data or pseudonymous data;
  (2) Maintain data in identifiable form or obtain, retain, or access any data or technology for the purpose of allowing the processor to associate a consumer request with personal data; or
  (3) Comply with an authenticated consumer rights request under § 4-120-201 et seq., if the processor:
    (A) Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the processor to associate the request with the personal data;
    (B) Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same consumer; and
    (C) Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by this section.
(d) The consumer rights under § 4-120-201 and processor duties under this subchapter do not apply to pseudonymous data in cases in which the processor is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.
(e) A processor that discloses pseudonymous data or deidentified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data is subject and shall take appropriate steps to address any breach of the contractual commitments.

4-120-404. Data security.
A processor, for purposes of protecting the confidentiality, integrity, and accessibility of personal data, shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.

4-120-405. Purpose limitation.
(a) Personal data processed by a processor under this chapter shall not be processed for any purpose other than a purpose listed in this chapter unless otherwise allowed by this chapter.
(b) Personal data under subsection (a) of this section processed by a processor under this subchapter may be processed to the extent that the processing of data is:
  (1) Reasonably necessary and proportionate to the purposes listed in this chapter; and
  (2) Adequate, relevant, and limited to what is necessary in relation to the purposes of this chapter.

4-120-406. Data retention.
(a) A processor shall follow the instructions of the controller in the retention and deletion of personal data.
(b) If the controller does not provide the processor instructions, a processor shall delete all personal data within ninety (90) days of ceasing processing the data for the controller unless law, statute, or regulation requires a longer retention period.

4-120-407. Assisting controllers in honoring data subject rights.
(a) If a controller gives a processor notice that the controller has received a consumer request regarding personal data processed by the processor for the controller, the processor shall follow the instructions of the controller in complying with the consumer’s request.
    (b) If a processor receives a request from a consumer regarding data received from a controller, the processor shall:
        (1) Notify the controller that it has received a consumer data rights request;
        (2) Notify the consumer that it has forwarded the request to the controller; and
        (3) Follow the instructions of the controller in complying with the consumer's request.

Subchapter 5 — Special Data Types

4-120-501. Biometrics.
    (a)(1) A person in possession of biometric data shall develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric data when the initial purpose for collecting or obtaining the biometric data has been satisfied or within three (3) years, whichever occurs first.
        (2) Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric data must comply with the private entity's established retention schedule and destruction guidelines.
    (b) A private entity shall not collect, capture, purchase, receive through trade, or otherwise obtain a person's or a consumer's biometric data, unless the private entity first:
        (1) Informs a consumer or the consumer's legally authorized representative in writing that biometric data is being collected or stored;
        (2) Informs a consumer or the consumer's legally authorized representative in writing of the specific purpose and length of term for which biometric data is being collected, stored, and used; and
        (3) Receives a written release executed by a consumer.
    (c) A person in possession of biometric data shall not:
        (1) Sell, lease, trade, or otherwise profit from a person's or a consumer's biometric data; or
        (2) Disclose, redisclose, or otherwise disseminate a person's or a consumer's biometric data unless:
            (A) The subject of the biometric data or the subject's legally authorized representative consents to the disclosure, redisclosure, or dissemination;
            (B) The disclosure, redisclosure, or dissemination completes a financial transaction requested or authorized by the subject of the biometric data or the subject's legally authorized representative;
            (C) The disclosure, redisclosure, or dissemination is required by state or federal law or an ordinance by a local government; or
            (D) The disclosure is required under a valid warrant or subpoena issued by a court of competent jurisdiction.

Subchapter 6 — Responsible Artificial Intelligence

4-120-601. Developer duties.
    (a) A developer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended and contracted uses of the high-risk artificial intelligence system.
    (b) A developer of a high-risk artificial intelligence system shall make available to the deployer, another developer of the high-risk artificial intelligence system, or the Attorney General upon the Attorney General's request subject to a civil investigative demand:
        (1) A general statement describing the reasonably foreseeable uses and known harmful or inappropriate uses of the high-risk artificial intelligence system;
        (2) Documentation disclosing:
            (A) High-level summaries of the type of data used to train the high-risk artificial intelligence system;
            (B) Known or reasonably foreseeable limitations of the high-risk artificial intelligence system, including known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system;
            (C) The purpose of the high-risk artificial intelligence system;
            (D) The intended benefits and uses of the high-risk artificial intelligence system; and
            (E) All other information necessary to allow the deployer to complete an impact assessment under § 4-120-603;
        (3) Documentation describing:
            (A) The method by which the high-risk artificial intelligence system was evaluated for performance and mitigation of algorithmic discrimination before the high-risk artificial intelligence system was offered, sold, leased, licensed, given, or otherwise made available to the deployer;
            (B) The data governance measures used to cover the training datasets and the measures used to examine the suitability of data sources, possible biases, and appropriate mitigation;
            (C) The intended outputs of the high-risk artificial intelligence system;
            (D) The measures the developer has taken to mitigate known or reasonably foreseeable risks of algorithmic discrimination that may arise from the reasonably foreseeable deployment of the high-risk artificial intelligence system; and
            (E) The method by which the high-risk artificial intelligence system should be used, should not be used, and be monitored by an individual when the high-risk artificial intelligence system is used to make, or is a substantial factor in making, a decision that produces a legal or similarly significant effect concerning a consumer; and
        (4) Any additional documentation that is reasonably necessary to assist the deployer in understanding the outputs and monitor the performance of the high-risk artificial intelligence system for risks of algorithmic discrimination.
    (c) Except as provided in subsection (g) of this section, a developer that offers, sells, leases, licenses, gives, or otherwise makes available to a deployer or other developer a high-risk artificial intelligence system shall make available to the deployer or other developer, to the extent feasible, the documentation and information, through artifacts such as model cards, dataset cards, or other impact assessments, necessary for a deployer, or for a third party contracted by a deployer, to complete an impact assessment under § 4-120-603.
    (d) A developer shall make available, in a manner that is clear and readily available on the developer's website or in a public use case inventory, a statement summarizing:
        (1) The types of high-risk artificial intelligence systems that the developer has developed or intentionally and substantially modified and currently makes available to a deployer or other developer; and
        (2) How the developer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the development or intentional and substantial modification of the types of high-risk artificial intelligence systems described according to subsection (d)(1) of this section.
    (e) A developer shall update the statement described in subsection (d) of this section:
        (1) As necessary to ensure that the statement remains accurate; and
        (2) No later than ninety (90) days after the developer intentionally and substantially modifies any high-risk artificial intelligence system described in subdivision (d)(1) of this section.
    (f) A developer of a high-risk artificial intelligence system shall disclose to the Attorney General and to all known deployers or other developers of the high-risk artificial intelligence system any known or reasonably foreseeable risks of algorithmic discrimination arising from the intended uses of the high-risk artificial intelligence system without unreasonable delay but no later than ninety (90) days after the date on which:
        (1) The developer discovers through the developer's ongoing testing and analysis that the developer's high-risk artificial intelligence system has been deployed and has caused or is reasonably likely to have caused algorithmic discrimination; or
        (2) The developer receives from a deployer a credible report that the high-risk artificial intelligence system has been deployed and has caused algorithmic discrimination.
    (g)(1) This section shall not require a developer to disclose a trade secret, information protected from disclosure by state or federal law, or information that would create a security risk to the developer, except to the Attorney General.
        (2) In a disclosure to the Attorney General, the developer may designate the statement or documentation as including proprietary information or a trade secret.

4-120-602. Deployer duties.
    (a)(1) A deployer of a high-risk artificial intelligence system shall use reasonable care to protect consumers from any known or reasonably foreseeable risks of algorithmic discrimination.
        (2) In any enforcement action brought by the Attorney General under § 4-120-701 et seq., there is a rebuttable presumption that a deployer of a high-risk artificial intelligence system used reasonable care as required under this section if the deployer complied with this section.
    (b)(1) A deployer of high-risk artificial intelligence systems shall implement a risk management policy and program to govern the deployer's deployment of one (1) or more high-risk artificial intelligence systems.
        (2) The risk management policy and program shall specify and incorporate principles, processes, and personnel that the deployer uses to identify, document, and mitigate known or reasonably foreseeable risks of algorithmic discrimination.
        (3) The risk management policy and program shall be an iterative process planned, implemented, and regularly and systematically reviewed and updated over the lifecycle of a high-risk artificial intelligence system, requiring regular, systematic review and updates.
        (4) A risk management policy and program implemented and maintained under subdivision (b)(1) of this section shall be reasonable considering:
            (A) The guidance and standards stated in the latest version of the Artificial Intelligence Risk Management Framework published by the National Institute of Standards and Technology of the United States Department of Commerce, Standard ISO/IEC 42001 of the International Organization for Standardization, or another nationally or internationally recognized risk management framework for artificial intelligence systems, if the standards are substantially equivalent to or more stringent than the requirements of this subchapter;
            (B) The size and complexity of the deployer;
            (C) The nature and scope of the high-risk artificial intelligence systems deployed by the deployer, including the intended uses of the high-risk artificial intelligence systems; and
            (D) The sensitivity and volume of data processed in connection with the high-risk artificial intelligence systems deployed by the deployer.
    (c) A deployer or other developer that deploys, offers, sells, leases, licenses, gives, or otherwise makes available an artificial intelligence system that is intended to interact with consumers shall ensure the disclosure to each consumer who interacts with the artificial intelligence system that the consumer is interacting with an artificial intelligence system, unless under the circumstances it would be obvious to a reasonable person that the person is interacting with an artificial intelligence system.
    (d) If a deployer deploys a high-risk artificial intelligence system and subsequently discovers that the high-risk artificial intelligence system has caused algorithmic discrimination, the deployer, without unreasonable delay, but no later than ninety (90) days after the date of the discovery, shall send to the Attorney General a notice disclosing the discovery.

4-120-603. Artificial intelligence impact assessments.
    (a) Except as provided in subsections (d) and (e) of this section:
        (1) A deployer, or a third party contracted by the deployer, that deploys a high-risk artificial intelligence system shall complete an impact assessment for the high-risk artificial intelligence system; and
        (2) A deployer, or a third party contracted by the deployer, shall complete an impact assessment for a deployed high-risk artificial intelligence system at least annually and within ninety (90) days after any intentional and substantial modification to the high-risk artificial intelligence system is made available.
    (b) An impact assessment completed under this subsection shall include, at a minimum, and to the extent reasonably known by or available to the deployer:
        (1) A statement by the deployer disclosing the purpose, intended use cases, deployment context of, and benefits afforded by the high-risk artificial intelligence system;
        (2) An analysis of whether the deployment of the high-risk artificial intelligence system poses any known or reasonably foreseeable risks of algorithmic discrimination and, if so, the nature of the algorithmic discrimination and the steps that have been taken to mitigate the risks;
        (3) A description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs the high-risk artificial intelligence system produces;
        (4) If the deployer used data to customize the high-risk artificial intelligence system, an overview of the categories of data the deployer used to customize the high-risk artificial intelligence system;
        (5) Any metrics used to evaluate the performance and known limitations of the high-risk artificial intelligence system;
        (6) A description of any transparency measures taken concerning the high-risk artificial intelligence system, including any measures taken to disclose to a consumer that the high-risk artificial intelligence system is in use when the high-risk artificial intelligence system is in use; and
        (7) A description of the post-deployment monitoring and user safeguards provided concerning the high-risk artificial intelligence system, including the oversight, use, and learning process established by the deployer to address issues arising from the deployment of the high-risk artificial intelligence system.
    (c) In addition to the information required under subsection (b) of this section, an impact assessment completed under this section following an intentional and substantial modification to a high-risk artificial intelligence system must include a statement disclosing the extent to which the high-risk artificial intelligence system was used in a manner that was consistent with, or varied from, the developer's intended uses of the high-risk artificial intelligence system.
    (d) A single impact assessment may address a comparable set of high-risk artificial intelligence systems deployed by a deployer.
    (e) If a deployer or a third party contracted by the deployer completes an impact assessment for the purpose of complying with another applicable law or regulation, the impact assessment satisfies the requirements established in this section if the impact assessment is reasonably similar in scope and effect to the impact assessment that would otherwise be completed under this section.
    (f) A deployer shall maintain the most recently completed impact assessment for a high-risk artificial intelligence system as required under this section, all records concerning each impact assessment, and all prior impact assessments, if any, for at least three (3) years following the final deployment of the high-risk artificial intelligence system.
    (g) On the effective date of this chapter, and at least annually thereafter, a deployer, or a third party contracted by the deployer, shall review the deployment of each high-risk artificial intelligence system deployed by the deployer to ensure that the high-risk artificial intelligence system is not causing algorithmic discrimination.

4-120-604. Consumer rights.
    Deployers of high-risk artificial intelligence systems shall provide consumers:
        (1) Notice that the deployer has deployed a high-risk artificial intelligence system to make, or be a substantial factor in making, a decision that produces a legal or similarly significant effect concerning the consumer;
        (2) A statement disclosing the purpose of the high-risk artificial intelligence system, the nature of the decision that produces a legal or similarly significant effect concerning the consumer, the contact information for the deployer, a description in plain language of the high-risk artificial intelligence system, and instructions on how to access the statement required by subdivision (8) of this section;
        (3) The right to opt out of the processing of personal data concerning the consumer for purposes of profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer;
        (4) If a high-risk artificial intelligence system makes an adverse decision that produces a legal or similarly significant effect concerning the consumer, a statement disclosing the principal reason or reasons for the adverse decision, including without limitation:
            (A) The degree to which, and manner in which, the high-risk artificial intelligence system contributed to the decision;
            (B) The type of data that was processed by the high-risk artificial intelligence system in making the decision; and
            (C) The source or sources of the data described in subdivision (4)(B) of this section;
        (5) An opportunity to correct any incorrect personal data that the high-risk artificial intelligence system processed in making, or as a substantial factor in making, the decision;
        (6) An opportunity to appeal the adverse decision concerning the consumer arising from the deployment of the high-risk artificial intelligence system, which allows for human review if technically feasible unless providing the opportunity for appeal is not in the best interests of the consumer, including in instances in which any delay might pose a risk to the life or safety of the consumer;
        (7) Notices, statements, and documents required by this subchapter directly to the consumer in plain language and in a format that is accessible to consumers with disabilities consistent with the requirements of the Americans with Disabilities Act of 1990, 42 U.S.C. § 12101 et seq., as it existed on January 1, 2025; and
        (8) A statement on the deployer's website that is clear, readily available, and periodically updated that summarizes:
            (A) The types of high-risk artificial intelligence systems that are currently deployed by the deployer;
            (B) How the deployer manages known or reasonably foreseeable risks of algorithmic discrimination that may arise from the deployment of each high-risk artificial intelligence system described pursuant to this subdivision; and
            (C) In detail, the nature, source, and extent of the information collected and used by the deployer.

Subchapter 7 — Enforcement

4-120-701. Attorney General.
    The Attorney General has exclusive authority to enforce this chapter.

4-120-702. Procedures.
    The Attorney General shall post on the Attorney General's website:
        (1) Information relating to:
            (A) The responsibilities of a controller under this chapter;
            (B) The responsibilities of a processor under this chapter;
            (C) The responsibilities of a deployer and developer of a high-risk artificial intelligence system; and
            (D) A consumer's rights under this chapter; and
        (2) An online mechanism through which a consumer may submit a complaint under this chapter to the Attorney General.

4-120-703. Remedies.
    (a)(1) If the Attorney General has reasonable cause to believe that a person has engaged in or is engaging in a violation of this chapter, the Attorney General may issue an Attorney General's subpoena.
        (2) The procedures established for the issuance of an Attorney General's subpoena under § 25-16-705 apply to the same extent and manner to the issuance of an Attorney General's subpoena under this section.
    (b)(1) The Attorney General may request, under an Attorney General's subpoena issued under subdivision (a)(1) of this section, that a person governed by this chapter disclose any data protection assessment or artificial intelligence impact assessment that is relevant to an investigation conducted by the Attorney General.
        (2) The Attorney General may evaluate the data protection assessment for compliance with the requirements under § 4-120-308 or the artificial intelligence impact assessment for compliance with the requirements under § 4-120-603.
    (c) A violation of this chapter is an unfair and deceptive act or practice, as defined by the Deceptive Trade Practices Act, § 4-88-101 et seq.
    (d) All remedies, penalties, and authority granted to the Attorney General under the Deceptive Trade Practices Act, § 4-88-101 et seq., shall be available to the Attorney General for the enforcement of this chapter.

4-120-704. Private right of action.
    This chapter does not provide a basis for, or be subject to, a private right of action for a violation of this chapter or any other law.

Section 2. DO NOT CODIFY. Effective date.
    (a) Sections 4-120-101 et seq. through 4-120-401 et seq. are effective on January 1, 2026.
    (b) Section 4-120-601 et seq. is effective on July 1, 2026.
    (c)(1) To the extent § 4-120-701 et seq. applies to the enforcement of § 4-120-101 et seq. through § 4-120-401 et seq., it is effective on April 1, 2026.
        (2) To the extent § 4-120-701 et seq. applies to the enforcement of § 4-120-601 et seq., it is effective on October 1, 2026.