General Assembly
Raised Bill No. 1108
January Session, 2019
LCO No. 6348

Referred to Committee on GOVERNMENT ADMINISTRATION AND ELECTIONS

Introduced by: (GAE)

AN ACT CONCERNING CONSUMER PRIVACY.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective January 1, 2020) As used in this section and sections 2 to 18, inclusive, of this act:

(1) "Aggregate consumer information" means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. "Aggregate consumer information" does not mean one or more individual consumer records that have been deidentified.

(2) "Biometric information" means an individual's physiological, biological or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. "Biometric information" includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns and voice recordings, from which an identifier template, such as a faceprint, a minutiae template or a voiceprint, can be extracted; and keystroke patterns or rhythms, gait patterns or rhythms; and sleep, health or exercise data that contain identifying information.

(3) "Business" means:

(A) A sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in this state, and that satisfies one or more of the following thresholds:

(i) Has annual gross revenues in excess of twenty-five million dollars, as adjusted pursuant to subsection (a) of section 15 of this act,

(ii) Alone or in combination, annually buys, receives for the business' commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of fifty thousand or more consumers, households or devices, or

(iii) Derives fifty per cent or more of its annual revenues from selling consumers' personal information; and

(B) Any entity that controls or is controlled by a business and that shares common branding with the business. "Control" or "controlled" means (i) ownership of, or the power to vote, more than fifty per cent of the outstanding shares of any class of voting security of a business; (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or (iii) the power to exercise a controlling influence over the management of a company. "Common branding" means a shared name, servicemark or trademark.

(4) "Business purpose" means the use of personal information for the business' or a service provider's operational purposes, or other notified purposes, provided the use of personal information is reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. "Business purposes" include:

(A) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this specification and other standards;

(B) Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity and prosecuting those responsible for that activity;

(C) Debugging to identify and repair errors that impair existing intended functionality;

(D) Short-term, transient use, provided the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction;

(E) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services or providing similar services on behalf of the business or service provider;

(F) Undertaking internal research for technological development and demonstration; and

(G) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for or controlled by the business, and to improve, upgrade or enhance the service or device that is owned, manufactured, manufactured for or controlled by the business.

(5) "Collects" or "collection" means buying, renting, gathering, obtaining, receiving or accessing any personal information pertaining to a consumer by any means, including, but not limited to, receiving information from the consumer, either actively or passively, or by observing the consumer's behavior.

(6) "Commercial purposes" means to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide or exchange products, goods, property, information or services, or enabling or effecting, directly or indirectly, a commercial transaction. "Commercial purposes" does not include engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.

(7) "Consumer" means a natural person who is a resident of this state.

(8) "De-identified information" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided a business that uses de-identified information:

(A) Has implemented technical safeguards that prohibit re-identification of the consumer to whom the information may pertain.

(B) Has implemented business processes that specifically prohibit re-identification of the information.

(C) Has implemented business processes to prevent inadvertent release of de-identified information.

(D) Makes no attempt to re-identify the information.

(9) "Designated methods for submitting requests" means a mailing address, email address, Internet web page, Internet web portal, toll-free telephone number or other applicable contact information, whereby consumers may submit a request or direction under sections 1 to 18, inclusive, of this act, and any new, consumer-friendly means of contacting a business, as approved by the Commissioner of Consumer Protection pursuant to section 15 of this act.

(10) "Device" means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.

(11) "Health insurance information" means a consumer's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer's application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.

(12) "Homepage" means the introductory page of an Internet web site and any Internet web page where personal information is collected. In the case of an online service, such as a mobile application, "homepage" means the application's platform page or download page, a link within the application or settings page, and any other location that allows consumers to review the notice required by subdivision (a) of section 15 of this act, including, but not limited to, before downloading the application.

(13) "Infer" or "inference" means the derivation of information, data, assumptions or conclusions from facts, evidence or another source of information or data.

(14) "Person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee and any other organization or group of persons acting in concert.

(15) (A) "Personal information" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. "Personal information" includes, but is not limited to, the following:

(i) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet protocol address, email address, account name, Social Security number, driver's license number, passport number or other similar identifiers.

(ii) Characteristics of protected classifications under state or federal law.

(iii) Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.

(iv) Biometric information.

(v) Internet or other electronic network activity information, including, but not limited to, browsing history, search history and information regarding a consumer's interaction with an Internet web site, application or advertisement.

(vi) Geolocation data.

(vii) Audio, electronic, visual, thermal, olfactory or similar information.

(viii) Professional or employment-related information.

(ix) Education information, defined as information that is not publicly available, personally identifiable information, as defined in the Family Educational Rights and Privacy Act, 20 USC 1232g, as amended from time to time.

(x) Inferences drawn from any of the information identified in this subparagraph to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

(B) "Personal information" does not include publicly available information. As used in this subparagraph, "publicly available" means information that is lawfully made available from federal, state or local government records. "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge. Information is not "publicly available" if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. "Publicly available" does not include consumer information that is de-identified or aggregate consumer information.

(16) "Probabilistic identifier" means the identification of a consumer or a device to a degree of certainty of more probable than not, based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.

(17) "Processing" means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.

(18) "Pseudonymization" means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.

(19) "Research" means scientific, systematic study and observation, including, but not limited to, basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer's interactions with a business' service or device for other purposes shall be:

(A) Compatible with the business purpose for which the personal information was collected.

(B) Subsequently pseudonymized and de-identified, or de-identified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.

(C) Made subject to technical safeguards that prohibit re-identification of the consumer to whom the information may pertain.

(D) Subject to business processes that specifically prohibit re-identification of the information.

(E) Made subject to business processes to prevent inadvertent release of de-identified information.

(F) Protected from any re-identification attempts.

(G) Used solely for research purposes that are compatible with the context in which the personal information was collected.

(H) Not be used for any commercial purpose.

(I) Subjected by the business conducting the research to additional security controls, limiting access to the research data to only those individuals in a business as are necessary to carry out the research purpose.

(20) "Sell" or "sale"

(A) (i) Means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.

(ii) Includes the business transfers to a third party of personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the business, provided information is used or shared consistently with sections 4 and 6 of this act. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent to ensure that existing consumers can easily exercise their choices consistently with section 7 of this act. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate chapter 735a of the general statutes.

(B) For purposes of sections 1 to 18, inclusive, of this act, a business does not sell personal information when:

(i) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless such disclosure would be consistent with the provisions of sections 1 to 18, inclusive, of this act. An intentional interaction occurs when the consumer intends to interact with the third party via one or more deliberate interactions. Hovering over, muting, pausing or closing a given piece of content does not constitute a consumer's intent to interact with a third party.

(ii) The business uses or shares an identifier for a consumer, who has opted out of the sale of the consumer's personal information, for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.

(iii) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose, provided the service provider also does not sell the personal information.

(iv) The business has provided notice that information being used or shared in its terms and conditions are consistent with section 9 of this act.

(v) The service provider does not further collect, sell or use the personal information of the consumer, except as necessary to perform the business purpose.

(21) "Service" or "services" means work, labor and services, including services furnished in connection with the sale or repair of goods.

(22) "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided the contract prohibits the entity receiving the information from retaining, using or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by sections 1 to 18, inclusive, of this act, including retaining, using or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

(23) "Third party" means a person who is not any of the following:

(A) The business that collects personal information from consumers under sections 1 to 18, inclusive, of this act.

(B) A person to whom the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided the contract:

(i) Prohibits the person receiving the personal information from:

(I) Selling the personal information.

(II) Retaining, using or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.

(III) Retaining, using or disclosing the information outside of the direct business relationship between the person and the business.

(ii) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (B)(i) of this subdivision and will comply with them.

(24) "Unique identifier" or "unique personal identifier" means a consistent identifier that can be used to recognize a consumer, a family or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, (A) a device identifier; (B) an Internet protocol address; (C) cookies, beacons, pixel tags, mobile ad identifiers or similar technology; (D) customer number, unique pseudonym or user alias; (E) telephone numbers; or (F) other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, "family" means a custodial parent or guardian and any minor children over which the parent or guardian has custody.

(25) "Verifiable consumer request" means a request that is made by a (A) consumer, (B) consumer on behalf of the consumer's minor child, or (C) natural person or a person registered with the Secretary of the State, authorized by the consumer to act on the consumer's behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Commissioner of Consumer Protection pursuant to section 15 of this act, to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to sections 4 and 6 of this act if the business cannot verify, pursuant this subdivision and such regulations, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer's behalf.

Sec. 2. (NEW) (Effective January 1, 2020) (a) A consumer has the right to request that a business that collects a consumer's personal information disclose to such consumer the categories and specific pieces of personal information the business has collected.

(b) A business that collects a consumer's personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

(c) A business shall provide the information specified in subsection (a) of this section to a consumer only upon receipt of a verifiable consumer request.

(d) A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and, if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a twelve-month period.

Sec. 3. (NEW) (Effective January 1, 2020) (a) A consumer has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

(b) A business that collects personal information about consumers shall disclose, pursuant to subsection (a) of section 9 of this act, the consumer's right to request the deletion of the consumer's personal information.

(c) A business that receives a verifiable request from a consumer to delete the consumer's personal information pursuant to subsection (a) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records.

(d) A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to:

(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer or reasonably anticipated within the context of a business ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;

(2) Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity or prosecute those responsible for such activity;

(3) Debug to identify and repair errors that impair existing intended functionality;

(4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;

(5) Engage in public or peer-reviewed scientific, historical or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses' deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;

(6) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business;

(7) Comply with a legal obligation; or

(8) Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

Sec. 4. (NEW) (Effective January 1, 2020) (a) A consumer has the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

(1) The categories of personal information it has collected about that consumer;

(2) The categories of sources from which the personal information is collected;

(3) The business or commercial purpose for collecting or selling personal information;

(4) The categories of third parties with whom the business shares personal information; and

(5) The specific pieces of personal information it has collected about that consumer.

(b) A business that collects personal information about a consumer shall disclose to the consumer the information specified in subsection (a) of this section upon receipt of a verifiable request from the consumer.

(c) In complying with this section, a business shall:

(1) Identify the consumer, associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer.

(2) Identify by category or categories the personal information collected about the consumer in the preceding twelve months by reference to the enumerated category or categories of personal information that most closely describes the personal information collected.

Sec. 5. (NEW) (Effective January 1, 2020) Sections 2 and 3 of this act shall not be construed to require a business to do the following:

(1) Retain any personal information about a consumer collected for a single, one-time transaction if, in the ordinary course of business, that information about the consumer is not retained; or

(2) Re-identify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

Sec. 6. (NEW) (Effective January 1, 2020) (a) A consumer shall have the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer:

(1) The categories of personal information that the business collected about the consumer.

(2) The categories of personal information about the consumer that the business sold and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.

(3) The categories of personal information about the consumer that the business disclosed for a business purpose.

(b) A business that sells personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, pursuant to section 9 of this act, the information specified in subsection (a) of this section to the consumer upon receipt of a verifiable request from the consumer.

(c) A business that sells consumers' personal information, or that discloses consumers' personal information for a business purpose, shall disclose, pursuant to section 9 of this act:

(1) The category or categories of consumers' personal information it has sold, if applicable, or, if the business has not sold consumers' personal information, a statement to such effect.

(2) The category or categories of consumers' personal information it has disclosed for a business purpose, if applicable, or, if the business has not disclosed the consumers' personal information for a business purpose, a statement to such effect.

(d) In complying with the provisions of this section, a business shall:

(1) Identify the consumer and associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer.

(2) Identify by category or categories the personal information of the consumer that the business sold in the preceding twelve months by reference to the enumerated category in the definition of personal information that most closely describes the personal information, and provide the categories of third parties to whom the consumer's personal information was sold in the preceding twelve months by reference to such enumerated categories that most closely describes the personal information sold. The business shall disclose the information in a list that is separate from a list generated for the purposes of subdivision (1) of this subsection.

(3) Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding twelve months by reference to the enumerated category or categories of personal information that most closely describes the personal information, and provide the categories of third parties to whom the consumer's personal information was disclosed for a business purpose in the preceding twelve months by reference to the enumerated category or categories that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subdivision (2) of this subsection.

(e) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out pursuant to section 7 of this act.

Sec. 7. (NEW) (Effective January 1, 2020) (a) A consumer has the right, at any time, to opt out or direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information.

(b) A business that sells consumers' personal information to third parties shall provide notice to consumers, pursuant to subsection (a) of section 10 of this act, that this information may be sold and that consumers have the right to opt out of the sale of their personal information.

(c) A business that has received direction from a consumer not to sell the consumer's personal information or, in the case of a minor consumer's personal information, has not received consent to sell the minor consumer's personal information, shall be prohibited, pursuant to subdivision (4) of subsection (a) of section 10 of this act, from selling the consumer's personal information after its receipt of the consumer's direction, unless the consumer subsequently provides express authorization for the sale of the consumer's personal information.

(d) A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than sixteen years of age, unless the consumer, in the case of consumers between thirteen and sixteen years of age, or the consumer's parent or guardian, in the case of consumers who are less than thirteen years of age, has affirmatively authorized the sale of the consumer's personal information. A business that wilfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.

Sec. 8. (NEW) (Effective January 1, 2020) (a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under sections 1 to 18, inclusive, of this act, including, but not limited to:

(A) Denying goods or services to the consumer.

(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.

(C) Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer's rights under sections 1 to 18, inclusive, of this act.

(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.
(2) Nothing in this subsection prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.

(b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information or the deletion of personal information. A business may also offer a different price, rate, level or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer's data.

(2) A business that offers any financial incentives pursuant to subsection (a) of this section shall notify consumers of the financial incentives pursuant to section 9 of this act.

(3) A business may enter a consumer into a financial incentive program only if (A) the consumer gives the business prior consent pursuant to section 9 of this act, (B) the business clearly describes the material terms of the financial incentive program, and (C) the consumer may revoke the financial incentive program at any time.

(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive or usurious in nature.

Sec. 9. (NEW) (Effective January 1, 2020) (a) In order to comply with sections 2 to 4, inclusive, 6 and 8, of this act, in a form that is reasonably accessible to consumers, a business shall:

(1) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to sections 4 and 6 of this act, including, at a minimum, a toll-free telephone number, and, if the business maintains an Internet web site, an Internet web site address.

(2) Disclose and deliver the required information to a consumer free of charge not later than forty-five days after receiving a verifiable request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable request, but this shall not extend the business' duty to disclose and deliver the information within forty-five days of receipt of the consumer's request. The time period to provide the required information may be extended once by an additional forty-five days when reasonably necessary, provided the consumer is provided notice of the extension within the first forty-five-day period. The disclosure shall cover the twelve-month period preceding the business' receipt of the verifiable request and shall be made in writing and delivered through the consumer's account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer's option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business shall not require the consumer to create an account with the business in order to make a verifiable request.
(3) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any state-specific description of consumers' privacy rights, or, if the business does not maintain those policies, on its Internet web site, and update that information at least once every twelve months:

(A) A description of a consumer's rights pursuant to sections 4, 6 and 8 of this act and one or more designated methods for submitting requests.

(B) For purposes of subsection (b) of section 4 of this act, a list of the categories of personal information it has collected about consumers in the preceding twelve months by reference to the category or categories enumerated in subsection (a) of section 4 of this act that most closely describe the personal information collected.

(C) For purposes of subsection (c) of section 6 of this act, two separate lists:

(i) A list of the categories of personal information it has sold about consumers in the preceding twelve months by reference to the category or categories enumerated in subsection (c) of section 6 of this act that most closely describe the personal information sold, if applicable, or, if the business has not sold consumers' personal information in the preceding twelve months, a statement to such effect.

(ii) A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding twelve months by reference to the category enumerated in subsection (c) of section 6 of this act that most closely describe the personal information disclosed, if applicable, or, if the business has not disclosed consumers' personal information for a business purpose in the preceding twelve months, a statement to such effect.
(4) Ensure that all individuals responsible for handling consumer inquiries about the business' privacy practices or the business' compliance with sections 1 to 18, inclusive, of this act are informed of all requirements in this section and sections 4, 6 and 8 of this act, and how to direct consumers to exercise their rights under those sections.

(5) Use any personal information collected from the consumer in connection with the business' verification of the consumer's request solely for the purposes of verification.

(b) A business is not obligated to provide the information required by sections 4 and 6 of this act to the same consumer more than twice in a twelve-month period.

(c) The categories of personal information required to be disclosed pursuant to sections 4 and 6 of this act shall follow the definition of personal information.

Sec. 10. (NEW) (Effective January 1, 2020) (a) A business that is required to comply with section 7 of this act shall, in a form that is reasonably accessible to consumers:

(1) Provide a clear and conspicuous link on the business' Internet homepage, titled "Do Not Sell My Personal Information", to an Internet web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer's personal information.

(2) Include a description of a consumer's rights pursuant to section 7 of this act, along with a separate link to the "Do Not Sell My Personal Information" Internet web page in:

(A) Its online privacy policy or policies if the business has an online privacy policy or policies; and

(B) Any Connecticut-specific description of consumers' privacy rights.
(3) Ensure that all individuals responsible for handling consumer inquiries about the business' privacy practices or the business' compliance with sections 1 to 18, inclusive, of this act are informed of all requirements in this section and section 7 of this act and how to direct consumers to exercise their rights under those sections.

(4) For consumers who exercise their right to opt out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer.

(5) For a consumer who has opted out of the sale of the consumer's personal information, respect the consumer's decision to opt out for at least twelve months before requesting that the consumer authorize the sale of the consumer's personal information.

(6) Use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of complying with the opt-out request.

(b) Nothing in sections 1 to 18, inclusive, of this act shall be construed to require a business to comply by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to consumers in this state and that includes the required links and text, and the business takes reasonable steps to ensure that consumers in this state are directed to the homepage for consumers in this state and not the homepage made available to the public generally.
(c) A consumer may authorize another person solely to opt out of the sale of the consumer's personal information on the consumer's behalf, and a business shall comply with an opt out request received from a person authorized by the consumer to act on the consumer's behalf, pursuant to regulations adopted by the Department of Consumer Protection under section 15 of this act.

Sec. 11. (NEW) (Effective January 1, 2020) (a) The obligations imposed on businesses by sections 1 to 18, inclusive, of this act shall not restrict a business' ability to:

(1) Comply with federal, state or local laws.

(2) Comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state or local authorities.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider or third party reasonably and in good faith believes may violate federal, state or local law.

(4) Exercise or defend legal claims.

(5) Collect, use, retain, sell or disclose consumer information that is de-identified or in the aggregate consumer information.

(6) Collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of the state. For purposes of sections 1 to 18, inclusive, of this act, commercial conduct takes place wholly outside of the state if the business collected that information while the consumer was outside of the state, no part of the sale of the consumer's personal information occurred in the state and no personal information was collected while the consumer was in the state is sold.
This subdivision shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in the state and then collecting that personal information when the consumer and stored personal information is outside of the state.

(b) The obligations imposed on businesses by sections 1 to 18, inclusive, of this act shall not apply where compliance by the business would violate an evidentiary privilege under state law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under state law as part of a privileged communication.

(c) The provisions of sections 1 to 18, inclusive, of this act shall not apply to protected health information that is collected by a covered entity governed by the privacy, security and breach notification rules issued by the federal Department of Health and Human Services, 45 CFR Parts 160 and 164, as amended from time to time, established pursuant to the Health Insurance Portability and Availability Act of 1996, as amended from time to time. For purposes of this subsection, the definitions of "protected health information" and "covered entity" from the federal privacy rule shall apply.

(d) Sections 1 to 18, inclusive, of this act shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report, as defined by 15 USC 1681a(d), as amended from time to time, and use of that information is limited by the federal Fair Credit Reporting Act, 15 USC 1681 et seq., as amended from time to time.

(e) Sections 1 to 18, inclusive, of this act shall not apply to personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act, and implementing regulations, as amended from time to time, if it is in conflict with that law.

(f) Sections 1 to 18, inclusive, of this act shall not apply to personal information collected, processed, sold or disclosed pursuant to the Driver's Privacy Protection Act of 1994, 18 USC 2721 et seq., as amended from time to time, if it is in conflict with that act.

(g) Notwithstanding a business' obligations to respond to and honor consumer rights requests pursuant to sections 1 to 18, inclusive, of this act:

(1) A time period for a business to respond to any verified consumer request may be extended by up to ninety additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within forty-five days of receipt of the request, together with the reasons for the delay.

(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.

(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.
(h) A business that discloses personal information to a service provider shall not be liable under sections 1 to 18, inclusive, of this act if the service provider receiving the personal information uses it in violation of the restrictions set forth in sections 1 to 18, inclusive, of this act, provided, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under sections 1 to 18, inclusive, of this act for the obligations of a business for which it provides services as set forth in sections 1 to 18, inclusive, of this act.

(i) Sections 1 to 18, inclusive, of this act shall not be construed to require a business to re-identify or otherwise link information that is not maintained in a manner that would be considered personal information.

(j) The rights afforded to consumers and the obligations imposed on the business in sections 1 to 18, inclusive, of this act shall not adversely affect the rights and freedoms of other consumers.

Sec. 12. (NEW) (Effective January 1, 2020) (a) Any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following: (1) To recover damages in an amount not less than one hundred dollars and not greater than seven hundred fifty dollars, per consumer, per incident or actual damages, whichever is greater; (2) injunctive or declaratory relief; or (3) any other relief the court deems proper.
(b) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct and the defendant's assets, liabilities and net worth.

(c) Actions pursuant to this section may be brought by a consumer if all of the following requirements are met:

(1) Prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer shall provide a business thirty days' written notice identifying the specific provisions of sections 1 to 18, inclusive, of this act the consumer alleges have been or are being violated. In the event a remedy is possible, if within the thirty days the business actually remedies the noticed violation and provides the consumer an express written statement that the violations have been remedied and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of sections 1 to 18, inclusive, of this act.
If a business continues to violate sections 1 to 18, inclusive, of this act in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of sections 1 to 18, inclusive, of this act that postdates the written statement.

(2) A consumer bringing an action as defined in subdivision (1) of this subsection shall notify the Attorney General within thirty days that the action has been filed.

(3) The Attorney General, upon receiving such notice shall, within thirty days, do one of the following: (A) Notify the consumer bringing the action of the Attorney General's intent to prosecute an action against the violation, provided, if the Attorney General does not prosecute within six months, the consumer may proceed with the action; (B) refrain from acting within the thirty-day period, allowing the consumer bringing the action to proceed; or (C) notify the consumer bringing the action that the consumer shall not proceed with the action.

(d) Nothing in sections 1 to 18, inclusive, of this act shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under federal or state law or the federal or state Constitution.

Sec. 13. (NEW) (Effective January 1, 2020) (a) Notwithstanding the provisions of section 3-125 of the general statutes, any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of sections 1 to 18, inclusive, of this act.
(b) A business shall be in violation of the provisions of sections 1 to 18, inclusive, of this act if it fails to remedy any alleged violation within thirty days after being notified of alleged noncompliance. Any business, service provider or other person that violates sections 1 to 18, inclusive, of this act shall be liable for a civil penalty in a civil action brought in the name of the people of the state by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the state by the Attorney General.

(c) Any person, business or service provider that intentionally violates sections 1 to 18, inclusive, of this act may be liable for a civil penalty of up to seven thousand five hundred dollars for each violation.

(d) Any civil penalty assessed pursuant to this section for a violation of sections 1 to 18, inclusive, of this act, and the proceeds of any settlement of an action brought pursuant to subsection (b) of this section, shall be allocated as follows:

(1) Twenty per cent to the consumer privacy account, established under section 13 of this act, with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with sections 1 to 18, inclusive, of this act.

(2) Eighty per cent to the jurisdiction on whose behalf the action leading to the civil penalty was brought.
(e) The percentages specified in subsection (d) of this section shall be adjusted as necessary to ensure that any civil penalties assessed for a violation of sections 1 to 18, inclusive, of this act fully offset any costs incurred by the state courts and the Attorney General in connection with sections 1 to 18, inclusive, of this act, including a sufficient amount to cover any deficit from a prior fiscal year.

Sec. 14. (NEW) (Effective January 1, 2020) (a) There is established an account to be known as the "consumer privacy account" which shall be a separate, nonlapsing account within the General Fund. The account shall contain any moneys required by law to be deposited in the account. Moneys in the account shall be expended by (1) the Chief Court Administrator for the purposes of offsetting any costs incurred by the state courts in connection with actions brought to enforce sections 1 to 18, inclusive, of this act, and (2) the Attorney General for the purpose of offsetting any costs incurred by the Attorney General in carrying out the Attorney General's duties under sections 1 to 18, inclusive, of this act.

(b) Funds transferred to the consumer privacy account shall not be subject to appropriation or transfer by the General Assembly for any other purpose, unless the Secretary of the Office of Policy and Management determines that the funds are in excess of the funding needed to fully offset the costs incurred by the state courts and the Attorney General in connection with sections 1 to 18, inclusive, of this act, in which case the General Assembly may appropriate excess funds for other purposes.

Sec. 15. (NEW) (Effective January 1, 2020) (a) The provisions of sections 1 to 18, inclusive, of this act are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, existing provisions of the general statutes relating to consumers' personal information should be construed to harmonize with the provisions of sections 1 to 18, inclusive, of this act, but, in the event of a conflict between other provisions of the general statutes and the provisions of sections 1 to 18, inclusive, of this act, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

(b) Sections 1 to 18, inclusive, of this act supersede and preempt all rules, regulations, codes, ordinances and other laws adopted by a city, county, city and county, municipality or local agency regarding the collection and sale of consumers' personal information by a business.

(c) Sections 1 to 18, inclusive, of this act supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal and state law or the state Constitution.

Sec. 16. (NEW) (Effective January 1, 2020) (a) On or before January 1, 2020, the Commissioner of Consumer Protection, in consultation with the Chief Information Officer, shall adopt regulations in accordance with the provisions of chapter 54 of the general statutes to further the purposes of sections 1 to 18, inclusive, of this act, including, but not limited to, the following areas:

(1) Updating, as needed, categories of personal information in addition to those enumerated in subdivision (15) of section 1 of this act and section 9 of this act in order to address changes in technology, data collection practices, obstacles to implementation and privacy concerns.

(2) Updating, as needed, the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation and privacy concerns, and additional categories to the definition of designated methods for submitting requests to facilitate a consumer's ability to obtain information from a business pursuant to section 9 of this act.

(3) Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, not later than January 1, 2021, and as needed thereafter.

(4) Establishing rules and procedures for the following, not later than January 1, 2021, and as needed thereafter:

(A) To facilitate and govern the submission of a request by a consumer to opt out of the sale of personal information pursuant to section 10 of this act.

(B) To govern business compliance with a consumer's opt-out request.

(C) The development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information.
(5) Adjusting the monetary threshold in subparagraph (A)(i) of subdivision (3) of section 1 of this act in January of every odd-numbered year to reflect any increase in the consumer price index.

(6) Establishing rules, procedures and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to sections 1 to 18, inclusive, of this act are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentive offerings, not later than January 1, 2021, and as needed thereafter.

(7) Establishing rules and procedures to further the purposes of sections 4 and 6 of this act and to facilitate a consumer's, or the consumer's authorized agent's, ability to obtain information pursuant to section 9 of this act, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns and the burden on the business, to govern a business' determination that a request for information received by a consumer is a verifiable request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business' authentication of the consumer's identity, not later than January 1, 2021, and as needed thereafter.

(b) The Commissioner of Consumer Protection may adopt additional regulations to further the purposes of sections 1 to 18, inclusive, of this act.

Sec. 17. (NEW) (Effective January 1, 2020) If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of sections 1 to 18, inclusive, of this act, including the disclosure of information by a business to a third party in order to avoid the definition of sale, a court shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of sections 1 to 18, inclusive, of this act.

Sec. 18. (NEW) (Effective January 1, 2020) Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this section and sections 1 to 17, inclusive, of this act, including, but not limited to, any right to a remedy or means of enforcement, shall be void and unenforceable. This section shall not prevent a consumer from declining to request information from a business, declining to opt out of a business' sale of the consumer's personal information, or authorizing a business to sell the consumer's personal information after previously opting out.

This act shall take effect as follows and shall amend the following sections:

Section 1    January 1, 2020    New section
Sec. 2       January 1, 2020    New section
Sec. 3       January 1, 2020    New section
Sec. 4       January 1, 2020    New section
Sec. 5       January 1, 2020    New section
Sec. 6       January 1, 2020    New section
Sec. 7       January 1, 2020    New section
Sec. 8       January 1, 2020    New section
Sec. 9       January 1, 2020    New section
Sec. 10      January 1, 2020    New section
Sec. 11      January 1, 2020    New section
Sec. 12      January 1, 2020    New section
Sec. 13      January 1, 2020    New section
Sec. 14      January 1, 2020    New section
Sec. 15      January 1, 2020    New section
Sec. 16      January 1, 2020    New section
Sec. 17      January 1, 2020    New section
Sec. 18      January 1, 2020    New section

Statement of Purpose: To require businesses to disclose the proposed use of any personal information and to give consumers the right to discover what personal information the business possesses and to opt out of the sale of such information and to create a cause of action and penalties for violations of such requirements.

[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]