LCO \\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-R03-SB.docx 1 of 20

General Assembly
Substitute Bill No. 893
January Session, 2021

AN ACT CONCERNING CONSUMER PRIVACY.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective January 1, 2023) As used in this section and sections 2 to 11, inclusive, of this act, unless the context otherwise requires:

(1) "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this subdivision, "control" or "controlled" means (A) ownership of, or the power to vote, more than fifty per cent of the outstanding shares of any class of voting security of a company, (B) control in any manner over the election of a majority of the directors or of individuals exercising similar functions, or (C) the power to exercise controlling influence over the management of a company.

(2) "Authenticate" means to verify through reasonable means that the consumer is the same consumer exercising such consumer rights with respect to the personal data at issue.

(3) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual. "Biometric data" does not include a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used or stored for health care treatment, payment or operations under HIPAA.

(4) "Business associate" has the same meaning as provided in HIPAA.

(5) "Child" means any natural person less than thirteen years of age.

(6) "Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. "Consent" may include a written statement, including by electronic means, or any other unambiguous affirmative action.

(7) "Consumer" means a natural person who is a resident of this state and acting only in an individual or household context. "Consumer" does not include a natural person acting in a commercial or employment context.

(8) "Controller" means a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.

(9) "Covered entity" has the same meaning as provided in HIPAA.

(10) "Decisions that produce legal or similarly significant effects concerning a consumer" means decisions made by the controller that result in the provision or denial by the controller of financial and lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services or access to basic necessities, such as food and water.

(11) "De-identified data" means data that cannot reasonably be linked to an identified or identifiable natural person, or a device linked to such person.

(12) "Health record" means the health-related record of an individual, and may include, but need not be limited to, continuity of care documents, discharge summaries and other information or data relating to a patient's demographics, medical history, medication, allergies, immunizations, laboratory test results, radiology or other diagnostic images, vital signs and statistics.

(13) "Health care provider" means any person, corporation, limited liability company, facility or institution licensed by this state to provide health care or professional services, or an officer, employee or agent thereof acting in the course and scope of his or her employment.

(14) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et seq.

(15) "Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.

(16) "Institution of higher education" means any person, school, board, association, limited liability company or corporation that is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.

(17) "Nonprofit organization" means any organization that is exempt from taxation under Section 501(c)(3) of the Internal Revenue Code of 1986, or any subsequent corresponding internal revenue code of the United States, as amended from time to time.

(18) "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. "Personal data" does not include de-identified data or publicly available information.

(19) "Precise geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identify the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(20) "Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.

(21) "Processor" means a natural or legal entity that processes personal data on behalf of a controller.

(22) "Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

(23) "Protected health information" has the same meaning as provided in HIPAA.

(24) "Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

(25) "Publicly available information" means information that is lawfully made available through federal, state or municipal government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public through widely distributed media, by the consumer, or by a person to whom the consumer has disclosed the information, unless the consumer has restricted the information to a specific audience.

(26) "Sale of personal data" means the exchange of personal data for monetary consideration by the controller to a third party. "Sale of personal data" does not include: (A) The disclosure of personal data to a processor that processes the personal data on behalf of the controller, (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer, (C) the disclosure or transfer of personal data to an affiliate of the controller, (D) the disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media, and (ii) did not restrict to a specific audience, or (E) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller's assets.

(27) "Sensitive data" means personal data that includes: (A) Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying a natural person, (C) personal data collected from a known child, or (D) precise geolocation data.

(28) "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer's preferences or interests. "Targeted advertising" does not include: (A) Advertisements based on activities within a controller's own Internet web sites or online applications, (B) advertisements based on the context of a consumer's current search query, visit to an Internet web site or online application, (C) advertisements directed to a consumer in response to the consumer's request for information or feedback, or (D) the processing of personal data solely for measuring or reporting advertising performance, reach or frequency.

(29) "Third party" means a natural or legal person, public authority, agency or body other than the consumer, controller, processor or an affiliate of the processor or the controller.

Sec. 2. (NEW) (Effective January 1, 2023) The provisions of sections 1 to 11, inclusive, of this act apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and that: (1) During a calendar year, control or process the personal data of not less than one hundred thousand consumers, or (2) control or process the personal data of not less than twenty-five thousand consumers and derive more than fifty per cent of their gross revenue from the sale of personal data.

Sec. 3. (NEW) (Effective January 1, 2023) (a) The provisions of sections 1 to 11, inclusive, of this act shall not apply to any: (1) Body, authority, board, bureau, commission, district or agency of this state or of any political subdivision of this state, (2) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq., (3) covered entity or business associate governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services, 45 CFR 160 and 164, established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act, (4) nonprofit organization, or (5) institution of higher education.

(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (1) Protected health information under HIPAA, (2) health records, (3) patient identifying information for purposes of 42 USC 290dd-2, (4) identifiable private information for purposes of the federal policy for the protection of human subjects under 45 CFR 46, (5) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use, (6) the protection of human subjects under 21 CFR 6, 50 and 56, or personal data used or shared in research, as defined in 45 CFR 164.501, that is conducted in accordance with the standards set forth in this subdivision and subdivisions (4) and (5) of this subsection, or other research conducted in accordance with applicable law, (7) information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq., (8) patient safety work product for purposes of the Patient Safety and Quality Improvement Act, 42 USC 299b-21 et seq., (9) information derived from any of the health care related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA, (10) information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate, program or qualified service organization, as specified in 42 USC 290dd-2, (11) information used for public health activities and purposes as authorized by HIPAA, (12) the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency, furnisher or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 USC 1681 et seq., (13) personal data collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 USC 2721 et seq., (14) personal data regulated by the Family Educational Rights and Privacy Act, 20 USC 1232g et seq., (15) personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act, 12 USC 2001 et seq., and (16) data processed or maintained (A) in the course of an individual applying to, employed by, or acting as an agent or independent contractor of, a controller, processor or third party, to the extent that the data is collected and used within the context of that role; (B) as the emergency contact information of an individual under sections 1 to 11, inclusive, of this act used for emergency contact purposes, or (C) that is necessary to retain to administer benefits for another individual relating to the individual under subdivision (1) of this subsection and used for the purposes of administering such benefits.

(c) Controllers and processors that comply with the verifiable parental consent requirements of the Children's Online Privacy Protection Act, 15 USC 6501 et seq., shall be deemed compliant with any obligation to obtain parental consent pursuant to sections 1 to 11, inclusive, of this act.

Sec. 4. (NEW) (Effective January 1, 2023) (a) A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the known child. A controller shall comply with an authenticated consumer request to exercise the right to: (1) Confirm whether or not a controller is processing the consumer's personal data and to access such personal data, (2) correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data, (3) delete personal data provided by, or obtained about, the consumer, (4) obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, and (5) opt out of the processing of the personal data for purposes of (A) targeted advertising, (B) the sale of personal data, or (C) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

(b) Except as otherwise provided in sections 1 to 11, inclusive, of this act, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to said sections as follows:

(1) A controller shall respond to the consumer without undue delay, but not later than forty-five days after receipt of the request. The response period may be extended once by forty-five additional days when reasonably necessary, considering the complexity and number of the consumer's requests, provided the controller informs the consumer of any such extension within the initial forty-five-day response period, together with the reason for the extension.

(2) If a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but not later than forty-five days after receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision.

(3) Information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, excessive or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request.

(4) If a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action pursuant to this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request.

(c) A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to this section. Not later than sixty days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.

Sec. 5. (NEW) (Effective January 1, 2023) (a) A controller shall: (1) Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer, (2) except as otherwise provided in sections 1 to 11, inclusive, of this act, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent, (3) establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue, (4) not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act, 15 USC 6501 et seq., and (5) not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in sections 1 to 11, inclusive, of this act, including denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods and services to the consumer. Nothing in this subsection shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised his right to opt out or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.

(b) Controllers shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller, (2) the purpose for processing personal data, (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request, (4) the categories of personal data that the controller shares with third parties, if any, and (5) the categories of third parties, if any, with which the controller shares personal data.

(c) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

(d) A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to sections 1 to 11, inclusive, of this act. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights, but may require a consumer to use an existing account.

Sec. 6. (NEW) (Effective January 1, 2023) (a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations pursuant to sections 1 to 11, inclusive, of this act. Such assistance shall include: (1) Taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests, (2) taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security of the system of the processor, in order to meet the controller's obligations, and (3) providing necessary information to enable the controller to conduct and document data protection assessments.

(b) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also include requirements that the processor shall: (1) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data, (2) at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law, (3) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in sections 1 to 11, inclusive, of this act, (4) engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data, and (5) allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under sections 1 to 11, inclusive, of this act, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.

(c) Nothing in this section shall be construed to relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as defined in sections 1 to 11, inclusive, of this act.

(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.

Sec. 7. (NEW) (Effective January 1, 2023) (a) A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data: (1) The processing of personal data for purposes of targeted advertising, (2) the sale of personal data, (3) the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of (A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (B) financial, physical or reputational injury to consumers, (C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or (D) other substantial injury to consumers, (4) the processing of sensitive data, and (5) any processing activities involving personal data that present a heightened risk of harm to consumers.

(b) Data protection assessments conducted pursuant to subsection (a) of this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.

(c) The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General, and the controller shall make the data protection assessment available to the Attorney General. The Attorney General may evaluate the data protection assessment for compliance with the responsibilities set forth in sections 1 to 11, inclusive, of this act. Data protection assessments shall be confidential and shall be exempt from disclosure under the Freedom of Information Act, as defined in section 1-200 of the general statutes. The disclosure of a data protection assessment pursuant to a request from the Attorney General shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.

(d) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(e) Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect.

(f) Data protection assessment requirements shall apply to processing activities created or generated after January 1, 2023, and are not retroactive.

Sec. 8. (NEW) (Effective January 1, 2023) (a) Any controller in possession of de-identified data shall: (1) Take reasonable measures to ensure that the data cannot be associated with a natural person, (2) publicly commit to maintaining and using de-identified data without attempting to re-identify the data, and (3) contractually obligate any recipients of the de-identified data to comply with all provisions of sections 1 to 11, inclusive, of this act.

(b) Nothing in sections 1 to 11, inclusive, of this act shall be construed to (1) require a controller or processor to re-identify de-identified data or pseudonymous data, or (2) maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data.

(c) Nothing in sections 1 to 11, inclusive, of this act shall be construed to require a controller or processor to comply with an authenticated consumer rights request, if all of the following are true, if the controller: (1) Is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data, (2) does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer, and (3) does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.
450 (d) Consumer rights shall not apply to pseudonymous data in cases 451 where the controller is able to demonstrate any information necessary 452 to identify the consumer is kept separately and is subject to effective 453 technical and organizational controls that prevent the controller from 454 accessing such information. 455 (e) A controller that discloses pseudonymous data or de-identified 456 data shall exercise reasonable oversight to monitor compliance with any 457 contractual commitments to which the pseudonymous data or de-458 identified data is subject and shall take appropriate steps to address any 459 breaches of those contractual commitments. 460 Sec. 9. (NEW) (Effective January 1, 2023) (a) Nothing in sections 1 to 11, 461 inclusive, of this act shall be construed to restrict a controller's or 462 processor's ability to: (1) Comply with federal, state or municipal 463 ordinances or regulations, (2) comply with a civil, criminal or regulatory 464 inquiry, investigation, subpoena or summons by federal, state, 465 municipal or other governmental authorities, (3) cooperate with law-466 enforcement agencies concerning conduct or activity that the controller 467 or processor reasonably and in good faith believes may violate federal, 468 Substitute Bill No. 
893 LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893- R03-SB.docx } 16 of 20 state or municipal ordinances or regulations, (4) investigate, establish, 469 exercise, prepare for or defend legal claims, (5) provide a product or 470 service specifically requested by a consumer, (6) perform a contract to 471 which a consumer is a party, including fulfilling the terms of a written 472 warranty, (7) take steps at the request of a consumer prior to entering 473 into a contract, (8) take immediate steps to protect an interest that is 474 essential for the life or physical safety of the consumer or of another 475 natural person, and where the processing cannot be manifestly based on 476 another legal basis, (9) prevent, detect, protect against or respond to 477 security incidents, identity theft, fraud, harassment, malicious or 478 deceptive activities or any illegal activity, preserve the integrity or 479 security of systems or investigate, report or prosecute those responsible 480 for any such action, (10) engage in public or peer-reviewed scientific or 481 statistical research in the public interest that adheres to all other 482 applicable ethics and privacy laws and is approved, monitored and 483 governed by an institutional review board, or similar independent 484 oversight entities that determine (A) if the deletion of the information is 485 likely to provide substantial benefits that do not exclusively accrue to 486 the controller, (B) the expected benefits of the research outweigh the 487 privacy risks, and (C) if the controller has implemented reasonable 488 safeguards to mitigate privacy risks associated with research, including 489 any risks associated with re-identification, or (11) assist another 490 controller, processor, or third party with any of the obligations under 491 sections 1 to 11, inclusive, of this act. 
492 (b) The obligations imposed on controllers or processors under 493 sections 1 to 11, inclusive, of this act shall not restrict a controller's or 494 processor's ability to collect, use, or retain data to: (1) Conduct internal 495 research to develop, improve, or repair products, services, or 496 technology, (2) effectuate a product recall, (3) identify and repair 497 technical errors that impair existing or intended functionality, or (4) 498 perform internal operations that are reasonably aligned with the 499 expectations of the consumer or reasonably anticipated based on the 500 consumer's existing relationship with the controller or are otherwise 501 compatible with processing data in furtherance of the provision of a 502 Substitute Bill No. 893 LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893- R03-SB.docx } 17 of 20 product or service specifically requested by a consumer or the 503 performance of a contract to which the consumer is a party. 504 (c) The obligations imposed on controllers or processors under 505 sections 1 to 11, inclusive, of this act shall not apply where compliance 506 by the controller or processor with said sections would violate an 507 evidentiary privilege under the laws of this state. Nothing in sections 1 508 to 11, inclusive, of this act shall be construed to prevent a controller or 509 processor from providing personal data concerning a consumer to a 510 person covered by an evidentiary privilege under the laws of the state 511 as part of a privileged communication. 
512 (d) A controller or processor that discloses personal data to a third-513 party controller or processor, in compliance with the requirements of 514 sections 1 to 11, inclusive, of this act, is not in violation of said sections 515 if the third-party controller or processor that receives and processes 516 such personal data is in violation of said sections, provided, at the time 517 of disclosing the personal data, the disclosing controller or processor did 518 not have actual knowledge that the recipient intended to commit a 519 violation of said sections. A third-party controller or processor receiving 520 personal data from a controller or processor in compliance with the 521 requirements of sections 1 to 11, inclusive, of this act is likewise not in 522 violation of said sections for the transgressions of the controller or 523 processor from which it receives such personal data. 524 (e) Nothing in sections 1 to 11, inclusive, of this act shall be construed 525 as an obligation imposed on controllers and processors that adversely 526 affects the rights or freedoms of any persons, such as exercising the right 527 of free speech pursuant to the First Amendment to the United States 528 Constitution, or applies to the processing of personal data by a person 529 in the course of a purely personal or household activity. 530 (f) Personal data processed by a controller pursuant to sections 1 to 531 11, inclusive, of this act shall not be processed for any purpose other 532 than those expressly listed in this section unless otherwise allowed by 533 sections 1 to 11, inclusive, of this act. Personal data processed by a 534 Substitute Bill No. 
893 LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893- R03-SB.docx } 18 of 20 controller pursuant to this section may be processed to the extent that 535 such processing is: (1) Reasonably necessary and proportionate to the 536 purposes listed in this section, and (2) adequate, relevant and limited to 537 what is necessary in relation to the specific purposes listed in this 538 section. Personal data collected, used, or retained pursuant to subsection 539 (b) of this section shall, where applicable, take into account the nature 540 and purpose or purposes of such collection, use, or retention. Such data 541 shall be subject to reasonable administrative, technical, and physical 542 measures to protect the confidentiality, integrity, and accessibility of the 543 personal data and to reduce reasonably foreseeable risks of harm to 544 consumers relating to such collection, use, or retention of personal data. 545 (g) If a controller processes personal data pursuant to an exemption 546 in this section, the controller bears the burden of demonstrating that 547 such processing qualifies for the exemption and complies with the 548 requirements in subsection (f) of this section. 549 (h) Processing personal data for the purposes expressly identified in 550 this section shall not solely make an entity a controller with respect to 551 such processing. 552 Sec. 10. (NEW) (Effective January 1, 2023) (a) The Attorney General 553 shall have exclusive authority to enforce violations of sections 1 to 11, 554 inclusive, of this act. 555 (b) Prior to initiating any action under sections 1 to 11, inclusive, of 556 this act, the Attorney General shall provide a controller or processor not 557 less than thirty days' written notice identifying the specific provisions 558 of said sections the Attorney General, on behalf of a consumer, alleges 559 have been or are being violated. 
If, prior to the expiration of such time 560 period, the controller or processor cures the noticed violation and 561 provides the Attorney General an express written statement that the 562 alleged violations have been cured and that no further violations shall 563 occur, no action for statutory damages shall be initiated against the 564 controller or processor. 565 Substitute Bill No. 893 LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893- R03-SB.docx } 19 of 20 (c) If a controller or processor continues to violate sections 1 to 11, 566 inclusive, of this act in breach of an express written statement provided 567 to the consumer under this section, the Attorney General may initiate a 568 civil action in Superior Court and seek damages not exceeding seven 569 thousand five hundred dollars for each violation of sections 1 to 11, 570 inclusive, of this act. 571 (d) Nothing in sections 1 to 11, inclusive, of this act shall be construed 572 as providing the basis for, or be subject to, a private right of action for 573 violations of said sections or any other law. 574 Sec. 11. (NEW) (Effective January 1, 2023) (a) The Attorney General 575 shall have exclusive authority to enforce sections 1 to 10, inclusive, of 576 this act by bringing an action in the name of the state, or on behalf of 577 persons residing in this state. 578 (b) Any controller or processor that violates sections 1 to 10, inclusive, 579 of this act shall be liable for a civil penalty of not more than seven 580 thousand five hundred dollars for each violation. 581 (c) The Attorney General may recover reasonable expenses incurred 582 in investigating and preparing the case, including attorney fees, of any 583 action initiated under sections 1 to 10, inclusive, of this act. 584 This act shall take effect as follows and shall amend the following sections: Section 1 January 1, 2023 New section Sec. 2 January 1, 2023 New section Sec. 3 January 1, 2023 New section Sec. 4 January 1, 2023 New section Sec. 
5 January 1, 2023 New section Sec. 6 January 1, 2023 New section Sec. 7 January 1, 2023 New section Sec. 8 January 1, 2023 New section Sec. 9 January 1, 2023 New section Sec. 10 January 1, 2023 New section Sec. 11 January 1, 2023 New section Substitute Bill No. 893 LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893- R03-SB.docx } 20 of 20 GL Joint Favorable Subst. JUD Joint Favorable APP Joint Favorable