Hawaii 2024 Regular Session

Hawaii Senate Bill SB2581 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	THE SENATE S.B. NO. 2581 THIRTY-SECOND LEGISLATURE, 2024 STATE OF HAWAII A BILL FOR AN ACT relating to privacy. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
2	2
3	3	THE SENATE S.B. NO. 2581
4	4	THIRTY-SECOND LEGISLATURE, 2024
5	5	STATE OF HAWAII
6	6
7	7	THE SENATE
8	8
9	9	S.B. NO.
10	10
11	11	2581
12	12
13	13	THIRTY-SECOND LEGISLATURE, 2024
14	14
15	15
16	16
17	17	STATE OF HAWAII
18	18
19	19
20	20
21	21
22	22
23	23
24	24
25	25
26	26
27	27
28	28
29	29
30	30
31	31	A BILL FOR AN ACT
32	32
33	33
34	34
35	35
36	36
37	37	relating to privacy.
38	38
39	39
40	40
41	41
42	42
43	43	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
44	44
45	45
46	46
47	47	SECTION 1. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows: "Chapter CONSUMER PRIVACY PART I. GENERAL PROVISIONS § -1 Definitions. As used in this chapter: "Aggregate consumer information" means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. "Aggregate consumer information" does not include one or more individual consumer records that have been deidentified. "Biometric information" means an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid, which can be used singly or in combination with each other or with other identifying data to establish individual identity. "Biometric information" includes imagery of the iris, retina, fingerprint, face, hand, palm, or vein patterns; voice recordings from which an identifier template, such as a faceprint, minutiae template, or voiceprint, can be extracted; and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information. "Business" has the same meaning as in section 487J‑1. "Collect", "collected", or "collection" means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means, including receiving information from the consumer, either actively or passively, or by observing the consumer's behavior. "Consumer" means an individual residing in the State. "Data broker" means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the personal information of a consumer with whom the business does not have a direct relationship. "Data broker" does not include: (1) An entity to the extent that it is covered by the federal Fair Credit Reporting Act, title 15 United States Code section 1681 et seq.; (2) An entity to the extent that it is covered by the Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations; or (3) An entity to the extent that it is covered by chapter 431, article 3A. "Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer. "Device" means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device. "Direct relationship" means a relationship, past or present, between a consumer and a business in which the consumer is: a customer, client, subscriber, or user of the business's goods or services; employee, contractor, or agent of the business; investor in the business; or donor to the business. "Direct relationship" does not include the following activities conducted by a business, or the collection and sale or licensing of personal information incidental to conducting these activities: (1) Developing or maintaining third-party e-commerce or application platforms; (2) Providing directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier; (3) Providing publicly available information related to a consumer's business or profession; and (4) Providing publicly available information via real-time or near real-time alert services for health or safety purposes. "Family" means a custodial parent or guardian and any minor children over which the parent or guardian has custody. "License" means to grant one's business' access to, or distribution of, data to another business in exchange for consideration. "License" does not include the sharing of data for the sole benefit of the business providing the data, where that business maintains sole control over the use of the data. "Office" means the office of consumer protection. "Person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, or any other organization or group of persons acting in concert. "Personal information" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes the following: (1) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers; (2) Personal information as defined in section 487N-1; (3) Characteristics of protected classifications under federal or state law; (4) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; (5) Biometric information; (6) Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement; (7) Geolocation information; (8) Audio, electronic, visual, thermal, olfactory, or similar information; (9) Professional or employment-related information; (10) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. 1232g; 34 C.F.R. part 99); and (11) Inferences drawn from any of the information identified in this chapter to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. "Publicly available" means available information from federal, state, or local government records, including any conditions associated with the information. "Publicly available" does not include: (1) Biometric information collected by a business about a consumer without the consumer's knowledge; and (2) Consumer information that is deidentified or aggregate consumer information. "Sell", "selling", "sale", or "sold" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration. "Unique personal identifier" means a persistent identifier that can be used to recognize a consumer, family, or device that is linked to a consumer or family, over time and across different services, including but not limited to a device identifier; an internet protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. "Verifiable consumer request" means a request made by a consumer, or on behalf of the consumer's minor child, whom the business verifies is a consumer of the business's services. part ii. data brokers § -21 Annual registration. (a) On or before January 31 of each year following a year in which a business meets the definition of data broker, a data broker shall: (1) Register with the office; (2) Pay a registration fee in an amount determined by the office, to be deposited into the data brokers' registry special fund; and (3) Provide the following information to the office: (A) The name and primary physical, electronic mail, and internet addresses of the data broker; (B) If the data broker permits a consumer to opt out of the data broker's collection of personal information, opt out of its databases, or opt out of certain sales of data: (i) The method for requesting an opt-out; (ii) Which activities and sales the opt-out applies to; and (iii) Whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer's behalf; (C) A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out; and (D) Any additional information or explanation the data broker chooses to provide concerning its data collection practices. (b) The office shall create a page on its website where the information provided by data brokers under this chapter shall be accessible to the public. (c) A data broker that fails to register with the office as required by this section shall be liable for administrative fines and costs in an administrative action brought by the office as follows: (1) An administrative fine as determined by the office for each day the data broker fails to register as required by this section; (2) An amount equal to the fees that were due during the period it failed to register; and (3) Expenses incurred by the office in the investigation and administration of the action as the court deems appropriate. (d) Any penalties, fines, fees, and expenses received pursuant to subsection (c) shall be deposited in the data brokers' registry special fund. § -22 Personal information; deletion. (a) The office shall establish an accessible deletion mechanism that: (1) Implements and maintains reasonable security procedures and practices, including but not limited to administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers' personal information from unauthorized use, disclosure, access, destruction, or modification; (2) Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor; (3) Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2); and (4) Allows a consumer to make a request to alter a previous request made under this subsection after at least forty-five days have passed since the consumer last made a request under this subsection. (b) The accessible deletion mechanism established pursuant to subsection (a) shall meet the following requirements: (1) The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request; (2) The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy‑protecting ways determined by the office to aid in the deletion request; (3) The accessible deletion mechanism shall allow data brokers registered with the office to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism, unless otherwise specified in this chapter; (4) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the office; (5) The accessible deletion mechanism shall not charge a consumer to make a request as described in paragraph (1); (6) The accessible deletion mechanism shall allow a consumer to make a request as described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers; (7) The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities; (8) The accessible deletion mechanism shall support the ability of a consumer's authorized agents to aid in the deletion request; (9) The accessible deletion mechanism shall allow the consumer, or the consumer's authorized agent, to verify the status of the consumer's deletion request; and (10) The accessible deletion mechanism shall provide a description of all of the following: (A) The deletion permitted by this section, including but not limited to the actions required by subsections (c), (d), and (e); (B) The process for submitting a deletion request pursuant to this section; and (C) Examples of the types of information that may be deleted. (c) A data broker shall access the accessible deletion mechanism established pursuant to subsection (a) at least once every forty-five days and shall conduct the following: (1) Within forty-five days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section; (2) In cases where a data broker denies a consumer request to delete under this chapter because the request cannot be verified, process the request and refrain from selling or sharing the consumer's personal information or using or disclosing the consumer's sensitive personal information; provided that the data broker shall request, after at least twelve months after processing the consumer request, the consumer to authorize the sale or sharing of the consumer's personal information or the use and disclosure of the consumer's sensitive personal information; (3) Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in paragraph (1); and (4) Direct all service providers or contractors associated with the data broker to process a request described by paragraph (2) as an opt-out of the sale or sharing of the consumer's personal information. (d) A data broker shall delete all personal information of a consumer at least once every forty-five days pursuant to this section after the consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to subsection (f). (e) A data broker shall not sell or share new personal information of the consumer after a consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section unless the consumer requests otherwise or selling or sharing the personal information is permitted under subsection (d). (f) Notwithstanding subsection (c), a data broker shall not be required to delete a consumer's personal information if either of the following apply: (1) It is reasonably necessary for the data broker to maintain the personal information to: (A) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer; (B) Help to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes; (C) Debug to identify and repair errors that impair existing intended functionality; (D) Exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law; (E) Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the consumer has provided informed consent; (F) Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business and compatible with the context in which the consumer provided the information; or (G) Comply with a legal obligation; or (2) The deletion is not required to: (A) Comply with federal, state, or county laws or comply with a court order or subpoena to provide information; (B) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or county authorities; (C) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or county law; (D) Cooperate with a government agency request for emergency access to a consumer's personal information if a natural person is at risk or danger of death or serious physical injury; provided that: (i) The request is approved by the head of the entity for emergency access to a consumer's personal information; (ii) The request is based on the agency's good faith determination that it has a lawful basis to access the information on a nonemergency basis; and (iii) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted; (E) Exercise or defend legal claims; (F) Collect, use, retain, sell, share, or disclose consumers' personal information that is deidentified or aggregate consumer information; (G) Collect, sell, or share a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of the State; or (H) Comply with any federal or state law protecting medical or health information. (g) Personal information described in subsection (f) shall only be used for the purposes described in subsection (f) and shall not be used or disclosed for any other purpose, including but not limited to marketing purposes. (h) Beginning January 1, 2025, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section. The data broker shall submit a report resulting from the audit and any related materials to the office within five business days of a written request from the office. A data broker shall maintain the report and materials for at least six years following completion of the audit. (i) A data broker required to register under this chapter that fails to comply with the requirements of this section shall be liable for administrative fines and costs in an administrative action brought by the office as follows: (1) An administrative fine as determined by the office for each deletion request for each day the data broker fails to delete information pursuant to this section; and (2) Reasonable expenses incurred by the office in the investigation and administration of the action. (j) Any penalties, fines, fees, and expenses received pursuant to subsection (i) shall be deposited in the data brokers' registry special fund. § -23 Data brokers' registry special fund. (a) There is established in the state treasury the data brokers' registry special fund, into which shall be deposited: (1) Registration fees collected pursuant to section ‑21(a)(2); (2) Any penalties, fines, fees, and expenses received pursuant to sections -21(d) and -22(j); (3) Appropriations made by the legislature for deposit into the special fund; (4) Any grant or donation made to the special fund; and (5) Any interest earned on the balance of the special fund. (b) Moneys in the special fund shall be expended for: (1) The costs of establishing and maintaining the informational website described in section -21(b); (2) The costs incurred by the state courts and the office in connection with enforcing this chapter; and (3) The costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in section -22(a). § -24 Rules. The office shall adopt rules pursuant to chapter 91 necessary to effectuate this chapter. § -25 Limitation of administrative action. No administrative action brought pursuant to this chapter alleging a violation of any of the provisions of this chapter shall commence more than five years after the date on which the violation occurred." SECTION 2. This Act shall take effect upon its approval. INTRODUCED BY: _____________________________
48	48
49	49	SECTION 1. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:
50	50
51	51	"Chapter
52	52
53	53	CONSUMER PRIVACY
54	54
55	55	PART I. GENERAL PROVISIONS
56	56
57	57	§ -1 Definitions. As used in this chapter:
58	58
59	59	"Aggregate consumer information" means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. "Aggregate consumer information" does not include one or more individual consumer records that have been deidentified.
60	60
61	61	"Biometric information" means an individual's physiological, biological, or behavioral characteristics, including an individual's deoxyribonucleic acid, which can be used singly or in combination with each other or with other identifying data to establish individual identity. "Biometric information" includes imagery of the iris, retina, fingerprint, face, hand, palm, or vein patterns; voice recordings from which an identifier template, such as a faceprint, minutiae template, or voiceprint, can be extracted; and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
62	62
63	63	"Business" has the same meaning as in section 487J‑1.
64	64
65	65	"Collect", "collected", or "collection" means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means, including receiving information from the consumer, either actively or passively, or by observing the consumer's behavior.
66	66
67	67	"Consumer" means an individual residing in the State.
68	68
69	69	"Data broker" means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the personal information of a consumer with whom the business does not have a direct relationship. "Data broker" does not include:
70	70
71	71	(1) An entity to the extent that it is covered by the federal Fair Credit Reporting Act, title 15 United States Code section 1681 et seq.;
72	72
73	73	(2) An entity to the extent that it is covered by the Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations; or
74	74
75	75	(3) An entity to the extent that it is covered by chapter 431, article 3A.
76	76
77	77	"Deidentified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
78	78
79	79	"Device" means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.
80	80
81	81	"Direct relationship" means a relationship, past or present, between a consumer and a business in which the consumer is: a customer, client, subscriber, or user of the business's goods or services; employee, contractor, or agent of the business; investor in the business; or donor to the business. "Direct relationship" does not include the following activities conducted by a business, or the collection and sale or licensing of personal information incidental to conducting these activities:
82	82
83	83	(1) Developing or maintaining third-party e-commerce or application platforms;
84	84
85	85	(2) Providing directory assistance or directory information services, including name, address, and telephone number, on behalf of or as a function of a telecommunications carrier;
86	86
87	87	(3) Providing publicly available information related to a consumer's business or profession; and
88	88
89	89	(4) Providing publicly available information via real-time or near real-time alert services for health or safety purposes.
90	90
91	91	"Family" means a custodial parent or guardian and any minor children over which the parent or guardian has custody.
92	92
93	93	"License" means to grant one's business' access to, or distribution of, data to another business in exchange for consideration. "License" does not include the sharing of data for the sole benefit of the business providing the data, where that business maintains sole control over the use of the data.
94	94
95	95	"Office" means the office of consumer protection.
96	96
97	97	"Person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, or any other organization or group of persons acting in concert.
98	98
99	99	"Personal information" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes the following:
100	100
101	101	(1) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier internet protocol address, electronic mail address, account name, social security number, driver's license number, passport number, or other similar identifiers;
102	102
103	103	(2) Personal information as defined in section 487N-1;
104	104
105	105	(3) Characteristics of protected classifications under federal or state law;
106	106
107	107	(4) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
108	108
109	109	(5) Biometric information;
110	110
111	111	(6) Internet or other electronic network activity information, including browsing history, search history, and information regarding a consumer's interaction with a website, application, or advertisement;
112	112
113	113	(7) Geolocation information;
114	114
115	115	(8) Audio, electronic, visual, thermal, olfactory, or similar information;
116	116
117	117	(9) Professional or employment-related information;
118	118
119	119	(10) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. 1232g; 34 C.F.R. part 99); and
120	120
121	121	(11) Inferences drawn from any of the information identified in this chapter to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
122	122
123	123	"Publicly available" means available information from federal, state, or local government records, including any conditions associated with the information. "Publicly available" does not include:
124	124
125	125	(1) Biometric information collected by a business about a consumer without the consumer's knowledge; and
126	126
127	127	(2) Consumer information that is deidentified or aggregate consumer information.
128	128
129	129	"Sell", "selling", "sale", or "sold" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.
130	130
131	131	"Unique personal identifier" means a persistent identifier that can be used to recognize a consumer, family, or device that is linked to a consumer or family, over time and across different services, including but not limited to a device identifier; an internet protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.
132	132
133	133	"Verifiable consumer request" means a request made by a consumer, or on behalf of the consumer's minor child, whom the business verifies is a consumer of the business's services.
134	134
135	135	part ii. data brokers
136	136
137	137	§ -21 Annual registration. (a) On or before January 31 of each year following a year in which a business meets the definition of data broker, a data broker shall:
138	138
139	139	(1) Register with the office;
140	140
141	141	(2) Pay a registration fee in an amount determined by the office, to be deposited into the data brokers' registry special fund; and
142	142
143	143	(3) Provide the following information to the office:
144	144
145	145	(A) The name and primary physical, electronic mail, and internet addresses of the data broker;
146	146
147	147	(B) If the data broker permits a consumer to opt out of the data broker's collection of personal information, opt out of its databases, or opt out of certain sales of data:
148	148
149	149	(i) The method for requesting an opt-out;
150	150
151	151	(ii) Which activities and sales the opt-out applies to; and
152	152
153	153	(iii) Whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer's behalf;
154	154
155	155	(C) A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out; and
156	156
157	157	(D) Any additional information or explanation the data broker chooses to provide concerning its data collection practices.
158	158
159	159	(b) The office shall create a page on its website where the information provided by data brokers under this chapter shall be accessible to the public.
160	160
161	161	(c) A data broker that fails to register with the office as required by this section shall be liable for administrative fines and costs in an administrative action brought by the office as follows:
162	162
163	163	(1) An administrative fine as determined by the office for each day the data broker fails to register as required by this section;
164	164
165	165	(2) An amount equal to the fees that were due during the period it failed to register; and
166	166
167	167	(3) Expenses incurred by the office in the investigation and administration of the action as the court deems appropriate.
168	168
169	169	(d) Any penalties, fines, fees, and expenses received pursuant to subsection (c) shall be deposited in the data brokers' registry special fund.
170	170
171	171	§ -22 Personal information; deletion. (a) The office shall establish an accessible deletion mechanism that:
172	172
173	173	(1) Implements and maintains reasonable security procedures and practices, including but not limited to administrative, physical, and technical safeguards appropriate to the nature of the information and the purposes for which the personal information will be used and to protect consumers' personal information from unauthorized use, disclosure, access, destruction, or modification;
174	174
175	175	(2) Allows a consumer, through a single verifiable consumer request, to request that every data broker that maintains any personal information delete any personal information related to that consumer held by the data broker or associated service provider or contractor;
176	176
177	177	(3) Allows a consumer to selectively exclude specific data brokers from a request made under paragraph (2); and
178	178
179	179	(4) Allows a consumer to make a request to alter a previous request made under this subsection after at least forty-five days have passed since the consumer last made a request under this subsection.
180	180
181	181	(b) The accessible deletion mechanism established pursuant to subsection (a) shall meet the following requirements:
182	182
183	183	(1) The accessible deletion mechanism shall allow a consumer to request the deletion of all personal information related to that consumer through a single deletion request;
184	184
185	185	(2) The accessible deletion mechanism shall permit a consumer to securely submit information in one or more privacy‑protecting ways determined by the office to aid in the deletion request;
186	186
187	187	(3) The accessible deletion mechanism shall allow data brokers registered with the office to determine whether an individual has submitted a verifiable consumer request to delete the personal information related to that consumer as described in paragraph (1) and shall not allow the disclosure of any additional personal information when the data broker accesses the accessible deletion mechanism, unless otherwise specified in this chapter;
188	188
189	189	(4) The accessible deletion mechanism shall allow a consumer to make a request described in paragraph (1) using an internet service operated by the office;
190	190
191	191	(5) The accessible deletion mechanism shall not charge a consumer to make a request as described in paragraph (1);
192	192
193	193	(6) The accessible deletion mechanism shall allow a consumer to make a request as described in paragraph (1) in any language spoken by any consumer for whom personal information has been collected by data brokers;
194	194
195	195	(7) The accessible deletion mechanism shall be readily accessible and usable by consumers with disabilities;
196	196
197	197	(8) The accessible deletion mechanism shall support the ability of a consumer's authorized agents to aid in the deletion request;
198	198
199	199	(9) The accessible deletion mechanism shall allow the consumer, or the consumer's authorized agent, to verify the status of the consumer's deletion request; and
200	200
201	201	(10) The accessible deletion mechanism shall provide a description of all of the following:
202	202
203	203	(A) The deletion permitted by this section, including but not limited to the actions required by subsections (c), (d), and (e);
204	204
205	205	(B) The process for submitting a deletion request pursuant to this section; and
206	206
207	207	(C) Examples of the types of information that may be deleted.
208	208
209	209	(c) A data broker shall access the accessible deletion mechanism established pursuant to subsection (a) at least once every forty-five days and shall conduct the following:
210	210
211	211	(1) Within forty-five days after receiving a request made pursuant to this section, process all deletion requests made pursuant to this section and delete all personal information related to the consumers making the requests consistent with the requirements of this section;
212	212
213	213	(2) In cases where a data broker denies a consumer request to delete under this chapter because the request cannot be verified, process the request and refrain from selling or sharing the consumer's personal information or using or disclosing the consumer's sensitive personal information; provided that the data broker shall request, after at least twelve months after processing the consumer request, the consumer to authorize the sale or sharing of the consumer's personal information or the use and disclosure of the consumer's sensitive personal information;
214	214
215	215	(3) Direct all service providers or contractors associated with the data broker to delete all personal information in their possession related to the consumers making the requests described in paragraph (1); and
216	216
217	217	(4) Direct all service providers or contractors associated with the data broker to process a request described by paragraph (2) as an opt-out of the sale or sharing of the consumer's personal information.
218	218
219	219	(d) A data broker shall delete all personal information of a consumer at least once every forty-five days pursuant to this section after the consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section unless the consumer requests otherwise or the deletion is not required pursuant to subsection (f).
220	220
221	221	(e) A data broker shall not sell or share new personal information of the consumer after a consumer has submitted a deletion request and a data broker has deleted the consumer's data pursuant to this section unless the consumer requests otherwise or selling or sharing the personal information is permitted under subsection (d).
222	222
223	223	(f) Notwithstanding subsection (c), a data broker shall not be required to delete a consumer's personal information if either of the following apply:
224	224
225	225	(1) It is reasonably necessary for the data broker to maintain the personal information to:
226	226
227	227	(A) Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by the consumer, or reasonably anticipated by the consumer within the context of a business' ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;
228	228
229	229	(B) Help to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for those purposes;
230	230
231	231	(C) Debug to identify and repair errors that impair existing intended functionality;
232	232
233	233	(D) Exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided for by law;
234	234
235	235	(E) Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business' deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if the consumer has provided informed consent;
236	236
237	237	(F) Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business and compatible with the context in which the consumer provided the information; or
238	238
239	239	(G) Comply with a legal obligation; or
240	240
241	241	(2) The deletion is not required to:
242	242
243	243	(A) Comply with federal, state, or county laws or comply with a court order or subpoena to provide information;
244	244
245	245	(B) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or county authorities;
246	246
247	247	(C) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or county law;
248	248
249	249	(D) Cooperate with a government agency request for emergency access to a consumer's personal information if a natural person is at risk or danger of death or serious physical injury; provided that:
250	250
251	251	(i) The request is approved by the head of the entity for emergency access to a consumer's personal information;
252	252
253	253	(ii) The request is based on the agency's good faith determination that it has a lawful basis to access the information on a nonemergency basis; and
254	254
255	255	(iii) The agency agrees to petition a court for an appropriate order within three days and to destroy the information if that order is not granted;
256	256
257	257	(E) Exercise or defend legal claims;
258	258
259	259	(F) Collect, use, retain, sell, share, or disclose consumers' personal information that is deidentified or aggregate consumer information;
260	260
261	261	(G) Collect, sell, or share a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of the State; or
262	262
263	263	(H) Comply with any federal or state law protecting medical or health information.
264	264
265	265	(g) Personal information described in subsection (f) shall only be used for the purposes described in subsection (f) and shall not be used or disclosed for any other purpose, including but not limited to marketing purposes.
266	266
267	267	(h) Beginning January 1, 2025, and every three years thereafter, a data broker shall undergo an audit by an independent third party to determine compliance with this section. The data broker shall submit a report resulting from the audit and any related materials to the office within five business days of a written request from the office. A data broker shall maintain the report and materials for at least six years following completion of the audit.
268	268
269	269	(i) A data broker required to register under this chapter that fails to comply with the requirements of this section shall be liable for administrative fines and costs in an administrative action brought by the office as follows:
270	270
271	271	(1) An administrative fine as determined by the office for each deletion request for each day the data broker fails to delete information pursuant to this section; and
272	272
273	273	(2) Reasonable expenses incurred by the office in the investigation and administration of the action.
274	274
275	275	(j) Any penalties, fines, fees, and expenses received pursuant to subsection (i) shall be deposited in the data brokers' registry special fund.
276	276
277	277	§ -23 Data brokers' registry special fund. (a) There is established in the state treasury the data brokers' registry special fund, into which shall be deposited:
278	278
279	279	(1) Registration fees collected pursuant to section ‑21(a)(2);
280	280
281	281	(2) Any penalties, fines, fees, and expenses received pursuant to sections -21(d) and -22(j);
282	282
283	283	(3) Appropriations made by the legislature for deposit into the special fund;
284	284
285	285	(4) Any grant or donation made to the special fund; and
286	286
287	287	(5) Any interest earned on the balance of the special fund.
288	288
289	289	(b) Moneys in the special fund shall be expended for:
290	290
291	291	(1) The costs of establishing and maintaining the informational website described in section -21(b);
292	292
293	293	(2) The costs incurred by the state courts and the office in connection with enforcing this chapter; and
294	294
295	295	(3) The costs of establishing, maintaining, and providing access to the accessible deletion mechanism described in section -22(a).
296	296
297	297	§ -24 Rules. The office shall adopt rules pursuant to chapter 91 necessary to effectuate this chapter.
298	298
299	299	§ -25 Limitation of administrative action. No administrative action brought pursuant to this chapter alleging a violation of any of the provisions of this chapter shall commence more than five years after the date on which the violation occurred."
300	300
301	301	SECTION 2. This Act shall take effect upon its approval.
302	302
303	303
304	304
305	305	INTRODUCED BY: _____________________________
306	306
307	307	INTRODUCED BY:
308	308
309	309	_____________________________
310	310
311	311
312	312
313	313
314	314
315	315	Report Title: Office of Consumer Protection; Consumers; Privacy; Data Brokers; Personal Information Description: Establishes provisions allowing for consumers to request data brokers that maintain their personal information to delete any personal information related to the consumer. The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.
316	316
317	317
318	318
319	319
320	320
321	321
322	322
323	323
324	324
325	325	Report Title:
326	326
327	327	Office of Consumer Protection; Consumers; Privacy; Data Brokers; Personal Information
328	328
329	329
330	330
331	331	Description:
332	332
333	333	Establishes provisions allowing for consumers to request data brokers that maintain their personal information to delete any personal information related to the consumer.
334	334
335	335
336	336
337	337
338	338
339	339
340	340
341	341	The summary description of legislation appearing on this page is for informational purposes only and is not legislation or evidence of legislative intent.