MD
Maryland House Bill HB807

Maryland 2023 Regular Session

Maryland House Bill HB807 Compare Versions

Only one version of the bill is available at this time.
OldNewDifferences
11
22
33 EXPLANATION: CAPITALS INDICATE MAT TER ADDED TO EXISTIN G LAW.
44 [Brackets] indicate matter deleted from existing law.
55 *hb0807*
66
77 HOUSE BILL 807
88 I3 3lr1109
99 CF SB 698
1010 By: Delegate Love
1111 Introduced and read first time: February 8, 2023
1212 Assigned to: Economic Matters
1313
1414 A BILL ENTITLED
1515
1616 AN ACT concerning 1
1717
1818 Consumer Protection – Online and Biometric Data Privacy 2
1919
2020 FOR the purpose of regulating the manner in which a controller or a processor in possession 3
2121 of a consumer’s personal data may process the consumer’s personal data; authorizing 4
2222 a consumer to exercise certain rights in regards to the consumer’s personal data; 5
2323 requiring a controller of personal data to establish a method for a consumer to 6
2424 exercise certain rights in regards to the consumer’s personal data; requiring a 7
2525 controller to comply with a request by a consumer to exercise a certain right in a 8
2626 certain manner, except under certain circumstances; authorizing a consumer to 9
2727 designate an authorized agent to act on the consumer’s behalf to opt out of the 10
2828 processing of the consumer’s personal data; requiring a controller to provide a 11
2929 consumer with a certain privacy notice; requiring a controller that uses a processor 12
3030 to process the personal data of consumers to enter into a contract with the processor 13
3131 that governs the processor’s data processing procedures; requiring a controller to 14
3232 conduct and document a data protection assessment for consumer data processing 15
3333 activities that present a heightened risk of harm to a consumer; regulating the use 16
3434 of biometric data, including requiring controllers in possession of biometric data to 17
3535 develop a policy, made available to the public, establishing a retention schedule and 18
3636 destruction guidelines for biometric data; authorizing an individual alleging a 19
3737 violation of this Act to bring a civil action against the offending controller under 20
3838 certain circumstances; making a violation of this Act an unfair, abusive, or deceptive 21
3939 trade practice that is subject to enforcement and penalties under the Maryland 22
4040 Consumer Protection Act; establishing the Task Force to Study Online Data Privacy; 23
4141 and generally relating to online and biometric data privacy. 24
4242
4343 BY repealing and reenacting, with amendments, 25
4444 Article – Commercial Law 26
4545 Section 13–301(14)(xxxv) and 13–408 27
4646 Annotated Code of Maryland 28
4747 (2013 Replacement Volume and 2022 Supplement) 29
4848 2 HOUSE BILL 807
4949
5050
5151 BY repealing and reenacting, without amendments, 1
5252 Article – Commercial Law 2
5353 Section 13–301(14)(xxxvi) 3
5454 Annotated Code of Maryland 4
5555 (2013 Replacement Volume and 2022 Supplement) 5
5656
5757 BY adding to 6
5858 Article – Commercial Law 7
5959 Section 13–301(xxxvii); and 14–4501 through 14–4512 to be under the new subtitle 8
6060 “Subtitle 45. Online and Biometric Data Privacy Act” 9
6161 Annotated Code of Maryland 10
6262 (2013 Replacement Volume and 2022 Supplement) 11
6363
6464 SECTION 1. BE IT ENACTED BY THE GENERAL ASSE MBLY OF MARYLAND, 12
6565 That the Laws of Maryland read as follows: 13
6666
6767 Article – Commercial Law 14
6868
6969 13–301. 15
7070
7171 Unfair, abusive, or deceptive trade practices include any: 16
7272
7373 (14) Violation of a provision of: 17
7474
7575 (xxxv) Section 11–210 of the Education Article; [or] 18
7676
7777 (xxxvi) Title 14, Subtitle 44 of this article; or 19
7878
7979 (XXXVII) TITLE 14, SUBTITLE 45 OF THIS ARTICLE; OR 20
8080
8181 13–408. 21
8282
8383 (a) In addition to any action by the Division or Attorney General authorized by 22
8484 this title and any other action otherwise authorized by law, any person may bring an action 23
8585 to recover for injury or loss sustained by [him] THE PERSON as the result of a practice 24
8686 prohibited by this title. 25
8787
8888 (b) Any person who brings an action to recover for injury or loss under this section 26
8989 and who is awarded damages may also seek, and the court may award, reasonable 27
9090 attorney’s fees. 28
9191
9292 (c) If it appears to the satisfaction of the court, at any time, that an action is 29
9393 brought in bad faith or is of a frivolous nature, the court may order the offending party to 30
9494 pay to the other party reasonable attorney’s fees. 31
9595 HOUSE BILL 807 3
9696
9797
9898 (d) Notwithstanding any other provision of this section, a person may not bring 1
9999 an action under this section to recover for injuries sustained as a result of the professional 2
100100 services provided by a health care provider, as defined in § 3–2A–01 of the Courts Article. 3
101101
102102 SUBTITLE 45. ONLINE AND BIOMETRIC DATA PRIVACY ACT. 4
103103
104104 14–4501. 5
105105
106106 (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 6
107107 INDICATED. 7
108108
109109 (B) “AFFILIATE” MEANS A PERSON THAT: 8
110110
111111 (1) SHARES COMMON BRANDIN G WITH ANOTHER PERSON; OR 9
112112
113113 (2) CONTROLS, IS CONTROLLED BY , OR IS UNDER COMMON C ONTROL 10
114114 WITH ANOTHER PERSON. 11
115115
116116 (C) “AUTHENTICATE ” MEANS TO USE REASONA BLE MEANS TO DETERMI NE 12
117117 THAT A REQUEST TO EX ERCISE A CONSUMER RIGHT IN ACCORDANCE WITH § 13
118118 14–4504 OF THIS SUBTITLE IS BEING MADE BY , OR ON BEHALF OF , AN INDIVIDUAL 14
119119 WHO IS ENTITLED TO E XERCISE THE CONSUMER RIGHT . 15
120120
121121 (D) (1) “BIOMETRIC DATA ” MEANS DATA GENERATED BY AUTOMATIC 16
122122 MEASUREMENTS OF THE BIOLOGICAL CHARA CTERISTICS OF A CONSUMER THAT ARE 17
123123 USED TO IDENTIFY A S PECIFIC CONSUMER . 18
124124
125125 (2) “BIOMETRIC DATA ” INCLUDES: 19
126126
127127 (I) A FINGERPRINT ; 20
128128
129129 (II) A VOICE PRINT; 21
130130
131131 (III) EYE RETINAS OR IRISES; 22
132132
133133 (IV) BIOMETRIC SCANS CREAT ED FROM PHYSICAL OR DIGITAL 23
134134 PHOTOGRAPHS ; AND 24
135135
136136 (V) ANY OTHER UNIQUE BIOLOGICAL PA TTERNS OR 25
137137 CHARACTERISTICS . 26
138138
139139 (3) “BIOMETRIC DATA ” DOES NOT INCLUDE : 27
140140
141141 (I) A PHYSICAL OR DIGITAL PHOTOGRAPH ; 28 4 HOUSE BILL 807
142142
143143
144144
145145 (II) A VIDEO OR AN AUDIO RECORDING; OR 1
146146
147147 (III) INFORMATION COLLECTED , USED, OR STORED FOR HEALTH 2
148148 CARE TREATMENT , PAYMENT, OR OPERATIONS UNDER THE FEDERAL HEALTH 3
149149 INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 4
150150
151151 (E) “BUSINESS ASSOCIATE ” HAS THE MEANING STATED I N THE FEDERAL 5
152152 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 6
153153
154154 (F) “CHILD” HAS THE MEANING STATED IN THE FEDERAL CHILDREN’S 7
155155 ONLINE PRIVACY PROTECTION ACT OF 1998. 8
156156
157157 (G) “CONFIDENTIAL DATA” MEANS INFORMATION THAT CAN BE USED TO 9
158158 UNIQUELY IDENTIFY A CONSUMER OR A CONS UMER’S ACCOUNT OR PROPERTY , 10
159159 INCLUDING: 11
160160
161161 (1) A GENETIC MARKER ; 12
162162
163163 (2) GENETIC TESTING INFOR MATION; 13
164164
165165 (3) A UNIQUE IDENTIFIER NU MBER TO LOCATE AN AC COUNT OR 14
166166 PROPERTY; 15
167167
168168 (4) AN ACCOUNT NUMBER ; 16
169169
170170 (5) A PERSONAL IDENTIFICAT ION NUMBER; 17
171171
172172 (6) A PASSCODE; 18
173173
174174 (7) A DRIVER’S LICENSE NUMBER ; AND 19
175175
176176 (8) A SOCIAL SECURITY NUMB ER. 20
177177
178178 (H) (1) “CONSENT” MEANS A SPECIFIC, DISCRETE, FREELY GIVEN , 21
179179 UNAMBIGUOUS , AND INFORMED AGREEME NT GIVEN BY A CONSUM ER WHO IS NOT 22
180180 UNDER ANY DURESS OR UNDUE INFLUENCE FROM A CONTROLLER OR PROC ESSOR 23
181181 TO ALLOW THE PROCESS ING OF THE CONSUMER ’S PERSONAL DATA FOR A 24
182182 PARTICULAR PURPOSE . 25
183183
184184 (2) “CONSENT” INCLUDES: 26
185185
186186 (I) A WRITTEN STATEMENT ; 27 HOUSE BILL 807 5
187187
188188
189189
190190 (II) A WRITTEN STATEMENT BY ELECTRONIC MEANS ; 1
191191
192192 (III) IN THE CONTEXT OF EMP LOYMENT, A RELEASE EXECUTED 2
193193 BY AN EMPLOYEE AS A CONDITION OF EMPLOYM ENT; AND 3
194194
195195 (IV) ANY OTHER UNAMBIGUOUS AF FIRMATIVE ACTION . 4
196196
197197 (3) “CONSENT” DOES NOT INCLUDE : 5
198198
199199 (I) ACCEPTANCE OF A GENER AL OR BROAD TERMS OF USE OR 6
200200 SIMILAR DOCUMENT THA T CONTAINS DESCRIPTI ONS OF PERSONAL DATA 7
201201 PROCESSING ALONG WIT H OTHER UNRELATED INFORMATIO N; 8
202202
203203 (II) HOVERING OVER , MUTING, PAUSING, OR CLOSING A PIECE 9
204204 OF CONTENT; OR 10
205205
206206 (III) AGREEMENT OBTAINED TH ROUGH THE USE OF DAR K 11
207207 PATTERNS. 12
208208
209209 (I) “CONTROL” MEANS: 13
210210
211211 (1) OWNERSHIP OF , OR THE POWER TO VOTE , MORE THAN 50% OF 14
212212 THE OUTSTANDING SHAR ES OF ANY CLASS OF V OTING SECURITY OF A COMPAN Y; 15
213213
214214 (2) CONTROL IN ANY MANNER OVER THE ELECTION OF A MAJORITY 16
215215 OF THE DIRECTORS OF A COMPANY OR OF INDIVIDUALS EX ERCISING A SIMILAR 17
216216 FUNCTION; OR 18
217217
218218 (3) THE POWER TO EXERCISE CONTROLLING INFLUENC E OVER THE 19
219219 MANAGEMENT OF A COMP ANY. 20
220220
221221 (J) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE 21
222222 STATE. 22
223223
224224 (2) “CONSUMER” DOES NOT INCLUDE AN INDIVIDUAL ACTING : 23
225225
226226 (I) IN A COMMERCIAL OR EMPLOY MENT CONTEXT ; OR 24
227227
228228 (II) AS AN EMPLOYEE , AN OWNER, A DIRECTOR, AN OFFICER, OR 25
229229 A CONTRACTOR OF A COMP ANY, A PARTNERSHIP , A SOLE PROPRIETORSHIP , A 26
230230 NONPROFIT ORGANIZATION , OR ANY GOVERNMENT AGENCY WH OSE 27
231231 COMMUNICATIONS OR TR ANSACTIONS WITH A CONTROLLER OCCUR ONLY WITHIN 28 6 HOUSE BILL 807
232232
233233
234234 THE CONTEXT OF TH E INDIVIDUAL’S ROLE WITH THE COMP ANY, PARTNERSHIP , 1
235235 SOLE PROPRIETORSHIP , NONPROFIT ORGANIZATION , OR GOVERNMENT AGENCY . 2
236236
237237 (K) “CONTROLLER ” MEANS A PERSON THAT , ALONE OR JOINTLY WIT H 3
238238 OTHERS, DETERMINES THE PURPO SE AND MEANS OF PROC ESSING PERSONAL DATA . 4
239239
240240 (L) “COVERED ENTITY ” HAS THE MEANING STATED IN THE FEDERAL 5
241241 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 6
242242
243243 (M) (1) “DARK PATTERN ” MEANS A USER INTERFA CE DESIGNED TO 7
244244 SUBVERT OR IMPAIR , OR MANIPULATE WITH T HE SUBSTANTIAL EFFEC T OF 8
245245 SUBVERTING OR IMPAIR ING, USER AUTONOMY , DECISION MAKING, OR CHOICE. 9
246246
247247 (2) “DARK PATTERN ” INCLUDES ANY PRACTICE THE FEDERAL 10
248248 TRADE COMMISSION REFERS TO AS A “DARK PATTERN ”. 11
249249
250250 (N) “DECISIONS THAT PRODUC E LEGAL OR SIMILARLY SIGNIFICANT 12
251251 EFFECTS CONCERNING THE CONSUMER ” MEANS DECISIONS MADE BY A 13
252252 CONTROLLER THAT RESU LT IN THE PROVISION OR DENIAL BY THE CON TROLLER OF: 14
253253
254254 (1) FINANCIAL OR LENDING SERVICES; 15
255255
256256 (2) HOUSING; 16
257257
258258 (3) INSURANCE; 17
259259
260260 (4) EDUCATION ENROLLMENT OR OPPORTUNITY ; 18
261261
262262 (5) CRIMINAL JUSTICE ; 19
263263
264264 (6) EMPLOYMENT OPPORTUNIT IES; 20
265265
266266 (7) HEALTH CARE SERVICES ; OR 21
267267
268268 (8) ACCESS TO ESSENTIAL G OODS OR SERVICES . 22
269269
270270 (O) “DE–IDENTIFIED DATA ” MEANS DATA THAT CANN OT REASONABLY BE 23
271271 USED TO INFER INFORM ATION ABOUT, OR OTHERWISE BE LINK ED TO: 24
272272
273273 (1) AN IDENTIFIED OR IDEN TIFIABLE INDIVIDUAL; OR 25
274274
275275 (2) A DEVICE LINKED TO AN IDENTIFIED OR IDE NTIFIABLE 26
276276 INDIVIDUAL. 27 HOUSE BILL 807 7
277277
278278
279279
280280 (P) “IDENTIFIED OR IDENTIF IABLE INDIVIDUAL ” MEANS A CONSUMER WHO 1
281281 CAN READILY BE IDENTIFIED, EITHER DIRECTLY OR INDIRECT LY. 2
282282
283283 (Q) (1) “PERSONAL DATA ” MEANS ANY INFORMATIO N THAT IS LINKED OR 3
284284 CAN BE REASONABLY LINKED TO AN IDENTIFIED OR IDENTIFIABLE INDIVID UAL. 4
285285
286286 (2) “PERSONAL DATA ” DOES NOT INCLUDE : 5
287287
288288 (I) DE–IDENTIFIED DATA ; OR 6
289289
290290 (II) PUBLICLY AVAILABLE IN FORMATION. 7
291291
292292 (R) (1) “PRECISE GEOLOCATION D ATA” MEANS INFORMATION DE RIVED 8
293293 FROM TECHNOLOGY THAT CAN PRECISELY AND AC CURATELY IDENTIFY THE 9
294294 SPECIFIC LOCATION OF A CONSUMER WITHIN A RADIUS OF 1,750 FEET. 10
295295
296296 (2) “PRECISE GEOLOCATION D ATA” INCLUDES GLOBAL POSITIONING 11
297297 SYSTEM LEVEL LATITUD E AND LONGITUDE COOR DINATES OR OTHER SIMILAR 12
298298 MECHANIS MS. 13
299299
300300 (3) “PRECISE GEOLOCATION D ATA” DOES NOT INCLUDE : 14
301301
302302 (I) THE CONTENT OF COMMUN ICATIONS DATA GENERATED BY 15
303303 OR CONNECTED TO AN ADVANCED UTILITY MET ERING INFRASTRUCTURE SYSTEM; 16
304304 OR 17
305305
306306 (II) EQUIPMENT USED BY A UTILITY COMPANY. 18
307307
308308 (S) (1) “PROCESS” MEANS AN OPERATION P ERFORMED BY MANUAL O R 19
309309 AUTOMATED MEANS ON P ERSONAL DATA . 20
310310
311311 (2) “PROCESS” INCLUDES COLLECTING, USING, STORING, 21
312312 DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONA L DATA. 22
313313
314314 (T) “PROCESSOR” MEANS A PERSON THAT PROCESSES, STORES, OR 23
315315 OTHERWISE USES PERSONAL DATA ON BEH ALF OF A CONTROLLER . 24
316316
317317 (U) “PROFILING” MEANS AUTOMATED PROC ESSING PERFORMED ON 25
318318 PERSONAL DATA TO EVA LUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS 26
319319 RELATED TO AN IDENTI FIED OR IDENTIFIABLE INDIVIDUAL’S ECONOMIC SITUATION , 27
320320 HEALTH, PERSONAL PREFERENCES , INTERESTS, RELIABILITY, BEHAVIOR, 28
321321 LOCATION, OR MOVEMENTS . 29 8 HOUSE BILL 807
322322
323323
324324
325325 (V) “PROTECTED HEALTH INFO RMATION” HAS THE MEANING STATED IN 1
326326 THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 2
327327 1996. 3
328328
329329 (W) “PUBLICLY AVAILABLE IN FORMATION” MEANS INFORMATION TH AT: 4
330330
331331 (1) IS LAWFULLY MADE AVAI LABLE THROUGH : 5
332332
333333 (I) FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS ; OR 6
334334
335335 (II) WIDELY DISTRIBUTED ME DIA; AND 7
336336
337337 (2) A CONTROLLER HAS A REA SONABLE BASIS TO BEL IEVE A 8
338338 CONSUMER HAS LAWFULL Y MADE AVAILABLE TO THE GENERAL PUBLIC . 9
339339
340340 (X) (1) “SALE OF PERSONAL DATA ” MEANS THE EXCHANGE O F PERSONAL 10
341341 DATA BY A CONTROLLER TO A THIRD PARTY FOR MONETARY OR OTHE R VALUABLE 11
342342 CONSIDERATION . 12
343343
344344 (2) “SALE OF PERSONAL DATA ” DOES NOT INCLUDE : 13
345345
346346 (I) THE DISCLOSURE OF P ERSONAL DATA TO A PR OCESSOR 14
347347 THAT PROCESSES PERSO NAL DATA ON BEHALF O F A CONTROLLER ; 15
348348
349349 (II) THE DISCLOSURE OF P ERSONAL DATA TO A THIRD PARTY 16
350350 FOR PURPOSES OF PROV IDING A PRODUCT OR S ERVICE REQUESTED BY THE 17
351351 CONSUMER ; 18
352352
353353 (III) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO AN 19
354354 AFFILIATE OF THE CON TROLLER; 20
355355
356356 (IV) THE DISCLOSURE OF PER SONAL DATA WHERE THE 21
357357 CONSUMER : 22
358358
359359 1. DIRECTS THE CONTROLLE R TO DISCLOSE THE 23
360360 PERSONAL DATA ; OR 24
361361
362362 2. INTENTIONALLY USES TH E CONTROLLER TO 25
363363 INTERACT WITH A THIR D PARTY; 26
364364
365365 (V) THE DISCLOSURE OF PER SONAL DATA THAT THE 27
366366 CONSUMER : 28 HOUSE BILL 807 9
367367
368368
369369
370370 1. INTENTIONALLY MADE AV AILABLE TO THE GENER AL 1
371371 PUBLIC THROUGH A CHANNEL OF MASS ME DIA; AND 2
372372
373373 2. DID NOT RESTRICT TO A SPECIFIC AUDIENCE ; OR 3
374374
375375 (VI) THE DISCLOSURE OR TRA NSFER OF PERSONAL DA TA TO A 4
376376 THIRD PARTY AS AN AS SET THAT IS PART OF AN ACTUAL OR PROPOSED MERGER, 5
377377 ACQUISITION, BANKRUPTCY , OR OTHER TRANSACTION WHERE THE THIRD PARTY 6
378378 ASSUMES CONTROL OF A LL OR PART OF THE CO NTROLLER’S ASSETS. 7
379379
380380 (Y) “SENSITIVE DATA ” MEANS PERSONAL DATA OF A CONSUMER , THAT 8
381381 INCLUDES: 9
382382
383383 (1) DATA REVEALING : 10
384384
385385 (I) RACIAL OR ETHNIC ORIG IN; 11
386386
387387 (II) RELIGIOUS BELIEFS ; 12
388388
389389 (III) MENTAL OR PHYSICAL HEALTH C ONDITION OR DIAGNOS ES; 13
390390
391391 (IV) SEX LIFE; 14
392392
393393 (V) SEXUAL ORIENTATION ; OR 15
394394
395395 (VI) CITIZENSHIP OR IMMIGR ATION STATUS; 16
396396
397397 (2) GENETIC OR BIOMETRIC DATA FO R THE PURPOSE OF UNI QUELY 17
398398 IDENTIFYING A CONSUMER ; 18
399399
400400 (3) PERSONAL DATA COLLECT ED FROM A KNOWN CHILD ; OR 19
401401
402402 (4) PRECISE GEOLOCATION D ATA. 20
403403
404404 (Z) (1) “TARGETED ADVERTISING ” MEANS DISPLAYING 21
405405 ADVERTISEMENTS TO A CONSUMER WHERE THE A DVERTISEMENT IS SELE CTED 22
406406 BASED ON PERSONAL DA TA OBTAINED OR INFER RED FROM THE CONSUMER ’S 23
407407 ACTIVITIES OVER TIME AND ACROSS NONAFFILI ATED WEBSITES OR ONL INE 24
408408 APPLICATIONS IN ORDER TO PREDICT THE CONSUMER ’S PREFERENCES OR 25
409409 INTERESTS. 26
410410
411411 (2) “TARGETED ADVERTISING ” DOES NOT INCLUDE : 27 10 HOUSE BILL 807
412412
413413
414414
415415 (I) ADVERTISEMENTS BASED ON ACTIVITIES WITHIN A 1
416416 CONTROLLER ’S OWN WEBSITES OR ONLIN E APPLICATIONS ; 2
417417
418418 (II) ADVERTISEMENTS BASED ON THE CONTEXT OF A 3
419419 CONSUMER ’S SEARCH QUERY OR VISIT TO A WEBSITE OR ONLINE APPLICATIO N; 4
420420
421421 (III) ADVERTISEMENTS DIRECT ED TO A CONSUMER IN 5
422422 RESPONSE TO THE CONS UMER’S REQUEST FOR INFORM ATION OR FEEDBACK ; OR 6
423423
424424 (IV) PROCESSING PERSONAL D ATA SOLELY TO MEASUR E OR 7
425425 REPORT ADVERTISING F REQUENCY, PERFORMANCE , OR REACH. 8
426426
427427 (AA) “THIRD PARTY” MEANS A PERSON OTHER THAN A CONSUMER , A 9
428428 CONTROLLER , A PROCESSOR, OR AN AFFILIATE OF T HE CONTROLLER OR 10
429429 PROCESSOR. 11
430430
431431 (BB) (1) “TRADE SECRET” MEANS INFORMATION TH AT: 12
432432
433433 (I) DERIVES INDEPENDENT ECONOMIC VALUE, ACTUAL OR 13
434434 POTENTIAL, FROM NOT BEING GENER ALLY KNOWN TO , AND NOT BEING READIL Y 14
435435 ASCERTAINABLE BY PRO PER MEANS BY, OTHER PERSONS WHO COULD OBTAIN 15
436436 ECONOMIC VALUE FROM THE INFORMATION ’S DISCLOSURE OR USE ; AND 16
437437
438438 (II) IS THE SUBJECT OF EFF ORTS THAT ARE REASON ABLE 17
439439 UNDER THE CIRCUMSTAN CES TO MAINTAIN THE SECRECY OF THE INFORMATION . 18
440440
441441 (2) “TRADE SECRET ” INCLUDES A FORMULA , PATTERN, 19
442442 COMPILATION , PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS. 20
443443
444444 14–4502. 21
445445
446446 THIS SUBTITLE APPLIES TO A PERSON THAT : 22
447447
448448 (1) CONDUCTS BUSINESS IN THE STATE; OR 23
449449
450450 (2) (I) PRODUCES SERVICES OR PRODUCTS THAT ARE TARGETED 24
451451 TO RESIDENTS OF THE STATE; AND 25
452452
453453 (II) DURING THE IMMEDIATELY PRECEDING CALENDAR Y EAR: 26
454454
455455 1. CONTROLLED OR PROCESS ED THE PERSONAL DATA 27
456456 OF AT LEAST 100,000 CONSUMERS ; OR 28 HOUSE BILL 807 11
457457
458458
459459
460460 2. CONTROLLED OR PROCESS ED THE PERSONAL DATA 1
461461 OF AT LEAST 25,000 CONSUMERS AND DERIVE D MORE THAN 25% OF ITS GROSS 2
462462 REVENUE FROM TH E SALE OF PERSONAL D ATA. 3
463463
464464 14–4503. 4
465465
466466 (A) THIS SUBTITLE DOES NO T APPLY TO: 5
467467
468468 (1) A POLITICAL SUBDIVISIO N OR A UNIT OF A POLIT ICAL 6
469469 SUBDIVISION OF THE STATE; 7
470470
471471 (2) A STATE COURT , CLERK OF THE COURT , JUDGE, OR 8
472472 COMMISSIONER ; 9
473473
474474 (3) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED 10
475475 UNDER 15 U.S.C. § 78O–3 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934; 11
476476
477477 (4) A COVERED ENTITY OR BU SINESS ASSOCIATE ; 12
478478
479479 (5) A PERSON THAT CONTROLS OR PROCESSES PERSONA L DATA 13
480480 SOLELY FOR THE PURPO SE OF COMPLETING A P AYMENT TRANSACTION ; OR 14
481481
482482 (6) AN ENTITY, OR AN AFFILIATE OF A N ENTITY, SUBJECT TO AN D IN 15
483483 COMPLIANCE WITH THE FEDERAL GRAMM–LEACH–BLILEY ACT. 16
484484
485485 (B) THE FOLLOWING INFORMA TION AND DATA IS EXE MPT FROM THIS 17
486486 SUBTITLE: 18
487487
488488 (1) PROTECTED HEALTH INFO RMATION UNDER THE FEDERAL 19
489489 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996; 20
490490
491491 (2) PATIENT–IDENTIFYING INFORMAT ION FOR PURPOSES OF 42 21
492492 U.S.C. § 290DD–2; 22
493493
494494 (3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR 23
495495 PURPOSES OF THE FEDE RAL POLICY FOR THE P ROTECTION OF HUMAN SUBJECTS 24
496496 UNDER 45 C.F.R. 46; 25
497497
498498 (4) IDENTIFIABLE PRIVATE INFORMATION THAT IS OTHERWISE 26
499499 INFORMATION COLLECTE D AS PART OF HUMAN S UBJECTS RESEARCH IN 27
500500 ACCORDANCE WITH THE GOOD CLINICAL PR ACTICE GUIDELINES IS SUED BY THE 28 12 HOUSE BILL 807
501501
502502
503503 INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS 1
504504 FOR PHARMACEUTICALS FOR HUMAN USE; 2
505505
506506 (5) INFORMATION COLLECTED AS PART OF A CLINICA L TRIAL 3
507507 SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, 4
508508 ALSO KNOWN AS THE COMMON RULE, IN ACCORDANCE WITH G OOD CLINICAL 5
509509 PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR 6
510510 HARMONISATION OF TECHNICAL REQUIREMENTS FOR PHARMACEUTICALS FOR 7
511511 HUMAN USE OR IN ACCORDANCE WIT H THE HUMAN SUBJECT PROTECTION 8
512512 REQUIREMENTS OF THE U.S. FOOD AND DRUG ADMINISTRATION ; 9
513513
514514 (6) INFORMATION AND DOCUM ENTS CREATED FOR PUR POSES OF THE 10
515515 FEDERAL HEALTH CARE QUALITY IMPROVEMENT ACT OF 1986; 11
516516
517517 (7) PATIENT SAFETY WORK P RODUCT FOR PURPOSES OF THE 12
518518 FEDERAL PATIENT SAFETY AND QUALITY IMPROVEMENT ACT OF 2005; 13
519519
520520 (8) INFORMATION DERIVED F ROM AN Y OF THE HEALTH CARE 14
521521 RELATED INFORMATION LISTED IN THIS SUBSE CTION THAT IS DE –IDENTIFIED IN 15
522522 ACCORDANCE WITH THE REQUIREMENTS FOR DE –IDENTIFICATION IN ACCORDANCE 16
523523 WITH THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 17
524524 OF 1996; 18
525525
526526 (9) INFORMATIO N ORIGINATING FROM A ND INTERMINGLED TO B E 19
527527 INDISTINGUISHABLE FROM, OR INFORMATION TREAT ED IN THE SAME MANNE R AS, 20
528528 INFORMATION EXEMPT U NDER THIS SUBSECTION THAT IS MAINTAINED B Y A 21
529529 COVERED ENTITY OR BU SINESS ASSOCIATE , PROGRAM, OR QUALIFIED SERVICE 22
530530 ORGANIZATION , AS SPECIFIED IN 42 U.S.C. § 290DD–2; 23
531531
532532 (10) INFORMATION USED FOR PUBLIC HEALTH ACTIVI TIES AND 24
533533 PURPOSES AS AUTHORIZ ED BY THE FEDERAL HEALTH INSURANCE PORTABILITY 25
534534 AND ACCOUNTABILITY ACT OF 1996, COMMUNITY HEALTH ACT IVITIES, AND 26
535535 POPULATION HEALTH AC TIVITIES; 27
536536
537537 (11) THE COLLECTION , MAINTENANCE , DISCLOSURE, SALE, 28
538538 COMMUNICATION , OR USE OF PERSONAL I NFORMATION BEARING O N A CONSUMER ’S 29
539539 CREDITWORTHINESS , CREDIT STANDING , CREDIT CAPACITY , CHARACTER , GENERAL 30
540540 REPUTATION, PERSONAL CHARACTERISTICS , OR MODE OF LIVING TO OR FROM A 31
541541 CONSUMER REPORTING A GENCY IF USE OF THE INFORMATI ON IS LIMITED BY AND 32
542542 AUTHORIZED UNDER THE FEDERAL FAIR CREDIT REPORTING ACT; 33
543543
544544 (12) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED 34
545545 IN COMPLIANCE WITH THE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994; 35 HOUSE BILL 807 13
546546
547547
548548
549549 (13) PERSONAL DATA REGULAT ED BY THE FEDERAL FAMILY 1
550550 EDUCATIONAL RIGHTS AND PRIVACY ACT; 2
551551
552552 (14) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED 3
553553 IN COMPLIANCE WITH T HE FEDERAL FARM CREDIT ACT; 4
554554
555555 (15) DATA PROCESSED OR MAI NTAINED: 5
556556
557557 (I) IN THE COURSE OF AN I NDIVIDUAL APPLYING T O, 6
558558 EMPLOYED BY , OR ACTING AS AN AGEN T OR INDEPENDENT CON TRACTOR OF A 7
559559 CONTROLLER , PROCESSOR, OR THIRD PARTY, TO THE EXTENT THAT T HE DATA IS 8
560560 COLLECTED AND USED W ITHIN THE CONTEXT OF THE ROLE; 9
561561
562562 (II) AS THE EMERGENCY CONT ACT INFORMATION OF A 10
563563 CONSUMER USED FOR EMERGENCY C ONTACT PURPOSES ; OR 11
564564
565565 (III) THAT IS NECESSARY TO RETAIN TO ADMINISTER BENEFITS 12
566566 FOR ANOTHER INDIVIDU AL RELATING TO THE CONSUMER WHO IS THE SUBJECT O F 13
567567 THE INFORMATION UNDE R ITEM (I) OF THIS ITEM AND USED FOR THE PUR POSES OF 14
568568 ADMINISTERING THE BENEFITS; AND 15
569569
570570 (16) PERSONAL DATA COLLECT ED, PROCESSED, SOLD, OR DISCLOSED 16
571571 IN RELATION TO PRICE , ROUTE, OR SERVICE BY AN AIR CARRIER SU BJECT TO THE 17
572572 FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THIS SUBTITLE IS 18
573573 PREEMPTED BY THE FEDERAL AIRLINE DEREGULATION ACT. 19
574574
575575 14–4504. 20
576576
577577 (A) A CONSUMER MAY EXERCISE THE FOL LOWING RIGHTS IN REL ATION TO 21
578578 THE CONSUMER ’S PERSONAL DATA : 22
579579
580580 (1) CONFIRM WHETHER A CONTROLLER IS PROCES SING THE 23
581581 CONSUMER ’S PERSONAL DATA ; 24
582582
583583 (2) IF A CONTROLLER IS PR OCESSING A CONSUMER ’S PERSONAL 25
584584 DATA, ACCESS THE PERSONAL DATA ; 26
585585
586586 (3) CORRECT INACCURACIES IN THE CONSUMER ’S PERSONAL DATA ; 27
587587
588588 (4) DELETE PERSONAL DATA PROVIDED BY , OR OBTAINED ABOUT , 28
589589 THE CONSUMER ; 29
590590 14 HOUSE BILL 807
591591
592592
593593 (5) IF THE PROCESSING OF PERSONAL DATA IS DON E BY AUTOMATIC 1
594594 MEANS, OBTAIN A COPY OF THE CONSUM ER’S PERSONAL DATA PROC ESSED BY THE 2
595595 CONTROLLER IN A PORT ABLE AND, TO THE EXTENT TECHNI CALLY FEASIBLE , 3
596596 READILY USABLE FORMA T THAT ALLOWS THE CONSUMER TO EASILY TRANSMIT THE 4
597597 DATA TO ANOTHER CONT ROLLER; AND 5
598598
599599 (6) OPT OUT OF THE PROCES SING OF PERSONAL DAT A FOR PURPOSES 6
600600 OF: 7
601601
602602 (I) TARGETED ADVERTISING ; 8
603603
604604 (II) EXCEPT AS PROVIDED IN § 14–4507(D) OF THIS SUBTITLE , 9
605605 THE SALE OF PERSONAL DATA; OR 10
606606
607607 (III) PROFILING IN FURTHERA NCE OF SOLELY AUTOMA TED 11
608608 DECISIONS THAT PRODU CE LEGAL OR SIMILARL Y SIGNIFICANT EFFECT S 12
609609 CONCERNING THE CONSU MER. 13
610610
611611 (B) A CONTROLLER SHALL EST ABLISH A SECURE AND RELIABLE METHOD 14
612612 FOR A CONSUMER TO EX ERCISE A CONSUMER RI GHT UNDER THIS SECTION. 15
613613
614614 (C) (1) EXCEPT AS OTHERWISE P ROVIDED IN THIS SUBTITLE , A 16
615615 CONTROLLER SHALL COM PLY WITH A REQUEST B Y A CONSUMER TO EXER CISE A 17
616616 CONSUMER RIGHT LISTED IN THIS SECTI ON. 18
617617
618618 (2) (I) A CONTROLLER SHALL RES POND TO A CONSUMER REQUEST 19
619619 NOT LATER THAN 45 DAYS AFTER THE CONTROLLER RECEI VES THE CONSUMER 20
620620 REQUEST. 21
621621
622622 (II) A CONTROLLER MAY EXTEN D THE RESPONSE PERIO D BY AN 22
623623 ADDITIONAL 45 DAYS IF: 23
624624
625625 1. IT IS NECESSARY TO COMPLETE THE REQU EST BASED 24
626626 ON THE COMPLEXITY AND N UMBER OF THE CONSUME R’S REQUESTS; AND 25
627627
628628 2. THE CONTROLLER INFORM S THE CONSUMER OF THE 26
629629 EXTENSION AND THE REASON FOR T HE EXTENSION WITHIN THE INITIAL 45–DAY 27
630630 RESPONSE PERIOD . 28
631631
632632 (3) (I) IF A CONTROLLER DOES NOT TAKE ACTION REGARDIN G A 29
633633 CONSUMER ’S REQUEST, THE CONTROLLER SHALL : 30
634634 HOUSE BILL 807 15
635635
636636
637637 1. NOTIFY THE CONSUMER THAT THE CONTROLLER 1
638638 WILL NOT TAKE ACTION ON THE REQUEST ; AND 2
639639
640640 2. PROVIDE THE CONSUMER WITH: 3
641641
642642 A. THE JUSTIFICATION FOR DECLINING TO TAKE 4
643643 ACTION; AND 5
644644
645645 B. INSTRUCTIONS FOR HOW TO APPEAL THE DECISI ON. 6
646646
647647 (II) THE NOTIFICATION REQU IRED IN SUBPARAGRAPH (I) OF 7
648648 THIS PARAGRAPH SHALL BE: 8
649649
650650 1. SENT TO THE CONSUMER NOT LATER THAN 45 DAYS 9
651651 AFTER THE CONTROLLER RECEI VES THE CONSUMER ’S REQUEST; AND 10
652652
653653 2. IN WRITING. 11
654654
655655 (4) (I) EXCEPT AS PROVIDED IN THIS PARAGRAPH , A CONTROLLER 12
656656 SHALL PROVIDE A CONSUMER , FREE OF CHARGE , WITH THE INFORMATION THE 13
657657 CONSUMER REQUESTED . 14
658658
659659 (II) A CONTROLLER MAY NOT B E REQUIRED TO PROVID E A 15
660660 CONSUMER WITH THE INFORMATION REQUESTED MORE THAN TWICE DURING AN Y 16
661661 CONSECUTIVE 12–MONTH PERIOD . 17
662662
663663 (III) 1. IF REQUESTS FROM A CO NSUMER ARE UNFOUNDED , 18
664664 EXCESSIVE, OR REPETITIVE , A CONTROLLER MAY CHARG E THE CONSUMER A 19
665665 REASONABLE FEE TO CO VER THE ADMINISTRATI VE COSTS OF COMPLYIN G WITH THE 20
666666 REQUEST. 21
667667
668668 2. THE CONTROLLER HAS THE BURDEN OF 22
669669 DEMONSTRATING THE UNFOUNDED , EXCESSIVE, OR REPETITIVE NATURE OF THE 23
670670 REQUEST. 24
671671
672672 (5) (I) IF A CONTROLLER IS UN ABLE TO AUTHENTICATE A 25
673673 REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (A)(1) 26
674674 THROUGH (5) OF THIS SECTION USING COMMERCIALLY R EASONABLE EFFORTS , THE 27
675675 CONTROLLER MAY NOT BE REQUIRED TO C OMPLY WITH THE REQUEST. 28
676676
677677 (II) IF A CONTROLLER IS NO T ABLE TO AUTHENTICA TE A 29
678678 REQUEST USING COMMER CIALLY REASONABLE EF FORTS, THE CONTROLLER SHALL 30
679679 NOTIFY THE CONSUME R THAT THE CONTROLLE R IS UNABLE TO AUTHE NTICATE THE 31 16 HOUSE BILL 807
680680
681681
682682 REQUEST UNTIL THE CONSUMER PROVIDES AD DITIONAL INFORMATION 1
683683 REASONABLY NECESSARY TO AUTHENTICATE THE CONSUMER AND THE 2
684684 CONSUMER ’S REQUEST. 3
685685
686686 (6) (I) A CONTROLLER IS NOT REQUIRED TO AUTHENTI CATE AN 4
687687 OPT–OUT REQUEST UNDER SUBSECTION (A)(6) OF THIS SECTION. 5
688688
689689 (II) A CONTROLLER MAY DENY AN OPT–OUT REQUEST UNDER 6
690690 SUBSECTION (A)(6) OF THIS SECTION IF THE CONTROLLER HA S A GOOD FAITH , 7
691691 REASONABLE , AND DOCUMENTED BELIE F THAT THE REQUEST IS FRAUDULEN T. 8
692692
693693 (III) IF A CONTROLLER DENIES AN OPT–OUT REQUEST UNDER 9
694694 SUBSECTION (A)(6) OF THIS SECTION BECAUSE THE CONTROLL ER BELIEVES THE 10
695695 REQUEST IS FRAUDULEN T, THE CONTROLLER SHALL NOTIFY THE PERSON WHO 11
696696 MADE THE REQUEST: 12
697697
698698 1. THAT THE CONTROLLER BELIEVES THE REQUEST IS 13
699699 FRAUDULENT ; 14
700700
701701 2. WHY THE CONTROLLER BELIEVES THE REQUEST IS 15
702702 FRAUDULENT ; AND 16
703703
704704 3. THAT THE CONTROLLER WILL NOT COMPLY WITH THE 17
705705 REQUEST. 18
706706
707707 (7) A CONTROLLER THAT HAS OBTAINED PERSONAL DA TA ABOUT A 19
708708 CONSUMER FROM A SOUR CE OTHER THAN THE CO NSUMER IS IN COMPLIANCE WITH 20
709709 A CONSUMER ’S REQUEST TO DELETE THE DATA IN ACCORDANCE WITH SUBSECTION 21
710710 (A)(4) OF THIS SECTION BY: 22
711711
712712 (I) RETAINING A RECORD OF THE DELETION REQUEST AND TH E 23
713713 MINIMUM DATA NECESSA RY FOR THE PURPOSE O F ENSURING THE CONSU MER’S 24
714714 PERSONAL DATA : 25
715715
716716 1. REMAINS DELETED FROM THE CONTROLLER ’S 26
717717 RECORDS; AND 27
718718
719719 2. IS NOT BEING USED FOR ANY OTHER PURPOS E; OR 28
720720
721721 (II) OPTING THE CONSUMER O UT OF THE PROCESSING OF THE 29
722722 PERSONAL DATA FOR AN Y PURPOSE EXCEPT FOR THOSE EXEMPTED BY THIS 30
723723 SUBTITLE. 31
724724 HOUSE BILL 807 17
725725
726726
727727 (D) (1) A CONTROLLER SHALL EST ABLISH A PROCESS FOR A CONSUMER 1
728728 TO APPEAL A DECISION MADE UNDE R THIS SECTION. 2
729729
730730 (2) THE APPEAL PROCESS SHALL : 3
731731
732732 (I) BE CONSPICUOUSLY AVAILABL E TO A CONSUMER ; 4
733733
734734 (II) BE SIMILAR TO THE PROCES S FOR SUBMITTING REQ UESTS 5
735735 TO INITIATE ACTION IN ACCORDANCE WITH THIS SECTION; AND 6
736736
737737 (III) ENSURE THAT A CONSUME R CAN APPEAL A DECISIO N 7
738738 WITHIN A REASONABLE TIME AFTER THE CONSUM ER RECEIVES THE DECI SION. 8
739739
740740 (3) NOT LATER THAN 60 DAYS AFTER RECEIPT O F AN APPEAL , A 9
741741 CONTROLLER SHALL INF ORM THE CONSUMER IN WRITING OF ANY ACTIO N TAKEN OR 10
742742 NOT TAKEN IN RESPONS E TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF 11
743743 THE REASONS FOR THE DECISIO N. 12
744744
745745 (4) IF AN APPEAL IS DENIED , THE CONTROLLER SHALL PROVIDE THE 13
746746 CONSUMER WITH AN ONL INE MECHANISM , IF AVAILABLE, THROUGH WHICH THE 14
747747 CONSUMER MAY CONTACT THE DIVISION TO SUBMIT A COMPLAIN T. 15
748748
749749 (E) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO REQU IRE A 16
750750 CONTROLLER OR A PROCESSOR TO COMPLY WITH AN AUTHENTICATE D CONSUMER 17
751751 REQUEST IF THE CONTR OLLER: 18
752752
753753 (1) IS NOT REASONABLY CAP ABLE OF ASSOCIATING THE REQUEST 19
754754 WITH THE PERSONAL DA TA OR IT WOULD BE UN REASONABLY BURDENSOM E FOR THE 20
755755 CONTROLLER TO ASSOCIATE T HE REQUEST WITH THE PERSONAL DATA ; 21
756756
757757 (2) DOES NOT USE THE PERS ONAL DATA TO RECOGNI ZE OR RESPOND 22
758758 TO THE CONSUMER WHO IS THE SUBJECT OF TH E PERSONAL DATA OR A SSOCIATE 23
759759 THE PERSONAL DATA WI TH OTHER PERSONAL DA TA ABOUT THE CONSUME R; AND 24
760760
761761 (3) EXCEPT AS OTHERWISE A LLOWED IN THIS SECTI ON, DOES NOT 25
762762 SELL OR OTHERWISE VO LUNTARILY DISCLOSE T HE PERSONAL DATA TO A THIRD 26
763763 PARTY. 27
764764
765765 (F) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO REQUIRE A 28
766766 CONTROLLER TO REVEAL A TRADE SECRET . 29
767767
768768 14–4505. 30
769769 18 HOUSE BILL 807
770770
771771
772772 (A) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO PROH IBIT A 1
773773 CONTROLLER OR PROCES SOR FROM: 2
774774
775775 (1) COMPLYING WITH FEDERA L, STATE, OR LOCAL LAWS ; 3
776776
777777 (2) COMPLYING WITH A CIVI L, CRIMINAL, OR REGULATORY INQUIR Y, 4
778778 INVESTIGATION , SUBPOENA, OR SUMMONS BY A FEDE RAL, STATE, OR LOCAL 5
779779 AUTHORITY; 6
780780
781781 (3) COOPERATING WITH LAW ENFORCEMENT AGENCIES 7
782782 CONCERNING CONDUCT O R ACTIVITY THAT THE CONTROLLER OR PROCES SOR 8
783783 REASONABLY AND IN GO OD FAITH BELIEVES MA Y VIOLATE A FEDERAL , STATE, OR 9
784784 LOCAL LAW; 10
785785
786786 (4) INVESTIGATING , ESTABLISHING , EXERCISING, PREPARING FOR , 11
787787 OR DEFENDING A LEGAL CLAIM; 12
788788
789789 (5) PROVIDING A PRODUCT O R SERVICE SPECIFICAL LY REQUESTED 13
790790 BY A CONSUMER ; 14
791791
792792 (6) PERFORMING UNDER A CO NTRACT TO WHICH A CO NSUMER IS A 15
793793 PARTY, INCLUDING FULFILLING THE TERMS OF A WRITTEN WARRANT Y; 16
794794
795795 (7) TAKING STEPS AT THE R EQUEST OF A CONSUMER BEFORE 17
796796 ENTERING INTO A CONT RACT; 18
797797
798798 (8) TAKING IMMEDIATE STEP S TO PROTECT AN INTE REST THAT IS 19
799799 ESSENTIAL FOR THE LI FE OR PHYSICAL SAFET Y OF A CONSUMER OR A NOTHER 20
800800 INDIVIDUAL; 21
801801
802802 (9) PREVENTING, DETECTING, PROTECTING AGAINST , OR 22
803803 RESPONDING TO A SECU RITY INCIDENT, IDENTITY THEFT , FRAUD, HARASSMENT , 23
804804 MALICIOUS OR DECEPTI VE ACTIVITY, OR ANY ILLEGAL ACTIV ITY; 24
805805
806806 (10) PRESERVING THE INTEGR ITY OR SECURITY OF A SYSTEM, OR 25
807807 INVESTIGATING, REPORTING, OR PROSECUT ING A PERSON RESPONSIBLE FOR THE 26
808808 ACTION; 27
809809
810810 (11) ENGAGING IN PUBLIC OR PEER–REVIEWED SCIENTIFIC OR 28
811811 STATISTICAL RESEARCH IN THE PUBLIC INTERE ST THAT: 29
812812
813813 (I) ADHERES TO ALL OTHER APPLICABLE ETHICS AN D PRIVACY 30
814814 LAWS; AND 31 HOUSE BILL 807 19
815815
816816
817817
818818 (II) IS APPROVED , MONITORED , AND GOVERNED BY AN 1
819819 INSTITUTIONAL REVIEW BOARD, OR A SIMILAR INDEPEN DENT OVERSIGHT ENTIT Y, 2
820820 THAT DETERMINES WHET HER: 3
821821
822822 1. THE DELETION OF THE I NFORMATION IS LIKELY TO 4
823823 PROVIDE SUBSTANTIAL BENEFITS THAT DO NOT EXCLUSIVELY ACCRUE T O THE 5
824824 CONTROLLER ; 6
825825
826826 2. THE EXPECTED BENEFITS OF THE RESEARCH 7
827827 OUTWEIGH THE PRIVACY RISKS; AND 8
828828
829829 3. THE CONTROLLER HAS IM PLEMENTED REASONABLE 9
830830 SAFEGUARDS TO MITIGA TE PRIVACY RISKS ASS OCIATED WITH RESEARC H, 10
831831 INCLUDING ANY RISKS ASSOCIATED WITH RE –IDENTIFICATION ; 11
832832
833833 (12) ASSISTING ANOTHER CON TROLLER, PROCESSOR, OR 12
834834 THIRD PARTY WITH AN OBLIGA TION UNDER THIS SUBT ITLE; OR 13
835835
836836 (13) PROCESSING PERSONAL D ATA FOR REASONS OF P UBLIC 14
837837 INTEREST IN THE AREA OF PUBLIC HEALTH , COMMUNITY HEALTH , OR POPULATION 15
838838 HEALTH, IF THE PROCESSING IS : 16
839839
840840 (I) SUBJECT TO SUITABLE A ND SPECIFIC MEASURES TO 17
841841 SAFEGUARD THE RIGHTS OF A CONSUMER WHOSE PERSONAL DATA IS BEI NG 18
842842 PROCESSED; AND 19
843843
844844 (II) UNDER THE RESPONSIBIL ITY OF A PROFESSIONA L SUBJECT 20
845845 TO CONFIDENTIALITY O BLIGATIONS UNDER FED ERAL, STATE, OR LOCAL LAW. 21
846846
847847 (B) THE OBLIGATIONS IMPOS ED ON CONTROLLERS OR PROCESSORS UNDER 22
848848 THIS SUBTITLE MAY NO T RESTRICT A CONTROL LER’S OR PROCESSOR ’S ABILITY TO 23
849849 COLLECT, USE, OR RETAIN DATA FOR I NTERNAL USE TO : 24
850850
851851 (1) EFFECTUATE A PRODUCT RECALL; 25
852852
853853 (2) IDENTIFY AND REPAIR TECHNICAL ERRORS THA T IMPAIR 26
854854 EXISTING OR INTENDED FUNCTIONALITY ; OR 27
855855
856856 (3) PERFORM INTERNAL OPER ATIONS THAT ARE : 28
857857 20 HOUSE BILL 807
858858
859859
860860 (I) REASONABLY ALIGNED WI TH THE EXPECTATIONS OF THE 1
861861 CONSUMER OR REASONAB LY ANTICIPATED BASED ON THE CONSUMER ’S EXISTING 2
862862 RELATIONSHIP WITH T HE CONTROLLER ; OR 3
863863
864864 (II) OTHERWISE COMPATIBLE WITH PROCESSING DATA IN 4
865865 FURTHERANCE OF THE P ROVISION OF A PRODUC T OR SERVICE SPECIFI CALLY 5
866866 REQUESTED BY A CONSU MER OR THE PERFORMAN CE OF A CONTRACT TO WHICH THE 6
867867 CONSUMER IS A PARTY . 7
868868
869869 (C) (1) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO PREV ENT A 8
870870 CONTROLLER OR PROCES SOR FROM PROVIDING P ERSONAL DATA ABOUT A 9
871871 CONSUMER TO A PERSON COVERED BY AN EVIDEN TIARY PRIVILEGE UNDE R THE 10
872872 LAWS OF THE STATE AS PART OF A PR IVILEGED COMMUNICATI ON. 11
873873
874874 (2) AN OBLIGATION IMPOSED ON A CO NTROLLER OR A PROCES SOR 12
875875 UNDER THIS SUBTITLE DOES NOT APPLY WHERE COMPLIANCE BY THE CO NTROLLER 13
876876 OR PROCESSOR WITH TH E SUBTITLE WOULD VIO LATE AN EVIDENTIARY PRIVILEGE 14
877877 UNDER THE LAWS OF TH E STATE. 15
878878
879879 (D) NOTHING IN THIS SUBTI TLE MAY BE CONSTRUED TO: 16
880880
881881 (1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR 17
882882 THAT ADVERSELY AFFEC TS THE RIGHTS OR FRE EDOMS OF ANY PERSON ; OR 18
883883
884884 (2) APPLY TO A PERSON ’S PROCESSING OF PERS ONAL DATA IN THE 19
885885 COURSE OF THE PERSON ’S PERSONAL OR HOUSEH OLD ACTIVITIES. 20
886886
887887 (E) IF A CONTROLLER PROCE SSES PERSONAL DATA I N ACCORDANCE WITH 21
888888 AN EXEMPTION UNDER T HIS SECTION, THE CONTROLLER SHALL DEMONSTRATE 22
889889 THAT THE PROCESSING : 23
890890
891891 (1) QUALIFIES FOR AN EXEM PTION; AND 24
892892
893893 (2) COMPLIES WITH THE REQ UIREMENTS IN SUBSECT ION (F) OF THIS 25
894894 SECTION. 26
895895
896896 (F) (1) PERSONAL DATA PROCESS ED BY A CONTROLLER I N ACCORDANCE 27
897897 WITH THIS SECTION MAY BE PROCESSED TO THE EXT ENT THAT THE PROCESS ING IS: 28
898898
899899 (I) REASONABLY NECESSARY AND PROPORTIONATE TO THE 29
900900 PURPOSES LISTED IN T HIS SECTION; AND 30
901901 HOUSE BILL 807 21
902902
903903
904904 (II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS 1
905905 NECESSARY IN RELATIO N TO THE SPECIFIC PU RPOSES LISTED IN THI S SECTION. 2
906906
907907 (2) PERSONAL DATA COLLECT ED, USED, OR RETAINED IN 3
908908 ACCORDANCE WITH SUBS ECTION (B) OF THIS SECTION SHAL L: 4
909909
910910 (I) WHERE APPROPRIATE , TAKE INTO ACCOUNT THE NATURE 5
911911 AND PURPOSE OF THE C OLLECTION, USE, OR RETENTION ; AND 6
912912
913913 (II) BE SUBJECT TO REASONA BLE ADMINISTRATIVE , 7
914914 TECHNICAL, AND PHYSICAL MEASURE S TO: 8
915915
916916 1. PROTECT THE CONFIDENT IALITY, INTEGRITY, AND 9
917917 ACCESSIBILITY OF THE PERSONAL DATA ; AND 10
918918
919919 2. REDUCE REASONABLY FORESE EABLE RISKS OF HARM 11
920920 TO CONSUMERS RELATIN G TO THE COLLECTION , USE, OR RETENTION OF PERS ONAL 12
921921 DATA. 13
922922
923923 14–4506. 14
924924
925925 (A) A CONSUMER MAY DESIGNA TE AN AUTHORIZED AGENT TO ACT ON THE 15
926926 CONSUMER ’S BEHALF TO OPT OUT OF THE PROCESSING OF THE CONSUMER ’S 16
927927 PERSONAL DATA FOR TH E PURPOSES SPECIFIED IN § 14–4504(A) OF THIS SUBTITLE. 17
928928
929929 (B) THE CONSUMER MAY DESI GNATE AN AUTHORIZED AGENT BY: 18
930930
931931 (1) AN INTERNET LINK OR A BR OWSER SETTING ON A CONTROLLER ’S 19
932932 WEBSITE; OR 20
933933
934934 (2) A BROWSER EXTENSION OR GLOBAL DEVICE SETTING ON A 21
935935 CONTROLLER ’S WEBSITE INDICATING THE CONSUMER ’S INTENT TO OPT OUT OF THE 22
936936 PROCESSING. 23
937937
938938 (C) A CONTROLLER SHALL COM PLY WITH AN OPT–OUT REQUEST RECEIVED 24
939939 FROM AN AUTHORIZED A GENT IF THE CONTROLL ER IS ABLE TO VERIFY , USING 25
940940 COMMERCIALLY REASONA BLE EFFORT S: 26
941941
942942 (1) THE IDENTITY OF THE C ONSUMER; AND 27
943943
944944 (2) THE AUTHORIZED AGENT ’S AUTHORITY TO ACT O N THE 28
945945 CONSUMER ’S BEHALF. 29
946946 22 HOUSE BILL 807
947947
948948
949949 (D) THE FOLLOWING INDIVID UALS MAY EXERCISE TH E CONSUMER RIGHTS 1
950950 SPECIFIED IN THIS SUBTITLE ON BEHALF OF ANOTHER INDIVIDUAL W ITHOUT BEING 2
951951 DESIGNATED AS AN AUT HORIZED AGENT UNDER SUBSECTION (A) OF THIS SECTION: 3
952952
953953 (1) THE PARENT OR LEGAL G UARDIAN OF A KNOWN C HILD; 4
954954
955955 (2) IF A CONSUMER IS SUBJ ECT TO A GUARDIANSHI P, A 5
956956 CONSERVATORSHIP , OR ANY OTHER PROTECTIVE ARRANGEMENT , THE GUARDIAN 6
957957 OR CONSERVATOR OF TH E CONSUMER . 7
958958
959959 14–4507. 8
960960
961961 (A) A CONTROLLER MAY NOT : 9
962962
963963 (1) SELL, LEASE, OR TRADE A CONSUMER ’S BIOMETRIC DATA ; 10
964964
965965 (2) EXCEPT AS OTHERWISE P ROVIDED IN THIS SUBT ITLE, UNLESS 11
966966 THE CONTROLLER OBTAI NS THE CONSUMER ’S CONSENT, PROCESS PERSONAL DAT A 12
967967 FOR A PURPOSE THAT I S NEITHER REASONABLY NECESSARY TO , NOR COMPATIBLE 13
968968 WITH, THE DISCLOSED PURPOS ES FOR WHICH THE PER SONAL DATA IS PROCES SED, 14
969969 AS DISCLOSED TO THE CONSUMER ; 15
970970
971971 (3) PROCESS SENSITIVE DAT A CONCERNING A CONSU MER WITHOUT 16
972972 OBTAINING THE CONSUM ER’S CONSENT; 17
973973
974974 (4) PROCESS SENSITIVE DAT A OF A KNOWN CHILD W ITHOUT 18
975975 PROCESSING THE DATA IN ACCORDANCE WITH T HE FEDERAL CHILDREN’S ONLINE 19
976976 PRIVACY PROTECTION ACT OF 1998; 20
977977
978978 (5) PROCESS PERSONAL DATA IN VIOLATION OF FEDE RAL, STATE, OR 21
979979 LOCAL LAW THAT PROHI BITS UNLAWFUL DISCRI MINATION AGAINST A C ONSUMER; 22
980980 OR 23
981981
982982 (6) PROCESS THE PERSONAL DATA OF A CONSUMER T HAT THE 24
983983 PROCESSOR KNOWS IS A T LEAST 13 YEARS OLD AND UNDER THE AGE OF 16 YEARS 25
984984 WITHOUT THE CONSUMER ’S CONSENT FOR PURPOS ES OF: 26
985985
986986 (I) TARGETED ADVERTISING ; OR 27
987987
988988 (II) SELLING THE CONSUMER ’S PERSONAL DATA . 28
989989
990990 (B) A CONTROLLER SHALL : 29
991991 HOUSE BILL 807 23
992992
993993
994994 (1) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS: 1
995995
996996 (I) ADEQUATE, RELEVANT, AND REASONABLY NECES SARY TO 2
997997 COLLECT FOR THE PURPOSES FOR WHI CH THE DATA IS PROCESSED ; AND 3
998998
999999 (II) DISCLOSED TO THE CONS UMER; 4
10001000
10011001 (2) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONA BLE 5
10021002 ADMINISTRATIVE , TECHNICAL, AND PHYSICAL DATA SE CURITY PRACTICES TO 6
10031003 PROTECT THE CONFIDEN TIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL 7
10041004 DATA APPROPRIATE TO THE VOLUME AND NATUR E OF THE PERSONAL DA TA AT 8
10051005 ISSUE; 9
10061006
10071007 (3) PROVIDE AN EFFECTIVE MECHANISM FOR A CONS UMER TO 10
10081008 REVOKE THE CONSU MER’S CONSENT UNDER THIS SECTION THAT IS AT L EAST AS 11
10091009 EASY AS THE MECHANIS M BY WHICH THE CONSU MER PROVIDED THE CON SUMER’S 12
10101010 CONSENT; AND 13
10111011
10121012 (4) IF CONSENT IS REVOKED, STOP PROCESSING THE DATA AS SOON 14
10131013 AS PRACTICABLE , BUT NOT LATER THAN 15 DAYS AFTER THE RECEI PT OF THE 15
10141014 REQUEST. 16
10151015
10161016 (C) A CONTROLLER IN POSSES SION OF BIOMETRIC DA TA SHALL STORE , 17
10171017 TRANSMIT, AND PROTECT FROM DIS CLOSURE ALL BIOMETRI C DATA: 18
10181018
10191019 (1) USING THE REASONABLE STANDARD OF CARE WIT HIN THE 19
10201020 CONTROLLER ’S INDUSTRY; AND 20
10211021
10221022 (2) IN A MANNER THAT IS A S PROTECTIVE AS OR M ORE PROTECTIVE 21
10231023 THAN THE MANNER IN W HICH THE CONTROLLER STORES, TRANSMITS, AND 22
10241024 PROTECTS OTHER CONFI DENTIAL OR SENSITIVE DATA. 23
10251025
10261026 (D) (1) EXCEPT AS PROVIDED IN PARAGRAPH (2) OF THIS SUBSECTION , A 24
10271027 CONTROLLER THAT COLLEC TS BIOMETRIC DATA MA Y NOT COLLECT, USE, DISCLOSE, 25
10281028 REDISCLOSE, OR OTHERWISE DISSEMI NATE A CONTROLLER ’S BIOMETRIC DATA 26
10291029 UNLESS: 27
10301030
10311031 (I) THE CONTROLLER OR THE CONSUMER ’S AUTHORIZED 28
10321032 AGENT GIVES CONSENT TO THE PARTICULAR CATEGORY OF COLLECTION , USE, 29
10331033 DISCLOSURE, REDISCLOSURE , OR DISSEMINATION ; OR 30
10341034
10351035 (II) THE DISCLOSURE OR RED ISCLOSURE IS REQUIRE D: 31
10361036 24 HOUSE BILL 807
10371037
10381038
10391039 1. BY A VALID WARRANT OR SUBPOENA; 1
10401040
10411041 2. TO COMPLY WITH FEDERA L, STATE, OR LOCAL LAWS , 2
10421042 RULES, OR REGULATIONS ; OR 3
10431043
10441044 3. TO COOPERATE WITH LAW ENFORCEMENT 4
10451045 CONCERNING CONDUCT O R ACTIVITY THAT THE PRIVATE ENTITY OR TH E 5
10461046 PROCESSOR REASONABLY AND IN GOOD FAITH BE LIEVES VIOLATES A FE DERAL, 6
10471047 STATE, OR LOCAL LAW , RULE, OR REGULATION . 7
10481048
10491049 (2) (I) A CONTROLLER MAY COLLECT , USE, DISCLOSE, 8
10501050 REDISCLOSE, OR OTHERWISE DISSEMI NATE A CONSUMER ’S BIOMETRIC DATA 9
10511051 WITHOUT COMPLYING WI TH PARAGRAPH (1) OF THIS SUBSECTION IF THE 10
10521052 CONTROLLER : 11
10531053
10541054 1. COLLECTS, USES, DISCLOSES, REDISCLOSES, OR 12
10551055 OTHERWISE DISSEMINAT ES THE BIOMETRIC DATA FOR FRAUD PREVE NTION OR 13
10561056 SECURITY PURPOSES ; AND 14
10571057
10581058 2. SUBJECT TO SUBPARAGRAPH (III) OF THIS 15
10591059 PARAGRAPH : 16
10601060
10611061 A. FOR A CONTROLLER THAT COLLECTS BIOMETRIC 17
10621062 DATA AT A PHYSICAL P REMISES, POSTS CONSPICUOUS WR ITTEN NOTICE OF THE 18
10631063 COLLECTION OF BIOMET RIC DATA AT EACH POINT OF E NTRY; AND 19
10641064
10651065 B. FOR A CONTROLLER THAT COLLECTS BIOMETRIC 20
10661066 DATA OF A CONSUMER D URING AN ONLINE ENCO UNTER WITH THE CONSU MER, 21
10671067 POSTS CONSPICUOUS WR ITTEN NOTICE OF THE COLLECTION OF BIOMET RIC DATA 22
10681068 ON THE WEBSITE OF TH E CONTROLLER . 23
10691069
10701070 (II) 1. THE COLLECTION , USE, DISCLOSURE, 24
10711071 REDISCLOSURE , OR OTHER DISSEMINATI ON OF BIOMETRIC DATA UNDER THIS 25
10721072 SUBSECTION SHALL BE DIRECTLY TIED TO THE SERVICES BEING PROVI DED BY THE 26
10731073 CONTROLLER . 27
10741074
10751075 2. A CONTROLLER THAT COLLECTS , USES, DISCLOSES, 28
10761076 REDISCLOSES, OR OTHERWISE DISSEMINATE S BIOMETRIC DATA UND ER THIS 29
10771077 SUBSECTION MAY COLLE CT, USE, DISCLOSE, REDISCLOSE, OR OTHERWISE 30
10781078 DISSEMINATE ONLY WHA T IS STRICTLY NECESS ARY FOR FRAUD PREVEN TION AND 31
10791079 SECURITY PURPOSES . 32
10801080 HOUSE BILL 807 25
10811081
10821082
10831083 (III) THE NOTICE REQUIRED I N SUBPARAGRAPH (I) OF THIS 1
10841084 PARAGRAPH SHALL INFORM CONSUME RS OF: 2
10851085
10861086 1. THE CATEGORIES OF BIO METRIC DATA TO BE 3
10871087 COLLECTED; AND 4
10881088
10891089 2. THE PURPOSES FOR WHIC H THE CATEGORIES OF 5
10901090 BIOMETRIC DATA WILL BE USED. 6
10911091
10921092 (E) A CONTROLLER MAY NOT DISCRIMINATE AGA INST A CONSUMER FOR 7
10931093 EXERCISING A CONSUMER RIGHT AFF ORDED BY THIS SUBTITLE, INCLUDING: 8
10941094
10951095 (1) DENYING GOODS OR SERV ICES; 9
10961096
10971097 (2) CHARGING DIFFERENT PR ICES OR RATES FOR GO ODS OR 10
10981098 SERVICES; OR 11
10991099
11001100 (3) PROVIDING A DIFFERENT LEVEL OF QUALITY OF GOODS OR 12
11011101 SERVICES. 13
11021102
11031103 (F) NOTHING IN SUBSECTION (E) OF THIS SECTION MAY BE CONSTRUED TO : 14
11041104
11051105 (1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE 15
11061106 THAT REQUIRES THE PE RSONAL DATA OF A CON SUMER WHICH THE CONT ROLLER 16
11071107 DOES NOT COLLECT OR MAINTAIN; OR 17
11081108
11091109 (2) PROHIBIT A CONTROLLER FROM OFFERING A DIFF ERENT PRICE, 18
11101110 RATE, LEVEL, QUALITY, OR SELECTION OF GOOD S OR SERVICES TO A C ONSUMER, 19
11111111 INCLUDING OFFERING G OODS OR SERVICES FOR NO FEE, IF THE OFFERING IS I N 20
11121112 CONNECTION WITH A CO NSUMER’S VOLUNTARY PARTICIP ATION IN A BONA FIDE 21
11131113 LOYALTY, REWARDS, PREMIUM FEATURES , DISCOUNTS, OR CLUB CARD PROGRAM . 22
11141114
11151115 (G) (1) IF A CONSUMER ’S DECISION TO OPT OU T OF THE PROCESSING OF 23
11161116 THE CONSUMER ’S PERSONAL DATA FOR THE PURPOSES OF TARG ETED ADVERTISING 24
11171117 OR THE SALE OF PERSONAL DAT A THROUGH AN OPT –OUT PREFERENCE SIGNA L 25
11181118 SENT IN ACCORDANCE W ITH § 14–4508(B)(4)(II) OF THIS SUBTITLE CONFLICTS WITH 26
11191119 THE CONSUMER ’S EXISTING CONTROLLE R–SPECIFIC PRIVACY SET TING OR 27
11201120 VOLUNTARY PARTICIPAT ION IN A CONTROLLER ’S BONA FIDE LOYALTY , REWARDS, 28
11211121 PREMIUM FEATURES , DISCOUNTS, OR CLUB CARD PROGRAM , THE CONTROLLER 29
11221122 SHALL COMPLY WITH THE CONSUMER ’S OPT–OUT PREFERENCE SIGNA L. 30
11231123
11241124 (2) A CONTROLLER MAY: 31
11251125 26 HOUSE BILL 807
11261126
11271127
11281128 (I) NOTIFY A CONSUMER OF THE CONFLICT BETWEEN AN 1
11291129 OPT–OUT PREFERENCE SIGNA L AND A CONTROLLER ’S SPECIFIC PRIVACY S ETTING; 2
11301130 AND 3
11311131
11321132 (II) PROVIDE TO THE CONSUMER THE CHOICE TO CONFIRM THE 4
11331133 CONTROLLER –SPECIFIC PRIVACY SET TING OR PARTICIPATIO N IN THE PROGRAM . 5
11341134
11351135 (H) IF A CONTROLLER RESPO NDS TO A CONSUMER OP T–OUT REQUEST 6
11361136 RECEIVED IN ACCORDAN CE WITH SUBSECTION (G) OF THIS SECTION BY INFORMING 7
11371137 THE CONSUMER OF A CHARGE FOR THE USE O F ANY PRODUCT OR SER VICE, THE 8
11381138 CONTROLLER SHALL PRE SENT THE TERMS OF AN Y FINANCIAL INCENTIV E OFFERED 9
11391139 IN ACCORDANCE WITH S UBSECTION (F) OF THIS SECTION FOR THE RETENTION , USE, 10
11401140 SALE, OR SHARING OF THE CO NSUMER’S PERSONAL DATA . 11
11411141
11421142 (I) A CONTROLLER OR A PROCESSOR THAT COMPL IES WITH THE 12
11431143 VERIFIABLE PARENTAL CONSENT REQUIREMENTS OF THE FEDERAL CHILDREN’S 13
11441144 ONLINE PRIVACY PROTECTION ACT IS CONSIDERED TO BE COMPLIANT WITH AN Y 14
11451145 OBLIGATION TO OBTAIN PARENTAL CONSENT IN ACCORDANCE WITH THIS SUBTITLE. 15
11461146
11471147 (J) IF A CONTROLLER SELLS PERSONAL DATA TO THI RD PARTIES OR 16
11481148 PROCESSES PERSONAL D ATA FOR TARGETED ADV ERTISING, THE CONTROLLER 17
11491149 SHALL CLEARLY AND CO NSPICUOUSLY DISCLOSE : 18
11501150
11511151 (1) THE PROCESSING ; AND 19
11521152
11531153 (2) THE MANNER IN WHICH A CONSUMER MAY EXERCIS E THE RIGHT 20
11541154 TO OPT OUT OF THE PROCESSIN G. 21
11551155
11561156 14–4508. 22
11571157
11581158 (A) (1) A CONTROLLER SHALL PRO VIDE A CONSUMER WITH A 23
11591159 REASONABLY ACCESSIBL E, CLEAR, AND MEANINGFUL PRIVA CY NOTICE THAT 24
11601160 INCLUDES: 25
11611161
11621162 (I) FOR BIOMETRIC DATA PR OCESSED BY THE CONTR OLLER, A 26
11631163 WRITTEN POLICY ESTAB LISHING A RETENTION SCHEDULE AND GUIDELI NES FOR 27
11641164 PERMANENTLY DESTROYI NG BIOMETRIC DATA ; 28
11651165
11661166 (II) THE CATEGORIES OF PER SONAL DATA PROCESSED BY THE 29
11671167 CONTROLLER ; 30
11681168
11691169 (III) THE PURPOSE S FOR PROCESSING PERSO NAL DATA; 31
11701170 HOUSE BILL 807 27
11711171
11721172
11731173 (IV) HOW A CONSUMER MAY EXERCIS E A CONSUMER RIGHT 1
11741174 UNDER THIS SUBTITLE , INCLUDING HOW A CONS UMER MAY APPEAL A 2
11751175 CONTROLLER ’S DECISION WITH REGA RD TO THE CONSUMER ’S REQUEST; 3
11761176
11771177 (V) THE CATEGORIES OF THI RD PARTIES WITH WHICH T HE 4
11781178 CONTROLLER SHARES PE RSONAL DATA ; 5
11791179
11801180 (VI) THE CATEGORIES OF PER SONAL DATA THAT THE 6
11811181 CONTROLLER SHARES WI TH THIRD PARTIES ; AND 7
11821182
11831183 (VII) AN ACTIVE E–MAIL ADDRESS OR OTHER ONL INE 8
11841184 MECHANISM THAT A CONSUMER MAY USE TO CONTACT THE CONTROLL ER. 9
11851185
11861186 (2) THE PRIVACY NOTICE IN PARAGRAPH (1) OF THIS SUBSECTION 10
11871187 SHALL BE MADE AVAILA BLE TO THE PUBLIC . 11
11881188
11891189 (B) (1) A CONTROLLER SHALL EST ABLISH AND DESCRIBE IN THE 12
11901190 PRIVACY NOTICE ONE O R MORE SECURE AND RE LIABLE METHODS FOR A CONSUMER 13
11911191 TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT UND ER THIS SUBTITLE. 14
11921192
11931193 (2) THE METHOD A CONTROLLER CHOOSES TO SATISFY PARAGRAPH 15
11941194 (1) OF THIS SUBSECTION SHALL TAKE INTO ACCO UNT: 16
11951195
11961196 (I) THE WAYS IN WHICH CON SUMERS NORMALLY INTE RACT 17
11971197 WITH THE CONTROLLER ; 18
11981198
11991199 (II) THE NEED FOR SECURE A ND RELIABLE COMMUNIC ATION 19
12001200 OF REQUESTS; AND 20
12011201
12021202 (III) THE ABILITY OF THE CO NTROLLER TO VERIFY T HE 21
12031203 IDENTITY OF A CONSUMER MAKING THE REQUEST. 22
12041204
12051205 (3) (I) A CONTROLLER MAY NOT REQUIRE A CONSUM ER TO 23
12061206 CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT . 24
12071207
12081208 (II) A CONTROLLER MAY REQUIRE A CONSUMER T O USE AN 25
12091209 EXISTING ACCOUNT TO EXERCISE A CONSUM ER RIGHT. 26
12101210
12111211 (4) A CONTROLLER MAY CONSI DER THE FOLLOWING ME THODS TO 27
12121212 SATISFY PARAGRAPH (1) OF THIS SUBSECTION : 28
12131213
12141214 (I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE 29
12151215 CONTROLLER ’S WEBSITE TO A WEBPAGE THAT ALLOWS A CONSUMER , OR AN 30 28 HOUSE BILL 807
12161216
12171217
12181218 AUTHORIZED AGENT OF THE CONSUME R, TO OPT OUT OF THE TA RGETED 1
12191219 ADVERTISING OR THE SALE OF THE CONSUMER ’S PERSONAL DATA ; OR 2
12201220
12211221 (II) ALLOWING A CONSUMER TO OPT OU T OF ANY PROCESSING 3
12221222 OF THE CONSUMER ’S PERSONAL DATA F OR THE PURPOSES OF T ARGETED 4
12231223 ADVERTISING, OR ANY SALE OF PERSO NAL DATA, THROUGH AN OPT –OUT 5
12241224 PREFERENCE SIGNAL SE NT, WITH THE CONSUMER ’S CONSENT, BY A PLATFORM , A 6
12251225 TECHNOLOGY , OR A MECHANISM TO THE CON TROLLER INDICATING THE 7
12261226 CONSUMER ’S INTENT TO OPT OUT OF THE PROCESSING OR SALE . 8
12271227
12281228 (5) (I) A PLATFORM, A TECHNOLOGY , OR A MECHANISM USED IN 9
12291229 ACCORDANCE WITH PARAGRAPH (4) OF THIS SUBSECTION SHALL: 10
12301230
12311231 1. BE CONSUMER –FRIENDLY AND EASY TO USE BY THE 11
12321232 AVERAGE CONSUMER ; 12
12331233
12341234 2. BE AS CONSISTENT AS P OSSIBLE WITH ANY OT HER 13
12351235 SIMILAR PLATFORM , TECHNOLOGY , OR MECHANISM REQUIRE D BY ANY FEDERAL OR 14
12361236 STATE LAW OR REGULATI ON; AND 15
12371237
12381238 3. ENABLE THE CONTROLLER TO ACCURATELY 16
12391239 DETERMINE WHETHER TH E CONSUMER : 17
12401240
12411241 A. IS A RESIDENT OF THE STATE; AND 18
12421242
12431243 B. HAS MADE A LEGITIMATE REQUEST TO OPT OUT O F 19
12441244 ANY SALE OF THE CONSUMER ’S PERSONAL DATA OR T ARGETED ADVERTISING . 20
12451245
12461246 (II) A PLATFORM, A TECHNOLOGY , OR A MECHANISM USED IN 21
12471247 ACCORDANCE WITH PARAGRAPH (4) OF THIS SUBSECTION : 22
12481248
12491249 1. SHALL REQUIRE THE CON SUMER TO MAKE AN 23
12501250 AFFIRMATIVE, FREELY GIVEN , AND UNAMBIGUOUS CHOI CE TO OPT OUT OF THE 24
12511251 PROCESSING OF THE CO NSUMER’S PERSONAL DATA IN ACCORDANCE WITH THIS 25
12521252 SUBTITLE; AND 26
12531253
12541254 2. MAY NOT: 27
12551255
12561256 A. UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER ; 28
12571257 OR 29
12581258
12591259 B. MAKE USE OF A DEFAULT SETTING . 30
12601260 HOUSE BILL 807 29
12611261
12621262
12631263 (C) (1) THIS SUBSECTION APPLI ES ONLY TO A CONTROLLER THAT 1
12641264 COLLECTS THE BIOMETRIC DATA OF CONSUMERS . 2
12651265
12661266 (2) EXCEPT AS PROVIDED IN PARAGRAPH S (4) AND (5) OF THIS 3
12671267 SUBSECTION, A CONTROLLER IN POSSESSION OF BIO METRIC DATA SHALL DE VELOP 4
12681268 A WRITTEN POLICY , MADE AVAILABLE TO TH E PUBLIC, ESTABLISHING A RETEN TION 5
12691269 SCHEDULE AND GUIDELI NES FOR PERMANENTLY DESTROYING BIOMETRIC DATA ON 6
12701270 THE EARLIEST OF THE FOLLOWING: 7
12711271
12721272 (I) THE DATE ON WHICH THE INITIAL PURPOSE FOR 8
12731273 COLLECTING OR OBTAIN ING THE BIOMETRIC DA TA HAS BEEN SATISFIE D; 9
12741274
12751275 (II) WITHIN 3 YEARS AFTER THE CONSUMER ’S LAST 10
12761276 INTERACTION WITH THE CONTROLLER IN POSSESSION OF THE BIOMETRIC DATA ; OR 11
12771277
12781278 (III) WITHIN 30 DAYS AFTER THE CONTROLLER RECEIVES A 12
12791279 VERIFIED REQUEST TO DELETE THE BIOMETRIC DATA SUBMITTED BY TH E 13
12801280 CONSUMER OR THE CONSUMER ’S AUTHORIZED AGENT . 14
12811281
12821282 (3) ABSENT A VALID WARRAN T OR SUBPOENA ISSUED BY A COURT OF 15
12831283 COMPETENT JURISDICTI ON, A CONTROLLER IN POSSESSION OF BIO METRIC DATA 16
12841284 SHALL COMPLY WIT H THE RETENTION SCHE DULE AND DESTRUCTION GUIDELINES 17
12851285 DEVELOPED UNDER PARA GRAPH (2) OF THIS SUBSECTION . 18
12861286
12871287 (4) A CONTROLLER IN POSSESSION OF BIO METRIC DATA FOR FRAU D 19
12881288 PREVENTION OR SECURI TY PURPOSES IS NOT R EQUIRED TO DESTROY A 20
12891289 CONSUMER ’S BIOMETRIC DATA IN ACCORDANCE WITH PARAGR APH (2)(II) AND (III) 21
12901290 OF THIS SUBSECTION I F THE CONSUMER IS PART OF THE STATE VOLUNTARY 22
12911291 EXCLUSION PROGRAM. 23
12921292
12931293 (5) A CONTROLLER MAY NOT BE REQUIRED TO MAKE PUBLICLY 24
12941294 AVAILABLE A WRITTEN POLICY DEVELOPED UND ER THIS SUBSECTION IF: 25
12951295
12961296 (I) THE CONTROLLER COLLECTS B IOMETRIC DATA ONLY FROM 26
12971297 THE CONTROLLER ’S EMPLOYEES; AND 27
12981298
12991299 (II) THE BIOMETRIC DATA I S USED SOLELY FOR IN TERNAL 28
13001300 COMPANY OPERATIONS . 29
13011301
13021302 14–4509. 30
13031303
13041304 (A) (1) IF A CONTROLLER USES A PR OCESSOR TO PROCESS T HE 31
13051305 PERSONAL DATA OF CON SUMERS, THE CONTROLLER AND T HE PROCESSOR SHALL 32 30 HOUSE BILL 807
13061306
13071307
13081308 ENTER INTO A CONTRAC T THAT GOVERNS THE PROCESSOR ’S DATA PROCESSING 1
13091309 PROCEDURES WITH RESP ECT TO PROCESSING PE RFORMED ON BEHALF OF THE 2
13101310 CONTROLLER . 3
13111311
13121312 (2) THE CONTRACT SHALL PR OVIDE CLEAR INSTRUCT IONS FOR: 4
13131313
13141314 (I) PROCESSING DATA ; 5
13151315
13161316 (II) THE NATURE AND PURPOS E OF PROCESSING ; 6
13171317
13181318 (III) THE TYPE OF DATA SUBJ ECT TO PROCESSING ; 7
13191319
13201320 (IV) THE DURATION OF PROCE SSING; AND 8
13211321
13221322 (V) THE RIGHTS AND OBLIGA TIONS OF THE CONTROLLER AN D 9
13231323 THE PROCESSOR . 10
13241324
13251325 (3) THE CONTRACT SHALL RE QUIRE THAT THE PROCE SSOR: 11
13261326
13271327 (I) ENSURE THAT EACH PERS ON PROCESSING PERSON AL DATA 12
13281328 IS SUBJECT TO A DUTY OF CONFIDENTIALITY W ITH RESPECT TO THE D ATA; 13
13291329
13301330 (II) UNLESS RETENTION OF T HE PERSONAL DATA IS REQUIRED 14
13311331 BY LAW, AT THE CONTROLLER ’S DIRECTION, DELETE OR RETURN ALL PERSONAL 15
13321332 DATA TO THE CONTROLL ER AS REQUESTED AT T HE END OF THE PROVIS ION OF 16
13331333 SERVICE; 17
13341334
13351335 (III) MAKE AVAILABLE TO THE CONTROLLER ALL INFOR MATION 18
13361336 IN THE PROCESSOR ’S POSSESSION NECESSARY TO DEMONST RATE THE PROCESSOR ’S 19
13371337 COMPLIANCE WITH THE OBLIGATIONS IN THIS SUBTITLE; 20
13381338
13391339 (IV) AFTER PROVIDING THE C ONTROLLER AN OPPORTU NITY TO 21
13401340 OBJECT, REQUIRE A SUBCONTRACTOR TO SIGN A CONTRACT A GREEING TO M EET 22
13411341 THE OBLIGATIONS OF T HE PROCESSOR WITH R ESPECT TO THE PERSON AL DATA; AND 23
13421342
13431343 (V) ALLOW AND COOPERATE W ITH REASONABLE ASSES SMENTS 24
13441344 BY THE CONTROLLER , THE CONTROLLER ’S DESIGNATED ASSESSO R, OR A QUALIFIED 25
13451345 AND INDEPENDENT ASSE SSOR TO ASSESS THE PROCESSOR ’S POLICIES AND 26
13461346 TECHNICAL AND ORGANI ZATIONAL ME ASURES TO COMPLY WITH THE OBLIGATIONS 27
13471347 UNDER THIS SUBTITLE . 28
13481348 HOUSE BILL 807 31
13491349
13501350
13511351 (4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT 1
13521352 OF AN ASSESSMENT REQUIRED BY PARAGRAP H (3)(V) OF THIS SUBSECTION TO THE 2
13531353 CONTROLLER . 3
13541354
13551355 (II) AN ASSESSMENT CONDUCT ED IN ACCORDANCE WIT H 4
13561356 PARAGRAPH (3)(V) OF THIS SUBSECTION S HALL BE CONDUCTED US ING AN 5
13571357 APPROPRIATE AND ACCE PTED CONTROL STANDAR D OR FRAMEWORK AND 6
13581358 ASSESSMENT PROCEDURE FOR THE ASSESSMENTS . 7
13591359
13601360 (B) A PROCESSOR SHALL ADHE RE TO THE INSTRUCTIO NS OF A 8
13611361 CONTROLLER AND SHALL ASSIST THE CONTROLLER IN MEETIN G THE 9
13621362 CONTROLLER ’S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: 10
13631363
13641364 (1) TAKING INTO ACCOUNT T HE NATURE OF PROCESS ING AND THE 11
13651365 INFORMATION AVAILABL E TO THE PROCESSOR BY FULFILLING THE CONTROLLER ’S 12
13661366 OBLIGATION TO RESPON D TO CONSUMER RIGHTS REQUESTS; 13
13671367
13681368 (2) TAKING INTO ACCOUNT T HE NATURE OF PROCESS ING AND THE 14
13691369 INFORMATION AVAILABL E TO THE PROCESSOR , BY ASSISTING THE CON TROLLER IN 15
13701370 MEETING THE CONTROLL ER’S OBLIGATIONS IN REL ATION TO THE SECURIT Y OF 16
13711371 PROCESSING PERSONAL DATA AND THE NOTIFIC ATION OF A BREACH OF SECURITY 17
13721372 OF THE SYSTEM OF THE PROCESSOR, AS DEFINED IN § 14–3504 OF THIS TITLE, IN 18
13731373 ORDER TO MEET THE CO NTROLLER’S OBLIGATIONS; AND 19
13741374
13751375 (3) PROVIDING NECESSARY I NFORMATION TO ENABLE THE 20
13761376 CONTROLLER TO CONDUC T AND DOCUMENT DATA PROTECTION ASSESSMENTS . 21
13771377
13781378 (C) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO RELI EVE A 22
13791379 CONTROLLER OR A PROCESSOR FROM THE L IABILITIES IMPOSED O N THE 23
13801380 CONTROLLER OR PROCES SOR BY VIRTUE OF THE CONTROLLER ’S OR PROCESSOR ’S 24
13811381 ROLE IN THE PROCESSI NG RELATIONSHIP . 25
13821382
13831383 (D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A 26
13841384 CONTROLLER OR A PROCESSOR WITH RESPE CT TO A SPECIFIC PRO CESSING OF DATA 27
13851385 IS A FACT–BASED DETERMINATION THAT DEPENDS UPON TH E CONTEXT IN WHICH 28
13861386 PERSONAL DATA IS BEING PROCESSED. 29
13871387
13881388 (2) A PERSON IS CONSIDERED TO BE A C ONTROLLER IF THE PER SON: 30
13891389
13901390 (I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPEC IFIC 31
13911391 PERSONAL DATA IN ACC ORDANCE WITH A CONTR OLLER’S INSTRUCTIONS ; OR 32
13921392 32 HOUSE BILL 807
13931393
13941394
13951395 (II) FAILS TO FOLLOW A CON TROLLER’S INSTRUCTIONS 1
13961396 REGARDING THE SPECIF IC PROCESSING OF PERSONAL DATA . 2
13971397
13981398 (3) IF A PROCESSOR, ALONE OR JOINTLY WIT H OTHERS, DETERMINES 3
13991399 THE PURPOSES AND MEA NS OF THE PROCESSING OF PERSONAL DATA , THE 4
14001400 PROCESSOR: 5
14011401
14021402 (I) IS A CONTROLLER WITH RESPECT TO THE PROCESSING; AND 6
14031403
14041404 (II) MAY BE SUBJECT TO AN ENFORCEMENT ACTION U NDER 7
14051405 THIS SUBTITLE. 8
14061406
14071407 14–4510. 9
14081408
14091409 (A) IN THIS SECTION , “PROCESSING ACTIVITIES THAT PRESENT A 10
14101410 HEIGHTENED RISK OF H ARM TO A CONSUMER ” MEANS: 11
14111411
14121412 (1) THE PROCESSING OF PER SONAL DATA FOR THE P URPOSES OF 12
14131413 TARGETED ADVERTISING; 13
14141414
14151415 (2) THE SALE OF PERSONAL DATA; 14
14161416
14171417 (3) THE PROCESSING OF SEN SITIVE DATA; AND 15
14181418
14191419 (4) THE PROCESSING OF PER SONAL DATA FOR THE P URPOSES OF 16
14201420 PROFILING, IN WHICH THE PROFILING PRESENTS A REASONABLY FORESEEAB LE 17
14211421 RISK OF: 18
14221422
14231423 (I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATMENT OF A 19
14241424 CONSUMER ; 20
14251425
14261426 (II) HAVING AN UNLAWFUL DISPARATE I MPACT ON A 21
14271427 CONSUMER ; 22
14281428
14291429 (III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJU RY TO A 23
14301430 CONSUMER ; 24
14311431
14321432 (IV) A PHYSICAL OR OTHER IN TRUSION ON THE SOLIT UDE OR 25
14331433 SECLUSION OR THE PRI VATE AFFAIRS OR CONC ERNS OF A CONSUMER INTO WHICH 26
14341434 THE INTRUSION WOULD BE O FFENSIVE TO A REASON ABLE PERSON; OR 27
14351435
14361436 (V) OTHER SUBSTANTIAL INJ URY TO A CONSUMER . 28
14371437 HOUSE BILL 807 33
14381438
14391439
14401440 (B) A CONTROLLER SHALL CONDUCT AND DOCUMENT A DATA PROTECTION 1
14411441 ASSESSMENT FOR EACH OF THE CONTROLLER ’S PROCESSING ACTIVIT IES THAT 2
14421442 PRESENT A HEIGHTENED RISK OF HARM TO A CO NSUMER. 3
14431443
14441444 (C) (1) A DATA PROTECTION ASSES SMENT CONDUCTED IN ACCORDANCE 4
14451445 WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS OF THE 5
14461446 PROCESSING TO THE CO NTROLLER, THE CONSUMER , OTHER STAKEHOLDERS , AND 6
14471447 THE PUBLIC AGAINST T HE POTENTIAL RISKS T O THE RIGHTS OF THE CONSUMER 7
14481448 ASSOCIATED WITH THE PROCESSING. 8
14491449
14501450 (2) THE CONTROLLER SHALL FACTOR INTO A DATA P ROTECTION 9
14511451 ASSESSMENT : 10
14521452
14531453 (I) THE USE OF DE–IDENTIFIED DATA ; 11
14541454
14551455 (II) THE REASONABLE EXPECT ATIONS OF CONSUMERS ; 12
14561456
14571457 (III) THE CONTEXT OF THE PR OCESSING; 13
14581458
14591459 (IV) THE RELATIONSHIP BETW EEN THE CONT ROLLER AND THE 14
14601460 CONSUMER WHOSE PERSO NAL DATA WILL BE PRO CESSED; AND 15
14611461
14621462 (V) THE SAFEGUARDS THAT C AN BE EMPLOYED BY TH E 16
14631463 CONTROLLER TO REDUCE THE RISKS AGAINST CO NSUMERS ASSOCIATED W ITH THE 17
14641464 PROCESSING. 18
14651465
14661466 (D) (1) THE DIVISION MAY REQUIRE THAT A C ONTROLLER MAKE 19
14671467 AVAILABLE TO THE DIVISION A DATA PROTECTION AS SESSMENT THAT IS REL EVANT 20
14681468 TO AN INVESTIGATION CONDUCTED BY THE DIVISION. 21
14691469
14701470 (2) THE DIVISION MAY EVALUATE A DATA PROTECTION ASSE SSMENT 22
14711471 FOR COMPLIANCE WITH THE RESPONSIBILITIES ESTABLISHED IN THIS SUBTITLE. 23
14721472
14731473 (E) A SINGLE DATA PROTECTI ON ASSESSMENT MAY ADDRE SS A 24
14741474 COMPARABLE SET OF PR OCESSING OPERATIONS THAT INCLUDE SIMILAR 25
14751475 ACTIVITIES. 26
14761476
14771477 (F) IF A CONTROLLER CONDU CTS A DATA PROTECTIO N ASSESSMENT FOR 27
14781478 THE PURPOSE OF COMPL YING WITH ANOTHER LA W OR REGULATION , THE DATA 28
14791479 PROTECTION ASSESSMEN T SHALL SATISFY THE REQUIREM ENTS ESTABLISHED IN 29
14801480 THIS SECTION IF THE DATA PROTECTION ASSE SSMENT IS REASONABLY SIMILAR IN 30
14811481 SCOPE AND EFFECT TO THE DATA PROTECTION ASSESSMENT THAT WOUL D 31
14821482 OTHERWISE BE CONDUCT ED IN ACCORDANCE WITH THIS SECTION. 32 34 HOUSE BILL 807
14831483
14841484
14851485
14861486 (G) A DATA PROTECTION A SSESSMENT SHALL BE C ONFIDENTIAL AND 1
14871487 EXEMPT FROM DISCLOSU RE UNDER THE MARYLAND PUBLIC INFORMATION ACT. 2
14881488
14891489 14–4511. 3
14901490
14911491 (A) NOTHING IN THIS SECTI ON MAY BE CONSTRUED TO : 4
14921492
14931493 (1) REQUIRE A CONTROLLER OR A PROCESSOR TO RE –IDENTIFY 5
14941494 DE–IDENTIFIED DATA ; 6
14951495
14961496 (2) MAINTAIN DATA IN AN IDENTIFIABLE FORM ; OR 7
14971497
14981498 (3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA O R 8
14991499 TECHNOLOGY IN ORDER TO BE CAPABLE OF ASS OCIATING AN AUTHENTI CATED 9
15001500 CONSUMER REQUEST WIT H PERSONAL DATA . 10
15011501
15021502 (B) A CONTROLLER IN POSSES SION OF DE–IDENTIFIED DATA SHALL: 11
15031503
15041504 (1) TAKE REASONABLE MEASU RES TO ENSURE THAT T HE DATA 12
15051505 CANNOT BE ASSOCIATED WITH A CONSUMER ; 13
15061506
15071507 (2) PUBLICLY COMMIT TO MA INTAINING AND USING DE–IDENTIFIED 14
15081508 DATA WITHOUT ATTEMPT ING TO RE–IDENTIFY THE DATA ; AND 15
15091509
15101510 (3) CONTRACTUALLY OBLIGAT E A RECIPIEN T OF DE–IDENTIFIED 16
15111511 DATA TO COMPLY WITH ITEMS (1) AND (2) OF THIS SUBSECTION . 17
15121512
15131513 (C) A CONTROLLER THAT DISC LOSES DE–IDENTIFIED DATA SHAL L: 18
15141514
15151515 (1) EXERCISE REASONABLE O VERSIGHT TO MONITOR COMPLIANCE 19
15161516 WITH A CONTRACTUAL COMMITME NT TO WHICH THE DE –IDENTIFIED DATA IS 20
15171517 SUBJECT; AND 21
15181518
15191519 (2) IF NECESSARY, TAKE APPROPRIATE STEP S TO ADDRESS A BREAC H 22
15201520 OF A CONTRACTUAL COMMITME NT. 23
15211521
15221522 (D) A CONTROLLER THAT POSS ESSES THE DE–IDENTIFIED DATA SHALL: 24
15231523
15241524 (1) TAKE REASONABLE MEASU RES TO ENSURE THAT T HE DATA 25
15251525 CANNOT BE ASSOCIATED WITH A CONSUMER ; 26
15261526
15271527 (2) PUBLICLY COMMIT TO : 27 HOUSE BILL 807 35
15281528
15291529
15301530
15311531 (I) PROCESS THE DATA ONLY IN A DE–IDENTIFIED MANNER ; 1
15321532 AND 2
15331533
15341534 (II) NOT ATTEMPT TO RE –IDENTIFY THE DATA ; AND 3
15351535
15361536 (3) CONTRACTUALLY OBLIGAT E A RECIPIENT OF THE DATA TO 4
15371537 SATISFY THE CRITERIA IN ITEMS (1) AND (2) OF THIS SUBSECTION . 5
15381538
15391539 14–4512. 6
15401540
15411541 (A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION , A 7
15421542 VIOLATION OF THIS SU BTITLE IS: 8
15431543
15441544 (1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE PRACTICE WITHI N 9
15451545 THE MEANING OF TITLE 13 OF THIS ARTICLE; AND 10
15461546
15471547 (2) SUBJECT TO THE ENFORC EMENT AND PENALTY PR OVISIONS 11
15481548 CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE. 12
15491549
15501550 (B) IN ADDITION TO THE RE MEDIES AVAILABLE IN SUBSECTION (A) OF THIS 13
15511551 SECTION, A CONSUMER WHO IS AFFECTED BY A VIOLATION OF § 14–4507(A)(1) OF 14
15521552 THIS SUBTITLE MAY BR ING AN ACTION AGAINS T THE CONTROLLER IN ACCORDANCE 15
15531553 WITH § 13–408 OF THIS ARTICLE. 16
15541554
15551555 SECTION 2. AND BE IT FURTHER ENACTED, That: 17
15561556
15571557 (a) There is a Task Force to Study Online Data Privacy. 18
15581558
15591559 (b) The Task Force consists of the following members: 19
15601560
15611561 (1) two members of the Senate of Maryland, appointed by the President of 20
15621562 the Senate; 21
15631563
15641564 (2) two members of the House of Delegates, appointed by the Speaker of 22
15651565 the House; 23
15661566
15671567 (3) the Attorney General, or the Attorney General’s designee; 24
15681568
15691569 (4) the following members, appointed by the Governor: 25
15701570
15711571 (i) one representative of the business sector; 26
15721572
15731573 (ii) one representative of the academic sector; 27
15741574 36 HOUSE BILL 807
15751575
15761576
15771577 (iii) one representative from a consumer advocacy group; and 1
15781578
15791579 (iv) two attorneys with experience in privacy law. 2
15801580
15811581 (c) The Governor shall designate the chair of the Task Force. 3
15821582
15831583 (d) The State agencies represented on the Task Force shall provide staff for the 4
15841584 Task Force. 5
15851585
15861586 (e) A member of the Task Force: 6
15871587
15881588 (1) may not receive compensation as a member of the Task Force; but 7
15891589
15901590 (2) is entitled to reimbursement for expenses under the Standard State 8
15911591 Travel Regulations, as provided in the State budget. 9
15921592
15931593 (f) The Task Force shall: 10
15941594
15951595 (1) study and make recommendations regarding: 11
15961596
15971597 (i) information sharing among health care and social care providers; 12
15981598
15991599 (ii) algorithmic decision–making and the proper use of data to reduce 13
16001600 bias in algorithmic decision–making; 14
16011601
16021602 (iii) requiring an operator, upon a parent’s request, to delete the 15
16031603 account of a child and cease to collect, use or maintain, in retrievable form, the child’s 16
16041604 personal data on the operator’s website or online service directed to children, and provide 17
16051605 parents with an accessible, reasonable, and verifiable means to make the request; 18
16061606
16071607 (iv) methods of verifying the age of a child who creates a social media 19
16081608 account; 20
16091609
16101610 (v) issues concerning data colocation, including the impact that the 21
16111611 provisions of Section 1 of this Act may have on third parties that provide data storage and 22
16121612 colocation services; 23
16131613
16141614 (vi) issues surrounding additional persons or groups that are subject 24
16151615 to the provisions of Section 1 of this Act; and 25
16161616
16171617 (vii) other topics concerning online data privacy; and 26
16181618
16191619 (2) make recommendations for future data privacy legislation. 27
16201620
16211621 (g) On or before June 1, 2024, the Task Force shall report its findings and 28
16221622 recommendations to the Governor and, in accordance with § 2–1257 of the State 29 HOUSE BILL 807 37
16231623
16241624
16251625 Government Article, the Senate Finance Committee and the House Economic Matters 1
16261626 Committee. 2
16271627
16281628 SECTION 3. AND BE IT FURTHER ENACTED, That § 14–4510 of the Commercial 3
16291629 Law Article, as enacted by Section 1 of this Act, shall be construed to apply only 4
16301630 prospectively and may not be applied or interpreted to have any effect on or application to 5
16311631 any personal data processing activities before the effective date of this Act. 6
16321632
16331633 SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect 7
16341634 October 1, 2023. Section 2 of this Act shall remain effective for a period of 2 years and, at 8
16351635 the end of September 30, 2025, Section 2 of this Act, with no further action required by the 9
16361636 General Assembly, shall be abrogated and of no further force and effect. 10