Maryland 2023 Regular Session

Maryland House Bill HB807 Latest Draft

Bill / Introduced Version Filed 02/10/2023

                             
 
EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. 
        [Brackets] indicate matter deleted from existing law. 
  
HOUSE BILL 807 
I3   	3lr1109 
    	CF SB 698 
By: Delegate Love 
Introduced and read first time: February 8, 2023 
Assigned to: Economic Matters 
 
A BILL ENTITLED 
 
AN ACT concerning 1 
 
Consumer Protection – Online and Biometric Data Privacy 2 
 
FOR the purpose of regulating the manner in which a controller or a processor in possession 3 
of a consumer’s personal data may process the consumer’s personal data; authorizing 4 
a consumer to exercise certain rights in regards to the consumer’s personal data; 5 
requiring a controller of personal data to establish a method for a consumer to 6 
exercise certain rights in regards to the consumer’s personal data; requiring a 7 
controller to comply with a request by a consumer to exercise a certain right in a 8 
certain manner, except under certain circumstances; authorizing a consumer to 9 
designate an authorized agent to act on the consumer’s behalf to opt out of the 10 
processing of the consumer’s personal data; requiring a controller to provide a 11 
consumer with a certain privacy notice; requiring a controller that uses a processor 12 
to process the personal data of consumers to enter into a contract with the processor 13 
that governs the processor’s data processing procedures; requiring a controller to 14 
conduct and document a data protection assessment for consumer data processing 15 
activities that present a heightened risk of harm to a consumer; regulating the use 16 
of biometric data, including requiring controllers in possession of biometric data to 17 
develop a policy, made available to the public, establishing a retention schedule and 18 
destruction guidelines for biometric data; authorizing an individual alleging a 19 
violation of this Act to bring a civil action against the offending controller under 20 
certain circumstances; making a violation of this Act an unfair, abusive, or deceptive 21 
trade practice that is subject to enforcement and penalties under the Maryland 22 
Consumer Protection Act; establishing the Task Force to Study Online Data Privacy; 23 
and generally relating to online and biometric data privacy.  24 
 
BY repealing and reenacting, with amendments, 25 
 Article – Commercial Law 26 
Section 13–301(14)(xxxv) and 13–408 27 
 Annotated Code of Maryland 28 
 (2013 Replacement Volume and 2022 Supplement) 29 
 
 
BY repealing and reenacting, without amendments, 1 
 Article – Commercial Law 2 
Section 13–301(14)(xxxvi) 3 
 Annotated Code of Maryland 4 
 (2013 Replacement Volume and 2022 Supplement) 5 
 
BY adding to 6 
 Article – Commercial Law 7 
Section 13–301(xxxvii); and 14–4501 through 14–4512 to be under the new subtitle 8 
“Subtitle 45. Online and Biometric Data Privacy Act” 9 
 Annotated Code of Maryland 10 
 (2013 Replacement Volume and 2022 Supplement) 11 
 
 SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, 12 
That the Laws of Maryland read as follows: 13 
 
Article – Commercial Law 14 
 
13–301. 15 
 
 Unfair, abusive, or deceptive trade practices include any: 16 
 
 (14) Violation of a provision of: 17 
 
 (xxxv) Section 11–210 of the Education Article; [or] 18 
 
 (xxxvi) Title 14, Subtitle 44 of this article; or 19 
 
 (XXXVII) TITLE 14, SUBTITLE 45 OF THIS ARTICLE; OR 20 
 
13–408. 21 
 
 (a) In addition to any action by the Division or Attorney General authorized by 22 
this title and any other action otherwise authorized by law, any person may bring an action 23 
to recover for injury or loss sustained by [him] THE PERSON as the result of a practice 24 
prohibited by this title. 25 
 
 (b) Any person who brings an action to recover for injury or loss under this section 26 
and who is awarded damages may also seek, and the court may award, reasonable 27 
attorney’s fees. 28 
 
 (c) If it appears to the satisfaction of the court, at any time, that an action is 29 
brought in bad faith or is of a frivolous nature, the court may order the offending party to 30 
pay to the other party reasonable attorney’s fees. 31 
 
 
 (d) Notwithstanding any other provision of this section, a person may not bring 1 
an action under this section to recover for injuries sustained as a result of the professional 2 
services provided by a health care provider, as defined in § 3–2A–01 of the Courts Article. 3 
 
SUBTITLE 45. ONLINE AND BIOMETRIC DATA PRIVACY ACT. 4 
 
14–4501. 5 
 
 (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS 6 
INDICATED. 7 
 
 (B) “AFFILIATE” MEANS A PERSON THAT: 8 
 
 (1) SHARES COMMON BRANDING WITH ANOTHER PERSON; OR 9

 (2) CONTROLS, IS CONTROLLED BY, OR IS UNDER COMMON CONTROL 10
WITH ANOTHER PERSON. 11

 (C) “AUTHENTICATE” MEANS TO USE REASONABLE MEANS TO DETERMINE 12
THAT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH § 13
14–4504 OF THIS SUBTITLE IS BEING MADE BY, OR ON BEHALF OF, AN INDIVIDUAL 14
WHO IS ENTITLED TO EXERCISE THE CONSUMER RIGHT. 15

 (D) (1) “BIOMETRIC DATA” MEANS DATA GENERATED BY AUTOMATIC 16
MEASUREMENTS OF THE BIOLOGICAL CHARACTERISTICS OF A CONSUMER THAT ARE 17
USED TO IDENTIFY A SPECIFIC CONSUMER. 18

 (2) “BIOMETRIC DATA” INCLUDES: 19

 (I) A FINGERPRINT; 20

 (II) A VOICE PRINT; 21

 (III) EYE RETINAS OR IRISES; 22

 (IV) BIOMETRIC SCANS CREATED FROM PHYSICAL OR DIGITAL 23
PHOTOGRAPHS; AND 24

 (V) ANY OTHER UNIQUE BIOLOGICAL PATTERNS OR 25
CHARACTERISTICS. 26

 (3) “BIOMETRIC DATA” DOES NOT INCLUDE: 27

 (I) A PHYSICAL OR DIGITAL PHOTOGRAPH; 28
 
 
 
 (II) A VIDEO OR AN AUDIO RECORDING; OR 1 
 
 (III) INFORMATION COLLECTED, USED, OR STORED FOR HEALTH 2
CARE TREATMENT, PAYMENT, OR OPERATIONS UNDER THE FEDERAL HEALTH 3
INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 4

 (E) “BUSINESS ASSOCIATE” HAS THE MEANING STATED IN THE FEDERAL 5
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 6

 (F) “CHILD” HAS THE MEANING STATED IN THE FEDERAL CHILDREN’S 7
ONLINE PRIVACY PROTECTION ACT OF 1998. 8

 (G) “CONFIDENTIAL DATA” MEANS INFORMATION THAT CAN BE USED TO 9
UNIQUELY IDENTIFY A CONSUMER OR A CONSUMER’S ACCOUNT OR PROPERTY, 10
INCLUDING: 11

 (1) A GENETIC MARKER; 12

 (2) GENETIC TESTING INFORMATION; 13

 (3) A UNIQUE IDENTIFIER NUMBER TO LOCATE AN ACCOUNT OR 14
PROPERTY; 15

 (4) AN ACCOUNT NUMBER; 16

 (5) A PERSONAL IDENTIFICATION NUMBER; 17

 (6) A PASSCODE; 18

 (7) A DRIVER’S LICENSE NUMBER; AND 19

 (8) A SOCIAL SECURITY NUMBER. 20

 (H) (1) “CONSENT” MEANS A SPECIFIC, DISCRETE, FREELY GIVEN, 21
UNAMBIGUOUS, AND INFORMED AGREEMENT GIVEN BY A CONSUMER WHO IS NOT 22
UNDER ANY DURESS OR UNDUE INFLUENCE FROM A CONTROLLER OR PROCESSOR 23
TO ALLOW THE PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR A 24
PARTICULAR PURPOSE. 25

 (2) “CONSENT” INCLUDES: 26

 (I) A WRITTEN STATEMENT; 27
 
 
 
 (II) A WRITTEN STATEMENT BY ELECTRONIC MEANS; 1

 (III) IN THE CONTEXT OF EMPLOYMENT, A RELEASE EXECUTED 2
BY AN EMPLOYEE AS A CONDITION OF EMPLOYMENT; AND 3

 (IV) ANY OTHER UNAMBIGUOUS AFFIRMATIVE ACTION. 4

 (3) “CONSENT” DOES NOT INCLUDE: 5

 (I) ACCEPTANCE OF A GENERAL OR BROAD TERMS OF USE OR 6
SIMILAR DOCUMENT THAT CONTAINS DESCRIPTIONS OF PERSONAL DATA 7
PROCESSING ALONG WITH OTHER UNRELATED INFORMATION; 8

 (II) HOVERING OVER, MUTING, PAUSING, OR CLOSING A PIECE 9
OF CONTENT; OR 10

 (III) AGREEMENT OBTAINED THROUGH THE USE OF DARK 11
PATTERNS. 12

 (I) “CONTROL” MEANS: 13

 (1) OWNERSHIP OF, OR THE POWER TO VOTE, MORE THAN 50% OF 14
THE OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF A COMPANY; 15

 (2) CONTROL IN ANY MANNER OVER THE ELECTION OF A MAJORITY 16
OF THE DIRECTORS OF A COMPANY OR OF INDIVIDUALS EXERCISING A SIMILAR 17
FUNCTION; OR 18

 (3) THE POWER TO EXERCISE CONTROLLING INFLUENCE OVER THE 19
MANAGEMENT OF A COMPANY. 20

 (J) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE 21
STATE. 22

 (2) “CONSUMER” DOES NOT INCLUDE AN INDIVIDUAL ACTING: 23

 (I) IN A COMMERCIAL OR EMPLOYMENT CONTEXT; OR 24

 (II) AS AN EMPLOYEE, AN OWNER, A DIRECTOR, AN OFFICER, OR 25
A CONTRACTOR OF A COMPANY, A PARTNERSHIP, A SOLE PROPRIETORSHIP, A 26
NONPROFIT ORGANIZATION, OR ANY GOVERNMENT AGENCY WHOSE 27
COMMUNICATIONS OR TRANSACTIONS WITH A CONTROLLER OCCUR ONLY WITHIN 28
 
 
THE CONTEXT OF THE INDIVIDUAL’S ROLE WITH THE COMPANY, PARTNERSHIP, 1
SOLE PROPRIETORSHIP, NONPROFIT ORGANIZATION, OR GOVERNMENT AGENCY. 2

 (K) “CONTROLLER” MEANS A PERSON THAT, ALONE OR JOINTLY WITH 3
OTHERS, DETERMINES THE PURPOSE AND MEANS OF PROCESSING PERSONAL DATA. 4

 (L) “COVERED ENTITY” HAS THE MEANING STATED IN THE FEDERAL 5
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996. 6

 (M) (1) “DARK PATTERN” MEANS A USER INTERFACE DESIGNED TO 7
SUBVERT OR IMPAIR, OR MANIPULATE WITH THE SUBSTANTIAL EFFECT OF 8
SUBVERTING OR IMPAIRING, USER AUTONOMY, DECISION MAKING, OR CHOICE. 9

 (2) “DARK PATTERN” INCLUDES ANY PRACTICE THE FEDERAL 10
TRADE COMMISSION REFERS TO AS A “DARK PATTERN”. 11

 (N) “DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT 12
EFFECTS CONCERNING THE CONSUMER” MEANS DECISIONS MADE BY A 13
CONTROLLER THAT RESULT IN THE PROVISION OR DENIAL BY THE CONTROLLER OF: 14

 (1) FINANCIAL OR LENDING SERVICES; 15

 (2) HOUSING; 16

 (3) INSURANCE; 17

 (4) EDUCATION ENROLLMENT OR OPPORTUNITY; 18

 (5) CRIMINAL JUSTICE; 19

 (6) EMPLOYMENT OPPORTUNITIES; 20

 (7) HEALTH CARE SERVICES; OR 21

 (8) ACCESS TO ESSENTIAL GOODS OR SERVICES. 22

 (O) “DE–IDENTIFIED DATA” MEANS DATA THAT CANNOT REASONABLY BE 23
USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO: 24

 (1) AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL; OR 25

 (2) A DEVICE LINKED TO AN IDENTIFIED OR IDENTIFIABLE 26
INDIVIDUAL. 27
 
 
 
 (P) “IDENTIFIED OR IDENTIFIABLE INDIVIDUAL” MEANS A CONSUMER WHO 1
CAN READILY BE IDENTIFIED, EITHER DIRECTLY OR INDIRECTLY. 2

 (Q) (1) “PERSONAL DATA” MEANS ANY INFORMATION THAT IS LINKED OR 3
CAN BE REASONABLY LINKED TO AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL. 4

 (2) “PERSONAL DATA” DOES NOT INCLUDE: 5

 (I) DE–IDENTIFIED DATA; OR 6

 (II) PUBLICLY AVAILABLE INFORMATION. 7

 (R) (1) “PRECISE GEOLOCATION DATA” MEANS INFORMATION DERIVED 8
FROM TECHNOLOGY THAT CAN PRECISELY AND ACCURATELY IDENTIFY THE 9
SPECIFIC LOCATION OF A CONSUMER WITHIN A RADIUS OF 1,750 FEET. 10

 (2) “PRECISE GEOLOCATION DATA” INCLUDES GLOBAL POSITIONING 11
SYSTEM LEVEL LATITUDE AND LONGITUDE COORDINATES OR OTHER SIMILAR 12
MECHANISMS. 13

 (3) “PRECISE GEOLOCATION DATA” DOES NOT INCLUDE: 14

 (I) THE CONTENT OF COMMUNICATIONS DATA GENERATED BY 15
OR CONNECTED TO AN ADVANCED UTILITY METERING INFRASTRUCTURE SYSTEM; 16
OR 17

 (II) EQUIPMENT USED BY A UTILITY COMPANY. 18

 (S) (1) “PROCESS” MEANS AN OPERATION PERFORMED BY MANUAL OR 19
AUTOMATED MEANS ON PERSONAL DATA. 20

 (2) “PROCESS” INCLUDES COLLECTING, USING, STORING, 21
DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONAL DATA. 22

 (T) “PROCESSOR” MEANS A PERSON THAT PROCESSES, STORES, OR 23
OTHERWISE USES PERSONAL DATA ON BEHALF OF A CONTROLLER. 24

 (U) “PROFILING” MEANS AUTOMATED PROCESSING PERFORMED ON 25
PERSONAL DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS 26
RELATED TO AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL’S ECONOMIC SITUATION, 27
HEALTH, PERSONAL PREFERENCES, INTERESTS, RELIABILITY, BEHAVIOR, 28
LOCATION, OR MOVEMENTS. 29
 
 
 
 (V) “PROTECTED HEALTH INFORMATION” HAS THE MEANING STATED IN 1
THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 2
1996. 3

 (W) “PUBLICLY AVAILABLE INFORMATION” MEANS INFORMATION THAT: 4

 (1) IS LAWFULLY MADE AVAILABLE THROUGH: 5

 (I) FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS; OR 6

 (II) WIDELY DISTRIBUTED MEDIA; AND 7

 (2) A CONTROLLER HAS A REASONABLE BASIS TO BELIEVE A 8
CONSUMER HAS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC. 9

 (X) (1) “SALE OF PERSONAL DATA” MEANS THE EXCHANGE OF PERSONAL 10
DATA BY A CONTROLLER TO A THIRD PARTY FOR MONETARY OR OTHER VALUABLE 11
CONSIDERATION. 12

 (2) “SALE OF PERSONAL DATA” DOES NOT INCLUDE: 13

 (I) THE DISCLOSURE OF PERSONAL DATA TO A PROCESSOR 14
THAT PROCESSES PERSONAL DATA ON BEHALF OF A CONTROLLER; 15

 (II) THE DISCLOSURE OF PERSONAL DATA TO A THIRD PARTY 16
FOR PURPOSES OF PROVIDING A PRODUCT OR SERVICE REQUESTED BY THE 17
CONSUMER; 18

 (III) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO AN 19
AFFILIATE OF THE CONTROLLER; 20

 (IV) THE DISCLOSURE OF PERSONAL DATA WHERE THE 21
CONSUMER: 22

 1. DIRECTS THE CONTROLLER TO DISCLOSE THE 23
PERSONAL DATA; OR 24

 2. INTENTIONALLY USES THE CONTROLLER TO 25
INTERACT WITH A THIRD PARTY; 26

 (V) THE DISCLOSURE OF PERSONAL DATA THAT THE 27
CONSUMER: 28
 
 
 
 1. INTENTIONALLY MADE AVAILABLE TO THE GENERAL 1
PUBLIC THROUGH A CHANNEL OF MASS MEDIA; AND 2

 2. DID NOT RESTRICT TO A SPECIFIC AUDIENCE; OR 3

 (VI) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO A 4
THIRD PARTY AS AN ASSET THAT IS PART OF AN ACTUAL OR PROPOSED MERGER, 5
ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION WHERE THE THIRD PARTY 6
ASSUMES CONTROL OF ALL OR PART OF THE CONTROLLER’S ASSETS. 7

 (Y) “SENSITIVE DATA” MEANS PERSONAL DATA OF A CONSUMER, THAT 8
INCLUDES: 9

 (1) DATA REVEALING: 10

 (I) RACIAL OR ETHNIC ORIGIN; 11

 (II) RELIGIOUS BELIEFS; 12

 (III) MENTAL OR PHYSICAL HEALTH CONDITION OR DIAGNOSES; 13

 (IV) SEX LIFE; 14

 (V) SEXUAL ORIENTATION; OR 15

 (VI) CITIZENSHIP OR IMMIGRATION STATUS; 16

 (2) GENETIC OR BIOMETRIC DATA FOR THE PURPOSE OF UNIQUELY 17
IDENTIFYING A CONSUMER; 18

 (3) PERSONAL DATA COLLECTED FROM A KNOWN CHILD; OR 19

 (4) PRECISE GEOLOCATION DATA. 20

 (Z) (1) “TARGETED ADVERTISING” MEANS DISPLAYING 21
ADVERTISEMENTS TO A CONSUMER WHERE THE ADVERTISEMENT IS SELECTED 22
BASED ON PERSONAL DATA OBTAINED OR INFERRED FROM THE CONSUMER’S 23
ACTIVITIES OVER TIME AND ACROSS NONAFFILIATED WEBSITES OR ONLINE 24
APPLICATIONS IN ORDER TO PREDICT THE CONSUMER’S PREFERENCES OR 25
INTERESTS. 26

 (2) “TARGETED ADVERTISING” DOES NOT INCLUDE: 27
 
 
 
 (I) ADVERTISEMENTS BASED ON ACTIVITIES WITHIN A 1
CONTROLLER’S OWN WEBSITES OR ONLINE APPLICATIONS; 2

 (II) ADVERTISEMENTS BASED ON THE CONTEXT OF A 3
CONSUMER’S SEARCH QUERY OR VISIT TO A WEBSITE OR ONLINE APPLICATION; 4

 (III) ADVERTISEMENTS DIRECTED TO A CONSUMER IN 5
RESPONSE TO THE CONSUMER’S REQUEST FOR INFORMATION OR FEEDBACK; OR 6

 (IV) PROCESSING PERSONAL DATA SOLELY TO MEASURE OR 7
REPORT ADVERTISING FREQUENCY, PERFORMANCE, OR REACH. 8

 (AA) “THIRD PARTY” MEANS A PERSON OTHER THAN A CONSUMER, A 9
CONTROLLER, A PROCESSOR, OR AN AFFILIATE OF THE CONTROLLER OR 10
PROCESSOR. 11

 (BB) (1) “TRADE SECRET” MEANS INFORMATION THAT: 12

 (I) DERIVES INDEPENDENT ECONOMIC VALUE, ACTUAL OR 13
POTENTIAL, FROM NOT BEING GENERALLY KNOWN TO, AND NOT BEING READILY 14
ASCERTAINABLE BY PROPER MEANS BY, OTHER PERSONS WHO COULD OBTAIN 15
ECONOMIC VALUE FROM THE INFORMATION’S DISCLOSURE OR USE; AND 16

 (II) IS THE SUBJECT OF EFFORTS THAT ARE REASONABLE 17
UNDER THE CIRCUMSTANCES TO MAINTAIN THE SECRECY OF THE INFORMATION. 18

 (2) “TRADE SECRET” INCLUDES A FORMULA, PATTERN, 19
COMPILATION, PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS. 20

14–4502. 21

 THIS SUBTITLE APPLIES TO A PERSON THAT: 22

 (1) CONDUCTS BUSINESS IN THE STATE; OR 23

 (2) (I) PRODUCES SERVICES OR PRODUCTS THAT ARE TARGETED 24
TO RESIDENTS OF THE STATE; AND 25

 (II) DURING THE IMMEDIATELY PRECEDING CALENDAR YEAR: 26

 1. CONTROLLED OR PROCESSED THE PERSONAL DATA 27
OF AT LEAST 100,000 CONSUMERS; OR 28
 
 
 
 2. CONTROLLED OR PROCESSED THE PERSONAL DATA 1
OF AT LEAST 25,000 CONSUMERS AND DERIVED MORE THAN 25% OF ITS GROSS 2
REVENUE FROM THE SALE OF PERSONAL DATA. 3

14–4503. 4

 (A) THIS SUBTITLE DOES NOT APPLY TO: 5

 (1) A POLITICAL SUBDIVISION OR A UNIT OF A POLITICAL 6
SUBDIVISION OF THE STATE; 7

 (2) A STATE COURT, CLERK OF THE COURT, JUDGE, OR 8
COMMISSIONER; 9

 (3) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED 10
UNDER 15 U.S.C. § 78O–3 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934; 11

 (4) A COVERED ENTITY OR BUSINESS ASSOCIATE; 12

 (5) A PERSON THAT CONTROLS OR PROCESSES PERSONAL DATA 13
SOLELY FOR THE PURPOSE OF COMPLETING A PAYMENT TRANSACTION; OR 14

 (6) AN ENTITY, OR AN AFFILIATE OF AN ENTITY, SUBJECT TO AND IN 15
COMPLIANCE WITH THE FEDERAL GRAMM–LEACH–BLILEY ACT. 16

 (B) THE FOLLOWING INFORMATION AND DATA IS EXEMPT FROM THIS 17
SUBTITLE: 18

 (1) PROTECTED HEALTH INFORMATION UNDER THE FEDERAL 19
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996; 20

 (2) PATIENT–IDENTIFYING INFORMATION FOR PURPOSES OF 42 21
U.S.C. § 290DD–2; 22

 (3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR 23
PURPOSES OF THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS 24
UNDER 45 C.F.R. 46; 25

 (4) IDENTIFIABLE PRIVATE INFORMATION THAT IS OTHERWISE 26
INFORMATION COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH IN 27
ACCORDANCE WITH THE GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE 28
 
 
INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS 1
FOR PHARMACEUTICALS FOR HUMAN USE; 2

 (5) INFORMATION COLLECTED AS PART OF A CLINICAL TRIAL 3
SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, 4
ALSO KNOWN AS THE COMMON RULE, IN ACCORDANCE WITH GOOD CLINICAL 5
PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR 6
HARMONISATION OF TECHNICAL REQUIREMENTS FOR PHARMACEUTICALS FOR 7
HUMAN USE OR IN ACCORDANCE WITH THE HUMAN SUBJECT PROTECTION 8
REQUIREMENTS OF THE U.S. FOOD AND DRUG ADMINISTRATION; 9

 (6) INFORMATION AND DOCUMENTS CREATED FOR PURPOSES OF THE 10
FEDERAL HEALTH CARE QUALITY IMPROVEMENT ACT OF 1986; 11

 (7) PATIENT SAFETY WORK PRODUCT FOR PURPOSES OF THE 12
FEDERAL PATIENT SAFETY AND QUALITY IMPROVEMENT ACT OF 2005; 13

 (8) INFORMATION DERIVED FROM ANY OF THE HEALTH CARE 14
RELATED INFORMATION LISTED IN THIS SUBSECTION THAT IS DE–IDENTIFIED IN 15
ACCORDANCE WITH THE REQUIREMENTS FOR DE–IDENTIFICATION IN ACCORDANCE 16
WITH THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT 17
OF 1996; 18

 (9) INFORMATION ORIGINATING FROM AND INTERMINGLED TO BE 19
INDISTINGUISHABLE FROM, OR INFORMATION TREATED IN THE SAME MANNER AS, 20
INFORMATION EXEMPT UNDER THIS SUBSECTION THAT IS MAINTAINED BY A 21
COVERED ENTITY OR BUSINESS ASSOCIATE, PROGRAM, OR QUALIFIED SERVICE 22
ORGANIZATION, AS SPECIFIED IN 42 U.S.C. § 290DD–2; 23

 (10) INFORMATION USED FOR PUBLIC HEALTH ACTIVITIES AND 24
PURPOSES AS AUTHORIZED BY THE FEDERAL HEALTH INSURANCE PORTABILITY 25
AND ACCOUNTABILITY ACT OF 1996, COMMUNITY HEALTH ACTIVITIES, AND 26
POPULATION HEALTH ACTIVITIES; 27

 (11) THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, 28
COMMUNICATION, OR USE OF PERSONAL INFORMATION BEARING ON A CONSUMER’S 29
CREDITWORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL 30
REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING TO OR FROM A 31
CONSUMER REPORTING AGENCY IF USE OF THE INFORMATION IS LIMITED BY AND 32
AUTHORIZED UNDER THE FEDERAL FAIR CREDIT REPORTING ACT; 33

 (12) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED 34
IN COMPLIANCE WITH THE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994; 35
 
 
 
 (13) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY 1
EDUCATIONAL RIGHTS AND PRIVACY ACT; 2

 (14) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED 3
IN COMPLIANCE WITH THE FEDERAL FARM CREDIT ACT; 4

 (15) DATA PROCESSED OR MAINTAINED: 5

 (I) IN THE COURSE OF AN INDIVIDUAL APPLYING TO, 6
EMPLOYED BY, OR ACTING AS AN AGENT OR INDEPENDENT CONTRACTOR OF A 7
CONTROLLER, PROCESSOR, OR THIRD PARTY, TO THE EXTENT THAT THE DATA IS 8
COLLECTED AND USED WITHIN THE CONTEXT OF THE ROLE; 9

 (II) AS THE EMERGENCY CONTACT INFORMATION OF A 10
CONSUMER USED FOR EMERGENCY CONTACT PURPOSES; OR 11

 (III) THAT IS NECESSARY TO RETAIN TO ADMINISTER BENEFITS 12
FOR ANOTHER INDIVIDUAL RELATING TO THE CONSUMER WHO IS THE SUBJECT OF 13
THE INFORMATION UNDER ITEM (I) OF THIS ITEM AND USED FOR THE PURPOSES OF 14
ADMINISTERING THE BENEFITS; AND 15

 (16) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED 16
IN RELATION TO PRICE, ROUTE, OR SERVICE BY AN AIR CARRIER SUBJECT TO THE 17
FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THIS SUBTITLE IS 18
PREEMPTED BY THE FEDERAL AIRLINE DEREGULATION ACT. 19

14–4504. 20

 (A) A CONSUMER MAY EXERCISE THE FOLLOWING RIGHTS IN RELATION TO 21
THE CONSUMER’S PERSONAL DATA: 22

 (1) CONFIRM WHETHER A CONTROLLER IS PROCESSING THE 23
CONSUMER’S PERSONAL DATA; 24

 (2) IF A CONTROLLER IS PROCESSING A CONSUMER’S PERSONAL 25
DATA, ACCESS THE PERSONAL DATA; 26

 (3) CORRECT INACCURACIES IN THE CONSUMER’S PERSONAL DATA; 27

 (4) DELETE PERSONAL DATA PROVIDED BY, OR OBTAINED ABOUT, 28
THE CONSUMER; 29
 
 
 (5) IF THE PROCESSING OF PERSONAL DATA IS DONE BY AUTOMATIC 1
MEANS, OBTAIN A COPY OF THE CONSUMER’S PERSONAL DATA PROCESSED BY THE 2
CONTROLLER IN A PORTABLE AND, TO THE EXTENT TECHNICALLY FEASIBLE, 3
READILY USABLE FORMAT THAT ALLOWS THE CONSUMER TO EASILY TRANSMIT THE 4
DATA TO ANOTHER CONTROLLER; AND 5

 (6) OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES 6
OF: 7

 (I) TARGETED ADVERTISING; 8

 (II) EXCEPT AS PROVIDED IN § 14–4507(D) OF THIS SUBTITLE, 9
THE SALE OF PERSONAL DATA; OR 10

 (III) PROFILING IN FURTHERANCE OF SOLELY AUTOMATED 11
DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS 12
CONCERNING THE CONSUMER. 13

 (B) A CONTROLLER SHALL ESTABLISH A SECURE AND RELIABLE METHOD 14
FOR A CONSUMER TO EXERCISE A CONSUMER RIGHT UNDER THIS SECTION. 15

 (C) (1) EXCEPT AS OTHERWISE PROVIDED IN THIS SUBTITLE, A 16
CONTROLLER SHALL COMPLY WITH A REQUEST BY A CONSUMER TO EXERCISE A 17
CONSUMER RIGHT LISTED IN THIS SECTION. 18

 (2) (I) A CONTROLLER SHALL RESPOND TO A CONSUMER REQUEST 19
NOT LATER THAN 45 DAYS AFTER THE CONTROLLER RECEIVES THE CONSUMER 20
REQUEST. 21

 (II) A CONTROLLER MAY EXTEND THE RESPONSE PERIOD BY AN 22
ADDITIONAL 45 DAYS IF: 23

 1. IT IS NECESSARY TO COMPLETE THE REQUEST BASED 24
ON THE COMPLEXITY AND NUMBER OF THE CONSUMER’S REQUESTS; AND 25

 2. THE CONTROLLER INFORMS THE CONSUMER OF THE 26
EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY 27
RESPONSE PERIOD. 28

 (3) (I) IF A CONTROLLER DOES NOT TAKE ACTION REGARDING A 29
CONSUMER’S REQUEST, THE CONTROLLER SHALL: 30
 
 
 1. NOTIFY THE CONSUMER THAT THE CONTROLLER 1
WILL NOT TAKE ACTION ON THE REQUEST; AND 2

 2. PROVIDE THE CONSUMER WITH: 3

 A. THE JUSTIFICATION FOR DECLINING TO TAKE 4
ACTION; AND 5

 B. INSTRUCTIONS FOR HOW TO APPEAL THE DECISION. 6

 (II) THE NOTIFICATION REQUIRED IN SUBPARAGRAPH (I) OF 7
THIS PARAGRAPH SHALL BE: 8

 1. SENT TO THE CONSUMER NOT LATER THAN 45 DAYS 9
AFTER THE CONTROLLER RECEIVES THE CONSUMER’S REQUEST; AND 10

 2. IN WRITING. 11

 (4) (I) EXCEPT AS PROVIDED IN THIS PARAGRAPH, A CONTROLLER 12
SHALL PROVIDE A CONSUMER, FREE OF CHARGE, WITH THE INFORMATION THE 13
CONSUMER REQUESTED. 14

 (II) A CONTROLLER MAY NOT BE REQUIRED TO PROVIDE A 15
CONSUMER WITH THE INFORMATION REQUESTED MORE THAN TWICE DURING ANY 16
CONSECUTIVE 12–MONTH PERIOD. 17

 (III) 1. IF REQUESTS FROM A CONSUMER ARE UNFOUNDED, 18
EXCESSIVE, OR REPETITIVE, A CONTROLLER MAY CHARGE THE CONSUMER A 19
REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING WITH THE 20
REQUEST. 21

 2. THE CONTROLLER HAS THE BURDEN OF 22
DEMONSTRATING THE UNFOUNDED, EXCESSIVE, OR REPETITIVE NATURE OF THE 23
REQUEST. 24

 (5) (I) IF A CONTROLLER IS UNABLE TO AUTHENTICATE A 25
REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (A)(1) 26
THROUGH (5) OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE 27
CONTROLLER MAY NOT BE REQUIRED TO COMPLY WITH THE REQUEST. 28

 (II) IF A CONTROLLER IS NOT ABLE TO AUTHENTICATE A 29
REQUEST USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER SHALL 30
NOTIFY THE CONSUMER THAT THE CONTROLLER IS UNABLE TO AUTHENTICATE THE 31
 
 
REQUEST UNTIL THE CONSUMER PROVIDES ADDITIONAL INFORMATION 1
REASONABLY NECESSARY TO AUTHENTICATE THE CONSUMER AND THE 2
CONSUMER’S REQUEST. 3

 (6) (I) A CONTROLLER IS NOT REQUIRED TO AUTHENTICATE AN 4
OPT–OUT REQUEST UNDER SUBSECTION (A)(6) OF THIS SECTION. 5

 (II) A CONTROLLER MAY DENY AN OPT–OUT REQUEST UNDER 6
SUBSECTION (A)(6) OF THIS SECTION IF THE CONTROLLER HAS A GOOD FAITH, 7
REASONABLE, AND DOCUMENTED BELIEF THAT THE REQUEST IS FRAUDULENT. 8

 (III) IF A CONTROLLER DENIES AN OPT–OUT REQUEST UNDER 9
SUBSECTION (A)(6) OF THIS SECTION BECAUSE THE CONTROLLER BELIEVES THE 10
REQUEST IS FRAUDULENT, THE CONTROLLER SHALL NOTIFY THE PERSON WHO 11
MADE THE REQUEST: 12

 1. THAT THE CONTROLLER BELIEVES THE REQUEST IS 13
FRAUDULENT; 14

 2. WHY THE CONTROLLER BELIEVES THE REQUEST IS 15
FRAUDULENT; AND 16

 3. THAT THE CONTROLLER WILL NOT COMPLY WITH THE 17
REQUEST. 18

 (7) A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A 19
CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER IS IN COMPLIANCE WITH 20
A CONSUMER’S REQUEST TO DELETE THE DATA IN ACCORDANCE WITH SUBSECTION 21
(A)(4) OF THIS SECTION BY: 22

 (I) RETAINING A RECORD OF THE DELETION REQUEST AND THE 23
MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THE CONSUMER’S 24
PERSONAL DATA: 25

 1. REMAINS DELETED FROM THE CONTROLLER’S 26
RECORDS; AND 27

 2. IS NOT BEING USED FOR ANY OTHER PURPOSE; OR 28

 (II) OPTING THE CONSUMER OUT OF THE PROCESSING OF THE 29
PERSONAL DATA FOR ANY PURPOSE EXCEPT FOR THOSE EXEMPTED BY THIS 30
SUBTITLE. 31
 
 
 (D) (1) A CONTROLLER SHALL ESTABLISH A PROCESS FOR A CONSUMER 1
TO APPEAL A DECISION MADE UNDER THIS SECTION. 2

 (2) THE APPEAL PROCESS SHALL: 3

 (I) BE CONSPICUOUSLY AVAILABLE TO A CONSUMER; 4

 (II) BE SIMILAR TO THE PROCESS FOR SUBMITTING REQUESTS 5
TO INITIATE ACTION IN ACCORDANCE WITH THIS SECTION; AND 6

 (III) ENSURE THAT A CONSUMER CAN APPEAL A DECISION 7
WITHIN A REASONABLE TIME AFTER THE CONSUMER RECEIVES THE DECISION. 8

 (3) NOT LATER THAN 60 DAYS AFTER RECEIPT OF AN APPEAL, A 9
CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR 10
NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF 11
THE REASONS FOR THE DECISION. 12

 (4) IF AN APPEAL IS DENIED, THE CONTROLLER SHALL PROVIDE THE 13
CONSUMER WITH AN ONLINE MECHANISM, IF AVAILABLE, THROUGH WHICH THE 14
CONSUMER MAY CONTACT THE DIVISION TO SUBMIT A COMPLAINT. 15

 (E) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A 16
CONTROLLER OR A PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER 17
REQUEST IF THE CONTROLLER: 18

 (1) IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST 19
WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE 20
CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA; 21

 (2) DOES NOT USE THE PERSONAL DATA TO RECOGNIZE OR RESPOND 22
TO THE CONSUMER WHO IS THE SUBJECT OF THE PERSONAL DATA OR ASSOCIATE 23
THE PERSONAL DATA WITH OTHER PERSONAL DATA ABOUT THE CONSUMER; AND 24

 (3) EXCEPT AS OTHERWISE ALLOWED IN THIS SECTION, DOES NOT 25
SELL OR OTHERWISE VOLUNTARILY DISCLOSE THE PERSONAL DATA TO A THIRD 26
PARTY. 27

 (F) NOTHING IN THIS SECTION MAY BE CONSTRUED TO REQUIRE A 28
CONTROLLER TO REVEAL A TRADE SECRET. 29
 
14–4505. 30 
 
 
 (A) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO PROHIBIT A 1
CONTROLLER OR PROCESSOR FROM: 2

 (1) COMPLYING WITH FEDERAL, STATE, OR LOCAL LAWS; 3

 (2) COMPLYING WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, 4
INVESTIGATION, SUBPOENA, OR SUMMONS BY A FEDERAL, STATE, OR LOCAL 5
AUTHORITY; 6

 (3) COOPERATING WITH LAW ENFORCEMENT AGENCIES 7
CONCERNING CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR 8
REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE A FEDERAL, STATE, OR 9
LOCAL LAW; 10

 (4) INVESTIGATING, ESTABLISHING, EXERCISING, PREPARING FOR, 11
OR DEFENDING A LEGAL CLAIM; 12

 (5) PROVIDING A PRODUCT OR SERVICE SPECIFICALLY REQUESTED 13
BY A CONSUMER; 14

 (6) PERFORMING UNDER A CONTRACT TO WHICH A CONSUMER IS A 15
PARTY, INCLUDING FULFILLING THE TERMS OF A WRITTEN WARRANTY; 16

 (7) TAKING STEPS AT THE REQUEST OF A CONSUMER BEFORE 17
ENTERING INTO A CONTRACT; 18

 (8) TAKING IMMEDIATE STEPS TO PROTECT AN INTEREST THAT IS 19
ESSENTIAL FOR THE LIFE OR PHYSICAL SAFETY OF A CONSUMER OR ANOTHER 20
INDIVIDUAL; 21

 (9) PREVENTING, DETECTING, PROTECTING AGAINST, OR 22
RESPONDING TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, 23
MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY ILLEGAL ACTIVITY; 24

 (10) PRESERVING THE INTEGRITY OR SECURITY OF A SYSTEM, OR 25
INVESTIGATING, REPORTING, OR PROSECUTING A PERSON RESPONSIBLE FOR THE 26
ACTION; 27

 (11) ENGAGING IN PUBLIC OR PEER–REVIEWED SCIENTIFIC OR 28
STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT: 29

 (I) ADHERES TO ALL OTHER APPLICABLE ETHICS AND PRIVACY 30
LAWS; AND 31
 
 
 
 (II) IS APPROVED, MONITORED, AND GOVERNED BY AN 1
INSTITUTIONAL REVIEW BOARD, OR A SIMILAR INDEPENDENT OVERSIGHT ENTITY, 2
THAT DETERMINES WHETHER: 3

 1. THE DELETION OF THE INFORMATION IS LIKELY TO 4
PROVIDE SUBSTANTIAL BENEFITS THAT DO NOT EXCLUSIVELY ACCRUE TO THE 5
CONTROLLER; 6

 2. THE EXPECTED BENEFITS OF THE RESEARCH 7
OUTWEIGH THE PRIVACY RISKS; AND 8

 3. THE CONTROLLER HAS IMPLEMENTED REASONABLE 9
SAFEGUARDS TO MITIGATE PRIVACY RISKS ASSOCIATED WITH RESEARCH, 10
INCLUDING ANY RISKS ASSOCIATED WITH RE–IDENTIFICATION; 11

 (12) ASSISTING ANOTHER CONTROLLER, PROCESSOR, OR 12
THIRD PARTY WITH AN OBLIGATION UNDER THIS SUBTITLE; OR 13

 (13) PROCESSING PERSONAL DATA FOR REASONS OF PUBLIC 14
INTEREST IN THE AREA OF PUBLIC HEALTH, COMMUNITY HEALTH, OR POPULATION 15
HEALTH, IF THE PROCESSING IS: 16

 (I) SUBJECT TO SUITABLE AND SPECIFIC MEASURES TO 17
SAFEGUARD THE RIGHTS OF A CONSUMER WHOSE PERSONAL DATA IS BEING 18
PROCESSED; AND 19

 (II) UNDER THE RESPONSIBILITY OF A PROFESSIONAL SUBJECT 20
TO CONFIDENTIALITY OBLIGATIONS UNDER FEDERAL, STATE, OR LOCAL LAW. 21

 (B) THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER 22
THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER’S OR PROCESSOR’S ABILITY TO 23
COLLECT, USE, OR RETAIN DATA FOR INTERNAL USE TO: 24

 (1) EFFECTUATE A PRODUCT RECALL; 25

 (2) IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR 26
EXISTING OR INTENDED FUNCTIONALITY; OR 27

 (3) PERFORM INTERNAL OPERATIONS THAT ARE: 28
 
 
 (I) REASONABLY ALIGNED WITH THE EXPECTATIONS OF THE 1
CONSUMER OR REASONABLY ANTICIPATED BASED ON THE CONSUMER’S EXISTING 2
RELATIONSHIP WITH THE CONTROLLER; OR 3

 (II) OTHERWISE COMPATIBLE WITH PROCESSING DATA IN 4
FURTHERANCE OF THE PROVISION OF A PRODUCT OR SERVICE SPECIFICALLY 5
REQUESTED BY A CONSUMER OR THE PERFORMANCE OF A CONTRACT TO WHICH THE 6
CONSUMER IS A PARTY. 7
 
 (C) (1) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO PREVENT A 8
CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA ABOUT A 9
CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER THE 10
LAWS OF THE STATE AS PART OF A PRIVILEGED COMMUNICATION. 11

 (2) AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR 12
UNDER THIS SUBTITLE DOES NOT APPLY WHERE COMPLIANCE BY THE CONTROLLER 13
OR PROCESSOR WITH THE SUBTITLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE 14
UNDER THE LAWS OF THE STATE. 15

 (D) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO: 16

 (1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR 17
THAT ADVERSELY AFFECTS THE RIGHTS OR FREEDOMS OF ANY PERSON; OR 18

 (2) APPLY TO A PERSON’S PROCESSING OF PERSONAL DATA IN THE 19
COURSE OF THE PERSON’S PERSONAL OR HOUSEHOLD ACTIVITIES. 20

 (E) IF A CONTROLLER PROCESSES PERSONAL DATA IN ACCORDANCE WITH 21
AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER SHALL DEMONSTRATE 22
THAT THE PROCESSING: 23

 (1) QUALIFIES FOR AN EXEMPTION; AND 24

 (2) COMPLIES WITH THE REQUIREMENTS IN SUBSECTION (F) OF THIS 25
SECTION. 26

 (F) (1) PERSONAL DATA PROCESSED BY A CONTROLLER IN ACCORDANCE 27
WITH THIS SECTION MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS: 28

 (I) REASONABLY NECESSARY AND PROPORTIONATE TO THE 29
PURPOSES LISTED IN THIS SECTION; AND 30
 
 (II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS 1
NECESSARY IN RELATION TO THE SPECIFIC PURPOSES LISTED IN THIS SECTION. 2

 (2) PERSONAL DATA COLLECTED, USED, OR RETAINED IN 3
ACCORDANCE WITH SUBSECTION (B) OF THIS SECTION SHALL: 4

 (I) WHERE APPROPRIATE, TAKE INTO ACCOUNT THE NATURE 5
AND PURPOSE OF THE COLLECTION, USE, OR RETENTION; AND 6

 (II) BE SUBJECT TO REASONABLE ADMINISTRATIVE, 7
TECHNICAL, AND PHYSICAL MEASURES TO: 8

 1. PROTECT THE CONFIDENTIALITY, INTEGRITY, AND 9
ACCESSIBILITY OF THE PERSONAL DATA; AND 10

 2. REDUCE REASONABLY FORESEEABLE RISKS OF HARM 11
TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL 12
DATA. 13
 
14–4506. 14 
 
 (A) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT TO ACT ON THE 15
CONSUMER’S BEHALF TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S 16
PERSONAL DATA FOR THE PURPOSES SPECIFIED IN § 14–4504(A) OF THIS SUBTITLE. 17

 (B) THE CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT BY: 18

 (1) AN INTERNET LINK OR A BROWSER SETTING ON A CONTROLLER’S 19
WEBSITE; OR 20

 (2) A BROWSER EXTENSION OR GLOBAL DEVICE SETTING ON A 21
CONTROLLER’S WEBSITE INDICATING THE CONSUMER’S INTENT TO OPT OUT OF THE 22
PROCESSING. 23

 (C) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED 24
FROM AN AUTHORIZED AGENT IF THE CONTROLLER IS ABLE TO VERIFY, USING 25
COMMERCIALLY REASONABLE EFFORTS: 26

 (1) THE IDENTITY OF THE CONSUMER; AND 27

 (2) THE AUTHORIZED AGENT’S AUTHORITY TO ACT ON THE 28
CONSUMER’S BEHALF. 29
 
 (D) THE FOLLOWING INDIVIDUALS MAY EXERCISE THE CONSUMER RIGHTS 1
SPECIFIED IN THIS SUBTITLE ON BEHALF OF ANOTHER INDIVIDUAL WITHOUT BEING 2
DESIGNATED AS AN AUTHORIZED AGENT UNDER SUBSECTION (A) OF THIS SECTION: 3

 (1) THE PARENT OR LEGAL GUARDIAN OF A KNOWN CHILD; 4

 (2) IF A CONSUMER IS SUBJECT TO A GUARDIANSHIP, A 5
CONSERVATORSHIP, OR ANY OTHER PROTECTIVE ARRANGEMENT, THE GUARDIAN 6
OR CONSERVATOR OF THE CONSUMER. 7
 
14–4507. 8 
 
 (A) A CONTROLLER MAY NOT: 9

 (1) SELL, LEASE, OR TRADE A CONSUMER’S BIOMETRIC DATA; 10

 (2) EXCEPT AS OTHERWISE PROVIDED IN THIS SUBTITLE, UNLESS 11
THE CONTROLLER OBTAINS THE CONSUMER’S CONSENT, PROCESS PERSONAL DATA 12
FOR A PURPOSE THAT IS NEITHER REASONABLY NECESSARY TO, NOR COMPATIBLE 13
WITH, THE DISCLOSED PURPOSES FOR WHICH THE PERSONAL DATA IS PROCESSED, 14
AS DISCLOSED TO THE CONSUMER; 15

 (3) PROCESS SENSITIVE DATA CONCERNING A CONSUMER WITHOUT 16
OBTAINING THE CONSUMER’S CONSENT; 17

 (4) PROCESS SENSITIVE DATA OF A KNOWN CHILD WITHOUT 18
PROCESSING THE DATA IN ACCORDANCE WITH THE FEDERAL CHILDREN’S ONLINE 19
PRIVACY PROTECTION ACT OF 1998; 20

 (5) PROCESS PERSONAL DATA IN VIOLATION OF FEDERAL, STATE, OR 21
LOCAL LAW THAT PROHIBITS UNLAWFUL DISCRIMINATION AGAINST A CONSUMER; 22
OR 23

 (6) PROCESS THE PERSONAL DATA OF A CONSUMER THAT THE 24
PROCESSOR KNOWS IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 16 YEARS 25
WITHOUT THE CONSUMER’S CONSENT FOR PURPOSES OF: 26

 (I) TARGETED ADVERTISING; OR 27

 (II) SELLING THE CONSUMER’S PERSONAL DATA. 28

 (B) A CONTROLLER SHALL: 29
 
 (1) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS: 1

 (I) ADEQUATE, RELEVANT, AND REASONABLY NECESSARY TO 2
COLLECT FOR THE PURPOSES FOR WHICH THE DATA IS PROCESSED; AND 3

 (II) DISCLOSED TO THE CONSUMER; 4

 (2) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE 5
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO 6
PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL 7
DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT 8
ISSUE; 9

 (3) PROVIDE AN EFFECTIVE MECHANISM FOR A CONSUMER TO 10
REVOKE THE CONSUMER’S CONSENT UNDER THIS SECTION THAT IS AT LEAST AS 11
EASY AS THE MECHANISM BY WHICH THE CONSUMER PROVIDED THE CONSUMER’S 12
CONSENT; AND 13

 (4) IF CONSENT IS REVOKED, STOP PROCESSING THE DATA AS SOON 14
AS PRACTICABLE, BUT NOT LATER THAN 15 DAYS AFTER THE RECEIPT OF THE 15
REQUEST. 16
 
 (C) A CONTROLLER IN POSSESSION OF BIOMETRIC DATA SHALL STORE, 17
TRANSMIT, AND PROTECT FROM DISCLOSURE ALL BIOMETRIC DATA: 18

 (1) USING THE REASONABLE STANDARD OF CARE WITHIN THE 19
CONTROLLER’S INDUSTRY; AND 20

 (2) IN A MANNER THAT IS AS PROTECTIVE AS OR MORE PROTECTIVE 21
THAN THE MANNER IN WHICH THE CONTROLLER STORES, TRANSMITS, AND 22
PROTECTS OTHER CONFIDENTIAL OR SENSITIVE DATA. 23

 (D) (1) EXCEPT AS PROVIDED IN PARAGRAPH (2) OF THIS SUBSECTION, A 24
CONTROLLER THAT COLLECTS BIOMETRIC DATA MAY NOT COLLECT, USE, DISCLOSE, 25
REDISCLOSE, OR OTHERWISE DISSEMINATE A CONTROLLER’S BIOMETRIC DATA 26
UNLESS: 27

 (I) THE CONTROLLER OR THE CONSUMER’S AUTHORIZED 28
AGENT GIVES CONSENT TO THE PARTICULAR CATEGORY OF COLLECTION, USE, 29
DISCLOSURE, REDISCLOSURE, OR DISSEMINATION; OR 30

 (II) THE DISCLOSURE OR REDISCLOSURE IS REQUIRED: 31
 
 1. BY A VALID WARRANT OR SUBPOENA; 1

 2. TO COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, 2
RULES, OR REGULATIONS; OR 3

 3. TO COOPERATE WITH LAW ENFORCEMENT 4
CONCERNING CONDUCT OR ACTIVITY THAT THE PRIVATE ENTITY OR THE 5
PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES VIOLATES A FEDERAL, 6
STATE, OR LOCAL LAW, RULE, OR REGULATION. 7

 (2) (I) A CONTROLLER MAY COLLECT, USE, DISCLOSE, 8
REDISCLOSE, OR OTHERWISE DISSEMINATE A CONSUMER’S BIOMETRIC DATA 9
WITHOUT COMPLYING WITH PARAGRAPH (1) OF THIS SUBSECTION IF THE 10
CONTROLLER: 11

 1. COLLECTS, USES, DISCLOSES, REDISCLOSES, OR 12
OTHERWISE DISSEMINATES THE BIOMETRIC DATA FOR FRAUD PREVENTION OR 13
SECURITY PURPOSES; AND 14

 2. SUBJECT TO SUBPARAGRAPH (III) OF THIS 15
PARAGRAPH: 16

 A. FOR A CONTROLLER THAT COLLECTS BIOMETRIC 17
DATA AT A PHYSICAL PREMISES, POSTS CONSPICUOUS WRITTEN NOTICE OF THE 18
COLLECTION OF BIOMETRIC DATA AT EACH POINT OF ENTRY; AND 19

 B. FOR A CONTROLLER THAT COLLECTS BIOMETRIC 20
DATA OF A CONSUMER DURING AN ONLINE ENCOUNTER WITH THE CONSUMER, 21
POSTS CONSPICUOUS WRITTEN NOTICE OF THE COLLECTION OF BIOMETRIC DATA 22
ON THE WEBSITE OF THE CONTROLLER. 23

 (II) 1. THE COLLECTION, USE, DISCLOSURE, 24
REDISCLOSURE, OR OTHER DISSEMINATION OF BIOMETRIC DATA UNDER THIS 25
SUBSECTION SHALL BE DIRECTLY TIED TO THE SERVICES BEING PROVIDED BY THE 26
CONTROLLER. 27

 2. A CONTROLLER THAT COLLECTS, USES, DISCLOSES, 28
REDISCLOSES, OR OTHERWISE DISSEMINATES BIOMETRIC DATA UNDER THIS 29
SUBSECTION MAY COLLECT, USE, DISCLOSE, REDISCLOSE, OR OTHERWISE 30
DISSEMINATE ONLY WHAT IS STRICTLY NECESSARY FOR FRAUD PREVENTION AND 31
SECURITY PURPOSES. 32
 
 (III) THE NOTICE REQUIRED IN SUBPARAGRAPH (I) OF THIS 1
PARAGRAPH SHALL INFORM CONSUMERS OF: 2

 1. THE CATEGORIES OF BIOMETRIC DATA TO BE 3
COLLECTED; AND 4

 2. THE PURPOSES FOR WHICH THE CATEGORIES OF 5
BIOMETRIC DATA WILL BE USED. 6

 (E) A CONTROLLER MAY NOT DISCRIMINATE AGAINST A CONSUMER FOR 7
EXERCISING A CONSUMER RIGHT AFFORDED BY THIS SUBTITLE, INCLUDING: 8

 (1) DENYING GOODS OR SERVICES; 9

 (2) CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR 10
SERVICES; OR 11

 (3) PROVIDING A DIFFERENT LEVEL OF QUALITY OF GOODS OR 12
SERVICES. 13
 
 (F) NOTHING IN SUBSECTION (E) OF THIS SECTION MAY BE CONSTRUED TO: 14

 (1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE 15
THAT REQUIRES THE PERSONAL DATA OF A CONSUMER WHICH THE CONTROLLER 16
DOES NOT COLLECT OR MAINTAIN; OR 17

 (2) PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE, 18
RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER, 19
INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN 20
CONNECTION WITH A CONSUMER’S VOLUNTARY PARTICIPATION IN A BONA FIDE 21
LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM. 22

 (G) (1) IF A CONSUMER’S DECISION TO OPT OUT OF THE PROCESSING OF 23
THE CONSUMER’S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING 24
OR THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL 25
SENT IN ACCORDANCE WITH § 14–4508(B)(4)(II) OF THIS SUBTITLE CONFLICTS WITH 26
THE CONSUMER’S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR 27
VOLUNTARY PARTICIPATION IN A CONTROLLER’S BONA FIDE LOYALTY, REWARDS, 28
PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE CONTROLLER 29
SHALL COMPLY WITH THE CONSUMER’S OPT–OUT PREFERENCE SIGNAL. 30

 (2) A CONTROLLER MAY: 31
 
 (I) NOTIFY A CONSUMER OF THE CONFLICT BETWEEN AN 1
OPT–OUT PREFERENCE SIGNAL AND A CONTROLLER’S SPECIFIC PRIVACY SETTING; 2
AND 3

 (II) PROVIDE TO THE CONSUMER THE CHOICE TO CONFIRM THE 4
CONTROLLER–SPECIFIC PRIVACY SETTING OR PARTICIPATION IN THE PROGRAM. 5

 (H) IF A CONTROLLER RESPONDS TO A CONSUMER OPT–OUT REQUEST 6
RECEIVED IN ACCORDANCE WITH SUBSECTION (G) OF THIS SECTION BY INFORMING 7
THE CONSUMER OF A CHARGE FOR THE USE OF ANY PRODUCT OR SERVICE, THE 8
CONTROLLER SHALL PRESENT THE TERMS OF ANY FINANCIAL INCENTIVE OFFERED 9
IN ACCORDANCE WITH SUBSECTION (F) OF THIS SECTION FOR THE RETENTION, USE, 10
SALE, OR SHARING OF THE CONSUMER’S PERSONAL DATA. 11

 (I) A CONTROLLER OR A PROCESSOR THAT COMPLIES WITH THE 12
VERIFIABLE PARENTAL CONSENT REQUIREMENTS OF THE FEDERAL CHILDREN’S 13
ONLINE PRIVACY PROTECTION ACT IS CONSIDERED TO BE COMPLIANT WITH ANY 14
OBLIGATION TO OBTAIN PARENTAL CONSENT IN ACCORDANCE WITH THIS SUBTITLE. 15

 (J) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR 16
PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING, THE CONTROLLER 17
SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE: 18

 (1) THE PROCESSING; AND 19

 (2) THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT 20
TO OPT OUT OF THE PROCESSING. 21
 
14–4508. 22 
 
 (A) (1) A CONTROLLER SHALL PROVIDE A CONSUMER WITH A 23
REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT 24
INCLUDES: 25

 (I) FOR BIOMETRIC DATA PROCESSED BY THE CONTROLLER, A 26
WRITTEN POLICY ESTABLISHING A RETENTION SCHEDULE AND GUIDELINES FOR 27
PERMANENTLY DESTROYING BIOMETRIC DATA; 28

 (II) THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE 29
CONTROLLER; 30

 (III) THE PURPOSES FOR PROCESSING PERSONAL DATA; 31
 
 (IV) HOW A CONSUMER MAY EXERCISE A CONSUMER RIGHT 1
UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A 2
CONTROLLER’S DECISION WITH REGARD TO THE CONSUMER’S REQUEST; 3

 (V) THE CATEGORIES OF THIRD PARTIES WITH WHICH THE 4
CONTROLLER SHARES PERSONAL DATA; 5

 (VI) THE CATEGORIES OF PERSONAL DATA THAT THE 6
CONTROLLER SHARES WITH THIRD PARTIES; AND 7

 (VII) AN ACTIVE E–MAIL ADDRESS OR OTHER ONLINE 8
MECHANISM THAT A CONSUMER MAY USE TO CONTACT THE CONTROLLER. 9

 (2) THE PRIVACY NOTICE IN PARAGRAPH (1) OF THIS SUBSECTION 10
SHALL BE MADE AVAILABLE TO THE PUBLIC. 11

 (B) (1) A CONTROLLER SHALL ESTABLISH AND DESCRIBE IN THE 12
PRIVACY NOTICE ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER 13
TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT UNDER THIS SUBTITLE. 14

 (2) THE METHOD A CONTROLLER CHOOSES TO SATISFY PARAGRAPH 15
(1) OF THIS SUBSECTION SHALL TAKE INTO ACCOUNT: 16

 (I) THE WAYS IN WHICH CONSUMERS NORMALLY INTERACT 17
WITH THE CONTROLLER; 18

 (II) THE NEED FOR SECURE AND RELIABLE COMMUNICATION 19
OF REQUESTS; AND 20

 (III) THE ABILITY OF THE CONTROLLER TO VERIFY THE 21
IDENTITY OF A CONSUMER MAKING THE REQUEST. 22

 (3) (I) A CONTROLLER MAY NOT REQUIRE A CONSUMER TO 23
CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT. 24

 (II) A CONTROLLER MAY REQUIRE A CONSUMER TO USE AN 25
EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT. 26
 
 (4) A CONTROLLER MAY CONSIDER THE FOLLOWING METHODS TO 27
SATISFY PARAGRAPH (1) OF THIS SUBSECTION: 28

 (I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE 29
CONTROLLER’S WEBSITE TO A WEBPAGE THAT ALLOWS A CONSUMER, OR AN 30
AUTHORIZED AGENT OF THE CONSUMER, TO OPT OUT OF THE TARGETED 1
ADVERTISING OR THE SALE OF THE CONSUMER’S PERSONAL DATA; OR 2

 (II) ALLOWING A CONSUMER TO OPT OUT OF ANY PROCESSING 3
OF THE CONSUMER’S PERSONAL DATA FOR THE PURPOSES OF TARGETED 4
ADVERTISING, OR ANY SALE OF PERSONAL DATA, THROUGH AN OPT–OUT 5
PREFERENCE SIGNAL SENT, WITH THE CONSUMER’S CONSENT, BY A PLATFORM, A 6
TECHNOLOGY, OR A MECHANISM TO THE CONTROLLER INDICATING THE 7
CONSUMER’S INTENT TO OPT OUT OF THE PROCESSING OR SALE. 8
 
 (5) (I) A PLATFORM, A TECHNOLOGY, OR A MECHANISM USED IN 9
ACCORDANCE WITH PARAGRAPH (4) OF THIS SUBSECTION SHALL: 10

 1. BE CONSUMER–FRIENDLY AND EASY TO USE BY THE 11
AVERAGE CONSUMER; 12

 2. BE AS CONSISTENT AS POSSIBLE WITH ANY OTHER 13
SIMILAR PLATFORM, TECHNOLOGY, OR MECHANISM REQUIRED BY ANY FEDERAL OR 14
STATE LAW OR REGULATION; AND 15

 3. ENABLE THE CONTROLLER TO ACCURATELY 16
DETERMINE WHETHER THE CONSUMER: 17

 A. IS A RESIDENT OF THE STATE; AND 18

 B. HAS MADE A LEGITIMATE REQUEST TO OPT OUT OF 19
ANY SALE OF THE CONSUMER’S PERSONAL DATA OR TARGETED ADVERTISING. 20

 (II) A PLATFORM, A TECHNOLOGY, OR A MECHANISM USED IN 21
ACCORDANCE WITH PARAGRAPH (4) OF THIS SUBSECTION: 22

 1. SHALL REQUIRE THE CONSUMER TO MAKE AN 23
AFFIRMATIVE, FREELY GIVEN, AND UNAMBIGUOUS CHOICE TO OPT OUT OF THE 24
PROCESSING OF THE CONSUMER’S PERSONAL DATA IN ACCORDANCE WITH THIS 25
SUBTITLE; AND 26

 2. MAY NOT: 27

 A. UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER; 28
OR 29

 B. MAKE USE OF A DEFAULT SETTING. 30
 
 (C) (1) THIS SUBSECTION APPLIES ONLY TO A CONTROLLER THAT 1
COLLECTS THE BIOMETRIC DATA OF CONSUMERS. 2

 (2) EXCEPT AS PROVIDED IN PARAGRAPHS (4) AND (5) OF THIS 3
SUBSECTION, A CONTROLLER IN POSSESSION OF BIOMETRIC DATA SHALL DEVELOP 4
A WRITTEN POLICY, MADE AVAILABLE TO THE PUBLIC, ESTABLISHING A RETENTION 5
SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING BIOMETRIC DATA ON 6
THE EARLIEST OF THE FOLLOWING: 7

 (I) THE DATE ON WHICH THE INITIAL PURPOSE FOR 8
COLLECTING OR OBTAINING THE BIOMETRIC DATA HAS BEEN SATISFIED; 9

 (II) WITHIN 3 YEARS AFTER THE CONSUMER’S LAST 10
INTERACTION WITH THE CONTROLLER IN POSSESSION OF THE BIOMETRIC DATA; OR 11

 (III) WITHIN 30 DAYS AFTER THE CONTROLLER RECEIVES A 12
VERIFIED REQUEST TO DELETE THE BIOMETRIC DATA SUBMITTED BY THE 13
CONSUMER OR THE CONSUMER’S AUTHORIZED AGENT. 14

 (3) ABSENT A VALID WARRANT OR SUBPOENA ISSUED BY A COURT OF 15
COMPETENT JURISDICTION, A CONTROLLER IN POSSESSION OF BIOMETRIC DATA 16
SHALL COMPLY WITH THE RETENTION SCHEDULE AND DESTRUCTION GUIDELINES 17
DEVELOPED UNDER PARAGRAPH (2) OF THIS SUBSECTION. 18

 (4) A CONTROLLER IN POSSESSION OF BIOMETRIC DATA FOR FRAUD 19
PREVENTION OR SECURITY PURPOSES IS NOT REQUIRED TO DESTROY A 20
CONSUMER’S BIOMETRIC DATA IN ACCORDANCE WITH PARAGRAPH (2)(II) AND (III) 21
OF THIS SUBSECTION IF THE CONSUMER IS PART OF THE STATE VOLUNTARY 22
EXCLUSION PROGRAM. 23

 (5) A CONTROLLER MAY NOT BE REQUIRED TO MAKE PUBLICLY 24
AVAILABLE A WRITTEN POLICY DEVELOPED UNDER THIS SUBSECTION IF: 25

 (I) THE CONTROLLER COLLECTS BIOMETRIC DATA ONLY FROM 26
THE CONTROLLER’S EMPLOYEES; AND 27

 (II) THE BIOMETRIC DATA IS USED SOLELY FOR INTERNAL 28
COMPANY OPERATIONS. 29
 
14–4509. 30 
 
 (A) (1) IF A CONTROLLER USES A PROCESSOR TO PROCESS THE 31
PERSONAL DATA OF CONSUMERS, THE CONTROLLER AND THE PROCESSOR SHALL 32
ENTER INTO A CONTRACT THAT GOVERNS THE PROCESSOR’S DATA PROCESSING 1
PROCEDURES WITH RESPECT TO PROCESSING PERFORMED ON BEHALF OF THE 2
CONTROLLER. 3

 (2) THE CONTRACT SHALL PROVIDE CLEAR INSTRUCTIONS FOR: 4

 (I) PROCESSING DATA; 5

 (II) THE NATURE AND PURPOSE OF PROCESSING; 6

 (III) THE TYPE OF DATA SUBJECT TO PROCESSING; 7

 (IV) THE DURATION OF PROCESSING; AND 8

 (V) THE RIGHTS AND OBLIGATIONS OF THE CONTROLLER AND 9
THE PROCESSOR. 10
 
 (3) THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR: 11

 (I) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA 12
IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA; 13

 (II) UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED 14
BY LAW, AT THE CONTROLLER’S DIRECTION, DELETE OR RETURN ALL PERSONAL 15
DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF 16
SERVICE; 17

 (III) MAKE AVAILABLE TO THE CONTROLLER ALL INFORMATION 18
IN THE PROCESSOR’S POSSESSION NECESSARY TO DEMONSTRATE THE PROCESSOR’S 19
COMPLIANCE WITH THE OBLIGATIONS IN THIS SUBTITLE; 20

 (IV) AFTER PROVIDING THE CONTROLLER AN OPPORTUNITY TO 21
OBJECT, REQUIRE A SUBCONTRACTOR TO SIGN A CONTRACT AGREEING TO MEET 22
THE OBLIGATIONS OF THE PROCESSOR WITH RESPECT TO THE PERSONAL DATA; AND 23

 (V) ALLOW AND COOPERATE WITH REASONABLE ASSESSMENTS 24
BY THE CONTROLLER, THE CONTROLLER’S DESIGNATED ASSESSOR, OR A QUALIFIED 25
AND INDEPENDENT ASSESSOR TO ASSESS THE PROCESSOR’S POLICIES AND 26
TECHNICAL AND ORGANIZATIONAL MEASURES TO COMPLY WITH THE OBLIGATIONS 27
UNDER THIS SUBTITLE. 28
 
 (4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT 1
OF AN ASSESSMENT REQUIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION TO THE 2
CONTROLLER. 3

 (II) AN ASSESSMENT CONDUCTED IN ACCORDANCE WITH 4
PARAGRAPH (3)(V) OF THIS SUBSECTION SHALL BE CONDUCTED USING AN 5
APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND 6
ASSESSMENT PROCEDURE FOR THE ASSESSMENTS. 7

 (B) A PROCESSOR SHALL ADHERE TO THE INSTRUCTIONS OF A 8
CONTROLLER AND SHALL ASSIST THE CONTROLLER IN MEETING THE 9
CONTROLLER’S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING: 10

 (1) TAKING INTO ACCOUNT THE NATURE OF PROCESSING AND THE 11
INFORMATION AVAILABLE TO THE PROCESSOR BY FULFILLING THE CONTROLLER’S 12
OBLIGATION TO RESPOND TO CONSUMER RIGHTS REQUESTS; 13

 (2) TAKING INTO ACCOUNT THE NATURE OF PROCESSING AND THE 14
INFORMATION AVAILABLE TO THE PROCESSOR, BY ASSISTING THE CONTROLLER IN 15
MEETING THE CONTROLLER’S OBLIGATIONS IN RELATION TO THE SECURITY OF 16
PROCESSING PERSONAL DATA AND THE NOTIFICATION OF A BREACH OF SECURITY 17
OF THE SYSTEM OF THE PROCESSOR, AS DEFINED IN § 14–3504 OF THIS TITLE, IN 18
ORDER TO MEET THE CONTROLLER’S OBLIGATIONS; AND 19

 (3) PROVIDING NECESSARY INFORMATION TO ENABLE THE 20
CONTROLLER TO CONDUCT AND DOCUMENT DATA PROTECTION ASSESSMENTS. 21
 
 (C) NOTHING IN THIS SECTION MAY BE CONSTRUED TO RELIEVE A 22
CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON THE 23
CONTROLLER OR PROCESSOR BY VIRTUE OF THE CONTROLLER’S OR PROCESSOR’S 24
ROLE IN THE PROCESSING RELATIONSHIP. 25

 (D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A 26
CONTROLLER OR A PROCESSOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA 27
IS A FACT–BASED DETERMINATION THAT DEPENDS UPON THE CONTEXT IN WHICH 28
PERSONAL DATA IS BEING PROCESSED. 29

 (2) A PERSON IS CONSIDERED TO BE A CONTROLLER IF THE PERSON: 30

 (I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPECIFIC 31
PERSONAL DATA IN ACCORDANCE WITH A CONTROLLER’S INSTRUCTIONS; OR 32
 
 (II) FAILS TO FOLLOW A CONTROLLER’S INSTRUCTIONS 1
REGARDING THE SPECIFIC PROCESSING OF PERSONAL DATA. 2

 (3) IF A PROCESSOR, ALONE OR JOINTLY WITH OTHERS, DETERMINES 3
THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA, THE 4
PROCESSOR: 5

 (I) IS A CONTROLLER WITH RESPECT TO THE PROCESSING; AND 6

 (II) MAY BE SUBJECT TO AN ENFORCEMENT ACTION UNDER 7
THIS SUBTITLE. 8
 
14–4510. 9 
 
 (A) IN THIS SECTION, “PROCESSING ACTIVITIES THAT PRESENT A 10
HEIGHTENED RISK OF HARM TO A CONSUMER” MEANS: 11

 (1) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF 12
TARGETED ADVERTISING; 13

 (2) THE SALE OF PERSONAL DATA; 14

 (3) THE PROCESSING OF SENSITIVE DATA; AND 15

 (4) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF 16
PROFILING, IN WHICH THE PROFILING PRESENTS A REASONABLY FORESEEABLE 17
RISK OF: 18

 (I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATMENT OF A 19
CONSUMER; 20

 (II) HAVING AN UNLAWFUL DISPARATE IMPACT ON A 21
CONSUMER; 22

 (III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJURY TO A 23
CONSUMER; 24

 (IV) A PHYSICAL OR OTHER INTRUSION ON THE SOLITUDE OR 25
SECLUSION OR THE PRIVATE AFFAIRS OR CONCERNS OF A CONSUMER INTO WHICH 26
THE INTRUSION WOULD BE OFFENSIVE TO A REASONABLE PERSON; OR 27

 (V) OTHER SUBSTANTIAL INJURY TO A CONSUMER. 28
 
 (B) A CONTROLLER SHALL CONDUCT AND DOCUMENT A DATA PROTECTION 1
ASSESSMENT FOR EACH OF THE CONTROLLER’S PROCESSING ACTIVITIES THAT 2
PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER. 3

 (C) (1) A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE 4
WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS OF THE 5
PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER STAKEHOLDERS, AND 6
THE PUBLIC AGAINST THE POTENTIAL RISKS TO THE RIGHTS OF THE CONSUMER 7
ASSOCIATED WITH THE PROCESSING. 8

 (2) THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION 9
ASSESSMENT: 10

 (I) THE USE OF DE–IDENTIFIED DATA; 11

 (II) THE REASONABLE EXPECTATIONS OF CONSUMERS; 12

 (III) THE CONTEXT OF THE PROCESSING; 13

 (IV) THE RELATIONSHIP BETWEEN THE CONTROLLER AND THE 14
CONSUMER WHOSE PERSONAL DATA WILL BE PROCESSED; AND 15

 (V) THE SAFEGUARDS THAT CAN BE EMPLOYED BY THE 16
CONTROLLER TO REDUCE THE RISKS AGAINST CONSUMERS ASSOCIATED WITH THE 17
PROCESSING. 18
 
 (D) (1) THE DIVISION MAY REQUIRE THAT A CONTROLLER MAKE 19
AVAILABLE TO THE DIVISION A DATA PROTECTION ASSESSMENT THAT IS RELEVANT 20
TO AN INVESTIGATION CONDUCTED BY THE DIVISION. 21

 (2) THE DIVISION MAY EVALUATE A DATA PROTECTION ASSESSMENT 22
FOR COMPLIANCE WITH THE RESPONSIBILITIES ESTABLISHED IN THIS SUBTITLE. 23

 (E) A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A 24
COMPARABLE SET OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR 25
ACTIVITIES. 26

 (F) IF A CONTROLLER CONDUCTS A DATA PROTECTION ASSESSMENT FOR 27
THE PURPOSE OF COMPLYING WITH ANOTHER LAW OR REGULATION, THE DATA 28
PROTECTION ASSESSMENT SHALL SATISFY THE REQUIREMENTS ESTABLISHED IN 29
THIS SECTION IF THE DATA PROTECTION ASSESSMENT IS REASONABLY SIMILAR IN 30
SCOPE AND EFFECT TO THE DATA PROTECTION ASSESSMENT THAT WOULD 31
OTHERWISE BE CONDUCTED IN ACCORDANCE WITH THIS SECTION. 32

 (G) A DATA PROTECTION ASSESSMENT SHALL BE CONFIDENTIAL AND 1
EXEMPT FROM DISCLOSURE UNDER THE MARYLAND PUBLIC INFORMATION ACT. 2
 
14–4511. 3 
 
 (A) NOTHING IN THIS SECTION MAY BE CONSTRUED TO: 4

 (1) REQUIRE A CONTROLLER OR A PROCESSOR TO RE–IDENTIFY 5
DE–IDENTIFIED DATA; 6

 (2) MAINTAIN DATA IN AN IDENTIFIABLE FORM; OR 7

 (3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR 8
TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED 9
CONSUMER REQUEST WITH PERSONAL DATA. 10

 (B) A CONTROLLER IN POSSESSION OF DE–IDENTIFIED DATA SHALL: 11

 (1) TAKE REASONABLE MEASURES TO ENSURE THAT THE DATA 12
CANNOT BE ASSOCIATED WITH A CONSUMER; 13

 (2) PUBLICLY COMMIT TO MAINTAINING AND USING DE–IDENTIFIED 14
DATA WITHOUT ATTEMPTING TO RE–IDENTIFY THE DATA; AND 15

 (3) CONTRACTUALLY OBLIGATE A RECIPIENT OF DE–IDENTIFIED 16
DATA TO COMPLY WITH ITEMS (1) AND (2) OF THIS SUBSECTION. 17
 
 (C) A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL: 18

 (1) EXERCISE REASONABLE OVERSIGHT TO MONITOR COMPLIANCE 19
WITH A CONTRACTUAL COMMITMENT TO WHICH THE DE–IDENTIFIED DATA IS 20
SUBJECT; AND 21

 (2) IF NECESSARY, TAKE APPROPRIATE STEPS TO ADDRESS A BREACH 22
OF A CONTRACTUAL COMMITMENT. 23

 (D) A CONTROLLER THAT POSSESSES THE DE–IDENTIFIED DATA SHALL: 24

 (1) TAKE REASONABLE MEASURES TO ENSURE THAT THE DATA 25
CANNOT BE ASSOCIATED WITH A CONSUMER; 26

 (2) PUBLICLY COMMIT TO: 27

 (I) PROCESS THE DATA ONLY IN A DE–IDENTIFIED MANNER; 1
AND 2

 (II) NOT ATTEMPT TO RE–IDENTIFY THE DATA; AND 3

 (3) CONTRACTUALLY OBLIGATE A RECIPIENT OF THE DATA TO 4
SATISFY THE CRITERIA IN ITEMS (1) AND (2) OF THIS SUBSECTION. 5
 
14–4512. 6 
 
 (A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION, A 7
VIOLATION OF THIS SUBTITLE IS: 8

 (1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE PRACTICE WITHIN 9
THE MEANING OF TITLE 13 OF THIS ARTICLE; AND 10

 (2) SUBJECT TO THE ENFORCEMENT AND PENALTY PROVISIONS 11
CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE. 12

 (B) IN ADDITION TO THE REMEDIES AVAILABLE IN SUBSECTION (A) OF THIS 13
SECTION, A CONSUMER WHO IS AFFECTED BY A VIOLATION OF § 14–4507(A)(1) OF 14
THIS SUBTITLE MAY BRING AN ACTION AGAINST THE CONTROLLER IN ACCORDANCE 15
WITH § 13–408 OF THIS ARTICLE. 16
 
 SECTION 2. AND BE IT FURTHER ENACTED, That: 17 
 
 (a) There is a Task Force to Study Online Data Privacy. 18 
 
 (b) The Task Force consists of the following members: 19 
 
 (1) two members of the Senate of Maryland, appointed by the President of 20 
the Senate; 21 
 
 (2) two members of the House of Delegates, appointed by the Speaker of 22 
the House; 23 
 
 (3) the Attorney General, or the Attorney General’s designee; 24 
 
 (4) the following members, appointed by the Governor: 25 
 
 (i) one representative of the business sector; 26 
 
 (ii) one representative of the academic sector;  27 
 
 (iii) one representative from a consumer advocacy group; and 1 
 
 (iv) two attorneys with experience in privacy law. 2 
 
 (c) The Governor shall designate the chair of the Task Force. 3 
 
 (d) The State agencies represented on the Task Force shall provide staff for the 4 
Task Force. 5 
 
 (e) A member of the Task Force: 6 
 
 (1) may not receive compensation as a member of the Task Force; but 7 
 
 (2) is entitled to reimbursement for expenses under the Standard State 8 
Travel Regulations, as provided in the State budget. 9 
 
 (f) The Task Force shall: 10 
 
 (1) study and make recommendations regarding: 11 
 
 (i) information sharing among health care and social care providers; 12 
 
 (ii) algorithmic decision–making and the proper use of data to reduce 13 
bias in algorithmic decision–making; 14 
 
 (iii) requiring an operator, upon a parent’s request, to delete the 15 
account of a child and cease to collect, use or maintain, in retrievable form, the child’s 16 
personal data on the operator’s website or online service directed to children, and provide 17 
parents with an accessible, reasonable, and verifiable means to make the request; 18 
 
 (iv) methods of verifying the age of a child who creates a social media 19 
account; 20 
 
 (v) issues concerning data colocation, including the impact that the 21 
provisions of Section 1 of this Act may have on third parties that provide data storage and 22 
colocation services; 23 
 
 (vi) issues surrounding additional persons or groups that are subject 24 
to the provisions of Section 1 of this Act; and 25 
 
 (vii) other topics concerning online data privacy; and 26 
 
 (2) make recommendations for future data privacy legislation. 27 
 
 (g) On or before June 1, 2024, the Task Force shall report its findings and 28 
recommendations to the Governor and, in accordance with § 2–1257 of the State 29
Government Article, the Senate Finance Committee and the House Economic Matters 1
Committee. 2
 
 SECTION 3. AND BE IT FURTHER ENACTED, That § 14–4510 of the Commercial 3 
Law Article, as enacted by Section 1 of this Act, shall be construed to apply only 4 
prospectively and may not be applied or interpreted to have any effect on or application to 5 
any personal data processing activities before the effective date of this Act. 6 
 
 SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect 7 
October 1, 2023. Section 2 of this Act shall remain effective for a period of 2 years and, at 8 
the end of September 30, 2025, Section 2 of this Act, with no further action required by the 9 
General Assembly, shall be abrogated and of no further force and effect. 10