EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
[Brackets] indicate matter deleted from existing law.

SENATE BILL 698

I3 3lr1613

CF HB 807

By: Senator Augustine

Introduced and read first time: February 6, 2023

Assigned to: Finance

A BILL ENTITLED

AN ACT concerning

Consumer Protection – Online and Biometric Data Privacy

FOR the purpose of regulating the manner in which a controller or a processor in possession of a consumer’s personal data may process the consumer’s personal data; authorizing a consumer to exercise certain rights in regards to the consumer’s personal data; requiring a controller of personal data to establish a method for a consumer to exercise certain rights in regards to the consumer’s personal data; requiring a controller to comply with a request by a consumer to exercise a certain right in a certain manner, except under certain circumstances; authorizing a consumer to designate an authorized agent to act on the consumer’s behalf to opt out of the processing of the consumer’s personal data; requiring a controller to provide a consumer with a certain privacy notice; requiring a controller that uses a processor to process the personal data of consumers to enter into a contract with the processor that governs the processor’s data processing procedures; requiring a controller to conduct and document a data protection assessment for consumer data processing activities that present a heightened risk of harm to a consumer; regulating the use of biometric data, including requiring controllers in possession of biometric data to develop a policy, made available to the public, establishing a retention schedule and destruction guidelines for biometric data; authorizing an individual alleging a violation of this Act to bring a civil action against the offending controller under certain circumstances; making a violation of this Act an unfair, abusive, or deceptive trade practice that
is subject to enforcement and penalties under the Maryland Consumer Protection Act; establishing the Task Force to Study Online Data Privacy; and generally relating to online and biometric data privacy.

BY repealing and reenacting, with amendments,
Article – Commercial Law
Section 13–301(14)(xxxv) and 13–408
Annotated Code of Maryland
(2013 Replacement Volume and 2022 Supplement)

BY repealing and reenacting, without amendments,
Article – Commercial Law
Section 13–301(14)(xxxvi)
Annotated Code of Maryland
(2013 Replacement Volume and 2022 Supplement)

BY adding to
Article – Commercial Law
Section 13–301(xxxvii); and 14–4501 through 14–4512 to be under the new subtitle “Subtitle 45. Online and Biometric Data Privacy Act”
Annotated Code of Maryland
(2013 Replacement Volume and 2022 Supplement)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Commercial Law

13–301.

Unfair, abusive, or deceptive trade practices include any:

(14) Violation of a provision of:

(xxxv) Section 11–210 of the Education Article; [or]

(xxxvi) Title 14, Subtitle 44 of this article; or

(XXXVII) TITLE 14, SUBTITLE 45 OF THIS ARTICLE; OR

13–408.

(a) In addition to any action by the Division or Attorney General authorized by this title and any other action otherwise authorized by law, any person may bring an action to recover for injury or loss sustained by [him] THE PERSON as the result of a practice prohibited by this title.

(b) Any person who brings an action to recover for injury or loss under this section and who is awarded damages may also seek, and the court may award, reasonable attorney’s fees.
(c) If it appears to the satisfaction of the court, at any time, that an action is brought in bad faith or is of a frivolous nature, the court may order the offending party to pay to the other party reasonable attorney’s fees.

(d) Notwithstanding any other provision of this section, a person may not bring an action under this section to recover for injuries sustained as a result of the professional services provided by a health care provider, as defined in § 3–2A–01 of the Courts Article.

SUBTITLE 45. ONLINE AND BIOMETRIC DATA PRIVACY ACT.

14–4501.

(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.

(B) “AFFILIATE” MEANS A PERSON THAT:

(1) SHARES COMMON BRANDING WITH ANOTHER PERSON; OR

(2) CONTROLS, IS CONTROLLED BY, OR IS UNDER COMMON CONTROL WITH ANOTHER PERSON.

(C) “AUTHENTICATE” MEANS TO USE REASONABLE MEANS TO DETERMINE THAT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH § 14–4504 OF THIS SUBTITLE IS BEING MADE BY, OR ON BEHALF OF, AN INDIVIDUAL WHO IS ENTITLED TO EXERCISE THE CONSUMER RIGHT.

(D) (1) “BIOMETRIC DATA” MEANS DATA GENERATED BY AUTOMATIC MEASUREMENTS OF THE BIOLOGICAL CHARACTERISTICS OF A CONSUMER THAT ARE USED TO IDENTIFY A SPECIFIC CONSUMER.

(2) “BIOMETRIC DATA” INCLUDES:

(I) A FINGERPRINT;

(II) A VOICE PRINT;

(III) EYE RETINAS OR IRISES;

(IV) BIOMETRIC SCANS CREATED FROM PHYSICAL OR DIGITAL PHOTOGRAPHS; AND

(V) ANY OTHER UNIQUE BIOLOGICAL PATTERNS OR CHARACTERISTICS.

(3) “BIOMETRIC DATA” DOES NOT INCLUDE:

(I) A PHYSICAL OR DIGITAL PHOTOGRAPH;

(II) A VIDEO OR AN AUDIO RECORDING; OR

(III) INFORMATION COLLECTED, USED, OR STORED FOR HEALTH CARE TREATMENT, PAYMENT, OR OPERATIONS UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.
(E) “BUSINESS ASSOCIATE” HAS THE MEANING STATED IN THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.

(F) “CHILD” HAS THE MEANING STATED IN THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998.

(G) “CONFIDENTIAL DATA” MEANS INFORMATION THAT CAN BE USED TO UNIQUELY IDENTIFY A CONSUMER OR A CONSUMER’S ACCOUNT OR PROPERTY, INCLUDING:

(1) A GENETIC MARKER;

(2) GENETIC TESTING INFORMATION;

(3) A UNIQUE IDENTIFIER NUMBER TO LOCATE AN ACCOUNT OR PROPERTY;

(4) AN ACCOUNT NUMBER;

(5) A PERSONAL IDENTIFICATION NUMBER;

(6) A PASSCODE;

(7) A DRIVER’S LICENSE NUMBER; AND

(8) A SOCIAL SECURITY NUMBER.

(H) (1) “CONSENT” MEANS A SPECIFIC, DISCRETE, FREELY GIVEN, UNAMBIGUOUS, AND INFORMED AGREEMENT GIVEN BY A CONSUMER WHO IS NOT UNDER ANY DURESS OR UNDUE INFLUENCE FROM A CONTROLLER OR PROCESSOR TO ALLOW THE PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR A PARTICULAR PURPOSE.

(2) “CONSENT” INCLUDES:

(I) A WRITTEN STATEMENT;

(II) A WRITTEN STATEMENT BY ELECTRONIC MEANS;

(III) IN THE CONTEXT OF EMPLOYMENT, A RELEASE EXECUTED BY AN EMPLOYEE AS A CONDITION OF EMPLOYMENT; AND

(IV) ANY OTHER UNAMBIGUOUS AFFIRMATIVE ACTION.

(3) “CONSENT” DOES NOT INCLUDE:

(I) ACCEPTANCE OF A GENERAL OR BROAD TERMS OF USE OR SIMILAR DOCUMENT THAT CONTAINS DESCRIPTIONS OF PERSONAL DATA PROCESSING ALONG WITH OTHER UNRELATED INFORMATION;

(II) HOVERING OVER, MUTING, PAUSING, OR CLOSING A PIECE OF CONTENT; OR

(III) AGREEMENT OBTAINED THROUGH THE USE OF DARK PATTERNS.
(I) “CONTROL” MEANS:

(1) OWNERSHIP OF, OR THE POWER TO VOTE, MORE THAN 50% OF THE OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF A COMPANY;

(2) CONTROL IN ANY MANNER OVER THE ELECTION OF A MAJORITY OF THE DIRECTORS OF A COMPANY OR OF INDIVIDUALS EXERCISING A SIMILAR FUNCTION; OR

(3) THE POWER TO EXERCISE CONTROLLING INFLUENCE OVER THE MANAGEMENT OF A COMPANY.

(J) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE STATE.

(2) “CONSUMER” DOES NOT INCLUDE AN INDIVIDUAL ACTING:

(I) IN A COMMERCIAL OR EMPLOYMENT CONTEXT; OR

(II) AS AN EMPLOYEE, AN OWNER, A DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, A PARTNERSHIP, A SOLE PROPRIETORSHIP, A NONPROFIT ORGANIZATION, OR ANY GOVERNMENT AGENCY WHOSE COMMUNICATIONS OR TRANSACTIONS WITH A CONTROLLER OCCUR ONLY WITHIN THE CONTEXT OF THE INDIVIDUAL’S ROLE WITH THE COMPANY, PARTNERSHIP, SOLE PROPRIETORSHIP, NONPROFIT ORGANIZATION, OR GOVERNMENT AGENCY.

(K) “CONTROLLER” MEANS A PERSON THAT, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSE AND MEANS OF PROCESSING PERSONAL DATA.

(L) “COVERED ENTITY” HAS THE MEANING STATED IN THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.

(M) (1) “DARK PATTERN” MEANS A USER INTERFACE DESIGNED TO SUBVERT OR IMPAIR, OR MANIPULATE WITH THE SUBSTANTIAL EFFECT OF SUBVERTING OR IMPAIRING, USER AUTONOMY, DECISION MAKING, OR CHOICE.

(2) “DARK PATTERN” INCLUDES ANY PRACTICE THE FEDERAL TRADE COMMISSION REFERS TO AS A “DARK PATTERN”.
(N) “DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING THE CONSUMER” MEANS DECISIONS MADE BY A CONTROLLER THAT RESULT IN THE PROVISION OR DENIAL BY THE CONTROLLER OF:

(1) FINANCIAL OR LENDING SERVICES;

(2) HOUSING;

(3) INSURANCE;

(4) EDUCATION ENROLLMENT OR OPPORTUNITY;

(5) CRIMINAL JUSTICE;

(6) EMPLOYMENT OPPORTUNITIES;

(7) HEALTH CARE SERVICES; OR

(8) ACCESS TO ESSENTIAL GOODS OR SERVICES.

(O) “DE–IDENTIFIED DATA” MEANS DATA THAT CANNOT REASONABLY BE USED TO INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO:

(1) AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL; OR

(2) A DEVICE LINKED TO AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL.

(P) “IDENTIFIED OR IDENTIFIABLE INDIVIDUAL” MEANS A CONSUMER WHO CAN READILY BE IDENTIFIED, EITHER DIRECTLY OR INDIRECTLY.

(Q) (1) “PERSONAL DATA” MEANS ANY INFORMATION THAT IS LINKED OR CAN BE REASONABLY LINKED TO AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL.

(2) “PERSONAL DATA” DOES NOT INCLUDE:

(I) DE–IDENTIFIED DATA; OR

(II) PUBLICLY AVAILABLE INFORMATION.

(R) (1) “PRECISE GEOLOCATION DATA” MEANS INFORMATION DERIVED FROM TECHNOLOGY THAT CAN PRECISELY AND ACCURATELY IDENTIFY THE SPECIFIC LOCATION OF A CONSUMER WITHIN A RADIUS OF 1,750 FEET.

(2) “PRECISE GEOLOCATION DATA” INCLUDES GLOBAL POSITIONING SYSTEM LEVEL LATITUDE AND LONGITUDE COORDINATES OR OTHER SIMILAR MECHANISMS.

(3) “PRECISE GEOLOCATION DATA” DOES NOT INCLUDE:

(I) THE CONTENT OF COMMUNICATIONS DATA GENERATED BY OR CONNECTED TO AN ADVANCED UTILITY METERING INFRASTRUCTURE SYSTEM; OR

(II) EQUIPMENT USED BY A UTILITY COMPANY.

(S) (1) “PROCESS” MEANS AN OPERATION PERFORMED BY MANUAL OR AUTOMATED MEANS ON PERSONAL DATA.

(2) “PROCESS” INCLUDES COLLECTING, USING, STORING, DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONAL DATA.
(T) “PROCESSOR” MEANS A PERSON THAT PROCESSES, STORES, OR OTHERWISE USES PERSONAL DATA ON BEHALF OF A CONTROLLER.

(U) “PROFILING” MEANS AUTOMATED PROCESSING PERFORMED ON PERSONAL DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS RELATED TO AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL’S ECONOMIC SITUATION, HEALTH, PERSONAL PREFERENCES, INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS.

(V) “PROTECTED HEALTH INFORMATION” HAS THE MEANING STATED IN THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.

(W) “PUBLICLY AVAILABLE INFORMATION” MEANS INFORMATION THAT:

(1) IS LAWFULLY MADE AVAILABLE THROUGH:

(I) FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS; OR

(II) WIDELY DISTRIBUTED MEDIA; AND

(2) A CONTROLLER HAS A REASONABLE BASIS TO BELIEVE A CONSUMER HAS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC.

(X) (1) “SALE OF PERSONAL DATA” MEANS THE EXCHANGE OF PERSONAL DATA BY A CONTROLLER TO A THIRD PARTY FOR MONETARY OR OTHER VALUABLE CONSIDERATION.

(2) “SALE OF PERSONAL DATA” DOES NOT INCLUDE:

(I) THE DISCLOSURE OF PERSONAL DATA TO A PROCESSOR THAT PROCESSES PERSONAL DATA ON BEHALF OF A CONTROLLER;

(II) THE DISCLOSURE OF PERSONAL DATA TO A THIRD PARTY FOR PURPOSES OF PROVIDING A PRODUCT OR SERVICE REQUESTED BY THE CONSUMER;

(III) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO AN AFFILIATE OF THE CONTROLLER;

(IV) THE DISCLOSURE OF PERSONAL DATA WHERE THE CONSUMER:

1. DIRECTS THE CONTROLLER TO DISCLOSE THE PERSONAL DATA; OR

2. INTENTIONALLY USES THE CONTROLLER TO INTERACT WITH A THIRD PARTY;

(V) THE DISCLOSURE OF PERSONAL DATA THAT THE CONSUMER:

1. INTENTIONALLY MADE AVAILABLE TO THE GENERAL PUBLIC THROUGH A CHANNEL OF MASS MEDIA; AND

2.
DID NOT RESTRICT TO A SPECIFIC AUDIENCE; OR

(VI) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO A THIRD PARTY AS AN ASSET THAT IS PART OF AN ACTUAL OR PROPOSED MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION WHERE THE THIRD PARTY ASSUMES CONTROL OF ALL OR PART OF THE CONTROLLER’S ASSETS.

(Y) “SENSITIVE DATA” MEANS PERSONAL DATA OF A CONSUMER, THAT INCLUDES:

(1) DATA REVEALING:

(I) RACIAL OR ETHNIC ORIGIN;

(II) RELIGIOUS BELIEFS;

(III) MENTAL OR PHYSICAL HEALTH CONDITION OR DIAGNOSES;

(IV) SEX LIFE;

(V) SEXUAL ORIENTATION; OR

(VI) CITIZENSHIP OR IMMIGRATION STATUS;

(2) GENETIC OR BIOMETRIC DATA FOR THE PURPOSE OF UNIQUELY IDENTIFYING A CONSUMER;

(3) PERSONAL DATA COLLECTED FROM A KNOWN CHILD; OR

(4) PRECISE GEOLOCATION DATA.

(Z) (1) “TARGETED ADVERTISING” MEANS DISPLAYING ADVERTISEMENTS TO A CONSUMER WHERE THE ADVERTISEMENT IS SELECTED BASED ON PERSONAL DATA OBTAINED OR INFERRED FROM THE CONSUMER’S ACTIVITIES OVER TIME AND ACROSS NONAFFILIATED WEBSITES OR ONLINE APPLICATIONS IN ORDER TO PREDICT THE CONSUMER’S PREFERENCES OR INTERESTS.

(2) “TARGETED ADVERTISING” DOES NOT INCLUDE:

(I) ADVERTISEMENTS BASED ON ACTIVITIES WITHIN A CONTROLLER’S OWN WEBSITES OR ONLINE APPLICATIONS;

(II) ADVERTISEMENTS BASED ON THE CONTEXT OF A CONSUMER’S SEARCH QUERY OR VISIT TO A WEBSITE OR ONLINE APPLICATION;

(III) ADVERTISEMENTS DIRECTED TO A CONSUMER IN RESPONSE TO THE CONSUMER’S REQUEST FOR INFORMATION OR FEEDBACK; OR

(IV) PROCESSING PERSONAL DATA SOLELY TO MEASURE OR REPORT ADVERTISING FREQUENCY, PERFORMANCE, OR REACH.

(AA) “THIRD PARTY” MEANS A PERSON OTHER THAN A CONSUMER, A CONTROLLER, A PROCESSOR, OR AN AFFILIATE OF THE CONTROLLER OR PROCESSOR.
(BB) (1) “TRADE SECRET” MEANS INFORMATION THAT:

(I) DERIVES INDEPENDENT ECONOMIC VALUE, ACTUAL OR POTENTIAL, FROM NOT BEING GENERALLY KNOWN TO, AND NOT BEING READILY ASCERTAINABLE BY PROPER MEANS BY, OTHER PERSONS WHO COULD OBTAIN ECONOMIC VALUE FROM THE INFORMATION’S DISCLOSURE OR USE; AND

(II) IS THE SUBJECT OF EFFORTS THAT ARE REASONABLE UNDER THE CIRCUMSTANCES TO MAINTAIN THE SECRECY OF THE INFORMATION.

(2) “TRADE SECRET” INCLUDES A FORMULA, PATTERN, COMPILATION, PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS.

14–4502.

THIS SUBTITLE APPLIES TO A PERSON THAT:

(1) CONDUCTS BUSINESS IN THE STATE; OR

(2) (I) PRODUCES SERVICES OR PRODUCTS THAT ARE TARGETED TO RESIDENTS OF THE STATE; AND

(II) DURING THE IMMEDIATELY PRECEDING CALENDAR YEAR:

1. CONTROLLED OR PROCESSED THE PERSONAL DATA OF AT LEAST 100,000 CONSUMERS; OR

2. CONTROLLED OR PROCESSED THE PERSONAL DATA OF AT LEAST 25,000 CONSUMERS AND DERIVED MORE THAN 25% OF ITS GROSS REVENUE FROM THE SALE OF PERSONAL DATA.

14–4503.

(A) THIS SUBTITLE DOES NOT APPLY TO:

(1) A POLITICAL SUBDIVISION OR A UNIT OF A POLITICAL SUBDIVISION OF THE STATE;

(2) A STATE COURT, CLERK OF THE COURT, JUDGE, OR COMMISSIONER;

(3) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED UNDER 15 U.S.C. § 78O–3 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934;

(4) A COVERED ENTITY OR BUSINESS ASSOCIATE;

(5) A PERSON THAT CONTROLS OR PROCESSES PERSONAL DATA SOLELY FOR THE PURPOSE OF COMPLETING A PAYMENT TRANSACTION; OR

(6) AN ENTITY, OR AN AFFILIATE OF AN ENTITY, SUBJECT TO AND IN COMPLIANCE WITH THE FEDERAL GRAMM–LEACH–BLILEY ACT.

(B) THE FOLLOWING INFORMATION AND DATA IS EXEMPT FROM THIS SUBTITLE:

(1) PROTECTED HEALTH INFORMATION UNDER THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996;

(2) PATIENT–IDENTIFYING INFORMATION FOR PURPOSES OF 42 U.S.C.
§ 290DD–2;

(3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR PURPOSES OF THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS UNDER 45 C.F.R. 46;

(4) IDENTIFIABLE PRIVATE INFORMATION THAT IS OTHERWISE INFORMATION COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH IN ACCORDANCE WITH THE GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS FOR PHARMACEUTICALS FOR HUMAN USE;

(5) INFORMATION COLLECTED AS PART OF A CLINICAL TRIAL SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE, IN ACCORDANCE WITH GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS FOR PHARMACEUTICALS FOR HUMAN USE OR IN ACCORDANCE WITH THE HUMAN SUBJECT PROTECTION REQUIREMENTS OF THE U.S. FOOD AND DRUG ADMINISTRATION;

(6) INFORMATION AND DOCUMENTS CREATED FOR PURPOSES OF THE FEDERAL HEALTH CARE QUALITY IMPROVEMENT ACT OF 1986;

(7) PATIENT SAFETY WORK PRODUCT FOR PURPOSES OF THE FEDERAL PATIENT SAFETY AND QUALITY IMPROVEMENT ACT OF 2005;

(8) INFORMATION DERIVED FROM ANY OF THE HEALTH CARE RELATED INFORMATION LISTED IN THIS SUBSECTION THAT IS DE–IDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DE–IDENTIFICATION IN ACCORDANCE WITH THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996;

(9) INFORMATION ORIGINATING FROM AND INTERMINGLED TO BE INDISTINGUISHABLE FROM, OR INFORMATION TREATED IN THE SAME MANNER AS, INFORMATION EXEMPT UNDER THIS SUBSECTION THAT IS MAINTAINED BY A COVERED ENTITY OR BUSINESS ASSOCIATE, PROGRAM, OR QUALIFIED SERVICE ORGANIZATION, AS SPECIFIED IN 42 U.S.C.
§ 290DD–2;

(10) INFORMATION USED FOR PUBLIC HEALTH ACTIVITIES AND PURPOSES AS AUTHORIZED BY THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996, COMMUNITY HEALTH ACTIVITIES, AND POPULATION HEALTH ACTIVITIES;

(11) THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION, OR USE OF PERSONAL INFORMATION BEARING ON A CONSUMER’S CREDITWORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING TO OR FROM A CONSUMER REPORTING AGENCY IF USE OF THE INFORMATION IS LIMITED BY AND AUTHORIZED UNDER THE FEDERAL FAIR CREDIT REPORTING ACT;

(12) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED IN COMPLIANCE WITH THE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994;

(13) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT;

(14) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED IN COMPLIANCE WITH THE FEDERAL FARM CREDIT ACT;

(15) DATA PROCESSED OR MAINTAINED:

(I) IN THE COURSE OF AN INDIVIDUAL APPLYING TO, EMPLOYED BY, OR ACTING AS AN AGENT OR INDEPENDENT CONTRACTOR OF A CONTROLLER, PROCESSOR, OR THIRD PARTY, TO THE EXTENT THAT THE DATA IS COLLECTED AND USED WITHIN THE CONTEXT OF THE ROLE;

(II) AS THE EMERGENCY CONTACT INFORMATION OF A CONSUMER USED FOR EMERGENCY CONTACT PURPOSES; OR

(III) THAT IS NECESSARY TO RETAIN TO ADMINISTER BENEFITS FOR ANOTHER INDIVIDUAL RELATING TO THE CONSUMER WHO IS THE SUBJECT OF THE INFORMATION UNDER ITEM (I) OF THIS ITEM AND USED FOR THE PURPOSES OF ADMINISTERING THE BENEFITS; AND

(16) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED IN RELATION TO PRICE, ROUTE, OR SERVICE BY AN AIR CARRIER SUBJECT TO THE FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THIS SUBTITLE IS PREEMPTED BY THE FEDERAL AIRLINE DEREGULATION ACT.

14–4504.
(A) A CONSUMER MAY EXERCISE THE FOLLOWING RIGHTS IN RELATION TO THE CONSUMER’S PERSONAL DATA:

(1) CONFIRM WHETHER A CONTROLLER IS PROCESSING THE CONSUMER’S PERSONAL DATA;

(2) IF A CONTROLLER IS PROCESSING A CONSUMER’S PERSONAL DATA, ACCESS THE PERSONAL DATA;

(3) CORRECT INACCURACIES IN THE CONSUMER’S PERSONAL DATA;

(4) DELETE PERSONAL DATA PROVIDED BY, OR OBTAINED ABOUT, THE CONSUMER;

(5) IF THE PROCESSING OF PERSONAL DATA IS DONE BY AUTOMATIC MEANS, OBTAIN A COPY OF THE CONSUMER’S PERSONAL DATA PROCESSED BY THE CONTROLLER IN A PORTABLE AND, TO THE EXTENT TECHNICALLY FEASIBLE, READILY USABLE FORMAT THAT ALLOWS THE CONSUMER TO EASILY TRANSMIT THE DATA TO ANOTHER CONTROLLER; AND

(6) OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF:

(I) TARGETED ADVERTISING;

(II) EXCEPT AS PROVIDED IN § 14–4507(D) OF THIS SUBTITLE, THE SALE OF PERSONAL DATA; OR

(III) PROFILING IN FURTHERANCE OF SOLELY AUTOMATED DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING THE CONSUMER.

(B) A CONTROLLER SHALL ESTABLISH A SECURE AND RELIABLE METHOD FOR A CONSUMER TO EXERCISE A CONSUMER RIGHT UNDER THIS SECTION.

(C) (1) EXCEPT AS OTHERWISE PROVIDED IN THIS SUBTITLE, A CONTROLLER SHALL COMPLY WITH A REQUEST BY A CONSUMER TO EXERCISE A CONSUMER RIGHT LISTED IN THIS SECTION.

(2) (I) A CONTROLLER SHALL RESPOND TO A CONSUMER REQUEST NOT LATER THAN 45 DAYS AFTER THE CONTROLLER RECEIVES THE CONSUMER REQUEST.

(II) A CONTROLLER MAY EXTEND THE RESPONSE PERIOD BY AN ADDITIONAL 45 DAYS IF:

1. IT IS NECESSARY TO COMPLETE THE REQUEST BASED ON THE COMPLEXITY AND NUMBER OF THE CONSUMER’S REQUESTS; AND

2. THE CONTROLLER INFORMS THE CONSUMER OF THE EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY RESPONSE PERIOD.
(3) (I) IF A CONTROLLER DOES NOT TAKE ACTION REGARDING A CONSUMER’S REQUEST, THE CONTROLLER SHALL:

1. NOTIFY THE CONSUMER THAT THE CONTROLLER WILL NOT TAKE ACTION ON THE REQUEST; AND

2. PROVIDE THE CONSUMER WITH:

A. THE JUSTIFICATION FOR DECLINING TO TAKE ACTION; AND

B. INSTRUCTIONS FOR HOW TO APPEAL THE DECISION.

(II) THE NOTIFICATION REQUIRED IN SUBPARAGRAPH (I) OF THIS PARAGRAPH SHALL BE:

1. SENT TO THE CONSUMER NOT LATER THAN 45 DAYS AFTER THE CONTROLLER RECEIVES THE CONSUMER’S REQUEST; AND

2. IN WRITING.

(4) (I) EXCEPT AS PROVIDED IN THIS PARAGRAPH, A CONTROLLER SHALL PROVIDE A CONSUMER, FREE OF CHARGE, WITH THE INFORMATION THE CONSUMER REQUESTED.

(II) A CONTROLLER MAY NOT BE REQUIRED TO PROVIDE A CONSUMER WITH THE INFORMATION REQUESTED MORE THAN TWICE DURING ANY CONSECUTIVE 12–MONTH PERIOD.

(III) 1. IF REQUESTS FROM A CONSUMER ARE UNFOUNDED, EXCESSIVE, OR REPETITIVE, A CONTROLLER MAY CHARGE THE CONSUMER A REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING WITH THE REQUEST.

2. THE CONTROLLER HAS THE BURDEN OF DEMONSTRATING THE UNFOUNDED, EXCESSIVE, OR REPETITIVE NATURE OF THE REQUEST.

(5) (I) IF A CONTROLLER IS UNABLE TO AUTHENTICATE A REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (A)(1) THROUGH (5) OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER MAY NOT BE REQUIRED TO COMPLY WITH THE REQUEST.

(II) IF A CONTROLLER IS NOT ABLE TO AUTHENTICATE A REQUEST USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER SHALL NOTIFY THE CONSUMER THAT THE CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST UNTIL THE CONSUMER PROVIDES ADDITIONAL INFORMATION REASONABLY NECESSARY TO AUTHENTICATE THE CONSUMER AND THE CONSUMER’S REQUEST.

(6) (I) A CONTROLLER IS NOT REQUIRED TO AUTHENTICATE AN OPT–OUT REQUEST UNDER SUBSECTION (A)(6) OF THIS SECTION.
(II) A CONTROLLER MAY DENY AN OPT–OUT REQUEST UNDER SUBSECTION (A)(6) OF THIS SECTION IF THE CONTROLLER HAS A GOOD FAITH, REASONABLE, AND DOCUMENTED BELIEF THAT THE REQUEST IS FRAUDULENT.

(III) IF A CONTROLLER DENIES AN OPT–OUT REQUEST UNDER SUBSECTION (A)(6) OF THIS SECTION BECAUSE THE CONTROLLER BELIEVES THE REQUEST IS FRAUDULENT, THE CONTROLLER SHALL NOTIFY THE PERSON WHO MADE THE REQUEST:

1. THAT THE CONTROLLER BELIEVES THE REQUEST IS FRAUDULENT;

2. WHY THE CONTROLLER BELIEVES THE REQUEST IS FRAUDULENT; AND

3. THAT THE CONTROLLER WILL NOT COMPLY WITH THE REQUEST.

(7) A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER IS IN COMPLIANCE WITH A CONSUMER’S REQUEST TO DELETE THE DATA IN ACCORDANCE WITH SUBSECTION (A)(4) OF THIS SECTION BY:

(I) RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THE CONSUMER’S PERSONAL DATA:

1. REMAINS DELETED FROM THE CONTROLLER’S RECORDS; AND

2. IS NOT BEING USED FOR ANY OTHER PURPOSE; OR

(II) OPTING THE CONSUMER OUT OF THE PROCESSING OF THE PERSONAL DATA FOR ANY PURPOSE EXCEPT FOR THOSE EXEMPTED BY THIS SUBTITLE.

(D) (1) A CONTROLLER SHALL ESTABLISH A PROCESS FOR A CONSUMER TO APPEAL A DECISION MADE UNDER THIS SECTION.

(2) THE APPEAL PROCESS SHALL:

(I) BE CONSPICUOUSLY AVAILABLE TO A CONSUMER;

(II) BE SIMILAR TO THE PROCESS FOR SUBMITTING REQUESTS TO INITIATE ACTION IN ACCORDANCE WITH THIS SECTION; AND

(III) ENSURE THAT A CONSUMER CAN APPEAL A DECISION WITHIN A REASONABLE TIME AFTER THE CONSUMER RECEIVES THE DECISION.

(3) NOT LATER THAN 60 DAYS AFTER RECEIPT OF AN APPEAL, A CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF THE REASONS FOR THE DECISION.
(4) IF AN APPEAL IS DENIED, THE CONTROLLER SHALL PROVIDE THE CONSUMER WITH AN ONLINE MECHANISM, IF AVAILABLE, THROUGH WHICH THE CONSUMER MAY CONTACT THE DIVISION TO SUBMIT A COMPLAINT.

(E) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER REQUEST IF THE CONTROLLER:

(1) IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA;

(2) DOES NOT USE THE PERSONAL DATA TO RECOGNIZE OR RESPOND TO THE CONSUMER WHO IS THE SUBJECT OF THE PERSONAL DATA OR ASSOCIATE THE PERSONAL DATA WITH OTHER PERSONAL DATA ABOUT THE CONSUMER; AND

(3) EXCEPT AS OTHERWISE ALLOWED IN THIS SECTION, DOES NOT SELL OR OTHERWISE VOLUNTARILY DISCLOSE THE PERSONAL DATA TO A THIRD PARTY.

(F) NOTHING IN THIS SECTION MAY BE CONSTRUED TO REQUIRE A CONTROLLER TO REVEAL A TRADE SECRET.

14–4505.
(A) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO PROHIBIT A CONTROLLER OR PROCESSOR FROM:

(1) COMPLYING WITH FEDERAL, STATE, OR LOCAL LAWS;

(2) COMPLYING WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS BY A FEDERAL, STATE, OR LOCAL AUTHORITY;

(3) COOPERATING WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE A FEDERAL, STATE, OR LOCAL LAW;

(4) INVESTIGATING, ESTABLISHING, EXERCISING, PREPARING FOR, OR DEFENDING A LEGAL CLAIM;

(5) PROVIDING A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER;

(6) PERFORMING UNDER A CONTRACT TO WHICH A CONSUMER IS A PARTY, INCLUDING FULFILLING THE TERMS OF A WRITTEN WARRANTY;

(7) TAKING STEPS AT THE REQUEST OF A CONSUMER BEFORE ENTERING INTO A CONTRACT;

(8) TAKING IMMEDIATE STEPS TO PROTECT AN INTEREST THAT IS ESSENTIAL FOR THE LIFE OR PHYSICAL SAFETY OF A CONSUMER OR ANOTHER INDIVIDUAL;

(9) PREVENTING, DETECTING, PROTECTING AGAINST, OR RESPONDING TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY ILLEGAL ACTIVITY;

(10) PRESERVING THE INTEGRITY OR SECURITY OF A SYSTEM, OR INVESTIGATING, REPORTING, OR PROSECUTING A PERSON RESPONSIBLE FOR THE ACTION;

(11) ENGAGING IN PUBLIC OR PEER–REVIEWED SCIENTIFIC OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT:

(I) ADHERES TO ALL OTHER APPLICABLE ETHICS AND PRIVACY LAWS; AND

(II) IS APPROVED, MONITORED, AND GOVERNED BY AN INSTITUTIONAL REVIEW BOARD, OR A SIMILAR INDEPENDENT OVERSIGHT ENTITY, THAT DETERMINES WHETHER:

1. THE DELETION OF THE INFORMATION IS LIKELY TO PROVIDE SUBSTANTIAL BENEFITS THAT DO NOT EXCLUSIVELY ACCRUE TO THE CONTROLLER;

2. THE EXPECTED BENEFITS OF THE RESEARCH OUTWEIGH THE PRIVACY RISKS; AND

3.
THE CONTROLLER HAS IMPLEMENTED REASONABLE SAFEGUARDS TO MITIGATE PRIVACY RISKS ASSOCIATED WITH RESEARCH, INCLUDING ANY RISKS ASSOCIATED WITH RE–IDENTIFICATION;

(12) ASSISTING ANOTHER CONTROLLER, PROCESSOR, OR THIRD PARTY WITH AN OBLIGATION UNDER THIS SUBTITLE; OR

(13) PROCESSING PERSONAL DATA FOR REASONS OF PUBLIC INTEREST IN THE AREA OF PUBLIC HEALTH, COMMUNITY HEALTH, OR POPULATION HEALTH, IF THE PROCESSING IS:

(I) SUBJECT TO SUITABLE AND SPECIFIC MEASURES TO SAFEGUARD THE RIGHTS OF A CONSUMER WHOSE PERSONAL DATA IS BEING PROCESSED; AND

(II) UNDER THE RESPONSIBILITY OF A PROFESSIONAL SUBJECT TO CONFIDENTIALITY OBLIGATIONS UNDER FEDERAL, STATE, OR LOCAL LAW.

(B) THE OBLIGATIONS IMPOSED ON CONTROLLERS OR PROCESSORS UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER’S OR PROCESSOR’S ABILITY TO COLLECT, USE, OR RETAIN DATA FOR INTERNAL USE TO:

(1) EFFECTUATE A PRODUCT RECALL;

(2) IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR

(3) PERFORM INTERNAL OPERATIONS THAT ARE:

(I) REASONABLY ALIGNED WITH THE EXPECTATIONS OF THE CONSUMER OR REASONABLY ANTICIPATED BASED ON THE CONSUMER’S EXISTING RELATIONSHIP WITH THE CONTROLLER; OR

(II) OTHERWISE COMPATIBLE WITH PROCESSING DATA IN FURTHERANCE OF THE PROVISION OF A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER OR THE PERFORMANCE OF A CONTRACT TO WHICH THE CONSUMER IS A PARTY.

(C) (1) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA ABOUT A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER THE LAWS OF THE STATE AS PART OF A PRIVILEGED COMMUNICATION.
(2) AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR UNDER THIS SUBTITLE DOES NOT APPLY WHERE COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THE SUBTITLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER THE LAWS OF THE STATE.

(D) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO:

(1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR THAT ADVERSELY AFFECTS THE RIGHTS OR FREEDOMS OF ANY PERSON; OR

(2) APPLY TO A PERSON’S PROCESSING OF PERSONAL DATA IN THE COURSE OF THE PERSON’S PERSONAL OR HOUSEHOLD ACTIVITIES.

(E) IF A CONTROLLER PROCESSES PERSONAL DATA IN ACCORDANCE WITH AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER SHALL DEMONSTRATE THAT THE PROCESSING:

(1) QUALIFIES FOR AN EXEMPTION; AND

(2) COMPLIES WITH THE REQUIREMENTS IN SUBSECTION (F) OF THIS SECTION.

(F) (1) PERSONAL DATA PROCESSED BY A CONTROLLER IN ACCORDANCE WITH THIS SECTION MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS:

(I) REASONABLY NECESSARY AND PROPORTIONATE TO THE PURPOSES LISTED IN THIS SECTION; AND

(II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS NECESSARY IN RELATION TO THE SPECIFIC PURPOSES LISTED IN THIS SECTION.

(2) PERSONAL DATA COLLECTED, USED, OR RETAINED IN ACCORDANCE WITH SUBSECTION (B) OF THIS SECTION SHALL:

(I) WHERE APPROPRIATE, TAKE INTO ACCOUNT THE NATURE AND PURPOSE OF THE COLLECTION, USE, OR RETENTION; AND

(II) BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO:

1. PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND

2. REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA.

14–4506.

(A) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT TO ACT ON THE CONSUMER’S BEHALF TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR THE PURPOSES SPECIFIED IN § 14–4504(A) OF THIS SUBTITLE.
(B) THE CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT BY:

(1) AN INTERNET LINK OR A BROWSER SETTING ON A CONTROLLER’S WEBSITE; OR

(2) A BROWSER EXTENSION OR GLOBAL DEVICE SETTING ON A CONTROLLER’S WEBSITE INDICATING THE CONSUMER’S INTENT TO OPT OUT OF THE PROCESSING.

(C) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF THE CONTROLLER IS ABLE TO VERIFY, USING COMMERCIALLY REASONABLE EFFORTS:

(1) THE IDENTITY OF THE CONSUMER; AND

(2) THE AUTHORIZED AGENT’S AUTHORITY TO ACT ON THE CONSUMER’S BEHALF.

(D) THE FOLLOWING INDIVIDUALS MAY EXERCISE THE CONSUMER RIGHTS SPECIFIED IN THIS SUBTITLE ON BEHALF OF ANOTHER INDIVIDUAL WITHOUT BEING DESIGNATED AS AN AUTHORIZED AGENT UNDER SUBSECTION (A) OF THIS SECTION:

(1) THE PARENT OR LEGAL GUARDIAN OF A KNOWN CHILD;

(2) IF A CONSUMER IS SUBJECT TO A GUARDIANSHIP, A CONSERVATORSHIP, OR ANY OTHER PROTECTIVE ARRANGEMENT, THE GUARDIAN OR CONSERVATOR OF THE CONSUMER.

14–4507.
(A) A CONTROLLER MAY NOT:

(1) SELL, LEASE, OR TRADE A CONSUMER’S BIOMETRIC DATA;

(2) EXCEPT AS OTHERWISE PROVIDED IN THIS SUBTITLE, UNLESS THE CONTROLLER OBTAINS THE CONSUMER’S CONSENT, PROCESS PERSONAL DATA FOR A PURPOSE THAT IS NEITHER REASONABLY NECESSARY TO, NOR COMPATIBLE WITH, THE DISCLOSED PURPOSES FOR WHICH THE PERSONAL DATA IS PROCESSED, AS DISCLOSED TO THE CONSUMER;

(3) PROCESS SENSITIVE DATA CONCERNING A CONSUMER WITHOUT OBTAINING THE CONSUMER’S CONSENT;

(4) PROCESS SENSITIVE DATA OF A KNOWN CHILD WITHOUT PROCESSING THE DATA IN ACCORDANCE WITH THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998;

(5) PROCESS PERSONAL DATA IN VIOLATION OF FEDERAL, STATE, OR LOCAL LAW THAT PROHIBITS UNLAWFUL DISCRIMINATION AGAINST A CONSUMER; OR

(6) PROCESS THE PERSONAL DATA OF A CONSUMER THAT THE PROCESSOR KNOWS IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 16 YEARS WITHOUT THE CONSUMER’S CONSENT FOR PURPOSES OF:

(I) TARGETED ADVERTISING; OR

(II) SELLING THE CONSUMER’S PERSONAL DATA.

(B) A CONTROLLER SHALL:

(1) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS:

(I) ADEQUATE, RELEVANT, AND REASONABLY NECESSARY TO COLLECT FOR THE PURPOSES FOR WHICH THE DATA IS PROCESSED; AND

(II) DISCLOSED TO THE CONSUMER;

(2) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE;

(3) PROVIDE AN EFFECTIVE MECHANISM FOR A CONSUMER TO REVOKE THE CONSUMER’S CONSENT UNDER THIS SECTION THAT IS AT LEAST AS EASY AS THE MECHANISM BY WHICH THE CONSUMER PROVIDED THE CONSUMER’S CONSENT; AND

(4) IF CONSENT IS REVOKED, STOP PROCESSING THE DATA AS SOON AS PRACTICABLE, BUT NOT LATER THAN 15 DAYS AFTER THE RECEIPT OF THE REQUEST.
(C) A CONTROLLER IN POSSESSION OF BIOMETRIC DATA SHALL STORE, TRANSMIT, AND PROTECT FROM DISCLOSURE ALL BIOMETRIC DATA:

(1) USING THE REASONABLE STANDARD OF CARE WITHIN THE CONTROLLER’S INDUSTRY; AND

(2) IN A MANNER THAT IS AS PROTECTIVE AS OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE CONTROLLER STORES, TRANSMITS, AND PROTECTS OTHER CONFIDENTIAL OR SENSITIVE DATA.

(D) (1) EXCEPT AS PROVIDED IN PARAGRAPH (2) OF THIS SUBSECTION, A CONTROLLER THAT COLLECTS BIOMETRIC DATA MAY NOT COLLECT, USE, DISCLOSE, REDISCLOSE, OR OTHERWISE DISSEMINATE A CONTROLLER’S BIOMETRIC DATA UNLESS:

(I) THE CONTROLLER OR THE CONSUMER’S AUTHORIZED AGENT GIVES CONSENT TO THE PARTICULAR CATEGORY OF COLLECTION, USE, DISCLOSURE, REDISCLOSURE, OR DISSEMINATION; OR

(II) THE DISCLOSURE OR REDISCLOSURE IS REQUIRED:

1. BY A VALID WARRANT OR SUBPOENA;

2. TO COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGULATIONS; OR

3. TO COOPERATE WITH LAW ENFORCEMENT CONCERNING CONDUCT OR ACTIVITY THAT THE PRIVATE ENTITY OR THE PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES VIOLATES A FEDERAL, STATE, OR LOCAL LAW, RULE, OR REGULATION.

(2) (I) A CONTROLLER MAY COLLECT, USE, DISCLOSE, REDISCLOSE, OR OTHERWISE DISSEMINATE A CONSUMER’S BIOMETRIC DATA WITHOUT COMPLYING WITH PARAGRAPH (1) OF THIS SUBSECTION IF THE CONTROLLER:

1. COLLECTS, USES, DISCLOSES, REDISCLOSES, OR OTHERWISE DISSEMINATES THE BIOMETRIC DATA FOR FRAUD PREVENTION OR SECURITY PURPOSES; AND

2. SUBJECT TO SUBPARAGRAPH (III) OF THIS PARAGRAPH:

A. FOR A CONTROLLER THAT COLLECTS BIOMETRIC DATA AT A PHYSICAL PREMISES, POSTS CONSPICUOUS WRITTEN NOTICE OF THE COLLECTION OF BIOMETRIC DATA AT EACH POINT OF ENTRY; AND

B. FOR A CONTROLLER THAT COLLECTS BIOMETRIC DATA OF A CONSUMER DURING AN ONLINE ENCOUNTER WITH THE CONSUMER, POSTS CONSPICUOUS WRITTEN NOTICE OF THE COLLECTION OF BIOMETRIC DATA ON THE WEBSITE OF THE CONTROLLER.

(II) 1. THE COLLECTION, USE, DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION OF BIOMETRIC DATA UNDER THIS SUBSECTION SHALL BE DIRECTLY TIED TO THE SERVICES BEING PROVIDED BY THE CONTROLLER.

2. A CONTROLLER THAT COLLECTS, USES, DISCLOSES, REDISCLOSES, OR OTHERWISE DISSEMINATES BIOMETRIC DATA UNDER THIS SUBSECTION MAY COLLECT, USE, DISCLOSE, REDISCLOSE, OR OTHERWISE DISSEMINATE ONLY WHAT IS STRICTLY NECESSARY FOR FRAUD PREVENTION AND SECURITY PURPOSES.

(III) THE NOTICE REQUIRED IN SUBPARAGRAPH (I) OF THIS PARAGRAPH SHALL INFORM CONSUMERS OF:

1. THE CATEGORIES OF BIOMETRIC DATA TO BE COLLECTED; AND

2. THE PURPOSES FOR WHICH THE CATEGORIES OF BIOMETRIC DATA WILL BE USED.

(E) A CONTROLLER MAY NOT DISCRIMINATE AGAINST A CONSUMER FOR EXERCISING A CONSUMER RIGHT AFFORDED BY THIS SUBTITLE, INCLUDING:

(1) DENYING GOODS OR SERVICES;

(2) CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES; OR

(3) PROVIDING A DIFFERENT LEVEL OF QUALITY OF GOODS OR SERVICES.

(F) NOTHING IN SUBSECTION (E) OF THIS SECTION MAY BE CONSTRUED TO:

(1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE THAT REQUIRES THE PERSONAL DATA OF A CONSUMER WHICH THE CONTROLLER DOES NOT COLLECT OR MAINTAIN; OR

(2) PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN CONNECTION WITH A CONSUMER’S VOLUNTARY PARTICIPATION IN A BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM.
(G) (1) IF A CONSUMER’S DECISION TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING OR THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT IN ACCORDANCE WITH § 14–4508(B)(4)(II) OF THIS SUBTITLE CONFLICTS WITH THE CONSUMER’S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR VOLUNTARY PARTICIPATION IN A CONTROLLER’S BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE CONTROLLER SHALL COMPLY WITH THE CONSUMER’S OPT–OUT PREFERENCE SIGNAL.

(2) A CONTROLLER MAY:

(I) NOTIFY A CONSUMER OF THE CONFLICT BETWEEN AN OPT–OUT PREFERENCE SIGNAL AND A CONTROLLER’S SPECIFIC PRIVACY SETTING; AND

(II) PROVIDE TO THE CONSUMER THE CHOICE TO CONFIRM THE CONTROLLER–SPECIFIC PRIVACY SETTING OR PARTICIPATION IN THE PROGRAM.

(H) IF A CONTROLLER RESPONDS TO A CONSUMER OPT–OUT REQUEST RECEIVED IN ACCORDANCE WITH SUBSECTION (G) OF THIS SECTION BY INFORMING THE CONSUMER OF A CHARGE FOR THE USE OF ANY PRODUCT OR SERVICE, THE CONTROLLER SHALL PRESENT THE TERMS OF ANY FINANCIAL INCENTIVE OFFERED IN ACCORDANCE WITH SUBSECTION (F) OF THIS SECTION FOR THE RETENTION, USE, SALE, OR SHARING OF THE CONSUMER’S PERSONAL DATA.

(I) A CONTROLLER OR A PROCESSOR THAT COMPLIES WITH THE VERIFIABLE PARENTAL CONSENT REQUIREMENTS OF THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT IS CONSIDERED TO BE COMPLIANT WITH ANY OBLIGATION TO OBTAIN PARENTAL CONSENT IN ACCORDANCE WITH THIS SUBTITLE.

(J) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING, THE CONTROLLER SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE:

(1) THE PROCESSING; AND

(2) THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE PROCESSING.

14–4508.
(A) (1) A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES:

(I) FOR BIOMETRIC DATA PROCESSED BY THE CONTROLLER, A WRITTEN POLICY ESTABLISHING A RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING BIOMETRIC DATA;

(II) THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER;

(III) THE PURPOSES FOR PROCESSING PERSONAL DATA;

(IV) HOW A CONSUMER MAY EXERCISE A CONSUMER RIGHT UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER’S DECISION WITH REGARD TO THE CONSUMER’S REQUEST;

(V) THE CATEGORIES OF THIRD PARTIES WITH WHICH THE CONTROLLER SHARES PERSONAL DATA;

(VI) THE CATEGORIES OF PERSONAL DATA THAT THE CONTROLLER SHARES WITH THIRD PARTIES; AND

(VII) AN ACTIVE E–MAIL ADDRESS OR OTHER ONLINE MECHANISM THAT A CONSUMER MAY USE TO CONTACT THE CONTROLLER.

(2) THE PRIVACY NOTICE IN PARAGRAPH (1) OF THIS SUBSECTION SHALL BE MADE AVAILABLE TO THE PUBLIC.

(B) (1) A CONTROLLER SHALL ESTABLISH AND DESCRIBE IN THE PRIVACY NOTICE ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT UNDER THIS SUBTITLE.

(2) THE METHOD A CONTROLLER CHOOSES TO SATISFY PARAGRAPH (1) OF THIS SUBSECTION SHALL TAKE INTO ACCOUNT:

(I) THE WAYS IN WHICH CONSUMERS NORMALLY INTERACT WITH THE CONTROLLER;

(II) THE NEED FOR SECURE AND RELIABLE COMMUNICATION OF REQUESTS; AND

(III) THE ABILITY OF THE CONTROLLER TO VERIFY THE IDENTITY OF A CONSUMER MAKING THE REQUEST.

(3) (I) A CONTROLLER MAY NOT REQUIRE A CONSUMER TO CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT.

(II) A CONTROLLER MAY REQUIRE A CONSUMER TO USE AN EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT.
(4) A CONTROLLER MAY CONSIDER THE FOLLOWING METHODS TO SATISFY PARAGRAPH (1) OF THIS SUBSECTION:

(I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE CONTROLLER’S WEBSITE TO A WEBPAGE THAT ALLOWS A CONSUMER, OR AN AUTHORIZED AGENT OF THE CONSUMER, TO OPT OUT OF THE TARGETED ADVERTISING OR THE SALE OF THE CONSUMER’S PERSONAL DATA; OR

(II) ALLOWING A CONSUMER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSONAL DATA, THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT, WITH THE CONSUMER’S CONSENT, BY A PLATFORM, A TECHNOLOGY, OR A MECHANISM TO THE CONTROLLER INDICATING THE CONSUMER’S INTENT TO OPT OUT OF THE PROCESSING OR SALE.

(5) (I) A PLATFORM, A TECHNOLOGY, OR A MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (4) OF THIS SUBSECTION SHALL:

1. BE CONSUMER–FRIENDLY AND EASY TO USE BY THE AVERAGE CONSUMER;

2. BE AS CONSISTENT AS POSSIBLE WITH ANY OTHER SIMILAR PLATFORM, TECHNOLOGY, OR MECHANISM REQUIRED BY ANY FEDERAL OR STATE LAW OR REGULATION; AND

3. ENABLE THE CONTROLLER TO ACCURATELY DETERMINE WHETHER THE CONSUMER:

A. IS A RESIDENT OF THE STATE; AND

B. HAS MADE A LEGITIMATE REQUEST TO OPT OUT OF ANY SALE OF THE CONSUMER’S PERSONAL DATA OR TARGETED ADVERTISING.

(II) A PLATFORM, A TECHNOLOGY, OR A MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (4) OF THIS SUBSECTION:

1. SHALL REQUIRE THE CONSUMER TO MAKE AN AFFIRMATIVE, FREELY GIVEN, AND UNAMBIGUOUS CHOICE TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA IN ACCORDANCE WITH THIS SUBTITLE; AND

2. MAY NOT:

A. UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER; OR

B. MAKE USE OF A DEFAULT SETTING.

(C) (1) THIS SUBSECTION APPLIES ONLY TO A CONTROLLER THAT COLLECTS THE BIOMETRIC DATA OF CONSUMERS.
(2) EXCEPT AS PROVIDED IN PARAGRAPHS (4) AND (5) OF THIS SUBSECTION, A CONTROLLER IN POSSESSION OF BIOMETRIC DATA SHALL DEVELOP A WRITTEN POLICY, MADE AVAILABLE TO THE PUBLIC, ESTABLISHING A RETENTION SCHEDULE AND GUIDELINES FOR PERMANENTLY DESTROYING BIOMETRIC DATA ON THE EARLIEST OF THE FOLLOWING:

(I) THE DATE ON WHICH THE INITIAL PURPOSE FOR COLLECTING OR OBTAINING THE BIOMETRIC DATA HAS BEEN SATISFIED;

(II) WITHIN 3 YEARS AFTER THE CONSUMER’S LAST INTERACTION WITH THE CONTROLLER IN POSSESSION OF THE BIOMETRIC DATA; OR

(III) WITHIN 30 DAYS AFTER THE CONTROLLER RECEIVES A VERIFIED REQUEST TO DELETE THE BIOMETRIC DATA SUBMITTED BY THE CONSUMER OR THE CONSUMER’S AUTHORIZED AGENT.

(3) ABSENT A VALID WARRANT OR SUBPOENA ISSUED BY A COURT OF COMPETENT JURISDICTION, A CONTROLLER IN POSSESSION OF BIOMETRIC DATA SHALL COMPLY WITH THE RETENTION SCHEDULE AND DESTRUCTION GUIDELINES DEVELOPED UNDER PARAGRAPH (2) OF THIS SUBSECTION.

(4) A CONTROLLER IN POSSESSION OF BIOMETRIC DATA FOR FRAUD PREVENTION OR SECURITY PURPOSES IS NOT REQUIRED TO DESTROY A CONSUMER’S BIOMETRIC DATA IN ACCORDANCE WITH PARAGRAPH (2)(II) AND (III) OF THIS SUBSECTION IF THE CONSUMER IS PART OF THE STATE VOLUNTARY EXCLUSION PROGRAM.

(5) A CONTROLLER MAY NOT BE REQUIRED TO MAKE PUBLICLY AVAILABLE A WRITTEN POLICY DEVELOPED UNDER THIS SUBSECTION IF:

(I) THE CONTROLLER COLLECTS BIOMETRIC DATA ONLY FROM THE CONTROLLER’S EMPLOYEES; AND

(II) THE BIOMETRIC DATA IS USED SOLELY FOR INTERNAL COMPANY OPERATIONS.

14–4509.

(A) (1) IF A CONTROLLER USES A PROCESSOR TO PROCESS THE PERSONAL DATA OF CONSUMERS, THE CONTROLLER AND THE PROCESSOR SHALL ENTER INTO A CONTRACT THAT GOVERNS THE PROCESSOR’S DATA PROCESSING PROCEDURES WITH RESPECT TO PROCESSING PERFORMED ON BEHALF OF THE CONTROLLER.
(2) THE CONTRACT SHALL PROVIDE CLEAR INSTRUCTIONS FOR:

(I) PROCESSING DATA;

(II) THE NATURE AND PURPOSE OF PROCESSING;

(III) THE TYPE OF DATA SUBJECT TO PROCESSING;

(IV) THE DURATION OF PROCESSING; AND

(V) THE RIGHTS AND OBLIGATIONS OF THE CONTROLLER AND THE PROCESSOR.

(3) THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR:

(I) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA;

(II) UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW, AT THE CONTROLLER’S DIRECTION, DELETE OR RETURN ALL PERSONAL DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICE;

(III) MAKE AVAILABLE TO THE CONTROLLER ALL INFORMATION IN THE PROCESSOR’S POSSESSION NECESSARY TO DEMONSTRATE THE PROCESSOR’S COMPLIANCE WITH THE OBLIGATIONS IN THIS SUBTITLE;

(IV) AFTER PROVIDING THE CONTROLLER AN OPPORTUNITY TO OBJECT, REQUIRE A SUBCONTRACTOR TO SIGN A CONTRACT AGREEING TO MEET THE OBLIGATIONS OF THE PROCESSOR WITH RESPECT TO THE PERSONAL DATA; AND

(V) ALLOW AND COOPERATE WITH REASONABLE ASSESSMENTS BY THE CONTROLLER, THE CONTROLLER’S DESIGNATED ASSESSOR, OR A QUALIFIED AND INDEPENDENT ASSESSOR TO ASSESS THE PROCESSOR’S POLICIES AND TECHNICAL AND ORGANIZATIONAL MEASURES TO COMPLY WITH THE OBLIGATIONS UNDER THIS SUBTITLE.

(4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT OF AN ASSESSMENT REQUIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION TO THE CONTROLLER.

(II) AN ASSESSMENT CONDUCTED IN ACCORDANCE WITH PARAGRAPH (3)(V) OF THIS SUBSECTION SHALL BE CONDUCTED USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT PROCEDURE FOR THE ASSESSMENTS.
(B) A PROCESSOR SHALL ADHERE TO THE INSTRUCTIONS OF A CONTROLLER AND SHALL ASSIST THE CONTROLLER IN MEETING THE CONTROLLER’S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING:

(1) TAKING INTO ACCOUNT THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR BY FULFILLING THE CONTROLLER’S OBLIGATION TO RESPOND TO CONSUMER RIGHTS REQUESTS;

(2) TAKING INTO ACCOUNT THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR, BY ASSISTING THE CONTROLLER IN MEETING THE CONTROLLER’S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING PERSONAL DATA AND THE NOTIFICATION OF A BREACH OF SECURITY OF THE SYSTEM OF THE PROCESSOR, AS DEFINED IN § 14–3504 OF THIS TITLE, IN ORDER TO MEET THE CONTROLLER’S OBLIGATIONS; AND

(3) PROVIDING NECESSARY INFORMATION TO ENABLE THE CONTROLLER TO CONDUCT AND DOCUMENT DATA PROTECTION ASSESSMENTS.

(C) NOTHING IN THIS SECTION MAY BE CONSTRUED TO RELIEVE A CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON THE CONTROLLER OR PROCESSOR BY VIRTUE OF THE CONTROLLER’S OR PROCESSOR’S ROLE IN THE PROCESSING RELATIONSHIP.

(D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A CONTROLLER OR A PROCESSOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT–BASED DETERMINATION THAT DEPENDS UPON THE CONTEXT IN WHICH PERSONAL DATA IS BEING PROCESSED.

(2) A PERSON IS CONSIDERED TO BE A CONTROLLER IF THE PERSON:

(I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPECIFIC PERSONAL DATA IN ACCORDANCE WITH A CONTROLLER’S INSTRUCTIONS; OR

(II) FAILS TO FOLLOW A CONTROLLER’S INSTRUCTIONS REGARDING THE SPECIFIC PROCESSING OF PERSONAL DATA.
(3) IF A PROCESSOR, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA, THE PROCESSOR:

(I) IS A CONTROLLER WITH RESPECT TO THE PROCESSING; AND

(II) MAY BE SUBJECT TO AN ENFORCEMENT ACTION UNDER THIS SUBTITLE.

14–4510.

(A) IN THIS SECTION, “PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER” MEANS:

(1) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING;

(2) THE SALE OF PERSONAL DATA;

(3) THE PROCESSING OF SENSITIVE DATA; AND

(4) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF PROFILING, IN WHICH THE PROFILING PRESENTS A REASONABLY FORESEEABLE RISK OF:

(I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATMENT OF A CONSUMER;

(II) HAVING AN UNLAWFUL DISPARATE IMPACT ON A CONSUMER;

(III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJURY TO A CONSUMER;

(IV) A PHYSICAL OR OTHER INTRUSION ON THE SOLITUDE OR SECLUSION OR THE PRIVATE AFFAIRS OR CONCERNS OF A CONSUMER INTO WHICH THE INTRUSION WOULD BE OFFENSIVE TO A REASONABLE PERSON; OR

(V) OTHER SUBSTANTIAL INJURY TO A CONSUMER.

(B) A CONTROLLER SHALL CONDUCT AND DOCUMENT A DATA PROTECTION ASSESSMENT FOR EACH OF THE CONTROLLER’S PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER.

(C) (1) A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS OF THE PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER STAKEHOLDERS, AND THE PUBLIC AGAINST THE POTENTIAL RISKS TO THE RIGHTS OF THE CONSUMER ASSOCIATED WITH THE PROCESSING.
(2) THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT:

(I) THE USE OF DE–IDENTIFIED DATA;

(II) THE REASONABLE EXPECTATIONS OF CONSUMERS;

(III) THE CONTEXT OF THE PROCESSING;

(IV) THE RELATIONSHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE PROCESSED; AND

(V) THE SAFEGUARDS THAT CAN BE EMPLOYED BY THE CONTROLLER TO REDUCE THE RISKS AGAINST CONSUMERS ASSOCIATED WITH THE PROCESSING.

(D) (1) THE DIVISION MAY REQUIRE THAT A CONTROLLER MAKE AVAILABLE TO THE DIVISION A DATA PROTECTION ASSESSMENT THAT IS RELEVANT TO AN INVESTIGATION CONDUCTED BY THE DIVISION.

(2) THE DIVISION MAY EVALUATE A DATA PROTECTION ASSESSMENT FOR COMPLIANCE WITH THE RESPONSIBILITIES ESTABLISHED IN THIS SUBTITLE.

(E) A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A COMPARABLE SET OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR ACTIVITIES.

(F) IF A CONTROLLER CONDUCTS A DATA PROTECTION ASSESSMENT FOR THE PURPOSE OF COMPLYING WITH ANOTHER LAW OR REGULATION, THE DATA PROTECTION ASSESSMENT SHALL SATISFY THE REQUIREMENTS ESTABLISHED IN THIS SECTION IF THE DATA PROTECTION ASSESSMENT IS REASONABLY SIMILAR IN SCOPE AND EFFECT TO THE DATA PROTECTION ASSESSMENT THAT WOULD OTHERWISE BE CONDUCTED IN ACCORDANCE WITH THIS SECTION.

(G) A DATA PROTECTION ASSESSMENT SHALL BE CONFIDENTIAL AND EXEMPT FROM DISCLOSURE UNDER THE MARYLAND PUBLIC INFORMATION ACT.

14–4511.

(A) NOTHING IN THIS SECTION MAY BE CONSTRUED TO:

(1) REQUIRE A CONTROLLER OR A PROCESSOR TO RE–IDENTIFY DE–IDENTIFIED DATA;

(2) MAINTAIN DATA IN AN IDENTIFIABLE FORM; OR

(3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA.
(B) A CONTROLLER IN POSSESSION OF DE–IDENTIFIED DATA SHALL:

(1) TAKE REASONABLE MEASURES TO ENSURE THAT THE DATA CANNOT BE ASSOCIATED WITH A CONSUMER;

(2) PUBLICLY COMMIT TO MAINTAINING AND USING DE–IDENTIFIED DATA WITHOUT ATTEMPTING TO RE–IDENTIFY THE DATA; AND

(3) CONTRACTUALLY OBLIGATE A RECIPIENT OF DE–IDENTIFIED DATA TO COMPLY WITH ITEMS (1) AND (2) OF THIS SUBSECTION.

(C) A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL:

(1) EXERCISE REASONABLE OVERSIGHT TO MONITOR COMPLIANCE WITH A CONTRACTUAL COMMITMENT TO WHICH THE DE–IDENTIFIED DATA IS SUBJECT; AND

(2) IF NECESSARY, TAKE APPROPRIATE STEPS TO ADDRESS A BREACH OF A CONTRACTUAL COMMITMENT.

(D) A CONTROLLER THAT POSSESSES THE DE–IDENTIFIED DATA SHALL:

(1) TAKE REASONABLE MEASURES TO ENSURE THAT THE DATA CANNOT BE ASSOCIATED WITH A CONSUMER;

(2) PUBLICLY COMMIT TO:

(I) PROCESS THE DATA ONLY IN A DE–IDENTIFIED MANNER; AND

(II) NOT ATTEMPT TO RE–IDENTIFY THE DATA; AND

(3) CONTRACTUALLY OBLIGATE A RECIPIENT OF THE DATA TO SATISFY THE CRITERIA IN ITEMS (1) AND (2) OF THIS SUBSECTION.

14–4512.

(A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION, A VIOLATION OF THIS SUBTITLE IS:

(1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE PRACTICE WITHIN THE MEANING OF TITLE 13 OF THIS ARTICLE; AND

(2) SUBJECT TO THE ENFORCEMENT AND PENALTY PROVISIONS CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE.

(B) IN ADDITION TO THE REMEDIES AVAILABLE IN SUBSECTION (A) OF THIS SECTION, A CONSUMER WHO IS AFFECTED BY A VIOLATION OF § 14–4507(A)(1) OF THIS SUBTITLE MAY BRING AN ACTION AGAINST THE CONTROLLER IN ACCORDANCE WITH § 13–408 OF THIS ARTICLE.

SECTION 2. AND BE IT FURTHER ENACTED, That:

(a) There is a Task Force to Study Online Data Privacy.
(b) The Task Force consists of the following members:

(1) two members of the Senate of Maryland, appointed by the President of the Senate;

(2) two members of the House of Delegates, appointed by the Speaker of the House;

(3) the Attorney General, or the Attorney General’s designee; and

(4) the following members, appointed by the Governor:

(i) one representative of the business sector;

(ii) one representative of the academic sector;

(iii) one representative from a consumer advocacy group; and

(iv) two attorneys with experience in privacy law.

(c) The Governor shall designate the chair of the Task Force.

(d) The State agencies represented on the Task Force shall provide staff for the Task Force.

(e) A member of the Task Force:

(1) may not receive compensation as a member of the Task Force; but

(2) is entitled to reimbursement for expenses under the Standard State Travel Regulations, as provided in the State budget.

(f) The Task Force shall:

(1) study and make recommendations regarding:

(i) information sharing among health care and social care providers;

(ii) algorithmic decision–making and the proper use of data to reduce bias in algorithmic decision–making;

(iii) requiring an operator, upon a parent’s request, to delete the account of a child and cease to collect, use or maintain, in retrievable form, the child’s personal data on the operator’s website or online service directed to children, and provide parents with an accessible, reasonable, and verifiable means to make the request;

(iv) methods of verifying the age of a child who creates a social media account;

(v) issues concerning data colocation, including the impact that the provisions of Section 1 of this Act may have on third parties that provide data storage and colocation services;

(vi) issues surrounding additional persons or groups that are subject to the provisions of Section 1 of this Act; and

(vii) other topics concerning online data privacy; and

(2) make recommendations for future data privacy legislation.

(g) On or before June 1, 2024, the Task Force shall report its findings and recommendations to the Governor and, in accordance with § 2–1257 of the State Government Article, the Senate Finance Committee and the House Economic Matters Committee.

SECTION 3. AND BE IT FURTHER ENACTED, That § 14–4510 of the Commercial Law Article, as enacted by Section 1 of this Act, shall be construed to apply only prospectively and may not be applied or interpreted to have any effect on or application to any personal data processing activities before the effective date of this Act.

SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect October 1, 2023. Section 2 of this Act shall remain effective for a period of 2 years and, at the end of September 30, 2025, Section 2 of this Act, with no further action required by the General Assembly, shall be abrogated and of no further force and effect.