Maryland 2024 2024 Regular Session

Maryland Senate Bill SB541 Introduced / Bill

Filed 01/24/2024

                     
 
EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
        [Brackets] indicate matter deleted from existing law. 
  
SENATE BILL 541 
I3   	4lr1200 
    	CF HB 567 
By: Senators Gile, Hester, Augustine, Feldman, Beidle, and Ellis 
Introduced and read first time: January 24, 2024 
Assigned to: Finance 
 
A BILL ENTITLED 
 
AN ACT concerning

Maryland Online Data Privacy Act of 2024

FOR the purpose of regulating the manner in which a controller or a processor in possession
of a consumer’s personal data may process the consumer’s personal data; authorizing
a consumer to exercise certain rights in regards to the consumer’s personal data;
requiring a controller of personal data to establish a method for a consumer to
exercise certain rights in regards to the consumer’s personal data; requiring a
controller to comply with a request by a consumer to exercise a certain right in a
certain manner, except under certain circumstances; authorizing a consumer to
designate an authorized agent to act on the consumer’s behalf to opt out of the
processing of the consumer’s personal data; requiring a controller to provide a
consumer with a certain privacy notice; requiring a controller that uses a processor
to process the personal data of consumers to enter into a contract with the processor
that governs the processor’s data processing procedures; requiring a controller to
conduct and document a data protection assessment for consumer data processing
activities that present a heightened risk of harm to a consumer; making a violation
of this Act an unfair, abusive, or deceptive trade practice that is subject to
enforcement and penalties under the Maryland Consumer Protection Act; and
generally relating to online data privacy.
 
BY repealing and reenacting, with amendments,
 Article – Commercial Law
Section 13–301(14)(xl)
 Annotated Code of Maryland
 (2013 Replacement Volume and 2023 Supplement)

BY repealing and reenacting, without amendments,
 Article – Commercial Law
Section 13–301(14)(xli)
 Annotated Code of Maryland
 (2013 Replacement Volume and 2023 Supplement)

BY adding to
 Article – Commercial Law
Section 13–301(14)(xlii); and 14–4601 through 14–4613 to be under the new subtitle
“Subtitle 46. Online Data Privacy Act”
 Annotated Code of Maryland
 (2013 Replacement Volume and 2023 Supplement)
 
 SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
That the Laws of Maryland read as follows:

Article – Commercial Law

13–301.

 Unfair, abusive, or deceptive trade practices include any:

 (14) Violation of a provision of:

 (xl) Title 14, Subtitle 13 of the Public Safety Article; [or]

 (xli) Title 14, Subtitle 45 of this article; or

 (XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR

SUBTITLE 46. ONLINE DATA PRIVACY ACT.

14–4601.

 (A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS
INDICATED.

 (B) “AFFILIATE” MEANS A PERSON THAT:

 (1) SHARES COMMON BRANDING WITH ANOTHER PERSON; OR

 (2) CONTROLS, IS CONTROLLED BY, OR IS UNDER COMMON CONTROL
WITH ANOTHER PERSON.

 (C) “AUTHENTICATE” MEANS TO USE REASONABLE MEANS TO DETERMINE
THAT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH § 14–4605
OF THIS SUBTITLE IS BEING MADE BY, OR ON BEHALF OF, A CONSUMER WHO IS
ENTITLED TO EXERCISE THE CONSUMER RIGHT WITH RESPECT TO THE PERSONAL
DATA AT ISSUE.
 
 
 (D) (1) “BIOMETRIC DATA” MEANS DATA GENERATED BY AUTOMATIC
MEASUREMENTS OF THE BIOLOGICAL CHARACTERISTICS OF A CONSUMER THAT CAN
BE USED TO UNIQUELY AUTHENTICATE A CONSUMER’S IDENTITY.

 (2) “BIOMETRIC DATA” INCLUDES:

 (I) A FINGERPRINT;

 (II) A VOICE PRINT;

 (III) AN EYE RETINA OR IRIS IMAGE; AND

 (IV) ANY OTHER UNIQUE BIOLOGICAL CHARACTERISTICS THAT
CAN BE USED TO UNIQUELY AUTHENTICATE A CONSUMER’S IDENTITY.

 (3) “BIOMETRIC DATA” DOES NOT INCLUDE:

 (I) A DIGITAL OR PHYSICAL PHOTOGRAPH;

 (II) AN AUDIO OR VIDEO RECORDING; OR

 (III) ANY DATA GENERATED FROM A DIGITAL OR PHYSICAL
PHOTOGRAPH OR AN AUDIO OR VIDEO RECORDING, UNLESS THE DATA IS
GENERATED TO IDENTIFY A SPECIFIC CONSUMER.

 (E) “BUSINESS ASSOCIATE” HAS THE MEANING STATED IN HIPAA.

 (F) “CHILD” HAS THE MEANING STATED IN COPPA.

 (G) (1) “CONSENT” MEANS A CLEAR AFFIRMATIVE ACT SIGNIFYING A
CONSUMER’S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS
AGREEMENT TO ALLOW THE PROCESSING OF PERSONAL DATA RELATING TO THE
CONSUMER FOR A PARTICULAR PURPOSE.

 (2) “CONSENT” INCLUDES:

 (I) A WRITTEN STATEMENT;

 (II) A WRITTEN STATEMENT BY ELECTRONIC MEANS; OR

 (III) ANY OTHER UNAMBIGUOUS AFFIRMATIVE ACTION.

 (3) “CONSENT” DOES NOT INCLUDE:
 
 
 
 (I) ACCEPTANCE OF A GENERAL OR BROAD TERMS OF USE OR
SIMILAR DOCUMENT THAT CONTAINS DESCRIPTIONS OF PERSONAL DATA
PROCESSING ALONG WITH OTHER UNRELATED INFORMATION;

 (II) HOVERING OVER, MUTING, PAUSING, OR CLOSING A PIECE
OF CONTENT; OR

 (III) AGREEMENT OBTAINED THROUGH THE USE OF DARK
PATTERNS.

 (H) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE
STATE.

 (2) “CONSUMER” DOES NOT INCLUDE:

 (I) AN INDIVIDUAL ACTING IN A COMMERCIAL OR
EMPLOYMENT CONTEXT; OR

 (II) AN INDIVIDUAL ACTING AS AN EMPLOYEE, AN OWNER, A
DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, A PARTNERSHIP, A SOLE
PROPRIETORSHIP, A NONPROFIT ORGANIZATION, OR A GOVERNMENTAL UNIT
WHOSE COMMUNICATIONS OR TRANSACTIONS WITH A CONTROLLER OCCUR ONLY
WITHIN THE CONTEXT OF THE INDIVIDUAL’S ROLE WITH THE COMPANY,
PARTNERSHIP, SOLE PROPRIETORSHIP, NONPROFIT ORGANIZATION, OR
GOVERNMENTAL UNIT.

 (I) (1) “CONSUMER HEALTH DATA” MEANS PERSONAL DATA THAT A
CONTROLLER USES TO IDENTIFY A CONSUMER’S PHYSICAL OR MENTAL HEALTH
STATUS.

 (2) “CONSUMER HEALTH DATA” INCLUDES DATA RELATED TO:

 (I) GENDER–AFFIRMING CARE; OR

 (II) REPRODUCTIVE OR SEXUAL HEALTH CARE.

 (J) “CONTROL” MEANS:

 (1) OWNERSHIP OF OR THE POWER TO VOTE MORE THAN 50% OF THE
OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF A BUSINESS;
 
 
 (2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY
OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERCISING SIMILAR
FUNCTIONS; OR

 (3) THE POWER TO EXERCISE A CONTROLLING INFLUENCE OVER THE
MANAGEMENT OF A BUSINESS.

 (K) “CONTROLLER” MEANS A PERSON THAT, ALONE OR JOINTLY WITH
OTHERS, DETERMINES THE PURPOSE AND MEANS OF PROCESSING PERSONAL DATA.

 (L) (1) “COPPA” MEANS THE FEDERAL CHILDREN’S ONLINE PRIVACY
PROTECTION ACT OF 1998.

 (2) “COPPA” INCLUDES REGULATIONS ADOPTED UNDER THE
FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998.

 (M) “COVERED ENTITY” HAS THE MEANING STATED IN HIPAA.

 (N) (1) “DARK PATTERN” MEANS A USER INTERFACE DESIGNED OR
MANIPULATED WITH THE SUBSTANTIAL EFFECT OF SUBVERTING USER AUTONOMY,
DECISION MAKING, OR CHOICE.

 (2) “DARK PATTERN” INCLUDES ANY PRACTICE THE FEDERAL
TRADE COMMISSION REFERS TO AS A “DARK PATTERN”.

 (O) “DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT
EFFECTS CONCERNING THE CONSUMER” MEANS DECISIONS THAT RESULT IN THE
PROVISION OR DENIAL OF:

 (1) FINANCIAL OR LENDING SERVICES;

 (2) HOUSING;

 (3) INSURANCE;

 (4) EDUCATION ENROLLMENT OR OPPORTUNITY;

 (5) CRIMINAL JUSTICE;

 (6) EMPLOYMENT OPPORTUNITIES;

 (7) HEALTH CARE SERVICES; OR
 
 
 (8) ACCESS TO ESSENTIAL GOODS OR SERVICES.

 (P) “DE–IDENTIFIED DATA” MEANS DATA THAT CANNOT REASONABLY BE
USED TO INFER INFORMATION ABOUT OR OTHERWISE BE LINKED TO AN IDENTIFIED
OR IDENTIFIABLE CONSUMER, OR A DEVICE THAT MAY BE LINKED TO AN IDENTIFIED
OR IDENTIFIABLE CONSUMER, IF THE CONTROLLER THAT POSSESSES THAT
INFORMATION:

 (1) TAKES REASONABLE MEASURES TO ENSURE THAT THE
INFORMATION CANNOT BE LINKED WITH A CONSUMER;

 (2) COMMITS IN PUBLICLY AVAILABLE TERMS AND CONDITIONS OR IN
A PUBLICLY AVAILABLE PRIVACY POLICY TO MAINTAIN AND USE THE INFORMATION
IN DE–IDENTIFIED FORM; AND

 (3) CONTRACTUALLY OBLIGES ANY RECIPIENTS OF THE
INFORMATION TO COMPLY WITH ALL PROVISIONS OF THIS SUBSECTION.

 (Q) (1) “GENETIC DATA” MEANS DATA IN ANY FORMAT THAT CONCERNS
THE GENETIC CHARACTERISTICS OF A CONSUMER.

 (2) “GENETIC DATA” INCLUDES:

 (I) RAW SEQUENCE DATA THAT RESULTS FROM SEQUENCING
OF A CONSUMER’S COMPLETE EXTRACTED DNA OR A PORTION OF THE CONSUMER’S
COMPLETE EXTRACTED DNA;

 (II) GENOTYPIC AND PHENOTYPIC INFORMATION THAT
RESULTS FROM ANALYZING RAW SEQUENCE DATA;

 (III) INFORMATION EXTRAPOLATED, DERIVED, OR INFERRED
FROM THE ANALYSIS OF RAW SEQUENCE DATA; AND

 (IV) SELF–REPORTED HEALTH INFORMATION SUBMITTED TO A
DIRECT–TO–CONSUMER GENETIC TESTING COMPANY BY A CONSUMER REGARDING
THE CONSUMER’S HEALTH CONDITIONS:

 1. THAT IS USED FOR SCIENTIFIC RESEARCH OR
PRODUCT DEVELOPMENT; AND

 2. ANALYZED IN CONNECTION WITH THE CONSUMER’S
RAW SEQUENCE DATA.
 
 
 (R) (1) “GEOFENCE” MEANS TECHNOLOGY THAT ESTABLISHES A
VIRTUAL GEOGRAPHICAL BOUNDARY.

 (2) “GEOFENCE” INCLUDES BOUNDARIES THAT ARE ESTABLISHED
OR MONITORED THROUGH THE USE OF:

 (I) GLOBAL POSITIONING TECHNOLOGY;

 (II) CELL TOWER CONNECTIVITY;

 (III) CELLULAR DATA;

 (IV) RADIO FREQUENCY IDENTIFICATION;

 (V) WIRELESS FIDELITY TECHNOLOGY; OR

 (VI) ANY OTHER FORM OF LOCATION DETERMINATION
TECHNOLOGY.

 (S) “HIPAA” MEANS THE FEDERAL HEALTH INSURANCE PORTABILITY
AND ACCOUNTABILITY ACT OF 1996.

 (T) “IDENTIFIED OR IDENTIFIABLE CONSUMER” MEANS A CONSUMER WHO
CAN READILY BE IDENTIFIED, EITHER DIRECTLY OR INDIRECTLY.

 (U) “MENTAL HEALTH FACILITY” MEANS A HEALTH CARE FACILITY IN
WHICH NOT LESS THAN 70% OF HEALTH CARE SERVICES OFFERED ARE MENTAL
HEALTH SERVICES.

 (V) (1) “PERSONAL DATA” MEANS ANY INFORMATION THAT IS LINKED OR
CAN BE REASONABLY LINKED TO AN IDENTIFIED OR IDENTIFIABLE CONSUMER.

 (2) “PERSONAL DATA” DOES NOT INCLUDE:

 (I) DE–IDENTIFIED DATA; OR

 (II) PUBLICLY AVAILABLE INFORMATION.

 (W) (1) “PRECISE GEOLOCATION DATA” MEANS INFORMATION DERIVED
FROM TECHNOLOGY THAT CAN PRECISELY AND ACCURATELY IDENTIFY THE
SPECIFIC LOCATION OF A CONSUMER WITHIN A RADIUS OF 1,750 FEET.
 
 
 (2) “PRECISE GEOLOCATION DATA” INCLUDES GLOBAL POSITIONING
SYSTEM LEVEL LATITUDE AND LONGITUDE COORDINATES OR OTHER SIMILAR
MECHANISMS.

 (3) “PRECISE GEOLOCATION DATA” DOES NOT INCLUDE:

 (I) THE CONTENT OF COMMUNICATIONS DATA GENERATED BY
OR CONNECTED TO AN ADVANCED UTILITY METERING INFRASTRUCTURE SYSTEM;
OR

 (II) EQUIPMENT USED BY A UTILITY COMPANY.

 (X) (1) “PROCESS” MEANS AN OPERATION OR SET OF OPERATIONS
PERFORMED BY MANUAL OR AUTOMATED MEANS ON PERSONAL DATA.

 (2) “PROCESS” INCLUDES COLLECTING, USING, STORING,
DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONAL DATA.

 (Y) “PROCESSOR” MEANS A PERSON THAT PROCESSES PERSONAL DATA ON
BEHALF OF A CONTROLLER.

 (Z) “PROFILING” MEANS ANY FORM OF AUTOMATED PROCESSING
PERFORMED ON PERSONAL DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL
ASPECTS RELATED TO AN IDENTIFIED OR IDENTIFIABLE CONSUMER’S ECONOMIC
SITUATION, HEALTH, DEMOGRAPHIC CHARACTERISTICS, PERSONAL PREFERENCES,
INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS.

 (AA) “PROTECTED HEALTH INFORMATION” HAS THE MEANING STATED IN
HIPAA.

 (BB) (1) “PUBLICLY AVAILABLE INFORMATION” MEANS INFORMATION
THAT:

 (I) IS LAWFULLY MADE READILY AVAILABLE TO THE GENERAL
PUBLIC THROUGH FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS; OR

 (II) A CONTROLLER HAS A REASONABLE BASIS TO BELIEVE
THAT A CONSUMER HAS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC
THROUGH WIDELY DISTRIBUTED MEDIA.

 (2) “PUBLICLY AVAILABLE INFORMATION” DOES NOT INCLUDE
BIOMETRIC DATA COLLECTED BY A BUSINESS ABOUT A CONSUMER WITHOUT THE
CONSUMER’S KNOWLEDGE.
 
 
 
 (CC) (1) “REPRODUCTIVE OR SEXUAL HEALTH CARE” MEANS CARE
RELATED TO A CONSUMER’S REPRODUCTIVE SYSTEM OR SEXUAL WELL–BEING.

 (2) “REPRODUCTIVE OR SEXUAL HEALTH CARE” INCLUDES:

 (I) A SERVICE OR PRODUCT PROVIDED RELATED TO AN
INDIVIDUAL HEALTH CONDITION, STATUS, DISEASE, DIAGNOSIS, TEST, OR
TREATMENT;

 (II) A SOCIAL, PSYCHOLOGICAL, BEHAVIORAL, OR MEDICAL
INTERVENTION;

 (III) A SURGERY OR PROCEDURE;

 (IV) THE PURCHASE OR USE OF A MEDICATION;

 (V) A SERVICE OR PRODUCT RELATED TO A BODILY FUNCTION,
VITAL SIGN, OR MEASUREMENT THEREOF;

 (VI) AN ABORTION, WHETHER SURGICAL OR MEDICAL; AND

 (VII) A SERVICE RELATED TO AN ABORTION.

 (DD) “REPRODUCTIVE OR SEXUAL HEALTH CARE FACILITY” MEANS A
HEALTH CARE FACILITY WHERE NOT LESS THAN 70% OF SERVICES OFFERED ARE
REPRODUCTIVE OR SEXUAL HEALTH CARE SERVICES.

 (EE) (1) “SALE OF PERSONAL DATA” MEANS THE EXCHANGE OF PERSONAL
DATA BY A CONTROLLER TO A THIRD PARTY FOR MONETARY OR OTHER VALUABLE
CONSIDERATION.

 (2) “SALE OF PERSONAL DATA” DOES NOT INCLUDE:

 (I) THE DISCLOSURE OF PERSONAL DATA TO A PROCESSOR
THAT PROCESSES PERSONAL DATA ON BEHALF OF A CONTROLLER IF LIMITED TO
THE PURPOSES OF THE PROCESSING;

 (II) THE DISCLOSURE OF PERSONAL DATA TO A THIRD PARTY
FOR PURPOSES OF PROVIDING A PRODUCT OR SERVICE AFFIRMATIVELY
REQUESTED BY THE CONSUMER;
 
 
 (III) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO AN
AFFILIATE OF THE CONTROLLER FOR THE PURPOSE OF PROVIDING A PRODUCT OR
SERVICE AFFIRMATIVELY REQUESTED BY THE CONSUMER;

 (IV) THE DISCLOSURE OF PERSONAL DATA WHERE THE
CONSUMER:

 1. DIRECTS THE CONTROLLER TO DISCLOSE THE
PERSONAL DATA; OR

 2. INTENTIONALLY USES THE CONTROLLER TO
INTERACT WITH A THIRD PARTY;

 (V) THE DISCLOSURE OF PERSONAL DATA THAT THE
CONSUMER:

 1. INTENTIONALLY MADE AVAILABLE TO THE GENERAL
PUBLIC THROUGH A CHANNEL OF MASS MEDIA; AND

 2. DID NOT RESTRICT TO A SPECIFIC AUDIENCE; OR

 (VI) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO A
THIRD PARTY AS AN ASSET THAT IS PART OF AN ACTUAL OR PROPOSED MERGER,
ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION WHERE THE THIRD PARTY
ASSUMES CONTROL OF ALL OR PART OF THE CONTROLLER’S ASSETS.

 (FF) “SENSITIVE DATA” MEANS PERSONAL DATA THAT INCLUDES:

 (1) DATA REVEALING:

 (I) RACIAL OR ETHNIC ORIGIN;

 (II) RELIGIOUS BELIEFS;

 (III) CONSUMER HEALTH DATA;

 (IV) SEX LIFE;

 (V) SEXUAL ORIENTATION;

 (VI) STATUS AS TRANSGENDER OR NONBINARY;

 (VII) NATIONAL ORIGIN; OR
 
 
 
 (VIII) CITIZENSHIP OR IMMIGRATION STATUS;

 (2) GENETIC DATA OR BIOMETRIC DATA;

 (3) PERSONAL DATA OF A CONSUMER THAT THE CONTROLLER KNOWS
OR HAS REASON TO KNOW IS A CHILD; OR

 (4) PRECISE GEOLOCATION DATA.

 (GG) (1) “TARGETED ADVERTISING” MEANS DISPLAYING
ADVERTISEMENTS TO A CONSUMER OR ON A DEVICE IDENTIFIED BY A UNIQUE
IDENTIFIER, WHERE THE ADVERTISEMENT IS SELECTED BASED ON PERSONAL DATA
OBTAINED OR INFERRED FROM THE CONSUMER’S ACTIVITIES OVER TIME AND
ACROSS WEBSITES OR ONLINE APPLICATIONS THAT ARE UNAFFILIATED WITH EACH
OTHER, IN ORDER TO PREDICT THE CONSUMER’S PREFERENCES OR INTERESTS.

 (2) “TARGETED ADVERTISING” DOES NOT INCLUDE:

 (I) ADVERTISEMENTS BASED ON THE CONTEXT IN WHICH THE
ADVERTISEMENT APPEARS AND DOES NOT VARY BASED ON WHO IS VIEWING THE
ADVERTISEMENT;

 (II) ADVERTISEMENTS BASED ON A CONSUMER’S ACTIVITIES
WITHIN A CONTROLLER’S WEBSITES OR ONLINE APPLICATIONS;

 (III) ADVERTISEMENTS DIRECTED TO A CONSUMER IN
RESPONSE TO THE CONSUMER’S REQUEST FOR INFORMATION OR FEEDBACK; OR

 (IV) PROCESSING PERSONAL DATA SOLELY TO MEASURE OR
REPORT ADVERTISING FREQUENCY, PERFORMANCE, OR REACH.

 (HH) “THIRD PARTY” MEANS A PERSON OTHER THAN THE RELEVANT
CONSUMER, CONTROLLER, PROCESSOR, OR AFFILIATE OF THE CONTROLLER OR
PROCESSOR OF RELEVANT PERSONAL DATA.

 (II) (1) “TRADE SECRET” MEANS INFORMATION THAT:

 (I) DERIVES INDEPENDENT ECONOMIC VALUE, ACTUAL OR
POTENTIAL, FROM NOT BEING GENERALLY KNOWN TO, AND NOT BEING READILY
ASCERTAINABLE BY PROPER MEANS BY, OTHER PERSONS WHO COULD OBTAIN
ECONOMIC VALUE FROM THE INFORMATION’S DISCLOSURE OR USE; AND
 
 
 (II) IS THE SUBJECT OF EFFORTS THAT ARE REASONABLE
UNDER THE CIRCUMSTANCES TO MAINTAIN THE SECRECY OF THE INFORMATION.

 (2) “TRADE SECRET” INCLUDES A FORMULA, PATTERN,
COMPILATION, PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS.

14–4602.

 THIS SUBTITLE APPLIES TO A PERSON THAT:

 (1) CONDUCTS BUSINESS IN THE STATE; OR

 (2) (I) PRODUCES SERVICES OR PRODUCTS THAT ARE TARGETED
TO RESIDENTS OF THE STATE; AND

 (II) DURING THE IMMEDIATELY PRECEDING CALENDAR YEAR:

 1. CONTROLLED OR PROCESSED THE PERSONAL DATA
OF AT LEAST 35,000 CONSUMERS, EXCLUDING PERSONAL DATA CONTROLLED OR
PROCESSED SOLELY FOR THE PURPOSE OF COMPLETING A PAYMENT TRANSACTION;
OR

 2. CONTROLLED OR PROCESSED THE PERSONAL DATA
OF AT LEAST 10,000 CONSUMERS AND DERIVED MORE THAN 20% OF ITS GROSS
REVENUE FROM THE SALE OF PERSONAL DATA.

14–4603.

 (A) THIS SUBTITLE DOES NOT APPLY TO:

 (1) A REGULATORY, ADMINISTRATIVE, ADVISORY, EXECUTIVE,
APPOINTIVE, LEGISLATIVE, OR JUDICIAL BODY OF THE STATE, INCLUDING A BOARD,
BUREAU, COMMISSION, OR UNIT OF THE STATE OR A POLITICAL SUBDIVISION OF
THE STATE;

 (2) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED
UNDER § 15 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934 OR A
REGISTERED FUTURES ASSOCIATION DESIGNATED IN ACCORDANCE WITH § 17 OF
THE FEDERAL COMMODITY EXCHANGE ACT; OR

 (3) A FINANCIAL INSTITUTION OR AFFILIATE OF A FINANCIAL
INSTITUTION THAT IS SUBJECT TO TITLE V OF THE FEDERAL
GRAMM–LEACH–BLILEY ACT AND REGULATIONS ADOPTED UNDER THAT ACT.
 
 
 
 (B) THE FOLLOWING INFORMATION AND DATA ARE EXEMPT FROM THIS
SUBTITLE:

 (1) PROTECTED HEALTH INFORMATION UNDER HIPAA;

 (2) PATIENT–IDENTIFYING INFORMATION FOR PURPOSES OF 42
U.S.C. § 290DD–2;

 (3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR
PURPOSES OF THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS IN
ACCORDANCE WITH 45 C.F.R. § 46;

 (4) IDENTIFIABLE PRIVATE INFORMATION TO THE EXTENT THAT IT IS
COLLECTED AND USED AS PART OF HUMAN SUBJECTS RESEARCH IN ACCORDANCE
WITH THE ICH 36 GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE
INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS
FOR PHARMACEUTICALS FOR HUMAN USE OR THE PROTECTION OF HUMAN
SUBJECTS UNDER 21 C.F.R. §§ 50 AND 56;

 (5) PATIENT SAFETY WORK PRODUCT THAT IS CREATED AND USED
FOR PURPOSES OF PATIENT SAFETY IMPROVEMENT IN ACCORDANCE WITH 42
C.F.R. § 3, ESTABLISHED IN ACCORDANCE WITH 42 U.S.C. §§ 299B–21 THROUGH
299B–26;

 (6) INFORMATION TO THE EXTENT IT IS USED FOR PUBLIC HEALTH,
COMMUNITY HEALTH, OR POPULATION HEALTH ACTIVITIES AND PURPOSES, AS
AUTHORIZED BY HIPAA, WHEN PROVIDED BY OR TO A COVERED ENTITY OR WHEN
PROVIDED BY OR TO A BUSINESS ASSOCIATE IN ACCORDANCE WITH THE BUSINESS
ASSOCIATE AGREEMENT WITH A COVERED ENTITY;

 (7) THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE,
COMMUNICATION, OR USE OF PERSONAL INFORMATION BEARING ON A CONSUMER’S
CREDITWORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL
REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING BY A CONSUMER
REPORTING AGENCY, FURNISHER, OR USER THAT PROVIDES INFORMATION FOR USE
IN A CONSUMER REPORT, AND BY A USER OF A CONSUMER REPORT, BUT ONLY TO
THE EXTENT THAT THE ACTIVITY IS REGULATED BY AND AUTHORIZED UNDER THE
FEDERAL FAIR CREDIT REPORTING ACT;

 (8) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED
IN COMPLIANCE WITH THE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994;
 
 
 (9) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY
EDUCATIONAL RIGHTS AND PRIVACY ACT;

 (10) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED
IN COMPLIANCE WITH THE FEDERAL FARM CREDIT ACT;

 (11) DATA PROCESSED OR MAINTAINED:

 (I) IN THE COURSE OF AN INDIVIDUAL APPLYING TO,
EMPLOYED BY, OR ACTING AS AN AGENT OR INDEPENDENT CONTRACTOR OF A
CONTROLLER, PROCESSOR, OR THIRD PARTY, TO THE EXTENT THAT THE DATA IS
COLLECTED AND USED WITHIN THE CONTEXT OF THE ROLE;

 (II) AS THE EMERGENCY CONTACT INFORMATION OF A
CONSUMER IF THE DATA IS USED FOR EMERGENCY CONTACT PURPOSES; OR

 (III) THAT IS:

 1. NECESSARY TO RETAIN TO ADMINISTER BENEFITS
FOR ANOTHER INDIVIDUAL RELATING TO THE CONSUMER WHO IS THE SUBJECT OF
THE INFORMATION UNDER ITEM (I) OF THIS ITEM; AND

 2. USED FOR THE PURPOSES OF ADMINISTERING THE
BENEFITS; AND

 (12) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED
IN RELATION TO PRICE, ROUTE, OR SERVICE BY AN AIR CARRIER SUBJECT TO THE
FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THIS SUBTITLE IS
PREEMPTED BY THE FEDERAL AIRLINE DEREGULATION ACT.

 (C) CONTROLLERS AND PROCESSORS THAT COMPLY WITH THE VERIFIABLE
PARENTAL CONSENT REQUIREMENTS OF COPPA SHALL BE CONSIDERED
COMPLIANT WITH AN OBLIGATION TO OBTAIN PARENTAL CONSENT IN ACCORDANCE
WITH THIS SUBTITLE WITH RESPECT TO A CONSUMER WHO IS A CHILD.

14–4604.

 A PERSON MAY NOT:

 (1) PROVIDE AN EMPLOYEE OR A CONTRACTOR ACCESS TO
CONSUMER HEALTH DATA UNLESS THE EMPLOYEE OR CONTRACTOR IS SUBJECT TO
A CONTRACTUAL OR STATUTORY DUTY OF CONFIDENTIALITY;
 
 
 (2) PROVIDE A PROCESSOR ACCESS TO CONSUMER HEALTH DATA
UNLESS THE PERSON PROVIDING ACCESS TO THE CONSUMER HEALTH DATA AND
THE PROCESSOR COMPLY WITH § 14–4607 OF THIS SUBTITLE;

 (3) USE A GEOFENCE:

 (I) TO IDENTIFY, TRACK, COLLECT DATA FROM, OR SEND A
NOTIFICATION TO A CONSUMER REGARDING THE CONSUMER’S CONSUMER HEALTH
DATA; AND

 (II) WITHIN 1,750 FEET OF A MENTAL HEALTH FACILITY OR
REPRODUCTIVE OR SEXUAL HEALTH FACILITY; OR

 (4) SELL OR OFFER TO SELL CONSUMER HEALTH DATA WITHOUT THE
CONSENT OF THE CONSUMER WHOSE HEALTH DATA IS TO BE SOLD OR OFFERED TO
BE SOLD.

14–4605.

 (A) NOTHING IN THIS SECTION MAY BE CONSTRUED TO REQUIRE A
CONTROLLER TO REVEAL A TRADE SECRET.

 (B) A CONSUMER SHALL HAVE THE RIGHT TO:

 (1) CONFIRM WHETHER A CONTROLLER IS PROCESSING THE
CONSUMER’S PERSONAL DATA, UNLESS THAT CONFIRMATION WOULD REQUIRE THE
DISCLOSURE OF A TRADE SECRET;

 (2) IF A CONTROLLER IS PROCESSING A CONSUMER’S PERSONAL
DATA, ACCESS THE CONSUMER’S PERSONAL DATA UNLESS THAT ACCESS WOULD
REQUIRE THE DISCLOSURE OF A TRADE SECRET;

 (3) CONSIDERING THE NATURE OF THE CONSUMER’S PERSONAL
DATA AND THE PURPOSES OF THE PROCESSING OF THE PERSONAL DATA, CORRECT
INACCURACIES IN THE CONSUMER’S PERSONAL DATA;

 (4) REQUIRE A CONTROLLER TO DELETE PERSONAL DATA PROVIDED
BY, OR OBTAINED ABOUT, THE CONSUMER;

 (5) IF THE PROCESSING OF PERSONAL DATA IS DONE BY AUTOMATIC
MEANS, OBTAIN A COPY OF THE CONSUMER’S PERSONAL DATA PROCESSED BY THE
CONTROLLER IN A PORTABLE AND, TO THE EXTENT TECHNICALLY FEASIBLE,
READILY USABLE FORMAT THAT ALLOWS THE CONSUMER TO EASILY TRANSMIT THE
DATA TO ANOTHER CONTROLLER WITHOUT HINDRANCE;
 
 (6) OBTAIN A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH
THE CONTROLLER HAS DISCLOSED THE CONSUMER’S PERSONAL DATA OR A LIST OF
THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED
ANY CONSUMER’S PERSONAL DATA IF THE CONTROLLER DOES NOT MAINTAIN THIS
INFORMATION IN A FORMAT SPECIFIC TO THE CONSUMER; AND

 (7) OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES
OF:

 (I) TARGETED ADVERTISING;

 (II) THE SALE OF PERSONAL DATA; OR

 (III) PROFILING IN FURTHERANCE OF SOLELY AUTOMATED
DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS
CONCERNING THE CONSUMER.

 (C) (1) A CONTROLLER SHALL ESTABLISH A SECURE AND RELIABLE
METHOD FOR A CONSUMER TO EXERCISE A CONSUMER RIGHT UNDER THIS SECTION.

 (2) A CONSUMER MAY EXERCISE A CONSUMER RIGHT UNDER THIS
SECTION BY THE METHOD ESTABLISHED BY THE CONTROLLER UNDER PARAGRAPH
(1) OF THIS SUBSECTION.

 (D) (1) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT IN
ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF THE PROCESSING
OF THE CONSUMER’S PERSONAL DATA UNDER SUBSECTION (B)(7) OF THIS SECTION
ON BEHALF OF A CONSUMER.

 (2) A PARENT OR LEGAL GUARDIAN OF A CHILD MAY EXERCISE A
CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CHILD’S
BEHALF REGARDING THE PROCESSING OF PERSONAL DATA.

 (3) A GUARDIAN OR CONSERVATOR OF A CONSUMER SUBJECT TO A
GUARDIANSHIP, CONSERVATORSHIP, OR OTHER PROTECTIVE ARRANGEMENT MAY
EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE
CONSUMER’S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA.
 
 
 (E) (1) EXCEPT AS OTHERWISE PROVIDED IN THIS SUBTITLE, A
CONTROLLER SHALL COMPLY WITH A REQUEST BY A CONSUMER TO EXERCISE A
CONSUMER RIGHT LISTED IN THIS SECTION.

 (2) (I) A CONTROLLER SHALL RESPOND TO A CONSUMER REQUEST
NOT LATER THAN 45 DAYS AFTER THE CONTROLLER RECEIVES THE CONSUMER
REQUEST.

 (II) A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY
AN ADDITIONAL 45 DAYS IF:

 1. IT IS REASONABLY NECESSARY TO COMPLETE THE
REQUEST BASED ON THE COMPLEXITY AND NUMBER OF THE CONSUMER’S
REQUESTS; AND

 2. THE CONTROLLER INFORMS THE CONSUMER OF THE
EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY
RESPONSE PERIOD.

 (III) A CONTROLLER SHALL NOTIFY THE CONSUMER WITHIN 30
DAYS AFTER COMPLYING WITH THE CONSUMER’S REQUEST THAT THE CONTROLLER
HAS COMPLIED WITH THE CONSUMER’S REQUEST.

 (3) IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER’S
REQUEST, THE CONTROLLER SHALL:

 (I) INFORM THE CONSUMER WITHOUT UNDUE DELAY, BUT NOT
LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST, OF THE JUSTIFICATION FOR
DECLINING TO ACT; AND

 (II) PROVIDE INSTRUCTIONS FOR HOW TO APPEAL THE
DECISION.

 (4) (I) A CONTROLLER SHALL PROVIDE INFORMATION TO A
CONSUMER IN RESPONSE TO A CONSUMER’S REQUEST TO EXERCISE RIGHTS UNDER
THIS SUBTITLE FREE OF CHARGE ONCE DURING ANY 12–MONTH PERIOD.

 (II) IF REQUESTS FROM A CONSUMER ARE MANIFESTLY
UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A
CONTROLLER MAY:

 1. CHARGE THE CONSUMER A REASONABLE FEE TO
COVER THE ADMINISTRATIVE COSTS OF COMPLYING WITH THE REQUEST; OR
 
 
 
 2. DECLINE TO ACT ON THE REQUEST.

 (III) THE CONTROLLER HAS THE BURDEN OF DEMONSTRATING
THE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR
REPETITIVE NATURE OF THE REQUEST.

 (5) IF A CONTROLLER IS UNABLE TO AUTHENTICATE A REQUEST TO
EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5)
OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE
CONTROLLER:

 (I) MAY NOT BE REQUIRED TO COMPLY WITH A REQUEST TO
INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION; AND

 (II) SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE
CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST TO EXERCISE THE RIGHT
UNTIL THE CONSUMER PROVIDES ADDITIONAL INFORMATION REASONABLY
NECESSARY TO AUTHENTICATE THE CONSUMER AND THE CONSUMER’S REQUEST TO
EXERCISE THE CONSUMER’S RIGHTS.

 (6) A CONTROLLER MAY NOT BE REQUIRED TO AUTHENTICATE AN
OPT–OUT REQUEST.

 (7) A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A
CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED
COMPLIANT WITH THE CONSUMER’S REQUEST TO DELETE THE CONSUMER’S DATA IN
ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD
OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE
PURPOSE OF ENSURING THAT THE CONSUMER’S PERSONAL DATA:

 (I) REMAINS DELETED FROM THE CONTROLLER’S RECORDS;
AND

 (II) IS NOT BEING USED FOR ANY OTHER PURPOSE.

 (F) (1) A CONTROLLER SHALL ESTABLISH A PROCESS FOR A CONSUMER
TO APPEAL THE CONTROLLER’S REFUSAL TO ACT ON A CONSUMER RIGHTS REQUEST
WITHIN A REASONABLE PERIOD AFTER THE CONSUMER RECEIVES THE DECISION.

 (2) THE APPEAL PROCESS SHALL BE:

 (I) CONSPICUOUSLY AVAILABLE; AND
 
 
 
 (II) SIMILAR TO THE PROCESS FOR SUBMITTING REQUESTS TO
INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION.

 (3) NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A
CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR
NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF
THE REASONS FOR THE DECISIONS.

 (4) IF A CONTROLLER DENIES AN APPEAL, THE CONTROLLER SHALL
PROVIDE THE CONSUMER WITH AN ONLINE MECHANISM, IF AVAILABLE, THROUGH
WHICH THE CONSUMER MAY CONTACT THE DIVISION TO SUBMIT A COMPLAINT.

14–4606.

 (A) (1) A CONSUMER MAY DESIGNATE AN INDIVIDUAL TO SERVE AS THE
CONSUMER’S AUTHORIZED AGENT AND ACT ON THE CONSUMER’S BEHALF TO OPT
OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR ONE OR MORE
OF THE PURPOSES SPECIFIED IN § 14–4605(B)(7) OF THIS SUBTITLE.

 (2) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT BY AN
INTERNET LINK OR A BROWSER SETTING, BROWSER EXTENSION, GLOBAL DEVICE
SETTING, OR OTHER SIMILAR TECHNOLOGY, INDICATING A CONSUMER’S INTENT TO
OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA.

 (B) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED
FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS,
THE CONTROLLER IS ABLE TO AUTHENTICATE:

 (1) THE IDENTITY OF THE CONSUMER; AND

 (2) THE AUTHORIZED AGENT’S AUTHORITY TO ACT ON THE
CONSUMER’S BEHALF.

14–4607.

 (A) A CONTROLLER MAY NOT:

 (1) COLLECT PERSONAL DATA FOR THE SOLE PURPOSE OF CONTENT
PERSONALIZATION OR MARKETING WITHOUT THE CONSENT OF THE CONSUMER
WHOSE PERSONAL DATA IS COLLECTED;
 
 
 (2) EXCEPT WHERE THE COLL ECTION OR PR OCESSING IS STRICTLY 1 
NECESSARY TO PROVIDE OR MAINTAIN A SPECIF IC PRODUCT OR SERVIC E 2 
REQUESTED BY THE CON SUMER TO WHOM THE PE RSONAL DATA PERTAINS AND 3 
UNLESS THE CONTROLLE R OBTAINS THE CONSUM ER’S CONSENT , COLLECT, 4 
PROCESS, OR SHARE SENSITIVE D ATA CONCERNING A CONSUMER ; 5 
 
 (3) SELL SENSITIVE DATA ; 6 
 
 (4) PROCESS PERSONAL DATA IN VIOLATION OF STATE OR FEDERAL 7 
LAWS THAT PROHIBIT U NLAWFUL DISCRIMINATI ON; 8 
 
 (5) PROCESS THE PERSONAL DATA OF A CONSUMER F OR THE 9 
PURPOSES OF TARGETED ADVERTISING IF THE C ONTROLLER KNEW OR SHOULD 10 
HAVE KNOWN THAT THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE 11 
OF 18 YEARS; 12 
 
 (6) SELL THE PERSONAL DATA OF A CONSUMER WITHOUT THE
CONSUMER’S CONSENT IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT
THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 18 YEARS;

 (7) DISCRIMINATE AGAINST A CONSUMER FOR EXERCISING A
CONSUMER RIGHT CONTAINED IN THIS SUBTITLE, INCLUDING DENYING GOODS OR
SERVICES, CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, OR
PROVIDING A DIFFERENT LEVEL OF QUALITY OF GOODS OR SERVICES TO THE
CONSUMER;

 (8) COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY
AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR
OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS
OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX,
SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE
COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR:

 (I) THE CONTROLLER’S SELF–TESTING TO PREVENT OR
MITIGATE UNLAWFUL DISCRIMINATION;

 (II) THE CONTROLLER’S DIVERSIFYING OF AN APPLICANT,
PARTICIPANT, OR CUSTOMER POOL; OR

 (III) A PRIVATE CLUB OR GROUP NOT OPEN TO THE PUBLIC, AS
DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR

 (9) UNLESS THE CONTROLLER OBTAINS THE CONSUMER’S CONSENT,
PROCESS PERSONAL DATA FOR A PURPOSE THAT IS NEITHER REASONABLY
NECESSARY TO, NOR COMPATIBLE WITH, THE DISCLOSED PURPOSES FOR WHICH
THE PERSONAL DATA IS PROCESSED, AS DISCLOSED TO THE CONSUMER.
 
 (B) (1) A CONTROLLER SHALL:

 (I) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS
REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A
SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE
DATA PERTAINS;

 (II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO
PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL
DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT
ISSUE; AND

 (III) PROVIDE AN EFFECTIVE MECHANISM FOR A CONSUMER TO
REVOKE THE CONSUMER’S CONSENT UNDER THIS SECTION THAT IS AT LEAST AS
EASY AS THE MECHANISM BY WHICH THE CONSUMER PROVIDED THE CONSUMER’S
CONSENT.

 (2) IF A CONSUMER REVOKES CONSENT UNDER THIS SECTION, THE
CONTROLLER SHALL STOP PROCESSING THE CONSUMER’S PERSONAL DATA AS SOON
AS PRACTICABLE, BUT NOT LATER THAN 15 DAYS AFTER RECEIVING THE REQUEST.
 
 (C) NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE
CONSTRUED TO:

 (1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE
THAT REQUIRES THE PERSONAL DATA OF A CONSUMER THAT THE CONTROLLER
DOES NOT COLLECT OR MAINTAIN; OR

 (2) PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE,
RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER,
INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN
CONNECTION WITH A CONSUMER’S VOLUNTARY PARTICIPATION IN A BONA FIDE
LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM.
 
 (D) A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY
ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES:

 (1) THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE
CONTROLLER, INCLUDING SENSITIVE DATA;

 (2) THE CONTROLLER’S PURPOSE FOR PROCESSING PERSONAL DATA;

 (3) HOW A CONSUMER MAY EXERCISE THE CONSUMER’S RIGHTS
UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A
CONTROLLER’S DECISION REGARDING THE CONSUMER’S REQUEST OR MAY REVOKE
CONSENT;

 (4) THE CATEGORIES OF THIRD PARTIES WITH WHICH THE
CONTROLLER SHARES PERSONAL DATA WITH A LEVEL OF DETAIL THAT ENABLES A
CONSUMER TO UNDERSTAND WHAT TYPE OF ENTITY EACH THIRD PARTY IS AND, TO
THE EXTENT POSSIBLE, HOW EACH THIRD PARTY MAY PROCESS THE PERSONAL
DATA;

 (5) THE CATEGORIES OF PERSONAL DATA, INCLUDING SENSITIVE
DATA, THAT THE CONTROLLER SHARES WITH THIRD PARTIES; AND

 (6) AN ACTIVE E–MAIL ADDRESS OR OTHER ONLINE MECHANISM
THAT A CONSUMER MAY USE TO CONTACT THE CONTROLLER.
 
 (E) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR
PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING OR FOR THE PURPOSES
OF PROFILING THE CONSUMER IN FURTHERANCE OF DECISIONS THAT PRODUCE
LEGAL OR SIMILARLY SIGNIFICANT EFFECTS, THE CONTROLLER SHALL CLEARLY
AND CONSPICUOUSLY DISCLOSE THE PROCESSING, AS WELL AS THE MANNER IN
WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE PROCESSING.
 
 (F) (1) THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION
SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A
CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN
ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT:

 (I) THE WAYS IN WHICH CONSUMERS NORMALLY INTERACT
WITH THE CONTROLLER;

 (II) THE NEED FOR SECURE AND RELIABLE COMMUNICATION
OF CONSUMER REQUESTS; AND

 (III) THE ABILITY OF THE CONTROLLER TO VERIFY THE
IDENTITY OF A CONSUMER MAKING THE REQUEST.

 (2) (I) A CONTROLLER MAY NOT REQUIRE A CONSUMER TO
CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT.

 (II) A CONTROLLER MAY REQUIRE A CONSUMER TO USE AN
EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT.

 (3) A CONTROLLER MAY UTILIZE THE FOLLOWING METHODS TO
SATISFY PARAGRAPH (1) OF THIS SUBSECTION:

 (I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE
CONTROLLER’S WEBSITE TO A WEBPAGE THAT ALLOWS A CONSUMER, OR AN
AUTHORIZED AGENT OF THE CONSUMER, TO OPT OUT OF THE TARGETED
ADVERTISING OR THE SALE OF THE CONSUMER’S PERSONAL DATA; OR

 (II) ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER
TO OPT OUT OF ANY PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR THE
PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSONAL DATA,
THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT, WITH THE CONSUMER’S
CONSENT, BY A PLATFORM, TECHNOLOGY, OR MECHANISM TO THE CONTROLLER
INDICATING THE CONSUMER’S INTENT TO OPT OUT OF THE PROCESSING OR SALE.
 
 (4) A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN
ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL:

 (I) BE CONSUMER–FRIENDLY AND EASY TO USE BY THE
AVERAGE CONSUMER;

 (II) USE CLEAR, EASY TO UNDERSTAND, AND UNAMBIGUOUS
LANGUAGE;

 (III) BE AS CONSISTENT AS POSSIBLE WITH ANY OTHER SIMILAR
PLATFORM, TECHNOLOGY, OR MECHANISM REQUIRED BY ANY FEDERAL OR STATE
LAW OR REGULATION;

 (IV) ENABLE THE CONTROLLER TO REASONABLY DETERMINE
WHETHER THE CONSUMER:

 1. IS A RESIDENT OF THE STATE; AND

 2. HAS MADE A LEGITIMATE REQUEST TO OPT OUT OF
ANY SALE OF THE CONSUMER’S PERSONAL DATA OR TARGETED ADVERTISING; AND

 (V) REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE,
UNAMBIGUOUS, AND VOLUNTARY CHOICE IN ORDER TO OPT OUT OF ANY
PROCESSING OF THE CONSUMER’S PERSONAL DATA.

 (5) A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN
ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION MAY NOT:

 (I) UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER; OR

 (II) USE A DEFAULT SETTING TO OPT A CONSUMER OUT OF ANY
PROCESSING OF THE CONSUMER’S PERSONAL DATA.
 
 (G) IF A CONSUMER’S DECISION TO OPT OUT OF THE PROCESSING OF THE
CONSUMER’S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR
THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT IN
ACCORDANCE WITH SUBSECTION (F)(3) OF THIS SECTION CONFLICTS WITH THE
CONSUMER’S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR THE
CONSUMER’S VOLUNTARY PARTICIPATION IN A CONTROLLER’S BONA FIDE LOYALTY,
REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE
CONTROLLER MAY NOTIFY THE CONSUMER OF A CONFLICT AND PROVIDE THE
CHOICE TO CONFIRM CONTROLLER–SPECIFIC PRIVACY SETTINGS OR
PARTICIPATION IN A PROGRAM LISTED IN THIS PARAGRAPH.
 
14–4608.

 (A) (1) IF A CONTROLLER USES A PROCESSOR TO PROCESS THE
PERSONAL DATA OF CONSUMERS, THE CONTROLLER AND THE PROCESSOR SHALL
ENTER INTO A CONTRACT THAT GOVERNS THE PROCESSOR’S DATA PROCESSING
PROCEDURES WITH RESPECT TO PROCESSING PERFORMED ON BEHALF OF THE
CONTROLLER.

 (2) THE CONTRACT SHALL BE BINDING AND SHALL CLEARLY SET
FORTH INSTRUCTIONS FOR:

 (I) PROCESSING DATA;

 (II) THE NATURE AND PURPOSE OF PROCESSING;

 (III) THE TYPE OF DATA SUBJECT TO PROCESSING;

 (IV) THE DURATION OF PROCESSING; AND

 (V) THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
 
 
 
 (3) THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR:

 (I) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA
IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE PERSONAL
DATA;

 (II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO
PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL
DATA, CONSIDERING THE VOLUME AND NATURE OF THE PERSONAL DATA;

 (III) STOP PROCESSING DATA ON REQUEST BY THE CONTROLLER
MADE IN ACCORDANCE WITH A CONSUMER’S AUTHENTICATED REQUEST;

 (IV) AT THE CONTROLLER’S DIRECTION, DELETE OR RETURN
ALL PERSONAL DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE
PROVISION OF SERVICE, UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED
BY LAW;

 (V) ON THE REASONABLE REQUEST OF THE CONTROLLER,
MAKE AVAILABLE TO THE CONTROLLER ALL INFORMATION IN THE PROCESSOR’S
POSSESSION NECESSARY TO DEMONSTRATE THE PROCESSOR’S COMPLIANCE WITH
THE OBLIGATIONS IN THIS SUBTITLE;

 (VI) AFTER PROVIDING THE CONTROLLER AN OPPORTUNITY TO
OBJECT, ENGAGE A SUBCONTRACTOR TO ASSIST WITH PROCESSING PERSONAL DATA
ON THE CONTROLLER’S BEHALF ONLY IN ACCORDANCE WITH A WRITTEN CONTRACT
THAT REQUIRES THE SUBCONTRACTOR TO MEET THE PROCESSOR’S OBLIGATIONS
REGARDING THE PERSONAL DATA UNDER THE PROCESSOR’S CONTRACT WITH THE
CONTROLLER; AND

 (VII) ALLOW AND COOPERATE WITH REASONABLE ASSESSMENTS
BY THE CONTROLLER, THE CONTROLLER’S DESIGNATED ASSESSOR, OR A QUALIFIED
AND INDEPENDENT ASSESSOR ARRANGED FOR BY THE PROCESSOR TO ASSESS THE
PROCESSOR’S POLICIES AND TECHNICAL AND ORGANIZATIONAL MEASURES IN
SUPPORT OF THE OBLIGATIONS UNDER THIS SUBTITLE.

 (4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT
OF AN ASSESSMENT REQUIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION TO THE
CONTROLLER.

 (II) AN ASSESSMENT CONDUCTED IN ACCORDANCE WITH
PARAGRAPH (3)(V) OF THIS SUBSECTION SHALL BE CONDUCTED USING AN
APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND
ASSESSMENT PROCEDURE FOR THE ASSESSMENTS.
 
 (B) (1) IF A CONTROLLER USES A PROCESSOR TO PROCESS THE
PERSONAL DATA OF CONSUMERS, THE CONTROLLER SHALL PROVIDE THE
PROCESSOR WITH INSTRUCTIONS ON HOW TO PROCESS PERSONAL DATA.

 (2) A PROCESSOR SHALL:

 (I) ADHERE TO THE CONTRACT AND INSTRUCTIONS OF A
CONTROLLER;

 (II) ASSIST THE CONTROLLER IN MEETING THE CONTROLLER’S
OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING, CONSIDERING THE NATURE OF
PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR:

 1. BY APPROPRIATE TECHNICAL AND ORGANIZATIONAL
MEASURES AS MUCH AS REASONABLY PRACTICABLE TO FULFILL THE
CONTROLLER’S OBLIGATION TO RESPOND TO CONSUMER RIGHTS REQUESTS; AND

 2. BY ASSISTING THE CONTROLLER IN MEETING THE
CONTROLLER’S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING THE
PERSONAL DATA AND IN RELATION TO THE NOTIFICATION OF A BREACH OF THE
SECURITY OF A SYSTEM, AS DEFINED IN § 14–3504 OF THIS TITLE; AND

 (III) PROVIDE NECESSARY INFORMATION TO ENABLE THE
CONTROLLER TO CONDUCT AND DOCUMENT DATA PROTECTION ASSESSMENTS.
 
 (C) NOTHING IN THIS SECTION MAY BE CONSTRUED TO RELIEVE A
CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON THE
CONTROLLER OR PROCESSOR BY VIRTUE OF THE CONTROLLER’S OR PROCESSOR’S
ROLE IN THE PROCESSING RELATIONSHIP IN ACCORDANCE WITH THIS SECTION.

 (D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A
CONTROLLER OR A PROCESSOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA
IS A FACT–BASED DETERMINATION THAT DEPENDS ON THE CONTEXT IN WHICH
PERSONAL DATA IS BEING PROCESSED.

 (2) A PERSON IS CONSIDERED TO BE A CONTROLLER IF THE PERSON:

 (I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPECIFIC
PERSONAL DATA IN ACCORDANCE WITH A CONTROLLER’S INSTRUCTIONS; OR

 (II) FAILS TO ADHERE TO A CONTROLLER’S INSTRUCTIONS
WITH RESPECT TO A SPECIFIC PROCESSING OF PERSONAL DATA.

 (3) A PROCESSOR THAT CONTINUES TO ADHERE TO A CONTROLLER’S
INSTRUCTIONS WITH RESPECT TO A SPECIFIC PROCESSING OF PERSONAL DATA
REMAINS A PROCESSOR.

 (4) IF A PROCESSOR OR THIRD PARTY BEGINS, ALONE OR JOINTLY
WITH OTHERS, DETERMINING THE PURPOSES AND MEANS OF THE PROCESSING OF
PERSONAL DATA, THE PROCESSOR:

 (I) IS A CONTROLLER WITH RESPECT TO THE PROCESSING; AND

 (II) MAY BE SUBJECT TO AN ENFORCEMENT ACTION UNDER
THIS SUBTITLE.

 (E) NOTHING IN THIS SECTION MAY BE CONSTRUED TO ALTER A
CONTROLLER’S OBLIGATION TO LIMIT A PERSON’S PROCESSING OF PERSONAL DATA
OR TO TAKE STEPS TO ENSURE THAT A PROCESSOR ADHERES TO THE CONTROLLER’S
INSTRUCTIONS.
 
14–4609.

 (A) IF A THIRD PARTY USES OR SHARES A CONSUMER’S INFORMATION IN A
MANNER INCONSISTENT WITH PROMISES MADE TO THE CONSUMER AT THE TIME OF
COLLECTION OF THE INFORMATION, THE THIRD PARTY SHALL PROVIDE AN
AFFECTED CONSUMER WITH NOTICE OF THE NEW OR CHANGED PRACTICE BEFORE
IMPLEMENTING THE NEW OR CHANGED PRACTICE.

 (B) THE NOTICE PROVIDED UNDER SUBSECTION (A) OF THIS SECTION
SHALL BE PROVIDED IN A MANNER AND AT A TIME REASONABLY CALCULATED TO
ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE.
 
14–4610.

 (A) IN THIS SECTION, “PROCESSING ACTIVITIES THAT PRESENT A
HEIGHTENED RISK OF HARM TO A CONSUMER” MEANS:

 (1) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF
TARGETED ADVERTISING;

 (2) THE SALE OF PERSONAL DATA;

 (3) THE PROCESSING OF SENSITIVE DATA; AND

 (4) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF
PROFILING, IN WHICH THE PROFILING PRESENTS A REASONABLY FORESEEABLE
RISK OF:

 (I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATMENT OF A
CONSUMER;

 (II) HAVING AN UNLAWFUL DISPARATE IMPACT ON A
CONSUMER;

 (III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJURY TO A
CONSUMER;

 (IV) A PHYSICAL OR OTHER INTRUSION ON THE SOLITUDE OR
SECLUSION OR THE PRIVATE AFFAIRS OR CONCERNS OF A CONSUMER IN WHICH THE
INTRUSION WOULD BE OFFENSIVE TO A REASONABLE PERSON; OR

 (V) OTHER SUBSTANTIAL INJURY TO A CONSUMER.
 
 (B) A CONTROLLER SHALL CONDUCT AND DOCUMENT, ON A REGULAR
BASIS, A DATA PROTECTION ASSESSMENT FOR EACH OF THE CONTROLLER’S
PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A
CONSUMER, INCLUDING AN ASSESSMENT FOR EACH ALGORITHM THAT IS USED.

 (C) (1) A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE
WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS THAT MAY FLOW
DIRECTLY AND INDIRECTLY FROM THE PROCESSING TO THE CONTROLLER, THE
CONSUMER, OTHER INTERESTED PARTIES, AND THE PUBLIC AGAINST:

 (I) THE POTENTIAL RISKS TO THE RIGHTS OF THE CONSUMER
ASSOCIATED WITH THE PROCESSING AS MITIGATED BY SAFEGUARDS THAT MAY BE
EMPLOYED BY THE CONTROLLER TO REDUCE THESE RISKS; AND

 (II) THE NECESSITY AND PROPORTIONALITY OF PROCESSING IN
RELATION TO THE STATED PURPOSE OF THE PROCESSING.

 (2) THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION
ASSESSMENT:

 (I) THE USE OF DE–IDENTIFIED DATA;

 (II) THE REASONABLE EXPECTATIONS OF CONSUMERS;

 (III) THE CONTEXT OF THE PROCESSING; AND

 (IV) THE RELATIONSHIP BETWEEN THE CONTROLLER AND THE
CONSUMER WHOSE PERSONAL DATA WILL BE PROCESSED.
 
 (D) (1) THE DIVISION MAY REQUIRE THAT A CONTROLLER MAKE
AVAILABLE TO THE DIVISION A DATA PROTECTION ASSESSMENT THAT IS RELEVANT
TO AN INVESTIGATION CONDUCTED BY THE DIVISION.

 (2) (I) THE DIVISION MAY EVALUATE A DATA PROTECTION
ASSESSMENT FOR COMPLIANCE WITH THE RESPONSIBILITIES ESTABLISHED IN THIS
SUBTITLE.

 (II) A CONTROLLER’S DATA PROTECTION ASSESSMENT MAY BE
USED IN AN ACTION TO ENFORCE THIS SUBTITLE.

 (3) A DATA PROTECTION ASSESSMENT IS CONFIDENTIAL AND IS
EXEMPT FROM DISCLOSURE UNDER THE FEDERAL FREEDOM OF INFORMATION ACT
OR THE PUBLIC INFORMATION ACT.

 (E) A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A
COMPARABLE SET OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR
ACTIVITIES.

 (F) IF A CONTROLLER CONDUCTS A DATA PROTECTION ASSESSMENT FOR
THE PURPOSE OF COMPLYING WITH ANOTHER APPLICABLE LAW OR REGULATION,
THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERED TO SATISFY THE
REQUIREMENTS ESTABLISHED IN THIS SECTION IF THE DATA PROTECTION
ASSESSMENT IS REASONABLY SIMILAR IN SCOPE AND EFFECT TO THE DATA
PROTECTION ASSESSMENT THAT WOULD OTHERWISE BE CONDUCTED IN
ACCORDANCE WITH THIS SECTION.

 (G) TO THE EXTENT THAT ANY INFORMATION CONTAINED IN A DATA
PROTECTION ASSESSMENT DISCLOSED TO THE DIVISION INCLUDES INFORMATION
SUBJECT TO ATTORNEY–CLIENT PRIVILEGE OR WORK PRODUCT PROTECTION, THE
DISCLOSURE MAY NOT CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION.
 
14–4611.

 (A) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A
CONTROLLER OR A PROCESSOR TO:

 (1) RE–IDENTIFY DE–IDENTIFIED DATA;

 (2) MAINTAIN DATA IN AN IDENTIFIABLE FORM; OR

 (3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR
TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED
CONSUMER REQUEST WITH PERSONAL DATA.

 (B) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A
CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER
RIGHTS REQUEST IF THE CONTROLLER:

 (1) IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST
WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE
CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA;

 (2) DOES NOT USE THE PERSONAL DATA TO RECOGNIZE OR RESPOND
TO THE SPECIFIC CONSUMER WHO IS THE SUBJECT OF THE PERSONAL DATA OR
ASSOCIATE THE PERSONAL DATA WITH OTHER PERSONAL DATA ABOUT THE SAME
SPECIFIC CONSUMER; AND

 (3) DOES NOT SELL THE PERSONAL DATA TO A THIRD PARTY OR
OTHERWISE VOLUNTARILY DISCLOSE THE PERSONAL DATA TO A THIRD PARTY
OTHER THAN A PROCESSOR, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBTITLE.
 
 (C) (1) A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL:

 (I) EXERCISE REASONABLE OVERSIGHT TO MONITOR
COMPLIANCE WITH ANY CONTRACTUAL COMMITMENTS TO WHICH THE
DE–IDENTIFIED DATA IS SUBJECT; AND

 (II) TAKE APPROPRIATE STEPS TO ADDRESS ANY BREACHES OF
ANY CONTRACTUAL COMMITMENTS.

 (2) THE DETERMINATION OF WHETHER OVERSIGHT IS REASONABLE
AND WHETHER APPROPRIATE STEPS WERE TAKEN IN ACCORDANCE WITH
PARAGRAPH (1) OF THIS SUBSECTION SHALL TAKE INTO ACCOUNT WHETHER THE
DISCLOSED DATA INCLUDES DATA THAT WOULD BE CONSIDERED SENSITIVE DATA IF
THE DATA WERE RE–IDENTIFIED.
 
 
 
14–4612.

 (A) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A
CONTROLLER’S OR PROCESSOR’S ABILITY TO:

 (1) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS OR
REGULATIONS;

 (2) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY,
INVESTIGATION, SUBPOENA, OR SUMMONS BY A FEDERAL, STATE, LOCAL, OR OTHER
GOVERNMENTAL AUTHORITY;

 (3) COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING
CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND
IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAWS OR
REGULATIONS;

 (4) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR, OR DEFEND
A LEGAL CLAIM;

 (5) PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY
A CONSUMER;

 (6) PERFORM UNDER A CONTRACT TO WHICH A CONSUMER IS A
PARTY, INCLUDING FULFILLING THE TERMS OF A WRITTEN WARRANTY;

 (7) TAKE STEPS AT THE REQUEST OF A CONSUMER BEFORE
ENTERING INTO A CONTRACT;

 (8) TAKE IMMEDIATE STEPS TO PROTECT AN INTEREST THAT IS
ESSENTIAL FOR THE LIFE OR PHYSICAL SAFETY OF A CONSUMER OR ANOTHER
INDIVIDUAL AND WHEN THE PROCESSING CANNOT BE MANIFESTLY BASED ON
ANOTHER LEGAL BASIS;

 (9) PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE,
PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY
INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE
ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY;

 (10) PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR

 (11) ASSIST ANOTHER CONTROLLER, PROCESSOR, OR THIRD PARTY
WITH AN OBLIGATION UNDER THIS SUBTITLE.
 
 (B) (1) THIS SUBSECTION DOES NOT APPLY TO AN OBLIGATION
REQUIRED UNDER § 14–4611 OF THIS SUBTITLE.

 (2) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR
UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER’S OR PROCESSOR’S
ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO:

 (I) EFFECTUATE A PRODUCT RECALL;

 (II) IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR
EXISTING OR INTENDED FUNCTIONALITY; OR

 (III) PERFORM INTERNAL OPERATIONS THAT ARE:

 1. REASONABLY ALIGNED WITH THE EXPECTATIONS OF
THE CONSUMER OR CAN BE REASONABLY ANTICIPATED BASED ON THE CONSUMER’S
EXISTING RELATIONSHIP WITH THE CONTROLLER; OR

 2. OTHERWISE COMPATIBLE WITH PROCESSING DATA IN
FURTHERANCE OF:

 A. THE PROVISION OF A PRODUCT OR SERVICE
SPECIFICALLY REQUESTED BY A CONSUMER; OR

 B. THE PERFORMANCE OF A CONTRACT TO WHICH THE
CONSUMER IS A PARTY.
 
 (C) (1) AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR
UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CONTROLLER
OR PROCESSOR WITH THE SUBTITLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE
UNDER STATE LAW.

 (2) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO PREVENT A
CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A
CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER STATE
LAW AS PART OF A PRIVILEGED COMMUNICATION.

 (D) A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEIVES
PERSONAL DATA FROM A CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THIS
SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE FOR THE INDEPENDENT
MISCONDUCT OF THE CONTROLLER OR PROCESSOR FROM WHICH THE
THIRD–PARTY CONTROLLER OR PROCESSOR RECEIVED THE PERSONAL DATA.
 
 (E) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO:

 (1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR
THAT ADVERSELY AFFECTS THE RIGHTS OR FREEDOMS OF ANY PERSON, INCLUDING
THE RIGHTS OF A PERSON TO FREEDOM OF SPEECH OR FREEDOM OF THE PRESS AS
GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR

 (2) APPLY TO A PERSON’S PROCESSING OF PERSONAL DATA DURING
THE PERSON’S PERSONAL OR HOUSEHOLD ACTIVITIES.

 (F) IF A CONTROLLER PROCESSES PERSONAL DATA IN ACCORDANCE WITH
AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER SHALL DEMONSTRATE
THAT THE PROCESSING:

 (1) QUALIFIES FOR AN EXEMPTION; AND

 (2) COMPLIES WITH THE REQUIREMENTS OF SUBSECTION (G) OF THIS
SECTION.
 
 (G) PERSONAL DATA PROCESSED BY A CONTROLLER IN ACCORDANCE WITH
THIS SECTION:

 (1) SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE,
TECHNICAL, AND PHYSICAL MEASURES TO:

 (I) PROTECT THE CONFIDENTIALITY, INTEGRITY, AND
ACCESSIBILITY OF THE PERSONAL DATA; AND

 (II) REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO
CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL
DATA; AND

 (2) MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS:

 (I) REASONABLY NECESSARY AND PROPORTIONATE TO THE
PURPOSES LISTED IN THIS SECTION; AND

 (II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS
NECESSARY IN RELATION TO THE SPECIFIC PURPOSES LISTED IN THIS SECTION.

 (H) A PERSON THAT PROCESSES PERSONAL DATA FOR A PURPOSE
EXPRESSLY IDENTIFIED IN THIS SECTION MAY NOT BE CONSIDERED A CONTROLLER
SOLELY BASED ON THE PROCESSING OF PERSONAL DATA.
 
14–4613.

 (A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION, A
VIOLATION OF THIS SUBTITLE IS:

 (1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE PRACTICE WITHIN
THE MEANING OF TITLE 13 OF THIS ARTICLE; AND

 (2) SUBJECT TO THE ENFORCEMENT AND PENALTY PROVISIONS
CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE.

 (B) THIS SECTION DOES NOT PREVENT A CONSUMER FROM PURSUING ANY
OTHER REMEDY PROVIDED BY LAW.
 
 SECTION 2. AND BE IT FURTHER ENACTED, That § 14–4612 of the Commercial
Law Article, as enacted by Section 1 of this Act, shall be construed to apply only
prospectively and may not be applied or interpreted to have any effect on or application to
any personal data processing activities before April 1, 2025.

 SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect
October 1, 2024.