EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law. Underlining indicates amendments to bill. Strike out indicates matter stricken from the bill by amendment or deleted from the law by amendment.

SENATE BILL 541
I3 4lr1200
CF HB 567

By: Senators Gile, Hester, Augustine, Feldman, Beidle, and Ellis
Introduced and read first time: January 24, 2024
Assigned to: Finance
Committee Report: Favorable with amendments
Senate action: Adopted
Read second time: February 26, 2024

CHAPTER ______

AN ACT concerning

Maryland Online Data Privacy Act of 2024

FOR the purpose of regulating the manner in which a controller or a processor in possession of a consumer’s personal data may process the consumer’s personal data; authorizing a consumer to exercise certain rights in regards to the consumer’s personal data; requiring a controller of personal data to establish a method for a consumer to exercise certain rights in regards to the consumer’s personal data; requiring a controller to comply with a request by a consumer to exercise a certain right in a certain manner, except under certain circumstances; authorizing a consumer to designate an authorized agent to act on the consumer’s behalf to opt out of the processing of the consumer’s personal data; requiring a controller to provide a consumer with a certain privacy notice; requiring a controller that uses a processor to process the personal data of consumers to enter into a contract with the processor that governs the processor’s data processing procedures; requiring a controller to conduct and document a data protection assessment for consumer data processing activities that present a heightened risk of harm to a consumer; making a violation of this Act an unfair, abusive, or deceptive trade practice that is subject to enforcement and penalties under the Maryland Consumer Protection Act; and generally relating to
online data privacy.

BY repealing and reenacting, with amendments,
Article – Commercial Law
Section 13–301(14)(xl)
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)

BY repealing and reenacting, without amendments,
Article – Commercial Law
Section 13–301(14)(xli)
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)

BY adding to
Article – Commercial Law
Section 13–301(14)(xlii); and 14–4601 through 14–4613 14–4614 to be under the new subtitle “Subtitle 46. Online Data Privacy Act”
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Commercial Law

13–301.

Unfair, abusive, or deceptive trade practices include any:

(14) Violation of a provision of:

(xl) Title 14, Subtitle 13 of the Public Safety Article; [or]

(xli) Title 14, Subtitle 45 of this article; or

(XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR

SUBTITLE 46. ONLINE DATA PRIVACY ACT.

14–4601.

(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.

(B) “AFFILIATE” MEANS A PERSON THAT, DIRECTLY OR INDIRECTLY THROUGH ONE OR MORE INTERMEDIARIES, CONTROLS, IS CONTROLLED BY, OR IS UNDER COMMON CONTROL WITH ANOTHER PERSON, SUCH THAT THE PERSON:

(1) SHARES COMMON BRANDING WITH ANOTHER PERSON; OR

(2) CONTROLS, IS CONTROLLED BY, OR IS UNDER COMMON CONTROL WITH ANOTHER PERSON.
(1) OWNS OR HAS THE POWER TO VOTE MORE THAN 50% OF THE OUTSTANDING SHARES OF ANY VOTING CLASS OF THE OTHER PERSON’S SECURITIES;

(2) HAS THE POWER TO ELECT OR INFLUENCE THE ELECTION OF A MAJORITY OF THE DIRECTORS, MEMBERS, OR MANAGERS OF THE OTHER PERSON;

(3) HAS THE POWER TO DIRECT THE MANAGEMENT OF THE OTHER PERSON; OR

(4) IS SUBJECT TO THE OTHER PERSON’S EXERCISE OF THE POWERS DESCRIBED IN ITEM (1), (2), OR (3) OF THIS SUBSECTION.

(C) “AUTHENTICATE” MEANS TO USE REASONABLE MEANS TO DETERMINE THAT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH § 14–4605 OF THIS SUBTITLE IS BEING MADE BY, OR ON BEHALF OF, A CONSUMER WHO IS ENTITLED TO EXERCISE THE CONSUMER RIGHT WITH RESPECT TO THE PERSONAL DATA AT ISSUE.

(D) (1) “BIOMETRIC DATA” MEANS DATA GENERATED BY AUTOMATIC MEASUREMENTS OF THE BIOLOGICAL CHARACTERISTICS OF A CONSUMER THAT CAN BE USED TO UNIQUELY AUTHENTICATE A CONSUMER’S IDENTITY.

(2) “BIOMETRIC DATA” INCLUDES:

(I) A FINGERPRINT;

(II) A VOICE PRINT;

(III) AN EYE RETINA OR IRIS IMAGE; AND

(IV) ANY OTHER UNIQUE BIOLOGICAL CHARACTERISTICS THAT CAN BE ARE USED TO UNIQUELY AUTHENTICATE A CONSUMER’S IDENTITY.

(3) “BIOMETRIC DATA” DOES NOT INCLUDE:

(I) A DIGITAL OR PHYSICAL PHOTOGRAPH;

(II) AN AUDIO OR VIDEO RECORDING; OR

(III) ANY DATA GENERATED FROM A DIGITAL OR PHYSICAL PHOTOGRAPH OR AN AUDIO OR VIDEO RECORDING, UNLESS THE DATA IS GENERATED TO IDENTIFY A SPECIFIC CONSUMER.

(E) “BUSINESS ASSOCIATE” HAS THE MEANING STATED IN HIPAA.

(F) “CHILD” HAS THE MEANING STATED IN COPPA.

(G) (1) “CONSENT” MEANS A CLEAR AFFIRMATIVE ACT SIGNIFYING A CONSUMER’S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS AGREEMENT TO ALLOW THE PROCESSING OF PERSONAL DATA RELATING TO THE CONSUMER FOR A PARTICULAR PURPOSE.
(2) “CONSENT” INCLUDES:

(I) A WRITTEN STATEMENT;

(II) A WRITTEN STATEMENT BY ELECTRONIC MEANS; OR

(III) ANY OTHER UNAMBIGUOUS AFFIRMATIVE ACTION.

(3) “CONSENT” DOES NOT INCLUDE:

(I) ACCEPTANCE OF A GENERAL OR BROAD TERMS OF USE OR SIMILAR DOCUMENT THAT CONTAINS DESCRIPTIONS OF PERSONAL DATA PROCESSING ALONG WITH OTHER UNRELATED INFORMATION;

(II) HOVERING OVER, MUTING, PAUSING, OR CLOSING A PIECE OF CONTENT; OR

(III) AGREEMENT OBTAINED THROUGH THE USE OF DARK PATTERNS.

(H) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE STATE.

(2) “CONSUMER” DOES NOT INCLUDE:

(I) AN INDIVIDUAL ACTING IN A COMMERCIAL OR EMPLOYMENT CONTEXT; OR

(II) AN INDIVIDUAL ACTING AS AN EMPLOYEE, AN OWNER, A DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, A PARTNERSHIP, A SOLE PROPRIETORSHIP, A NONPROFIT ORGANIZATION, OR A GOVERNMENTAL UNIT WHOSE COMMUNICATIONS OR TRANSACTIONS WITH A CONTROLLER OCCUR ONLY WITHIN THE CONTEXT OF THE INDIVIDUAL’S ROLE WITH THE COMPANY, PARTNERSHIP, SOLE PROPRIETORSHIP, NONPROFIT ORGANIZATION, OR GOVERNMENTAL UNIT.

(I) (1) “CONSUMER HEALTH DATA” MEANS PERSONAL DATA THAT A CONTROLLER USES TO IDENTIFY A CONSUMER’S PHYSICAL OR MENTAL HEALTH STATUS.

(2) “CONSUMER HEALTH DATA” INCLUDES DATA RELATED TO:

(I) GENDER–AFFIRMING CARE TREATMENT; OR

(II) REPRODUCTIVE OR SEXUAL HEALTH CARE.

(J) “CONTROL” MEANS:

(1) OWNERSHIP OF OR THE POWER TO VOTE MORE THAN 50% OF THE OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF A BUSINESS;

(2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERCISING SIMILAR FUNCTIONS; OR

(3) THE POWER TO EXERCISE A CONTROLLING INFLUENCE OVER THE MANAGEMENT OF A BUSINESS.

(K) “CONTROLLER” MEANS A PERSON THAT, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSE AND MEANS OF PROCESSING PERSONAL DATA.
(L) (1) “COPPA” MEANS THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998 AND THE REGULATIONS, RULES, GUIDANCE, AND EXEMPTIONS ADOPTED UNDER THE ACT, AND AS THE ACT AND THE REGULATIONS, RULES, GUIDANCE, AND EXEMPTIONS MAY BE AMENDED.

(2) “COPPA” INCLUDES REGULATIONS ADOPTED UNDER THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998.

(M) “COVERED ENTITY” HAS THE MEANING STATED IN HIPAA.

(N) (1) “DARK PATTERN” MEANS A USER INTERFACE DESIGNED OR MANIPULATED WITH THE SUBSTANTIAL EFFECT OF SUBVERTING USER AUTONOMY, DECISION MAKING, OR CHOICE.

(2) “DARK PATTERN” INCLUDES ANY PRACTICE THE FEDERAL TRADE COMMISSION REFERS TO AS A “DARK PATTERN”.

(O) “DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING THE CONSUMER” MEANS DECISIONS THAT RESULT IN THE PROVISION OR DENIAL OF:

(1) FINANCIAL OR LENDING SERVICES;

(2) HOUSING;

(3) INSURANCE;

(4) (3) EDUCATION ENROLLMENT OR OPPORTUNITY;

(5) (4) CRIMINAL JUSTICE;

(6) (5) EMPLOYMENT OPPORTUNITIES;

(7) (6) HEALTH CARE SERVICES; OR

(8) (7) ACCESS TO ESSENTIAL GOODS OR SERVICES.

(P) “DE–IDENTIFIED DATA” MEANS DATA THAT CANNOT REASONABLY BE USED TO INFER INFORMATION ABOUT OR OTHERWISE BE LINKED TO AN IDENTIFIED OR IDENTIFIABLE CONSUMER, OR A DEVICE THAT MAY BE LINKED TO AN IDENTIFIED OR IDENTIFIABLE CONSUMER, IF THE CONTROLLER THAT POSSESSES THAT INFORMATION:

(1) TAKES REASONABLE MEASURES TO ENSURE THAT THE INFORMATION CANNOT BE LINKED WITH A CONSUMER;

(2) COMMITS IN PUBLICLY AVAILABLE TERMS AND CONDITIONS OR IN A PUBLICLY AVAILABLE PRIVACY POLICY TO MAINTAIN AND USE THE INFORMATION IN DE–IDENTIFIED FORM; AND

(3) CONTRACTUALLY OBLIGES ANY RECIPIENTS OF THE INFORMATION TO COMPLY WITH ALL PROVISIONS OF THIS SUBSECTION HAS THE MEANING STATED IN § 14–4401 OF THIS TITLE.
(Q) “GENDER–AFFIRMING TREATMENT” HAS THE MEANING STATED IN § 15–151(A) OF THE HEALTH – GENERAL ARTICLE.

(Q) (R) (1) “GENETIC DATA” MEANS DATA IN ANY FORMAT THAT CONCERNS THE GENETIC CHARACTERISTICS OF A CONSUMER.

(2) “GENETIC DATA” INCLUDES:

(I) RAW SEQUENCE DATA THAT RESULTS FROM SEQUENCING OF A CONSUMER’S COMPLETE EXTRACTED DNA OR A PORTION OF THE CONSUMER’S COMPLETE EXTRACTED DNA;

(II) GENOTYPIC AND PHENOTYPIC INFORMATION THAT RESULTS FROM ANALYZING RAW SEQUENCE DATA;

(III) INFORMATION EXTRAPOLATED, DERIVED, OR INFERRED FROM THE ANALYSIS OF RAW SEQUENCE DATA; AND

(IV) SELF–REPORTED HEALTH INFORMATION SUBMITTED TO A DIRECT–TO–CONSUMER GENETIC TESTING COMPANY BY A CONSUMER REGARDING THE CONSUMER’S HEALTH CONDITIONS:

1. THAT IS USED FOR SCIENTIFIC RESEARCH OR PRODUCT DEVELOPMENT; AND

2. ANALYZED IN CONNECTION WITH THE CONSUMER’S RAW SEQUENCE DATA HAS THE MEANING STATED IN § 14–4401 OF THIS TITLE.

(R) (S) (1) “GEOFENCE” MEANS TECHNOLOGY THAT ESTABLISHES A VIRTUAL GEOGRAPHICAL BOUNDARY.

(2) “GEOFENCE” INCLUDES BOUNDARIES THAT ARE ESTABLISHED OR MONITORED THROUGH THE USE OF:

(I) GLOBAL POSITIONING TECHNOLOGY;

(II) CELL TOWER CONNECTIVITY;

(III) CELLULAR DATA;

(IV) RADIO FREQUENCY IDENTIFICATION;

(V) WIRELESS FIDELITY TECHNOLOGY; OR

(VI) ANY OTHER FORM OF LOCATION DETERMINATION TECHNOLOGY.

(S) (T) “HIPAA” MEANS THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.

(T) (U) “IDENTIFIED OR IDENTIFIABLE CONSUMER” MEANS A CONSUMER WHO CAN READILY BE IDENTIFIED, EITHER DIRECTLY OR INDIRECTLY.

(U) (V) “MENTAL HEALTH FACILITY” MEANS A HEALTH CARE FACILITY IN WHICH NOT LESS THAN 70% OF HEALTH CARE SERVICES OFFERED ARE MENTAL HEALTH SERVICES.

(V) (W) (1) “PERSONAL DATA” MEANS ANY INFORMATION THAT IS LINKED OR CAN BE REASONABLY LINKED TO AN IDENTIFIED OR IDENTIFIABLE CONSUMER.
(2) “PERSONAL DATA” DOES NOT INCLUDE:

(I) DE–IDENTIFIED DATA; OR

(II) PUBLICLY AVAILABLE INFORMATION.

(W) (X) (1) “PRECISE GEOLOCATION DATA” MEANS INFORMATION DERIVED FROM TECHNOLOGY THAT CAN PRECISELY AND ACCURATELY IDENTIFY THE SPECIFIC LOCATION OF A CONSUMER WITHIN A RADIUS OF 1,750 FEET.

(2) “PRECISE GEOLOCATION DATA” INCLUDES GLOBAL POSITIONING SYSTEM LEVEL LATITUDE AND LONGITUDE COORDINATES OR OTHER SIMILAR MECHANISMS.

(3) “PRECISE GEOLOCATION DATA” DOES NOT INCLUDE:

(I) THE CONTENT OF COMMUNICATIONS DATA;

(II) DATA GENERATED BY OR CONNECTED TO AN ADVANCED UTILITY METERING INFRASTRUCTURE SYSTEM; OR

(II) (III) EQUIPMENT DATA GENERATED BY EQUIPMENT USED BY A UTILITY COMPANY.

(X) (Y) (1) “PROCESS” MEANS AN OPERATION OR SET OF OPERATIONS PERFORMED BY MANUAL OR AUTOMATED MEANS ON PERSONAL DATA.

(2) “PROCESS” INCLUDES COLLECTING, USING, STORING, DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONAL DATA.

(Y) (Z) “PROCESSOR” MEANS A PERSON THAT PROCESSES PERSONAL DATA ON BEHALF OF A CONTROLLER.

(Z) (AA) “PROFILING” MEANS ANY FORM OF AUTOMATED PROCESSING PERFORMED ON PERSONAL DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS RELATED TO AN IDENTIFIED OR IDENTIFIABLE CONSUMER’S ECONOMIC SITUATION, HEALTH, DEMOGRAPHIC CHARACTERISTICS, PERSONAL PREFERENCES, INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS.

(AA) (BB) “PROTECTED HEALTH INFORMATION” HAS THE MEANING STATED IN HIPAA.

(BB) (CC) (1) “PUBLICLY AVAILABLE INFORMATION” MEANS INFORMATION THAT A PERSON:

(I) IS LAWFULLY MADE READILY AVAILABLE TO THE GENERAL PUBLIC THROUGH FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS; OR

(II) A CONTROLLER HAS A REASONABLE BASIS TO BELIEVE THAT A CONSUMER HAS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC THROUGH WIDELY DISTRIBUTED MEDIA.
(I) LAWFULLY OBTAINS FROM A RECORD OF A GOVERNMENTAL ENTITY;

(II) REASONABLY BELIEVES A CONSUMER OR WIDELY DISTRIBUTED MEDIA HAVE LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC; OR

(III) IF THE CONSUMER HAS NOT RESTRICTED THE INFORMATION TO A SPECIFIC AUDIENCE, OBTAINS FROM A PERSON TO WHOM THE CONSUMER DISCLOSED THE INFORMATION.

(2) “PUBLICLY AVAILABLE INFORMATION” DOES NOT INCLUDE BIOMETRIC DATA COLLECTED BY A BUSINESS ABOUT A CONSUMER WITHOUT THE CONSUMER’S KNOWLEDGE.

(CC) (DD) (1) “REPRODUCTIVE OR SEXUAL HEALTH CARE” MEANS CARE RELATED TO A HEALTH CARE–RELATED SERVICE OR PRODUCT RENDERED OR PROVIDED CONCERNING A CONSUMER’S REPRODUCTIVE SYSTEM OR SEXUAL WELL–BEING., INCLUDING:

(2) “REPRODUCTIVE OR SEXUAL HEALTH CARE” INCLUDES:

(I) (1) A SERVICE OR PRODUCT PROVIDED RELATED TO AN INDIVIDUAL HEALTH CONDITION, STATUS, DISEASE, DIAGNOSIS, TEST, OR TREATMENT;

(II) (2) A SOCIAL, PSYCHOLOGICAL, BEHAVIORAL, OR MEDICAL INTERVENTION;

(III) (3) A SURGERY OR PROCEDURE;

(IV) (4) THE PURCHASE OR USE OF A MEDICATION, INCLUDING A MEDICATION PURCHASED OR USED FOR THE PURPOSES OF AN ABORTION;

(V) (5) A SERVICE OR PRODUCT RELATED TO A BODILY FUNCTION, VITAL SIGN, OR MEASUREMENT THEREOF SYMPTOM;

(6) A MEASUREMENT OF A BODILY FUNCTION, VITAL SIGN, OR SYMPTOM; AND

(VI) (7) AN ABORTION, WHETHER SURGICAL OR MEDICAL; AND

(VII) A SERVICE RELATED TO AN ABORTION AND MEDICAL AND NONMEDICAL SERVICES, PRODUCTS, DIAGNOSTICS, COUNSELING, AND FOLLOW–UP SERVICES FOR AN ABORTION.

(DD) (EE) “REPRODUCTIVE OR SEXUAL HEALTH CARE FACILITY” MEANS A HEALTH CARE FACILITY WHERE NOT LESS THAN 70% OF SERVICES OFFERED ARE REPRODUCTIVE OR SEXUAL HEALTH CARE SERVICES.
(EE) (FF) (1) “SALE OF PERSONAL DATA” MEANS THE EXCHANGE OF PERSONAL DATA BY A CONTROLLER, A PROCESSOR, OR AN AFFILIATE OF A CONTROLLER OR PROCESSER TO A THIRD PARTY FOR MONETARY OR OTHER VALUABLE CONSIDERATION.

(2) “SALE OF PERSONAL DATA” DOES NOT INCLUDE:

(I) THE DISCLOSURE OF PERSONAL DATA TO A PROCESSOR THAT PROCESSES PERSONAL DATA ON BEHALF OF A CONTROLLER IF LIMITED TO THE PURPOSES OF THE PROCESSING;

(II) THE DISCLOSURE OF PERSONAL DATA TO A THIRD PARTY FOR PURPOSES OF PROVIDING A PRODUCT OR SERVICE AFFIRMATIVELY REQUESTED BY THE CONSUMER;

(III) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO AN AFFILIATE OF THE CONTROLLER FOR THE PURPOSE OF PROVIDING A PRODUCT OR SERVICE AFFIRMATIVELY REQUESTED BY THE CONSUMER;

(IV) THE DISCLOSURE OF PERSONAL DATA WHERE THE CONSUMER:

1. DIRECTS THE CONTROLLER TO DISCLOSE THE PERSONAL DATA; OR

2. INTENTIONALLY USES THE CONTROLLER TO INTERACT WITH A THIRD PARTY;

(V) THE DISCLOSURE OF PERSONAL DATA THAT THE CONSUMER:

1. INTENTIONALLY MADE AVAILABLE TO THE GENERAL PUBLIC THROUGH A CHANNEL OF MASS MEDIA; AND

2. DID NOT RESTRICT TO A SPECIFIC AUDIENCE; OR

(VI) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO A THIRD PARTY AS AN ASSET THAT IS PART OF AN ACTUAL OR PROPOSED MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION WHERE THE THIRD PARTY ASSUMES CONTROL OF ALL OR PART OF THE CONTROLLER’S ASSETS.
(FF) (GG) “SENSITIVE DATA” MEANS PERSONAL DATA THAT INCLUDES:

(1) DATA REVEALING:

(I) RACIAL OR ETHNIC ORIGIN;

(II) RELIGIOUS BELIEFS;

(III) CONSUMER HEALTH DATA;

(IV) SEX LIFE;

(V) SEXUAL ORIENTATION;

(VI) STATUS AS TRANSGENDER OR NONBINARY;

(VII) NATIONAL ORIGIN; OR

(VIII) CITIZENSHIP OR IMMIGRATION STATUS;

(2) GENETIC DATA OR BIOMETRIC DATA;

(3) PERSONAL DATA OF A CONSUMER THAT THE CONTROLLER KNOWS OR HAS REASON TO KNOW IS A CHILD; OR

(4) PRECISE GEOLOCATION DATA.

(GG) (HH) (1) “TARGETED ADVERTISING” MEANS DISPLAYING ADVERTISEMENTS TO A CONSUMER OR ON A DEVICE IDENTIFIED BY A UNIQUE IDENTIFIER, WHERE THE ADVERTISEMENT IS SELECTED BASED ON PERSONAL DATA OBTAINED OR INFERRED FROM THE CONSUMER’S ACTIVITIES OVER TIME AND ACROSS NONAFFILIATED WEBSITES OR ONLINE APPLICATIONS THAT ARE UNAFFILIATED WITH EACH OTHER, IN ORDER TO PREDICT THE CONSUMER’S PREFERENCES OR INTERESTS.

(2) “TARGETED ADVERTISING” DOES NOT INCLUDE:

(I) ADVERTISEMENTS BASED ON THE CONTEXT IN WHICH THE ADVERTISEMENT APPEARS AND DOES NOT VARY BASED ON WHO IS VIEWING THE ADVERTISEMENT OF A CONSUMER’S CURRENT SEARCH QUERY, VISIT TO A WEBSITE, OR ONLINE APPLICATION;

(II) ADVERTISEMENTS BASED ON A CONSUMER’S ACTIVITIES WITHIN A CONTROLLER’S WEBSITES OR ONLINE APPLICATIONS;

(III) ADVERTISEMENTS DIRECTED TO A CONSUMER IN RESPONSE TO THE CONSUMER’S REQUEST FOR INFORMATION OR FEEDBACK; OR

(IV) PROCESSING PERSONAL DATA SOLELY TO MEASURE OR REPORT ADVERTISING FREQUENCY, PERFORMANCE, OR REACH.

(HH) (II) “THIRD PARTY” MEANS A PERSON OTHER THAN THE RELEVANT CONSUMER, CONTROLLER, PROCESSOR, OR AFFILIATE OF THE CONTROLLER OR PROCESSOR OF RELEVANT PERSONAL DATA.
(II) (JJ) (1) “TRADE SECRET” MEANS INFORMATION THAT:

(I) DERIVES INDEPENDENT ECONOMIC VALUE, ACTUAL OR POTENTIAL, FROM NOT BEING GENERALLY KNOWN TO, AND NOT BEING READILY ASCERTAINABLE BY PROPER MEANS BY, OTHER PERSONS WHO COULD OBTAIN ECONOMIC VALUE FROM THE INFORMATION’S DISCLOSURE OR USE; AND

(II) IS THE SUBJECT OF EFFORTS THAT ARE REASONABLE UNDER THE CIRCUMSTANCES TO MAINTAIN THE SECRECY OF THE INFORMATION.

(2) “TRADE SECRET” INCLUDES A FORMULA, PATTERN, COMPILATION, PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS HAS THE MEANING STATED IN § 11–1201 OF THIS ARTICLE.

14–4602.

THIS SUBTITLE APPLIES TO A PERSON THAT:

(1) (I) CONDUCTS BUSINESS IN THE STATE; OR

(2) (I) (II) PRODUCES PROVIDES SERVICES OR PRODUCTS THAT ARE TARGETED TO RESIDENTS OF THE STATE; AND

(II) (2) DURING THE IMMEDIATELY PRECEDING CALENDAR YEAR:

1. (I) CONTROLLED OR PROCESSED THE PERSONAL DATA OF AT LEAST 35,000 CONSUMERS, EXCLUDING PERSONAL DATA CONTROLLED OR PROCESSED SOLELY FOR THE PURPOSE OF COMPLETING A PAYMENT TRANSACTION; OR

2. (II) CONTROLLED OR PROCESSED THE PERSONAL DATA OF AT LEAST 10,000 CONSUMERS AND DERIVED MORE THAN 20% OF ITS GROSS REVENUE FROM THE SALE OF PERSONAL DATA.

14–4603.
(A) THIS SUBTITLE DOES NOT APPLY TO:

(1) A REGULATORY, ADMINISTRATIVE, ADVISORY, EXECUTIVE, APPOINTIVE, LEGISLATIVE, OR JUDICIAL BODY OR INSTRUMENTALITY OF THE STATE, INCLUDING A BOARD, BUREAU, COMMISSION, OR UNIT OF THE STATE OR A POLITICAL SUBDIVISION OF THE STATE;

(2) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED UNDER § 15 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934 OR A REGISTERED FUTURES ASSOCIATION DESIGNATED IN ACCORDANCE WITH § 17 OF THE FEDERAL COMMODITY EXCHANGE ACT; OR

(3) A FINANCIAL INSTITUTION OR, AN AFFILIATE OF A FINANCIAL INSTITUTION, OR DATA THAT IS SUBJECT TO TITLE V OF THE FEDERAL GRAMM–LEACH–BLILEY ACT AND REGULATIONS ADOPTED UNDER THAT ACT; OR

(4) A NONPROFIT CONTROLLER THAT PROCESSES OR SHARES PERSONAL DATA SOLELY FOR THE PURPOSES OF ASSISTING:

(I) LAW ENFORCEMENT AGENCIES IN INVESTIGATING CRIMINAL OR FRAUDULENT ACTS RELATING TO INSURANCE; OR

(II) FIRST RESPONDERS IN RESPONDING TO CATASTROPHIC EVENTS.

(B) THE FOLLOWING INFORMATION AND DATA ARE EXEMPT FROM THIS SUBTITLE:

(1) PROTECTED HEALTH INFORMATION UNDER HIPAA;

(2) PATIENT–IDENTIFYING INFORMATION FOR PURPOSES OF 42 U.S.C. § 290DD–2;

(3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR PURPOSES OF THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS IN ACCORDANCE WITH 45 C.F.R. § 46;

(4) IDENTIFIABLE PRIVATE INFORMATION TO THE EXTENT THAT IT IS COLLECTED AND USED AS PART OF HUMAN SUBJECTS RESEARCH IN ACCORDANCE WITH THE ICH 36 GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS FOR PHARMACEUTICALS FOR HUMAN USE OR THE PROTECTION OF HUMAN SUBJECTS UNDER 21 C.F.R. §§ 50 AND 56;

(5) PATIENT SAFETY WORK PRODUCT THAT IS CREATED AND USED FOR PURPOSES OF PATIENT SAFETY IMPROVEMENT IN ACCORDANCE WITH 42 C.F.R. § 3, ESTABLISHED IN ACCORDANCE WITH 42 U.S.C.
§§ 299B–21 THROUGH 299B–26;

(6) (I) INFORMATION TO THE EXTENT IT IS USED FOR PUBLIC HEALTH, COMMUNITY HEALTH, OR POPULATION HEALTH ACTIVITIES AND PURPOSES, AS AUTHORIZED BY HIPAA, WHEN PROVIDED BY OR TO A COVERED ENTITY OR WHEN PROVIDED BY OR TO A BUSINESS ASSOCIATE IN ACCORDANCE WITH THE BUSINESS ASSOCIATE AGREEMENT WITH A COVERED ENTITY;

(II) INFORMATION THAT IS A MEDICAL RECORD UNDER § 4–301 OF THE HEALTH – GENERAL ARTICLE IF:

1. THE INFORMATION IS HELD BY AN ENTITY THAT IS A COVERED ENTITY OR BUSINESS ASSOCIATE UNDER HIPAA BECAUSE IT COLLECTS, USES, OR DISCLOSES PROTECTED HEALTH INFORMATION; AND

2. THE ENTITY APPLIES THE SAME STANDARDS FOR THE COLLECTION, USE, AND DISCLOSURE OF THE INFORMATION AS REQUIRED FOR PROTECTED HEALTH INFORMATION UNDER HIPAA AND MEDICAL RECORDS UNDER § 4–301 OF THE HEALTH – GENERAL ARTICLE, INCLUDING SPECIFIC STANDARDS REGARDING LEGALLY PROTECTED HEALTH CARE; AND

(III) INFORMATION THAT IS DE–IDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DE–IDENTIFICATION SET FORTH IN 45 C.F.R. 164.514 THAT IS DERIVED FROM INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION AS DESCRIBED IN HIPAA OR PERSONAL INFORMATION CONSISTENT WITH THE HUMAN SUBJECT PROTECTION REQUIREMENTS OF THE U.S.
FOOD AND DRUG ADMINISTRATION;

(7) THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION, OR USE OF PERSONAL INFORMATION BEARING ON A CONSUMER’S CREDITWORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING BY A CONSUMER REPORTING AGENCY, FURNISHER, OR USER THAT PROVIDES INFORMATION FOR USE IN A CONSUMER REPORT, AND BY A USER OF A CONSUMER REPORT, BUT ONLY TO THE EXTENT THAT THE ACTIVITY IS REGULATED BY AND AUTHORIZED UNDER THE FEDERAL FAIR CREDIT REPORTING ACT;

(8) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED IN COMPLIANCE WITH THE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994;

(9) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT;

(10) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED IN COMPLIANCE WITH THE FEDERAL FARM CREDIT ACT;

(11) DATA PROCESSED OR MAINTAINED:

(I) IN THE COURSE OF AN INDIVIDUAL APPLYING TO, EMPLOYED BY, OR ACTING AS AN AGENT OR INDEPENDENT CONTRACTOR OF A CONTROLLER, PROCESSOR, OR THIRD PARTY, TO THE EXTENT THAT THE DATA IS COLLECTED AND USED WITHIN THE CONTEXT OF THE ROLE;

(II) AS THE EMERGENCY CONTACT INFORMATION OF A CONSUMER IF THE DATA IS USED FOR EMERGENCY CONTACT PURPOSES; OR

(III) THAT IS:

1. NECESSARY TO RETAIN TO ADMINISTER BENEFITS FOR ANOTHER INDIVIDUAL RELATING TO THE CONSUMER WHO IS THE SUBJECT OF THE INFORMATION UNDER ITEM (I) OF THIS ITEM; AND

2.
USED FOR THE PURPOSES OF ADMINISTERING THE BENEFITS; AND

(12) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED IN RELATION TO PRICE, ROUTE, OR SERVICE BY AN AIR CARRIER SUBJECT TO THE FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THIS SUBTITLE IS PREEMPTED BY THE FEDERAL AIRLINE DEREGULATION ACT; AND

(13) PERSONAL DATA TO THE EXTENT IT IS COLLECTED FOR, PROVIDED TO, OR USED BY A PERSON REGULATED UNDER THE INSURANCE ARTICLE OR AN AFFILIATE OF SUCH A PERSON, IN FURTHERANCE OF THE BUSINESS OF INSURANCE.

(C) CONTROLLERS AND PROCESSORS THAT COMPLY WITH THE VERIFIABLE PARENTAL CONSENT REQUIREMENTS OF COPPA SHALL BE CONSIDERED COMPLIANT WITH AN OBLIGATION TO OBTAIN PARENTAL CONSENT IN ACCORDANCE WITH THIS SUBTITLE WITH RESPECT TO A CONSUMER WHO IS A CHILD.

14–4604.

A PERSON MAY NOT:

(1) PROVIDE AN EMPLOYEE OR A CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS THE:

(I) THE EMPLOYEE OR CONTRACTOR IS SUBJECT TO A CONTRACTUAL OR STATUTORY DUTY OF CONFIDENTIALITY; OR

(II) CONFIDENTIALITY IS REQUIRED AS A CONDITION OF EMPLOYMENT OF THE EMPLOYEE;

(2) PROVIDE A PROCESSOR ACCESS TO CONSUMER HEALTH DATA UNLESS THE PERSON PROVIDING ACCESS TO THE CONSUMER HEALTH DATA AND THE PROCESSOR COMPLY WITH § 14–4607 14–4608 OF THIS SUBTITLE; OR

(3) USE A GEOFENCE:

(I) TO IDENTIFY, TRACK, COLLECT DATA FROM, OR SEND A NOTIFICATION TO A CONSUMER REGARDING THE CONSUMER’S CONSUMER HEALTH DATA; AND

(II) WITHIN 1,750 FEET OF A MENTAL HEALTH FACILITY OR REPRODUCTIVE OR SEXUAL HEALTH FACILITY; OR

(4) SELL OR OFFER TO SELL CONSUMER HEALTH DATA WITHOUT THE CONSENT OF THE CONSUMER WHOSE HEALTH DATA IS TO BE SOLD OR OFFERED TO BE SOLD TO ESTABLISH A VIRTUAL BOUNDARY THAT IS WITHIN 1,750 FEET OF ANY MENTAL HEALTH FACILITY OR REPRODUCTIVE OR SEXUAL HEALTH FACILITY FOR THE PURPOSE OF IDENTIFYING, TRACKING, OR COLLECTING DATA FROM OR SENDING ANY
NOTIFICATION TO A CONSUMER REGARDING THE CONSUMER’S CONSUMER HEALTH DATA.

14–4605.

(A) NOTHING IN THIS SECTION MAY BE CONSTRUED TO REQUIRE A CONTROLLER TO REVEAL A TRADE SECRET.

(B) A CONSUMER SHALL HAVE THE RIGHT TO:

(1) CONFIRM WHETHER A CONTROLLER IS PROCESSING THE CONSUMER’S PERSONAL DATA, UNLESS THAT CONFIRMATION WOULD REQUIRE THE DISCLOSURE OF A TRADE SECRET;

(2) IF A CONTROLLER IS PROCESSING A CONSUMER’S PERSONAL DATA, ACCESS THE CONSUMER’S PERSONAL DATA UNLESS THAT ACCESS WOULD REQUIRE THE DISCLOSURE OF A TRADE SECRET;

(3) CONSIDERING THE NATURE OF THE CONSUMER’S PERSONAL DATA AND THE PURPOSES OF THE PROCESSING OF THE PERSONAL DATA, CORRECT INACCURACIES IN THE CONSUMER’S PERSONAL DATA;

(4) REQUIRE A CONTROLLER TO DELETE PERSONAL DATA PROVIDED BY, OR OBTAINED ABOUT, THE CONSUMER UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW;

(5) IF THE PROCESSING OF PERSONAL DATA IS DONE BY AUTOMATIC MEANS, OBTAIN A COPY OF THE CONSUMER’S PERSONAL DATA PROCESSED BY THE CONTROLLER IN A PORTABLE AND, TO THE EXTENT TECHNICALLY FEASIBLE, READILY USABLE FORMAT THAT ALLOWS THE CONSUMER TO EASILY TRANSMIT THE DATA TO ANOTHER CONTROLLER WITHOUT HINDRANCE;

(6) OBTAIN A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED THE CONSUMER’S PERSONAL DATA OR A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED ANY CONSUMER’S PERSONAL DATA IF THE CONTROLLER DOES NOT MAINTAIN THIS INFORMATION IN A FORMAT SPECIFIC TO THE CONSUMER; AND

(7) OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF:

(I) TARGETED ADVERTISING;

(II) THE SALE OF PERSONAL DATA; OR

(III) PROFILING IN FURTHERANCE OF SOLELY AUTOMATED DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING THE CONSUMER.
(C) (1) A CONTROLLER SHALL ESTABLISH A SECURE AND RELIABLE METHOD FOR A CONSUMER TO EXERCISE A CONSUMER RIGHT UNDER THIS SECTION.

(2) A CONSUMER MAY EXERCISE A CONSUMER RIGHT UNDER THIS SECTION BY THE METHOD ESTABLISHED BY THE CONTROLLER UNDER PARAGRAPH (1) OF THIS SUBSECTION.

(D) (1) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT IN ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA UNDER SUBSECTION (B)(7) OF THIS SECTION ON BEHALF OF A CONSUMER.

(2) A PARENT OR LEGAL GUARDIAN OF A CHILD MAY EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CHILD’S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA.

(3) A GUARDIAN OR CONSERVATOR OF A CONSUMER SUBJECT TO A GUARDIANSHIP, CONSERVATORSHIP, OR OTHER PROTECTIVE ARRANGEMENT MAY EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CONSUMER’S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA.

(E) (1) EXCEPT AS OTHERWISE PROVIDED IN THIS SUBTITLE, A CONTROLLER SHALL COMPLY WITH A REQUEST BY A CONSUMER TO EXERCISE A CONSUMER RIGHT LISTED IN THIS SECTION.

(2) (I) A CONTROLLER SHALL RESPOND TO A CONSUMER REQUEST NOT LATER THAN 45 DAYS AFTER THE CONTROLLER RECEIVES THE CONSUMER REQUEST.

(II) A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF:

1. IT IS REASONABLY NECESSARY TO COMPLETE THE REQUEST BASED ON THE COMPLEXITY AND NUMBER OF THE CONSUMER’S REQUESTS; AND

2. THE CONTROLLER INFORMS THE CONSUMER OF THE EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY RESPONSE PERIOD.

(III) A CONTROLLER SHALL NOTIFY THE CONSUMER WITHIN 30 DAYS AFTER COMPLYING WITH THE CONSUMER’S REQUEST THAT THE CONTROLLER HAS COMPLIED WITH THE CONSUMER’S REQUEST.
(3) IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER’S REQUEST, THE CONTROLLER SHALL:

(I) INFORM THE CONSUMER WITHOUT UNDUE DELAY, BUT NOT LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST, OF THE JUSTIFICATION FOR DECLINING TO ACT; AND

(II) PROVIDE INSTRUCTIONS FOR HOW TO APPEAL THE DECISION.

(4) (I) A CONTROLLER SHALL PROVIDE INFORMATION TO A CONSUMER IN RESPONSE TO A CONSUMER’S REQUEST TO EXERCISE RIGHTS UNDER THIS SUBTITLE FREE OF CHARGE ONCE DURING ANY 12–MONTH PERIOD.

(II) IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY:

1. CHARGE THE CONSUMER A REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING WITH THE REQUEST; OR

2. DECLINE TO ACT ON THE REQUEST.

(III) THE CONTROLLER HAS THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE NATURE OF THE REQUEST.

(5) IF A CONTROLLER IS UNABLE TO AUTHENTICATE A REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5) OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER:

(I) MAY NOT BE REQUIRED TO COMPLY WITH A REQUEST TO INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION; AND

(II) SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST TO EXERCISE THE RIGHT UNTIL THE CONSUMER PROVIDES ADDITIONAL INFORMATION REASONABLY NECESSARY TO AUTHENTICATE THE CONSUMER AND THE CONSUMER’S REQUEST TO EXERCISE THE CONSUMER’S RIGHTS.

(6) A CONTROLLER MAY NOT BE REQUIRED TO AUTHENTICATE AN OPT–OUT REQUEST.
(7) A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER’S REQUEST TO DELETE THE CONSUMER’S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER’S PERSONAL DATA:

(I) REMAINS DELETED FROM THE CONTROLLER’S RECORDS; AND

(II) IS NOT BEING USED FOR ANY OTHER PURPOSE.

(F) (1) A CONTROLLER SHALL ESTABLISH A PROCESS FOR A CONSUMER TO APPEAL THE CONTROLLER’S REFUSAL TO ACT ON A CONSUMER RIGHTS REQUEST WITHIN A REASONABLE PERIOD AFTER THE CONSUMER RECEIVES THE DECISION.

(2) THE APPEAL PROCESS SHALL BE:

(I) CONSPICUOUSLY AVAILABLE; AND

(II) SIMILAR TO THE PROCESS FOR SUBMITTING REQUESTS TO INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION.

(3) NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF THE REASONS FOR THE DECISIONS.

(4) IF A CONTROLLER DENIES AN APPEAL, THE CONTROLLER SHALL PROVIDE THE CONSUMER WITH AN ONLINE MECHANISM, IF AVAILABLE, THROUGH WHICH THE CONSUMER MAY CONTACT THE DIVISION TO SUBMIT A COMPLAINT.

14–4606.

(A) (1) A CONSUMER MAY DESIGNATE AN INDIVIDUAL TO SERVE AS THE CONSUMER’S AUTHORIZED AGENT AND ACT ON THE CONSUMER’S BEHALF TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR ONE OR MORE OF THE PURPOSES SPECIFIED IN § 14–4605(B)(7) OF THIS SUBTITLE.

(2) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT BY AN INTERNET LINK OR A BROWSER SETTING, BROWSER EXTENSION, GLOBAL DEVICE SETTING, OR OTHER SIMILAR TECHNOLOGY, INDICATING A CONSUMER’S INTENT TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA.
(B) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE:

(1) THE IDENTITY OF THE CONSUMER; AND

(2) THE AUTHORIZED AGENT’S AUTHORITY TO ACT ON THE CONSUMER’S BEHALF.

14–4607.

(A) A CONTROLLER MAY NOT:

(1) COLLECT PERSONAL DATA FOR THE SOLE PURPOSE OF CONTENT PERSONALIZATION OR MARKETING WITHOUT THE CONSENT OF THE CONSUMER WHOSE PERSONAL DATA IS COLLECTED;

(2) (1) EXCEPT WHERE THE COLLECTION OR PROCESSING IS STRICTLY NECESSARY TO PROVIDE OR MAINTAIN A SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE PERSONAL DATA PERTAINS AND UNLESS THE CONTROLLER OBTAINS THE CONSUMER’S CONSENT, COLLECT, PROCESS, OR SHARE SENSITIVE DATA CONCERNING A CONSUMER;

(3) (2) SELL SENSITIVE DATA;

(4) (3) PROCESS PERSONAL DATA IN VIOLATION OF STATE OR FEDERAL LAWS THAT PROHIBIT UNLAWFUL DISCRIMINATION;

(5) (4) PROCESS THE PERSONAL DATA OF A CONSUMER FOR THE PURPOSES OF TARGETED ADVERTISING IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 18 YEARS;

(6) (5) SELL THE PERSONAL DATA OF A CONSUMER WITHOUT THE CONSUMER’S CONSENT IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 18 YEARS;

(7) (6) DISCRIMINATE AGAINST A CONSUMER FOR EXERCISING A CONSUMER RIGHT CONTAINED IN THIS SUBTITLE, INCLUDING DENYING GOODS OR SERVICES, CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, OR PROVIDING A DIFFERENT LEVEL OF QUALITY OF GOODS OR SERVICES TO THE CONSUMER;

(8) (7) COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR, RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR:

(I) THE CONTROLLER’S SELF–TESTING TO PREVENT OR MITIGATE UNLAWFUL DISCRIMINATION;

(II) THE CONTROLLER’S DIVERSIFYING OF AN APPLICANT, PARTICIPANT, OR CUSTOMER POOL; OR

(III) A PRIVATE CLUB OR GROUP NOT OPEN TO THE PUBLIC, AS DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR

(9) (8) UNLESS THE CONTROLLER OBTAINS THE CONSUMER’S CONSENT, PROCESS PERSONAL DATA FOR A PURPOSE THAT IS NEITHER REASONABLY NECESSARY TO, NOR COMPATIBLE WITH, THE DISCLOSED PURPOSES FOR WHICH THE PERSONAL DATA IS PROCESSED, AS DISCLOSED TO THE CONSUMER.

(B) (1) A CONTROLLER SHALL:

(I) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE DATA PERTAINS;

(II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND

(III) PROVIDE AN EFFECTIVE MECHANISM FOR A CONSUMER TO REVOKE THE CONSUMER’S CONSENT UNDER THIS SECTION THAT IS AT LEAST AS EASY AS THE MECHANISM BY WHICH THE CONSUMER PROVIDED THE CONSUMER’S CONSENT.

(2) IF A CONSUMER REVOKES CONSENT UNDER THIS SECTION, THE CONTROLLER SHALL STOP PROCESSING THE CONSUMER’S PERSONAL DATA AS SOON AS PRACTICABLE, BUT NOT LATER THAN 15 30 DAYS AFTER RECEIVING THE REQUEST.
(C) NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO:

(1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE THAT REQUIRES THE PERSONAL DATA OF A CONSUMER THAT THE CONTROLLER DOES NOT COLLECT OR MAINTAIN; OR

(2) PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN CONNECTION WITH A CONSUMER’S VOLUNTARY PARTICIPATION IN A BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM.

(D) A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES:

(1) THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER, INCLUDING SENSITIVE DATA;

(2) THE CONTROLLER’S PURPOSE FOR PROCESSING PERSONAL DATA;

(3) HOW A CONSUMER MAY EXERCISE THE CONSUMER’S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER’S DECISION REGARDING THE CONSUMER’S REQUEST OR MAY REVOKE CONSENT;

(4) THE CATEGORIES OF THIRD PARTIES WITH WHICH THE CONTROLLER SHARES PERSONAL DATA WITH A LEVEL OF DETAIL THAT ENABLES A CONSUMER TO UNDERSTAND WHAT TYPE OF ENTITY EACH THIRD PARTY IS AND, TO THE EXTENT POSSIBLE, HOW EACH THIRD PARTY MAY PROCESS THE PERSONAL DATA THE TYPE OF, BUSINESS MODEL OF, OR PROCESSING CONDUCTED BY EACH THIRD PARTY;

(5) THE CATEGORIES OF PERSONAL DATA, INCLUDING SENSITIVE DATA, THAT THE CONTROLLER SHARES WITH THIRD PARTIES; AND

(6) AN ACTIVE E–MAIL ADDRESS OR OTHER ONLINE MECHANISM THAT A CONSUMER MAY USE TO CONTACT THE CONTROLLER.
(E) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING OR FOR THE PURPOSES OF PROFILING THE CONSUMER IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS, THE CONTROLLER SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE THE SALE OR PROCESSING, AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE SALE OR PROCESSING.

(F) (1) THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT:

(I) THE WAYS IN WHICH CONSUMERS NORMALLY INTERACT WITH THE CONTROLLER;

(II) THE NEED FOR SECURE AND RELIABLE COMMUNICATION OF CONSUMER REQUESTS; AND

(III) THE ABILITY OF THE CONTROLLER TO VERIFY THE IDENTITY OF A CONSUMER MAKING THE REQUEST.

(2) (I) A CONTROLLER MAY NOT REQUIRE A CONSUMER TO CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT.

(II) A CONTROLLER MAY REQUIRE A CONSUMER TO USE AN EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT.

(3) A CONTROLLER MAY UTILIZE THE FOLLOWING METHODS TO SATISFY PARAGRAPH (1) OF THIS SUBSECTION:

(I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE CONTROLLER’S WEBSITE TO A WEBPAGE THAT ALLOWS A CONSUMER, OR AN AUTHORIZED AGENT OF THE CONSUMER, TO OPT OUT OF THE TARGETED ADVERTISING OR THE SALE OF THE CONSUMER’S PERSONAL DATA; OR

(II) ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSONAL DATA, THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT, WITH THE CONSUMER’S CONSENT, BY A PLATFORM, TECHNOLOGY, OR MECHANISM TO THE CONTROLLER INDICATING THE CONSUMER’S INTENT TO OPT OUT OF THE PROCESSING OR SALE.
(4) A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL:

(I) BE CONSUMER–FRIENDLY AND EASY TO USE BY THE AVERAGE CONSUMER;

(II) USE CLEAR, EASY TO UNDERSTAND, AND UNAMBIGUOUS LANGUAGE;

(III) BE AS CONSISTENT AS POSSIBLE WITH ANY OTHER SIMILAR PLATFORM, TECHNOLOGY, OR MECHANISM REQUIRED BY ANY FEDERAL OR STATE LAW OR REGULATION;

(IV) ENABLE THE CONTROLLER TO REASONABLY DETERMINE WHETHER THE CONSUMER:

1. IS A RESIDENT OF THE STATE; AND

2. HAS MADE A LEGITIMATE REQUEST TO OPT OUT OF ANY SALE OF THE CONSUMER’S PERSONAL DATA OR TARGETED ADVERTISING; AND

(V) REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE, UNAMBIGUOUS, AND VOLUNTARY CHOICE IN ORDER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER’S PERSONAL DATA.

(5) A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION MAY NOT:

(I) UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER; OR

(II) USE A DEFAULT SETTING TO OPT A CONSUMER OUT OF ANY PROCESSING OF THE CONSUMER’S PERSONAL DATA.

(G) (1) IF A CONSUMER’S DECISION TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT IN ACCORDANCE WITH SUBSECTION (F)(3) OF THIS SECTION CONFLICTS WITH THE CONSUMER’S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR THE CONSUMER’S VOLUNTARY PARTICIPATION IN A CONTROLLER’S BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE CONTROLLER MAY NOTIFY THE CONSUMER OF A CONFLICT AND PROVIDE THE CHOICE TO CONFIRM CONTROLLER–SPECIFIC PRIVACY SETTINGS OR PARTICIPATION IN A PROGRAM LISTED IN THIS PARAGRAPH.

(2) A CONTROLLER THAT RECOGNIZES SIGNALS APPROVED BY OTHER STATES SHALL BE CONSIDERED IN COMPLIANCE WITH THIS SECTION.

14–4608.
(A) (1) IF A CONTROLLER USES A PROCESSOR TO PROCESS THE PERSONAL DATA OF CONSUMERS, THE CONTROLLER AND THE PROCESSOR SHALL ENTER INTO A CONTRACT THAT GOVERNS THE PROCESSOR’S DATA PROCESSING PROCEDURES WITH RESPECT TO PROCESSING PERFORMED ON BEHALF OF THE CONTROLLER.

(2) THE CONTRACT SHALL BE BINDING AND SHALL CLEARLY SET FORTH INSTRUCTIONS FOR:

(I) PROCESSING INSTRUCTIONS FOR PROCESSING DATA;

(II) THE NATURE AND PURPOSE OF PROCESSING;

(III) THE TYPE OF DATA SUBJECT TO PROCESSING;

(IV) THE DURATION OF PROCESSING; AND

(V) THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES.

(3) THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR:

(I) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE PERSONAL DATA;

(II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA, CONSIDERING THE VOLUME AND NATURE OF THE PERSONAL DATA;

(III) STOP PROCESSING DATA ON REQUEST BY THE CONTROLLER MADE IN ACCORDANCE WITH A CONSUMER’S AUTHENTICATED REQUEST;

(IV) AT THE CONTROLLER’S DIRECTION, DELETE OR RETURN ALL PERSONAL DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICE, UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW;

(V) ON THE REASONABLE REQUEST OF THE CONTROLLER, MAKE AVAILABLE TO THE CONTROLLER ALL INFORMATION IN THE PROCESSOR’S POSSESSION NECESSARY TO DEMONSTRATE THE PROCESSOR’S COMPLIANCE WITH THE OBLIGATIONS IN THIS SUBTITLE;

(VI) AFTER PROVIDING THE CONTROLLER AN OPPORTUNITY TO OBJECT, ENGAGE A SUBCONTRACTOR TO ASSIST WITH PROCESSING PERSONAL DATA ON THE CONTROLLER’S BEHALF ONLY IN ACCORDANCE WITH A WRITTEN CONTRACT THAT REQUIRES THE SUBCONTRACTOR TO MEET THE PROCESSOR’S OBLIGATIONS REGARDING THE PERSONAL DATA UNDER THE PROCESSOR’S CONTRACT WITH THE CONTROLLER; AND

(VII) ALLOW AND COOPERATE WITH REASONABLE ASSESSMENTS BY THE CONTROLLER, THE CONTROLLER’S DESIGNATED ASSESSOR, OR A QUALIFIED AND INDEPENDENT ASSESSOR ARRANGED FOR BY THE PROCESSOR TO ASSESS THE PROCESSOR’S POLICIES AND TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE OBLIGATIONS UNDER THIS SUBTITLE.

(4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT OF AN ASSESSMENT REQUIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION TO THE CONTROLLER.

(II) AN ASSESSMENT CONDUCTED IN ACCORDANCE WITH PARAGRAPH (3)(V) OF THIS SUBSECTION SHALL BE CONDUCTED USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT PROCEDURE FOR THE ASSESSMENTS.

(B) (1) IF A CONTROLLER USES A PROCESSOR TO PROCESS THE PERSONAL DATA OF CONSUMERS, THE CONTROLLER SHALL PROVIDE THE PROCESSOR WITH INSTRUCTIONS ON HOW TO PROCESS PERSONAL DATA.

(2) A PROCESSOR SHALL:

(I) (1) ADHERE TO THE CONTRACT AND INSTRUCTIONS OF A CONTROLLER;

(II) (2) ASSIST THE CONTROLLER IN MEETING THE CONTROLLER’S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING, CONSIDERING THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR:

1. (I) BY APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES AS MUCH AS REASONABLY PRACTICABLE TO FULFILL THE CONTROLLER’S OBLIGATION TO RESPOND TO CONSUMER RIGHTS REQUESTS, CONSIDERING THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR; AND

2. (II) BY ASSISTING THE CONTROLLER IN MEETING THE CONTROLLER’S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING THE PERSONAL DATA AND IN RELATION TO THE NOTIFICATION OF A BREACH OF THE SECURITY OF A SYSTEM, AS DEFINED IN § 14–3504 OF THIS TITLE; AND

(III) (3) PROVIDE NECESSARY INFORMATION TO ENABLE THE CONTROLLER TO CONDUCT AND DOCUMENT DATA PROTECTION ASSESSMENTS.
(C) NOTHING IN THIS SECTION MAY BE CONSTRUED TO RELIEVE A CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON THE CONTROLLER OR PROCESSOR BY VIRTUE OF THE CONTROLLER’S OR PROCESSOR’S ROLE IN THE PROCESSING RELATIONSHIP IN ACCORDANCE WITH THIS SECTION.

(D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A CONTROLLER OR A PROCESSOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT–BASED DETERMINATION THAT DEPENDS ON THE CONTEXT IN WHICH PERSONAL DATA IS BEING PROCESSED.

(2) A PERSON IS CONSIDERED TO BE A CONTROLLER IF THE PERSON:

(I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPECIFIC PERSONAL DATA IN ACCORDANCE WITH A CONTROLLER’S INSTRUCTIONS; OR

(II) FAILS TO ADHERE TO A CONTROLLER’S INSTRUCTIONS WITH RESPECT TO A SPECIFIC PROCESSING OF PERSONAL DATA.

(3) A PROCESSOR THAT CONTINUES TO ADHERE TO A CONTROLLER’S INSTRUCTIONS WITH RESPECT TO A SPECIFIC PROCESSING OF PERSONAL DATA REMAINS A PROCESSOR.

(4) IF A PROCESSOR OR THIRD PARTY BEGINS, ALONE OR JOINTLY WITH OTHERS, DETERMINING THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA, THE PROCESSOR:

(I) IS A CONTROLLER WITH RESPECT TO THE PROCESSING; AND

(II) MAY BE SUBJECT TO AN ENFORCEMENT ACTION UNDER THIS SUBTITLE.

(E) NOTHING IN THIS SECTION MAY BE CONSTRUED TO ALTER A CONTROLLER’S OBLIGATION TO LIMIT A PERSON’S PROCESSING OF PERSONAL DATA OR TO TAKE STEPS TO ENSURE THAT A PROCESSOR ADHERES TO THE CONTROLLER’S INSTRUCTIONS.

14–4609.

(A) IF A THIRD PARTY USES OR SHARES A CONSUMER’S INFORMATION IN A MANNER INCONSISTENT WITH PROMISES MADE TO THE CONSUMER AT THE TIME OF COLLECTION OF THE INFORMATION, THE THIRD PARTY SHALL PROVIDE AN AFFECTED CONSUMER WITH NOTICE OF THE NEW OR CHANGED PRACTICE BEFORE IMPLEMENTING THE NEW OR CHANGED PRACTICE.
(B) THE NOTICE PROVIDED UNDER SUBSECTION (A) OF THIS SECTION SHALL BE PROVIDED IN A MANNER AND AT A TIME REASONABLY CALCULATED TO ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE.

14–4610.

(A) IN THIS SECTION, “PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER” MEANS:

(1) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING;

(2) THE SALE OF PERSONAL DATA;

(3) THE PROCESSING OF SENSITIVE DATA; AND

(4) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF PROFILING, IN WHICH THE PROFILING PRESENTS A REASONABLY FORESEEABLE RISK OF:

(I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATMENT OF A CONSUMER;

(II) HAVING AN UNLAWFUL DISPARATE IMPACT ON A CONSUMER;

(III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJURY TO A CONSUMER;

(IV) A PHYSICAL OR OTHER INTRUSION ON THE SOLITUDE OR SECLUSION OR THE PRIVATE AFFAIRS OR CONCERNS OF A CONSUMER IN WHICH THE INTRUSION WOULD BE OFFENSIVE TO A REASONABLE PERSON; OR

(V) OTHER SUBSTANTIAL INJURY TO A CONSUMER.

(B) A CONTROLLER SHALL CONDUCT AND DOCUMENT, ON A REGULAR BASIS, A DATA PROTECTION ASSESSMENT FOR EACH OF THE CONTROLLER’S PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER, INCLUDING AN ASSESSMENT FOR EACH ALGORITHM THAT IS USED.

(C) (1) A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS THAT MAY FLOW DIRECTLY AND INDIRECTLY FROM THE PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER INTERESTED PARTIES, AND THE PUBLIC AGAINST:

(I) THE POTENTIAL RISKS TO THE RIGHTS OF THE CONSUMER ASSOCIATED WITH THE PROCESSING AS MITIGATED BY SAFEGUARDS THAT MAY BE EMPLOYED BY THE CONTROLLER TO REDUCE THESE RISKS; AND

(II) THE NECESSITY AND PROPORTIONALITY OF PROCESSING IN RELATION TO THE STATED PURPOSE OF THE PROCESSING.
(2) THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT:

(I) THE USE OF DE–IDENTIFIED DATA;

(II) THE REASONABLE EXPECTATIONS OF CONSUMERS;

(III) THE CONTEXT OF THE PROCESSING; AND

(IV) THE RELATIONSHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE PROCESSED.

(D) (1) THE DIVISION MAY REQUIRE THAT A CONTROLLER MAKE AVAILABLE TO THE DIVISION A DATA PROTECTION ASSESSMENT THAT IS RELEVANT TO AN INVESTIGATION CONDUCTED BY THE DIVISION.

(2) (I) THE DIVISION MAY EVALUATE A DATA PROTECTION ASSESSMENT FOR COMPLIANCE WITH THE RESPONSIBILITIES ESTABLISHED IN THIS SUBTITLE.

(II) A CONTROLLER’S DATA PROTECTION ASSESSMENT MAY BE USED IN AN ACTION TO ENFORCE THIS SUBTITLE.

(3) A DATA PROTECTION ASSESSMENT IS CONFIDENTIAL AND IS EXEMPT FROM DISCLOSURE UNDER THE FEDERAL FREEDOM OF INFORMATION ACT OR THE PUBLIC INFORMATION ACT.

(E) A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A COMPARABLE SET OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR ACTIVITIES.

(F) IF A CONTROLLER CONDUCTS A DATA PROTECTION ASSESSMENT FOR THE PURPOSE OF COMPLYING WITH ANOTHER APPLICABLE LAW OR REGULATION, THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERED TO SATISFY THE REQUIREMENTS ESTABLISHED IN THIS SECTION IF THE DATA PROTECTION ASSESSMENT IS REASONABLY SIMILAR IN SCOPE AND EFFECT TO THE DATA PROTECTION ASSESSMENT THAT WOULD OTHERWISE BE CONDUCTED IN ACCORDANCE WITH THIS SECTION.

(G) TO THE EXTENT THAT ANY INFORMATION CONTAINED IN A DATA PROTECTION ASSESSMENT DISCLOSED TO THE DIVISION INCLUDES INFORMATION SUBJECT TO ATTORNEY–CLIENT PRIVILEGE OR WORK PRODUCT PROTECTION, THE DISCLOSURE MAY NOT CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION.
(H) A DATA PROTECTION ASSESSMENT CONDUCTED UNDER THIS SECTION:

(1) SHALL APPLY TO PROCESSING ACTIVITIES THAT OCCUR ON OR AFTER OCTOBER 1, 2025; AND

(2) IS NOT REQUIRED FOR PROCESSING ACTIVITIES THAT OCCUR BEFORE OCTOBER 1, 2025.

14–4611.

(A) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO:

(1) RE–IDENTIFY DE–IDENTIFIED DATA;

(2) MAINTAIN DATA IN AN IDENTIFIABLE FORM; OR

(3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA.

(B) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER:

(1) IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA;

(2) DOES NOT USE THE PERSONAL DATA TO RECOGNIZE OR RESPOND TO THE SPECIFIC CONSUMER WHO IS THE SUBJECT OF THE PERSONAL DATA OR ASSOCIATE THE PERSONAL DATA WITH OTHER PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER; AND

(3) DOES NOT SELL THE PERSONAL DATA TO A THIRD PARTY OR OTHERWISE VOLUNTARILY DISCLOSE THE PERSONAL DATA TO A THIRD PARTY OTHER THAN A PROCESSOR, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBTITLE.

(C) (1) A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL:

(I) EXERCISE REASONABLE OVERSIGHT TO MONITOR COMPLIANCE WITH ANY CONTRACTUAL COMMITMENTS TO WHICH THE DE–IDENTIFIED DATA IS SUBJECT; AND

(II) TAKE APPROPRIATE STEPS TO ADDRESS ANY BREACHES OF ANY CONTRACTUAL COMMITMENTS.
(2) THE DETERMINATION OF WHETHER OVERSIGHT IS REASONABLE AND WHETHER APPROPRIATE STEPS WERE TAKEN IN ACCORDANCE WITH PARAGRAPH (1) OF THIS SUBSECTION SHALL TAKE INTO ACCOUNT WHETHER THE DISCLOSED DATA INCLUDES DATA THAT WOULD BE CONSIDERED SENSITIVE DATA IF THE DATA WERE RE–IDENTIFIED.

14–4612.

(A) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER’S OR PROCESSOR’S ABILITY TO:

(1) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS OR REGULATIONS;

(2) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS BY A FEDERAL, STATE, LOCAL, OR OTHER GOVERNMENTAL AUTHORITY COMPLY WITH A CIVIL OR CRIMINAL SUBPOENA OR SUMMONS BY A FEDERAL, STATE, LOCAL, OR OTHER JUDICIAL BODY;

(3) COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAWS OR REGULATIONS;

(4) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR, OR DEFEND A LEGAL CLAIM;

(5) PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER;

(6) PERFORM UNDER A CONTRACT TO WHICH A CONSUMER IS A PARTY, INCLUDING FULFILLING THE TERMS OF A WRITTEN WARRANTY;

(7) TAKE STEPS AT THE REQUEST OF A CONSUMER BEFORE ENTERING INTO A CONTRACT;

(8) TAKE IMMEDIATE STEPS TO PROTECT AN INTEREST THAT IS ESSENTIAL FOR THE LIFE OR PHYSICAL SAFETY OF A CONSUMER OR ANOTHER INDIVIDUAL AND WHEN THE PROCESSING CANNOT BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS;

(9) PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY;

(10) PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR

(11) ASSIST ANOTHER CONTROLLER, PROCESSOR, OR THIRD PARTY WITH AN OBLIGATION UNDER THIS SUBTITLE.

(B) (1) THIS SUBSECTION DOES NOT APPLY TO AN OBLIGATION REQUIRED UNDER § 14–4611 OF THIS SUBTITLE.

(2) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER’S OR PROCESSOR’S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO:

(I) EFFECTUATE A PRODUCT RECALL;

(II) IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR

(III) PERFORM INTERNAL OPERATIONS THAT ARE:

1. REASONABLY ALIGNED WITH THE EXPECTATIONS OF THE CONSUMER OR CAN BE REASONABLY ANTICIPATED BASED ON THE CONSUMER’S EXISTING RELATIONSHIP WITH THE CONTROLLER; OR

2. OTHERWISE COMPATIBLE WITH PROCESSING DATA IN FURTHERANCE OF:

A. THE PROVISION OF A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER; OR

B. THE PERFORMANCE OF A CONTRACT TO WHICH THE CONSUMER IS A PARTY.

(C) (1) AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THE SUBTITLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER STATE LAW.

(2) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER STATE LAW AS PART OF A PRIVILEGED COMMUNICATION.
(D) (1) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND, AT THE TIME THE DISCLOSING CONTROLLER OR PROCESSOR DISCLOSED THE PERSONAL DATA, THE DISCLOSING CONTROLLER OR PROCESSOR DID NOT HAVE ACTUAL KNOWLEDGE THAT THE RECEIVING PROCESSOR OR THIRD–PARTY CONTROLLER WOULD VIOLATE THIS SUBTITLE.

(2) A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEIVES PERSONAL DATA FROM A CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE FOR THE INDEPENDENT MISCONDUCT OF THE CONTROLLER OR PROCESSOR FROM WHICH THE THIRD–PARTY CONTROLLER OR PROCESSOR RECEIVED THE PERSONAL DATA.

(E) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO:

(1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR THAT ADVERSELY AFFECTS THE RIGHTS OR FREEDOMS OF ANY PERSON, INCLUDING THE RIGHTS OF A PERSON TO FREEDOM OF SPEECH OR FREEDOM OF THE PRESS AS GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR

(2) APPLY TO A PERSON’S PROCESSING OF PERSONAL DATA DURING THE PERSON’S PERSONAL OR HOUSEHOLD ACTIVITIES.

(F) IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL DATA IN ACCORDANCE WITH AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL DEMONSTRATE THAT THE PROCESSING:

(1) QUALIFIES FOR AN EXEMPTION; AND

(2) COMPLIES WITH THE REQUIREMENTS OF SUBSECTION (G) OF THIS SECTION.
(G) PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION:

(1) SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO:

(I) PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND

(II) REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND

(2) MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS:

(I) REASONABLY NECESSARY AND PROPORTIONATE TO THE PURPOSES LISTED IN THIS SECTION; AND

(II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS NECESSARY IN RELATION TO THE SPECIFIC PURPOSES LISTED IN THIS SECTION.

(H) A PERSON THAT PROCESSES PERSONAL DATA FOR A PURPOSE EXPRESSLY IDENTIFIED IN THIS SECTION MAY NOT BE CONSIDERED A CONTROLLER SOLELY BASED ON THE PROCESSING OF PERSONAL DATA.

14–4613.

(A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION, A VIOLATION OF THIS SUBTITLE IS:

(1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE PRACTICE WITHIN THE MEANING OF TITLE 13 OF THIS ARTICLE; AND

(2) SUBJECT TO THE ENFORCEMENT AND PENALTY PROVISIONS CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE.

(B) THIS SECTION DOES NOT PREVENT A CONSUMER FROM PURSUING ANY OTHER REMEDY PROVIDED BY LAW.

14–4614.

(A) THIS SECTION APPLIES TO AN ENFORCEMENT ACTION UNDER § 14–4613 OF THIS SUBTITLE FOR AN ALLEGED VIOLATION THAT OCCURS ON OR BEFORE APRIL 1, 2027.

(B) BEFORE INITIATING ANY ACTION UNDER § 14–4613 OF THIS SUBTITLE, THE DIVISION MAY ISSUE A NOTICE OF VIOLATION TO THE CONTROLLER OR PROCESSOR IF THE DIVISION DETERMINES THAT A CURE IS POSSIBLE.

(C) (1) IF THE DIVISION ISSUES A NOTICE OF VIOLATION UNDER SUBSECTION (B) OF THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL HAVE AT LEAST 60 DAYS TO CURE THE VIOLATION AFTER RECEIPT OF THE NOTICE.
(2) IF THE CONTROLLER OR PROCESSOR FAILS TO CURE THE VIOLATION WITHIN THE TIME PERIOD SPECIFIED BY THE DIVISION, THE DIVISION MAY BRING AN ENFORCEMENT ACTION UNDER § 14–4613 OF THIS SUBTITLE.

(D) IN DETERMINING WHETHER TO GRANT A CONTROLLER OR PROCESSOR AN OPPORTUNITY TO CURE AN ALLEGED VIOLATION, THE DIVISION MAY CONSIDER THE FOLLOWING FACTORS:

(1) THE NUMBER OF VIOLATIONS;

(2) THE SIZE AND COMPLEXITY OF THE CONTROLLER OR PROCESSOR;

(3) THE NATURE AND EXTENT OF THE CONTROLLER’S OR PROCESSOR’S PROCESSING ACTIVITIES;

(4) THE LIKELIHOOD OF INJURY TO THE PUBLIC;

(5) THE SAFETY OF PERSONS OR PROPERTY;

(6) WHETHER THE ALLEGED VIOLATION WAS LIKELY CAUSED BY A HUMAN OR TECHNICAL ERROR; AND

(7) THE EXTENT TO WHICH THE CONTROLLER OR PROCESSOR HAS VIOLATED THIS SUBTITLE OR SIMILAR LAWS IN THE PAST.

SECTION 2. AND BE IT FURTHER ENACTED, That § 14–4612 of the Commercial Law Article, as enacted by Section 1 of this Act, shall be construed to apply only prospectively and may not be applied or interpreted to have any effect on or application to any personal data processing activities before April 1, 2025 2026.

SECTION 3. AND BE IT FURTHER ENACTED, That this Act shall take effect October 1, 2024 2025.

Approved:

Governor.

President of the Senate.

Speaker of the House of Delegates.