EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW. [Brackets] indicate matter deleted from existing law. Underlining indicates amendments to bill. Strike out indicates matter stricken from the bill by amendment or deleted from the law by amendment. Italics indicate opposite chamber/conference committee amendments.

SENATE BILL 541
I3 (4lr1200)
ENROLLED BILL
— Finance/Economic Matters —
Introduced by Senators Gile, Hester, Augustine, Feldman, Beidle, and Ellis

Read and Examined by Proofreaders:
_______ Proofreader.
_______ Proofreader.
Sealed with the Great Seal and presented to the Governor, for his approval this _______ day of _______ at _______ o’clock, _______M.
_______ President.

CHAPTER ______

AN ACT concerning

Maryland Online Data Privacy Act of 2024

FOR the purpose of regulating the manner in which a controller or a processor in possession of a consumer’s personal data may process the consumer’s personal data; authorizing a consumer to exercise certain rights in regards to the consumer’s personal data; requiring a controller of personal data to establish a method for a consumer to exercise certain rights in regards to the consumer’s personal data; requiring a controller to comply with a request by a consumer to exercise a certain right in a certain manner, except under certain circumstances; authorizing a consumer to designate an authorized agent to act on the consumer’s behalf to opt out of the processing of the consumer’s personal data; requiring a controller to provide a consumer with a certain privacy notice; requiring a controller that uses a processor to process the personal data of consumers to enter into a contract with the processor that governs the processor’s data processing procedures; requiring a controller to conduct and document a data protection
assessment for consumer data processing activities that present a heightened risk of harm to a consumer; making a violation of this Act an unfair, abusive, or deceptive trade practice that is subject to enforcement and penalties under the Maryland Consumer Protection Act; and generally relating to online data privacy.

BY repealing and reenacting, with amendments,
Article – Commercial Law
Section 13–301(14)(xl)
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)

BY repealing and reenacting, without amendments,
Article – Commercial Law
Section 13–301(14)(xli)
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)

BY adding to
Article – Commercial Law
Section 13–301(14)(xlii); and 14–4601 through 14–4613 14–4614 to be under the new subtitle “Subtitle 46. Online Data Privacy Act”
Annotated Code of Maryland
(2013 Replacement Volume and 2023 Supplement)

SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND, That the Laws of Maryland read as follows:

Article – Commercial Law

13–301.

Unfair, abusive, or deceptive trade practices include any:
(14) Violation of a provision of:
(xl) Title 14, Subtitle 13 of the Public Safety Article; [or]
(xli) Title 14, Subtitle 45 of this article; or
(XLII) TITLE 14, SUBTITLE 46 OF THIS ARTICLE; OR

SUBTITLE 46. ONLINE DATA PRIVACY ACT.

14–4601.

(A) IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS INDICATED.
(B) “AFFILIATE” MEANS A PERSON THAT, DIRECTLY OR INDIRECTLY THROUGH ONE OR MORE INTERMEDIARIES, CONTROLS, IS CONTROLLED BY, OR IS UNDER COMMON CONTROL WITH ANOTHER PERSON, SUCH THAT THE PERSON:
(1) SHARES COMMON BRANDING WITH ANOTHER PERSON; OR
(2) CONTROLS, IS CONTROLLED BY, OR IS UNDER COMMON CONTROL WITH ANOTHER PERSON.
(1) OWNS OR HAS THE POWER TO VOTE MORE THAN 50% OF THE OUTSTANDING SHARES OF ANY VOTING CLASS OF THE OTHER PERSON’S SECURITIES;
(2) HAS THE POWER TO ELECT OR INFLUENCE THE ELECTION OF A MAJORITY OF THE DIRECTORS, MEMBERS, OR MANAGERS OF THE OTHER PERSON;
(3) HAS THE POWER TO DIRECT THE MANAGEMENT OF THE OTHER PERSON; OR
(4) IS SUBJECT TO THE OTHER PERSON’S EXERCISE OF THE POWERS DESCRIBED IN ITEM (1), (2), OR (3) OF THIS SUBSECTION.
(C) “AUTHENTICATE” MEANS TO USE REASONABLE MEANS TO DETERMINE THAT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH § 14–4605 OF THIS SUBTITLE IS BEING MADE BY, OR ON BEHALF OF, A CONSUMER WHO IS ENTITLED TO EXERCISE THE CONSUMER RIGHT WITH RESPECT TO THE PERSONAL DATA AT ISSUE.
(D) (1) “BIOMETRIC DATA” MEANS DATA GENERATED BY AUTOMATIC MEASUREMENTS OF THE BIOLOGICAL CHARACTERISTICS OF A CONSUMER THAT CAN BE USED TO UNIQUELY AUTHENTICATE A CONSUMER’S IDENTITY.
(2) “BIOMETRIC DATA” INCLUDES:
(I) A FINGERPRINT;
(II) A VOICE PRINT;
(III) AN EYE RETINA OR IRIS IMAGE; AND
(IV) ANY OTHER UNIQUE BIOLOGICAL CHARACTERISTICS THAT CAN BE ARE CAN BE USED TO UNIQUELY AUTHENTICATE A CONSUMER’S IDENTITY.
(3) “BIOMETRIC DATA” DOES NOT INCLUDE:
(I) A DIGITAL OR PHYSICAL PHOTOGRAPH;
(II) AN AUDIO OR VIDEO RECORDING; OR
(III) ANY DATA GENERATED FROM A DIGITAL OR PHYSICAL PHOTOGRAPH OR AN AUDIO OR VIDEO RECORDING, UNLESS THE DATA IS GENERATED TO IDENTIFY A SPECIFIC CONSUMER.
(E) “BUSINESS ASSOCIATE” HAS THE MEANING STATED IN HIPAA.
(F) “CHILD” HAS THE MEANING STATED IN COPPA.
(G) (1) “CONSENT” MEANS A CLEAR AFFIRMATIVE ACT SIGNIFYING A CONSUMER’S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS AGREEMENT TO ALLOW THE PROCESSING OF PERSONAL DATA RELATING TO THE CONSUMER FOR A PARTICULAR PURPOSE.
(2) “CONSENT” INCLUDES:
(I) A WRITTEN STATEMENT;
(II) A WRITTEN STATEMENT BY ELECTRONIC MEANS; OR
(III) ANY OTHER UNAMBIGUOUS AFFIRMATIVE ACTION.
(3) “CONSENT” DOES NOT INCLUDE:
(I) ACCEPTANCE OF A GENERAL OR BROAD TERMS OF USE OR SIMILAR DOCUMENT THAT CONTAINS DESCRIPTIONS OF PERSONAL DATA PROCESSING ALONG WITH OTHER UNRELATED INFORMATION;
(II) HOVERING OVER, MUTING, PAUSING, OR CLOSING A PIECE OF CONTENT; OR
(III) AGREEMENT OBTAINED THROUGH THE USE OF DARK PATTERNS.
(H) (1) “CONSUMER” MEANS AN INDIVIDUAL WHO IS A RESIDENT OF THE STATE.
(2) “CONSUMER” DOES NOT INCLUDE:
(I) AN INDIVIDUAL ACTING IN A COMMERCIAL OR EMPLOYMENT CONTEXT; OR
(II) AN INDIVIDUAL ACTING AS AN EMPLOYEE, AN OWNER, A DIRECTOR, AN OFFICER, OR A CONTRACTOR OF A COMPANY, A PARTNERSHIP, A SOLE PROPRIETORSHIP, A NONPROFIT ORGANIZATION, OR A GOVERNMENTAL UNIT WHOSE COMMUNICATIONS OR TRANSACTIONS WITH A CONTROLLER OCCUR ONLY WITHIN THE CONTEXT OF THE INDIVIDUAL’S ROLE WITH THE COMPANY, PARTNERSHIP, SOLE PROPRIETORSHIP, NONPROFIT ORGANIZATION, OR GOVERNMENTAL UNIT.
(I) (1) “CONSUMER HEALTH DATA” MEANS PERSONAL DATA THAT A CONTROLLER USES TO IDENTIFY A CONSUMER’S PHYSICAL OR MENTAL HEALTH STATUS.
(2) “CONSUMER HEALTH DATA” INCLUDES DATA RELATED TO:
(I) GENDER–AFFIRMING CARE TREATMENT; OR
(II) REPRODUCTIVE OR SEXUAL HEALTH CARE.
(J) “CONTROL” MEANS:
(1) OWNERSHIP OF OR THE POWER TO VOTE MORE THAN 50% OF THE OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF A BUSINESS;
(2) ANY MANNER OF CONTROL OVER THE ELECTION OF A MAJORITY OF THE DIRECTORS OF A BUSINESS, OR INDIVIDUALS EXERCISING SIMILAR FUNCTIONS; OR
(3) THE POWER TO EXERCISE A CONTROLLING INFLUENCE OVER THE MANAGEMENT OF A BUSINESS.
(K) “CONTROLLER” MEANS A PERSON THAT, ALONE OR JOINTLY WITH OTHERS, DETERMINES THE PURPOSE AND MEANS OF PROCESSING PERSONAL DATA.
(L) (1) “COPPA” MEANS THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998 AND THE REGULATIONS, RULES, GUIDANCE, AND EXEMPTIONS ADOPTED UNDER THE ACT, AND AS THE ACT AND THE REGULATIONS, RULES, GUIDANCE, AND EXEMPTIONS MAY BE AMENDED.
(2) “COPPA” INCLUDES REGULATIONS ADOPTED UNDER THE FEDERAL CHILDREN’S ONLINE PRIVACY PROTECTION ACT OF 1998.
(M) “COVERED ENTITY” HAS THE MEANING STATED IN HIPAA.
(N) (1) “DARK PATTERN” MEANS A USER INTERFACE DESIGNED OR MANIPULATED WITH THE SUBSTANTIAL EFFECT OF SUBVERTING USER AUTONOMY, DECISION MAKING, OR CHOICE.
(2) “DARK PATTERN” INCLUDES ANY PRACTICE THE FEDERAL TRADE COMMISSION REFERS TO AS A “DARK PATTERN”.
(O) “DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING THE CONSUMER” MEANS DECISIONS THAT RESULT IN THE PROVISION OR DENIAL OF:
(1) FINANCIAL OR LENDING SERVICES;
(2) HOUSING;
(3) INSURANCE;
(4) (3) EDUCATION ENROLLMENT OR OPPORTUNITY;
(5) (4) CRIMINAL JUSTICE;
(6) (5) EMPLOYMENT OPPORTUNITIES;
(7) (6) HEALTH CARE SERVICES; OR
(8) (7) ACCESS TO ESSENTIAL GOODS OR SERVICES.
(P) “DE–IDENTIFIED DATA” MEANS DATA THAT CANNOT REASONABLY BE USED TO INFER INFORMATION ABOUT OR OTHERWISE BE LINKED TO AN IDENTIFIED OR IDENTIFIABLE CONSUMER, OR A DEVICE THAT MAY BE LINKED TO AN IDENTIFIED OR IDENTIFIABLE CONSUMER, IF THE CONTROLLER THAT POSSESSES THAT INFORMATION:
(1) TAKES REASONABLE MEASURES TO ENSURE THAT THE INFORMATION CANNOT BE LINKED WITH A CONSUMER;
(2) COMMITS IN PUBLICLY AVAILABLE TERMS AND CONDITIONS OR IN A PUBLICLY AVAILABLE PRIVACY POLICY TO MAINTAIN AND USE THE INFORMATION IN DE–IDENTIFIED FORM; AND
(3) CONTRACTUALLY OBLIGES ANY RECIPIENTS OF THE INFORMATION TO COMPLY WITH ALL PROVISIONS OF THIS SUBSECTION HAS THE MEANING STATED IN § 14–4401 OF THIS TITLE.
(Q) “GENDER–AFFIRMING TREATMENT” HAS THE MEANING STATED IN § 15–151(A) OF THE HEALTH – GENERAL ARTICLE.
(Q) (R) (1) “GENETIC DATA” MEANS DATA IN ANY FORMAT THAT CONCERNS THE GENETIC CHARACTERISTICS OF A CONSUMER.
(2) “GENETIC DATA” INCLUDES:
(I) RAW SEQUENCE DATA THAT RESULTS FROM SEQUENCING OF A CONSUMER’S COMPLETE EXTRACTED DNA OR A PORTION OF THE CONSUMER’S COMPLETE EXTRACTED DNA;
(II) GENOTYPIC AND PHENOTYPIC INFORMATION THAT RESULTS FROM ANALYZING RAW SEQUENCE DATA;
(III) INFORMATION EXTRAPOLATED, DERIVED, OR INFERRED FROM THE ANALYSIS OF RAW SEQUENCE DATA; AND
(IV) SELF–REPORTED HEALTH INFORMATION SUBMITTED TO A DIRECT–TO–CONSUMER GENETIC TESTING COMPANY BY A CONSUMER REGARDING THE CONSUMER’S HEALTH CONDITIONS:
1. THAT IS USED FOR SCIENTIFIC RESEARCH OR PRODUCT DEVELOPMENT; AND
2. ANALYZED IN CONNECTION WITH THE CONSUMER’S RAW SEQUENCE DATA HAS THE MEANING STATED IN § 14–4401 OF THIS TITLE.
(R) (S) (1) “GEOFENCE” MEANS TECHNOLOGY THAT ESTABLISHES A VIRTUAL GEOGRAPHICAL BOUNDARY.
(2) “GEOFENCE” INCLUDES BOUNDARIES THAT ARE ESTABLISHED OR MONITORED THROUGH THE USE OF:
(I) GLOBAL POSITIONING TECHNOLOGY;
(II) CELL TOWER CONNECTIVITY;
(III) CELLULAR DATA;
(IV) RADIO FREQUENCY IDENTIFICATION;
(V) WIRELESS FIDELITY TECHNOLOGY; OR
(VI) ANY OTHER FORM OF LOCATION DETERMINATION TECHNOLOGY.
(S) (T) “HIPAA” MEANS THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996.
(T) (U) “IDENTIFIED OR IDENTIFIABLE CONSUMER” MEANS A CONSUMER WHO CAN READILY BE IDENTIFIED, EITHER DIRECTLY OR INDIRECTLY.
(U) (V) “MENTAL HEALTH FACILITY” MEANS A HEALTH CARE FACILITY IN WHICH NOT LESS THAN 70% OF HEALTH CARE SERVICES OFFERED ARE MENTAL HEALTH SERVICES.
(V) (W) (1) “PERSONAL DATA” MEANS ANY INFORMATION THAT IS LINKED OR CAN BE REASONABLY LINKED TO AN IDENTIFIED OR IDENTIFIABLE CONSUMER.
(2) “PERSONAL DATA” DOES NOT INCLUDE:
(I) DE–IDENTIFIED DATA; OR
(II) PUBLICLY AVAILABLE INFORMATION.
(W) (X) (1) “PRECISE GEOLOCATION DATA” MEANS INFORMATION DERIVED FROM TECHNOLOGY THAT CAN PRECISELY AND ACCURATELY IDENTIFY THE SPECIFIC LOCATION OF A CONSUMER WITHIN A RADIUS OF 1,750 FEET.
(2) “PRECISE GEOLOCATION DATA” INCLUDES GLOBAL POSITIONING SYSTEM LEVEL LATITUDE AND LONGITUDE COORDINATES OR OTHER SIMILAR MECHANISMS.
(3) “PRECISE GEOLOCATION DATA” DOES NOT INCLUDE:
(I) THE CONTENT OF COMMUNICATIONS DATA;
(II) DATA GENERATED BY OR CONNECTED TO AN ADVANCED UTILITY METERING INFRASTRUCTURE SYSTEM; OR
(II) (III) EQUIPMENT DATA GENERATED BY EQUIPMENT USED BY A UTILITY COMPANY.
(X) (Y) (1) “PROCESS” MEANS AN OPERATION OR SET OF OPERATIONS PERFORMED BY MANUAL OR AUTOMATED MEANS ON PERSONAL DATA.
(2) “PROCESS” INCLUDES COLLECTING, USING, STORING, DISCLOSING, ANALYZING, DELETING, OR MODIFYING PERSONAL DATA.
(Y) (Z) “PROCESSOR” MEANS A PERSON THAT PROCESSES PERSONAL DATA ON BEHALF OF A CONTROLLER.
(Z) (AA) “PROFILING” MEANS ANY FORM OF AUTOMATED PROCESSING PERFORMED ON PERSONAL DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS RELATED TO AN IDENTIFIED OR IDENTIFIABLE CONSUMER’S ECONOMIC SITUATION, HEALTH, DEMOGRAPHIC CHARACTERISTICS, PERSONAL PREFERENCES, INTERESTS, RELIABILITY, BEHAVIOR, LOCATION, OR MOVEMENTS.
(AA) (BB) “PROTECTED HEALTH INFORMATION” HAS THE MEANING STATED IN HIPAA.
(BB) (CC) (1) “PUBLICLY AVAILABLE INFORMATION” MEANS INFORMATION THAT A PERSON:
(I) IS LAWFULLY MADE READILY AVAILABLE TO THE GENERAL PUBLIC THROUGH FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS; OR
(II) A CONTROLLER HAS A REASONABLE BASIS TO BELIEVE THAT A CONSUMER HAS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC THROUGH WIDELY DISTRIBUTED MEDIA.
(I) LAWFULLY OBTAINS FROM A RECORD OF A GOVERNMENTAL ENTITY;
(II) REASONABLY BELIEVES A CONSUMER OR WIDELY DISTRIBUTED MEDIA HAVE LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC; OR
(III) IF THE CONSUMER HAS NOT RESTRICTED THE INFORMATION TO A SPECIFIC AUDIENCE, OBTAINS FROM A PERSON TO WHOM THE CONSUMER DISCLOSED THE INFORMATION.
(2) “PUBLICLY AVAILABLE INFORMATION” DOES NOT INCLUDE BIOMETRIC DATA COLLECTED BY A BUSINESS ABOUT A CONSUMER WITHOUT THE CONSUMER’S KNOWLEDGE.
(CC) (DD) (1) “REPRODUCTIVE OR SEXUAL HEALTH CARE” MEANS CARE RELATED TO A HEALTH CARE–RELATED SERVICE OR PRODUCT RENDERED OR PROVIDED CONCERNING A CONSUMER’S REPRODUCTIVE SYSTEM OR SEXUAL WELL–BEING., INCLUDING:
(2) “REPRODUCTIVE OR SEXUAL HEALTH CARE” INCLUDES:
(I) (1) A SERVICE OR PRODUCT PROVIDED RELATED TO AN INDIVIDUAL HEALTH CONDITION, STATUS, DISEASE, DIAGNOSIS, TEST, OR TREATMENT;
(II) (2) A SOCIAL, PSYCHOLOGICAL, BEHAVIORAL, OR MEDICAL INTERVENTION;
(III) (3) A SURGERY OR PROCEDURE;
(IV) (4) THE PURCHASE OR USE OF A MEDICATION, INCLUDING A MEDICATION PURCHASED OR USED FOR THE PURPOSES OF AN ABORTION;
(V) (5) A SERVICE OR PRODUCT RELATED TO A BODILY FUNCTION, VITAL SIGN, OR MEASUREMENT THEREOF SYMPTOM;
(6) A MEASUREMENT OF A BODILY FUNCTION, VITAL SIGN, OR SYMPTOM; AND
(VI) (7) AN ABORTION,, WHETHER SURGICAL OR MEDICAL; AND
(VII) A SERVICE RELATED TO AN ABORTION AND MEDICAL AND NONMEDICAL SERVICES, PRODUCTS, DIAGNOSTICS, COUNSELING, AND FOLLOW–UP SERVICES FOR AN ABORTION.
(DD) (EE) “REPRODUCTIVE OR SEXUAL HEALTH CARE FACILITY” MEANS A HEALTH CARE FACILITY WHERE NOT LESS THAN 70% OF SERVICES OFFERED ARE REPRODUCTIVE OR SEXUAL HEALTH CARE SERVICES.
(EE) (FF) (1) “SALE OF PERSONAL DATA” MEANS THE EXCHANGE OF PERSONAL DATA BY A CONTROLLER, A PROCESSOR, OR AN AFFILIATE OF A CONTROLLER OR PROCESSER TO A THIRD PARTY FOR MONETARY OR OTHER VALUABLE CONSIDERATION.
(2) “SALE OF PERSONAL DATA” DOES NOT INCLUDE:
(I) THE DISCLOSURE OF PERSONAL DATA TO A PROCESSOR THAT PROCESSES PERSONAL DATA ON BEHALF OF A CONTROLLER IF LIMITED TO THE PURPOSES OF THE PROCESSING;
(II) THE DISCLOSURE OF PERSONAL DATA TO A THIRD PARTY FOR PURPOSES OF PROVIDING A PRODUCT OR SERVICE AFFIRMATIVELY REQUESTED BY THE CONSUMER;
(III) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO AN AFFILIATE OF THE CONTROLLER FOR THE PURPOSE OF PROVIDING A PRODUCT OR SERVICE AFFIRMATIVELY REQUESTED BY THE CONSUMER;
(IV) THE DISCLOSURE OF PERSONAL DATA WHERE THE CONSUMER:
1. DIRECTS THE CONTROLLER TO DISCLOSE THE PERSONAL DATA; OR
2. INTENTIONALLY USES THE CONTROLLER TO INTERACT WITH A THIRD PARTY;
(V) THE DISCLOSURE OF PERSONAL DATA THAT THE CONSUMER:
1. INTENTIONALLY MADE AVAILABLE TO THE GENERAL PUBLIC THROUGH A CHANNEL OF MASS MEDIA; AND
2. DID NOT RESTRICT TO A SPECIFIC AUDIENCE; OR
(VI) THE DISCLOSURE OR TRANSFER OF PERSONAL DATA TO A THIRD PARTY AS AN ASSET THAT IS PART OF AN ACTUAL OR PROPOSED MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION WHERE THE THIRD PARTY ASSUMES CONTROL OF ALL OR PART OF THE CONTROLLER’S ASSETS.
(FF) (GG) “SENSITIVE DATA” MEANS PERSONAL DATA THAT INCLUDES:
(1) DATA REVEALING:
(I) RACIAL OR ETHNIC ORIGIN;
(II) RELIGIOUS BELIEFS;
(III) CONSUMER HEALTH DATA;
(IV) SEX LIFE;
(V) SEXUAL ORIENTATION;
(VI) STATUS AS TRANSGENDER OR NONBINARY;
(VII) NATIONAL ORIGIN; OR
(VIII) CITIZENSHIP OR IMMIGRATION STATUS;
(2) GENETIC DATA OR BIOMETRIC DATA;
(3) PERSONAL DATA OF A CONSUMER THAT THE CONTROLLER KNOWS OR HAS REASON TO KNOW IS A CHILD; OR
(4) PRECISE GEOLOCATION DATA.
(GG) (HH) (1) “TARGETED ADVERTISING” MEANS DISPLAYING ADVERTISEMENTS TO A CONSUMER OR ON A DEVICE IDENTIFIED BY A UNIQUE IDENTIFIER, WHERE THE ADVERTISEMENT IS SELECTED BASED ON PERSONAL DATA OBTAINED OR INFERRED FROM THE CONSUMER’S ACTIVITIES OVER TIME AND ACROSS NONAFFILIATED WEBSITES OR ONLINE APPLICATIONS THAT ARE UNAFFILIATED WITH EACH OTHER, IN ORDER TO PREDICT THE CONSUMER’S PREFERENCES OR INTERESTS.
(2) “TARGETED ADVERTISING” DOES NOT INCLUDE:
(I) ADVERTISEMENTS BASED ON THE CONTEXT IN WHICH THE ADVERTISEMENT APPEARS AND DOES NOT VARY BASED ON WHO IS VIEWING THE ADVERTISEMENT OF A CONSUMER’S CURRENT SEARCH QUERY, VISIT TO A WEBSITE, OR ONLINE APPLICATION;
(II) ADVERTISEMENTS BASED ON A CONSUMER’S ACTIVITIES WITHIN A CONTROLLER’S WEBSITES OR ONLINE APPLICATIONS;
(III) ADVERTISEMENTS DIRECTED TO A CONSUMER IN RESPONSE TO THE CONSUMER’S REQUEST FOR INFORMATION OR FEEDBACK; OR
(IV) PROCESSING PERSONAL DATA SOLELY TO MEASURE OR REPORT ADVERTISING FREQUENCY, PERFORMANCE, OR REACH.
(HH) (II) “THIRD PARTY” MEANS A PERSON OTHER THAN THE RELEVANT CONSUMER, CONTROLLER, PROCESSOR, OR AFFILIATE OF THE CONTROLLER OR PROCESSOR OF RELEVANT PERSONAL DATA.
(II) (JJ) (1) “TRADE SECRET” MEANS INFORMATION THAT:
(I) DERIVES INDEPENDENT ECONOMIC VALUE, ACTUAL OR POTENTIAL, FROM NOT BEING GENERALLY KNOWN TO, AND NOT BEING READILY ASCERTAINABLE BY PROPER MEANS BY, OTHER PERSONS WHO COULD OBTAIN ECONOMIC VALUE FROM THE INFORMATION’S DISCLOSURE OR USE; AND
(II) IS THE SUBJECT OF EFFORTS THAT ARE REASONABLE UNDER THE CIRCUMSTANCES TO MAINTAIN THE SECRECY OF THE INFORMATION.
(2) “TRADE SECRET” INCLUDES A FORMULA, PATTERN, COMPILATION, PROGRAM, DEVICE, METHOD, TECHNIQUE, OR PROCESS HAS THE MEANING STATED IN § 11–1201 OF THIS ARTICLE.

14–4602.

THIS SUBTITLE APPLIES TO A PERSON THAT:
(1) (I) CONDUCTS BUSINESS IN THE STATE; OR
(2) (I) (II) PRODUCES PROVIDES SERVICES OR PRODUCTS THAT ARE TARGETED TO RESIDENTS OF THE STATE; AND
(II) (2) DURING THE IMMEDIATELY PRECEDING CALENDAR YEAR:
1. (I) CONDUCTS BUSINESS IN THE STATE OR PROVIDES PRODUCTS OR SERVICES THAT ARE TARGETED TO RESIDENTS OF THE STATE, AND THAT DURING THE PRECEDING CALENDAR YEAR DID ANY OF THE FOLLOWING:
(1) CONTROLLED OR PROCESSED THE PERSONAL DATA OF AT LEAST 35,000 CONSUMERS, EXCLUDING PERSONAL DATA CONTROLLED OR PROCESSED SOLELY FOR THE PURPOSE OF COMPLETING A PAYMENT TRANSACTION; OR
2. (II) (2) CONTROLLED OR PROCESSED THE PERSONAL DATA OF AT LEAST 10,000 CONSUMERS AND DERIVED MORE THAN 20% OF ITS GROSS REVENUE FROM THE SALE OF PERSONAL DATA.

14–4603.
(A) THIS SUBTITLE DOES NOT APPLY TO:
(1) A REGULATORY, ADMINISTRATIVE, ADVISORY, EXECUTIVE, APPOINTIVE, LEGISLATIVE, OR JUDICIAL BODY OR INSTRUMENTALITY OF THE STATE, INCLUDING A BOARD, BUREAU, COMMISSION, OR UNIT OF THE STATE OR A POLITICAL SUBDIVISION OF THE STATE;
(2) A NATIONAL SECURITIES ASSOCIATION THAT IS REGISTERED UNDER § 15 OF THE FEDERAL SECURITIES EXCHANGE ACT OF 1934 OR A REGISTERED FUTURES ASSOCIATION DESIGNATED IN ACCORDANCE WITH § 17 OF THE FEDERAL COMMODITY EXCHANGE ACT; OR
(3) A FINANCIAL INSTITUTION OR, AN AFFILIATE OF A FINANCIAL INSTITUTION, OR DATA THAT IS SUBJECT TO TITLE V OF THE FEDERAL GRAMM–LEACH–BLILEY ACT AND REGULATIONS ADOPTED UNDER THAT ACT; OR
(4) A NONPROFIT CONTROLLER THAT PROCESSES OR SHARES PERSONAL DATA SOLELY FOR THE PURPOSES OF ASSISTING:
(I) LAW ENFORCEMENT AGENCIES IN INVESTIGATING CRIMINAL OR FRAUDULENT ACTS RELATING TO INSURANCE; OR
(II) FIRST RESPONDERS IN RESPONDING TO CATASTROPHIC EVENTS.
(B) THE FOLLOWING INFORMATION AND DATA ARE EXEMPT FROM THIS SUBTITLE:
(1) PROTECTED HEALTH INFORMATION UNDER HIPAA;
(2) PATIENT–IDENTIFYING INFORMATION FOR PURPOSES OF 42 U.S.C. § 290DD–2;
(3) IDENTIFIABLE PRIVATE INFORMATION THAT IS USED FOR PURPOSES OF THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS IN ACCORDANCE WITH 45 C.F.R. § 46;
(4) IDENTIFIABLE PRIVATE INFORMATION TO THE EXTENT THAT IT IS COLLECTED AND USED AS PART OF HUMAN SUBJECTS RESEARCH IN ACCORDANCE WITH THE ICH 36 GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR HARMONISATION OF TECHNICAL REQUIREMENTS FOR PHARMACEUTICALS FOR HUMAN USE OR THE PROTECTION OF HUMAN SUBJECTS UNDER 21 C.F.R. §§ 50 AND 56;
(5) PATIENT SAFETY WORK PRODUCT THAT IS CREATED AND USED FOR PURPOSES OF PATIENT SAFETY IMPROVEMENT IN ACCORDANCE WITH 42 C.F.R. § 3, ESTABLISHED IN ACCORDANCE WITH 42 U.S.C.
§§ 299B–21 THROUGH 299B–26;
(6) (I) INFORMATION TO THE EXTENT IT IS USED FOR PUBLIC HEALTH, COMMUNITY HEALTH, OR POPULATION HEALTH ACTIVITIES AND PURPOSES, AS AUTHORIZED BY HIPAA, WHEN PROVIDED BY OR TO A COVERED ENTITY OR WHEN PROVIDED BY OR TO A BUSINESS ASSOCIATE IN ACCORDANCE WITH THE BUSINESS ASSOCIATE AGREEMENT WITH A COVERED ENTITY;
(II) INFORMATION THAT IS A MEDICAL RECORD UNDER § 4–301 OF THE HEALTH – GENERAL ARTICLE IF:
1. THE INFORMATION IS HELD BY AN ENTITY THAT IS A COVERED ENTITY OR BUSINESS ASSOCIATE UNDER HIPAA BECAUSE IT COLLECTS, USES, OR DISCLOSES PROTECTED HEALTH INFORMATION; AND
2. THE ENTITY APPLIES THE SAME STANDARDS FOR THE COLLECTION, USE, AND DISCLOSURE OF THE INFORMATION AS REQUIRED FOR PROTECTED HEALTH INFORMATION UNDER HIPAA AND MEDICAL RECORDS UNDER § 4–301 OF THE HEALTH – GENERAL ARTICLE, INCLUDING SPECIFIC STANDARDS REGARDING LEGALLY PROTECTED HEALTH CARE; AND
(III) INFORMATION THAT IS DE–IDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DE–IDENTIFICATION SET FORTH IN 45 C.F.R. 164.514 THAT IS DERIVED FROM INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION AS DESCRIBED IN HIPAA OR PERSONAL INFORMATION CONSISTENT WITH THE HUMAN SUBJECT PROTECTION REQUIREMENTS OF THE U.S.
FOOD AND DRUG ADMINISTRATION;
(7) THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION, OR USE OF PERSONAL INFORMATION BEARING ON A CONSUMER’S CREDITWORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING BY A CONSUMER REPORTING AGENCY, FURNISHER, OR USER THAT PROVIDES INFORMATION FOR USE IN A CONSUMER REPORT, AND BY A USER OF A CONSUMER REPORT, BUT ONLY TO THE EXTENT THAT THE ACTIVITY IS REGULATED BY AND AUTHORIZED UNDER THE FEDERAL FAIR CREDIT REPORTING ACT;
(8) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED IN COMPLIANCE WITH THE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994;
(9) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT;
(10) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED IN COMPLIANCE WITH THE FEDERAL FARM CREDIT ACT;
(11) DATA PROCESSED OR MAINTAINED:
(I) IN THE COURSE OF AN INDIVIDUAL APPLYING TO, EMPLOYED BY, OR ACTING AS AN AGENT OR INDEPENDENT CONTRACTOR OF A CONTROLLER, PROCESSOR, OR THIRD PARTY, TO THE EXTENT THAT THE DATA IS COLLECTED AND USED WITHIN THE CONTEXT OF THE ROLE;
(II) AS THE EMERGENCY CONTACT INFORMATION OF A CONSUMER IF THE DATA IS USED FOR EMERGENCY CONTACT PURPOSES; OR
(III) THAT IS:
1. NECESSARY TO RETAIN TO ADMINISTER BENEFITS FOR ANOTHER INDIVIDUAL RELATING TO THE CONSUMER WHO IS THE SUBJECT OF THE INFORMATION UNDER ITEM (I) OF THIS ITEM; AND
2.
USED FOR THE PURPOSES OF ADMINISTERING THE BENEFITS; AND
(12) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED IN RELATION TO PRICE, ROUTE, OR SERVICE BY AN AIR CARRIER SUBJECT TO THE FEDERAL AIRLINE DEREGULATION ACT TO THE EXTENT THIS SUBTITLE IS PREEMPTED BY THE FEDERAL AIRLINE DEREGULATION ACT; AND
(13) PERSONAL DATA TO THE EXTENT IT IS COLLECTED FOR, PROVIDED TO, OR USED BY BY OR ON BEHALF OF A PERSON REGULATED UNDER THE INSURANCE ARTICLE OR AN AFFILIATE OF SUCH A PERSON, IN FURTHERANCE OF THE BUSINESS OF INSURANCE.
(C) CONTROLLERS AND PROCESSORS THAT COMPLY WITH THE VERIFIABLE PARENTAL CONSENT REQUIREMENTS OF COPPA SHALL BE CONSIDERED COMPLIANT WITH AN OBLIGATION TO OBTAIN PARENTAL CONSENT IN ACCORDANCE WITH THIS SUBTITLE WITH RESPECT TO A CONSUMER WHO IS A CHILD.

14–4604.

A PERSON MAY NOT:
(1) PROVIDE AN EMPLOYEE OR A CONTRACTOR ACCESS TO CONSUMER HEALTH DATA UNLESS THE:
(I) THE EMPLOYEE OR CONTRACTOR IS SUBJECT TO A CONTRACTUAL OR STATUTORY DUTY OF CONFIDENTIALITY; OR
(II) CONFIDENTIALITY IS REQUIRED AS A CONDITION OF EMPLOYMENT OF THE EMPLOYEE;
(2) PROVIDE A PROCESSOR ACCESS TO CONSUMER HEALTH DATA UNLESS THE PERSON PROVIDING ACCESS TO THE CONSUMER HEALTH DATA AND THE PROCESSOR COMPLY WITH § 14–4607 14–4608 OF THIS SUBTITLE; OR
(3) USE A GEOFENCE:
(I) TO IDENTIFY, TRACK, COLLECT DATA FROM, OR SEND A NOTIFICATION TO A CONSUMER REGARDING THE CONSUMER’S CONSUMER HEALTH DATA; AND
(II) WITHIN 1,750 FEET OF A MENTAL HEALTH FACILITY OR REPRODUCTIVE OR SEXUAL HEALTH FACILITY; OR
(4) SELL OR OFFER TO SELL CONSUMER HEALTH DATA WITHOUT THE CONSENT OF THE CONSUMER WHOSE HEALTH DATA IS TO BE SOLD OR OFFERED TO BE SOLD TO ESTABLISH A VIRTUAL BOUNDARY THAT IS WITHIN 1,750 FEET OF ANY MENTAL HEALTH FACILITY OR REPRODUCTIVE OR SEXUAL HEALTH FACILITY FOR THE PURPOSE OF IDENTIFYING, TRACKING, OR COLLECTING DATA
FROM, OR SENDING ANY NOTIFICATION TO A CONSUMER REGARDING THE CONSUMER’S CONSUMER HEALTH DATA.

14–4605.

(A) NOTHING IN THIS SECTION MAY BE CONSTRUED TO REQUIRE A CONTROLLER TO REVEAL A TRADE SECRET.
(B) A CONSUMER SHALL HAVE THE RIGHT TO:
(1) CONFIRM WHETHER A CONTROLLER IS PROCESSING THE CONSUMER’S PERSONAL DATA, UNLESS THAT CONFIRMATION WOULD REQUIRE THE DISCLOSURE OF A TRADE SECRET;
(2) IF A CONTROLLER IS PROCESSING A CONSUMER’S PERSONAL DATA, ACCESS THE CONSUMER’S PERSONAL DATA UNLESS THAT ACCESS WOULD REQUIRE THE DISCLOSURE OF A TRADE SECRET;
(3) CONSIDERING THE NATURE OF THE CONSUMER’S PERSONAL DATA AND THE PURPOSES OF THE PROCESSING OF THE PERSONAL DATA, CORRECT INACCURACIES IN THE CONSUMER’S PERSONAL DATA;
(4) REQUIRE A CONTROLLER TO DELETE PERSONAL DATA PROVIDED BY, OR OBTAINED ABOUT, THE CONSUMER UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW;
(5) IF THE PROCESSING OF PERSONAL DATA IS DONE BY AUTOMATIC MEANS, OBTAIN A COPY OF THE CONSUMER’S PERSONAL DATA PROCESSED BY THE CONTROLLER IN A PORTABLE AND, TO THE EXTENT TECHNICALLY FEASIBLE, READILY USABLE FORMAT THAT ALLOWS THE CONSUMER TO EASILY TRANSMIT THE DATA TO ANOTHER CONTROLLER WITHOUT HINDRANCE;
(6) OBTAIN A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED THE CONSUMER’S PERSONAL DATA OR A LIST OF THE CATEGORIES OF THIRD PARTIES TO WHICH THE CONTROLLER HAS DISCLOSED ANY CONSUMER’S PERSONAL DATA IF THE CONTROLLER DOES NOT MAINTAIN THIS INFORMATION IN A FORMAT SPECIFIC TO THE CONSUMER; AND
(7) OPT OUT OF THE PROCESSING OF PERSONAL DATA FOR PURPOSES OF:
(I) TARGETED ADVERTISING;
(II) THE SALE OF PERSONAL DATA; OR
(III) PROFILING IN FURTHERANCE OF SOLELY AUTOMATED DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS CONCERNING THE CONSUMER.
(C) (1) A CONTROLLER SHALL ESTABLISH A SECURE AND RELIABLE METHOD FOR A CONSUMER TO EXERCISE A CONSUMER RIGHT UNDER THIS SECTION.
(2) A CONSUMER MAY EXERCISE A CONSUMER RIGHT UNDER THIS SECTION BY THE METHOD ESTABLISHED BY THE CONTROLLER UNDER PARAGRAPH (1) OF THIS SUBSECTION.
(D) (1) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT IN ACCORDANCE WITH § 14–4606 OF THIS SUBTITLE TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA UNDER SUBSECTION (B)(7) OF THIS SECTION ON BEHALF OF A CONSUMER.
(2) A PARENT OR LEGAL GUARDIAN OF A CHILD MAY EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CHILD’S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA.
(3) A GUARDIAN OR CONSERVATOR OF A CONSUMER SUBJECT TO A GUARDIANSHIP, CONSERVATORSHIP, OR OTHER PROTECTIVE ARRANGEMENT MAY EXERCISE A CONSUMER RIGHT LISTED IN SUBSECTION (B) OF THIS SECTION ON THE CONSUMER’S BEHALF REGARDING THE PROCESSING OF PERSONAL DATA.
(E) (1) EXCEPT AS OTHERWISE PROVIDED IN THIS SUBTITLE, A CONTROLLER SHALL COMPLY WITH A REQUEST BY A CONSUMER TO EXERCISE A CONSUMER RIGHT LISTED IN THIS SECTION.
(2) (I) A CONTROLLER SHALL RESPOND TO A CONSUMER REQUEST NOT LATER THAN 45 DAYS AFTER THE CONTROLLER RECEIVES THE CONSUMER REQUEST.
(II) A CONTROLLER MAY EXTEND THE COMPLETION PERIOD BY AN ADDITIONAL 45 DAYS IF:
1. IT IS REASONABLY NECESSARY TO COMPLETE THE REQUEST BASED ON THE COMPLEXITY AND NUMBER OF THE CONSUMER’S REQUESTS; AND
2. THE CONTROLLER INFORMS THE CONSUMER OF THE EXTENSION AND THE REASON FOR THE EXTENSION WITHIN THE INITIAL 45–DAY RESPONSE PERIOD.
(III) A CONTROLLER SHALL NOTIFY THE CONSUMER WITHIN 30 DAYS AFTER COMPLYING WITH THE CONSUMER’S REQUEST THAT THE CONTROLLER HAS COMPLIED WITH THE CONSUMER’S REQUEST.
(3) IF A CONTROLLER DECLINES TO ACT REGARDING A CONSUMER’S REQUEST, THE CONTROLLER SHALL:
(I) INFORM THE CONSUMER WITHOUT UNDUE DELAY, BUT NOT LATER THAN 45 DAYS AFTER RECEIVING THE REQUEST, OF THE JUSTIFICATION FOR DECLINING TO ACT; AND
(II) PROVIDE INSTRUCTIONS FOR HOW TO APPEAL THE DECISION.
(4) (I) A CONTROLLER SHALL PROVIDE INFORMATION TO A CONSUMER IN RESPONSE TO A CONSUMER’S REQUEST TO EXERCISE RIGHTS UNDER THIS SUBTITLE FREE OF CHARGE ONCE DURING ANY 12–MONTH PERIOD.
(II) IF REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE, A CONTROLLER MAY:
1. CHARGE THE CONSUMER A REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING WITH THE REQUEST; OR
2. DECLINE TO ACT ON THE REQUEST.
(III) THE CONTROLLER HAS THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED, EXCESSIVE, TECHNICALLY INFEASIBLE, OR REPETITIVE NATURE OF THE REQUEST.
(5) IF A CONTROLLER IS UNABLE TO AUTHENTICATE A REQUEST TO EXERCISE A CONSUMER RIGHT AFFORDED UNDER SUBSECTION (B)(1) THROUGH (5) OF THIS SECTION USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER:
(I) MAY NOT BE REQUIRED TO COMPLY WITH A REQUEST TO INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION; AND
(II) SHALL PROVIDE NOTICE TO THE CONSUMER THAT THE CONTROLLER IS UNABLE TO AUTHENTICATE THE REQUEST TO EXERCISE THE RIGHT UNTIL THE CONSUMER PROVIDES ADDITIONAL INFORMATION REASONABLY NECESSARY TO AUTHENTICATE THE CONSUMER AND THE CONSUMER’S REQUEST TO EXERCISE THE CONSUMER’S RIGHTS.
(6) A CONTROLLER MAY NOT BE REQUIRED TO AUTHENTICATE AN OPT–OUT REQUEST.
(7) A CONTROLLER THAT HAS OBTAINED PERSONAL DATA ABOUT A CONSUMER FROM A SOURCE OTHER THAN THE CONSUMER SHALL BE CONSIDERED COMPLIANT WITH THE CONSUMER’S REQUEST TO DELETE THE CONSUMER’S DATA IN ACCORDANCE WITH SUBSECTION (B)(4) OF THIS SECTION BY RETAINING A RECORD OF THE DELETION REQUEST AND THE MINIMUM DATA NECESSARY FOR THE PURPOSE OF ENSURING THAT THE CONSUMER’S PERSONAL DATA:

(I) REMAINS DELETED FROM THE CONTROLLER’S RECORDS; AND

(II) IS NOT BEING USED FOR ANY OTHER PURPOSE.

(F) (1) A CONTROLLER SHALL ESTABLISH A PROCESS FOR A CONSUMER TO APPEAL THE CONTROLLER’S REFUSAL TO ACT ON A CONSUMER RIGHTS REQUEST WITHIN A REASONABLE PERIOD AFTER THE CONSUMER RECEIVES THE DECISION.

(2) THE APPEAL PROCESS SHALL BE:

(I) CONSPICUOUSLY AVAILABLE; AND

(II) SIMILAR TO THE PROCESS FOR SUBMITTING REQUESTS TO INITIATE AN ACTION IN ACCORDANCE WITH THIS SECTION.

(3) NOT LATER THAN 60 DAYS AFTER RECEIVING AN APPEAL, A CONTROLLER SHALL INFORM THE CONSUMER IN WRITING OF ANY ACTION TAKEN OR NOT TAKEN IN RESPONSE TO THE APPEAL, INCLUDING A WRITTEN EXPLANATION OF THE REASONS FOR THE DECISIONS.

(4) IF A CONTROLLER DENIES AN APPEAL, THE CONTROLLER SHALL PROVIDE THE CONSUMER WITH AN ONLINE MECHANISM, IF AVAILABLE, THROUGH WHICH THE CONSUMER MAY CONTACT THE DIVISION TO SUBMIT A COMPLAINT.

14–4606.

(A) (1) A CONSUMER MAY DESIGNATE AN INDIVIDUAL TO SERVE AS THE CONSUMER’S AUTHORIZED AGENT AND ACT ON THE CONSUMER’S BEHALF TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR ONE OR MORE OF THE PURPOSES SPECIFIED IN § 14–4605(B)(7) OF THIS SUBTITLE.

(2) A CONSUMER MAY DESIGNATE AN AUTHORIZED AGENT BY AN INTERNET LINK OR A BROWSER SETTING, BROWSER EXTENSION, GLOBAL DEVICE SETTING, OR OTHER SIMILAR TECHNOLOGY, INDICATING A CONSUMER’S INTENT TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA.
(B) A CONTROLLER SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM AN AUTHORIZED AGENT IF, USING COMMERCIALLY REASONABLE EFFORTS, THE CONTROLLER IS ABLE TO AUTHENTICATE:

(1) THE IDENTITY OF THE CONSUMER; AND

(2) THE AUTHORIZED AGENT’S AUTHORITY TO ACT ON THE CONSUMER’S BEHALF.

14–4607.

(A) A CONTROLLER MAY NOT:

(1) COLLECT PERSONAL DATA FOR THE SOLE PURPOSE OF CONTENT PERSONALIZATION OR MARKETING WITHOUT THE CONSENT OF THE CONSUMER WHOSE PERSONAL DATA IS COLLECTED;

(2) (1) EXCEPT WHERE THE COLLECTION OR PROCESSING IS STRICTLY NECESSARY TO PROVIDE OR MAINTAIN A SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE PERSONAL DATA PERTAINS AND UNLESS THE CONTROLLER OBTAINS THE CONSUMER’S CONSENT, COLLECT, PROCESS, OR SHARE SENSITIVE DATA CONCERNING A CONSUMER;

(3) (2) SELL SENSITIVE DATA;

(4) (3) PROCESS PERSONAL DATA IN VIOLATION OF STATE OR FEDERAL LAWS THAT PROHIBIT UNLAWFUL DISCRIMINATION;

(5) (4) PROCESS THE PERSONAL DATA OF A CONSUMER FOR THE PURPOSES OF TARGETED ADVERTISING IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 18 YEARS;

(6) (5) SELL THE PERSONAL DATA OF A CONSUMER WITHOUT THE CONSUMER’S CONSENT IF THE CONTROLLER KNEW OR SHOULD HAVE KNOWN THAT THE CONSUMER IS AT LEAST 13 YEARS OLD AND UNDER THE AGE OF 18 YEARS;

(7) (6) DISCRIMINATE AGAINST A CONSUMER FOR EXERCISING A CONSUMER RIGHT CONTAINED IN THIS SUBTITLE, INCLUDING DENYING GOODS OR SERVICES, CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, OR PROVIDING A DIFFERENT LEVEL OF QUALITY OF GOODS OR SERVICES TO THE CONSUMER;

(8) (7) COLLECT, PROCESS, OR TRANSFER PERSONAL DATA OR PUBLICLY AVAILABLE DATA IN A MANNER THAT UNLAWFULLY DISCRIMINATES IN OR OTHERWISE UNLAWFULLY MAKES UNAVAILABLE THE EQUAL ENJOYMENT OF GOODS OR SERVICES ON THE BASIS OF RACE, COLOR,
RELIGION, NATIONAL ORIGIN, SEX, SEXUAL ORIENTATION, GENDER IDENTITY, OR DISABILITY, UNLESS THE COLLECTION, PROCESSING, OR TRANSFER OF PERSONAL DATA IS FOR:

(I) THE CONTROLLER’S SELF–TESTING TO PREVENT OR MITIGATE UNLAWFUL DISCRIMINATION;

(II) THE CONTROLLER’S DIVERSIFYING OF AN APPLICANT, PARTICIPANT, OR CUSTOMER POOL; OR

(III) A PRIVATE CLUB OR GROUP NOT OPEN TO THE PUBLIC, AS DESCRIBED IN § 201(E) OF THE CIVIL RIGHTS ACT OF 1964; OR

(9) (8) UNLESS THE CONTROLLER OBTAINS THE CONSUMER’S CONSENT, PROCESS PERSONAL DATA FOR A PURPOSE THAT IS NEITHER REASONABLY NECESSARY TO, NOR COMPATIBLE WITH, THE DISCLOSED PURPOSES FOR WHICH THE PERSONAL DATA IS PROCESSED, AS DISCLOSED TO THE CONSUMER.

(B) (1) A CONTROLLER SHALL:

(I) LIMIT THE COLLECTION OF PERSONAL DATA TO WHAT IS REASONABLY NECESSARY AND PROPORTIONATE TO PROVIDE OR MAINTAIN A SPECIFIC PRODUCT OR SERVICE REQUESTED BY THE CONSUMER TO WHOM THE DATA PERTAINS;

(II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA APPROPRIATE TO THE VOLUME AND NATURE OF THE PERSONAL DATA AT ISSUE; AND

(III) PROVIDE AN EFFECTIVE MECHANISM FOR A CONSUMER TO REVOKE THE CONSUMER’S CONSENT UNDER THIS SECTION THAT IS AT LEAST AS EASY AS THE MECHANISM BY WHICH THE CONSUMER PROVIDED THE CONSUMER’S CONSENT.

(2) IF A CONSUMER REVOKES CONSENT UNDER THIS SECTION, THE CONTROLLER SHALL STOP PROCESSING THE CONSUMER’S PERSONAL DATA AS SOON AS PRACTICABLE, BUT NOT LATER THAN 15 30 DAYS AFTER RECEIVING THE REQUEST.
(C) NOTHING IN SUBSECTION (A) OR (B) OF THIS SECTION MAY BE CONSTRUED TO:

(1) REQUIRE A CONTROLLER TO PROVIDE A PRODUCT OR SERVICE THAT REQUIRES THE PERSONAL DATA OF A CONSUMER THAT THE CONTROLLER DOES NOT COLLECT OR MAINTAIN; OR

(2) PROHIBIT A CONTROLLER FROM OFFERING A DIFFERENT PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF GOODS OR SERVICES TO A CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFERING IS IN CONNECTION WITH A CONSUMER’S VOLUNTARY PARTICIPATION IN A BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, PROVIDED THAT THE SELLING OF PERSONAL DATA IS NOT A CONDITION OF PARTICIPATION IN THE PROGRAM.

(D) A CONTROLLER SHALL PROVIDE A CONSUMER WITH A REASONABLY ACCESSIBLE, CLEAR, AND MEANINGFUL PRIVACY NOTICE THAT INCLUDES:

(1) THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE CONTROLLER, INCLUDING SENSITIVE DATA;

(2) THE CONTROLLER’S PURPOSE FOR PROCESSING PERSONAL DATA;

(3) HOW A CONSUMER MAY EXERCISE THE CONSUMER’S RIGHTS UNDER THIS SUBTITLE, INCLUDING HOW A CONSUMER MAY APPEAL A CONTROLLER’S DECISION REGARDING THE CONSUMER’S REQUEST OR MAY REVOKE CONSENT;

(4) THE CATEGORIES OF THIRD PARTIES WITH WHICH THE CONTROLLER SHARES PERSONAL DATA WITH A LEVEL OF DETAIL THAT ENABLES A CONSUMER TO UNDERSTAND WHAT TYPE OF ENTITY EACH THIRD PARTY IS AND, TO THE EXTENT POSSIBLE, HOW EACH THIRD PARTY MAY PROCESS THE PERSONAL DATA THE TYPE OF, BUSINESS MODEL OF, OR PROCESSING CONDUCTED BY EACH THIRD PARTY;

(5) THE CATEGORIES OF PERSONAL DATA, INCLUDING SENSITIVE DATA, THAT THE CONTROLLER SHARES WITH THIRD PARTIES; AND

(6) AN ACTIVE E–MAIL ADDRESS OR OTHER ONLINE MECHANISM THAT A CONSUMER MAY USE TO CONTACT THE CONTROLLER.
(E) (1) IF A CONTROLLER SELLS PERSONAL DATA TO THIRD PARTIES OR PROCESSES PERSONAL DATA FOR TARGETED ADVERTISING OR FOR THE PURPOSES OF PROFILING THE CONSUMER IN FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT EFFECTS, THE CONTROLLER SHALL CLEARLY AND CONSPICUOUSLY DISCLOSE THE SALE OR PROCESSING, AS WELL AS THE MANNER IN WHICH A CONSUMER MAY EXERCISE THE RIGHT TO OPT OUT OF THE SALE OR PROCESSING.

(2) THE DISCLOSURE REQUIRED UNDER PARAGRAPH (1) OF THIS SUBSECTION SHALL BE PROMINENTLY DISPLAYED, AND USE CLEAR, EASY TO UNDERSTAND, AND UNAMBIGUOUS LANGUAGE, TO STATE WHETHER THE CONSUMER’S INFORMATION WILL BE SOLD OR SHARED WITH A THIRD PARTY.

(F) (1) THE PRIVACY NOTICE UNDER SUBSECTION (D) OF THIS SECTION SHALL ESTABLISH ONE OR MORE SECURE AND RELIABLE METHODS FOR A CONSUMER TO SUBMIT A REQUEST TO EXERCISE A CONSUMER RIGHT IN ACCORDANCE WITH THIS SUBTITLE THAT TAKE INTO ACCOUNT:

(I) THE WAYS IN WHICH CONSUMERS NORMALLY INTERACT WITH THE CONTROLLER;

(II) THE NEED FOR SECURE AND RELIABLE COMMUNICATION OF CONSUMER REQUESTS; AND

(III) THE ABILITY OF THE CONTROLLER TO VERIFY THE IDENTITY OF A CONSUMER MAKING THE REQUEST.

(2) (I) A CONTROLLER MAY NOT REQUIRE A CONSUMER TO CREATE A NEW ACCOUNT IN ORDER TO EXERCISE A CONSUMER RIGHT.

(II) A CONTROLLER MAY REQUIRE A CONSUMER TO USE AN EXISTING ACCOUNT TO EXERCISE A CONSUMER RIGHT.
(3) A CONTROLLER MAY UTILIZE THE FOLLOWING METHODS TO SATISFY PARAGRAPH (1) OF THIS SUBSECTION:

(I) PROVIDING A CLEAR AND CONSPICUOUS LINK ON THE CONTROLLER’S WEBSITE TO A WEBPAGE THAT ALLOWS A CONSUMER, OR AN AUTHORIZED AGENT OF THE CONSUMER, TO OPT OUT OF THE TARGETED ADVERTISING OR THE SALE OF THE CONSUMER’S PERSONAL DATA; OR

(II) ON OR BEFORE OCTOBER 1, 2025, ALLOWING A CONSUMER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR ANY SALE OF PERSONAL DATA, THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT, WITH THE CONSUMER’S CONSENT, BY A PLATFORM, TECHNOLOGY, OR MECHANISM TO THE CONTROLLER INDICATING THE CONSUMER’S INTENT TO OPT OUT OF THE PROCESSING OR SALE.

(4) A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION SHALL:

(I) BE CONSUMER–FRIENDLY AND EASY TO USE BY THE AVERAGE CONSUMER;

(II) USE CLEAR, EASY TO UNDERSTAND, AND UNAMBIGUOUS LANGUAGE;

(III) BE AS CONSISTENT AS POSSIBLE WITH ANY OTHER SIMILAR PLATFORM, TECHNOLOGY, OR MECHANISM REQUIRED BY ANY FEDERAL OR STATE LAW OR REGULATION;

(IV) ENABLE THE CONTROLLER TO REASONABLY DETERMINE WHETHER THE CONSUMER:

1. IS A RESIDENT OF THE STATE; AND

2. HAS MADE A LEGITIMATE REQUEST TO OPT OUT OF ANY SALE OF THE CONSUMER’S PERSONAL DATA OR TARGETED ADVERTISING; AND

(V) REQUIRE A CONSUMER TO MAKE AN AFFIRMATIVE, UNAMBIGUOUS, AND VOLUNTARY CHOICE IN ORDER TO OPT OUT OF ANY PROCESSING OF THE CONSUMER’S PERSONAL DATA.

(5) A PLATFORM, TECHNOLOGY, OR MECHANISM USED IN ACCORDANCE WITH PARAGRAPH (3) OF THIS SUBSECTION MAY NOT:

(I) UNFAIRLY DISADVANTAGE ANOTHER CONTROLLER; OR

(II) USE A DEFAULT SETTING TO OPT A CONSUMER OUT OF ANY PROCESSING OF THE CONSUMER’S PERSONAL DATA.
(G) (1) IF A CONSUMER’S DECISION TO OPT OUT OF THE PROCESSING OF THE CONSUMER’S PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING, OR THE SALE OF PERSONAL DATA THROUGH AN OPT–OUT PREFERENCE SIGNAL SENT IN ACCORDANCE WITH SUBSECTION (F)(3) OF THIS SECTION CONFLICTS WITH THE CONSUMER’S EXISTING CONTROLLER–SPECIFIC PRIVACY SETTING OR THE CONSUMER’S VOLUNTARY PARTICIPATION IN A CONTROLLER’S BONA FIDE LOYALTY, REWARDS, PREMIUM FEATURES, DISCOUNTS, OR CLUB CARD PROGRAM, THE CONTROLLER MAY NOTIFY THE CONSUMER OF A CONFLICT AND PROVIDE THE CHOICE TO CONFIRM CONTROLLER–SPECIFIC PRIVACY SETTINGS OR PARTICIPATION IN A PROGRAM LISTED IN THIS PARAGRAPH.

(2) A CONTROLLER THAT RECOGNIZES SIGNALS APPROVED BY OTHER STATES SHALL BE CONSIDERED IN COMPLIANCE WITH THIS SECTION.

14–4608.

(A) (1) IF A CONTROLLER USES A PROCESSOR TO PROCESS THE PERSONAL DATA OF CONSUMERS, THE CONTROLLER AND THE PROCESSOR SHALL ENTER INTO A CONTRACT THAT GOVERNS THE PROCESSOR’S DATA PROCESSING PROCEDURES WITH RESPECT TO PROCESSING PERFORMED ON BEHALF OF THE CONTROLLER.

(2) THE CONTRACT SHALL BE BINDING AND SHALL CLEARLY SET FORTH INSTRUCTIONS FOR:

(I) PROCESSING INSTRUCTIONS FOR PROCESSING DATA;

(II) THE NATURE AND PURPOSE OF PROCESSING;

(III) THE TYPE OF DATA SUBJECT TO PROCESSING;

(IV) THE DURATION OF PROCESSING; AND

(V) THE RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
(3) THE CONTRACT SHALL REQUIRE THAT THE PROCESSOR:

(I) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE PERSONAL DATA;

(II) ESTABLISH, IMPLEMENT, AND MAINTAIN REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL DATA SECURITY PRACTICES TO PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF PERSONAL DATA, CONSIDERING THE VOLUME AND NATURE OF THE PERSONAL DATA;

(III) STOP PROCESSING DATA ON REQUEST BY THE CONTROLLER MADE IN ACCORDANCE WITH A CONSUMER’S AUTHENTICATED REQUEST;

(IV) AT THE CONTROLLER’S DIRECTION, DELETE OR RETURN ALL PERSONAL DATA TO THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICE, UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW;

(V) ON THE REASONABLE REQUEST OF THE CONTROLLER, MAKE AVAILABLE TO THE CONTROLLER ALL INFORMATION IN THE PROCESSOR’S POSSESSION NECESSARY TO DEMONSTRATE THE PROCESSOR’S COMPLIANCE WITH THE OBLIGATIONS IN THIS SUBTITLE;

(VI) AFTER PROVIDING THE CONTROLLER AN OPPORTUNITY TO OBJECT, ENGAGE A SUBCONTRACTOR TO ASSIST WITH PROCESSING PERSONAL DATA ON THE CONTROLLER’S BEHALF ONLY IN ACCORDANCE WITH A WRITTEN CONTRACT THAT REQUIRES THE SUBCONTRACTOR TO MEET THE PROCESSOR’S OBLIGATIONS REGARDING THE PERSONAL DATA UNDER THE PROCESSOR’S CONTRACT WITH THE CONTROLLER; AND

(VII) ALLOW AND COOPERATE WITH REASONABLE ASSESSMENTS BY THE CONTROLLER, THE CONTROLLER’S DESIGNATED ASSESSOR, OR A QUALIFIED AND INDEPENDENT ASSESSOR ARRANGED FOR BY THE PROCESSOR TO ASSESS THE PROCESSOR’S POLICIES AND TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE OBLIGATIONS UNDER THIS SUBTITLE.

(4) (I) ON REQUEST, THE PROCESSOR SHALL PROVIDE A REPORT OF AN ASSESSMENT REQUIRED BY PARAGRAPH (3)(V) OF THIS SUBSECTION TO THE CONTROLLER.
(II) AN ASSESSMENT CONDUCTED IN ACCORDANCE WITH PARAGRAPH (3)(V) OF THIS SUBSECTION SHALL BE CONDUCTED USING AN APPROPRIATE AND ACCEPTED CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT PROCEDURE FOR THE ASSESSMENTS.

(B) (1) IF A CONTROLLER USES A PROCESSOR TO PROCESS THE PERSONAL DATA OF CONSUMERS, THE CONTROLLER SHALL PROVIDE THE PROCESSOR WITH INSTRUCTIONS ON HOW TO PROCESS PERSONAL DATA.

(2) A PROCESSOR SHALL:

(I) (1) ADHERE TO THE CONTRACT AND INSTRUCTIONS OF A CONTROLLER;

(II) (2) ASSIST THE CONTROLLER IN MEETING THE CONTROLLER’S OBLIGATIONS UNDER THIS SUBTITLE, INCLUDING, CONSIDERING THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR:

1. (I) BY APPROPRIATE TECHNICAL AND ORGANIZATIONAL MEASURES AS MUCH AS REASONABLY PRACTICABLE TO FULFILL THE CONTROLLER’S OBLIGATION TO RESPOND TO CONSUMER RIGHTS REQUESTS, CONSIDERING THE NATURE OF PROCESSING AND THE INFORMATION AVAILABLE TO THE PROCESSOR; AND

2. (II) BY ASSISTING THE CONTROLLER IN MEETING THE CONTROLLER’S OBLIGATIONS IN RELATION TO THE SECURITY OF PROCESSING THE PERSONAL DATA AND IN RELATION TO THE NOTIFICATION OF A BREACH OF THE SECURITY OF A SYSTEM, AS DEFINED IN § 14–3504 OF THIS TITLE; AND

(III) (3) PROVIDE NECESSARY INFORMATION TO ENABLE THE CONTROLLER TO CONDUCT AND DOCUMENT DATA PROTECTION ASSESSMENTS.

(C) NOTHING IN THIS SECTION MAY BE CONSTRUED TO RELIEVE A CONTROLLER OR A PROCESSOR FROM THE LIABILITIES IMPOSED ON THE CONTROLLER OR PROCESSOR BY VIRTUE OF THE CONTROLLER’S OR PROCESSOR’S ROLE IN THE PROCESSING RELATIONSHIP IN ACCORDANCE WITH THIS SECTION.

(D) (1) THE DETERMINATION OF WHETHER A PERSON IS ACTING AS A CONTROLLER OR A PROCESSOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT–BASED DETERMINATION THAT DEPENDS ON THE CONTEXT IN WHICH PERSONAL DATA IS BEING PROCESSED.
(2) A PERSON IS CONSIDERED TO BE A CONTROLLER IF THE PERSON:

(I) IS NOT LIMITED IN THE PERSON’S PROCESSING OF SPECIFIC PERSONAL DATA IN ACCORDANCE WITH A CONTROLLER’S INSTRUCTIONS; OR

(II) FAILS TO ADHERE TO A CONTROLLER’S INSTRUCTIONS WITH RESPECT TO A SPECIFIC PROCESSING OF PERSONAL DATA.

(3) A PROCESSOR THAT CONTINUES TO ADHERE TO A CONTROLLER’S INSTRUCTIONS WITH RESPECT TO A SPECIFIC PROCESSING OF PERSONAL DATA REMAINS A PROCESSOR.

(4) IF A PROCESSOR OR THIRD PARTY BEGINS, ALONE OR JOINTLY WITH OTHERS, DETERMINING THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA, THE PROCESSOR:

(I) IS A CONTROLLER WITH RESPECT TO THE PROCESSING; AND

(II) MAY BE SUBJECT TO AN ENFORCEMENT ACTION UNDER THIS SUBTITLE.

(E) NOTHING IN THIS SECTION MAY BE CONSTRUED TO ALTER A CONTROLLER’S OBLIGATION TO LIMIT A PERSON’S PROCESSING OF PERSONAL DATA OR TO TAKE STEPS TO ENSURE THAT A PROCESSOR ADHERES TO THE CONTROLLER’S INSTRUCTIONS.

14–4609.

(A) IF A THIRD PARTY USES OR SHARES A CONSUMER’S INFORMATION IN A MANNER INCONSISTENT WITH PROMISES MADE TO THE CONSUMER AT THE TIME OF COLLECTION OF THE INFORMATION, THE THIRD PARTY SHALL PROVIDE AN AFFECTED CONSUMER WITH NOTICE OF THE NEW OR CHANGED PRACTICE BEFORE IMPLEMENTING THE NEW OR CHANGED PRACTICE.

(B) THE NOTICE PROVIDED UNDER SUBSECTION (A) OF THIS SECTION SHALL BE PROVIDED IN A MANNER AND AT A TIME REASONABLY CALCULATED TO ALLOW A CONSUMER TO EXERCISE THE RIGHTS PROVIDED UNDER THIS SUBTITLE.

14–4610.
(A) IN THIS SECTION, “PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER” MEANS:

(1) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF TARGETED ADVERTISING;

(2) THE SALE OF PERSONAL DATA;

(3) THE PROCESSING OF SENSITIVE DATA; AND

(4) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES OF PROFILING, IN WHICH THE PROFILING PRESENTS A REASONABLY FORESEEABLE RISK OF:

(I) UNFAIR, ABUSIVE, OR DECEPTIVE TREATMENT OF A CONSUMER;

(II) HAVING AN UNLAWFUL DISPARATE IMPACT ON A CONSUMER;

(III) FINANCIAL, PHYSICAL, OR REPUTATIONAL INJURY TO A CONSUMER;

(IV) A PHYSICAL OR OTHER INTRUSION ON THE SOLITUDE OR SECLUSION OR THE PRIVATE AFFAIRS OR CONCERNS OF A CONSUMER IN WHICH THE INTRUSION WOULD BE OFFENSIVE TO A REASONABLE PERSON; OR

(V) OTHER SUBSTANTIAL INJURY TO A CONSUMER.

(B) A CONTROLLER SHALL CONDUCT AND DOCUMENT, ON A REGULAR BASIS, A DATA PROTECTION ASSESSMENT FOR EACH OF THE CONTROLLER’S PROCESSING ACTIVITIES THAT PRESENT A HEIGHTENED RISK OF HARM TO A CONSUMER, INCLUDING AN ASSESSMENT FOR EACH ALGORITHM THAT IS USED.

(C) (1) A DATA PROTECTION ASSESSMENT CONDUCTED IN ACCORDANCE WITH THIS SECTION SHALL IDENTIFY AND WEIGH THE BENEFITS THAT MAY FLOW DIRECTLY AND INDIRECTLY FROM THE PROCESSING TO THE CONTROLLER, THE CONSUMER, OTHER INTERESTED PARTIES, AND THE PUBLIC AGAINST:

(I) THE POTENTIAL RISKS TO THE RIGHTS OF THE CONSUMER ASSOCIATED WITH THE PROCESSING AS MITIGATED BY SAFEGUARDS THAT MAY BE EMPLOYED BY THE CONTROLLER TO REDUCE THESE RISKS; AND

(II) THE NECESSITY AND PROPORTIONALITY OF PROCESSING IN RELATION TO THE STATED PURPOSE OF THE PROCESSING.
(2) THE CONTROLLER SHALL FACTOR INTO A DATA PROTECTION ASSESSMENT:

(I) THE USE OF DE–IDENTIFIED DATA;

(II) THE REASONABLE EXPECTATIONS OF CONSUMERS;

(III) THE CONTEXT OF THE PROCESSING; AND

(IV) THE RELATIONSHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE PROCESSED.

(D) (1) THE DIVISION MAY REQUIRE THAT A CONTROLLER MAKE AVAILABLE TO THE DIVISION A DATA PROTECTION ASSESSMENT THAT IS RELEVANT TO AN INVESTIGATION CONDUCTED BY THE DIVISION.

(2) (I) THE DIVISION MAY EVALUATE A DATA PROTECTION ASSESSMENT FOR COMPLIANCE WITH THE RESPONSIBILITIES ESTABLISHED IN THIS SUBTITLE.

(II) A CONTROLLER’S DATA PROTECTION ASSESSMENT MAY BE USED IN AN ACTION TO ENFORCE THIS SUBTITLE.

(3) A DATA PROTECTION ASSESSMENT IS CONFIDENTIAL AND IS EXEMPT FROM DISCLOSURE UNDER THE FEDERAL FREEDOM OF INFORMATION ACT OR THE PUBLIC INFORMATION ACT.

(E) A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A COMPARABLE SET OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR ACTIVITIES.

(F) IF A CONTROLLER CONDUCTS A DATA PROTECTION ASSESSMENT FOR THE PURPOSE OF COMPLYING WITH ANOTHER APPLICABLE LAW OR REGULATION, THE DATA PROTECTION ASSESSMENT SHALL BE CONSIDERED TO SATISFY THE REQUIREMENTS ESTABLISHED IN THIS SECTION IF THE DATA PROTECTION ASSESSMENT IS REASONABLY SIMILAR IN SCOPE AND EFFECT TO THE DATA PROTECTION ASSESSMENT THAT WOULD OTHERWISE BE CONDUCTED IN ACCORDANCE WITH THIS SECTION.

(G) TO THE EXTENT THAT ANY INFORMATION CONTAINED IN A DATA PROTECTION ASSESSMENT DISCLOSED TO THE DIVISION INCLUDES INFORMATION SUBJECT TO ATTORNEY–CLIENT PRIVILEGE OR WORK PRODUCT PROTECTION, THE DISCLOSURE MAY NOT CONSTITUTE A WAIVER OF THAT PRIVILEGE OR PROTECTION.
(H) A DATA PROTECTION ASSESSMENT CONDUCTED UNDER THIS SECTION:

(1) SHALL APPLY TO PROCESSING ACTIVITIES THAT OCCUR ON OR AFTER OCTOBER 1, 2025; AND

(2) IS NOT REQUIRED FOR PROCESSING ACTIVITIES THAT OCCUR BEFORE OCTOBER 1, 2025.

14–4611.

(A) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR A PROCESSOR TO:

(1) RE–IDENTIFY DE–IDENTIFIED DATA;

(2) MAINTAIN DATA IN AN IDENTIFIABLE FORM; OR

(3) COLLECT, OBTAIN, RETAIN, OR ACCESS ANY DATA OR TECHNOLOGY IN ORDER TO BE CAPABLE OF ASSOCIATING AN AUTHENTICATED CONSUMER REQUEST WITH PERSONAL DATA.

(B) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO REQUIRE A CONTROLLER OR PROCESSOR TO COMPLY WITH AN AUTHENTICATED CONSUMER RIGHTS REQUEST IF THE CONTROLLER:

(1) IS NOT REASONABLY CAPABLE OF ASSOCIATING THE REQUEST WITH THE PERSONAL DATA OR IT WOULD BE UNREASONABLY BURDENSOME FOR THE CONTROLLER TO ASSOCIATE THE REQUEST WITH THE PERSONAL DATA;

(2) DOES NOT USE THE PERSONAL DATA TO RECOGNIZE OR RESPOND TO THE SPECIFIC CONSUMER WHO IS THE SUBJECT OF THE PERSONAL DATA OR ASSOCIATE THE PERSONAL DATA WITH OTHER PERSONAL DATA ABOUT THE SAME SPECIFIC CONSUMER; AND

(3) DOES NOT SELL THE PERSONAL DATA TO A THIRD PARTY OR OTHERWISE VOLUNTARILY DISCLOSE THE PERSONAL DATA TO A THIRD PARTY OTHER THAN A PROCESSOR, EXCEPT AS OTHERWISE ALLOWED IN THIS SUBTITLE.

(C) (1) A CONTROLLER THAT DISCLOSES DE–IDENTIFIED DATA SHALL:

(I) EXERCISE REASONABLE OVERSIGHT TO MONITOR COMPLIANCE WITH ANY CONTRACTUAL COMMITMENTS TO WHICH THE DE–IDENTIFIED DATA IS SUBJECT; AND

(II) TAKE APPROPRIATE STEPS TO ADDRESS ANY BREACHES OF ANY CONTRACTUAL COMMITMENTS.
(2) THE DETERMINATION OF WHETHER OVERSIGHT IS REASONABLE AND WHETHER APPROPRIATE STEPS WERE TAKEN IN ACCORDANCE WITH PARAGRAPH (1) OF THIS SUBSECTION SHALL TAKE INTO ACCOUNT WHETHER THE DISCLOSED DATA INCLUDES DATA THAT WOULD BE CONSIDERED SENSITIVE DATA IF THE DATA WERE RE–IDENTIFIED.

14–4612.

(A) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO RESTRICT A CONTROLLER’S OR PROCESSOR’S ABILITY TO:

(1) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS OR REGULATIONS;

(2) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS BY A FEDERAL, STATE, LOCAL, OR OTHER GOVERNMENTAL AUTHORITY COMPLY WITH A CIVIL OR CRIMINAL SUBPOENA OR SUMMONS BY A FEDERAL, STATE, LOCAL, OR OTHER JUDICIAL BODY, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS BY A FEDERAL, STATE, LOCAL, OR OTHER GOVERNMENTAL AUTHORITY;

(3) COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE CONTROLLER OR PROCESSOR REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAWS OR REGULATIONS;

(4) INVESTIGATE, ESTABLISH, EXERCISE, PREPARE FOR, OR DEFEND A LEGAL CLAIM;

(5) PROVIDE A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER;

(6) PERFORM UNDER A CONTRACT TO WHICH A CONSUMER IS A PARTY, INCLUDING FULFILLING THE TERMS OF A WRITTEN WARRANTY;

(7) TAKE STEPS AT THE REQUEST OF A CONSUMER BEFORE ENTERING INTO A CONTRACT;

(8) TAKE IMMEDIATE STEPS TO PROTECT AN INTEREST THAT IS ESSENTIAL FOR THE LIFE OR PHYSICAL SAFETY OF A CONSUMER OR ANOTHER INDIVIDUAL AND WHEN THE PROCESSING CANNOT BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS;

(9) PREVENT, DETECT, PROTECT AGAINST, INVESTIGATE, PROSECUTE THOSE RESPONSIBLE, OR OTHERWISE RESPOND TO A SECURITY INCIDENT, IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIVITY, OR ANY OTHER TYPE OF ILLEGAL ACTIVITY;
(10) PRESERVE THE INTEGRITY OR SECURITY OF SYSTEMS; OR

(11) ASSIST ANOTHER CONTROLLER, PROCESSOR, OR THIRD PARTY WITH AN OBLIGATION UNDER THIS SUBTITLE.

(B) (1) THIS SUBSECTION DOES NOT APPLY TO AN OBLIGATION REQUIRED UNDER § 14–4611 OF THIS SUBTITLE.

(2) AN OBLIGATION IMPOSED ON A CONTROLLER OR PROCESSOR UNDER THIS SUBTITLE MAY NOT RESTRICT A CONTROLLER’S OR PROCESSOR’S ABILITY TO COLLECT, USE, OR RETAIN PERSONAL DATA FOR INTERNAL USE TO:

(I) EFFECTUATE A PRODUCT RECALL;

(II) IDENTIFY AND REPAIR TECHNICAL ERRORS THAT IMPAIR EXISTING OR INTENDED FUNCTIONALITY; OR

(III) PERFORM INTERNAL OPERATIONS THAT ARE:

1. REASONABLY ALIGNED WITH THE EXPECTATIONS OF THE CONSUMER OR CAN BE REASONABLY ANTICIPATED BASED ON THE CONSUMER’S EXISTING RELATIONSHIP WITH THE CONTROLLER; OR

2. OTHERWISE COMPATIBLE WITH PROCESSING DATA IN FURTHERANCE OF:

A. THE PROVISION OF A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A CONSUMER; OR

B. THE PERFORMANCE OF A CONTRACT TO WHICH THE CONSUMER IS A PARTY.

(C) (1) AN OBLIGATION IMPOSED ON A CONTROLLER OR A PROCESSOR UNDER THIS SUBTITLE DOES NOT APPLY WHEN COMPLIANCE BY THE CONTROLLER OR PROCESSOR WITH THE SUBTITLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER STATE LAW.

(2) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL DATA CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVILEGE UNDER STATE LAW AS PART OF A PRIVILEGED COMMUNICATION.
(D) (1) A CONTROLLER OR PROCESSOR THAT DISCLOSES PERSONAL DATA TO A PROCESSOR OR A THIRD–PARTY CONTROLLER IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE IF THE PROCESSOR OR THIRD–PARTY CONTROLLER THAT RECEIVES THE PERSONAL DATA VIOLATES THIS SUBTITLE AND,:

(I) AT THE TIME THE DISCLOSING CONTROLLER OR PROCESSOR DISCLOSED THE PERSONAL DATA, THE DISCLOSING CONTROLLER OR PROCESSOR DID NOT HAVE ACTUAL KNOWLEDGE THAT THE RECEIVING PROCESSOR OR THIRD–PARTY CONTROLLER WOULD VIOLATE THIS SUBTITLE; AND

(II) THE DISCLOSING CONTROLLER WAS, AND REMAINED, IN COMPLIANCE WITH ITS OBLIGATIONS AS THE DISCLOSER OF THE PERSONAL DATA.

(2) A THIRD–PARTY CONTROLLER OR PROCESSOR THAT RECEIVES PERSONAL DATA FROM A CONTROLLER OR PROCESSOR IN COMPLIANCE WITH THIS SUBTITLE IS NOT IN VIOLATION OF THIS SUBTITLE FOR THE INDEPENDENT MISCONDUCT OF THE CONTROLLER OR PROCESSOR FROM WHICH THE THIRD–PARTY CONTROLLER OR PROCESSOR RECEIVED THE PERSONAL DATA.

(E) NOTHING IN THIS SUBTITLE MAY BE CONSTRUED TO:

(1) IMPOSE AN OBLIGATION ON A CONTROLLER OR A PROCESSOR THAT ADVERSELY AFFECTS THE RIGHTS OR FREEDOMS OF ANY PERSON, INCLUDING THE RIGHTS OF A PERSON TO FREEDOM OF SPEECH OR FREEDOM OF THE PRESS AS GUARANTEED IN THE FIRST AMENDMENT TO THE U.S. CONSTITUTION; OR

(2) APPLY TO A PERSON’S PROCESSING OF PERSONAL DATA DURING THE PERSON’S PERSONAL OR HOUSEHOLD ACTIVITIES.

(F) IF A CONTROLLER OR PROCESSOR PROCESSES PERSONAL DATA IN ACCORDANCE WITH AN EXEMPTION UNDER THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL DEMONSTRATE THAT THE PROCESSING:

(1) QUALIFIES FOR AN EXEMPTION; AND

(2) COMPLIES WITH THE REQUIREMENTS OF SUBSECTION (G) OF THIS SECTION.
(G) PERSONAL DATA PROCESSED BY A CONTROLLER OR PROCESSOR IN ACCORDANCE WITH THIS SECTION:

(1) SHALL BE SUBJECT TO REASONABLE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL MEASURES TO:

(I) PROTECT THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF THE PERSONAL DATA; AND

(II) REDUCE REASONABLY FORESEEABLE RISKS OF HARM TO CONSUMERS RELATING TO THE COLLECTION, USE, OR RETENTION OF PERSONAL DATA; AND

(2) MAY BE PROCESSED TO THE EXTENT THAT THE PROCESSING IS:

(I) REASONABLY NECESSARY AND PROPORTIONATE TO THE PURPOSES LISTED IN THIS SECTION; AND

(II) ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS NECESSARY IN RELATION TO THE SPECIFIC PURPOSES LISTED IN THIS SECTION.

(H) A PERSON THAT PROCESSES PERSONAL DATA FOR A PURPOSE EXPRESSLY IDENTIFIED IN THIS SECTION MAY NOT BE CONSIDERED A CONTROLLER SOLELY BASED ON THE PROCESSING OF PERSONAL DATA.

14–4613.

(A) EXCEPT AS PROVIDED IN SUBSECTION (B) OF THIS SECTION, A VIOLATION OF THIS SUBTITLE IS:

(1) AN UNFAIR, ABUSIVE, OR DECEPTIVE TRADE PRACTICE WITHIN THE MEANING OF TITLE 13 OF THIS ARTICLE; AND

(2) SUBJECT TO THE ENFORCEMENT AND PENALTY PROVISIONS CONTAINED IN TITLE 13 OF THIS ARTICLE, EXCEPT FOR § 13–408 OF THIS ARTICLE.

(B) THIS SECTION DOES NOT PREVENT A CONSUMER FROM PURSUING ANY OTHER REMEDY PROVIDED BY LAW.

14–4614.

(A) THIS SECTION APPLIES TO AN ENFORCEMENT ACTION UNDER § 14–4613 OF THIS SUBTITLE FOR AN ALLEGED VIOLATION THAT OCCURS ON OR BEFORE APRIL 1, 2027.

(B) BEFORE INITIATING ANY ACTION UNDER § 14–4613 OF THIS SUBTITLE, THE DIVISION MAY ISSUE A NOTICE OF VIOLATION TO THE CONTROLLER OR PROCESSOR IF THE DIVISION DETERMINES THAT A CURE IS POSSIBLE.

(C) (1) IF THE DIVISION ISSUES A NOTICE OF VIOLATION UNDER SUBSECTION (B) OF THIS SECTION, THE CONTROLLER OR PROCESSOR SHALL HAVE AT LEAST 60 DAYS TO CURE THE VIOLATION AFTER RECEIPT OF THE NOTICE.
(2) IF THE CONTROLLER OR PROCESSOR FAILS TO CURE THE VIOLATION WITHIN THE TIME PERIOD SPECIFIED BY THE DIVISION, THE DIVISION MAY BRING AN ENFORCEMENT ACTION UNDER § 14–4613 OF THIS SUBTITLE.

(D) IN DETERMINING WHETHER TO GRANT A CONTROLLER OR PROCESSOR AN OPPORTUNITY TO CURE AN ALLEGED VIOLATION, THE DIVISION MAY CONSIDER THE FOLLOWING FACTORS:

(1) THE NUMBER OF VIOLATIONS;

(2) THE SIZE AND COMPLEXITY OF THE CONTROLLER OR PROCESSOR;

(3) THE NATURE AND EXTENT OF THE CONTROLLER’S OR PROCESSOR’S PROCESSING ACTIVITIES;

(4) THE LIKELIHOOD OF INJURY TO THE PUBLIC;

(5) THE SAFETY OF PERSONS OR PROPERTY;

(6) WHETHER THE ALLEGED VIOLATION WAS LIKELY CAUSED BY A HUMAN OR TECHNICAL ERROR; AND

(7) THE EXTENT TO WHICH THE CONTROLLER OR PROCESSOR HAS VIOLATED THIS SUBTITLE OR SIMILAR LAWS IN THE PAST.

SECTION 2. AND BE IT FURTHER ENACTED, That § 14–4612 of the Commercial Law Article, as enacted by Section 1 of this Act, shall be construed to apply only prospectively and may not be applied or interpreted to have any effect on or application to any personal data processing activities before April 1, 2025 2026.

SECTION 3. AND BE IT FURTHER ENACTED, That, if any provision of this Act or the application thereof to any person or circumstance is held invalid for any reason in a court of competent jurisdiction, the invalidity does not affect other provisions or any other application of this Act that can be given effect without the invalid provision or application, and for this purpose the provisions of this Act are declared severable.

SECTION 4. AND BE IT FURTHER ENACTED, That this Act shall take effect October 1, 2024 2025.

Approved:

________________________________________________________________________________ Governor.

________________________________________________________________________________ President of the Senate.
________________________________________________________________________________ Speaker of the House of Delegates.