New Mexico 2025 Regular Session

New Mexico House Bill HB410 Compare Versions

Only one version of the bill is available at this time.
underscored material = new
[bracketed material] = delete
HOUSE BILL 410

57TH LEGISLATURE - STATE OF NEW MEXICO - FIRST SESSION, 2025

INTRODUCED BY

Linda Serrato

AN ACT

RELATING TO DATA; ENACTING THE CONSUMER INFORMATION AND DATA PROTECTION ACT; PROVIDING PROCESSES FOR THE COLLECTION AND PROTECTION OF DATA; PROVIDING EXCEPTIONS; PROVIDING INVESTIGATIVE AUTHORITY; PROVIDING CIVIL PENALTIES.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

SECTION 1. [NEW MATERIAL] SHORT TITLE.--This act may be cited as the "Consumer Information and Data Protection Act".

SECTION 2. [NEW MATERIAL] DEFINITIONS.--As used in the Consumer Information and Data Protection Act:

A. "affiliate" means a legal entity that shares common branding with another legal entity or controls, is controlled by or is under common control with another legal entity. For the purposes of this subsection, "control" and "controlled" mean:
6363 .230052.1ms underscored material = new
6464 [bracketed material] = delete
6565 1
6666 2
6767 3
6868 4
6969 5
7070 6
7171 7
7272 8
7373 9
7474 10
7575 11
7676 12
7777 13
7878 14
7979 15
8080 16
8181 17
8282 18
8383 19
8484 20
8585 21
8686 22
8787 23
8888 24
8989 25
(1) ownership of, or the power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company;

(2) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

(3) the power to exercise controlling influence over the management of a company;

B. "authenticate" means to use reasonable means to determine that a request to exercise any of the rights afforded under Section 3 of the Consumer Information and Data Protection Act is being made by, or on behalf of, the consumer who is entitled to exercise such consumer rights with respect to the personal data at issue;

C. "biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual. "Biometric data" does not include:

(1) a digital or physical photograph;

(2) an audio or video recording; or

(3) any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual;
115115 .230052.1ms
116116 - 2 - underscored material = new
117117 [bracketed material] = delete
118118 1
119119 2
120120 3
121121 4
122122 5
123123 6
124124 7
125125 8
126126 9
127127 10
128128 11
129129 12
130130 13
131131 14
132132 15
133133 16
134134 17
135135 18
136136 19
137137 20
138138 21
139139 22
140140 23
141141 24
142142 25
D. "business associate" has the same meaning as provided in HIPAA;

E. "child" means a person under the age of thirteen;

F. "consent" means a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. "Consent" may include a written statement, including by electronic means, or any other unambiguous affirmative action. "Consent" does not include:

(1) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;

(2) hovering over, muting, pausing or closing a given piece of content; or

(3) agreement obtained through the use of dark patterns;

G. "consumer" means an individual who is a resident of this state. "Consumer" does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or
168168 .230052.1ms
169169 - 3 - underscored material = new
170170 [bracketed material] = delete
171171 1
172172 2
173173 3
174174 4
175175 5
176176 6
177177 7
178178 8
179179 9
180180 10
181181 11
182182 12
183183 13
184184 14
185185 15
186186 16
187187 17
188188 18
189189 19
190190 20
191191 21
192192 22
193193 23
194194 24
195195 25
government agency;

H. "consumer health data" means any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data;

I. "controller" means a person who, alone or jointly with others, determines the purpose and means of processing personal data;

J. "covered entity" has the same meaning as provided in HIPAA;

K. "dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making or choice and includes any practice the federal trade commission refers to as a "dark pattern";

L. "decisions that produce legal or similarly significant effects concerning the consumer" means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services or access to essential goods or services;

M. "de-identified data" means data that cannot reasonably be used to infer information about, or otherwise be
221221 .230052.1ms
222222 - 4 - underscored material = new
223223 [bracketed material] = delete
224224 1
225225 2
226226 3
227227 4
228228 5
229229 6
230230 7
231231 8
232232 9
233233 10
234234 11
235235 12
236236 13
237237 14
238238 15
239239 16
240240 17
241241 18
242242 19
243243 20
244244 21
245245 22
246246 23
247247 24
248248 25
linked to, an identified or identifiable individual, or a device linked to such individual, if the controller that possesses such data:

(1) takes reasonable measures to ensure that such data cannot be associated with an individual;

(2) publicly commits to process such data only in a de-identified fashion and not attempt to re-identify such data; and

(3) contractually obligates any recipients of such data to satisfy the criteria set forth in Paragraphs (1) and (2) of this subsection;

N. "geofence" means any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data or any other form of location detection, or any combination of such coordinates, connectivity, data, identification or other form of location detection, to establish a virtual boundary;

O. "HIPAA" means the federal Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et seq.;

P. "identified or identifiable individual" means an individual who can be readily identified, directly or indirectly;

Q. "institution of higher education" means any
274274 .230052.1ms
275275 - 5 - underscored material = new
276276 [bracketed material] = delete
277277 1
278278 2
279279 3
280280 4
281281 5
282282 6
283283 7
284284 8
285285 9
286286 10
287287 11
288288 12
289289 13
290290 14
291291 15
292292 16
293293 17
294294 18
295295 19
296296 20
297297 21
298298 22
299299 23
300300 24
301301 25
individual who, or school, board, association, limited liability company or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees;

R. "mental health facility" means any health care facility in which at least seventy percent of the health care services provided in such facility are mental health services;

S. "nonprofit organization" means any organization that is exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding Internal Revenue Code of the United States, as amended from time to time;

T. "person" means an individual, association, company, limited liability company, corporation, partnership, sole proprietorship, trust or other legal entity;

U. "personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual. "Personal data" does not include de-identified data or publicly available information;

V. "precise geolocation data" means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet. "Precise geolocation data" does not
327327 .230052.1ms
328328 - 6 - underscored material = new
329329 [bracketed material] = delete
330330 1
331331 2
332332 3
333333 4
334334 5
335335 6
336336 7
337337 8
338338 9
339339 10
340340 11
341341 12
342342 13
343343 14
344344 15
345345 16
346346 17
347347 18
348348 19
349349 20
350350 21
351351 22
352352 23
353353 24
354354 25
include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility;

W. "process" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data;

X. "processor" means a person who processes personal data on behalf of a controller;

Y. "profiling" means any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

Z. "protected health information" has the same meaning as provided in HIPAA;

AA. "pseudonymous data" means personal data that cannot be attributed to a specific individual without the use of additional information; provided that such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual;
380380 .230052.1ms
381381 - 7 - underscored material = new
382382 [bracketed material] = delete
383383 1
384384 2
385385 3
386386 4
387387 5
388388 6
389389 7
390390 8
391391 9
392392 10
393393 11
394394 12
395395 13
396396 14
397397 15
398398 16
399399 17
400400 18
401401 19
402402 20
403403 21
404404 22
405405 23
406406 24
407407 25
BB. "publicly available information" means information that:

(1) is lawfully made available through federal, state or municipal government records or widely distributed media; and

(2) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public;

CC. "reproductive or sexual health care" means any health care-related services or products rendered or provided concerning a consumer's reproductive system or sexual well-being, including any such service or product rendered or provided concerning:

(1) an individual health condition, status, disease, diagnosis, diagnostic test or treatment;

(2) a social, psychological, behavioral or medical intervention;

(3) a surgery or procedure, including an abortion;

(4) a use or purchase of a medication, including, but not limited to, a medication used or purchased for the purposes of an abortion;

(5) a bodily function, vital sign or symptom;

(6) a measurement of a bodily function, vital sign or symptom; or
433433 .230052.1ms
434434 - 8 - underscored material = new
435435 [bracketed material] = delete
436436 1
437437 2
438438 3
439439 4
440440 5
441441 6
442442 7
443443 8
444444 9
445445 10
446446 11
447447 12
448448 13
449449 14
450450 15
451451 16
452452 17
453453 18
454454 19
455455 20
456456 21
457457 22
458458 23
459459 24
460460 25
(7) an abortion, including medical or nonmedical services, products, diagnostics, counseling or follow-up services for an abortion;

DD. "reproductive or sexual health facility" means any health care facility in which at least seventy percent of the health care-related services or products rendered or provided in such facility are reproductive or sexual health care;

EE. "sale of personal data" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. "Sale of personal data" does not include:

(1) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;

(2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;

(3) the disclosure or transfer of personal data to an affiliate of the controller;

(4) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;

(5) the disclosure of personal data that the
486486 .230052.1ms
487487 - 9 - underscored material = new
488488 [bracketed material] = delete
489489 1
490490 2
491491 3
492492 4
493493 5
494494 6
495495 7
496496 8
497497 9
498498 10
499499 11
500500 12
501501 13
502502 14
503503 15
504504 16
505505 17
506506 18
507507 19
508508 20
509509 21
510510 22
511511 23
512512 24
513513 25
consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience; or

(6) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller's assets;

FF. "sensitive data" means personal data that includes:

(1) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status;

(2) consumer health data;

(3) the processing of genetic or biometric data for the purpose of uniquely identifying an individual;

(4) personal data collected from a known child;

(5) data concerning an individual's status as a victim of crime; or

(6) precise geolocation data;

GG. "targeted advertising" means displaying advertisements to a consumer where the advertisement is
539539 .230052.1ms
540540 - 10 - underscored material = new
541541 [bracketed material] = delete
542542 1
543543 2
544544 3
545545 4
546546 5
547547 6
548548 7
549549 8
550550 9
551551 10
552552 11
553553 12
554554 13
555555 14
556556 15
557557 16
558558 17
559559 18
560560 19
561561 20
562562 21
563563 22
564564 23
565565 24
566566 25
selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated internet websites or online applications to predict such consumer's preferences or interests. "Targeted advertising" does not include:

(1) advertisements based on activities within a controller's own internet website or online applications;

(2) advertisements based on the context of a consumer's current search query, visit to an internet website or online application;

(3) advertisements directed to a consumer in response to the consumer's request for information or feedback; or

(4) processing personal data solely to measure or report advertising frequency, performance or reach; and

HH. "third party" means a person, such as a public authority, agency or body, other than the consumer, controller or processor or an affiliate of the processor or the controller.

SECTION 3. [NEW MATERIAL] SCOPE OF ACT--EXEMPTIONS.--

A. The Consumer Information and Data Protection Act applies to persons that conduct business in this state and persons that produce products or services that are targeted to residents of this state.

B. No person shall:
592592 .230052.1ms
593593 - 11 - underscored material = new
594594 [bracketed material] = delete
595595 1
596596 2
597597 3
598598 4
599599 5
600600 6
601601 7
602602 8
603603 9
604604 10
605605 11
606606 12
607607 13
608608 14
609609 15
610610 16
611611 17
612612 18
613613 19
614614 20
615615 21
616616 22
617617 23
618618 24
619619 25
(1) provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;

(2) provide any processor with access to consumer health data unless such person and processor comply with Section 6 of the Consumer Information and Data Protection Act;

(3) use a geofence to establish a virtual boundary that is within one thousand seven hundred fifty feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer's consumer health data; or

(4) sell, or offer to sell, consumer health data without first obtaining the consumer's consent.

C. The provisions of the Consumer Information and Data Protection Act shall not apply to any:

(1) body, authority, board, bureau, commission, district or agency of the state or of any political subdivision of the state;

(2) financial institution or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);

(3) covered entity or business associate
645645 .230052.1ms
646646 - 12 - underscored material = new
647647 [bracketed material] = delete
648648 1
649649 2
650650 3
651651 4
652652 5
653653 6
654654 7
655655 8
656656 9
657657 10
658658 11
659659 12
660660 13
661661 14
662662 15
663663 16
664664 17
665665 18
666666 19
667667 20
668668 21
669669 22
670670 23
671671 24
672672 25
governed by the privacy, security and breach notification rules issued by the federal department of health and human services, 45 C.F.R. Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for Economic and Clinical Health Act (P.L. 111-5);

(4) nonprofit organization; or

(5) institution of higher education.

D. The following information and data are exempt from the Consumer Information and Data Protection Act:

(1) protected health information under HIPAA;

(2) patient identifying information for purposes of 42 U.S.C. Section 290dd-2;

(3) identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonization of technical requirements for pharmaceuticals for human use; the protection of human subjects under 21 C.F.R. Parts 6, 50 and 56; or personal data used or shared in research conducted in accordance with the requirements set forth in the Consumer Information and Data Protection Act or other research conducted in accordance with applicable law;

(4) information and documents created for
698698 .230052.1ms
699699 - 13 - underscored material = new
700700 [bracketed material] = delete
701701 1
702702 2
703703 3
704704 4
705705 5
706706 6
707707 7
708708 8
709709 9
710710 10
711711 11
712712 12
713713 13
714714 14
715715 15
716716 16
717717 17
718718 18
719719 19
720720 20
721721 21
722722 22
723723 23
724724 24
725725 25
purposes of the federal Health Care Quality Improvement Act of 1986 (42 U.S.C. Section 11101 et seq.);

(5) patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act of 2005 (42 U.S.C. Section 299b-21 et seq.);

(6) information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA;

(7) information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as information exempt under this subsection that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. Section 290dd-2;

(8) information used only for public health activities and purposes as authorized by HIPAA;

(9) the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report and by a user of a consumer report but only to the extent that such activity is regulated by and authorized
751751 .230052.1ms
752752 - 14 - underscored material = new
753753 [bracketed material] = delete
754754 1
755755 2
756756 3
757757 4
758758 5
759759 6
760760 7
761761 8
762762 9
763763 10
764764 11
765765 12
766766 13
767767 14
768768 15
769769 16
770770 17
771771 18
772772 19
773773 20
774774 21
775775 22
776776 23
777777 24
778778 25
under the federal Fair Credit Reporting Act (15 U.S.C. Section 1681 et seq.);

(10) personal data collected, processed, sold or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. Section 2721 et seq.);

(11) personal data regulated by the federal Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Section 1232g et seq.);

(12) personal data collected, processed, sold or disclosed in compliance with the federal Farm Credit Act of 1971 (12 U.S.C. Section 2001 et seq.); and

(13) data processed or maintained:

(a) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role;

(b) as the emergency contact information of an individual under the Consumer Information and Data Protection Act used for emergency contact purposes; or

(c) that is necessary to retain to administer benefits for another individual relating to the individual under Subparagraph (a) of this paragraph and used for the purposes of administering those benefits.

SECTION 4. [NEW MATERIAL] CONSUMER RIGHTS.--
804804 .230052.1ms
805805 - 15 - underscored material = new
806806 [bracketed material] = delete
807807 1
808808 2
809809 3
810810 4
811811 5
812812 6
813813 7
814814 8
815815 9
816816 10
817817 11
818818 12
819819 13
820820 14
821821 15
822822 16
823823 17
824824 18
825825 19
826826 20
827827 21
828828 22
829829 23
830830 24
831831 25
A. A consumer may invoke the consumer rights authorized pursuant to this section at any time by submitting a request to a controller specifying the consumer rights the consumer wishes to invoke. A known child's parent or legal guardian may invoke such consumer rights on behalf of the child regarding processing personal data belonging to the known child. A controller shall comply with an authenticated consumer request to exercise the right:

(1) to confirm whether or not a controller is processing the consumer's personal data and to access such personal data;

(2) to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;

(3) to delete personal data provided by or obtained about the consumer;

(4) to obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and

(5) to opt out of the processing of the personal data for purposes of targeted advertising, the sale of
857857 .230052.1ms
858858 - 16 - underscored material = new
859859 [bracketed material] = delete
860860 1
861861 2
862862 3
863863 4
864864 5
865865 6
866866 7
867867 8
868868 9
869869 10
870870 11
871871 12
872872 13
873873 14
874874 15
875875 16
876876 17
877877 18
878878 19
879879 20
880880 21
881881 22
882882 23
883883 24
884884 25
personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

B. A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller's privacy notice. In the case of processing personal data of a known child, the parent or legal guardian may exercise such consumer rights on the child's behalf. In the case of processing personal data concerning a consumer subject to a guardianship, conservatorship or other protective arrangement, the guardian or the conservator of the consumer may exercise such rights on the consumer's behalf.

C. Except as otherwise provided in the Consumer Information and Data Protection Act, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to Subsection A of this section as follows:

(1) a controller shall respond to the consumer without undue delay, but in all cases within forty-five days of receipt of the request submitted pursuant to the methods described in Subsection A of this section. The response period may be extended once by forty-five additional days when reasonably necessary, taking into account the complexity and number of the consumer's requests, so long as the controller informs the consumer of any such extension within the initial
910910 .230052.1ms
911911 - 17 - underscored material = new
912912 [bracketed material] = delete
913913 1
914914 2
915915 3
916916 4
917917 5
918918 6
919919 7
920920 8
921921 9
922922 10
923923 11
924924 12
925925 13
926926 14
927927 15
928928 16
929929 17
930930 18
931931 19
932932 20
933933 21
934934 22
935935 23
936936 24
937937 25
forty-five-day response period, together with the reason for the extension;

(2) if a controller declines to take action regarding the consumer's request, the controller shall inform the consumer without undue delay, but in all cases and at the latest within forty-five days of receipt of the request, of the justification for declining to take action and instructions for how to appeal the decision pursuant to Subsection D of this section;

(3) information provided in response to a consumer request shall be provided by a controller free of charge, up to twice annually per consumer. If requests from a consumer are manifestly unfounded, excessive or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive or repetitive nature of the request;

(4) if a controller is unable to authenticate the request using commercially reasonable efforts, the controller shall not be required to comply with a request to initiate an action under Subsection A of this section and may request that the consumer provide additional information reasonably necessary to authenticate the consumer and the consumer's request; and
963963 .230052.1ms
964964 - 18 - underscored material = new
965965 [bracketed material] = delete
966966 1
967967 2
968968 3
969969 4
970970 5
971971 6
972972 7
973973 8
974974 9
975975 10
976976 11
977977 12
978978 13
979979 14
980980 15
981981 16
982982 17
983983 18
984984 19
985985 20
986986 21
987987 22
988988 23
989989 24
990990 25
(5) a controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer's request to delete such data pursuant to Paragraph (2) of Subsection A of this section by either:

(a) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records and not using such retained data for any other purpose pursuant to the provisions of the Consumer Information and Data Protection Act; or

(b) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the provisions of the Consumer Information and Data Protection Act.

D. A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision pursuant to Paragraph (2) of Subsection C of this section. The appeal process shall be conspicuously available and similar to the process for submitting requests to initiate action pursuant to Subsection A of this section. Within sixty days of receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of
the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.

SECTION 5. [NEW MATERIAL] DATA CONTROLLER RESPONSIBILITIES--TRANSPARENCY.--
A. A controller shall:
    (1) limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
    (2) except as otherwise provided in the Consumer Information and Data Protection Act, not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
    (3) establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data. Data security practices shall be appropriate to the volume and nature of the personal data at issue;
    (4) not process personal data in violation of
state and federal laws that prohibit unlawful discrimination against consumers. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in the Consumer Information and Data Protection Act, including denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods and services to the consumer. However, nothing in this subsection shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised the consumer's right to opt out pursuant to Section 4 of the Consumer Information and Data Protection Act or the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program; and
    (5) not process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the federal Children's Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.).
B. Any provision of a contract or agreement of any
kind that purports to waive or limit in any way consumer rights pursuant to the Consumer Information and Data Protection Act shall be deemed contrary to public policy and shall be void and unenforceable.
C. A controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes:
    (1) the categories of personal data processed by the controller;
    (2) the purpose for processing personal data;
    (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request;
    (4) the categories of personal data that the controller shares with third parties, if any;
    (5) the categories of third parties, if any, with which the controller shares personal data; and
    (6) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
D. If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.
E. A controller shall establish, and shall describe in a privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights under the Consumer Information and Data Protection Act. Such means shall take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication of such requests and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to Section 4 of the Consumer Information and Data Protection Act but may require a consumer to use an existing account.
F. Subject to the consent requirement established by Section 4 of the Consumer Information and Data Protection Act, no controller shall process any personal data collected from a known child:
    (1) for the purposes of targeted advertising, the sale of such personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;
    (2) unless such processing is reasonably necessary to provide the online service, product or feature;
    (3) for any processing purpose other than the processing purpose that the controller disclosed at the time
such controller collected such personal data or that is reasonably necessary for and compatible with such disclosed purpose; or
    (4) for longer than is reasonably necessary to provide the online service, product, or feature.
G. Subject to the consent requirement established by Section 4 of the Consumer Information and Data Protection Act, no controller shall collect precise geolocation data from a known child unless:
    (1) such precise geolocation data is reasonably necessary for the controller to provide an online service, product or feature and, if such data is necessary to provide such online service, product or feature, such controller shall only collect such data for the time necessary to provide such online service, product or feature; and
    (2) the controller provides to the known child a signal indicating that such controller is collecting such precise geolocation data, which signal shall be available to such known child for the entire duration of such collection.
H. No controller shall engage in the activities described in Subsections F and G of Section 4 of the Consumer Information and Data Protection Act unless the controller obtains consent from the child's parent or legal guardian in accordance with the federal Children's Online Privacy Protection Act of 1998 (15 U.S.C. Section 6501 et seq.).
SECTION 6. [NEW MATERIAL] RESPONSIBILITIES OF CONTROLLER AND PROCESSOR.--
A. A processor shall adhere to the instructions of a controller and shall assist the controller in meeting its obligations under the Consumer Information and Data Protection Act. Such assistance shall include:
    (1) taking into account the nature of processing and the information available to the processor, by appropriate technical and organizational measures, insofar as this is reasonably practicable, to fulfill the controller's obligation to respond to consumer rights requests pursuant to Section 4 of the Consumer Information and Data Protection Act;
    (2) taking into account the nature of processing and the information available to the processor, by assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security of the system of the processor pursuant to the Consumer Information and Data Protection Act in order to meet the controller's obligations; and
    (3) providing necessary information to enable the controller to conduct and document data protection assessments pursuant to the Consumer Information and Data Protection Act.
B. A contract between a controller and a processor
shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also include requirements that the processor shall:
    (1) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
    (2) at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
    (3) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in the Consumer Information and Data Protection Act;
    (4) allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; alternatively, the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational
measures in support of the obligations under the Consumer Information and Data Protection Act using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request; and
    (5) engage any subcontractor pursuant to a written contract in accordance with this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data.
C. Nothing in this section shall be construed to relieve a controller or a processor from the liabilities imposed on it by virtue of its role in the processing relationship as defined by the Consumer Information and Data Protection Act.
D. Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.

SECTION 7. [NEW MATERIAL] DATA PROTECTION ASSESSMENTS.--
A. A controller shall conduct and document a data protection assessment of each of the following processing activities involving personal data:
    (1) the processing of personal data for purposes of targeted advertising;
    (2) the sale of personal data;
    (3) the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of:
        (a) unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
        (b) financial, physical or reputational injury to consumers;
        (c) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or
        (d) other substantial injury to consumers;
    (4) the processing of sensitive data; and
    (5) any processing activities involving personal data that present a heightened risk of harm to consumers.
B. Data protection assessments conducted pursuant to Subsection A of this section shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the
consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, shall be factored into this assessment by the controller.
C. The attorney general may request, pursuant to a civil investigative demand, that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in Subsection A of this section. Data protection assessments shall be confidential and exempt from public inspection and copying under the Inspection of Public Records Act. The disclosure of a data protection assessment pursuant to a request from the attorney general shall not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.
D. A single data protection assessment may address a comparable set of processing operations that include similar activities.
E. Data protection assessments conducted by a controller for the purpose of compliance with other laws or regulations may comply under this section if the assessments have a reasonably comparable scope and effect.
F. Data protection assessment requirements shall apply to processing activities created or generated after the effective date of the Consumer Information and Data Protection Act and are not retroactive.

SECTION 8. [NEW MATERIAL] PROCESSING DE-IDENTIFIED DATA.--
A. The controller in possession of de-identified data shall:
    (1) take reasonable measures to ensure that the data cannot be associated with a natural person;
    (2) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
    (3) contractually obligate any recipients of the de-identified data to comply with all provisions of the Consumer Information and Data Protection Act.
B. Nothing in the Consumer Information and Data Protection Act shall be construed to require a controller or processor to re-identify de-identified data or pseudonymous data or maintain data in identifiable form, or collect, obtain, retain or access any data or technology, in order to be capable
of associating an authenticated consumer request with personal data.
C. Nothing in the Consumer Information and Data Protection Act shall be construed to require a controller or processor to comply with an authenticated consumer rights request, pursuant to Section 4 of the Consumer Information and Data Protection Act, if all of the following are true:
    (1) the controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
    (2) the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data or associate the personal data with other personal data about the same specific consumer; and
    (3) the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in this section.
D. The consumer rights contained in Section 4 of the Consumer Information and Data Protection Act shall not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the
controller from accessing such information.
E. A controller that discloses pseudonymous data or de-identified data shall exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and shall take appropriate steps to address any breaches of those contractual commitments.

SECTION 9. [NEW MATERIAL] LIMITATIONS.--
A. Nothing in the Consumer Information and Data Protection Act shall be construed to restrict a controller's or processor's ability to:
    (1) comply with federal, state or local laws, rules or regulations;
    (2) comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, local or other governmental authorities;
    (3) cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or local laws, rules or regulations;
    (4) investigate, establish, exercise, prepare for or defend legal claims;
    (5) provide a product or service specifically requested by a consumer, perform a contract to which the consumer is a party, including fulfilling the terms of a
written warranty, or take steps at the request of the consumer prior to entering into a contract;
    (6) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person and where the processing cannot be manifestly based on another legal basis;
    (7) prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity; preserve the integrity or security of systems; or investigate, report or prosecute those responsible for any such action;
    (8) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board or similar independent oversight entities that determine:
        (a) if the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
        (b) the expected benefits of the research outweigh the privacy risks; and
        (c) if the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification; or
    (9) assist another controller, processor or third party with any of the obligations under this subsection.
B. The obligations imposed on controllers or processors under the Consumer Information and Data Protection Act shall not restrict a controller's or processor's ability to collect, use or retain data to:
    (1) conduct internal research to develop, improve or repair products, services or technology;
    (2) effectuate a product recall;
    (3) identify and repair technical errors that impair existing or intended functionality; or
    (4) perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
C. The obligations imposed on controllers or processors under the Consumer Information and Data Protection Act shall not apply where compliance by the controller or processor with that act would violate an evidentiary privilege under the laws of the state. Nothing in that act shall be construed to prevent a controller or processor from providing
personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.
D. A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of the Consumer Information and Data Protection Act, is not in violation of that act if the third-party controller or processor that receives and processes such personal data is in violation of that act; provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of that act is likewise not in violation of that act for the transgressions of the controller or processor from which it receives such personal data.
E. Nothing in the Consumer Information and Data Protection Act shall be construed as an obligation imposed on controllers and processors that adversely affects the rights or freedoms of any persons, such as exercising the right of free speech pursuant to the first amendment to the United States constitution, or applies to the processing of personal data by a person in the course of a purely personal or household activity.
F. Personal data processed by a controller pursuant to this section shall not be processed for any purpose other than those expressly listed in this section unless otherwise allowed by the Consumer Information and Data Protection Act. Personal data processed by a controller pursuant to this section may be processed to the extent that such processing is:
    (1) reasonably necessary and proportionate to the purposes listed in this section; and
    (2) adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained pursuant to Subsection B of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use or retention of personal data.
G. If a controller processes personal data pursuant to an exemption in this section, the controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in Subsection F of this section.
H. Processing personal data for the purposes
19171917 .230052.1ms
19181918 - 36 - underscored material = new
19191919 [bracketed material] = delete
19201920 1
19211921 2
19221922 3
19231923 4
19241924 5
19251925 6
19261926 7
19271927 8
19281928 9
19291929 10
19301930 11
19311931 12
19321932 13
19331933 14
19341934 15
19351935 16
19361936 17
19371937 18
19381938 19
19391939 20
19401940 21
19411941 22
19421942 23
19431943 24
19441944 25
19451945 expressly identified in Subsection A of this section shall not
19461946 solely make an entity a controller with respect to such
19471947 processing.
SECTION 10. [NEW MATERIAL] INVESTIGATIVE AUTHORITY.--Whenever the attorney general has reasonable cause to believe that any person has engaged in, is engaging in or is about to engage in any violation of the Consumer Information and Data Protection Act, the attorney general is empowered to issue a civil investigative demand.

SECTION 11. [NEW MATERIAL] ENFORCEMENT--CIVIL PENALTIES.--

A. The attorney general shall have exclusive authority to enforce the provisions of the Consumer Information and Data Protection Act.

B. Prior to initiating any action under the Consumer Information and Data Protection Act, the attorney general shall provide a controller or processor thirty days' written notice identifying the specific provisions of the Consumer Information and Data Protection Act the attorney general alleges have been or are being violated. If within the thirty-day period the controller or processor cures the noticed violation and provides the attorney general an express written statement that the alleged violations have been cured and that no further violations shall occur, no action shall be initiated against the controller or processor.
C. If a controller or processor continues to violate the Consumer Information and Data Protection Act following the cure period in Subsection B of this section or breaches an express written statement provided to the attorney general under that subsection, the attorney general may initiate an action and may seek an injunction to restrain any violations of that act and civil penalties of up to ten thousand dollars ($10,000) for each violation under that act.

D. The attorney general may recover reasonable expenses incurred in investigating and preparing the case, including attorney fees, in any action initiated under the Consumer Information and Data Protection Act.

E. Nothing in the Consumer Information and Data Protection Act shall be construed as providing the basis for, or be subject to, a private right of action for violations of that act or under any other law.