Senate Bill S3044

                             
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   3044
 
                        2025-2026 Regular Sessions
 
                             I N  S E N A T E
 
                             January 23, 2025
                                ___________
 
 Introduced  by Sen. GONZALEZ -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT to amend the general business law, in relation to the  management
   and oversight of personal data
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. Short title. This act shall be known and may  be  cited  as
 the "New York privacy act".
   §  2.  Legislative  intent.  1.  Privacy is a fundamental right and an
 essential element of freedom. Advances in technology have produced ramp-
 ant growth in the amount and categories of personal  data  being  gener-
 ated,   collected,  stored,  analyzed,  and  potentially  shared,  which
 presents both promise and peril. Companies collect, use  and  share  our
 personal  data  in  ways that can be difficult for ordinary consumers to
 understand. Opaque data processing policies make it impossible to evalu-
 ate risks  and  compare  privacy-related  protections  across  services,
 stifling  competition.  Algorithms  quietly make decisions with critical
 consequences for New York consumers, often with no human accountability.
 Behavioral advertising generates profits by turning people into products
 and their activity into assets. New York consumers deserve  more  notice
 and more control over their data and their digital privacy.
   2. This act seeks to help New York consumers regain their privacy.  It
 gives New York consumers the ability to exercise more control over their
 personal data and requires businesses to be responsible, thoughtful, and
 accountable  managers  of  that  information.  To achieve this, this act
 provides New York consumers a number  of  new  rights,  including  clear
 notice of how their data is being used, processed and shared; the abili-
 ty  to  access  and obtain a copy of their data in a commonly used elec-
 tronic format, with the ability to transfer  it  between  services;  the
 ability  to  correct inaccurate data and to delete their data.  This act
 also imposes obligations upon businesses  to  maintain  reasonable  data
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.
                                                            LBD02963-02-5
              

 S. 3044                             2
 
 security  for personal data, to notify New York consumers of foreseeable
 harms arising from use of their data and to obtain specific consent  for
 that  use, and to conduct regular assessments to ensure that data is not
 being  used  for  unacceptable  purposes.  These data assessments can be
 obtained and evaluated by the New York State Attorney  General,  who  is
 empowered  to  obtain  penalties  for violations of this act and prevent
 future violations.
   § 3. The general business law is amended by adding a new article  42-A
 to read as follows:
                               ARTICLE 42-A
                           NEW YORK PRIVACY ACT
 SECTION 1200. DEFINITIONS.
         1201. JURISDICTIONAL SCOPE.
         1202. CONSUMER RIGHTS.
         1203. CONTROLLER, PROCESSOR, AND THIRD PARTY RESPONSIBILITIES.
         1204. DATA BROKERS.
         1205. LIMITATIONS.
         1206. ENFORCEMENT.
         1207. MISCELLANEOUS.
   §  1200. DEFINITIONS. THE FOLLOWING DEFINITIONS APPLY FOR THE PURPOSES
 OF THIS ARTICLE UNLESS THE CONTEXT CLEARLY REQUIRES OTHERWISE:
   1. "BIOMETRIC INFORMATION" MEANS ANY PERSONAL DATA GENERATED FROM  THE
 MEASUREMENT  OR  SPECIFIC TECHNOLOGICAL PROCESSING OF A NATURAL PERSON'S
 BIOLOGICAL, PHYSICAL, OR PHYSIOLOGICAL CHARACTERISTICS  THAT  ALLOWS  OR
 CONFIRMS  THE UNIQUE IDENTIFICATION OF A NATURAL PERSON, INCLUDING FING-
 ERPRINTS, VOICE PRINTS, IRIS OR RETINA SCANS, FACIAL SCANS OR TEMPLATES,
 AND GAIT.  "BIOMETRIC INFORMATION" DOES NOT INCLUDE A DIGITAL  OR  PHYS-
 ICAL PHOTOGRAPH, AN AUDIO OR VIDEO RECORDING, OR ANY DATA GENERATED FROM
 A DIGITAL OR PHYSICAL PHOTOGRAPH, OR AN AUDIO OR VIDEO RECORDING, UNLESS
 SUCH DATA IS GENERATED TO IDENTIFY A SPECIFIC INDIVIDUAL.
   2.  "BUSINESS  ASSOCIATE"  HAS  THE SAME MEANING AS IN TITLE 45 OF THE
 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996.
   3. "CONSENT" MEANS A CLEAR AFFIRMATIVE ACT SIGNIFYING A FREELY  GIVEN,
 SPECIFIC, INFORMED, AND UNAMBIGUOUS INDICATION OF A CONSUMER'S AGREEMENT
 TO  THE  PROCESSING  OF  DATA RELATING TO THE CONSUMER.   CONSENT MAY BE
 WITHDRAWN AT ANY TIME, AND A CONTROLLER MUST PROVIDE CLEAR, CONSPICUOUS,
 AND CONSUMER-FRIENDLY MEANS TO WITHDRAW CONSENT. THE  BURDEN  OF  ESTAB-
 LISHING  CONSENT IS ON THE CONTROLLER.  CONSENT DOES NOT INCLUDE: (A) AN
 AGREEMENT OF GENERAL TERMS OF USE OR A SIMILAR DOCUMENT THAT  REFERENCES
 UNRELATED  INFORMATION  IN  ADDITION TO PERSONAL DATA PROCESSING; (B) AN
 AGREEMENT OBTAINED THROUGH FRAUD, DECEIT OR DECEPTION; (C) ANY ACT  THAT
 DOES  NOT CONSTITUTE A USER'S INTENT TO INTERACT WITH ANOTHER PARTY SUCH
 AS HOVERING OVER, PAUSING OR CLOSING ANY CONTENT; OR (D)  A  PRE-CHECKED
 BOX OR SIMILAR DEFAULT.
   4. "CONSUMER" MEANS A NATURAL PERSON WHO IS A NEW YORK RESIDENT ACTING
 ONLY  IN  AN  INDIVIDUAL  OR  HOUSEHOLD  CONTEXT.  IT DOES NOT INCLUDE A
 NATURAL PERSON KNOWN TO  BE  ACTING  IN  A  PROFESSIONAL  OR  EMPLOYMENT
 CONTEXT.
   5.  "CONTROLLER"  MEANS  THE PERSON WHO, ALONE OR JOINTLY WITH OTHERS,
 DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF PERSONAL DATA.
   6. "COVERED ENTITY" HAS THE SAME MEANING AS IN TITLE 45 OF THE C.F.R.,
 ESTABLISHED PURSUANT TO THE FEDERAL  HEALTH  INSURANCE  PORTABILITY  AND
 ACCOUNTABILITY ACT OF 1996.
   7.  "DATA  BROKER" MEANS A PERSON, OR UNIT OR UNITS OF A LEGAL ENTITY,
 SEPARATELY OR TOGETHER, THAT DOES BUSINESS IN THE STATE OF NEW YORK  AND
 S. 3044                             3
 
 KNOWINGLY COLLECTS, AND SELLS TO OTHER CONTROLLERS OR THIRD PARTIES, THE
 PERSONAL  DATA  OF  A  CONSUMER  WITH  WHOM  IT  DOES  NOT HAVE A DIRECT
 RELATIONSHIP. "DATA BROKER" DOES NOT INCLUDE ANY OF THE FOLLOWING:
   (A)  A  CONSUMER  REPORTING AGENCY TO THE EXTENT THAT IT IS COVERED BY
 THE FEDERAL FAIR CREDIT REPORTING ACT (15 U.S.C. SEC. 1681 ET SEQ.); OR
   (B) A FINANCIAL INSTITUTION TO THE EXTENT THAT IT IS  COVERED  BY  THE
 GRAMM-LEACH-BLILEY  ACT  (PUBLIC  LAW  106-102)  AND  IMPLEMENTING REGU-
 LATIONS.
   8. "DECISIONS THAT PRODUCE LEGAL  OR  SIMILARLY  SIGNIFICANT  EFFECTS"
 MEANS  DECISIONS  MADE BY THE CONTROLLER THAT RESULT IN THE PROVISION OR
 DENIAL BY THE CONTROLLER OF  FINANCIAL  OR  LENDING  SERVICES,  HOUSING,
 INSURANCE,   EDUCATION  ENROLLMENT  OR  OPPORTUNITY,  CRIMINAL  JUSTICE,
 EMPLOYMENT OPPORTUNITIES, HEALTH CARE SERVICES OR  ACCESS  TO  ESSENTIAL
 GOODS OR SERVICES.
   9.  "DEIDENTIFIED  DATA"  MEANS DATA THAT CANNOT REASONABLY BE USED TO
 INFER INFORMATION ABOUT, OR OTHERWISE BE LINKED TO A PARTICULAR  CONSUM-
 ER,  HOUSEHOLD OR DEVICE, PROVIDED THAT THE PROCESSOR OR CONTROLLER THAT
 POSSESSES THE DATA:
   (A) IMPLEMENTS REASONABLE TECHNICAL SAFEGUARDS TO ENSURE THAT THE DATA
 CANNOT BE ASSOCIATED WITH A CONSUMER, HOUSEHOLD OR DEVICE;
   (B) PUBLICLY COMMITS TO PROCESS THE DATA ONLY AS DEIDENTIFIED DATA AND
 NOT ATTEMPT TO REIDENTIFY  THE  DATA,  EXCEPT  THAT  THE  CONTROLLER  OR
 PROCESSOR  MAY  ATTEMPT  TO  REIDENTIFY  THE  INFORMATION SOLELY FOR THE
 PURPOSE OF DETERMINING WHETHER ITS  DEIDENTIFICATION  PROCESSES  SATISFY
 THE REQUIREMENTS OF THIS SUBDIVISION; AND
   (C)  CONTRACTUALLY OBLIGATES ANY RECIPIENTS OF THE DATA TO COMPLY WITH
 ALL PROVISIONS OF THIS ARTICLE.
   10. "DEVICE" MEANS ANY PHYSICAL OBJECT THAT IS CAPABLE  OF  CONNECTING
 TO  THE  INTERNET,  DIRECTLY  OR INDIRECTLY, OR TO ANOTHER DEVICE AND IS
 INTENDED FOR USE BY A NATURAL PERSON OR HOUSEHOLD OR,  IF  USED  OUTSIDE
 THE HOME, FOR USE BY THE GENERAL PUBLIC.
   11.  "GENETIC  INFORMATION"  MEANS ANY DATA, REGARDLESS OF ITS FORMAT,
 THAT CONCERNS  A  CONSUMER'S  GENETIC  CHARACTERISTICS.  "GENETIC  DATA"
 INCLUDES  BUT  IS  NOT LIMITED TO (A) RAW SEQUENCE DATA THAT RESULT FROM
 SEQUENCING OF A CONSUMER'S  COMPLETE  EXTRACTED  OR  A  PORTION  OF  THE
 EXTRACTED  DEOXYRIBONUCLEIC  ACID  (DNA)  INFORMATION;  (B) GENOTYPE AND
 PHENOTYPIC INFORMATION THAT RESULTS  FROM  ANALYZING  THE  RAW  SEQUENCE
 DATA;  AND  (C) SELF-REPORTED HEALTH INFORMATION THAT A CONSUMER SUBMITS
 TO A COMPANY REGARDING THE CONSUMER'S HEALTH CONDITIONS AND THAT IS USED
 FOR  SCIENTIFIC  RESEARCH  OR  PRODUCT  DEVELOPMENT  AND   ANALYZED   IN
 CONNECTION WITH THE CONSUMER'S RAW SEQUENCE DATA.
   12.  "HOUSEHOLD"  MEANS  A GROUP, HOWEVER IDENTIFIED, OF CONSUMERS WHO
 COHABITATE WITH ONE ANOTHER AT THE  SAME  RESIDENTIAL  ADDRESS  AND  MAY
 SHARE USE OF COMMON DEVICES OR SERVICES.
   13.  "IDENTIFIED  OR  IDENTIFIABLE"  MEANS A NATURAL PERSON WHO CAN BE
 IDENTIFIED, DIRECTLY OR INDIRECTLY, SUCH AS BY REFERENCE TO AN IDENTIFI-
 ER SUCH AS A NAME, AN IDENTIFICATION NUMBER, LOCATION DATA, OR AN ONLINE
 OR DEVICE IDENTIFIER.
   14. "NATURAL PERSON" MEANS A NATURAL PERSON ACTING ONLY IN AN INDIVID-
 UAL OR HOUSEHOLD CONTEXT. IT DOES NOT INCLUDE A NATURAL PERSON KNOWN  TO
 BE ACTING IN A PROFESSIONAL OR EMPLOYMENT CONTEXT.
   15.  "PERSON"  MEANS A NATURAL PERSON OR A LEGAL ENTITY, INCLUDING BUT
 NOT LIMITED  TO  A  PROPRIETORSHIP,  PARTNERSHIP,  LIMITED  PARTNERSHIP,
 CORPORATION,  COMPANY, LIMITED LIABILITY COMPANY OR CORPORATION, ASSOCI-
 ATION, OR OTHER FIRM OR SIMILAR BODY, OR  ANY  UNIT,  DIVISION,  AGENCY,
 DEPARTMENT, OR SIMILAR SUBDIVISION THEREOF.
 S. 3044                             4
 
   16. "PERSONAL DATA" MEANS ANY DATA THAT IDENTIFIES OR COULD REASONABLY
 BE  LINKED,  DIRECTLY  OR INDIRECTLY, WITH A SPECIFIC NATURAL PERSON, OR
 HOUSEHOLD.  PERSONAL DATA DOES NOT INCLUDE DEIDENTIFIED  DATA,  INFORMA-
 TION  THAT  IS  LAWFULLY  MADE PUBLICLY AVAILABLE FROM FEDERAL, STATE OR
 LOCAL GOVERNMENT RECORDS, OR INFORMATION THAT A CONTROLLER HAS A REASON-
 ABLE   BASIS TO BELIEVE IS LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC
 BY THE  CONSUMER OR FROM WIDELY DISTRIBUTED MEDIA.
   17. "PRECISE GEOLOCATION DATA" MEANS INFORMATION DERIVED FROM TECHNOL-
 OGY, INCLUDING, BUT NOT LIMITED TO, GLOBAL POSITION SYSTEM  LEVEL  LATI-
 TUDE  AND LONGITUDE COORDINATES OR OTHER MECHANISMS, THAT DIRECTLY IDEN-
 TIFIES THE  SPECIFIC  LOCATION  OF  AN  INDIVIDUAL  WITH  PRECISION  AND
 ACCURACY  WITHIN  A  RADIUS  OF  ONE  THOUSAND SEVEN HUNDRED FIFTY FEET,
 EXCEPT AS PRESCRIBED BY REGULATIONS. PRECISE GEOLOCATION DATA  DOES  NOT
 INCLUDE  THE  CONTENT  OF  COMMUNICATIONS  OR  ANY  DATA GENERATED BY OR
 CONNECTED TO ADVANCE UTILITY METERING INFRASTRUCTURE SYSTEMS  OR  EQUIP-
 MENT FOR USE BY A UTILITY.
   18.  "PROCESS",  "PROCESSES" OR "PROCESSING" MEANS AN OPERATION OR SET
 OF OPERATIONS WHICH ARE PERFORMED ON DATA OR ON SETS OF DATA,  INCLUDING
 BUT  NOT  LIMITED TO THE COLLECTION, USE, ACCESS, SHARING, MONETIZATION,
 ANALYSIS, RETENTION, CREATION, GENERATION, DERIVATION, RECORDING, ORGAN-
 IZATION,  STRUCTURING,  STORAGE,  DISCLOSURE,  TRANSMISSION,   ANALYSIS,
 DISPOSAL, LICENSING, DESTRUCTION, DELETION, MODIFICATION, OR DEIDENTIFI-
 CATION OF DATA.
   19.  "PROCESSOR"  MEANS  A PERSON THAT PROCESSES DATA ON BEHALF OF THE
 CONTROLLER.
   20. "PROFILING" MEANS ANY FORM OF AUTOMATED  PROCESSING  PERFORMED  ON
 PERSONAL  DATA TO EVALUATE, ANALYZE, OR PREDICT PERSONAL ASPECTS RELATED
 TO AN IDENTIFIED OR IDENTIFIABLE NATURAL  PERSON'S  ECONOMIC  SITUATION,
 HEALTH,   PERSONAL   PREFERENCES,   INTERESTS,   RELIABILITY,  BEHAVIOR,
 LOCATION, OR MOVEMENTS.  PROFILING DOES NOT INCLUDE  EVALUATION,  ANALY-
 SIS,  OR  PREDICTION BASED SOLELY UPON A NATURAL PERSON'S CURRENT SEARCH
 QUERY OR ACTIVITIES ON, OR CURRENT VISIT TO, THE CONTROLLER'S WEBSITE OR
 ONLINE APPLICATION.
   21. "PROTECTED HEALTH INFORMATION" HAS THE SAME MEANING AS IN TITLE 45
 C.F.R., ESTABLISHED PURSUANT TO THE FEDERAL HEALTH INSURANCE PORTABILITY
 AND ACCOUNTABILITY ACT OF 1996.
   22. "SALE", "SELL", OR "SOLD" MEANS THE DISCLOSURE, TRANSFER,  CONVEY-
 ANCE,  SHARING,  LICENSING,  MAKING  AVAILABLE,  PROCESSING, GRANTING OF
 PERMISSION OR AUTHORIZATION TO PROCESS, OR OTHER  EXCHANGE  OF  PERSONAL
 DATA,  OR  PROVIDING ACCESS TO PERSONAL DATA FOR MONETARY OR OTHER VALU-
 ABLE CONSIDERATION BY THE CONTROLLER TO A THIRD PARTY.  "SALE"  INCLUDES
 ENABLING, FACILITATING OR PROVIDING ACCESS TO PERSONAL DATA FOR TARGETED
 ADVERTISING. "SALE" DOES NOT INCLUDE THE FOLLOWING:
   (A)  THE  DISCLOSURE  OF DATA TO A PROCESSOR WHO PROCESSES THE DATA ON
 BEHALF OF THE CONTROLLER AND  WHICH  IS  CONTRACTUALLY  PROHIBITED  FROM
 USING IT FOR ANY PURPOSE OTHER THAN AS INSTRUCTED BY THE CONTROLLER;
   (B)  THE  DISCLOSURE OR TRANSFER OF DATA AS AN ASSET THAT IS PART OF A
 MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANSACTION IN  WHICH  ANOTHER
 ENTITY ASSUMES CONTROL OR OWNERSHIP OF ALL OR A MAJORITY OF THE CONTROL-
 LER'S ASSETS; OR
   (C)  THE  DISCLOSURE  OF  PERSONAL DATA TO A THIRD PARTY NECESSARY FOR
 PURPOSES OF PROVIDING A PRODUCT, SERVICE, OR INTERACTION WITH SUCH THIRD
 PARTY, WHEN THE CONSUMER INTENTIONALLY AND UNAMBIGUOUSLY  REQUESTS  SUCH
 DISCLOSURE.
   23. "SENSITIVE DATA" MEANS PERSONAL DATA THAT REVEALS:
 S. 3044                             5
 
   (A)  RACIAL  OR  ETHNIC  ORIGIN, RELIGIOUS BELIEFS, MENTAL OR PHYSICAL
 HEALTH CONDITION OR DIAGNOSIS, SEX LIFE, SEXUAL ORIENTATION, OR CITIZEN-
 SHIP OR IMMIGRATION STATUS;
   (B)  GENETIC  INFORMATION  OR BIOMETRIC INFORMATION FOR THE PURPOSE OF
 UNIQUELY IDENTIFYING A NATURAL PERSON;
   (C) PRECISE GEOLOCATION DATA; OR
   (D) SOCIAL SECURITY, FINANCIAL ACCOUNT, PASSPORT OR  DRIVER'S  LICENSE
 NUMBERS.
   24. "TARGETED ADVERTISING" MEANS ADVERTISING BASED UPON PROFILING.
   25.  "THIRD  PARTY" MEANS, WITH RESPECT TO A PARTICULAR INTERACTION OR
 OCCURRENCE, A PERSON, PUBLIC AUTHORITY, AGENCY, OR BODY OTHER  THAN  THE
 CONSUMER, THE CONTROLLER, OR PROCESSOR OF THE CONTROLLER.  A THIRD PARTY
 MAY  ALSO  BE  A  CONTROLLER  IF  THE THIRD PARTY, ALONE OR JOINTLY WITH
 OTHERS, DETERMINES THE PURPOSES AND MEANS OF THE PROCESSING OF  PERSONAL
 DATA.
   26. "VERIFIED REQUEST" MEANS A REQUEST BY A CONSUMER OR THEIR AGENT TO
 EXERCISE  A  RIGHT AUTHORIZED BY THIS ARTICLE, THE AUTHENTICITY OF WHICH
 HAS BEEN ASCERTAINED BY THE CONTROLLER IN ACCORDANCE WITH PARAGRAPH  (C)
 OF SUBDIVISION EIGHT OF SECTION TWELVE HUNDRED TWO OF THIS ARTICLE.
   § 1201. JURISDICTIONAL SCOPE. 1. THIS ARTICLE APPLIES TO LEGAL PERSONS
 THAT  CONDUCT  BUSINESS IN NEW YORK OR PRODUCE PRODUCTS OR SERVICES THAT
 ARE TARGETED TO RESIDENTS OF NEW YORK, AND THAT SATISFY ONE OR  MORE  OF
 THE FOLLOWING THRESHOLDS:
   (A) HAVE ANNUAL GROSS REVENUE OF TWENTY-FIVE MILLION DOLLARS OR MORE;
   (B) CONTROLS OR PROCESSES PERSONAL DATA OF FIFTY THOUSAND CONSUMERS OR
 MORE; OR
   (C)  DERIVES  OVER  FIFTY  PERCENT  OF  GROSS REVENUE FROM THE SALE OF
 PERSONAL DATA.
   2. THIS ARTICLE DOES NOT APPLY TO:
   (A) PERSONAL DATA PROCESSED BY STATE AND LOCAL GOVERNMENTS, AND MUNIC-
 IPAL CORPORATIONS, FOR PROCESSES OTHER THAN SALE (FILING AND  PROCESSING
 FEES ARE NOT SALE);
   (B)  A  NATIONAL SECURITIES ASSOCIATION REGISTERED PURSUANT TO SECTION
 15A OF THE SECURITIES EXCHANGE ACT OF 1934, AS AMENDED,  OR  REGULATIONS
 ADOPTED  THEREUNDER  OR  A  REGISTERED FUTURES ASSOCIATION SO DESIGNATED
 PURSUANT TO SECTION 17 OF THE COMMODITY EXCHANGE ACT, AS AMENDED, OR ANY
 REGULATIONS ADOPTED THEREUNDER;
   (C) ANY NONPROFIT ENTITY IDENTIFIED IN SECTION FOUR  HUNDRED  FIVE  OF
 THE  FINANCIAL  SERVICES  LAW  TO THE EXTENT SUCH ORGANIZATION COLLECTS,
 PROCESSES, USES, OR SHARES  DATA  SOLELY  IN  RELATION  TO  IDENTIFYING,
 INVESTIGATING,  OR  ASSISTING (I) LAW ENFORCEMENT AGENCIES IN CONNECTION
 WITH SUSPECTED INSURANCE-RELATED CRIMINAL OR FRAUDULENT  ACTS;  OR  (II)
 FIRST RESPONDERS IN CONNECTION WITH CATASTROPHIC EVENTS;
   (D) INFORMATION THAT MEETS THE FOLLOWING CRITERIA:
   (I) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT TO
 AND   IN  COMPLIANCE  WITH  THE  FEDERAL  GRAMM-LEACH-BLILEY  ACT  (P.L.
 106-102), AND IMPLEMENTING REGULATIONS;
   (II) PERSONAL DATA COLLECTED, PROCESSED, SOLD, OR  DISCLOSED  PURSUANT
 TO  THE  FEDERAL DRIVER'S PRIVACY PROTECTION ACT OF 1994 (18 U.S.C. SEC.
 2721 ET SEQ.), IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS  IN
 COMPLIANCE WITH THAT LAW;
   (III) PERSONAL DATA REGULATED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS
 AND PRIVACY ACT, U.S.C. SEC. 1232G AND ITS IMPLEMENTING REGULATIONS;
   (IV)  PERSONAL  DATA COLLECTED, PROCESSED, SOLD, OR DISCLOSED PURSUANT
 TO THE FEDERAL FARM CREDIT ACT OF 1971 (AS AMENDED  IN  12  U.S.C.  SEC.
 2001-2279CC)  AND  ITS  IMPLEMENTING  REGULATIONS (12 C.F.R. PART 600 ET
 S. 3044                             6
 
 SEQ.) IF THE COLLECTION, PROCESSING, SALE, OR DISCLOSURE IS  IN  COMPLI-
 ANCE WITH THAT LAW;
   (V) PERSONAL DATA REGULATED BY SECTION TWO-D OF THE EDUCATION LAW;
   (VI)  DATA  MAINTAINED  AS EMPLOYMENT RECORDS, FOR PURPOSES OTHER THAN
 SALE;
   (VII) PROTECTED HEALTH INFORMATION THAT IS  LAWFULLY  COLLECTED  BY  A
 COVERED  ENTITY  OR  BUSINESS  ASSOCIATE AND IS GOVERNED BY THE PRIVACY,
 SECURITY, AND BREACH NOTIFICATION RULES  ISSUED  BY  THE  UNITED  STATES
 DEPARTMENT  OF  HEALTH AND HUMAN SERVICES, PARTS 160 AND 164 OF TITLE 45
 OF THE CODE OF FEDERAL REGULATIONS, ESTABLISHED PURSUANT TO  THE  HEALTH
 INSURANCE  PORTABILITY  AND  ACCOUNTABILITY  ACT  OF  1996  (PUBLIC  LAW
 104-191) ("HIPAA") AND THE HEALTH INFORMATION  TECHNOLOGY  FOR  ECONOMIC
 AND CLINICAL HEALTH ACT (PUBLIC LAW 111-5);
   (VIII)  PATIENT IDENTIFYING INFORMATION FOR PURPOSES OF 42 C.F.R. PART
 2, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 290DD-2, AS LONG AS SUCH  DATA
 IS NOT SOLD IN VIOLATION OF HIPAA OR ANY STATE OR FEDERAL LAW;
   (IX)  INFORMATION  AND  DOCUMENTS LAWFULLY CREATED FOR PURPOSES OF THE
 FEDERAL HEALTH CARE QUALITY IMPROVEMENT ACT OF 1986, AND  RELATED  REGU-
 LATIONS;
   (X) PATIENT SAFETY WORK PRODUCT CREATED FOR PURPOSES OF 42 C.F.R. PART
 3, ESTABLISHED PURSUANT TO 42 U.S.C. SEC. 299B-21 THROUGH 299B-26;
   (XI)  INFORMATION  THAT  IS  TREATED IN THE SAME MANNER AS INFORMATION
 EXEMPT UNDER SUBPARAGRAPH (VII) OF THIS PARAGRAPH THAT IS MAINTAINED  BY
 A  COVERED ENTITY OR BUSINESS ASSOCIATE AS DEFINED BY HIPAA OR A PROGRAM
 OR A QUALIFIED SERVICE ORGANIZATION AS DEFINED BY 42 U.S.C.  §  290DD-2,
 AS  LONG  AS SUCH DATA IS NOT SOLD IN VIOLATION OF HIPAA OR ANY STATE OR
 FEDERAL LAW;
   (XII) DEIDENTIFIED HEALTH INFORMATION THAT MEETS ALL OF THE  FOLLOWING
 CONDITIONS:
   (A) IT IS DEIDENTIFIED IN ACCORDANCE WITH THE REQUIREMENTS FOR DEIDEN-
 TIFICATION  SET  FORTH IN SECTION 164.514 OF PART 164 OF TITLE 45 OF THE
 CODE OF FEDERAL REGULATIONS;
   (B) IT IS DERIVED  FROM  PROTECTED  HEALTH  INFORMATION,  INDIVIDUALLY
 IDENTIFIABLE  HEALTH  INFORMATION,  OR  IDENTIFIABLE PRIVATE INFORMATION
 COMPLIANT WITH THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN  SUBJECTS,
 ALSO KNOWN AS THE COMMON RULE; AND
   (C) A COVERED ENTITY OR BUSINESS ASSOCIATE DOES NOT ATTEMPT TO REIDEN-
 TIFY  THE  INFORMATION  NOR  DO THEY ACTUALLY REIDENTIFY THE INFORMATION
 EXCEPT AS OTHERWISE ALLOWED UNDER STATE OR FEDERAL LAW;
   (XIII) INFORMATION MAINTAINED BY A COVERED ENTITY OR BUSINESS  ASSOCI-
 ATE  GOVERNED  BY  THE  PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES
 ISSUED BY THE UNITED STATES DEPARTMENT OF  HEALTH  AND  HUMAN  SERVICES,
 PARTS 160 AND 164 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS, ESTAB-
 LISHED  PURSUANT  TO THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY
 ACT OF 1996 (PUBLIC LAW 104-191), TO THE EXTENT THE  COVERED  ENTITY  OR
 BUSINESS  ASSOCIATE  MAINTAINS  THE  INFORMATION  IN  THE SAME MANNER AS
 PROTECTED HEALTH INFORMATION AS DESCRIBED IN SUBPARAGRAPH (VII) OF  THIS
 PARAGRAPH;
   (XIV)  DATA  COLLECTED AS PART OF HUMAN SUBJECTS RESEARCH, INCLUDING A
 CLINICAL TRIAL, CONDUCTED IN ACCORDANCE WITH THE FEDERAL POLICY FOR  THE
 PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE, PURSUANT TO
 GOOD  CLINICAL  PRACTICE  GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL
 FOR HARMONISATION OR PURSUANT TO HUMAN SUBJECT  PROTECTION  REQUIREMENTS
 OF THE UNITED STATES FOOD AND DRUG ADMINISTRATION;
   (XV)  PERSONAL  DATA  PROCESSED  ONLY FOR ONE OR MORE OF THE FOLLOWING
 PURPOSES:
 S. 3044                             7
 
   (A) PRODUCT  REGISTRATION  AND  TRACKING  CONSISTENT  WITH  APPLICABLE
 UNITED STATES FOOD AND DRUG ADMINISTRATION REGULATIONS AND GUIDANCE;
   (B)  PUBLIC  HEALTH  ACTIVITIES  AND  PURPOSES AS DESCRIBED IN SECTION
 164.512 OF TITLE 45 OF THE CODE OF FEDERAL REGULATIONS; AND/OR
   (C) ACTIVITIES RELATED TO QUALITY, SAFETY, OR EFFECTIVENESS  REGULATED
 BY THE UNITED STATES FOOD AND DRUG ADMINISTRATION; OR
   (XVI) PERSONAL DATA COLLECTED, PROCESSED, OR DISCLOSED PURSUANT TO AND
 IN  COMPLIANCE WITH ANY OPT-OUT PROGRAM AUTHORIZED BY THE PUBLIC SERVICE
 COMMISSION  OR  ANY  OTHER  OPT-OUT  COMMUNITY  DISTRIBUTED   GENERATION
 PROGRAMS AUTHORIZED IN LAW; OR
   (E) (I) AN ACTIVITY INVOLVING THE COLLECTION, MAINTENANCE, DISCLOSURE,
 SALE, COMMUNICATION, OR USE OF ANY PERSONAL DATA BEARING ON A CONSUMER'S
 CREDIT  WORTHINESS, CREDIT STANDING, CREDIT CAPACITY, CHARACTER, GENERAL
 REPUTATION, PERSONAL CHARACTERISTICS, OR MODE OF LIVING  BY  A  CONSUMER
 REPORTING  AGENCY,  AS  DEFINED  IN  TITLE 15 U.S.C. SEC. 1681A(F), BY A
 FURNISHER OF INFORMATION, AS SET FORTH IN TITLE 15 U.S.C. SEC.  1681S-2,
 WHO PROVIDES INFORMATION FOR USE IN A CONSUMER  REPORT,  AS  DEFINED  IN
 TITLE  15  U.S.C.  SEC. 1861A(D), AND BY A USER OF A CONSUMER REPORT, AS
 SET FORTH IN TITLE 15 U.S.C. SEC. 1681B.; AND
   (II) THIS PARAGRAPH SHALL APPLY ONLY TO THE EXTENT THAT SUCH  ACTIVITY
 INVOLVING  THE COLLECTION, MAINTENANCE, DISCLOSURE, SALE, COMMUNICATION,
 OR USE OF SUCH DATA BY THAT AGENCY, FURNISHER, OR  USER  IS  SUBJECT  TO
 REGULATION  UNDER  THE  FAIR  CREDIT REPORTING ACT, TITLE 15 U.S.C. SEC.
 1681 ET SEQ., AND THE DATA IS NOT COLLECTED, MAINTAINED, USED,  COMMUNI-
 CATED,  DISCLOSED,  OR  SOLD  EXCEPT  AS  AUTHORIZED  BY THE FAIR CREDIT
 REPORTING ACT.
   § 1202. CONSUMER RIGHTS. 1. RIGHT TO NOTICE. (A) NOTICE. EACH CONTROL-
 LER THAT PROCESSES A CONSUMER'S PERSONAL DATA  MUST  MAKE  PUBLICLY  AND
 CONSISTENTLY  AVAILABLE, IN A CONSPICUOUS AND READILY ACCESSIBLE MANNER,
 A NOTICE CONTAINING THE FOLLOWING:
   (I) A DESCRIPTION OF THE  CONSUMER'S  RIGHTS  UNDER  SUBDIVISIONS  TWO
 THROUGH  SEVEN  OF  THIS  SECTION  AND HOW A CONSUMER MAY EXERCISE THOSE
 RIGHTS, INCLUDING HOW TO WITHDRAW CONSENT;
   (II) THE CATEGORIES OF PERSONAL DATA PROCESSED BY THE  CONTROLLER  AND
 BY  ANY  PROCESSOR WHO PROCESSES PERSONAL DATA ON BEHALF OF THE CONTROL-
 LER;
   (III) THE SOURCES FROM WHICH PERSONAL DATA IS COLLECTED;
   (IV) THE PURPOSES FOR PROCESSING PERSONAL DATA;
   (V) THE CATEGORIES OF THIRD PARTIES TO WHOM THE CONTROLLER  DISCLOSED,
 SHARED,  TRANSFERRED  OR  SOLD  PERSONAL  DATA AND, FOR EACH CATEGORY OF
 THIRD  PARTY,  (A)  THE  CATEGORIES  OF  PERSONAL  DATA  BEING   SHARED,
 DISCLOSED, TRANSFERRED, OR SOLD TO THE THIRD PARTY, (B) THE PURPOSES FOR
 WHICH  PERSONAL DATA IS BEING SHARED, DISCLOSED, TRANSFERRED, OR SOLD TO
 THE THIRD PARTY, (C) ANY APPLICABLE RETENTION PERIODS FOR EACH  CATEGORY
 OF  PERSONAL  DATA  PROCESSED BY THE THIRD PARTIES OR PROCESSED ON THEIR
 BEHALF, OR IF THAT IS NOT POSSIBLE, THE CRITERIA USED TO  DETERMINE  THE
 PERIOD,  AND (D) WHETHER THE THIRD PARTIES MAY USE THE PERSONAL DATA FOR
 TARGETED ADVERTISING; AND
   (VI) THE CONTROLLER'S RETENTION PERIOD FOR EACH CATEGORY  OF  PERSONAL
 DATA  THAT  THEY  PROCESS OR IS PROCESSED ON THEIR BEHALF, OR IF THAT IS
 NOT POSSIBLE, THE CRITERIA USED TO DETERMINE THAT PERIOD.
   (B) NOTICE REQUIREMENTS.
   (I) THE NOTICE MUST BE  WRITTEN  IN  EASY-TO-UNDERSTAND  LANGUAGE  AND
 FORMAT  AT AN EIGHTH GRADE READING LEVEL OR BELOW AND IN AT LEAST TWELVE
 POINT FONT.
 S. 3044                             8
 
   (II) THE CATEGORIES OF PERSONAL DATA PROCESSED AND PURPOSES FOR  WHICH
 EACH CATEGORY OF PERSONAL DATA IS PROCESSED MUST BE DESCRIBED IN A CLEAR
 AND  CONSPICUOUS MANNER, AT A LEVEL SPECIFIC ENOUGH TO ENABLE A CONSUMER
 TO EXERCISE MEANINGFUL CONTROL OVER  THEIR  PERSONAL  DATA  BUT  NOT  SO
 SPECIFIC AS TO RENDER THE NOTICE UNHELPFUL TO A CONSUMER.
   (III)  THE NOTICE MUST BE DATED WITH ITS EFFECTIVE DATE AND UPDATED AT
 LEAST ANNUALLY.   WHEN THE INFORMATION REQUIRED TO  BE  DISCLOSED  TO  A
 CONSUMER  PURSUANT  TO PARAGRAPH (A) OF THIS SUBDIVISION HAS NOT CHANGED
 SINCE THE IMMEDIATELY  PREVIOUS  NOTICE  (WHETHER  INITIAL,  ANNUAL,  OR
 REVISED)  PROVIDED  TO  THE CONSUMER, A CONTROLLER MAY ISSUE A STATEMENT
 THAT NO CHANGES HAVE BEEN MADE.
   (IV) THE NOTICE, AS WELL AS EACH VERSION OF THE NOTICE  IN  EFFECT  IN
 THE  PRECEDING  SIX  YEARS,   MUST BE EASILY ACCESSIBLE TO CONSUMERS AND
 CAPABLE OF BEING VIEWED BY CONSUMERS AT ANY TIME.
   2. RIGHT TO OPT OUT.  (A) A CONTROLLER MUST ALLOW CONSUMERS THE  RIGHT
 TO  OPT  OUT,  AT  ANY  TIME, OF PROCESSING PERSONAL DATA CONCERNING THE
 CONSUMER FOR THE PURPOSES OF:
   (I) TARGETED ADVERTISING;
   (II) THE SALE OF PERSONAL DATA; AND
   (III) PROFILING IN FURTHERANCE OF  DECISIONS  THAT  PRODUCE  LEGAL  OR
 SIMILARLY SIGNIFICANT EFFECTS CONCERNING A CONSUMER.
   (B)  A  CONTROLLER  MUST  PROVIDE  CLEAR AND CONSPICUOUS MEANS FOR THE
 CONSUMER OR THEIR AGENT TO OPT OUT OF PROCESSING AND CLEARLY PRESENT  AS
 THE  MOST  CONSPICUOUS CHOICE AN OPTION TO SIMULTANEOUSLY OPT OUT OF ALL
 PROCESSING PURPOSES SET FORTH IN PARAGRAPH (A) OF THIS SUBDIVISION.
   (C) A CONTROLLER MUST NOT PROCESS PERSONAL DATA FOR ANY  PURPOSE  FROM
 WHICH THE CONSUMER HAS OPTED OUT.
   (D) A CONTROLLER MUST NOT REQUEST THAT A CONSUMER WHO HAS OPTED OUT OF
 CERTAIN  PURPOSES  OF PROCESSING PERSONAL DATA OPT BACK IN, UNLESS THOSE
 PURPOSES SUBSEQUENTLY BECOME NECESSARY TO PROVIDE THE SERVICES OR  GOODS
 REQUESTED  BY A CONSUMER. TARGETED ADVERTISING AND SALE OF PERSONAL DATA
 SHALL NOT BE  CONSIDERED  PROCESSING  PURPOSES  THAT  ARE  NECESSARY  TO
 PROVIDE SERVICE OR GOODS REQUESTED BY A CONSUMER.
   (E) CONTROLLERS MUST TREAT USER-ENABLED PRIVACY CONTROLS IN A BROWSER,
 BROWSER   PLUG-IN,  SMARTPHONE  APPLICATION,  OPERATING  SYSTEM,  DEVICE
 SETTING, OR OTHER MECHANISM THAT COMMUNICATES OR SIGNALS THE  CONSUMER'S
 CHOICE  NOT TO OPT OUT OF THE PROCESSING OF PERSONAL DATA IN FURTHERANCE
 OF TARGETED ADVERTISING, THE SALE OF THEIR PERSONAL DATA,  OR  PROFILING
 IN  FURTHERANCE OF DECISIONS THAT PRODUCE LEGAL OR SIMILARLY SIGNIFICANT
 EFFECTS CONCERNING THE CONSUMER AS AN OPT OUT UNDER THIS ARTICLE. TO THE
 EXTENT THAT THE PRIVACY CONTROL CONFLICTS WITH A CONSUMER'S CONSENT, THE
 CONTROLLER SHALL COMPLY WITH THE PRIVACY  CONTROL  BUT  MAY  NOTIFY  THE
 CONSUMER  OF  SUCH  CONFLICT  AND PROVIDE TO SUCH CONSUMER THE CHOICE TO
 GIVE CONTROLLER SPECIFIC CONSENT TO SUCH PROCESSING.
   3. SENSITIVE DATA. (A) A CONTROLLER MUST OBTAIN FREELY GIVEN,  SPECIF-
 IC, INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT FROM A CONSUMER TO:
   (I) PROCESS THE CONSUMER'S SENSITIVE DATA RELATED TO THAT CONSUMER FOR
 ANY  PURPOSE  OTHER  THAN  THOSE  IN  SUBDIVISION  TWO OF SECTION TWELVE
 HUNDRED FIVE OF THIS ARTICLE; OR
   (II) MAKE  ANY  CHANGES  TO  THE  EXISTING  PROCESSING  OR  PROCESSING
 PURPOSE,  INCLUDING  THOSE REGARDING THE METHOD AND SCOPE OF COLLECTION,
 OF THE CONSUMER'S SENSITIVE DATA THAT MAY  BE  LESS  PROTECTIVE  OF  THE
 CONSUMER'S  SENSITIVE DATA THAN THE PROCESSING TO WHICH THE CONSUMER HAS
 PREVIOUSLY GIVEN THEIR FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS
 OPT-IN CONSENT.
 S. 3044                             9
 
   (B) ANY REQUEST FOR CONSENT TO PROCESS SENSITIVE DATA MUST BE PROVIDED
 TO THE CONSUMER, PRIOR TO PROCESSING THEIR SENSITIVE DATA, IN  A  STAND-
 ALONE DISCLOSURE THAT IS SEPARATE AND APART FROM ANY CONTRACT OR PRIVACY
 POLICY. THE REQUEST FOR CONSENT MUST:
   (I)  BE  WRITTEN IN A TWELVE POINT FONT OR GREATER AND INCLUDE A CLEAR
 AND CONSPICUOUS DESCRIPTION OF EACH  CATEGORY  OF  DATA  AND  PROCESSING
 PURPOSE FOR WHICH CONSENT IS SOUGHT;
   (II)  CLEARLY  IDENTIFY AND DISTINGUISH BETWEEN CATEGORIES OF DATA AND
 PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE THE SERVICES OR  GOODS
 REQUESTED BY THE CONSUMER AND CATEGORIES OF DATA AND PROCESSING PURPOSES
 THAT ARE NOT NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED BY THE
 CONSUMER;
   (III)  ENABLE  A REASONABLE CONSUMER TO EASILY IDENTIFY THE CATEGORIES
 OF DATA AND PROCESSING PURPOSES FOR WHICH CONSENT IS SOUGHT;
   (IV) CLEARLY PRESENT AS THE  MOST  CONSPICUOUS  CHOICE  AN  OPTION  TO
 PROVIDE  ONLY  THE  CONSENT  NECESSARY  TO PROVIDE THE SERVICES OR GOODS
 REQUESTED BY THE CONSUMER;
   (V) CLEARLY PRESENT AN OPTION TO DENY CONSENT; AND
   (VI) WHERE THE REQUEST SEEKS CONSENT TO SHARING, DISCLOSURE, TRANSFER,
 OR SALE OF SENSITIVE DATA TO THIRD PARTIES, IDENTIFY THE  CATEGORIES  OF
 SUCH THIRD PARTIES, THE CATEGORIES OF DATA SOLD OR SHARED WITH THEM, THE
 PROCESSING  PURPOSES,  THE RETENTION PERIOD, OR IF THAT IS NOT POSSIBLE,
 THE CRITERIA USED TO DETERMINE THE PERIOD, AND STATE  IF  SUCH  SHARING,
 DISCLOSURE,  TRANSFER, OR SALE ENABLES OR INVOLVES TARGETED ADVERTISING.
 THE DETAILS OF THE CATEGORIES OF SUCH THIRD PARTIES, AND THE  CATEGORIES
 OF DATA, PROCESSING PURPOSES, AND THE RETENTION PERIOD, MAY BE SET FORTH
 IN  A  DIFFERENT  DISCLOSURE,  PROVIDED  THAT  THE  REQUEST  FOR CONSENT
 CONTAINS A CONSPICUOUS AND DIRECTLY ACCESSIBLE LINK TO THAT DISCLOSURE.
   (C) TARGETED ADVERTISING AND  SALE  OF  PERSONAL  DATA  SHALL  NOT  BE
 CONSIDERED PROCESSING PURPOSES THAT ARE NECESSARY TO PROVIDE SERVICES OR
 GOODS REQUESTED BY A CONSUMER.
   (D) ONCE A CONSUMER HAS PROVIDED FREELY GIVEN, SPECIFIC, INFORMED, AND
 UNAMBIGUOUS  OPT-IN  CONSENT TO PROCESS THEIR SENSITIVE DATA FOR A PROC-
 ESSING PURPOSE, A CONTROLLER MAY RELY ON SUCH CONSENT UNTIL IT IS  WITH-
 DRAWN.
   (E)  A  CONTROLLER MUST PROVIDE A MECHANISM FOR A CONSUMER TO WITHDRAW
 PREVIOUSLY GIVEN CONSENT AT ANY TIME. SUCH MECHANISM SHALL  MAKE  IT  AS
 EASY FOR A CONSUMER TO WITHDRAW THEIR CONSENT AS IT IS FOR SUCH CONSUMER
 TO PROVIDE CONSENT.
   (F)  A  CONTROLLER  MUST NOT INFER THAT A CONSUMER HAS PROVIDED FREELY
 GIVEN, SPECIFIC, INFORMED,  AND  UNAMBIGUOUS  OPT-IN  CONSENT  FROM  THE
 CONSUMER'S  INACTION  OR  THE  CONSUMER'S  CONTINUED USE OF A SERVICE OR
 PRODUCT PROVIDED BY THE CONTROLLER.
   (G) CONTROLLERS MUST NOT REQUEST  CONSENT  FROM  A  CONSUMER  WHO  HAS
 PREVIOUSLY  WITHHELD  OR DENIED CONSENT TO PROCESS SENSITIVE DATA, UNTIL
 AT LEAST TWELVE MONTHS AFTER A DENIAL, UNLESS CONSENT  IS  NECESSARY  TO
 PROVIDE THE SERVICES OR GOODS REQUESTED BY THE CONSUMER.
   (H) CONTROLLERS MUST TREAT USER-ENABLED PRIVACY CONTROLLERS IN A BROW-
 SER,  BROWSER  PLUG-IN, SMARTPHONE APPLICATION, OPERATING SYSTEM, DEVICE
 SETTING, OR OTHER MECHANISM THAT COMMUNICATES OR SIGNALS THE  CONSUMER'S
 CHOICES  TO OPT OUT OF THE PROCESSING OF PERSONAL DATA IN FURTHERANCE OF
 TARGETED ADVERTISING, THE SALE OF THEIR PERSONAL DATA, OR  PROFILING  IN
 FURTHERANCE  OF  DECISIONS  THAT  PRODUCE LEGAL OR SIMILARLY SIGNIFICANT
 EFFECTS CONCERNING THE CONSUMER AS A DENIAL OF CONSENT TO PROCESS SENSI-
 TIVE DATA UNDER THIS ARTICLE. TO THE EXTENT  THAT  THE  PRIVACY  CONTROL
 CONFLICTS  WITH  A  CONSUMER'S  CONSENT,  THE  PRIVACY  CONTROL SETTINGS
 S. 3044                            10
 
 GOVERN, UNLESS THE CONSUMER PROVIDES FREELY GIVEN,  SPECIFIC,  INFORMED,
 AND UNAMBIGUOUS OPT-IN CONSENT TO OVERRIDE THE PRIVACY CONTROL, HOWEVER,
 THE  CONTROLLER MAY NOTIFY SUCH CONSUMER OF SUCH CONFLICT AND PROVIDE TO
 THE    CONSUMER  THE  CHOICE TO GIVE CONTROLLER-SPECIFIC CONSENT TO SUCH
 PROCESSING.
   (I) (I) A CONTROLLER MUST NOT  DISCRIMINATE  AGAINST  A  CONSUMER  FOR
 WITHHOLDING OR DENYING CONSENT, INCLUDING, BUT NOT LIMITED TO, BY:
   (A)  DENYING  SERVICES  OR  GOODS TO THE CONSUMER, UNLESS THE CONSUMER
 DOES NOT CONSENT TO PROCESSING NECESSARY  TO  PROVIDE  THE  SERVICES  OR
 GOODS REQUESTED BY THE CONSUMER;
   (B) CHARGING DIFFERENT PRICES FOR GOODS OR SERVICES, INCLUDING THROUGH
 THE USE OF DISCOUNTS OR OTHER BENEFITS, IMPOSING PENALTIES, OR PROVIDING
 A DIFFERENT LEVEL OR QUALITY OF SERVICES OR GOODS TO THE CONSUMER; OR
   (C)  SUGGESTING  THAT  THE  CONSUMER WILL RECEIVE A DIFFERENT PRICE OR
 RATE FOR GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY  OF  SERVICES
 OR GOODS.
   (II)  A  CONTROLLER  SHALL NOT BE PROHIBITED FROM OFFERING A DIFFERENT
 PRICE, RATE, LEVEL, QUALITY, OR SELECTION OF  GOODS  OR  SERVICES  TO  A
 CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFER-
 ING  IS  IN CONNECTION WITH A CONSUMER'S VOLUNTARY PARTICIPATION IN BONA
 FIDE  LOYALTY,  REWARDS,  PREMIUM  FEATURES,  DISCOUNTS,  OR  CLUB  CARD
 PROGRAM.  IF  A CONSUMER EXERCISES THEIR RIGHT PURSUANT TO PARAGRAPH (A)
 OF SUBDIVISION TWO OF THIS SECTION, A CONTROLLER MAY NOT  SELL  PERSONAL
 DATA  TO  A THIRD PARTY CONTROLLER AS PART OF SUCH A PROGRAM UNLESS: (A)
 THE SALE IS REASONABLY NECESSARY TO ENABLE THE THIRD PARTY TO PROVIDE  A
 BENEFIT TO WHICH THE CONSUMER IS ENTITLED; (B) THE SALE OF PERSONAL DATA
 TO  THIRD  PARTIES IS CLEARLY DISCLOSED IN THE TERMS OF THE PROGRAM; AND
 (C) THE THIRD PARTY USES THE PERSONAL DATA ONLY FOR PURPOSES OF  FACILI-
 TATING  SUCH  A  BENEFIT  TO WHICH THE CONSUMER IS ENTITLED AND DOES NOT
 RETAIN OR OTHERWISE USE OR DISCLOSE THE  PERSONAL  DATA  FOR  ANY  OTHER
 PURPOSE.
   (J)  A  CONTROLLER  MAY,  WITH  THE CONSUMER'S FREELY GIVEN, SPECIFIC,
 INFORMED, AND UNAMBIGUOUS OPT-IN CONSENT GIVEN PURSUANT TO THIS SECTION,
 OPERATE A PROGRAM IN WHICH INFORMATION, PRODUCTS, OR  SERVICES  SOLD  TO
 THE  CONSUMER  ARE  DISCOUNTED  BASED  SOLELY  ON  SUCH CONSUMER'S PRIOR
 PURCHASES FROM THE CONTROLLER, PROVIDED THAT ANY SENSITIVE DATA USED  TO
 OPERATE  SUCH  PROGRAM  IS PROCESSED SOLELY FOR THE PURPOSE OF OPERATING
 SUCH PROGRAM.
   (K) IN THE EVENT OF A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER TRANS-
 ACTION IN WHICH ANOTHER ENTITY ASSUMES CONTROL OR OWNERSHIP  OF  ALL  OR
 MAJORITY  OF  THE  CONTROLLER'S  ASSETS,  ANY  CONSENT  PROVIDED  TO THE
 CONTROLLER BY A CONSUMER RELATING TO SENSITIVE DATA PRIOR TO SUCH TRANS-
 ACTION OTHER THAN CONSENT TO PROCESSING NECESSARY TO PROVIDE SERVICES OR
 GOODS REQUESTED BY THE CONSUMER, SHALL BE DEEMED WITHDRAWN.
   4. RIGHT TO ACCESS.  UPON  THE  VERIFIED  REQUEST  OF  A  CONSUMER,  A
 CONTROLLER SHALL:
   (A)  CONFIRM  WHETHER OR NOT THE CONTROLLER IS PROCESSING OR HAS PROC-
 ESSED PERSONAL DATA OF THAT CONSUMER, AND PROVIDE ACCESS TO  A  COPY  OF
 ANY  SUCH  PERSONAL  DATA  IN  A  MANNER  UNDERSTANDABLE TO A REASONABLE
 CONSUMER WHEN REQUESTED; AND
   (B) PROVIDE THE CATEGORY OF EACH PROCESSOR OR THIRD PARTY TO WHOM  THE
 CONTROLLER  DISCLOSED, TRANSFERRED, OR SOLD THE CONSUMER'S PERSONAL DATA
 AND, FOR EACH CATEGORY OF PROCESSOR OR THIRD PARTY, (I)  THE  CATEGORIES
 OF  THE CONSUMER'S PERSONAL DATA DISCLOSED, TRANSFERRED, OR SOLD TO EACH
 PROCESSOR OR THIRD PARTY AND (II) THE PURPOSES FOR WHICH  EACH  CATEGORY
 S. 3044                            11
 
 OF  THE  CONSUMER'S PERSONAL DATA WAS DISCLOSED, TRANSFERRED, OR SOLD TO
 EACH PROCESSOR OR THIRD PARTY.
   5. RIGHT TO PORTABLE DATA.  UPON A VERIFIED REQUEST, AND TO THE EXTENT
 TECHNICALLY FEASIBLE, THE CONTROLLER MUST: (A) PROVIDE TO THE CONSUMER A
 COPY  OF  ALL  OF, OR A PORTION OF, AS DESIGNATED IN A VERIFIED REQUEST,
 THE  CONSUMER'S  PERSONAL  DATA  IN  A  STRUCTURED,  COMMONLY  USED  AND
 MACHINE-READABLE  FORMAT  AND (B) TRANSMIT THE DATA TO ANOTHER PERSON OF
 THE CONSUMER'S OR THEIR AGENT'S DESIGNATION WITHOUT HINDRANCE.
   6. RIGHT TO CORRECT. (A) UPON THE VERIFIED REQUEST OF  A  CONSUMER  OR
 THEIR  AGENT,  A  CONTROLLER  MUST CONDUCT A REASONABLE INVESTIGATION TO
 DETERMINE WHETHER PERSONAL DATA, THE ACCURACY OF WHICH  IS  DISPUTED  BY
 THE  CONSUMER,  IS  INACCURATE,  WITH SUCH INVESTIGATION TO BE CONCLUDED
 WITHIN THE TIME PERIOD SET FORTH IN PARAGRAPH (A) OF  SUBDIVISION  EIGHT
 OF THIS SECTION.
   (B)  NOTWITHSTANDING  PARAGRAPH  (A) OF THIS SUBDIVISION, A CONTROLLER
 MAY TERMINATE AN INVESTIGATION INITIATED PURSUANT TO SUCH  PARAGRAPH  IF
 THE  CONTROLLER REASONABLY AND IN GOOD FAITH DETERMINES THAT THE DISPUTE
 BY THE CONSUMER IS WHOLLY WITHOUT MERIT, INCLUDING BY REASON OF A  FAIL-
 URE  BY  A CONSUMER TO PROVIDE SUFFICIENT INFORMATION TO INVESTIGATE THE
 DISPUTED PERSONAL DATA. UPON MAKING ANY DETERMINATION IN ACCORDANCE WITH
 THIS PARAGRAPH THAT A DISPUTE IS  WHOLLY  WITHOUT  MERIT,  A  CONTROLLER
 MUST,  WITHIN  THE TIME PERIOD SET FORTH IN PARAGRAPH (A) OF SUBDIVISION
 EIGHT OF THIS SECTION, PROVIDE THE  AFFECTED  CONSUMER  A  STATEMENT  IN
 WRITING THAT INCLUDES, AT A MINIMUM, THE SPECIFIC REASONS FOR THE DETER-
 MINATION,  AND IDENTIFICATION OF ANY INFORMATION REQUIRED TO INVESTIGATE
 THE DISPUTED PERSONAL DATA, WHICH MAY CONSIST  OF  A  STANDARDIZED  FORM
 DESCRIBING THE GENERAL NATURE OF SUCH INFORMATION.
   (C)  IF,  AFTER ANY INVESTIGATION UNDER PARAGRAPH (A) OF THIS SUBDIVI-
 SION OF ANY PERSONAL DATA  DISPUTED  BY  A  CONSUMER,  AN  ITEM  OF  THE
 PERSONAL  DATA  IS  FOUND  TO  BE INACCURATE OR INCOMPLETE, OR CANNOT BE
 VERIFIED, THE CONTROLLER MUST:
   (I) CORRECT THE INACCURATE OR INCOMPLETE PERSONAL DATA OF THE  CONSUM-
 ER; AND
   (II)  UNLESS IT PROVES IMPOSSIBLE OR INVOLVES DISPROPORTIONATE EFFORT,
 COMMUNICATE SUCH REQUEST TO EACH PROCESSOR OR THIRD PARTY  TO  WHOM  THE
 CONTROLLER  DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA WITHIN ONE
 YEAR PRECEDING THE CONSUMER'S REQUEST, AND TO REQUIRE  THOSE  PROCESSORS
 OR  THIRD  PARTIES  TO  DO  THE SAME FOR ANY FURTHER PROCESSORS OR THIRD
 PARTIES THEY DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO.
   (D) IF THE INVESTIGATION DOES NOT RESOLVE THE  DISPUTE,  THE  CONSUMER
 MAY  FILE WITH THE CONTROLLER A BRIEF STATEMENT SETTING FORTH THE NATURE
 OF THE DISPUTE. WHENEVER A STATEMENT OF A DISPUTE IS FILED, UNLESS THERE
 EXISTS REASONABLE GROUNDS TO BELIEVE THAT IT IS  WHOLLY  WITHOUT  MERIT,
 THE CONTROLLER MUST NOTE THAT IT IS DISPUTED BY THE CONSUMER AND INCLUDE
 EITHER  THE CONSUMER'S STATEMENT OR A CLEAR AND ACCURATE CODIFICATION OR
 SUMMARY  THEREOF  WITH  THE  DISPUTED  PERSONAL  DATA  WHENEVER  IT   IS
 DISCLOSED, TRANSFERRED, OR SOLD TO ANY PROCESSOR OR THIRD PARTY.
   7.  RIGHT  TO  DELETE.  (A) UPON THE VERIFIED REQUEST OF A CONSUMER, A
 CONTROLLER MUST:
   (I) WITHIN FORTY-FIVE  DAYS  AFTER  RECEIVING  THE  VERIFIED  REQUEST,
 DELETE  ANY  OR  ALL OF THE CONSUMER'S PERSONAL DATA, AS DIRECTED BY THE
 CONSUMER OR THEIR AGENT,  THAT THE CONTROLLER POSSESSES OR CONTROLS; AND
   (II) UNLESS IT PROVES IMPOSSIBLE OR INVOLVES  DISPROPORTIONATE  EFFORT
 THAT  IS  DOCUMENTED  IN  WRITING  BY  THE  CONTROLLER, COMMUNICATE SUCH
 REQUEST TO  EACH  PROCESSOR  OR  THIRD  PARTY  TO  WHOM  THE  CONTROLLER
 DISCLOSED, TRANSFERRED OR SOLD THE PERSONAL DATA WITHIN ONE YEAR PRECED-
 S. 3044                            12
 
 ING  THE  CONSUMER'S  REQUEST  AND  TO REQUIRE THOSE PROCESSORS OR THIRD
 PARTIES TO DO THE SAME FOR ANY FURTHER PROCESSORS OR THIRD PARTIES  THEY
 DISCLOSED, TRANSFERRED, OR SOLD THE PERSONAL DATA TO.
   (B) FOR PERSONAL DATA THAT IS NOT POSSESSED BY THE CONTROLLER BUT BY A
 PROCESSOR  OF  THE CONTROLLER, THE CONTROLLER MAY CHOOSE TO (I) COMMUNI-
 CATE THE CONSUMER'S REQUEST FOR  DELETION  TO  THE  PROCESSOR,  OR  (II)
 REQUEST  THAT  THE  PROCESSOR RETURN TO THE CONTROLLER THE PERSONAL DATA
 THAT IS THE SUBJECT OF THE CONSUMER'S REQUEST AND DELETE  SUCH  PERSONAL
 DATA UPON RECEIPT OF THE REQUEST.
   (C) A CONSUMER'S DELETION OF THEIR ONLINE ACCOUNT MUST BE TREATED AS A
 REQUEST TO THE CONTROLLER TO DELETE ALL OF THAT CONSUMER'S PERSONAL DATA
 DIRECTLY RELATED TO THAT ACCOUNT.
   (D)  A  CONTROLLER  MUST  MAINTAIN  REASONABLE  PROCEDURES DESIGNED TO
 PREVENT THE REAPPEARANCE IN ITS SYSTEMS, AND IN ANY DATA  IT  DISCLOSES,
 TRANSFERS,  OR  SELLS TO ANY PROCESSOR OR THIRD PARTY, THE PERSONAL DATA
 THAT IS DELETED PURSUANT TO THIS SUBDIVISION.
   (E) A CONTROLLER IS NOT REQUIRED TO COMPLY WITH A  CONSUMER'S  REQUEST
 TO DELETE PERSONAL DATA IF:
   (I)  COMPLYING  WITH  THE  REQUEST  WOULD  PREVENT THE CONTROLLER FROM
 PERFORMING ACCOUNTING  FUNCTIONS,  PROCESSING  REFUNDS,  EFFECTUATING  A
 PRODUCT  RECALL PURSUANT TO FEDERAL OR STATE LAW, OR FULFILLING WARRANTY
 CLAIMS, PROVIDED THAT THE PERSONAL DATA  THAT  IS  THE  SUBJECT  OF  THE
 REQUEST IS NOT PROCESSED FOR ANY PURPOSE OTHER THAN SUCH SPECIFIC ACTIV-
 ITIES; OR
   (II)  IT  IS  NECESSARY  FOR THE CONTROLLER TO MAINTAIN THE CONSUMER'S
 PERSONAL DATA TO ENGAGE IN PUBLIC OR PEER-REVIEWED  SCIENTIFIC,  HISTOR-
 ICAL, OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT ADHERES TO ALL
 OTHER APPLICABLE ETHICS AND PRIVACY LAWS, WHEN THE CONTROLLER'S DELETION
 OF  THE  INFORMATION  IS LIKELY TO RENDER IMPOSSIBLE OR SERIOUSLY IMPAIR
 THE ACHIEVEMENT OF SUCH RESEARCH, PROVIDED THAT THE CONSUMER  HAS  GIVEN
 INFORMED  CONSENT AND THE PERSONAL DATA IS NOT PROCESSED FOR ANY PURPOSE
 OTHER THAN SUCH RESEARCH.
   (F) WHERE A CONSUMER'S REQUEST FOR DELETION IS DENIED, THE  CONTROLLER
 SHALL PROVIDE THE CONSUMER WITH A WRITTEN JUSTIFICATION FOR SUCH DENIAL.
   8.    RESPONDING  TO REQUESTS. (A) A CONTROLLER MUST TAKE ACTION UNDER
 SUBDIVISIONS FOUR THROUGH SEVEN OF THIS SECTION AND INFORM THE  CONSUMER
 OF  ANY ACTIONS TAKEN WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY-
 FIVE DAYS OF RECEIPT OF THE REQUEST. THAT PERIOD MAY BE EXTENDED ONCE BY
 FORTY-FIVE ADDITIONAL  DAYS  WHERE  REASONABLY  NECESSARY,  TAKING  INTO
 ACCOUNT  THE  COMPLEXITY AND NUMBER OF THE REQUESTS. THE CONTROLLER MUST
 INFORM THE CONSUMER OF ANY SUCH  EXTENSION  WITHIN  FORTY-FIVE  DAYS  OF
 RECEIPT  OF THE REQUEST, TOGETHER WITH THE REASONS FOR THE DELAY. WHEN A
 CONTROLLER DENIES ANY SUCH REQUEST, IT MUST WITHIN THIS PERIOD  DISCLOSE
 TO  THE  CONSUMER A STATEMENT IN WRITING OF THE SPECIFIC REASONS FOR THE
 DENIAL AND INSTRUCTIONS FOR HOW TO APPEAL THE DECISION.
   (B) A CONTROLLER SHALL PERMIT THE EXERCISE OF RIGHTS AND CARRY OUT ITS
 OBLIGATIONS SET FORTH IN SUBDIVISIONS FOUR THROUGH SEVEN OF THIS SECTION
 FREE OF CHARGE, AT LEAST TWICE ANNUALLY TO THE CONSUMER. WHERE  REQUESTS
 FROM  A  CONSUMER  ARE  MANIFESTLY UNFOUNDED OR EXCESSIVE, IN PARTICULAR
 BECAUSE OF THEIR REPETITIVE CHARACTER, THE  CONTROLLER  MAY  EITHER  (I)
 CHARGE  A  REASONABLE FEE TO COVER THE ADMINISTRATIVE COSTS OF COMPLYING
 WITH THE REQUEST OR (II) REFUSE TO ACT ON THE  REQUEST  AND  NOTIFY  THE
 CONSUMER  OF  THE  REASON FOR REFUSING THE REQUEST. THE CONTROLLER BEARS
 THE BURDEN OF DEMONSTRATING THE MANIFESTLY UNFOUNDED OR EXCESSIVE  CHAR-
 ACTER OF THE REQUEST.
 S. 3044                            13
 
   (C)  (I)  A  CONTROLLER  SHALL  PROMPTLY  ATTEMPT,  USING COMMERCIALLY
 REASONABLE EFFORTS, TO VERIFY THAT ALL REQUESTS TO EXERCISE  ANY  RIGHTS
 SET  FORTH  IN  ANY SECTION OF THIS ARTICLE REQUIRING A VERIFIED REQUEST
 WERE MADE BY THE CONSUMER WHO IS THE SUBJECT OF THE DATA, OR BY A PERSON
 LAWFULLY  EXERCISING  THE  RIGHT  ON  BEHALF  OF THE CONSUMER WHO IS THE
 SUBJECT OF THE DATA. COMMERCIALLY REASONABLE EFFORTS SHALL BE DETERMINED
 BASED ON THE TOTALITY OF THE CIRCUMSTANCES, INCLUDING THE NATURE OF  THE
 DATA IMPLICATED BY THE REQUEST.
   (II)  A  CONTROLLER  MAY  REQUIRE  THE  CONSUMER TO PROVIDE ADDITIONAL
 INFORMATION ONLY IF THE REQUEST CANNOT REASONABLY  BE  VERIFIED  WITHOUT
 THE  PROVISION  OF  SUCH  ADDITIONAL  INFORMATION. A CONTROLLER MUST NOT
 TRANSFER OR PROCESS ANY SUCH ADDITIONAL INFORMATION PROVIDED PURSUANT TO
 THIS SECTION FOR ANY OTHER PURPOSE AND MUST DELETE ANY  SUCH  ADDITIONAL
 INFORMATION  WITHOUT UNDUE DELAY AND IN ANY EVENT WITHIN FORTY-FIVE DAYS
 AFTER THE CONTROLLER HAS NOTIFIED THE CONSUMER THAT IT HAS TAKEN  ACTION
 ON  A  REQUEST  UNDER SUBDIVISIONS FOUR THROUGH SEVEN OF THIS SECTION AS
 DESCRIBED IN PARAGRAPH (A) OF THIS SUBDIVISION.
   (III) IF A CONTROLLER DISCLOSES THIS  ADDITIONAL  INFORMATION  TO  ANY
 PROCESSOR  OR  THIRD  PARTY  FOR  THE  PURPOSE  OF  VERIFYING A CONSUMER
 REQUEST, IT MUST NOTIFY THE RECEIVING PROCESSOR OR THIRD  PARTY  AT  THE
 TIME  OF  SUCH  DISCLOSURE,  OR AS CLOSE IN TIME TO THE DISCLOSURE AS IS
 REASONABLY PRACTICABLE,  THAT  SUCH  INFORMATION  WAS  PROVIDED  BY  THE
 CONSUMER  FOR  THE  SOLE PURPOSE OF VERIFICATION AND CANNOT BE PROCESSED
 FOR ANY PURPOSE OTHER THAN VERIFICATION.
   9. IMPLEMENTATION OF RIGHTS. CONTROLLERS MUST PROVIDE EASILY  ACCESSI-
 BLE  AND  CONVENIENT  MEANS FOR CONSUMERS TO EXERCISE THEIR RIGHTS UNDER
 THIS ARTICLE.
   10. NON-WAIVER OF RIGHTS. ANY PROVISION OF A CONTRACT OR AGREEMENT  OF
 ANY  KIND THAT PURPORTS TO WAIVE OR LIMIT IN ANY WAY A CONSUMER'S RIGHTS
 UNDER THIS ARTICLE IS CONTRARY TO PUBLIC POLICY AND IS  VOID  AND  UNEN-
 FORCEABLE.
   §  1203.  CONTROLLER,  PROCESSOR, AND THIRD PARTY RESPONSIBILITIES. 1.
 CONTROLLER RESPONSIBILITIES. (A)  DATA  PROTECTION  ASSESSMENTS.  (I)  A
 CONTROLLER  SHALL  REGULARLY  CONDUCT  AND  DOCUMENT  A  DATA PROTECTION
 ASSESSMENT FOR EACH  OF  THE  CONTROLLER'S  PROCESSING  ACTIVITIES  THAT
 PRESENTS  A  HEIGHTENED  RISK OF HARM TO A CONSUMER. FOR THE PURPOSES OF
 THIS SECTION, PROCESSING THAT PRESENTS A HEIGHTENED RISK OF  HARM  TO  A
 CONSUMER  INCLUDES: (A) THE PROCESSING OF PERSONAL DATA FOR THE PURPOSES
 OF TARGETING ADVERTISING, (B) THE SALE OF PERSONAL DATA, (C)  THE  PROC-
 ESSING  OF  PERSONAL  DATA  FOR  THE  PURPOSES  OF PROFILING, WHERE SUCH
 PROFILING PRESENTS A REASONABLY FORESEEABLE RISK OF (I) UNFAIR OR DECEP-
 TIVE TREATMENT OF, OR  UNLAWFUL  DISPARATE  IMPACT  ON  CONSUMERS,  (II)
 FINANCIAL,  PHYSICAL  OR REPUTATIONAL INJURY TO CONSUMERS, (III) A PHYS-
 ICAL OR OTHER INTRUSION UPON THE SOLITUDE OR SECLUSION, OR  THE  PRIVATE
 AFFAIRS OR CONCERNS OF CONSUMERS WHERE SUCH INTRUSION WOULD BE OFFENSIVE
 TO  A  REASONABLE PERSON, OR (IV) OTHER SUBSTANTIAL INJURY TO CONSUMERS;
 AND (D) THE PROCESSING OF SENSITIVE DATA.
   (II) DATA PROTECTION ASSESSMENTS CONDUCTED  PURSUANT  TO  SUBPARAGRAPH
 (I)  OF  THIS  PARAGRAPH  SHALL IDENTIFY AND WEIGH THE BENEFITS THAT MAY
 FLOW, DIRECTLY AND INDIRECTLY, FROM THE PROCESSING  TO  THE  CONTROLLER,
 THE  CONSUMER,  OTHER  STAKEHOLDERS AND THE PUBLIC AGAINST THE POTENTIAL
 RISKS TO THE RIGHTS OF THE CONSUMER ASSOCIATED WITH SUCH PROCESSING,  AS
 MITIGATED BY SAFEGUARDS THAT CAN BE EMPLOYED BY THE CONTROLLER TO REDUCE
 SUCH  RISKS.  THE  CONTROLLER SHALL FACTOR INTO ANY SUCH DATA PROTECTION
 ASSESSMENT THAT USE OF DEIDENTIFIED DATA AND THE REASONABLE EXPECTATIONS
 OF CONSUMERS, AS WELL AS THE CONTEXT OF THE PROCESSING AND THE RELATION-
 S. 3044                            14
 
 SHIP BETWEEN THE CONTROLLER AND THE CONSUMER WHOSE PERSONAL DATA WILL BE
 PROCESSED.
   (III)  THE ATTORNEY GENERAL MAY REQUIRE THAT A CONTROLLER DISCLOSE ANY
 DATA  PROTECTION  ASSESSMENT  THAT  IS  RELEVANT  TO  AN   INVESTIGATION
 CONDUCTED  BY  THE  ATTORNEY  GENERAL, AND THE CONTROLLER SHALL MAKE THE
 DATA PROTECTION ASSESSMENT AVAILABLE TO THE ATTORNEY GENERAL. THE ATTOR-
 NEY GENERAL MAY  EVALUATE  THE  DATA  PROTECTION  ASSESSMENT  TO  ASSESS
 COMPLIANCE  WITH THE PROVISIONS OF THIS ARTICLE. DATA PROTECTION ASSESS-
 MENTS SHALL BE CONFIDENTIAL AND SHALL BE EXEMPT  FROM  DISCLOSURE  UNDER
 THE  FREEDOM OF INFORMATION LAW. TO THE EXTENT ANY INFORMATION CONTAINED
 IN A DATA PROTECTION  ASSESSMENT  DISCLOSURE  TO  THE  ATTORNEY  GENERAL
 INCLUDES  INFORMATION SUBJECT TO ATTORNEY-CLIENT PRIVILEGE OR WORK PROD-
 UCT PROTECTION, SUCH DISCLOSURE SHALL NOT CONSTITUTE A  WAIVER  OF  SUCH
 PRIVILEGE OR PROTECTION.
   (IV)  A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A COMPARABLE SET
 OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR ACTIVITIES.
   (V) IF A CONTROLLER CONDUCTS A  DATA  PROTECTION  ASSESSMENT  FOR  THE
 PURPOSE OF COMPLYING WITH ANOTHER APPLICABLE LAW OR REGULATION, THE DATA
 PROTECTION ASSESSMENT SHALL BE DEEMED TO SATISFY THE REQUIREMENTS ESTAB-
 LISHED  IN THIS SECTION IF SUCH DATA PROTECTION ASSESSMENT IS REASONABLY
 SIMILAR IN SCOPE AND EFFECT TO THE DATA PROTECTION ASSESSMENT THAT WOULD
 OTHERWISE BE CONDUCTED PURSUANT TO THIS SECTION.
   (VI) DATA PROTECTION ASSESSMENT REQUIREMENTS SHALL APPLY TO PROCESSING
 ACTIVITIES CREATED OR GENERATED AFTER THE EFFECTIVE DATE OF  THIS  ARTI-
 CLE.
   (B)  CONTROLLERS MUST NOT ENGAGE IN UNFAIR, DECEPTIVE, OR ABUSIVE ACTS
 OR PRACTICES WITH RESPECT TO OBTAINING CONSUMER CONSENT, THE  PROCESSING
 OF  PERSONAL  DATA,  AND  A CONSUMER'S EXERCISE OF ANY RIGHTS UNDER THIS
 ARTICLE, INCLUDING WITHOUT LIMITATION:
   (I) DESIGNING A USER INTERFACE WITH THE PURPOSE OR SUBSTANTIAL  EFFECT
 OF  DECEIVING CONSUMERS, OBSCURING CONSUMERS' RIGHTS UNDER THIS ARTICLE,
 OR SUBVERTING OR IMPAIRING USER AUTONOMY, DECISION-MAKING, OR CHOICE; OR
   (II) OBTAINING CONSENT IN A MANNER DESIGNED TO OVERPOWER A  CONSUMER'S
 RESISTANCE; FOR EXAMPLE, BY MAKING EXCESSIVE REQUESTS FOR CONSENT.
   (C) CONTROLLERS MUST DEVELOP, IMPLEMENT, AND MAINTAIN REASONABLE SAFE-
 GUARDS  TO  PROTECT  THE  SECURITY, CONFIDENTIALITY AND INTEGRITY OF THE
 PERSONAL DATA OF CONSUMERS INCLUDING ADOPTING REASONABLE ADMINISTRATIVE,
 TECHNICAL AND PHYSICAL SAFEGUARDS APPROPRIATE TO THE VOLUME  AND  NATURE
 OF THE PERSONAL DATA AT ISSUE.
   (D) (I) A CONTROLLER SHALL LIMIT THE USE AND RETENTION OF A CONSUMER'S
 PERSONAL  DATA TO WHAT IS (A) NECESSARY TO PROVIDE THE SERVICES OR GOODS
 REQUESTED BY THE CONSUMER, (B) NECESSARY FOR THE INTERNAL BUSINESS OPER-
 ATIONS OF THE CONTROLLER AND CONSISTENT WITH THE DISCLOSURES MADE TO THE
 CONSUMER PURSUANT TO SECTION TWELVE HUNDRED TWO OF THIS ARTICLE, OR  (C)
 NECESSARY TO COMPLY WITH THE LEGAL OBLIGATIONS OF THE CONTROLLER.
   (II)  AT LEAST ANNUALLY, A CONTROLLER SHALL REVIEW ITS RETENTION PRAC-
 TICES FOR THE PURPOSE OF ENSURING THAT IT  IS  MAINTAINING  THE  MINIMUM
 AMOUNT  OF  PERSONAL DATA AS IS NECESSARY FOR THE OPERATION OF ITS BUSI-
 NESS. A CONTROLLER MUST SECURELY DISPOSE OF ALL PERSONAL DATA THAT IS NO
 LONGER (A) NECESSARY TO PROVIDE THE SERVICES OR GOODS REQUESTED  BY  THE
 CONSUMER,  (B)  NECESSARY  FOR  THE  INTERNAL BUSINESS OPERATIONS OF THE
 CONTROLLER AND CONSISTENT WITH THE  DISCLOSURES  MADE  TO  THE  CONSUMER
 PURSUANT TO SECTION TWELVE HUNDRED TWO OF THIS ARTICLE, OR (C) NECESSARY
 TO COMPLY WITH THE LEGAL OBLIGATIONS OF THE CONTROLLER.
 S. 3044                            15
 
   (E)  NON-DISCRIMINATION.  (I)  (A)  A CONTROLLER MUST NOT DISCRIMINATE
 AGAINST A CONSUMER FOR EXERCISING RIGHTS UNDER THIS  ARTICLE,  INCLUDING
 BUT NOT LIMITED TO, BY:
   (I) DENYING SERVICES OR GOODS TO CONSUMERS;
   (II)  CHARGING  DIFFERENT  PRICES  FOR  SERVICES  OR  GOODS, INCLUDING
 THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS; IMPOSING  PENALTIES;  OR
 PROVIDING  A  DIFFERENT  LEVEL  OR  QUALITY  OF SERVICES OR GOODS TO THE
 CONSUMER; OR
   (III) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT  PRICE  OR
 RATE  FOR  SERVICES OR GOODS OR A DIFFERENT LEVEL OR QUALITY OF SERVICES
 OR GOODS.
   (B) A CONTROLLER SHALL NOT BE PROHIBITED  FROM  OFFERING  A  DIFFERENT
 PRICE,  RATE,  LEVEL,  QUALITY,  OR  SELECTION OF GOODS OR SERVICES TO A
 CONSUMER, INCLUDING OFFERING GOODS OR SERVICES FOR NO FEE, IF THE OFFER-
 ING IS IN CONNECTION WITH A CONSUMER'S VOLUNTARY PARTICIPATION  IN  BONA
 FIDE  LOYALTY,  REWARDS,  PREMIUM  FEATURES,  DISCOUNTS,  OR  CLUB  CARD
 PROGRAM. IF A CONSUMER EXERCISES THEIR RIGHT PURSUANT TO  PARAGRAPH  (A)
 OF  SUBDIVISION  TWO  OF  SECTION  TWELVE HUNDRED TWO OF THIS ARTICLE, A
 CONTROLLER MAY NOT SELL PERSONAL DATA TO A  THIRD  PARTY  CONTROLLER  AS
 PART  OF  SUCH A PROGRAM UNLESS: (I) THE SALE IS REASONABLY NECESSARY TO
 ENABLE THE THIRD PARTY TO PROVIDE A BENEFIT TO  WHICH  THE  CONSUMER  IS
 ENTITLED;  (II)  THE  SALE  OF PERSONAL DATA TO THIRD PARTIES IS CLEARLY
 DISCLOSED IN THE TERMS OF THE PROGRAM; AND (III) THE  THIRD  PARTY  USES
 THE  PERSONAL  DATA  ONLY FOR PURPOSES OF FACILITATING SUCH A BENEFIT TO
 WHICH THE CONSUMER IS ENTITLED AND DOES NOT RETAIN OR OTHERWISE  USE  OR
 DISCLOSE THE PERSONAL DATA FOR ANY OTHER PURPOSE.
   (II)  THIS  PARAGRAPH  DOES  NOT  APPLY TO A CONTROLLER'S CONDUCT WITH
 RESPECT TO OPT-IN CONSENT, IN WHICH CASE PARAGRAPH  (J)  OF  SUBDIVISION
 THREE OF SECTION TWELVE HUNDRED TWO OF THIS ARTICLE GOVERNS.
   (F)  AGREEMENTS  WITH  PROCESSORS.  (I)  BEFORE MAKING ANY DISCLOSURE,
 TRANSFER, OR SALE OF PERSONAL DATA TO ANY PROCESSOR, THE CONTROLLER MUST
 ENTER INTO A WRITTEN, SIGNED CONTRACT WITH THAT PROCESSOR. SUCH CONTRACT
 MUST BE BINDING AND CLEARLY SET FORTH INSTRUCTIONS FOR PROCESSING  DATA,
 THE  NATURE AND PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROC-
 ESSING, THE DURATION OF PROCESSING, AND THE RIGHTS  AND  OBLIGATIONS  OF
 BOTH  PARTIES.  THE  CONTRACT  MUST  ALSO  INCLUDE REQUIREMENTS THAT THE
 PROCESSOR MUST:
   (A) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS SUBJECT  TO  A
 DUTY OF CONFIDENTIALITY WITH RESPECT TO THE DATA;
   (B)  PROTECT  THE DATA IN A MANNER CONSISTENT WITH THE REQUIREMENTS OF
 THIS ARTICLE AND AT LEAST EQUAL TO  THE  SECURITY  REQUIREMENTS  OF  THE
 CONTROLLER  SET  FORTH IN THEIR PUBLICLY AVAILABLE POLICIES, NOTICES, OR
 SIMILAR STATEMENTS;
   (C) PROCESS THE DATA ONLY WHEN AND TO THE EXTENT NECESSARY  TO  COMPLY
 WITH ITS LEGAL OBLIGATIONS TO THE CONTROLLER UNLESS OTHERWISE EXPLICITLY
 AUTHORIZED BY THE CONTROLLER;
   (D) NOT COMBINE THE PERSONAL DATA WHICH THE PROCESSOR RECEIVES FROM OR
 ON  BEHALF  OF  THE  CONTROLLER  WITH  PERSONAL DATA WHICH THE PROCESSOR
 RECEIVES FROM OR ON BEHALF OF ANOTHER PERSON OR COLLECTS  FROM  ITS  OWN
 INTERACTION WITH CONSUMERS;
   (E)  COMPLY  WITH  ANY  EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION
 TWELVE HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF  THE  CONTROLLER,
 SUBJECT  TO  THE LIMITATIONS SET FORTH IN SECTION TWELVE HUNDRED FIVE OF
 THIS ARTICLE;
 S. 3044                            16
 
   (F) AT THE CONTROLLER'S DIRECTION, DELETE OR RETURN ALL PERSONAL  DATA
 TO  THE CONTROLLER AS REQUESTED AT THE END OF THE PROVISION OF SERVICES,
 UNLESS RETENTION OF THE PERSONAL DATA IS REQUIRED BY LAW;
   (G)  UPON  THE REASONABLE REQUEST OF THE CONTROLLER, MAKE AVAILABLE TO
 THE CONTROLLER ALL DATA IN ITS POSSESSION NECESSARY TO  DEMONSTRATE  THE
 PROCESSOR'S COMPLIANCE WITH THE OBLIGATIONS IN THIS ARTICLE;
   (H)  ALLOW, AND COOPERATE WITH, REASONABLE ASSESSMENTS BY THE CONTROL-
 LER OR THE CONTROLLER'S DESIGNATED ASSESSOR; ALTERNATIVELY, THE PROCESS-
 OR MAY ARRANGE FOR A QUALIFIED AND INDEPENDENT ASSESSOR  TO  CONDUCT  AN
 ASSESSMENT  OF THE PROCESSOR'S POLICIES AND TECHNICAL AND ORGANIZATIONAL
 MEASURES IN SUPPORT OF THE  OBLIGATIONS  UNDER  THIS  ARTICLE  USING  AN
 APPROPRIATE  AND  ACCEPTED  CONTROL STANDARD OR FRAMEWORK AND ASSESSMENT
 PROCEDURE FOR SUCH ASSESSMENTS. THE PROCESSOR SHALL PROVIDE A REPORT  OF
 SUCH ASSESSMENT TO THE CONTROLLER UPON REQUEST;
   (I) A REASONABLE TIME IN ADVANCE BEFORE DISCLOSING OR TRANSFERRING THE
 DATA TO ANY FURTHER PROCESSORS, NOTIFY THE CONTROLLER OF SUCH A PROPOSED
 DISCLOSURE  OR  TRANSFER  AND  PROVIDE  THE CONTROLLER AN OPPORTUNITY TO
 APPROVE OR REJECT THE PROPOSAL; AND
   (J) ENGAGE  ANY  FURTHER  PROCESSOR  PURSUANT  TO  A  WRITTEN,  SIGNED
 CONTRACT  THAT  INCLUDES  THE  CONTRACTUAL REQUIREMENTS PROVIDED IN THIS
 PARAGRAPH, CONTAINING AT MINIMUM THE SAME OBLIGATIONS THAT THE PROCESSOR
 HAS ENTERED INTO WITH REGARD TO THE DATA.
   (II) A CONTROLLER MUST NOT AGREE  TO  INDEMNIFY,  DEFEND,  OR  HOLD  A
 PROCESSOR  HARMLESS,  OR  AGREE  TO  A  PROVISION THAT HAS THE EFFECT OF
 INDEMNIFYING, DEFENDING, OR HOLDING THE PROCESSOR HARMLESS, FROM  CLAIMS
 OR  LIABILITY  ARISING  FROM  THE  PROCESSOR'S  BREACH  OF  THE CONTRACT
 REQUIRED BY CLAUSE (A) OF  SUBPARAGRAPH  (I)  OF  THIS  PARAGRAPH  OR  A
 VIOLATION  OF  THIS ARTICLE. ANY PROVISION OF AN AGREEMENT THAT VIOLATES
 THIS SUBPARAGRAPH IS CONTRARY TO PUBLIC POLICY AND  IS  VOID  AND  UNEN-
 FORCEABLE.
   (III)  NOTHING  IN THIS PARAGRAPH RELIEVES A CONTROLLER OR A PROCESSOR
 FROM THE LIABILITIES IMPOSED ON IT BY VIRTUE OF ITS ROLE IN THE PROCESS-
 ING RELATIONSHIP AS DEFINED BY THIS ARTICLE.
   (IV) DETERMINING WHETHER A PERSON IS ACTING AS A CONTROLLER OR PROCES-
 SOR WITH RESPECT TO A SPECIFIC PROCESSING OF DATA IS A FACT-BASED DETER-
 MINATION THAT DEPENDS UPON THE CONTEXT IN WHICH PERSONAL DATA IS  TO  BE
 PROCESSED.  A  PROCESSOR  THAT  CONTINUES  TO  ADHERE  TO A CONTROLLER'S
 INSTRUCTIONS WITH RESPECT TO A  SPECIFIC  PROCESSING  OF  PERSONAL  DATA
 REMAINS A PROCESSOR.
   (G)  THIRD  PARTIES. (I) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANS-
 FER, OR SELL PERSONAL DATA, OR  FACILITATE  OR  ENABLE  THE  PROCESSING,
 DISCLOSURE,  TRANSFER,  OR  SALE  TO  A THIRD PARTY OF PERSONAL DATA FOR
 WHICH A CONSUMER HAS EXERCISED THEIR OPT-OUT RIGHTS PURSUANT TO SUBDIVI-
 SION TWO OF SECTION TWELVE HUNDRED TWO OF THIS  ARTICLE,  OR  FOR  WHICH
 CONSENT  OF THE CONSUMER PURSUANT TO SUBDIVISION THREE OF SECTION TWELVE
 HUNDRED TWO OF THIS ARTICLE, HAS NOT BEEN OBTAINED OR IS  NOT  CURRENTLY
 IN EFFECT. ANY REQUEST FOR CONSENT TO SHARE, DISCLOSE, TRANSFER, OR SELL
 PERSONAL  DATA,  OR  TO FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE,
 TRANSFER, OR SALE OF PERSONAL DATA TO A THIRD PARTY OF PERSONAL DATA  TO
 A  THIRD  PARTY MUST CLEARLY INCLUDE THE CATEGORY OF THE THIRD PARTY AND
 THE PROCESSING PURPOSES FOR WHICH THE THIRD PARTY MAY USE  THE  PERSONAL
 DATA.
   (II) A CONTROLLER MUST NOT SHARE, DISCLOSE, TRANSFER, OR SELL PERSONAL
 DATA,  OR  FACILITATE OR ENABLE THE PROCESSING, DISCLOSURE, TRANSFER, OR
 SALE TO A THIRD PARTY OF PERSONAL DATA IF IT CAN REASONABLY  EXPECT  THE
 PERSONAL DATA OF A CONSUMER TO BE USED FOR PURPOSES FOR WHICH A CONSUMER
 S. 3044                            17
 
 HAS  EXERCISED  THEIR  OPT-OUT  RIGHTS  PURSUANT  TO  SUBDIVISION TWO OF
 SECTION TWELVE HUNDRED TWO OF THIS ARTICLE, OR FOR  WHICH  THE  CONSUMER
 HAS  NOT  CONSENTED  TO  PURSUANT TO SUBDIVISION THREE OF SECTION TWELVE
 HUNDRED  TWO  OF  THIS  ARTICLE, OR IF IT CAN REASONABLY EXPECT THAT ANY
 RIGHTS OF THE CONSUMER PROVIDED IN THIS ARTICLE WOULD BE COMPROMISED  AS
 A RESULT OF SUCH TRANSACTION.
   (III) BEFORE MAKING ANY DISCLOSURE, TRANSFER, OR SALE OF PERSONAL DATA
 TO  ANY  THIRD  PARTY,  THE CONTROLLER MUST ENTER INTO A WRITTEN, SIGNED
 CONTRACT. SUCH CONTRACT MUST BE  BINDING  AND  THE  SCOPE,  NATURE,  AND
 PURPOSE OF PROCESSING, THE TYPE OF DATA SUBJECT TO PROCESSING, THE DURA-
 TION  OF  PROCESSING,  AND  THE  RIGHTS AND OBLIGATIONS OF BOTH PARTIES.
 SUCH CONTRACT MUST INCLUDE REQUIREMENTS THAT THE THIRD PARTY:
   (A) PROCESS THAT DATA ONLY TO THE EXTENT PERMITTED  BY  THE  AGREEMENT
 ENTERED INTO WITH THE CONTROLLER; AND
   (B)  PROVIDE  A MECHANISM TO COMPLY WITH ANY EXERCISES OF A CONSUMER'S
 RIGHTS UNDER SECTION TWELVE HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST
 OF THE CONTROLLER, SUBJECT TO ANY LIMITATIONS THEREON AS  AUTHORIZED  BY
 THIS ARTICLE; AND
   (C)  TO  THE  EXTENT THE DISCLOSURE, TRANSFER, OR SALE OF THE PERSONAL
 DATA CAUSES THE THIRD PARTY TO BECOME  A  CONTROLLER,  COMPLY  WITH  ALL
 OBLIGATIONS IMPOSED ON CONTROLLERS UNDER THIS ARTICLE.
   2.  PROCESSOR  RESPONSIBILITIES.  (A)  FOR  ANY  PERSONAL DATA THAT IS
 OBTAINED, RECEIVED, PURCHASED, OR OTHERWISE  ACQUIRED  BY  A  PROCESSOR,
 WHETHER DIRECTLY FROM A CONTROLLER OR INDIRECTLY FROM ANOTHER PROCESSOR,
 THE PROCESSOR MUST COMPLY WITH THE REQUIREMENTS SET FORTH IN CLAUSES (A)
 THROUGH  (J)  OF SUBPARAGRAPH (I) OF PARAGRAPH (F) OF SUBDIVISION ONE OF
 THIS SECTION.
   (B) A PROCESSOR IS NOT REQUIRED TO COMPLY  WITH  A  REQUEST  SUBMITTED
 PURSUANT TO THIS ARTICLE IF (I) THE CONSUMER SUBMITS THE REQUEST DIRECT-
 LY TO THE PROCESSOR; AND (II) THE PROCESSOR HAS PROCESSED THE CONSUMER'S
 PERSONAL DATA SOLELY IN ITS ROLE AS A PROCESSOR FOR A CONTROLLER.
   (C)  PROCESSORS  SHALL  BE  UNDER A CONTINUING OBLIGATION TO ENGAGE IN
 REASONABLE MEASURES TO REVIEW THEIR ACTIVITIES  FOR  CIRCUMSTANCES  THAT
 MAY HAVE ALTERED THEIR ABILITY TO IDENTIFY A SPECIFIC NATURAL PERSON AND
 TO  UPDATE  THEIR  CLASSIFICATIONS OF DATA AS IDENTIFIED OR IDENTIFIABLE
 ACCORDINGLY.
   (D) A PROCESSOR SHALL NOT ENGAGE IN ANY SALE OF  PERSONAL  DATA  OTHER
 THAN  ON BEHALF OF THE CONTROLLER PURSUANT TO ANY AGREEMENT ENTERED INTO
 WITH THE CONTROLLER.
   3. THIRD PARTY RESPONSIBILITIES.    FOR  ANY  PERSONAL  DATA  THAT  IS
 OBTAINED,  RECEIVED,  PURCHASED,  OR OTHERWISE ACQUIRED OR ACCESSED BY A
 THIRD PARTY FROM A CONTROLLER OR PROCESSOR, THE THIRD PARTY MUST:
   (A) PROCESS THAT DATA ONLY TO THE EXTENT PERMITTED BY  ANY  AGREEMENTS
 ENTERED INTO WITH THE CONTROLLER;
   (B)  COMPLY  WITH  ANY  EXERCISES OF A CONSUMER'S RIGHTS UNDER SECTION
 TWELVE HUNDRED TWO OF THIS ARTICLE UPON THE REQUEST OF THE CONTROLLER OR
 PROCESSOR, SUBJECT TO ANY LIMITATIONS  THEREON  AS  AUTHORIZED  BY  THIS
 ARTICLE; AND
   (C)  TO  THE  EXTENT THE THIRD PARTY BECOMES A CONTROLLER FOR PERSONAL
 DATA, COMPLY WITH ALL OBLIGATIONS  IMPOSED  ON  CONTROLLERS  UNDER  THIS
 ARTICLE.
   4. EXCEPTIONS. THE REQUIREMENTS OF THIS SECTION SHALL NOT APPLY WHERE:
   (A) THE PROCESSING IS REQUIRED BY LAW;
   (B)  THE PROCESSING IS MADE PURSUANT TO A REQUEST BY A FEDERAL, STATE,
 OR LOCAL GOVERNMENT OR GOVERNMENT ENTITY; OR
 S. 3044                            18
 
   (C) THE PROCESSING SIGNIFICANTLY ADVANCES PROTECTION AGAINST  CRIMINAL
 OR TORTIOUS ACTIVITY.
   § 1204. DATA BROKERS. 1. A DATA BROKER, AS DEFINED UNDER THIS ARTICLE,
 MUST  ANNUALLY,  ON  OR  BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN
 WHICH A PERSON MEETS THE DEFINITION OF DATA BROKER IN THIS ARTICLE:
   (A) REGISTER WITH THE ATTORNEY GENERAL;
   (B) PAY A REGISTRATION FEE OF ONE  HUNDRED  DOLLARS  OR  AS  OTHERWISE
 DETERMINED  BY THE ATTORNEY GENERAL PURSUANT TO THE REGULATORY AUTHORITY
 GRANTED TO THE ATTORNEY GENERAL UNDER THIS ARTICLE, NOT  TO  EXCEED  THE
 REASONABLE  COST OF ESTABLISHING AND MAINTAINING THE DATABASE AND INFOR-
 MATIONAL WEBSITE DESCRIBED IN THIS SECTION; AND
   (C) PROVIDE THE FOLLOWING INFORMATION:
   (I) THE NAME AND PRIMARY PHYSICAL, EMAIL, AND INTERNET WEBSITE ADDRESS
 OF THE DATA BROKER;
   (II) THE NAME AND BUSINESS ADDRESS OF AN OFFICER OR  REGISTERED  AGENT
 OF  THE  DATA BROKER AUTHORIZED TO ACCEPT LEGAL PROCESS ON BEHALF OF THE
 DATA BROKER;
   (III) A STATEMENT  DESCRIBING  THE  METHOD  FOR  EXERCISING  CONSUMERS
 RIGHTS UNDER SECTION TWELVE HUNDRED TWO OF THIS ARTICLE;
   (IV)  A  STATEMENT  WHETHER  THE  DATA  BROKER  IMPLEMENTS A PURCHASER
 CREDENTIALING PROCESS; AND
   (V) ANY ADDITIONAL INFORMATION OR EXPLANATION THE DATA BROKER  CHOOSES
 TO PROVIDE CONCERNING ITS DATA COLLECTION PRACTICES.
   2. NOTWITHSTANDING ANY OTHER PROVISION OF THIS ARTICLE, ANY CONTROLLER
 THAT CONDUCTS BUSINESS IN THE STATE OF NEW YORK MUST:
   (A)  ANNUALLY,  ON  OR BEFORE JANUARY THIRTY-FIRST FOLLOWING A YEAR IN
 WHICH A PERSON MEETS THE  DEFINITION  OF  CONTROLLER  IN  THIS  ARTICLE,
 PROVIDE  TO  THE  ATTORNEY GENERAL A LIST OF ALL DATA BROKERS OR PERSONS
 REASONABLY BELIEVED TO BE DATA BROKERS TO WHICH THE CONTROLLER  PROVIDED
 PERSONAL DATA IN THE PRECEDING YEAR; AND
   (B)  NOT  SELL  A  CONSUMER'S  PERSONAL  DATA  TO AN ENTITY REASONABLY
 BELIEVED TO BE A DATA BROKER THAT IS NOT REGISTERED  WITH  THE  ATTORNEY
 GENERAL.
   3.  THE ATTORNEY GENERAL SHALL ESTABLISH, MANAGE AND MAINTAIN A STATE-
 WIDE REGISTRY ON ITS INTERNET WEBSITE, WHICH SHALL LIST  ALL  REGISTERED
 DATA  BROKERS  AND  MAKE  ACCESSIBLE  TO  THE PUBLIC ALL THE INFORMATION
 PROVIDED BY DATA BROKERS PURSUANT TO THIS SECTION. PRINTED  HARD  COPIES
 OF  SUCH  REGISTRY SHALL BE MADE AVAILABLE UPON REQUEST AND PAYMENT OF A
 REASONABLE FEE TO BE DETERMINED BY THE ATTORNEY GENERAL.
   4. A DATA BROKER THAT FAILS TO REGISTER AS REQUIRED BY THIS SECTION OR
 SUBMITS FALSE INFORMATION IN ITS REGISTRATION IS,  IN  ADDITION  TO  ANY
 OTHER  INJUNCTION,  PENALTY, OR LIABILITY THAT MAY BE IMPOSED UNDER THIS
 ARTICLE, LIABLE FOR CIVIL  PENALTIES,  FEES,  AND  COSTS  IN  AN  ACTION
 BROUGHT  BY  THE ATTORNEY GENERAL AS FOLLOWS: (A) A CIVIL PENALTY OF ONE
 THOUSAND DOLLARS FOR EACH DAY THE  DATA  BROKER  FAILS  TO  REGISTER  AS
 REQUIRED  BY  THIS SECTION OR FAILS TO CORRECT FALSE INFORMATION, (B) AN
 AMOUNT EQUAL TO THE FEES THAT WERE DUE DURING THE PERIOD  IT  FAILED  TO
 REGISTER,  AND  (C)  EXPENSES  INCURRED  BY  THE ATTORNEY GENERAL IN THE
 INVESTIGATION AND PROSECUTION OF THE ACTION AS THE COURT DEEMS APPROPRI-
 ATE.
   § 1205. LIMITATIONS. 1. THIS ARTICLE DOES NOT REQUIRE A CONTROLLER  OR
 PROCESSOR  TO  DO  ANY OF THE FOLLOWING SOLELY FOR PURPOSES OF COMPLYING
 WITH THIS ARTICLE:
   (A) REIDENTIFY DEIDENTIFIED DATA;
 S. 3044                            19
 
   (B) COMPLY WITH A VERIFIED CONSUMER REQUEST  TO  ACCESS,  CORRECT,  OR
 DELETE  PERSONAL  DATA  PURSUANT TO THIS ARTICLE IF ALL OF THE FOLLOWING
 ARE TRUE:
   (I)  THE  CONTROLLER  IS  NOT  REASONABLY  CAPABLE  OF ASSOCIATING THE
 REQUEST WITH THE PERSONAL DATA;
   (II) THE CONTROLLER DOES NOT ASSOCIATE THE PERSONAL  DATA  WITH  OTHER
 PERSONAL  DATA  ABOUT  THE  SAME SPECIFIC CONSUMER AS PART OF ITS NORMAL
 BUSINESS PRACTICE; AND
   (III) THE CONTROLLER DOES NOT SELL THE  PERSONAL  DATA  TO  ANY  THIRD
 PARTY OR OTHERWISE VOLUNTARILY DISCLOSE OR TRANSFER THE PERSONAL DATA TO
 ANY  PROCESSOR  OR  THIRD  PARTY,  EXCEPT AS OTHERWISE PERMITTED IN THIS
 ARTICLE; OR
   (C) MAINTAIN PERSONAL DATA IN IDENTIFIABLE FORM, OR  COLLECT,  OBTAIN,
 RETAIN,  OR ACCESS ANY PERSONAL DATA OR TECHNOLOGY, IN ORDER TO BE CAPA-
 BLE OF ASSOCIATING A VERIFIED CONSUMER REQUEST WITH PERSONAL DATA.
   2. THE OBLIGATIONS IMPOSED ON CONTROLLERS AND  PROCESSORS  UNDER  THIS
 ARTICLE  DO NOT RESTRICT A CONTROLLER'S OR PROCESSOR'S ABILITY TO DO ANY
 OF THE FOLLOWING, TO THE EXTENT THAT THE USE OF THE CONSUMER'S  PERSONAL
 DATA IS REASONABLY NECESSARY AND PROPORTIONATE FOR THESE PURPOSES:
   (A)  COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS, RULES, OR REGULATIONS,
 PROVIDED THAT NO LAW ENFORCEMENT AGENCY OR OFFICER THEREOF SHALL  ACCESS
 PERSONAL  DATA WITHOUT A SUBPOENA OR A LAWFULLY EXECUTED SEARCH WARRANT,
 EXCEPT FOR THE ATTORNEY GENERAL FOR THE    PURPOSES  OF  ENFORCING  THIS
 ARTICLE, EXCEPT WHERE OTHERWISE PROVIDED SPECIFICALLY IN FEDERAL LAW;
   (B)  INVESTIGATE,  ESTABLISH,  EXERCISE,  PREPARE FOR, OR DEFEND LEGAL
 CLAIMS;
   (C) PROCESS PERSONAL DATA NECESSARY TO PROVIDE THE SERVICES  OR  GOODS
 REQUESTED  BY  A CONSUMER; PERFORM A CONTRACT TO WHICH THE CONSUMER IS A
 PARTY; OR TAKE STEPS AT THE REQUEST OF THE CONSUMER  PRIOR  TO  ENTERING
 INTO A CONTRACT;
   (D) TAKE IMMEDIATE STEPS TO PROTECT THE LIFE OR PHYSICAL SAFETY OF THE
 CONSUMER  OR  OF ANOTHER NATURAL PERSON, AND WHERE THE PROCESSING CANNOT
 BE MANIFESTLY BASED ON ANOTHER LEGAL BASIS;
   (E) PREVENT, DETECT, PROTECT AGAINST, OR  RESPOND  TO  SECURITY  INCI-
 DENTS,  IDENTITY THEFT, FRAUD, HARASSMENT, MALICIOUS OR DECEPTIVE ACTIV-
 ITIES, OR ANY ILLEGAL ACTIVITY; PRESERVE THE INTEGRITY  OR  SECURITY  OF
 SYSTEMS;  OR INVESTIGATE, REPORT, OR PROSECUTE THOSE RESPONSIBLE FOR ANY
 SUCH ACTION;
   (F) IDENTIFY AND REPAIR  TECHNICAL  ERRORS  THAT  IMPAIR  EXISTING  OR
 INTENDED FUNCTIONALITY; OR
   (G) PROCESS BUSINESS CONTACT INFORMATION, INCLUDING A NATURAL PERSON'S
 NAME,  POSITION  NAME  OR  TITLE,  BUSINESS  TELEPHONE  NUMBER, BUSINESS
 ADDRESS, BUSINESS ELECTRONIC MAIL ADDRESS, BUSINESS FAX NUMBER, OR QUAL-
 IFICATIONS AND ANY OTHER SIMILAR INFORMATION ABOUT THE NATURAL PERSON.
   3. THE OBLIGATIONS IMPOSED ON CONTROLLERS  OR  PROCESSORS  UNDER  THIS
 ARTICLE  DO  NOT  APPLY  WHERE COMPLIANCE BY THE CONTROLLER OR PROCESSOR
 WITH THIS ARTICLE WOULD VIOLATE AN EVIDENTIARY PRIVILEGE UNDER NEW  YORK
 LAW AND DO NOT PREVENT A CONTROLLER OR PROCESSOR FROM PROVIDING PERSONAL
 DATA  CONCERNING A CONSUMER TO A PERSON COVERED BY AN EVIDENTIARY PRIVI-
 LEGE UNDER NEW YORK LAW AS PART OF A PRIVILEGED COMMUNICATION.
   4. A CONTROLLER THAT RECEIVES A REQUEST PURSUANT TO SUBDIVISIONS  FOUR
 THROUGH  SEVEN  OF  SECTION  TWELVE  HUNDRED  TWO  OF THIS ARTICLE, OR A
 PROCESSOR OR THIRD PARTY  TO  WHOM  A  CONTROLLER  COMMUNICATES  SUCH  A
 REQUEST, MAY DECLINE TO FULFILL THE RELEVANT PART OF SUCH REQUEST IF:
 S. 3044                            20
 
   (A)  THE CONTROLLER, PROCESSOR, OR THIRD PARTY IS UNABLE TO VERIFY THE
 REQUEST USING COMMERCIALLY REASONABLE EFFORTS, AS DESCRIBED IN PARAGRAPH
 (C) OF SUBDIVISION EIGHT OF SECTION TWELVE HUNDRED TWO OF THIS ARTICLE;
   (B)  COMPLYING  WITH THE REQUEST WOULD BE DEMONSTRABLY IMPOSSIBLE (FOR
 PURPOSES OF THIS PARAGRAPH, THE RECEIPT OF A LARGE  NUMBER  OF  VERIFIED
 REQUESTS,  ON  ITS  OWN,  IS  NOT SUFFICIENT TO RENDER COMPLIANCE WITH A
 REQUEST DEMONSTRABLY IMPOSSIBLE);
   (C) COMPLYING WITH THE REQUEST WOULD IMPAIR  THE  PRIVACY  OF  ANOTHER
 INDIVIDUAL OR THE RIGHTS OF ANOTHER TO EXERCISE FREE SPEECH; OR
   (D)  THE  PERSONAL DATA WAS CREATED BY A NATURAL PERSON OTHER THAN THE
 CONSUMER MAKING THE REQUEST AND IS BEING PROCESSED FOR  THE  PURPOSE  OF
 FACILITATING INTERPERSONAL RELATIONSHIPS OR PUBLIC DISCUSSION.
   §  1206.  ENFORCEMENT. 1. WHENEVER IT APPEARS TO THE ATTORNEY GENERAL,
 EITHER UPON COMPLAINT OR OTHERWISE,  THAT  ANY  PERSON  OR  PERSONS  HAS
 ENGAGED  IN OR IS ABOUT TO ENGAGE IN ANY OF THE ACTS OR PRACTICES STATED
 TO BE UNLAWFUL UNDER THIS ARTICLE, THE ATTORNEY  GENERAL  MAY  BRING  AN
 ACTION  OR SPECIAL PROCEEDING IN THE NAME AND ON BEHALF OF THE PEOPLE OF
 THE STATE OF NEW YORK TO ENJOIN ANY VIOLATION OF THIS ARTICLE, TO OBTAIN
 RESTITUTION OF ANY MONEYS OR PROPERTY OBTAINED DIRECTLY OR INDIRECTLY BY
 ANY SUCH VIOLATION, TO  OBTAIN  DISGORGEMENT  OF  ANY  PROFITS  OBTAINED
 DIRECTLY  OR INDIRECTLY BY ANY SUCH VIOLATION, TO OBTAIN CIVIL PENALTIES
 OF NOT MORE THAN TWENTY THOUSAND DOLLARS PER VIOLATION,  AND  TO  OBTAIN
 ANY  SUCH OTHER AND FURTHER RELIEF AS THE COURT MAY DEEM PROPER, INCLUD-
 ING PRELIMINARY RELIEF.
   (A) ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY THE  ATTORNEY  GENERAL
 PURSUANT TO THIS SECTION MUST BE COMMENCED WITHIN SIX YEARS.
   (B)  EACH  INSTANCE  OF  UNLAWFUL  PROCESSING  COUNTS  AS  A  SEPARATE
 VIOLATION. UNLAWFUL PROCESSING OF THE PERSONAL DATA  OF  MORE  THAN  ONE
 CONSUMER  COUNTS  AS  A  SEPARATE  VIOLATION  AS  TO EACH CONSUMER. EACH
 PROVISION OF  THIS  ARTICLE  THAT  IS  VIOLATED  COUNTS  AS  A  SEPARATE
 VIOLATION.
   (C)  IN ASSESSING THE AMOUNT OF PENALTIES, THE COURT MUST CONSIDER ANY
 ONE OR MORE OF THE  RELEVANT  CIRCUMSTANCES  PRESENTED  BY  ANY  OF  THE
 PARTIES,  INCLUDING,  BUT  NOT LIMITED TO, THE NATURE AND SERIOUSNESS OF
 THE MISCONDUCT, THE NUMBER OF VIOLATIONS, THE PERSISTENCE OF THE MISCON-
 DUCT, THE LENGTH OF TIME OVER WHICH THE MISCONDUCT OCCURRED,  THE  WILL-
 FULNESS  OF  THE  VIOLATOR'S  MISCONDUCT,  AND  THE VIOLATOR'S FINANCIAL
 CONDITION.
   2. IN CONNECTION WITH ANY PROPOSED ACTION OR SPECIAL PROCEEDING  UNDER
 THIS  SECTION, THE ATTORNEY GENERAL IS AUTHORIZED TO TAKE PROOF AND MAKE
 A DETERMINATION OF THE RELEVANT FACTS, AND TO ISSUE SUBPOENAS IN ACCORD-
 ANCE WITH THE CIVIL PRACTICE LAW AND RULES.  THE  ATTORNEY  GENERAL  MAY
 ALSO  REQUIRE  SUCH  OTHER DATA AND INFORMATION AS SUCH ATTORNEY GENERAL
 MAY DEEM RELEVANT AND MAY REQUIRE WRITTEN RESPONSES TO  QUESTIONS  UNDER
 OATH.  SUCH  POWER OF SUBPOENA AND EXAMINATION SHALL NOT ABATE OR TERMI-
 NATE BY REASON OF ANY ACTION OR SPECIAL PROCEEDING BROUGHT BY THE ATTOR-
 NEY GENERAL UNDER THIS ARTICLE.
   3. ANY PERSON, WITHIN OR OUTSIDE THE STATE, WHO THE  ATTORNEY  GENERAL
 BELIEVES MAY BE IN POSSESSION, CUSTODY, OR CONTROL OF ANY BOOKS, PAPERS,
 OR  OTHER THINGS, OR MAY HAVE INFORMATION, RELEVANT TO ACTS OR PRACTICES
 STATED TO BE UNLAWFUL IN THIS ARTICLE IS SUBJECT TO  THE  SERVICE  OF  A
 SUBPOENA  ISSUED  BY  THE  ATTORNEY  GENERAL  PURSUANT  TO THIS SECTION.
 SERVICE MAY BE MADE IN ANY MANNER THAT IS AUTHORIZED FOR  SERVICE  OF  A
 SUBPOENA OR A SUMMONS BY THE STATE IN WHICH SERVICE IS MADE.
   4.  (A)  FAILURE  TO    COMPLY WITH A SUBPOENA ISSUED PURSUANT TO THIS
 SECTION WITHOUT REASONABLE CAUSE TOLLS THE APPLICABLE STATUTES OF  LIMI-
 S. 3044                            21
 
 TATIONS  IN  ANY  ACTION  OR  SPECIAL PROCEEDING BROUGHT BY THE ATTORNEY
 GENERAL AGAINST THE NONCOMPLIANT PERSON THAT ARISES OUT OF THE  ATTORNEY
 GENERAL'S INVESTIGATION.
   (B)  IF  A  PERSON  FAILS TO COMPLY WITH A SUBPOENA ISSUED PURSUANT TO
 THIS SECTION, THE ATTORNEY GENERAL MAY MOVE  IN  THE  SUPREME  COURT  TO
 COMPEL COMPLIANCE.  IF THE COURT FINDS THAT THE SUBPOENA WAS AUTHORIZED,
 IT  SHALL  ORDER  COMPLIANCE AND MAY IMPOSE A CIVIL PENALTY OF UP TO ONE
 THOUSAND DOLLARS PER DAY OF NONCOMPLIANCE.
   (C) SUCH TOLLING AND CIVIL PENALTY SHALL BE IN ADDITION TO  ANY  OTHER
 PENALTIES OR REMEDIES PROVIDED BY LAW FOR NONCOMPLIANCE WITH A SUBPOENA.
   5.  THIS SECTION SHALL APPLY TO ALL ACTS DECLARED TO BE UNLAWFUL UNDER
 THIS ARTICLE, WHETHER OR NOT SUBJECT TO ANY OTHER LAW OF THIS STATE, AND
 SHALL NOT SUPERSEDE, AMEND OR REPEAL ANY OTHER LAW OF THIS  STATE  UNDER
 WHICH  THE  ATTORNEY GENERAL IS AUTHORIZED TO TAKE ANY ACTION OR CONDUCT
 ANY INQUIRY.
   § 1207. MISCELLANEOUS. 1. PREEMPTION. THIS  ARTICLE  DOES  NOT  ANNUL,
 ALTER,  OR  AFFECT  THE LAWS, ORDINANCES, REGULATIONS, OR THE EQUIVALENT
 ADOPTED BY ANY LOCAL ENTITY REGARDING THE PROCESSING, COLLECTION, TRANS-
 FER, DISCLOSURE, AND SALE OF CONSUMERS' PERSONAL DATA BY A CONTROLLER OR
 PROCESSOR SUBJECT TO THIS ARTICLE, EXCEPT  TO  THE  EXTENT  THOSE  LAWS,
 ORDINANCES,  REGULATIONS, OR THE EQUIVALENT CREATE REQUIREMENTS OR OBLI-
 GATIONS THAT CONFLICT WITH OR REDUCE THE PROTECTIONS AFFORDED TO CONSUM-
 ERS UNDER THIS ARTICLE.
   2. IMPACT REPORT. THE ATTORNEY GENERAL SHALL ISSUE A REPORT EVALUATING
 THIS ARTICLE, ITS SCOPE, ANY COMPLAINTS FROM CONSUMERS OR  PERSONS,  THE
 LIABILITY  AND ENFORCEMENT PROVISIONS OF THIS ARTICLE INCLUDING, BUT NOT
 LIMITED TO, THE EFFECTIVENESS OF ITS EFFORTS TO  ENFORCE  THIS  ARTICLE,
 AND  ANY  RECOMMENDATIONS  FOR  CHANGES TO SUCH PROVISIONS. THE ATTORNEY
 GENERAL SHALL SUBMIT THE REPORT TO THE GOVERNOR, THE TEMPORARY PRESIDENT
 OF THE SENATE, THE SPEAKER OF THE ASSEMBLY, AND THE APPROPRIATE  COMMIT-
 TEES  OF  THE LEGISLATURE WITHIN TWO YEARS OF THE EFFECTIVE DATE OF THIS
 SECTION.
   3. REGULATORY AUTHORITY. (A) THE ATTORNEY GENERAL IS HEREBY AUTHORIZED
 AND EMPOWERED TO ADOPT, PROMULGATE, AMEND AND RESCIND SUITABLE RULES AND
 REGULATIONS TO CARRY OUT THE PROVISIONS OF THIS ARTICLE, INCLUDING RULES
 GOVERNING THE FORM AND CONTENT  OF  ANY  DISCLOSURES  OR  COMMUNICATIONS
 REQUIRED BY THIS ARTICLE.
   (B)  THE  ATTORNEY  GENERAL  MAY  REQUEST, AND SHALL RECEIVE, DATA AND
 INFORMATION FROM CONTROLLERS CONDUCTING  BUSINESS  IN  NEW  YORK  STATE,
 OTHER  NEW  YORK  STATE  GOVERNMENT  ENTITIES  ADMINISTERING  NOTICE AND
 CONSENT REGIMES, CONSUMER PROTECTION AND PRIVACY ADVOCATES AND RESEARCH-
 ERS, INTERNET STANDARDS SETTING BODIES, SUCH AS THE INTERNET ENGINEERING
 TASKFORCE AND THE INSTITUTE OF ELECTRICAL AND ELECTRONICS ENGINEERS, AND
 OTHER RELEVANT SOURCES, TO CONDUCT STUDIES TO INFORM SUITABLE RULES  AND
 REGULATIONS.    THE  ATTORNEY  GENERAL SHALL RECEIVE, UPON REQUEST, DATA
 FROM OTHER NEW YORK STATE GOVERNMENTAL ENTITIES.
   4.  EXERCISE OF RIGHTS. ANY CONSUMER RIGHT SET FORTH IN  THIS  ARTICLE
 MAY  BE  EXERCISED AT ANY TIME BY THE CONSUMER WHO IS THE SUBJECT OF THE
 DATA OR BY A PARENT OR GUARDIAN AUTHORIZED BY LAW  TO  TAKE  ACTIONS  OF
 LEGAL  CONSEQUENCE  ON  BEHALF OF THE CONSUMER WHO IS THE SUBJECT OF THE
 DATA. AN AGENT AUTHORIZED BY A CONSUMER MAY EXERCISE THE CONSUMER RIGHTS
 SET FORTH IN SUBDIVISIONS FOUR THROUGH SEVEN OF SECTION  TWELVE  HUNDRED
 TWO OF THIS ARTICLE ON THE CONSUMERS BEHALF.
   § 4. Severability. If any provision of this act, or any application of
 any  provision of this act, is held to be invalid, that shall not affect
 the  validity or effectiveness of any other provision of this act, or of
 S. 3044                            22
 
 any other application of any provision of this act, which can  be  given
 effect  without  that  provision  or  application;  and to that end, the
 provisions and  applications of this act are severable.
   §  5.  This act shall take effect immediately; provided, however, that
 sections 1201, 1202, 1203, 1205, 1206 and 1207 of the  general  business
 law,  as  added by section three of this act, shall take effect one year
 after it shall have become a law.