Difference between revisions of "MD. HB 901 (2019)"

From Privacy Wiki
{{Law
|Official text=http://mgaleg.maryland.gov/2019RS/fnotes/bil_0001/hb0901.pdf
|Country/Jurisdiction=United States
|State or province=Maryland
|Date enacted=2019
|Text of the law='''Applicability Provisions'''

The bill applies to any for-profit business that collects the personal information of Maryland consumers and satisfies one or more of the following thresholds:

* has annual gross revenues of more than $25 million;
* annually buys, receives (for commercial purposes), sells, or shares (for commercial purposes), alone or in combination, the personal information of 100,000 or more consumers, households, or devices; or
* derives at least one-half of its annual revenues from selling consumers’ personal information.

For purposes of the bill, “business” means a sole proprietorship, limited liability corporation, a corporation, association, or any other legal entity operated for profit or for the financial benefit of owners and shareholders.

The bill also applies to any entity that (1) controls (or is controlled by) a business subject to the bill’s requirements and (2) shares a name, service mark, or trademark with the business.

The bill defines “personal information” as information relating to an identified (or identifiable) consumer and information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked (directly or indirectly) with a particular consumer or the consumer’s device. “Personal information” does not include information that is lawfully made available from government records or consumer information that is de-identified or aggregate consumer information.

'''Required Disclosures'''

The bill requires a business that collects a consumer’s personal information to notify a consumer (at or before the point of collection) of (1) the categories of personal information the business will collect; (2) the business purposes for which the categories of personal information may be used; (3) the categories of third parties to which the business discloses personal information; and (4) the business purpose for third-party disclosure, as specified.

In addition, the business must notify a consumer of his or her rights to request (1) a copy of the consumer’s personal information; (2) the deletion of the consumer’s personal information; and (3) to opt out of third-party disclosure.

'''Right to Request a Copy of Personal Information'''

The bill allows a consumer to request that a business that collects a consumer’s personal information disclose:

* the specific personal information the business has collected about that consumer;
* the sources from which the consumer’s personal information was collected;
* the names of third parties to which the business disclosed the consumer’s personal information; and
* the business purpose for third-party disclosure.

A business that receives a verifiable consumer request must promptly take steps to deliver (free of charge) the required information. The bill specifies the manner in which the information may be provided and establishes that a business may only be required to provide personal information to the same consumer two times in a 12-month period. If requests from a consumer are manifestly unfounded or excessive, a business may either charge a reasonable fee or refuse to act on the request and notify the consumer of the reason for refusing the request.

'''Access to Personal Information'''

The bill requires a business to make available to consumers two or more designated methods for submitting requests, including (if the business maintains a website) a link on the homepage of the website. A business is prohibited from requiring a consumer to create an account with the business in order to make a request.

Generally, within 45 days of receiving a verifiable consumer request for a copy of personal information, a business must deliver (free of charge) the required information in a readily useable format that allows the consumer to transmit the information from one entity to another entity without hindrance.

The bill requires a business to include specified information in its online privacy policy (if applicable), or (if the business does not maintain such a policy), on its website. The information must be updated once every 12 months. A business must ensure that all individuals responsible for handling consumer inquiries regarding privacy practices are informed of the bill’s requirements and how to direct consumers to exercise their rights.

'''Right to Delete Personal Information'''

The bill allows a consumer to request that a business delete any personal information about the consumer that the business has collected. If a business receives such a request, the business must delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information as well. The bill also identifies the instances in which a business or service provider is not required to comply with a request to delete a consumer’s personal information.

'''Right to Request Information Not Be Sold to Third Parties'''

The bill allows a consumer to demand that a business not disclose the consumer’s personal information to third parties. (However, in no circumstances may a business disclose the personal information of a consumer to a third party if the business has actual knowledge or willfully disregards that the consumer is younger than age 18.) A business that receives this direction from a consumer may not disclose the consumer’s personal information to third parties unless the consumer later provides express authorization. In addition, a business may not subsequently request authorization to disclose the consumer’s personal information to third parties for at least 12 months.

A business must provide a clear and conspicuous link on the homepage of the business to an Internet webpage that enables a consumer (or an authorized person) to opt out of the third-party disclosure of the consumer’s personal information. A business may not require a consumer to create an account in order to exercise this right.

'''Right to Receive Equal Service'''

The bill prohibits discrimination against a consumer because the consumer exercised his or her rights under the bill. Discrimination includes:

* denying goods or services to the consumer;
* charging different prices or rates for goods or services (including through the use of discounts or other benefits, or imposing penalties);
* providing a different level or quality of goods or services to the consumer;
* suggesting that the consumer will receive a different price or rate for goods or services (or a different level of quality of goods or services).

'''Exceptions to the Bill’s Requirements'''

The bill’s requirements may not restrict the ability of any business or third party to (1) comply with federal, state, or local laws; (2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, or local authority; (3) cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably (and in good faith) believes may violate federal, state, or local law; (4) exercise legal rights or privileges; or (5) engage in news-gathering activities protected by the First Amendment.

The bill also identifies other instances in which its requirements do not apply and specifies the manner in which research with personal information may be used.

'''Office of the Attorney General'''

If OAG has reason to believe that any business, service provider, or other person is in violation of the bill’s requirements (and that proceedings would be in the public interest), OAG may (1) bring an action in the name of the State against the party to restrain the violation by temporary restraining order or preliminary or permanent injunction and (2) seek a civil penalty of up to $2,500 for each violation (or up to $7,500 for each intentional violation). The bill also establishes liability standards for businesses and service providers.

OAG must solicit broad public participation and adopt regulations as specified to further the purposes of the bill by July 1, 2021. Regulations must include, among other things, provisions for updating unique identifiers, facilitating submission of verifiable consumer requests, establishing consumer notification standards, and establishing necessary exceptions to comply with federal and State laws. OAG is prohibited from bringing an enforcement action under the bill until six months after the publication of the final regulations issued in accordance with the bill.

'''Other Legal/Contractual Provisions'''

The bill specifies that, wherever possible, law relating to consumers’ personal information should be construed to harmonize with the provisions of the bill. However, in the event of a conflict between other laws and the bill, the provisions of the law that afford the greatest protection for the right of privacy for consumers must control.

If a series of steps (or transactions) that were component parts of a single transaction were taken with the intention of avoiding the reach of the bill, a court must disregard the intermediate steps or transactions for purposes of carrying out the bill.

Any provision of a contract (or an agreement of any kind) that purports to waive or limit in any way a consumer’s rights under the bill (including any remedy or means of enforcement) must be considered contrary to public policy and must be void and unenforceable.

'''Current Law/Background:'''

'''Internet Privacy'''

State law does not generally regulate Internet privacy. However, businesses are required under the Maryland Personal Information Protection Act to take precautions to secure the personal information of customers and to provide notice of information breaches.

In addition, the Social Security Number Privacy Act (Chapter 521 of 2005) prohibits specified disclosures of an individual’s Social Security number (SSN). However, the law exempts entities that provide Internet access (including “interactive computer service providers” and telecommunications providers) under specified circumstances. More specifically, the law does not apply to an interactive computer service provider’s or a telecommunications provider’s transmission or routing of (or intermediate temporary storage or caching of) an individual’s SSN. In addition, the law does not impose a duty on an interactive computer service provider or a telecommunications provider to monitor its service or to seek evidence of the transmission of SSNs on its service.

'''Federal Actions Regarding Internet Privacy'''

In 2016, the Federal Communications Commission (FCC) adopted rules that required broadband ISPs to protect the privacy of their customers. According to FCC, the rules established a framework of customer consent required for ISPs to use, sell, and share their customers’ personal information. The rules separated the use and sharing of information into three categories and included guidance for both ISPs and customers about the transparency, choice, and security requirements for customers’ personal information.

* Opt In: For certain sensitive information, ISPs would have been required to obtain affirmative “opt-in” consent from consumers to use and share the information. The rules specified categories of information considered sensitive, including precise geo-location, financial information, health information, children’s information, SSNs, web browsing history, app usage history, and the content of communications.
* Opt Out: ISPs would have been allowed to use and share other, nonsensitive, information unless the customer “opted-out.” For example, email address information would have been considered nonsensitive information, and the use and sharing of that information would have been subject to opt-out consent.
* Exceptions to Consent Requirements: Customer consent was inferred for certain specified purposes, including the provision of broadband service or billing and collection. For the use of this information, no additional consent would have been required beyond the creation of the customer-ISP relationship.

The rules established other provisions, including:

* transparency requirements for ISPs to provide customers with clear, conspicuous, and persistent notice about the information collected, how it was to be used, and with whom it could have been shared, as well as how customers could change their privacy preferences;
* a requirement that broadband providers engage in reasonable data security practices and guidelines on steps ISPs should consider taking, such as implementing relevant industry best practices, providing appropriate oversight of security practices, implementing robust customer authentication tools, and proper disposal of data; and
* data breach notification requirements to encourage ISPs to protect the confidentiality of customer data and to give consumers and law enforcement notice of failures to protect such information.

The scope of the rules was limited to broadband service providers and other telecommunications carriers. The rules did not apply to the privacy practices of websites and other services over which the Federal Trade Commission, rather than FCC, has authority. In addition, the scope of the rules did not include other services of a broadband provider, such as the operation of a social media website, nor did the rules cover issues such as government surveillance, encryption, or law enforcement.

The rules were originally scheduled to take effect in 2017. However, in early 2017, the U.S. Congress approved a resolution of disapproval nullifying the FCC rule. The President signed the resolution on April 3, 2017.

'''California Online Privacy Law'''

The bill is similar to a California law that was enacted in 2018. Among other things, that law establishes that a consumer has the right to request that a business disclose categories and specific pieces of personal information the business has collected about the consumer. Consumers may request that a business delete any personal information that the business has collected about the consumer. In addition, consumers may direct a business not to sell their personal information. The law also prohibits discrimination against a consumer because the consumer exercised his or her rights under the law.

'''State Fiscal Effect:''' While the bill authorizes OAG to bring an action against a party for a violation of the bill and requires OAG to adopt regulations, OAG advises it can implement the bill’s requirements with existing resources.

:Because OAG may also seek a civil penalty (of up to $2,500 for each violation, or $7,500 for each intentional violation), general fund revenues may increase to the extent that cases are successfully brought and the civil penalty is imposed. However, the impact on the general fund is likely to be minimal. Also, any fiscal impact is presumed not to occur until fiscal 2022, since OAG cannot bring any enforcement actions until six months after its regulations enforcing the bill are promulgated.

:'''Small Business Effect:''' The bill establishes numerous requirements for businesses that handle the personal information of consumers. To the extent that any small businesses meet the thresholds identified by the bill, such businesses are likely to be meaningfully affected by the bill’s requirements.

:The Department of Legislative Services advises that the exact number of small businesses that may be affected by the bill cannot be determined due to insufficient data. However, any small businesses that do meet the bill’s criteria as a “business” must comply with the bill’s personal information protection requirements and may incur significant costs to do so.

:'''Additional Information'''

:'''Prior Introductions:''' None.

:'''Cross File:''' SB 613 (Senator Lee) – Finance.

:'''Information Source(s):''' Office of the Attorney General (Consumer Protection Division); Judiciary (Administrative Office of the Courts); California State Legislature; New York Times; Department of Legislative Services

:'''Fiscal Note History:''' First Reader - March 5, 2019 mag/kdm
}}
 

Revision as of 14:58, 15 April 2020

MD. HB 901 (2019)
Official Text: MD. HB 901 (2019)
Country/Jurisdiction: United States
State or Province: Maryland
Date Enacted: 2019
Scope of the Law: Information
Taxonomy: Aggregation, Appropriation, Decisional Interference, Exclusion, Insecurity


14–4202.
(A) A BUSINESS THAT COLLECTS A CONSUMER’S PERSONAL INFORMATION SHALL, AT OR BEFORE THE POINT OF COLLECTION, NOTIFY A CONSUMER OF:
(1) THE CATEGORIES OF PERSONAL INFORMATION THE BUSINESS WILL COLLECT ABOUT THAT CONSUMER;
(2) THE BUSINESS PURPOSES FOR WHICH THE CATEGORIES OF PERSONAL INFORMATION MAY BE USED;
(3) THE CATEGORIES OF THIRD PARTIES TO WHICH THE BUSINESS DISCLOSES PERSONAL INFORMATION;
(4) THE BUSINESS PURPOSE FOR THIRD–PARTY DISCLOSURE; AND
(5) THE CONSUMER’S RIGHTS TO REQUEST:
(I) A COPY OF THE CONSUMER’S PERSONAL INFORMATION UNDER § 14–4203 OF THIS SUBTITLE;
(II) THE DELETION OF THE CONSUMER’S PERSONAL INFORMATION UNDER § 14–4205 OF THIS SUBTITLE; AND
(III) TO OPT OUT OF THIRD–PARTY DISCLOSURE UNDER § 14–4206 OF THIS SUBTITLE.
(B) A BUSINESS MAY NOT COLLECT ADDITIONAL CATEGORIES OF PERSONAL INFORMATION OR USE PERSONAL INFORMATION COLLECTED FOR ADDITIONAL PURPOSES WITHOUT FIRST PROVIDING THE CONSUMER WITH NOTICE CONSISTENT WITH THIS SECTION.

14–4203.
(A) A CONSUMER MAY REQUEST THAT A BUSINESS THAT COLLECTS A CONSUMER’S PERSONAL INFORMATION DISCLOSE TO THAT CONSUMER:
(1) THE SPECIFIC PIECES OF PERSONAL INFORMATION THE BUSINESS HAS COLLECTED ABOUT THAT CONSUMER;
(2) THE SOURCES FROM WHICH THE CONSUMER’S PERSONAL INFORMATION WAS COLLECTED;
(3) THE NAMES OF THIRD PARTIES TO WHICH THE BUSINESS DISCLOSED THE CONSUMER’S PERSONAL INFORMATION; AND
(4) THE BUSINESS PURPOSE FOR THIRD–PARTY DISCLOSURE.
(B) A BUSINESS SHALL PROVIDE THE INFORMATION SPECIFIED IN SUBSECTION (A) OF THIS SECTION TO A CONSUMER ONLY ON RECEIPT OF A VERIFIABLE CONSUMER REQUEST.
(C) (1) A BUSINESS THAT RECEIVES A VERIFIABLE CONSUMER REQUEST FROM A CONSUMER TO ACCESS PERSONAL INFORMATION SHALL PROMPTLY TAKE STEPS TO DELIVER, FREE OF CHARGE TO THE CONSUMER, THE PERSONAL INFORMATION REQUIRED BY THIS SECTION.
(2) THE INFORMATION MAY BE DELIVERED BY MAIL OR ELECTRONICALLY, AND IF PROVIDED ELECTRONICALLY, THE INFORMATION SHALL BE IN A PORTABLE AND, TO THE EXTENT TECHNICALLY FEASIBLE, READILY USEABLE FORMAT THAT ALLOWS THE CONSUMER TO TRANSMIT THIS INFORMATION TO ANOTHER ENTITY WITHOUT HINDRANCE.
(D) A BUSINESS MAY PROVIDE PERSONAL INFORMATION TO A CONSUMER AT ANY TIME, NOTWITHSTANDING § 14–4204 OF THIS SUBTITLE, BUT MAY NOT BE REQUIRED TO PROVIDE PERSONAL INFORMATION TO THE SAME CONSUMER MORE THAN TWICE IN A 12–MONTH PERIOD.
(E) THIS SECTION MAY NOT REQUIRE A BUSINESS TO:
(1) RETAIN ANY PERSONAL INFORMATION ABOUT A CONSUMER COLLECTED FOR A SINGLE ONE–TIME TRANSACTION IF, IN THE ORDINARY COURSE OF BUSINESS, THAT INFORMATION ABOUT THE CONSUMER IS NOT RETAINED;
(2) RE–IDENTIFY OR OTHERWISE LINK ANY DATA THAT, IN THE ORDINARY COURSE OF BUSINESS, IS NOT MAINTAINED IN A MANNER THAT WOULD BE CONSIDERED PERSONAL INFORMATION; OR
(3) DISCLOSE ANY SPECIFIC PERSONAL INFORMATION THAT WOULD ADVERSELY AFFECT THE LEGAL RIGHTS OF OTHER CONSUMERS.
(F) IF VERIFIED REQUESTS FROM A CONSUMER ARE MANIFESTLY UNFOUNDED OR EXCESSIVE, IN PARTICULAR BECAUSE OF THEIR REPETITIVE CHARACTER, A BUSINESS MAY EITHER CHARGE A REASONABLE FEE, TAKING INTO ACCOUNT THE ADMINISTRATIVE COSTS OF PROVIDING THE INFORMATION OR COMMUNICATION OR TAKING THE ACTION REQUESTED, OR REFUSE TO ACT ON THE REQUEST AND NOTIFY THE CONSUMER OF THE REASON FOR REFUSING THE REQUEST.

14–4204.
(A) (1) A BUSINESS SHALL, IN A FORM THAT IS REASONABLY ACCESSIBLE TO CONSUMERS, MAKE AVAILABLE TO CONSUMERS TWO OR MORE DESIGNATED METHODS FOR SUBMITTING CONSUMER VERIFIED REQUESTS, INCLUDING, IF THE BUSINESS MAINTAINS AN INTERNET WEBSITE, A LINK ON THE HOMEPAGE OF THE WEBSITE.
(2) A BUSINESS MAY NOT REQUIRE THE CONSUMER TO CREATE AN ACCOUNT WITH THE BUSINESS IN ORDER TO MAKE A VERIFIABLE CONSUMER REQUEST.
(B) (1) A BUSINESS SHALL DELIVER TO A CONSUMER FREE OF CHARGE WITHIN 45 DAYS AFTER RECEIVING A VERIFIABLE CONSUMER REQUEST FROM THE CONSUMER THE INFORMATION REQUIRED IN § 14–4203 OF THIS SUBTITLE IN A READILY USEABLE FORMAT THAT ALLOWS THE CONSUMER TO TRANSMIT THE INFORMATION FROM ONE ENTITY TO ANOTHER ENTITY WITHOUT HINDRANCE.
(2) THE TIME PERIOD TO PROVIDE THE REQUIRED INFORMATION MAY BE EXTENDED ONCE BY UP TO AN ADDITIONAL 45 DAYS WHEN REASONABLY NECESSARY, IF THE CONSUMER IS PROVIDED NOTICE OF THE EXTENSION WITHIN THE FIRST 45–DAY PERIOD.
(C) A BUSINESS IS NOT REQUIRED TO PROVIDE THE INFORMATION REQUIRED BY § 14–4203 OF THIS SUBTITLE TO THE SAME CONSUMER MORE THAN TWICE IN A 12–MONTH PERIOD.
(D) A BUSINESS SHALL INCLUDE THE FOLLOWING INFORMATION IN ITS ONLINE PRIVACY POLICY IF THE BUSINESS HAS AN ONLINE PRIVACY POLICY, OR IF THE BUSINESS DOES NOT MAINTAIN A POLICY, ON ITS INTERNET WEBSITE, AND UPDATE THAT INFORMATION AT LEAST ONCE EVERY 12 MONTHS:
(1) THE CATEGORIES OF PERSONAL INFORMATION THE BUSINESS COLLECTS ABOUT CONSUMERS;
(2) THE BUSINESS PURPOSES FOR WHICH THE CATEGORIES OF PERSONAL INFORMATION ARE USED;
(3) THE CATEGORIES OF THIRD PARTIES TO WHICH THE BUSINESS DISCLOSES PERSONAL INFORMATION;
(4) THE BUSINESS PURPOSE FOR THIRD–PARTY DISCLOSURE; AND
(5) THE CONSUMER’S RIGHTS TO REQUEST:
(I) A COPY OF THE CONSUMER’S PERSONAL INFORMATION IN ACCORDANCE WITH § 14–4203 OF THIS SUBTITLE;
(II) THE DELETION OF THE CONSUMER’S PERSONAL INFORMATION IN ACCORDANCE WITH § 14–4205 OF THIS SUBTITLE; AND
(III) TO OPT OUT OF THIRD–PARTY DISCLOSURE IN ACCORDANCE WITH § 14–4206 OF THIS SUBTITLE.
(E) A BUSINESS SHALL ENSURE THAT ALL INDIVIDUALS RESPONSIBLE FOR HANDLING CONSUMER INQUIRIES ABOUT THE BUSINESS’S PRIVACY PRACTICES OR THE BUSINESS’S COMPLIANCE WITH THIS SUBTITLE ARE INFORMED OF ALL REQUIREMENTS IN THIS SUBTITLE AND HOW TO DIRECT CONSUMERS TO EXERCISE THEIR RIGHTS.
(F) A BUSINESS SHALL USE ANY PERSONAL INFORMATION COLLECTED FROM THE CONSUMER IN CONNECTION WITH THE BUSINESS’S VERIFICATION OF THE CONSUMER’S REQUEST SOLELY FOR THE PURPOSES OF VERIFICATION.

14–4205.
(A) A CONSUMER MAY REQUEST THAT A BUSINESS DELETE ANY PERSONAL INFORMATION ABOUT THE CONSUMER THAT THE BUSINESS HAS COLLECTED FROM THE CONSUMER.
(B) A BUSINESS THAT COLLECTS PERSONAL INFORMATION ABOUT CONSUMERS SHALL DISCLOSE, IN ACCORDANCE WITH § 14–4202 OF THIS SUBTITLE, THE CONSUMER’S RIGHTS TO REQUEST THE DELETION OF THE CONSUMER’S PERSONAL INFORMATION.
(C) A BUSINESS THAT RECEIVES A VERIFIABLE CONSUMER REQUEST FROM A CONSUMER TO DELETE THE CONSUMER’S PERSONAL INFORMATION IN ACCORDANCE WITH SUBSECTION (A) OF THIS SECTION SHALL DELETE THE CONSUMER’S PERSONAL INFORMATION FROM ITS RECORDS AND DIRECT ANY SERVICE PROVIDERS TO DELETE THE CONSUMER’S PERSONAL INFORMATION FROM THE SERVICE PROVIDERS’ RECORDS.
(D) A BUSINESS OR A SERVICE PROVIDER MAY NOT BE REQUIRED TO COMPLY WITH A CONSUMER’S REQUEST TO DELETE THE CONSUMER’S PERSONAL INFORMATION IF IT IS NECESSARY FOR THE BUSINESS OR SERVICE PROVIDER TO MAINTAIN THE CONSUMER’S PERSONAL INFORMATION IN ORDER TO:
(1) COMPLETE THE TRANSACTION FOR WHICH THE PERSONAL INFORMATION WAS COLLECTED, PROVIDE A GOOD OR SERVICE REQUESTED BY THE CONSUMER OR REASONABLY ANTICIPATED WITHIN THE CONTEXT OF A BUSINESS’S ONGOING BUSINESS RELATIONSHIP WITH THE CONSUMER, OR OTHERWISE PERFORM A CONTRACT BETWEEN THE BUSINESS AND THE CONSUMER;
(2) DETECT SECURITY INCIDENTS, PROTECT AGAINST MALICIOUS, DECEPTIVE, FRAUDULENT, OR ILLEGAL ACTIVITY, OR PROSECUTE THOSE RESPONSIBLE FOR THAT ACTIVITY;
(3) IDENTIFY OR REPAIR ERRORS THAT IMPAIR EXISTING INTENDED FUNCTIONALITY;
(4) EXERCISE FREE SPEECH, ENSURE THE RIGHT OF ANOTHER CONSUMER TO EXERCISE THE RIGHT OF FREE SPEECH, OR EXERCISE ANOTHER RIGHT PROVIDED FOR BY LAW;
(5) ENGAGE IN PUBLIC OR PEER–REVIEWED SCIENTIFIC, HISTORICAL, OR STATISTICAL RESEARCH IN THE PUBLIC INTEREST THAT ADHERES TO ALL OTHER APPLICABLE ETHICS AND PRIVACY LAWS, WHEN THE BUSINESSES’ DELETION OF THE INFORMATION IS LIKELY TO RENDER IMPOSSIBLE OR TO SERIOUSLY IMPAIR THE ACHIEVEMENT OF THE RESEARCH, IF THE CONSUMER HAS PROVIDED INFORMED CONSENT; OR

14–4206.
(A) (1) A CONSUMER MAY, AT ANY TIME, DEMAND THAT A BUSINESS NOT DISCLOSE THE CONSUMER’S PERSONAL INFORMATION TO THIRD PARTIES.
(2) THIS RIGHT MAY BE REFERRED TO AS THE “RIGHT TO OPT OUT OF THIRD–PARTY DISCLOSURE”.
(B) NOTWITHSTANDING SUBSECTION (A) OF THIS SECTION, A BUSINESS MAY NOT DISCLOSE THE PERSONAL INFORMATION OF A CONSUMER TO A THIRD PARTY IF THE BUSINESS HAS ACTUAL KNOWLEDGE OR WILLFULLY DISREGARDS THE FACT THAT THE CONSUMER IS UNDER THE AGE OF 18 YEARS.
(C) (1) A BUSINESS THAT HAS RECEIVED DIRECTION FROM A CONSUMER NOT TO DISCLOSE THE CONSUMER’S PERSONAL INFORMATION TO THIRD PARTIES MAY NOT DISCLOSE THE CONSUMER’S PERSONAL INFORMATION TO THIRD PARTIES UNLESS THE CONSUMER LATER PROVIDES EXPRESS AUTHORIZATION FOR THAT DISCLOSURE.
(2) A BUSINESS THAT HAS RECEIVED DIRECTION FROM A CONSUMER NOT TO DISCLOSE THE CONSUMER’S PERSONAL INFORMATION TO THIRD PARTIES MAY NOT REQUEST AUTHORIZATION TO DISCLOSE THE CONSUMER’S PERSONAL INFORMATION TO THIRD PARTIES FOR AT LEAST 12 MONTHS.
(D) (1) A BUSINESS SHALL PROVIDE A CLEAR AND CONSPICUOUS LINK ON THE INTERNET HOMEPAGE OF THE BUSINESS TO AN INTERNET WEBPAGE THAT ENABLES A CONSUMER, OR A PERSON AUTHORIZED BY THE CONSUMER, TO OPT OUT OF THE THIRD–PARTY DISCLOSURE OF THE CONSUMER’S PERSONAL INFORMATION.
(2) A BUSINESS MAY NOT REQUIRE A CONSUMER TO CREATE AN ACCOUNT IN ORDER TO EXERCISE THIS RIGHT.
(E) A CONSUMER MAY AUTHORIZE ANOTHER PERSON SOLELY TO OPT OUT OF THE SALE OR DISCLOSURE OF THE CONSUMER’S PERSONAL INFORMATION ON THE CONSUMER’S BEHALF, AND A BUSINESS SHALL COMPLY WITH AN OPT–OUT REQUEST RECEIVED FROM A PERSON AUTHORIZED BY THE CONSUMER TO ACT ON THE CONSUMER’S BEHALF, IN ACCORDANCE WITH REGULATIONS ADOPTED BY THE ATTORNEY GENERAL.

14–4207.
A BUSINESS MAY NOT DISCRIMINATE AGAINST A CONSUMER BECAUSE THE CONSUMER EXERCISED ANY OF THE CONSUMER’S RIGHTS UNDER THIS SUBTITLE, INCLUDING BY:
(1) DENYING GOODS OR SERVICES TO THE CONSUMER;
(2) CHARGING DIFFERENT PRICES OR RATES FOR GOODS OR SERVICES, INCLUDING THROUGH THE USE OF DISCOUNTS OR OTHER BENEFITS OR IMPOSING PENALTIES;
(3) PROVIDING A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES TO THE CONSUMER; OR
(4) SUGGESTING THAT THE CONSUMER WILL RECEIVE A DIFFERENT PRICE OR RATE FOR GOODS OR SERVICES OR A DIFFERENT LEVEL OR QUALITY OF GOODS OR SERVICES.

14–4208.
(A) THE OBLIGATIONS IMPOSED BY THIS SUBTITLE MAY NOT RESTRICT THE ABILITY OF ANY BUSINESS OR THIRD PARTY TO:
(1) COMPLY WITH FEDERAL, STATE, OR LOCAL LAWS;
(2) COMPLY WITH A CIVIL, CRIMINAL, OR REGULATORY INQUIRY, INVESTIGATION, SUBPOENA, OR SUMMONS BY A FEDERAL, STATE, OR LOCAL AUTHORITY;
(3) COOPERATE WITH LAW ENFORCEMENT AGENCIES CONCERNING CONDUCT OR ACTIVITY THAT THE BUSINESS, SERVICE PROVIDER, OR THIRD PARTY REASONABLY AND IN GOOD FAITH BELIEVES MAY VIOLATE FEDERAL, STATE, OR LOCAL LAW;
(4) EXERCISE LEGAL RIGHTS OR PRIVILEGES; OR
(5) ENGAGE IN NEWS–GATHERING ACTIVITIES PROTECTED BY THE FIRST AMENDMENT.
(B) THIS SUBTITLE DOES NOT APPLY TO:
(1) A BUSINESS COLLECTING OR DISCLOSING PERSONAL INFORMATION OF THE BUSINESS’S EMPLOYEES TO THE EXTENT THAT THE BUSINESS IS COLLECTING OR DISCLOSING THE INFORMATION WITHIN THE SCOPE OF ITS ROLE AS AN EMPLOYER;
(2) HEALTH INFORMATION THAT IS COLLECTED BY A COVERED ENTITY OR BUSINESS ASSOCIATE GOVERNED BY THE PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES ISSUED BY THE U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES IN 45 C.F.R. PARTS 160 AND 164, ESTABLISHED IN ACCORDANCE WITH THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 AND THE FEDERAL HEALTH INFORMATION TECHNOLOGY FOR ECONOMIC AND CLINICAL HEALTH ACT;
(3) A COVERED ENTITY GOVERNED BY THE PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES ISSUED BY THE U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES IN 45 C.F.R. PARTS 160 AND 164, ESTABLISHED IN ACCORDANCE WITH THE FEDERAL HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996, TO THE EXTENT THE PROVIDER OR COVERED ENTITY MAINTAINS PATIENT INFORMATION IN THE SAME MANNER AS MEDICAL INFORMATION OR PROTECTED HEALTH INFORMATION AS DESCRIBED IN ITEM (2) OF THIS SUBSECTION;
(4) INFORMATION COLLECTED AS PART OF A CLINICAL TRIAL SUBJECT TO THE FEDERAL POLICY FOR THE PROTECTION OF HUMAN SUBJECTS, ALSO KNOWN AS THE COMMON RULE, PURSUANT TO GOOD CLINICAL PRACTICE GUIDELINES ISSUED BY THE INTERNATIONAL COUNCIL FOR HARMONISATION OR IN ACCORDANCE WITH HUMAN SUBJECT PROTECTION REQUIREMENTS OF THE U.S. FOOD AND DRUG ADMINISTRATION;
(5) SALE OF PERSONAL INFORMATION TO OR FROM A CONSUMER REPORTING AGENCY IF THAT INFORMATION IS TO BE REPORTED IN, OR USED TO GENERATE, A “CONSUMER REPORT” AS DEFINED BY 15 U.S.C. § 1681(A) AND USE OF THAT INFORMATION IS LIMITED BY THE FEDERAL FAIR CREDIT REPORTING ACT;
(6) PERSONAL INFORMATION COLLECTED, PROCESSED, SOLD, OR DISCLOSED UNDER THE FEDERAL GRAMM–LEACH–BLILEY ACT AND IMPLEMENTING REGULATIONS;
(7) PERSONAL INFORMATION COLLECTED, PROCESSED, SOLD, OR DISCLOSED UNDER THE FEDERAL DRIVER’S PRIVACY PROTECTION ACT OF 1994; AND
(8) EDUCATION INFORMATION COVERED BY THE FEDERAL FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT, 20 U.S.C. § 1232G AND 34 C.F.R. PART 99.

14–4209.
RESEARCH WITH PERSONAL INFORMATION THAT MAY HAVE BEEN COLLECTED FROM A CONSUMER IN THE COURSE OF THE CONSUMER’S INTERACTIONS WITH A BUSINESS’S SERVICE OR DEVICE FOR OTHER PURPOSES SHALL BE:
(1) USED SOLELY FOR RESEARCH PURPOSES THAT ARE COMPATIBLE WITH THE CONTEXT IN WHICH THE PERSONAL INFORMATION WAS COLLECTED;
(2) RESTRICTED FROM USE FOR ANY COMMERCIAL PURPOSE;
(3) SUBSEQUENTLY PSEUDONYMIZED AND DE–IDENTIFIED, OR DE–IDENTIFIED AND IN THE AGGREGATE, SO THAT THE INFORMATION CANNOT REASONABLY IDENTIFY, RELATE TO, DESCRIBE, BE CAPABLE OF BEING ASSOCIATED WITH, OR BE LINKED, DIRECTLY OR INDIRECTLY, TO A PARTICULAR CONSUMER;
(4) MADE SUBJECT TO TECHNICAL SAFEGUARDS THAT PROHIBIT RE–IDENTIFICATION OF THE CONSUMER TO WHOM THE INFORMATION MAY PERTAIN;
(5) SUBJECT TO BUSINESS PROCESSES THAT SPECIFICALLY PROHIBIT RE–IDENTIFICATION OF THE INFORMATION;
(6) MADE SUBJECT TO BUSINESS PROCESSES TO PREVENT INADVERTENT RELEASE OF DE–IDENTIFIED INFORMATION;
(7) PROTECTED FROM ANY RE–IDENTIFICATION ATTEMPTS; AND
(8) SUBJECTED BY THE BUSINESS CONDUCTING THE RESEARCH TO ADDITIONAL SECURITY CONTROLS THAT LIMIT ACCESS TO THE RESEARCH DATA TO ONLY THOSE INDIVIDUALS IN A BUSINESS AS ARE NECESSARY TO CARRY OUT THE RESEARCH PURPOSE.

14–4210.
(A) WHENEVER THE OFFICE OF THE ATTORNEY GENERAL HAS REASON TO BELIEVE THAT ANY BUSINESS, SERVICE PROVIDER, OR OTHER PERSON IS IN VIOLATION OF THIS SUBTITLE, AND THAT PROCEEDINGS WOULD BE IN THE PUBLIC INTEREST, THE ATTORNEY GENERAL MAY:
(1) BRING AN ACTION IN THE NAME OF THE STATE AGAINST THE PARTY TO RESTRAIN THE VIOLATION BY TEMPORARY RESTRAINING ORDER OR PRELIMINARY OR PERMANENT INJUNCTION; AND
(2) SEEK A CIVIL PENALTY NOT EXCEEDING $2,500 FOR EACH VIOLATION OR NOT EXCEEDING $7,500 FOR EACH INTENTIONAL VIOLATION.
(B) (1) A BUSINESS THAT DISCLOSES PERSONAL INFORMATION TO A SERVICE PROVIDER MAY NOT BE LIABLE UNDER THIS SUBTITLE IF THE SERVICE PROVIDER RECEIVING THE PERSONAL INFORMATION USES THE PERSONAL INFORMATION IN VIOLATION OF THE RESTRICTIONS SET FORTH IN THIS SUBTITLE, IF, AT THE TIME OF DISCLOSING THE PERSONAL INFORMATION, THE BUSINESS DOES NOT HAVE ACTUAL KNOWLEDGE, OR REASON TO BELIEVE, THAT THE SERVICE PROVIDER INTENDS TO COMMIT A VIOLATION.
(2) A SERVICE PROVIDER MAY NOT BE LIABLE UNDER THIS SUBTITLE FOR THE OBLIGATIONS OF A BUSINESS FOR WHICH IT PROVIDES SERVICES AS SET FORTH IN THIS SUBTITLE.

14–4211.
(A) ON OR BEFORE JULY 1, 2021, THE OFFICE OF THE ATTORNEY GENERAL SHALL SOLICIT BROAD PUBLIC PARTICIPATION AND ADOPT REGULATIONS TO FURTHER THE PURPOSES OF THIS SUBTITLE, INCLUDING:
(1) UPDATING AS NEEDED ADDITIONAL CATEGORIES OF PERSONAL INFORMATION TO THOSE UNDER § 14–4208(B) OF THIS SUBTITLE IN ORDER TO ADDRESS CHANGES IN TECHNOLOGY, DATA COLLECTION PRACTICES, OBSTACLES TO IMPLEMENTATION, AND PRIVACY CONCERNS;
(2) UPDATING AS NEEDED THE DEFINITION OF UNIQUE IDENTIFIERS TO ADDRESS CHANGES IN TECHNOLOGY, DATA COLLECTION, OBSTACLES TO IMPLEMENTATION, AND PRIVACY CONCERNS;
(3) ESTABLISHING ANY EXCEPTIONS NECESSARY TO COMPLY WITH STATE OR FEDERAL LAW, INCLUDING EXCEPTIONS RELATING TO TRADE SECRETS AND INTELLECTUAL PROPERTY RIGHTS;
(4) ADOPTING REGULATIONS AND PROCEDURES:
(I) TO FACILITATE AND GOVERN THE SUBMISSION OF VERIFIABLE CONSUMER REQUESTS UNDER §§ 14–4203 THROUGH 14–4206 OF THIS SUBTITLE;
(II) TO GOVERN RESPONSES BY BUSINESSES AND SERVICE PROVIDERS TO VERIFIABLE CONSUMER REQUESTS UNDER §§ 14–4203 THROUGH 14–4206 OF THIS SUBTITLE; AND
(III) FOR THE DEVELOPMENT AND USE OF A RECOGNIZABLE AND UNIFORM OPT–OUT LOGO OR BUTTON BY ALL BUSINESSES TO PROMOTE CONSUMER AWARENESS OF THE OPPORTUNITY TO OPT OUT OF THIRD–PARTY DISCLOSURE OF CONSUMER PERSONAL INFORMATION;
(5) ADJUSTING THE MONETARY THRESHOLD IN § 14–4201(D)(1)(III)1 OF THIS SUBTITLE IN JANUARY OF EVERY ODD–NUMBERED YEAR TO REFLECT ANY INCREASE IN THE UNITED STATES BUREAU OF LABOR STATISTICS’ CONSUMER PRICE INDEX;
(6) ENSURING THAT THE NOTICES AND INFORMATION THAT BUSINESSES ARE REQUIRED TO PROVIDE UNDER THIS SUBTITLE ARE PROVIDED IN A MANNER THAT MAY BE EASILY UNDERSTOOD BY THE AVERAGE CONSUMER, ARE ACCESSIBLE TO CONSUMERS WITH DISABILITIES, AND ARE AVAILABLE IN THE LANGUAGE PRIMARILY USED TO INTERACT WITH THE CONSUMER, INCLUDING ADOPTING REGULATIONS, PROCEDURES, AND GUIDELINES REGARDING FINANCIAL INCENTIVE OFFERINGS; AND
(7) FURTHERING THE PURPOSES OF §§ 14–4203 THROUGH 14–4206 OF THIS SUBTITLE, WITH THE GOAL OF MINIMIZING THE ADMINISTRATIVE BURDEN ON CONSUMERS, TAKING INTO ACCOUNT AVAILABLE TECHNOLOGY, SECURITY CONCERNS, AND THE BURDEN ON THE BUSINESS, TO GOVERN A DETERMINATION BY A BUSINESS THAT A REQUEST FOR INFORMATION RECEIVED BY A CONSUMER IS A VERIFIABLE CONSUMER REQUEST, INCLUDING TREATING A REQUEST SUBMITTED THROUGH A PASSWORD–PROTECTED ACCOUNT MAINTAINED BY THE CONSUMER WITH THE BUSINESS WHILE THE CONSUMER IS LOGGED INTO THE ACCOUNT AS A VERIFIABLE CONSUMER REQUEST AND PROVIDING A MECHANISM FOR A CONSUMER WHO DOES NOT MAINTAIN AN ACCOUNT WITH THE BUSINESS TO REQUEST INFORMATION THROUGH THE BUSINESS’S AUTHENTICATION OF THE CONSUMER’S IDENTITY.
(B) THE ATTORNEY GENERAL MAY ADOPT ADDITIONAL REGULATIONS AS NECESSARY TO CARRY OUT THIS SUBTITLE.
(C) THE ATTORNEY GENERAL MAY NOT BRING AN ENFORCEMENT ACTION UNDER THIS SUBTITLE UNTIL 6 MONTHS AFTER THE PUBLICATION OF THE FINAL REGULATIONS ISSUED IN ACCORDANCE WITH THIS SECTION.

14–4212.
(A) WHEREVER POSSIBLE, LAW RELATING TO CONSUMERS’ PERSONAL INFORMATION SHOULD BE CONSTRUED TO HARMONIZE WITH THE PROVISIONS OF THIS SUBTITLE.
(B) IN THE EVENT OF A CONFLICT BETWEEN OTHER LAWS AND THIS SUBTITLE, THE PROVISIONS OF THE LAW THAT AFFORD THE GREATEST PROTECTION FOR THE RIGHT OF PRIVACY FOR CONSUMERS SHALL CONTROL.

14–4213.
IF A SERIES OF STEPS OR TRANSACTIONS WHERE COMPONENT PARTS OF A SINGLE TRANSACTION WERE TAKEN WITH THE INTENTION OF AVOIDING THE REACH OF THIS SUBTITLE, A COURT SHALL DISREGARD THE INTERMEDIATE STEPS OR TRANSACTIONS FOR PURPOSES OF CARRYING OUT THE PURPOSES OF THIS SUBTITLE.

14–4214.
ANY PROVISION OF A CONTRACT OR AN AGREEMENT OF ANY KIND THAT PURPORTS TO WAIVE OR LIMIT IN ANY WAY A CONSUMER’S RIGHTS UNDER THIS SUBTITLE, INCLUDING ANY RIGHT TO A REMEDY OR MEANS OF ENFORCEMENT, SHALL BE CONSIDERED CONTRARY TO PUBLIC POLICY AND SHALL BE VOID AND UNENFORCEABLE.

SECTION 2. AND BE IT FURTHER ENACTED, That this Act shall take effect January 1, 2021.