This bill amends existing law to prohibit controllers of commercial Internet websites or online services from selling sensitive personal data. The prohibition applies universally to all individuals or legal entities, regardless of the number of consumers whose data they control or process. The bill defines sensitive data to include personal information such as racial or ethnic origin, religious beliefs, health conditions, financial information, sexual orientation, citizenship status, and precise geolocation data, among others.
In addition to the prohibition on selling sensitive data, the bill introduces several requirements for data controllers. These include limiting the collection of personal data to what is necessary, obtaining consumer consent for processing sensitive data, implementing robust data security practices, and providing mechanisms for consumers to revoke consent. The bill also mandates that data protection assessments be conducted for processing activities that present a heightened risk of harm to consumers, ensuring that the benefits of data processing are weighed against potential risks. The assessments must be made available to the Division of Consumer Affairs upon request, while remaining confidential and exempt from public inspection.
Statutes affected: Introduced: 56:8-166.12