A bill

TO AMEND THE SOUTH CAROLINA CODE OF LAWS BY ADDING CHAPTER 31 TO TITLE 37 SO AS TO PROVIDE DEFINITIONS, TO PROVIDE THAT A GOVERNMENTAL ENTITY MAY NOT COMMUNICATE WITH A SOCIAL MEDIA PLATFORM IN CERTAIN INSTANCES, TO PROVIDE APPLICABILITY, TO PROVIDE EXEMPTIONS, TO PROVIDE FOR CERTAIN CONSUMER RIGHTS, TO PROVIDE FOR THE EXERCISING OF CERTAIN RIGHTS, TO ESTABLISH AN APPEALS PROCESS, TO PROVIDE THAT CERTAIN CONTRACTS AND AGREEMENTS THAT WAIVE RIGHTS ARE VOID, TO PROVIDE THAT A CONTROLLER SHALL ESTABLISH METHODS TO SUBMIT REQUESTS, TO PROVIDE FOR DUTIES FOR CONTROLLERS, TO PROVIDE FOR A PRIVACY NOTICE, TO PROVIDE FOR DUTIES OF A PROCESSOR, TO PROVIDE FOR A DATA PROTECTION ASSESSMENT, TO PROVIDE FOR DUTIES OF A CONTROLLER IN POSSESSION OF DEIDENTIFIED DATA, TO PROVIDE THAT A CONTROLLER MAY NOT ENGAGE IN THE SALE OF CERTAIN PERSONAL DATA, TO PROVIDE FOR ACTIONS THAT ARE NOT RESTRICTED, TO PROVIDE FOR THIRD-PARTY DATA DISCLOSURE, TO PROVIDE THAT CERTAIN PERSONAL DATA MAY NOT BE PROCESSED, AND TO PROVIDE THAT A VIOLATION IS AN UNFAIR AND DECEPTIVE TRADE PRACTICE.

Be it enacted by the General Assembly of the State of South Carolina:

SECTION 1.  Title 37 of the S.C. Code is amended by adding:

    CHAPTER 31

    Technology Transparency

    Section 37-31-100. As used in this chapter:

       (1) "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity or that shares common branding with another legal entity. For purposes of this item, the term "control" or "controlled" means any of the following:

           (a) the ownership of, or power to vote, more than fifty percent of the outstanding shares of any class of voting security of a company;

           (b) the control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or

           (c) the power to exercise controlling influence over the management of a company.

       (2) "Aggregate consumer information" means information that relates to a group or category of consumers, from which the identity of an individual consumer has been removed and is not reasonably capable of being directly or indirectly associated or linked with any consumer, household, or device. The term does not include information about a group or category of consumers used to facilitate targeted advertising or the display of ads online. The term does not include personal information that has been deidentified.

       (3) "Authenticate" or "authenticated" means to verify or the state of having been verified, respectively, through reasonable means that the consumer who is entitled to exercise the consumer's rights pursuant to this chapter is the same consumer exercising those consumer rights with respect to the personal data at issue.

       (4) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics. The term includes fingerprints, voiceprints, eye retinas or irises, or other unique biological patterns or characteristics used to identify a specific individual. The term does not include physical or digital photographs, video or audio recordings or data generated from video or audio recordings, or information collected, used, or stored for health care treatment, payment, or operations under the Health Insurance Portability and Accountability Act of 1996.

       (5) "Business associate" has the same meaning as in 45 C.F.R. Section 160.103 and the Health Insurance Portability and Accountability Act of 1996.

       (6) "Child" means an individual younger than eighteen years of age.

       (7) "Consent", when referring to a consumer, means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. The term includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative act. The term does not include any of the following:

           (a) acceptance of general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;

           (b) hovering over, muting, pausing, or closing a given piece of content; or

           (c) agreement obtained through the use of dark patterns.

       (8) "Consumer" means an individual who is a resident of or is domiciled in this State acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.

       (9) "Controller" means:

           (a) a sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:

               (i) is organized or operated for the profit or financial benefit of its shareholders or owners;

               (ii) conducts business in this State;

               (iii) collects personal data about consumers or is the entity on behalf of which the information is collected;

               (iv) determines the purposes and means of processing personal data about consumers alone or jointly with others;

               (v) makes in excess of one billion dollars in global gross annual revenues; and

               (vi) satisfies at least one of the following:

                  (A) derives fifty percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online;

                  (B) operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this subsubsubitem, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or

                  (C) operates an app store or a digital distribution platform that offers at least two hundred fifty thousand different software applications for consumers to download and install; or

           (b) any entity that controls or is controlled by a controller. As used in this subitem, the term "control" means:

               (i) ownership of, or the power to vote, more than fifty percent of the outstanding shares of any class of voting security of a controller;

               (ii) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or

               (iii) the power to exercise a controlling influence over the management of a company.

       (10) "Covered entity" has the same meaning as in 45 C.F.R. Section 160.103 and the Health Insurance Portability and Accountability Act of 1996.

       (11) "Dark pattern" means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision making, or choice. The term includes any practice the Federal Trade Commission refers to as a dark pattern.

       (12) "Decision that produces a legal or similarly significant effect concerning a consumer" means a decision made by a controller which results in the provision or denial by the controller of any of the following:

           (a) financial and lending services;

           (b) housing, insurance, or health care services;

           (c) education enrollment;

           (d) employment opportunities;

           (e) criminal justice; or

           (f) access to basic necessities, such as food and water.

       (13) "Deidentified data" means data that cannot reasonably be linked to an identified or identifiable individual or a device linked to that individual.

       (14) "Governmental entity" means any state, county, district, authority, or municipal office, department, division, board, bureau, commission, or other separate unit of government created or established by law and any other public or private agency, person, partnership, corporation, or business entity acting on behalf of any public agency.

       (15) "Health care provider" has the same meaning as in 45 C.F.R. Section 160.103 and the Health Insurance Portability and Accountability Act of 1996.

       (16) "Health record" means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health care services to an individual which concerns the individual and the services provided. The term includes any of the following:

           (a) the substance of any communication made by an individual to a health