Bill Summary – FastDemocracy

SENATE BILL 930
      I3                                                                                1lr2391
     By: Senator Lee
     Introduced and read first time: February 10, 2021
     Assigned to: Rules
                                                A BILL ENTITLED
 AN ACT concerning
                           Maryland Online Consumer Protection Act
 FOR the purpose of requiring certain businesses that collect a consumer’s personal
      information to provide certain notices to the consumer at or before the point of
      collection; authorizing a consumer to submit a certain request for information to a
      business that collects the consumer’s personal information; requiring a business to
      comply with a certain request for information in a certain manner and within a
      certain period of time; establishing certain exceptions to a consumer’s request for
      personal information; requiring a business to establish a means for consumers to
      submit certain requests; requiring a business to provide certain information to a
      consumer in a certain manner; prohibiting a business from retaining certain
      personal information, re–identifying or linking certain data, or disclosing certain
      personal information under certain circumstances; requiring a business to include
      certain information in a certain policy or website and update certain information
      periodically; requiring a business to ensure that an individual responsible for
      handling certain consumer inquiries is informed of certain requirements relating to
      consumer personal information privacy and how to direct consumers to exercise their
      rights; authorizing a consumer to request a business to delete certain personal
      information and requiring a business to comply with the request in a certain manner;
      authorizing a consumer to demand that a business not disclose the consumer’s
      personal information to third parties and requiring a business to comply with the
      consumer’s request to opt out in a certain manner; authorizing a business to require
      an authentication of a certain request; prohibiting a business from taking certain
      actions against a consumer who exercises the consumer’s rights to consumer
      personal information privacy; providing for certain exceptions to an otherwise
      authorized disclosure of consumer personal information; establishing that a violation
      of this Act is an unfair, abusive, or deceptive trade practice and is subject to certain
      enforcement and penalty provisions; authorizing the Office of the Attorney General
      to adopt certain regulations; providing for the application of this Act; providing for a
      delayed effective date; defining certain terms; and generally relating to privacy of
      consumer personal information.
     EXPLANATION: CAPITALS INDICATE MATTER ADDED TO EXISTING LAW.
           [Brackets] indicate matter deleted from existing law.
                                                                   *sb0930*
                           SENATE BILL 930
 BY adding to
      Article – Commercial Law
      Section 14–4301 through 14–4314 to be under the new subtitle “Subtitle 43.
             Consumer Personal Information Privacy”
      Annotated Code of Maryland
      (2013 Replacement Volume and 2020 Supplement)
       SECTION 1. BE IT ENACTED BY THE GENERAL ASSEMBLY OF MARYLAND,
 That the Laws of Maryland read as follows:
                            Article – Commercial Law
            SUBTITLE 43. CONSUMER PERSONAL INFORMATION PRIVACY.
 14–4301.
      (A)     IN THIS SUBTITLE THE FOLLOWING WORDS HAVE THE MEANINGS
 INDICATED.
      (B)     (1)
                    “AGGREGATE CONSUMER INFORMATION” MEANS INFORMATION
 THAT RELATES TO A GROUP OR CATEGORY OF CONSUMERS, FROM WHICH
 INDIVIDUAL CONSUMER IDENTITIES HAVE BEEN REMOVED, THAT IS NOT LINKED OR
 REASONABLY LINKABLE TO ANY CONSUMER, INCLUDING THROUGH A DEVICE.
           (2) “AGGREGATE CONSUMER INFORMATION” DOES NOT INCLUDE AN
 INDIVIDUAL CONSUMER RECORD THAT HAS BEEN DE–IDENTIFIED.
      (C)     (1)
                    “BIOMETRIC    INFORMATION”    MEANS     AN   INDIVIDUAL’S
 PHYSIOLOGICAL, BIOLOGICAL, OR BEHAVIORAL CHARACTERISTICS, INCLUDING AN
 INDIVIDUAL’S DNA, THAT CAN BE USED, ALONE OR IN COMBINATION WITH EACH
 OTHER OR WITH OTHER IDENTIFYING DATA, TO ESTABLISH INDIVIDUAL IDENTITY.
              (2)   “BIOMETRIC INFORMATION” INCLUDES:
                    (I)
                          IMAGERY OF THE IRIS, RETINA, FINGERPRINT, FACE, HAND,
 PALM, AND VEIN PATTERNS, AND VOICE RECORDINGS FROM WHICH AN IDENTIFIER
 TEMPLATE, SUCH AS A FACE PRINT, A MINUTIAE TEMPLATE, OR A VOICEPRINT, CAN
 BE EXTRACTED; AND
                    (II)
                         KEYSTROKE PATTERNS OR RHYTHMS, GAIT PATTERNS OR
 RHYTHMS, AND SLEEP, HEALTH, OR EXERCISE DATA THAT CONTAIN IDENTIFYING
 INFORMATION.
                                    SENATE BILL 930                            3
      (D)    “BUSINESS” MEANS:
             (1)A SOLE PROPRIETORSHIP, A PARTNERSHIP, A LIMITED LIABILITY
 COMPANY, A CORPORATION, AN ASSOCIATION, OR ANY OTHER LEGAL ENTITY THAT:
                   (I)IS ORGANIZED OR OPERATED FOR THE PROFIT OR
 FINANCIAL BENEFIT OF ITS OWNERS;
                   (II)
                         COLLECTS         THE   PERSONAL   INFORMATION   OF   AN
 INDIVIDUAL OR CONSUMER; AND
                   (III) SATISFIES ONE OR MORE OF THE FOLLOWING THRESHOLDS:
                          1.   HAS ANNUAL GROSS REVENUES IN EXCESS OF
 $25,000,000;
                   2.    ANNUALLY BUYS, RECEIVES FOR THE BUSINESS’S
 COMMERCIAL PURPOSES, SELLS, OR SHARES FOR COMMERCIAL PURPOSES, ALONE
 OR IN COMBINATION, THE PERSONAL INFORMATION OF 100,000 OR MORE
 CONSUMERS, HOUSEHOLDS, OR DEVICES; OR
                          3.
                             DERIVES AT LEAST ONE–HALF OF ITS ANNUAL
 REVENUES FROM SELLING CONSUMERS’ PERSONAL INFORMATION; OR
             (2)   ANY ENTITY THAT:
                   (I) CONTROLS OR IS CONTROLLED BY A BUSINESS UNDER ITEM
 (1) OF THIS SUBSECTION; AND
                   (II)   SHARES A NAME, SERVICE MARK, OR TRADEMARK WITH THE
 BUSINESS.
      (E)    “BUSINESS PURPOSE” MEANS THE USE OF PERSONAL INFORMATION BY
 A BUSINESS OR A SERVICE PROVIDER IN A MANNER REASONABLY NECESSARY TO
 ACHIEVE THE OPERATIONAL PURPOSE FOR WHICH THE INFORMATION WAS
 COLLECTED.
      (F)    (1)“COLLECT” MEANS TO BUY, RENT, GATHER, OBTAIN, RECEIVE, OR
 ACCESS ANY PERSONAL INFORMATION PERTAINING TO A CONSUMER BY ANY MEANS.
             (2)
                   “COLLECT” INCLUDES TO RECEIVE INFORMATION FROM THE
 CONSUMER OR BY OBSERVING THE CONSUMER’S BEHAVIOR.
                         SENATE BILL 930
     (G)   “CONSUMER” MEANS AN INDIVIDUAL WHO RESIDES IN THE STATE.
     (H)   “DE–IDENTIFIED”  MEANS,  WITH   RESPECT   TO  INFORMATION,
 PROCESSED SO THAT THE INFORMATION CANNOT REASONABLY IDENTIFY, RELATE
 TO, DESCRIBE, BE CAPABLE OF BEING ASSOCIATED WITH, OR BE LINKED TO A
 PARTICULAR      CONSUMER,     IF    A     BUSINESS     THAT     USES
 DE–IDENTIFIED INFORMATION:
           (1)   HAS IMPLEMENTED TECHNICAL SAFEGUARDS THAT PROHIBIT
 RE–IDENTIFICATION OF THE CONSUMER TO WHOM THE INFORMATION MAY
 PERTAIN;
           (2) HAS IMPLEMENTED BUSINESS PROCESSES THAT SPECIFICALLY
 PROHIBIT RE–IDENTIFICATION OF THE INFORMATION;
           (3)   HAS IMPLEMENTED BUSINESS PROCESSES          TO     PREVENT
 INADVERTENT RELEASE OF DE–IDENTIFIED INFORMATION; AND
           (4)   MAKES NO ATTEMPT TO RE–IDENTIFY THE INFORMATION.
     (I)   (1) “DESIGNATED METHOD FOR SUBMITTING REQUESTS” MEANS A
 MAILING ADDRESS, AN E–MAIL ADDRESS, AN INTERNET WEBSITE, AN INTERNET
 PORTAL, A TELEPHONE NUMBER, OR ANY OTHER APPLICABLE CONTACT
 INFORMATION THROUGH WHICH A CONSUMER MAY SUBMIT A REQUEST OR
 DIRECTION UNDER THIS SUBTITLE.
          (2) “DESIGNATED METHOD FOR SUBMITTING REQUESTS” INCLUDES
 A CONSUMER–FRIENDLY MEANS OF CONTACTING A BUSINESS APPROVED BY THE
 ATTORNEY GENERAL UNDER § 14–4311(A)(4) OF THIS SUBTITLE.
     (J)  “DEVICE” MEANS A PHYSICAL OBJECT THAT IS CAPABLE OF
 CONNECTING TO THE INTERNET OR TO ANOTHER DEVICE.
     (K)   “HOMEPAGE” MEANS:
           (1) THE INTRODUCTORY PAGE OF AN INTERNET WEBSITE AND ANY
 INTERNET WEBPAGE WHERE PERSONAL INFORMATION IS COLLECTED; OR
           (2)   IN THE CASE OF AN ONLINE SERVICE OR APPLICATION:
               (I)     THE SERVICE OR APPLICATION PLATFORM PAGE OR
 DOWNLOAD PAGE;
                                   SENATE BILL 930                            5
                  (II)A LINK WITHIN THE SERVICE OR APPLICATION, SUCH AS
 FROM THE SERVICE OR APPLICATION CONFIGURATION, “ABOUT”, “INFORMATION”,
 OR SETTINGS PAGE; OR
                (III) ANY OTHER LOCATION THAT ALLOWS A CONSUMER TO
 REVIEW THE NOTICE REQUIRED BY § 14–4302(A) OF THIS SUBTITLE, WHETHER
 BEFORE OR AFTER DOWNLOADING THE APPLICATION OR SERVICE.
      (L) “INFER” MEANS TO DERIVE INFORMATION, DATA, ASSUMPTIONS, OR
 CONCLUSIONS FROM FACTS, EVIDENCE, OR ANOTHER SOURCE OF INFORMATION OR
 DATA.
      (M)   (1) “PERSONAL INFORMATION” MEANS INFORMATION THAT
 IDENTIFIES, RELATES TO, DESCRIBES, IS REASONABLY CAPABLE OF BEING
 ASSOCIATED WITH, OR COULD REASONABLY BE LINKED, DIRECTLY OR INDIRECTLY,
 WITH A PARTICULAR CONSUMER OR THE CONSUMER’S DEVICE.
            (2)   “PERSONAL INFORMATION” DOES NOT INCLUDE:
                  (I)
                        PUBLICLY AVAILABLE INFORMATION THAT IS LAWFULLY
 MADE AVAILABLE FROM FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS;
                  (II)   DE–IDENTIFIED CONSUMER INFORMATION; OR
                  (III) AGGREGATE CONSUMER INFORMATION.
      (N)   “PROBABILISTIC IDENTIFIER” MEANS THE IDENTIFICATION OF A
 CONSUMER OR A DEVICE TO A DEGREE OF CERTAINTY OF MORE PROBABLE THAN
 NOT BASED ON CATEGORIES OF PERSONAL INFORMATION INCLUDED IN, OR SIMILAR
 TO, THE CATEGORIES LISTED UNDER SUBSECTION (M) OF THIS SECTION.
      (O)   “PROCESSING” MEANS AN OPERATION OR A SET OF OPERATIONS THAT
 IS PERFORMED ON PERSONAL INFORMATION OR ON            SETS   OF   PERSONAL
 INFORMATION, WHETHER OR NOT BY AUTOMATED MEANS.
      (P)   “PSEUDONYMIZE”    MEANS   THE  PROCESSING   OF   PERSONAL
 INFORMATION IN A MANNER THAT RENDERS THE PERSONAL INFORMATION NO
 LONGER ATTRIBUTABLE TO A SPECIFIC CONSUMER WITHOUT THE USE OF
 ADDITIONAL INFORMATION, IF THE ADDITIONAL INFORMATION IS KEPT
 SEPARATELY AND IS SUBJECT TO TECHNICAL AND ADMINISTRATIVE SAFEGUARDS
 TO ENSURE THAT THE PERSONAL INFORMATION IS NOT ATTRIBUTED TO AN
 IDENTIFIED OR IDENTIFIABLE CONSUMER.
                           SENATE BILL 930
      (Q) “RESEARCH” MEANS SCIENTIFIC, SYSTEMATIC STUDY AND
 OBSERVATION, INCLUDING BASIC RESEARCH OR APPLIED RESEARCH THAT IS IN THE
 PUBLIC INTEREST AND THAT ADHERES TO APPLICABLE ETHICS AND PRIVACY LAWS
 OR STUDIES CONDUCTED IN THE PUBLIC INTEREST IN THE AREA OF PUBLIC HEALTH.
      (R) “SERVICE” MEANS WORK, LABOR, AND SERVICES, INCLUDING SERVICES
 FURNISHED IN CONNECTION WITH THE SALE OR REPAIR OF GOODS.
      (S)   “SERVICE  PROVIDER”   MEANS    A  PERSON   THAT   PROCESSES
 INFORMATION ON BEHALF OF A BUSINESS AND TO WHICH THE BUSINESS DISCLOSES
 A CONSUMER’S PERSONAL INFORMATION FOR A BUSINESS PURPOSE IN
 ACCORDANCE WITH A WRITTEN CONTRACT IF THE CONTRACT PROHIBITS THE
 ENTITY RECEIVING THE INFORMATION FROM RETAINING, USING, OR DISCLOSING
 THE PERSONAL INFORMATION FOR ANY PURPOSE OTHER THAN FOR THE SPECIFIC
 PURPOSE OF PERFORMING THE SERVICES SPECIFIED IN THE CONTRACT FOR THE
 BUSINESS, OR AS OTHERWISE ALLOWED BY THIS SUBTITLE.
      (T)   “THIRD PARTY” MEANS A PERSON THAT IS NOT THE BUSINESS THAT
 COLLECTS PERSONAL INFORMATION FROM CONSUMERS UNDER THIS SUBTITLE OR
 A SERVICE PROVIDER OF THAT BUSINESS.
      (U)   (1)   “THIRD–PARTY DISCLOSURE” MEANS A TRANSFER OF A
 CONSUMER’S PERSONAL INFORMATION BY THE BUSINESS TO A THIRD PARTY,
 INCLUDING SELLING, RENTING, RELEASING, DISSEMINATING, MAKING AVAILABLE,
 TRANSFERRING, OR OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY
 ELECTRONIC OR OTHER MEANS.
            (2)   “THIRD–PARTY DISCLOSURE” DOES NOT INCLUDE:
                  (I)    A DISCLOSURE BY A BUSINESS OF PERSONAL INFORMATION
 OF A CONSUMER TO A SERVICE PROVIDER THAT IS NECESSARY TO THE
 PERFORMANCE OF A BUSINESS PURPOSE INCLUDED IN A NOTICE UNDER § 14–4302
 OF THIS SUBTITLE;
                  (II)
                         IDENTIFICATION BY A BUSINESS OF A CONSUMER WHO HAS
 OPTED OUT OF THE SALE OF THE CONSUMER’S PERSONAL INFORMATION FOR THE
 PURPOSE OF ALERTING THIRD PARTIES THAT THE CONSUMER HAS OPTED OUT OF
 THE SALE OF THE CONSUMER’S PERSONAL INFORMATION; OR
                (III) THE TRANSFER BY A BUSINESS TO A THIRD PARTY OF THE
 PERSONAL INFORMATION OF A CONSUMER AS AN ASSET THAT IS PART OF A MERGER,
 AN ACQUISITION, A BANKRUPTCY, OR ANY OTHER TRANSACTION IN WHICH THE
 THIRD PARTY ASSUMES CONTROL OF ALL OR PART OF THE BUSINESS IF THAT
                                   SENATE BILL 930                            7
 INFORMATION IS USED OR SHARED CONSISTENTLY WITH THE NOTICE RECEIVED BY
 CONSUMERS UNDER § 14–4302 OF THIS SUBTITLE.
      (V)   “UNIQUE IDENTIFIER” MEANS A PERSISTENT IDENTIFIER THAT CAN BE
 USED TO RECOGNIZE A CONSUMER OR A DEVICE THAT IS LINKED TO A CONSUMER
 OR HOUSEHOLD, OVER TIME AND ACROSS DIFFERENT TECHNOLOGIES, INCLUDING:
            (1)   A DEVICE IDENTIFIER;
            (2)   AN INTERNET PROTOCOL ADDRESS;
            (3) A COOKIE, BEACON, PIXEL TAG, MOBILE AD IDENTIFIER, OR
 SIMILAR TECHNOLOGY;
            (4)   A CONSUMER NUMBER, UNIQUE PSEUDONYM, OR USER ALIAS; OR
           (5) A TELEPHONE NUMBER OR ANY OTHER FORM OF PERSISTENT OR
 PROBABILISTIC IDENTIFIER THAT CAN BE USED TO IDENTIFY A PARTICULAR
 CONSUMER OR DEVICE.
 14–4302.
      (A) A BUSINESS THAT COLLECTS A CONSUMER’S PERSONAL INFORMATION
 SHALL, AT OR BEFORE THE POINT OF COLLECTION, CLEARLY AND CONSPICUOUSLY
 NOTIFY A CONSUMER OF:
            (1) THE CATEGORIES OF PERSONAL INFORMATION THE BUSINESS
 WILL COLLECT ABOUT THAT CONSUMER;
            (2)THE BUSINESS PURPOSES FOR WHICH THE CATEGORIES OF
 PERSONAL INFORMATION MAY BE USED;
            (3) THE CATEGORIES OF THIRD PARTIES TO WHICH THE BUSINESS
 DISCLOSES PERSONAL INFORMATION;
            (4)   THE BUSINESS PURPOSES FOR THIRD–PARTY DISCLOSURE; AND
            (5)   THE CONSUMER’S RIGHT TO REQUEST:
                  (I) A COPY OF THE CONSUMER’S PERSONAL INFORMATION
 UNDER § 14–4303 OF THIS SUBTITLE;
                  (II)   DELETION OF THE CONSUMER’S PERSONAL INFORMATION
                           SENATE BILL 930
 UNDER § 14–4305 OF THIS SUBTITLE; AND
                 (III) TO OPT OUT OF THIRD–PARTY DISCLOSURE UNDER §
 14–4306 OF THIS SUBTITLE.
      (B)   A BUSINESS MAY NOT COLLECT ADDITIONAL CATEGORIES OF PERSONAL
 INFORMATION OR USE PERSONAL INFORMATION COLLECTED FOR ADDITIONAL
 PURPOSES WITHOUT FIRST PROVIDING THE CONSUMER WITH NOTICE CONSISTENT
 WITH THIS SECTION.
 14–4303.
      (A) A CONSUMER MAY REQUEST THAT A BUSINESS THAT COLLECTS A
 CONSUMER’S PERSONAL INFORMATION DISCLOSE TO THAT CONSUMER:
            (1) THE SPECIFIC PIECES OF PERSONAL INFORMATION THE
 BUSINESS HAS COLLECTED ABOUT THAT CONSUMER;
            (2)THE SOURCES FROM WHICH THE CONSUMER’S PERSONAL
 INFORMATION WAS COLLECTED;
            (3) THE NAMES OF THIRD PARTIES TO WHICH THE BUSINESS
 DISCLOSED THE CONSUMER’S PERSONAL INFORMATION; AND
            (4)   THE BUSINESS PURPOSES FOR THIRD–PARTY DISCLOSURE.
      (B)  A BUSINESS SHALL PROVIDE THE INFORMATION SPECIFIED IN
 SUBSECTION (A) OF THIS SECTION TO A CONSUMER ONLY ON RECEIPT OF A
 VERIFIABLE CONSUMER REQUEST.
      (C)   (1) SUBJECT TO PARAGRAPH (2) OF THIS SUBSECTION, AFTER
 RECEIVING A VERIFIABLE CONSUMER REQUEST, A BUSINESS SHALL PROMPTLY
 TAKE STEPS TO PROVIDE, FREE OF CHARGE TO THE CONSUMER, THE PERSONAL
 INFORMATION REQUIRED BY THIS SECTION.
            (2)   THE INFORMATION MAY BE PROVIDED BY:
                  (I)    UNITED STATES MAIL; OR
                  (II)
                        ELECTRONIC DELIVERY THAT IS PORTABLE AND, TO THE
 EXTENT TECHNICALLY FEASIBLE, IN A READILY USEABLE FORMAT THAT ALLOWS
 THE CONSUMER TO TRANSMIT THIS INFORMATION TO ANOTHER ENTITY WITHOUT
 HINDRANCE.
                                 SENATE BILL 930                            9
      (D)  A BUSINESS MAY PROVIDE PERSONAL INFORMATION TO A CONSUMER
 AT ANY TIME, NOTWITHSTANDING § 14–4304 OF THIS SUBTITLE, BUT IS NOT
 REQUIRED TO PROVIDE PERSONAL INFORMATION TO THE SAME CONSUMER MORE
 THAN ONCE IN A 6–MONTH PERIOD.
      (E) IF VERIFIED REQUESTS FROM A CONSUMER ARE EXCESSIVE, BECAUSE
 OF THEIR REPETITIVE CHARACTER, A BUSINESS MAY:
            (1)   CHARGE A REASONABLE FEE, TAKING INTO ACCOUNT THE
 ADMINISTRATIVE COSTS OF PROVIDING THE INFORMATION OR COMMUNICATION OR
 TAKING THE ACTION REQUESTED; OR
            (2) REFUSE TO ACT ON THE REQUEST AND NOTIFY THE CONSUMER OF
 THE REASON FOR REFUSING THE REQUEST.
      (F) A BUSINESS MAY NOT REQUIRE A CONSUMER TO CREATE AN ACCOUNT
 WITH THE BUSINESS IN ORDER TO MAKE A VERIFIABLE CONSUMER REQUEST.
      (G)   A BUSINESS MAY NOT:
            (1)   RETAIN
                           PERSONAL INFO