SENATE BILL 176

54th legislature - STATE OF NEW MEXICO - first session, 2019

INTRODUCED BY

Michael Padilla

AN ACT

RELATING TO CONSUMER PROTECTION; ENACTING THE CONSUMER INFORMATION PRIVACY ACT; PROVIDING DEFINITIONS; ESTABLISHING CONSUMER RIGHTS; ESTABLISHING OBLIGATIONS FOR BUSINESSES THAT COLLECT OR USE PERSONAL CONSUMER INFORMATION; PROVIDING FOR PROMULGATION OF RULES; ESTABLISHING CIVIL CAUSES OF ACTION; PROVIDING PENALTIES; ESTABLISHING THE CONSUMER PRIVACY FUND; PROVIDING FOR DISTRIBUTIONS.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF NEW MEXICO:

     SECTION 1. [NEW MATERIAL] SHORT TITLE.--This act may be cited as the "Consumer Information Privacy Act".

     SECTION 2. [NEW MATERIAL] DEFINITIONS.--As used in the Consumer Information Privacy Act:

          A. "aggregate consumer information" means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. "Aggregate consumer information" does not mean one or more individual consumer records that have been de-identified;

          B. "biometric information" means an individual's physiological, biological or behavioral characteristics that can be used singly or in combination with each other or with other identifying data to establish individual identity. Biometric information includes:

                (1) imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns and voice recordings from which an identifier template can be extracted;

                (2) keystroke patterns or rhythms or gait patterns or rhythms;

                (3) sleep, health or exercise data that contain identifying information; or

                (4) such other types of information established by the office of the attorney general by rule;

          C. "business" means:

                (1) a corporation, joint venture, limited liability company, partnership, limited partnership, limited liability partnership, real estate investment trust or sole proprietor; or

                (2) any entity that controls or is controlled by a business as defined in Paragraph (1) of this subsection that shares common branding with the business;

          D. "business purpose" means the use of personal information for a business's or a service provider's operational purposes, or other notified purposes, that is reasonably necessary and proportionate to achieve the operational purpose for which the personal information is collected or processed. "Business purpose" includes:

                (1) auditing related to a current interaction with a consumer and concurrent transactions, including counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this specification and other standards;

                (2) detecting security incidents and protecting against malicious, deceptive, fraudulent or illegal activity and legal actions taken against those responsible for that activity;

                (3) debugging to identify and repair errors that impair existing intended functionality;

                (4) short-term, transient use; provided that personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside of the current interaction, including the contextual customization of ads shown as part of the same interaction;

                (5) performing services on behalf of a business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services or providing similar services on behalf of the business or service provider;

                (6) undertaking internal research for technological development and demonstration;

                (7) undertaking activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for or controlled by a business and to improve, upgrade or enhance the service or device that is owned by, manufactured by, manufactured for or controlled by the business; or

                (8) other purposes established by the office of the attorney general by rule;

          E. "collect" means to buy, rent, gather, obtain, receive or access any personal information pertaining to a consumer by any means;

          F. "commercial purpose" means to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide or exchange products, goods, property, information or services or enabling or effecting, directly or indirectly, a commercial transaction;

          G. "common branding" means a shared name, service mark or trademark;

          H. "control" means equity ownership in a business entity that represents at least fifty percent of the total voting power of that business entity or has a value equal to at least fifty percent of the total equity of that business entity;

          I. "de-identified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with or be linked, directly or indirectly, to a particular consumer;

          J. "designated methods for submitting requests" means a United States mailing address, an email address, an internet web page, internet web portal, a toll-free telephone number or other contact information established by the office of the attorney general by rule whereby consumers may submit a request or direction under the Consumer Information Privacy Act;

          K. "device" means any physical object that is capable of connecting to the internet, directly or indirectly, or to another device;

          L. "family" means a custodial parent or guardian and any minor children over which the parent or guardian has custody;

          M. "health insurance information" means a consumer's insurance policy number, subscriber identification number, any unique identifier used by a health insurer to identify a consumer or any information in a consumer's application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider;

          N. "homepage" means a location that allows consumers to review a notice required of a business pursuant to the Consumer Information Privacy Act, including:

                (1) an introductory page of an internet website or an internet web page where personal information is collected;

                (2) a platform page or download page for an online service or mobile application;

                (3) a link within a mobile application; or

                (4) another location established by the office of the attorney general by rule;

          O. "identifier template" means a face print, a fingerprint minutiae template, a voice print or other template as established by the office of the attorney general by rule;

          P. "incident" means a breach of security that results in the unauthorized access, exfiltration, theft or disclosure of personal information of a consumer;

          Q. "inference" means the derivation of information, data, assumptions or conclusions from facts, evidence or another source of information or data;

          R. "opt out" means a directive by a consumer not to sell the consumer's personal information;

          S. "person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee or any organization or group of persons acting in concert;

          T. "personal information" means information, other than publicly available information, from federal, state or local government records that identifies, describes or could reasonably be linked with a particular consumer or household, including:

                (1) a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, bank account number, credit card number, debit card number, driver's license or state identification card number, insurance policy number, social security number, passport number or telephone number;

                (2) any information that identifies, describes or is capable of being associated with a particular individual, including a signature, physical characteristic or description, education, employment, employment history, financial information, medical information or health insurance information;

                (3) characteristics of protected classifications under state or federal law;

                (4) commercial information, including records of personal property, purchases of products or services or histories of purchases;

                (5) biometric information;

                (6) internet or other electronic network activity information, including browsing history, search history and information regarding a consumer's interaction with an internet website, application or advertisement;

                (7) geolocation data;

                (8) audio, electronic, visual, thermal, olfactory or similar information;

                (9) inferences drawn from any of the information identified in this subsection to create a profile about a consumer that reflects the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities or aptitudes; or

                (10) other types of information established by the office of the attorney general by rule;

          U. "probabilistic identifier" means the identification of a consumer or a device to a degree of certainty that is more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in Subsection S of this section;

          V. "processing" means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means;

          W. "research" means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health;

          X. "sell" means to sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate orally, in writing, electronically or by other means a consumer's personal information for monetary or other valuable consideration;

          Y. "service" means work, labor or service, including service furnished in connection with the sale or repair of a good;

          Z. "service provider" means a business that processes information;

          AA. "sole proprietor" means a single individual who owns all the assets of a business, is solely liable for its debts and employs in the business no person other than that person's self;

          BB. "third party" means a third party as that term is commonly used in business transactions, including:

                (1) a business that collects personal information from consumers; or

                (2) a person to which a business discloses a consumer's personal information for a business purpose pursuant to a written contract that:

                     (a) prohibits the person receiving the personal information to sell, retain, use or disclose the personal information for any purpose other than the services specified in the contract; and

                     (b) includes a certification made by the person receiving the personal information that the person understands the restrictions in Subparagraph (a) of this paragraph and will comply with them;

          CC. "unique identifier" means a persistent identifier that can be used to recognize a consumer, a family or a device that is linked to a consumer or family, over time and across different services, including a device identifier; an internet protocol address; cookies, beacons, pixel tags, mobile ad identifiers or similar technology; a customer's number, unique pseudonym or user alias; telephone numbers; or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device;

          DD. "verifiable consumer request" means a request that is made by a consumer or a person authorized to act on the consumer's behalf and that a business can reasonably verify pursuant to rules established by the office of the attorney general; and

          EE. "willfully disregard" means to purposefully or recklessly ignore information available to a business about a consumer's likely age.

     SECTION 3. [NEW MATERIAL] CONSUMER RIGHTS REGARDING PERSONAL INFORMATION.--

          A. A consumer has the right to request that a business provide to the consumer the following information:

                (1) the categories of personal information about that consumer that the business has disclosed, collected or sold for a business purpose;

                (2) the categories of sources from which personal information is collected;

                (3) the business or commercial purpose for disclosing, collecting or selling personal information;

                (4) the categories of third parties with which the business shares or sells personal information and the categories of personal information for each third party to which the personal information has been sold; and

                (5) the specific pieces of personal information the business has collected about that consumer.

          B. A consumer has the right to request that a business delete any personal information about the consumer that the business has collected from the consumer.

          C. This section does not require a business to:

                (1) retain any personal information about a consumer collected for a one-time transaction if, in the ordinary course of business, that information about the consumer is not retained; or

                (2) re-identify or otherwise link any data that, in the ordinary course of business, are not maintained in a manner that would be considered personal information.

          D. A consumer has the right at any time to:

                (1) opt out of the sale of the consumer's personal information;

                (2) authorize in a manner established by the office of the attorney general by rule another person to opt out on the consumer's behalf; or

                (3) revoke a decision to opt out.

          E. A third party shall not sell personal information about a consumer that has been sold to a third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out pursuant to Subsection D of this section.

     SECTION 4. [NEW MATERIAL] BUSINESS REQUIREMENTS--OBLIGATIONS TO CONSUMERS--RESTRICTIONS ON USE OR SALE OF PERSONAL INFORMATION.--

          A. At the time of or before collection of personal information, a business that collects a consumer's personal information shall provide notice to the consumer regarding:

                (1) the categories of personal information to be collected and the purposes for which the categories of personal information will be used;

                (2) whether the information might be sold and that the consumer has a right to opt out of the sale of the consumer's personal information; and

                (3) at least two designated methods for submitting verifiable consumer requests for information required to be disclosed pursuant to the Consumer Information Privacy Act, including a toll-free telephone number and a website address if the business maintains a website; provided that a business shall not require a consumer to create an account with the business to make a verifiable consumer request.

          B. Within forty-five days of receiving a verifiable consumer request regarding use or sale of the consumer's personal information pursuant to Section 3 of the Consumer Information Privacy Act, a business shall disclose and deliver the requested information free of charge to the consumer; provided that:

                (1) the time to provide the required information may be extended once by an additional forty-five days when reasonably necessary if the consumer is provided notice of the extension within the first forty-five-day period;

                (2) if the business does not take action on a verifiable consumer request, the business shall inform the consumer within the time period permitted for response pursuant to this section of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business;

                (3) if a verifiable consumer request is manifestly unfounded or excessive, in particular because of its repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or the business may refuse to act on the request and notify the consumer of the reason for refusing the request; provided that the business shall bear the burden of demonstrating that any verifiable consumer request is manifestly unfounded or excessive;

                (4) the information covers the twelve-month period preceding the business's receipt of the verifiable consumer request;

                (5) identify the information by the categories specified to the consumer pursuant to Paragraph (1) of Subsection A of this section and specify the disposition of each category of personal information, including whether it was collected, sold or used for a business purpose;

                (6) at the option of the consumer, the response to the verifiable consumer request may be delivered by mail or electronically; provided that electronically delivered information shall be provided, to the extent technically feasible and as established by the office of the attorney general by rule, in a format that allows the consumer to transmit the information to another entity without hindrance; and

                (7) unless contractually obligated, a business is not required to provide personal information to a consumer more than twice in a twelve-month period.

          C. The information disclosed and delivered to a consumer making a request pursuant to Subsection B of this section shall include the:

                (1) categories of personal information it has collected about that consumer;

                (2) categories of sources from which the personal information is collected;

                (3) business purpose or commercial purpose for collecting or selling personal information;

                (4) categories of third parties with whom the business shares personal information; and

                (5) specific pieces of personal information the business has collected about that consumer.

          D. A business that receives a verifiable consumer request to delete the consumer's personal information shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records, except if it is necessary for the business or service provider to maintain the consumer's personal information to:

                (1) complete the transaction for which the personal information was collected, provide a good or service that is requested by the consumer, or that is reasonably anticipated within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;

                (2) detect security incidents and protect against malicious, deceptive, fraudulent or illegal activity or prosecute those responsible for that activity;

                (3) debug to identify and repair errors that impair existing intended functionality;

                (4) exercise free speech, ensure the right of another consumer to exercise the consumer's right of free speech or exercise another right provided for by law;

                (5) enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business; or

                (6) comply with a legal obligation.

          E. A business that collects a consumer's personal information shall provide the following information in its online privacy policy, description of consumers' privacy rights or its internet website and update that information at least once every twelve months:

                (1) a description of consumers' rights pursuant to the Consumer Information Privacy Act and two or more designated methods for submitting information requests, including a toll-free telephone number and a website address if the business maintains a website;

                (2) a list of the categories of personal information it has collected about consumers in the preceding twelve months;

                (3) a list of the categories of personal information it has sold about consumers in the preceding twelve months; and

                (4) a list of the categories of personal information it has disclosed about consumers for business purposes in the preceding twelve months.

          F. A business that sells consumers' personal information to third parties shall:

                (1) provide a clear and conspicuous link to an internet web page titled "Do Not Sell My Personal Information" that enables a consumer or a person authorized by the consumer to opt out of the sale of the consumer's personal information on either:

                     (a) its internet homepage that it makes available to the public generally; or

                     (b) a homepage that is dedicated to New Mexico consumers if the business takes reasonable steps that New Mexico consumers are directed to the homepage for New Mexico consumers and not the homepage made available to the public generally;

                (2) include a description of consumers' rights pursuant to the Consumer Information Privacy Act, along with a separate link to the "Do Not Sell My Personal Information" internet web page in:

                     (a) its online privacy policy or policies if the business has an online privacy policy or policies; and

                     (b) any New Mexico-specific description of consumers' privacy rights;

                (3) not sell personal information collected by the business about consumers who have exercised their right to opt out of the sale of their personal information;

                (4) wait for at least twelve months before requesting that a consumer who has opted out of the sale of the consumer's personal information authorize the sale of the consumer's personal information;

                (5) use any personal information collected from a consumer in connection with the submission of that consumer's opt-out request solely for the purposes of complying with the opt-out request; and

                (6) require a consumer to create an account to direct the business not to sell the consumer's personal information.

          G. A business shall not sell a consumer's personal information if the business has:

                (1) received direction from a consumer not to sell the consumer's personal information; or

                (2) actual knowledge that the consumer is a minor, unless the consumer's parent or legal guardian has affirmatively authorized the sale of the consumer's personal information; provided that if a business has information that reasonably establishes that a consumer is a minor and the business willfully disregards that information, the business shall be deemed to have actual knowledge of the consumer's age.

          H. A business that discloses personal information to a service provider shall not be liable under the Consumer Information Privacy Act if the service provider receiving the personal information uses it in violation of the restrictions set forth in that act; provided that at the time of disclosing the personal information, the business did not have actual knowledge, or reason to believe, that the service provider intended to commit such a violation. A service provider shall likewise not be liable under the Consumer Information Privacy Act for the obligations of a business for which it provides services as set forth in that act.

          I. A business that collects a consumer's personal information shall ensure that:

                (1) all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with the Consumer Information Privacy Act are informed of all the requirements and how to direct consumers to exercise their rights under that act; and

                (2) personal information collected from the consumer in connection with the business's verification of a consumer request be used solely for the purposes of verification.

     SECTION 5. [NEW MATERIAL] OPT-OUT USE--OFFERS OF SERVICE AND INCENTIVES--RESTRICTIONS.--

          A. A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under the Consumer Information Privacy Act by:

                (1) denying goods or services to the consumer;

                (2) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;

                (3) providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer's rights under the Consumer Information Privacy Act; or

                (4) suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services unless the difference is identified to the consumer as reasonably related to the value derived from the consumer's data.

          B. A business may offer financial incentives, including payments to consumers as compensation for the collection of personal information, the sale of personal information or the deletion of personal information. A business may also offer a different price, rate, level or quality of goods or services to the consumer if that price or difference is directly related to the value derived from the consumer's data.

          C. A business that offers any financial incentives pursuant to this section shall notify consumers of the financial incentives pursuant to Section 4 of the Consumer Information Privacy Act.

          D. A business may enter a consumer into a financial incentive program only if the consumer has signed a consent form that clearly describes the material terms of the financial incentive program and that it may be revoked by the consumer at any time.

          E. A business shall not use financial incentive practices that are unjust, unreasonable, coercive or usurious in nature.

     SECTION 6. [NEW MATERIAL] REQUIREMENTS TO TRAIN EMPLOYEES--LIMITS ON USE OF VERIFICATION INFORMATION.--A business that collects a consumer's personal information shall ensure that:

          A. all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with the Consumer Information Privacy Act are informed of all the requirements and how to direct consumers to exercise their rights under that act; and

          B. personal information collected from the consumer in connection with the business's verification of a consumer request be used solely for the purposes of verification.

     SECTION 7. [NEW MATERIAL] CONSUMER INFORMATION PRIVACY ACT--LIMITATIONS ON SCOPE.--

          A. The obligations imposed on businesses by the Consumer Information Privacy Act shall not restrict a business's ability to:

                (1) comply with federal, state or local laws;

                (2) comply with a civil, criminal or regulatory inquiry, an investigation, a subpoena or a summons by federal, state or local authorities;

                (3) cooperate with law enforcement agencies concerning conduct or activity that the business, service provider or third party reasonably and in good faith believes may violate federal, state or local law;

                (4) exercise or defend legal claims;

                (5) collect, use, retain, sell or disclose consumer information that is de-identified or is in aggregate consumer information; or

                (6) collect or sell a consumer's personal information if every aspect of the business's commercial conduct takes place wholly outside of the state. For purposes of the Consumer Information Privacy Act, commercial conduct takes place wholly outside of the state if the business collected that information while the consumer was outside of the state, no part of the sale of the consumer's personal information occurred in the state and no personal information collected while the consumer was in the state is sold. This paragraph shall not permit a business to store, including on a device, personal information about a consumer when the consumer is in New Mexico and then collecting that personal information when the consumer and stored personal information is outside of the state.

          B. The obligations imposed on businesses by the Consumer Information Privacy Act shall not apply where compliance would violate an evidentiary privilege under New Mexico law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under New Mexico law as part of a privileged communication.

          C. The Consumer Information Privacy Act shall not apply to information that is collected or used pursuant to state or federal law if the application is in conflict with that law. The office of the attorney general may promulgate rules to clarify when the application of the Consumer Information Privacy Act is in conflict with state or federal law.

          D. The Consumer Information Privacy Act shall not be construed to require a business to re-identify or otherwise link information that is not maintained in a manner that would be considered personal information.

          E. The rights afforded to a consumer and the obligations imposed on a business in the Consumer Information Privacy Act shall not adversely affect the rights and freedoms of other consumers.

     SECTION 8. [NEW MATERIAL] CIVIL CAUSE OF ACTION--PROCEDURES--DAMAGES.--

          A. Any consumer whose non-encrypted or non-redacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure as a result of a business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may file a civil action:

                (1) to recover actual damages;

                (2) for injunctive or declaratory relief;

                (3) to recover statutory damages of up to seven hundred and fifty dollars ($750) per single occurrence pursuant to Subsection B of this section; or

                (4) any other relief the court deems proper.

          B. A civil action for statutory damages pursuant to this section may be filed by a consumer provided that:

                (1) before filing the action, the consumer has provided the business thirty days written notice identifying the specific provisions of the Consumer Information Privacy Act the consumer alleges have been or are being violated; and

                (2) within thirty days of receiving the notice from the consumer the business has not cured the violation and provided the consumer a written statement that the violation has been cured and that no further violations shall occur.

          C. If a business continues to violate the Consumer Information Privacy Act in breach of an express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement as well as any other violation of the Consumer Information Privacy Act that postdates the written statement.

          D. A consumer who has filed an action for statutory damages pursuant to this section shall notify the office of the attorney general within thirty days that the action has been filed and the consumer may proceed with the action if:

                (1) within thirty days of providing notice to the office of the attorney general, the office of the attorney general has not replied to the consumer stating its own intent to initiate a civil action for violation of the Consumer Information Privacy Act against the business; or

                (2) within six months, the office of the attorney general has not filed an action against the business for violation of the Consumer Information Privacy Act pursuant to this section.

          E. Nothing in this section shall be interpreted to serve as the basis for a private right of action under any other law, and this section shall not relieve any party from any duties or obligations imposed under other state or federal law.

     SECTION 9. [NEW MATERIAL] CIVIL PENALTY--DISTRIBUTION OF PROCEEDS.--

          A. Any business or third party may seek the opinion of the office of the attorney general for guidance on how to comply with the provisions of the Consumer Information Privacy Act or cure a violation of that act.

          B. A business shall be in violation of the Consumer Information Privacy Act if it fails to cure any alleged violation within thirty days after being notified of alleged noncompliance. Any business, service provider or other person that violates that act shall be liable for a civil penalty in an action brought by the office of the attorney general.

          C. Any person, business or service provider that intentionally violates the Consumer Information Privacy Act may be liable for a civil penalty of up to ten thousand dollars ($10,000) for each violation.

          D. Any civil penalty assessed for a violation of the Consumer Information Privacy Act or the proceeds of any settlement of an action brought pursuant to this section shall be allocated as follows:

                (1) twenty percent to the consumer privacy fund; and

                (2) eighty percent to the general fund.

     SECTION 10. [NEW MATERIAL] CONSUMER PRIVACY FUND CREATED--DISTRIBUTION.--

          A. The "consumer privacy fund" is created in the state treasury as a nonreverting fund and shall be administered by the office of the attorney general. The fund consists of distributions to the fund from the proceeds of civil actions filed by the office of the attorney general pursuant to Section 8 of the Consumer Information Privacy Act, gifts, grants, donations and appropriations to the fund. Subject to appropriation by the legislature, money in the fund shall be available for distribution to the office of the attorney general and administrative office of the courts as provided in this section.

          B. Money in the consumer privacy fund may be used to offset costs incurred by the office of the attorney general or the state courts in connection with actions brought to enforce the Consumer Information Privacy Act and any costs incurred by the office of the attorney general in carrying out its duties under that act.

     SECTION 11. [NEW MATERIAL] PROMULGATION OF RULES--REPORT TO LEGISLATURE.--

          A. By July 1, 2020, the office of the attorney general shall promulgate rules to implement the Consumer Information Privacy Act, including:

                (1) making updates to the categories of personal information subject to the act and the definition of unique identifiers to address changes in technology, data collection practices, obstacles to implementation and privacy concerns;

                (2) making updates to the definition of designated methods for submitting requests to facilitate a consumer's ability to obtain information from a business pursuant to the Consumer Information Privacy Act;

                (3) establishing exceptions necessary to comply with state or federal law including those relating to trade secrets and intellectual property rights;

                (4) facilitating and governing the submission of a request by a consumer to opt out of the sale of personal information pursuant to the Consumer Information Privacy Act;

                (5) governing business compliance with a consumer's opt-out request;

                (6) developing and using a recognizable and uniform opt-out logo or website link for use by all businesses to promote consumer awareness of the opportunity to opt out of the sale of personal information;

                (7) ensuring that the notices and information that businesses are required to provide pursuant to the Consumer Information Privacy Act are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities and are available in the language primarily used to interact with the consumer;

                (8) establishing guidelines regarding financial incentive offerings;

                (9) establishing rules and procedures regarding submission of verifiable requests; or

                (10) establishing other rules as the office of the attorney general finds necessary to implement the Consumer Information Privacy Act.

          B. By July 1 of each year, the office of the attorney general shall review the rules promulgated pursuant to the Consumer Information Privacy Act and update them by rule.

          C. The office of the attorney general shall seek broad public participation in the promulgation and annual review of rules pursuant to the Consumer Information Privacy Act.

          D. Each year the office of the attorney general shall provide a report to the relevant legislative interim committee regarding the rules promulgated pursuant to the Consumer Information Privacy Act and issues raised by businesses and consumers about compliance and satisfaction with that act.

     SECTION 12. [NEW MATERIAL] ENCOMPASSING TRANSACTION--WAIVER OF RIGHTS CONTRARY TO PUBLIC POLICY.--

          A. If a court determines that a series of transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding compliance with the Consumer Information Privacy Act, the series of transactions shall be regarded as one encompassing transaction.

          B. A provision of a contract or agreement that purports to waive or limit a consumer's rights pursuant to the Consumer Information Privacy Act is contrary to public policy and shall be void.

     SECTION 13. SEVERABILITY.--If any part or application of the Consumer Information Privacy Act is held invalid, the remainder or its application to other situations or persons shall not be affected.

     SECTION 14. EFFECTIVE DATES.--

          A. The effective date of the provisions of Section 11 of this act is July 1, 2019.

          B. The effective date of the provisions of Sections 1 through 10, 12 and 13 of this act is July 1, 2020.
