SB 731
Creates news provisions relating to the protection of data
Sponsor:
LR Number:
3021S.01I
Committee:
Last Action:
1/8/2024 - Second Read and Referred S Emerging Issues Committee
Journal Page:
S108
Title:
Effective Date:
August 28, 2024

Current Bill Summary

SB 731 - This act creates new consumer rights with respect to the protection of certain data.

CONSUMER RIGHTS (Section 407.2105)

The act gives consumers the following rights relative to his or her personal data:

· Confirm whether a controller is processing the consumer's personal data;

· Access the consumer's personal data;

· Delete the consumer's personal data that the consumer provided to the controller;

· Obtain a copy of the consumer's personal data, that the consumer previously provided to the controller, in a format that, as described in the act, is feasible, practicable, usable, and transmittable by the consumer;

· Opt out of the processing of the consumer's personal data for purposes of targeted advertising or the sale of personal data.

A consumer may exercise a right protected by this act by submitting a request to a controller, by means prescribed by the controller, specifying the right the consumer intends to exercise.

Except as otherwise provided in the act, within 45 days of the receipt of a request from a consumer, a controller of personal data shall take action or inform the consumer of action taken with respect to the request. Controllers may not charge a fee in response to a request unless the request is:

· The consumer's second or subsequent request during the same 12-month period;

· The request is excessive, repetitive, technically infeasible, or manifestly unfounded;

· The controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or

· The request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller's business.

RESPONSIBILITIES RELATIVE TO PROCESSING DATA REQUESTS (Section 407.2110)

The act requires controllers to perform the following acts:

· Provide consumers with a reasonably accessible and clear privacy notice that includes certain information relating to the processing of personal data;

· Disclose the manner and circumstances under which consumers may opt out of the sale of personal data or opt out of the processing for targeted advertising;

· Establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data;

· Considering the controller's business size, scope, and type, use data security practices that are appropriate for the volume and nature of the personal data at issue.

Except as otherwise provided in this act, a controller may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing. In the case of the processing of personal data concerning a known child, processing the data in accordance with the federal Children's Online Privacy Protection Act.

Except as otherwise permitted in the act, a controller may not discriminate against a consumer for exercising a right by:

· Denying a good or service to the consumer;

· Charging the consumer a different price or rate for a good or service; or

· Providing the consumer a different level of quality of a good or service.

ENFORCEMENT BY ATTORNEY GENERAL (Section 407.2115)

The act gives enforcement authority for the act exclusively to the Attorney General (AG). The AG is required to establish and administer a system to receive consumer complaints regarding a controller's or processor's alleged violation of this act. The AG is authorized to initiate an action in circuit court against a controller or processor as provided in the act. In such an action, the AG may recover actual damages to the consumer and, for each violation, an amount not to exceed $7,500, which shall be deposited into the Consumer Privacy Account established by this act.

The AG must prepare a report evaluating the liability and enforcement provisions of this act to be submitted to the Speaker of the House of Representatives and the President Pro Tem of the Senate not later than July 1 in each odd-numbered year.

PREEMPTION OF LOCAL ORDINANCES (Section 407.2120)

The act prohibits any political subdivision from enacting any local ordinance that conflicts with this act.

EXEMPTIONS (Section 407.2125)

The act contains various exemptions.

This act is substantially similar to provisions in SCS/SB 7 (2023).

SCOTT SVAGERA

Amendments

No Amendments Found.