Bill > SB642

Introduced Session

This bill establishes requirements for controllers and processors of the personal data of consumers. The bill defines a “controller” as a person that, alone or jointly with others, determines the purpose and means of processing personal data, and the bill applies to controllers that control or process the personal data of at least 100,000 consumers or that control or process the personal data of at least 25,000 consumers and derive over 50 percent of their gross revenue from the sale of personal data. Under the bill, “personal data” means any information that is linked or reasonably linkable to an individual except for publicly available information. The bill provides consumers with the following rights regarding their personal data: 1) to confirm whether a controller is processing the consumer's personal data and to access the personal data; 2) to correct inaccuracies in the consumer's personal data; 3) to require a controller to delete personal data provided by or about the consumer; 4) to obtain a copy of the personal data that the consumer previously provided to the controller; and 5) to opt out of the processing of the consumer's personal data for targeted advertising; the sale of the consumer's personal data; and certain forms of automated processing of the consumer's personal data. These rights are subject to certain exceptions specified in the bill. Controllers may not discriminate against a consumer for exercising rights under the bill, including by charging different prices for goods or providing a different level of quality of goods or services. LRB-2848/1 MDE:cdc 2023 - 2024 Legislature SENATE BILL 642 The bill requires controllers to respond to consumers' requests to invoke rights under the bill without undue delay. If a controller declines to take action regarding a consumer's request, the controller must inform the consumer of its justification without undue delay. The bill also requires that information provided in response to a consumer's request be provided free of charge once annually per consumer. Controllers must also establish processes for consumers to appeal a refusal to take action on a consumer's request. Within 60 days of receiving an appeal, a controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for its decisions. If the appeal is denied, the controller must provide the consumer with a method through which the consumer can contact the attorney general to submit a complaint. Under the bill, a controller must provide consumers with a privacy notice that discloses the categories of personal data processed by the controller; the purpose of processing the personal data; the categories of third parties, if any, with whom the controller shares personal data; the categories of personal data that the controller shares with third parties; and information about how consumers may exercise their rights under the bill. Controllers may not collect or process personal data for purposes that are not relevant to or reasonably necessary for the purposes disclosed in the privacy notice. The bill's requirements do not restrict a controller's ability to collect, use, or retain data for conducting internal research, effectuating a product recall, identifying and repairing technical errors, or performing internal operations that are reasonably aligned with consumer expectations or reasonably anticipated on the basis of a consumer's relationship with the controller. Persons that process personal data on behalf of a controller must adhere to a contract between the controller and the processor, and such contracts must satisfy certain requirements specified in the bill. The bill also requires controllers to conduct data protection assessments related to certain activities, including processing personal data for targeted advertising, selling personal data, processing personal data for profiling purposes, and processing sensitive data, as defined in the bill. The attorney general may request that a controller disclose a data protection assessment that is relevant to an investigation being conducted by the attorney general. The attorney general has exclusive authority to enforce violations of the bill's requirements. A controller or processor that violates the bill's requirements is subject to a forfeiture of up to $7,500 per violation, and the attorney general may recover reasonable investigation and litigation expenses incurred. Before bringing an action to enforce the bill's requirements, the attorney general must first provide a controller or processor with a written notice identifying the violations. If within 30 days of receiving the notice the controller or processor cures the violation and provides the attorney general with an express written statement that the violation is cured and that no such further violations will occur, then the attorney general may not bring an action against the controller or processor. The bill also prohibits cities, villages, towns, and counties from enacting or enforcing ordinances that regulate the collection, processing, or sale of personal data. LRB-2848/1 MDE:cdc 2023 - 2024 Legislature SENATE BILL 642 For further information see the state fiscal estimate, which will be printed as an appendix to this bill.

AI Summary

Committee Categories

Howard Marklein (R)*,  Romaine Quinn (R)*,  Scott Allen (R),  David Armstrong (R),  Elijah Behnke (R),  Amy Binsfeld (R),  Barbara Dittrich (R),  Cindi Duchow (R),  Chanz Green (R),  Nate Gustafson (R),  Joel Kitchens (R),  Anthony Kurtz (R),  John Macco (R),  Dave Murphy (R),  Jeff Mursau (R),  Todd Novak (R),  Jerry O'Connor (R),  William Penterman (R),  Jon Plumer (R),  Treig Pronschinske (R),  Nik Rettinger (R),  Shae Sortwell (R),  John Spiros (R),  David Steffen (R),  Paul Tittl (R),  Chuck Wichgers (R),  Robert Wittke (R),  Shannon Zimmerman (R), 

Failed to pass pursuant to Senate Joint Resolution 1 (on 04/15/2024)

Bill Topics

Official Document