SB1392 2 of 8
59 "Process" or "processing" means any operation or set of operations performed, whether by manual
60 or automated means, on personal data or on sets of personal data, such as the collection, use, storage,
61 disclosure, analysis, deletion, or modification of personal data.
62 "Processor" means a natural or legal entity that processes personal data on behalf of a controller.
63 "Profiling" means any form of automated processing performed on personal data to evaluate,
64 analyze, or predict personal aspects related to an identified or identifiable natural person's economic
65 situation, health, personal preferences, interests, reliability, behavior, location, or movements.
66 "Protected health information" means the same as the term is established by HIPAA.
67 "Pseudonymous data" means personal data that cannot be attributed to a specific natural person
68 without the use of additional information, provided that such additional information is kept separately
69 and is subject to appropriate technical and organizational measures to ensure that the personal data is
70 not attributed to an identified or identifiable natural person.
71 "Publicly available information" means information that is lawfully made available through federal,
72 state, or local government records, or information that a business has a reasonable basis to believe is
73 lawfully made available to the general public through widely distributed media, by the consumer, or by
74 a person to whom the consumer has disclosed the information, unless the consumer has restricted the
75 information to a specific audience.
76 "Sale of personal data" means the exchange of personal data for monetary consideration by the
77 controller to a third party. "Sale of personal data" does not include:
78 1. The disclosure of personal data to a processor that processes the personal data on behalf of the
79 controller;
80 2. The disclosure of personal data to a third party with whom the consumer has a direct relationship
81 for purposes of providing a product or service requested by the consumer;
82 3. The disclosure or transfer of personal data to an affiliate of the controller;
83 4. The disclosure of information that the consumer (i) intentionally made available to the general
84 public via a channel of mass media and (ii) did not restrict to a specific audience; or
85 5. The disclosure or transfer of personal data to a third party as an asset that is part of a merger,
86 acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of
87 the controller's assets.
88 "Sensitive data" means a category of personal data that includes:
89 1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health
90 diagnosis, sexual orientation, or citizenship or immigration status;
91 2. The processing of genetic or biometric data for the purpose of uniquely identifying a natural
92 person;
93 3. The personal data collected from a known child; or
94 4. Precise geolocation data.
95 "State agency" means the same as that term is defined in § 2.2-307.
96 "Targeted advertising" means displaying advertisements to a consumer where the advertisement is
97 selected based on personal data obtained from a consumer's activities over time and across nonaffiliated
98 websites or online applications to predict such consumer's preferences or interests. "Targeted
99 advertising" does not include:
100 1. Advertisements based on activities within a controller's own websites or online applications;
101 2. Advertisements based on the context of a consumer's current search query, visit to a website, or
102 online application;
103 3. Advertisements directed to a consumer in response to the consumer's request for information or
104 feedback; or
105 4. Processing personal data processed solely for measuring or reporting advertising performance,
106 reach, or frequency.
107 "Third party" means a natural or legal person, public authority, agency, or body other than the
108 consumer, controller, processor, or an affiliate of the processor or the controller.
109 § 59.1-572. Scope; exemptions.
110 A. This chapter applies to persons that conduct business in the Commonwealth or produce products
111 or services that are targeted to residents of the Commonwealth and that (i) during a calendar year,
112 control or process personal data of at least 100,000 consumers or (ii) control or process personal data
113 of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal
114 data.
115 B. This chapter shall not apply to (i) any body, authority, board, bureau, commission, district, or
116 agency of the Commonwealth or of any political subdivision of the Commonwealth; (ii) financial
117 institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.);
118 or (iii) any covered entity or business associate governed by the privacy, security, and breach
119 notification rules issued by the United States Department of Health and Human Services, 45 C.F.R.
120 Parts 160 and 164 established pursuant to HIPAA, and the Health Information Technology for