Section 12D-102 - [Effective 1/1/2025] DefinitionsFor purposes of this chapter, the following definitions shall apply:
(1) "Affiliate" means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity. For the purposes of this paragraph, "control" or "controlled" means any of the following: a. Ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a legal entity.b. Control in any manner over the election of a majority of the directors or of individuals exercising similar functions.c. The power to exercise controlling influence over the management of a legal entity.(2) "Authenticate" means to use reasonable means to determine that a request to exercise any of the rights afforded under paragraphs (1) to (4), inclusive, of subsection (a) of § 12D-104 of this chapter is being made by, or on behalf of, the consumer who is entitled to exercise such consumer rights with respect to the personal data at issue.(3) "Biometric data" means data generated by automatic measurements of an individual's unique biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. "Biometric data" does not include any of the following: a. A digital or physical photograph.b. An audio or video recording.c. Any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.(4) "Business associate" means as defined in HIPAA.(5) "Child" means as defined in COPPA.(6) "Child abuse" means, with respect to an individual under 18 years of age, as defined in § 901(a) of Title 10, or any equivalent provision in the laws of any other state, the United States, any territory, district, or subdivision of the United States, or any foreign jurisdiction.(7) "Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. "Consent" may include a written statement, including by electronic means, or any other unambiguous affirmative action. "Consent" does not include any of the following: a. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information.b. Hovering over, muting, pausing, or closing a given piece of content.c. Agreement obtained through the use of dark patterns.(8) "Consumer" means an individual who is a resident of this State. "Consumer" does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit organization, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit organization, or government agency.(9) "Controller" means a person that, alone or jointly with others, determines the purpose and means of processing personal data.(10) "COPPA" means the Children's Online Privacy Protection Act of 1998, 15 U.S.C. § 6501, et seq., and the regulations, rules, guidance, and exemptions adopted pursuant to said act, as said act and such regulations, rules, guidance, and exemptions may be amended.(11) "Covered entity" means as defined in HIPAA.(12) "Dark pattern" means any of the following: a. A user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.b. Any other practice the Federal Trade Commission refers to as a dark pattern.(13) "Decisions that produce legal or similarly significant effects concerning the consumer" means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.(14) "De-identified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual, if the controller that possesses such data does all of the following: a. Takes reasonable measures to ensure that such data cannot be associated with an individual.b. Publicly commits to process such data only in a de-identified fashion and not attempt to re-identify such data.c. Contractually obligates any recipients of such data to comply with all of the provisions of this chapter applicable to the controller with respect to such data.(15) "Domestic violence" means as defined in § 1041 of Title 10, or any equivalent provision in the laws of any other state, the United States, any territory, district, or subdivision of the United States, or any foreign jurisdiction.(16) "Genetic data" means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. For purposes of this paragraph, "genetic material" includes deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.(17) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d, et seq., as amended.(18) "Human trafficking" means the offense defined in § 787 of Title 11, or any equivalent provision in the laws of any other state, the United States, any territory, district, or subdivision of the United States, or any foreign jurisdiction.(19) "Identified or identifiable individual" means an individual who can be readily identified, directly or indirectly.(20) "Nonprofit organization" means any organization that is exempt from taxation under §§ 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding internal revenue code of the United States, as amended.(21) "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual, and does not include de-identified data or publicly available information.(22) "Precise geolocation data" means information derived from technology, including global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.(23) "Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.(24) "Processor" means a person that processes personal data on behalf of a controller.(25) "Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, demographic characteristics, personal preferences, interests, reliability, behavior, location, or movements.(26) "Protected health information" means as defined in HIPAA.(27) "Pseudonymous data" means personal data that cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.(28) "Publicly available information" means any of the following:a. Information that is lawfully made available through federal, state, or local government records.b. Information that a controller has a reasonable basis to believe that the consumer has lawfully made available to the general public through widely distributed media.(29) "Sale of personal data" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. "Sale of personal data" does not include any of the following: a. The disclosure of personal data to a processor that processes the personal data on behalf of the controller where limited to the purpose of such processing.b. The disclosure of personal data to a third party for purposes of providing a product or service affirmatively requested by the consumer.c. The disclosure or transfer of personal data to an affiliate of the controller.d. The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party.e. The disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media, and did not restrict to a specific audience.f. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller's assets, or a proposed merger, acquisition, bankruptcy, or other similar transaction in which the third party assumes control of all or part of the controller's assets.(30) "Sensitive data" means personal data that includes any of the following:a. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis (including pregnancy), sex life, sexual orientation, status as transgender or nonbinary, citizenship status, or immigration status.b. Genetic or biometric data.c. Personal data of a known child.d. Precise geolocation data.(31) "Sexual assault" means any of the offenses defined in §§ 768-780 and § 787 of Title 11, or any equivalent provision in the laws of any other state, the United States, any territory, district, or subdivision of the United States, or any foreign jurisdiction.(32) "Stalking" means the offense defined in § 1312 of Title 11, or any equivalent provision in the laws of any other state, the United States, any territory, district, or subdivision of the United States, or any foreign jurisdiction.(33) "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer's preferences or interests. "Targeted advertising" does not include any of the following:a. Advertisements based on activities within a controller's own Internet web sites or online applications.b. Advertisements based on the context of a consumer's current search query, visit to an Internet web site, or online application.c. Advertisements directed to a consumer in direct response to the consumer's request for information or feedback.d. Processing personal data solely to measure or report advertising frequency, performance, or reach.(34) "Third party" means, with respect to personal data controlled by a controller, any person other than the relevant consumer, the controller of such personal data, or a processor or an affiliate of the processor or the controller.(35) "Trade secret" means as defined in § 2001(4) of Chapter 20 of this title.(36) "Violent felony" means as defined in § 4201 of Title 11 and includes any equivalent provision in the laws of any other state, the United States, and territory, district, or subdivision of the United States, or any foreign jurisdiction.Added by Laws 2023 , ch. 197, s 1, eff. 1/1/2025.