LRB-4122/1
KP:cdc&kjf
2019 - 2020 LEGISLATURE
February 10, 2020 - Introduced by Representatives Zimmerman, Steffen, Quinn,
Duchow, Wichgers, Wittke, Plumer, Sortwell, Kulp, Dittrich, Thiesfeldt,
Knodl, Gundrum, Brostoff and Macco, cosponsored by Senator Risser.
Referred to Committee on Science and Technology.
AB872,1,2
An Act to create 134.985 of the statutes; relating to: restricting controllers
from using consumer personal data and providing a penalty.
Analysis by the Legislative Reference Bureau
This bill establishes various requirements on controllers that process
consumers' personal data. Under the bill, a “controller” is a person that alone or
jointly with others determines the purposes and means of the processing of personal
data. The bill defines “personal data” as information relating to a consumer that
allows the consumer to be identified other than information lawfully made available
from federal, state, or local government records.
Under the bill, a controller may not process a consumer's personal data unless
certain conditions apply, such as if the consumer consents, if processing is necessary
to perform a contract the controller has with a consumer, if processing is necessary
to comply with a legal obligation, or if processing is conducted to detect a security
incident or to protect against fraudulent or illegal activity. The bill requires that
consent to process personal data must be obtained from a consumer by a statement
or clear affirmative action; that the consumer be able to withdraw consent at any
time; and that consent to process a consumer's personal data may not be required as
a condition of using a service provided by the controller. Additionally, the bill limits
the processing of personal data that reveals a consumer's racial or ethnic origin,
political opinions, religious or philosophical beliefs, or trade union membership;
genetic data; biometric data; personal data concerning a consumer's health; and
personal data concerning a consumer's sex life or sexual orientation. Under the bill,
a controller may process those types of personal data only if certain conditions apply,
including 1) if the processing is conducted for a purpose to which the consumer
consents; 2) if the processing is necessary to comply with a legal obligation; 3) if the
processing is conducted by a political, philosophical, or religious nonprofit
organization that processes only personal data of members, former members, or
persons who have regular contact with the organization; or 4) if the processing is
necessary for certain public interest reasons.
The bill also allows consumers to request that a controller restrict the
processing of the consumer's personal data, and the controller may store but not
otherwise process the personal data if certain conditions apply, such as the following:
1) if the controller has no legitimate ground to process the personal data that
overrides the consumer's request; or 2) if processing the personal data is unlawful.
The controller generally must notify other controllers to which the controller
discloses the consumer's personal data, unless notification is impossible or involves
unreasonable effort, and those controllers generally must not process, other than by
storing, the personal data. A controller may continue processing a consumer's
personal data under the bill under certain conditions, including 1) if the consumer
consents; 2) if processing occurs for important public interest reasons under federal,
state, or local law; or 3) if processing occurs to protect the rights of another person.
Also, under the bill, controllers and processors must maintain records of
processing of personal data that contain certain information including the purpose
of the processing, the categories of personal data involved in the processing, and the
categories of consumers whose personal data is involved in the processing. The bill
also requires a controller or processor to make the records available to the
Department of Justice upon request.
Under the bill, the attorney general may investigate violations and bring
actions for enforcement. A controller or processor who violates the bill's
record-keeping requirements is subject to a fine of up to $10,000,000 or up to 2
percent of the controller's total annual revenue, whichever is greater. For violating
the bill's requirements related to processing a consumer's personal data, a controller
or processor may be fined up to $20,000,000 or up to 4 percent of the controller's total
annual revenue, whichever is greater.