Senate File 2351
S-5075
Amend Senate File 2351 as follows:
1. By striking everything after the enacting clause and inserting:
<Section 1. NEW SECTION. 715D.1 Definitions.
As used in this chapter, unless the context otherwise requires:
1. “Breach of security” means the same as provided in section 715C.1.
2. “Controller” means a person who, separately or in combination with another person, determines the purpose and methodology of the processing of personal data.
3. “Custodian” means a partnership, corporation, limited liability company, unincorporated association, or other business or nonprofit entity that possesses personal data. “Custodian” does not include any of the following:
a. The state or a political subdivision of the state.
b. A partnership, corporation, limited liability company, unincorporated association, or other business entity which is located in the state, which is operated for profit and under a single management, and which has either fewer than twenty employees or an annual gross income of less than four million dollars computed as the average of the three preceding fiscal years.
4. “Deidentified data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual or a device associated with an individual, provided that the controller or processor who possesses the data does all of the following:
a. Takes reasonable measures to ensure that the data cannot be associated with an individual.
b. Commits to maintain and use the data only in a deidentified fashion and does not attempt to reidentify the data.
c. Contractually obligates recipients of the data to comply with all provisions of this chapter.
SF2351.3490 (1) 88 ja/rn
5. “Geolocation data” means information that can be used to identify the physical location of an electronic device.
6. “Minor” means an individual who is less than eighteen years of age.
7. “Personal data” means any information that is linked or reasonably able to be linked to an identified or identifiable individual. “Personal data” does not include deidentified data, data that is lawfully obtained from publicly available sources, or data that is obtained from federal, state, or local government records lawfully made available to the general public.
8. “Processor” means a person who processes personal data on behalf of a controller.
9. “Sensitive data” means any of the following types of personal data:
a. Data revealing an individual’s racial or ethnic origin, religious beliefs, mental condition, physical condition, or sexual orientation.
b. A minor’s personal data.
c. An individual’s geolocation data.
d. An individual’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable, or are encrypted, redacted, or otherwise altered by any method or technology but the keys to unencrypt, unredact, or otherwise read the data elements have been obtained through a breach of security:
(1) Social security number.
(2) Driver’s license number or other unique identification number created or collected by a government body.
(3) Financial account number, credit card number, or debit card number in combination with any required expiration date, security code, access code, or password that would permit access to an individual’s financial account.
(4) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(5) Unique genetic or biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of genetic or biometric data.
(6) Data pertaining to the ownership or acquisition of a firearm.
Sec. 2. NEW SECTION. 715D.2 Personal data rights.
1. An individual may request any of the following from a controller or a processor:
a. A determination regarding whether the controller or processor possesses the individual’s personal data.
b. Copies of the individual’s personal data that is in the possession of the controller or processor.
c. Correction of the individual’s personal data that is in the possession of the controller or processor and that the individual indicates in the request is incorrect.
d. Cessation of the controller or processor’s sale of the individual’s personal data.
e. Cessation of the controller or processor’s use of the individual’s personal data for purposes of targeted advertising or profiling in furtherance of decisions that may result in the denial of consequential services or support, such as financial or lending services, housing, insurance, education enrollment, criminal justice, employment opportunities, health care services, and access to basic necessities, such as food and water.
2. Within forty-five days after the receipt of a request made pursuant to subsection 1, the controller or processor shall provide the information or take the action requested by an individual.
3. Notwithstanding subsection 1 or 2, a controller or processor is not required to provide the information or take the action requested by an individual if the controller or processor is unable to authenticate the individual’s request using commercially reasonable efforts. The controller or processor may request additional information that is reasonably necessary to authenticate such a request.
Sec. 3. NEW SECTION. 715D.3 Prohibitions on certain practices of custodians.
A custodian shall not do any of the following:
1. Collect or use an individual’s sensitive data unless the custodian first obtains the individual’s consent to collect or use the sensitive data. An individual may withdraw the consent to collect or use the individual’s sensitive data at any time by providing notice to the custodian.
2. Process personal data in violation of state or federal law that prohibits discrimination against consumers.
Sec. 4. NEW SECTION. 715D.4 Obligations of certain custodians.
A custodian possessing the personal data of one hundred thousand or more individuals shall comply with all of the following:
1. The custodian shall provide an accessible, clear, and meaningful privacy notice that informs consumers and potential consumers of all of the following:
a. The personal data the custodian collects.
b. How the custodian uses personal data in its possession.
c. Persons the custodian allows to access or view personal data in the custodian’s possession, and why the custodian allows such persons to access or view the personal data.
d. The individual’s rights under sections 715D.2 and 715D.3.
2. The custodian’s collection and processing of personal data shall be limited to the types and amounts of personal data that are reasonably necessary in relation to the purpose for which the personal data is collected or processed.
3. The custodian shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The custodian’s data security practices shall be appropriate for the volume and nature of the personal data the custodian possesses.
4. The custodian shall conduct and document a data protection assessment addressing each of the following activities involving personal data:
a. The custodian’s processing of personal data for purposes of targeted advertising.
b. The custodian’s sale of personal data.
c. The custodian’s processing of personal data for purposes of profiling where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers, financial injury to consumers, reputational injury to consumers, an intrusion upon the private affairs of consumers that would be offensive to a reasonable person, or other substantial injury.
d. The custodian’s processing of sensitive data.
e. The custodian’s processing activities involving personal data that present a heightened risk of harm to consumers.
5. The custodian shall provide to the attorney general upon request the data protection assessment prepared pursuant to subsection 4.
Sec. 5. NEW SECTION. 715D.5 Limitations.
This chapter shall not be construed to restrict or prevent a controller, custodian, or processor from doing any of the following:
1. Complying with any federal, state, or local law or regulation.
2. Complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by a federal, state, or local governmental authority.
3. Cooperating with law enforcement concerning conduct or activity that the controller, custodian, or processor reasonably believes may violate federal, state, or local laws or regulations.
4. Investigating, preparing for, or defining legal claims.
Sec. 6. NEW SECTION. 715D.6 Enforcement.
A violation of this chapter is an unlawful practice under section 714.16, and all the remedies pursuant to section 714.16 are available for such an action.
Sec. 7. NEW SECTION. 715D.7 Remedies cumulative.
The rights, remedies, and prohibitions contained in this chapter shall be in addition to and cumulative of any other right, remedy, or prohibition accorded by common law or state or federal law. This chapter shall not be construed to deny, abrogate, or impair any such common law or statutory right, remedy, or prohibition.>
2. Title page, by striking lines 1 and 2 and inserting <An Act relating to personal data, including an individual’s rights with respect to personal data, the obligations of certain persons with respect to personal data, and making penalties applicable.>
3. By renumbering as necessary.
______________________________
ZACH NUNN