MISSISSIPPI LEGISLATURE

2019 Regular Session

To: Technology; Judiciary A

By: Representative Johnson (87th)

House Bill 1253

AN ACT TO CREATE THE MISSISSIPPI CONSUMER PRIVACY ACT; TO AUTHORIZE A CONSUMER TO REQUEST THAT A BUSINESS DISCLOSE THE CATEGORIES AND SPECIFIC PIECES OF PERSONAL INFORMATION THAT IT COLLECTS ABOUT THE CONSUMER, THE CATEGORIES OF SOURCES FROM WHICH THAT INFORMATION IS COLLECTED, THE BUSINESS PURPOSES FOR COLLECTING OR SELLING THE INFORMATION, AND THE CATEGORIES OF THIRD PARTIES WITH WHICH THE INFORMATION IS SHARED; TO REQUIRE A BUSINESS TO MAKE DISCLOSURES ABOUT THE CONSUMER'S INFORMATION AND THE PURPOSES FOR WHICH IT IS USED; TO AUTHORIZE A CONSUMER TO REQUEST THAT A BUSINESS DELETE HIS OR HER PERSONAL INFORMATION; TO REQUIRE THE BUSINESS TO DELETE THE CONSUMER'S INFORMATION UPON RECEIPT OF A VERIFIED REQUEST; TO AUTHORIZE A CONSUMER TO REQUEST THAT A BUSINESS THAT SELLS THE CONSUMER'S PERSONAL INFORMATION, OR DISCLOSES IT FOR A BUSINESS PURPOSE, DISCLOSE THE CATEGORIES OF INFORMATION THAT IT COLLECTS AND CATEGORIES OF INFORMATION AND THE IDENTITY OF THIRD PARTIES TO WHICH THE INFORMATION WAS SOLD OR DISCLOSED; TO REQUIRE A BUSINESS TO PROVIDE A CONSUMER'S INFORMATION IN RESPONSE TO A VERIFIABLE CONSUMER REQUEST; TO AUTHORIZE A CONSUMER TO OPT OUT OF THE SALE OF PERSONAL INFORMATION BY A BUSINESS; TO PROHIBIT THE BUSINESS FROM DISCRIMINATING AGAINST THE CONSUMER FOR OPTING OUT OF THE SALE OF HIS OR HER PERSONAL INFORMATION; TO AUTHORIZE BUSINESSES TO OFFER FINANCIAL INCENTIVES FOR COLLECTION OF PERSONAL INFORMATION; TO PROHIBIT A BUSINESS FROM SELLING THE PERSONAL INFORMATION OF A CONSUMER UNDER 16 YEARS OF AGE, UNLESS AFFIRMATIVELY AUTHORIZED; TO PROVIDE REQUIREMENTS FOR RECEIVING, PROCESSING, AND SATISFYING CONSUMER REQUESTS; TO PROVIDE CERTAIN DEFINITIONS REGARDING CONSUMER INFORMATION AND PRIVACY; TO AUTHORIZE THE ATTORNEY GENERAL TO ENFORCE THIS ACT; TO PROVIDE A PRIVATE RIGHT OF ACTION IN CONNECTION WITH CERTAIN UNAUTHORIZED ACCESS AND EXFILTRATION, THEFT, OR DISCLOSURE OF A CONSUMER'S NONENCRYPTED OR NONREDACTED PERSONAL INFORMATION; TO PROVIDE A METHOD FOR THE DISTRIBUTION OF PROCEEDS FROM CAUSES OF ACTION BY THE ATTORNEY GENERAL; TO CREATE THE CONSUMER PRIVACY FUND, WITH THE MONEIES IN THE FUND, UPON APPROPRIATION BY THE LEGISLATURE, TO BE APPLIED TO SUPPORT THE PURPOSES OF THIS ACT AND ITS ENFORCEMENT; TO PROVIDE FOR THE DEPOSIT OF PENALTY MONEY INTO THE FUND; TO REQUIRE THE ATTORNEY GENERAL TO SOLICIT PUBLIC PARTICIPATION FOR THE PURPOSE OF ADOPTING CERTAIN REGULATIONS; TO AUTHORIZE A BUSINESS, SERVICE PROVIDER, OR THIRD PARTY TO SEEK THE ATTORNEY GENERAL'S OPINION ON HOW TO COMPLY WITH THE PROVISIONS OF THIS ACT; AND FOR RELATED PURPOSES.

     BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MISSISSIPPI:

     SECTION 1.  This measure shall be known and may be cited as "The Mississippi Consumer Privacy Act of 2019."

     SECTION 2.  (1)  The Legislature finds and declares that:

          (a)  As the role of technology and data in the every daily lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses.  Mississippi law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information;

          (b)  Many businesses collect personal information from Mississippi consumers.  They may know where a consumer lives and how many children a consumer has, how fast a consumer drives, a consumer's personality, sleep habits, biometric and health information, financial information, precise geolocation information and social networks, to name a few categories;

          (c)  The unauthorized disclosure of personal information and the loss of privacy can have devastating effects for individuals, ranging from financial fraud, identity theft and unnecessary costs to personal time and finances, to destruction of property, harassment, reputational damage, emotional stress and even potential physical harm;

          (d)  In March 2018, it came to light that tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica.  A series of congressional hearings highlighted that our personal information may be vulnerable to misuse when shared on the Internet.  As a result, our desire for privacy controls and transparency in data practices is heightened; and

          (e)  People desire privacy and more control over their information.  Mississippi consumers should be able to exercise control over their personal information, and they want to be certain that there are safeguards against misuse of their personal information.  It is possible for businesses both to respect consumers' privacy and provide a high level transparency to their business practices.

     (2)  Therefore, it is the intent of the Legislature to further Mississippians' right to privacy by giving consumers an effective way to control their personal information, by ensuring the following rights:

          (a)  The right of Mississippians to know what personal information is being collected about them;

          (b)  The right of Mississippians to know whether their personal information is sold or disclosed and to whom;

          (c)  The right of Mississippians to say no to the sale of personal information;

          (d)  The right of Mississippians to access their personal information; and

          (e)  The right of Mississippi to equal service and price, even if they exercise their privacy rights.

     SECTION 3.  (1)  A consumer shall have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.

     (2)  A business that collects a consumer's personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.  A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

     (3)  A business shall provide the information specified in subsection (1) of this section to a consumer only upon receipt of a verifiable consumer request.

     (4)  A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section.  The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.  A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.

     (5)  This section shall not require a business to retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business, or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

     SECTION 4.  (1)  A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

     (2)  A business that collects personal information about consumers shall disclose, pursuant to Section 9(1)(e)(i) of this act, the consumer's rights to request the deletion of the consumer's personal information.

     (3)  A business that receives a verifiable request from a consumer to delete the consumer's personal information pursuant to subsection (1) of this section shall delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records.

     (4)  A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to:

          (a)  Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business's ongoing business relationship with the consumer or otherwise perform a contract between the business and the consumer;

          (b)  Detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity; or prosecute those responsible for that activity;

          (c)  Debug to identify and repair errors that impair existing intended functionality;

          (d)  Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech or exercise another right provided for by law;

          (e)  Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business's deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;

          (f)  To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business;

          (g)  Comply with a legal obligation; or

          (h)  Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

     SECTION 5.  (1)  A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

          (a)  The categories of personal information it has collected about that consumer;

          (b)  The categories of sources from which the personal information is collected;

          (c)  The business or commercial purpose for collecting or selling personal information;

          (d)  The categories of third parties with whom the business shares personal information; and

          (e)  The specific pieces of personal information it has collected about that consumer.

     (2)  A business that collects personal information about a consumer shall disclose to the consumer, pursuant to Section 9(1)(c) of this act, the information specified in subsection (1) of this section upon receipt of a verifiable request from the consumer.

     (3)  A business that collects personal information about consumers shall disclose, pursuant to Section 9(1)(e)(ii) of this act:

          (a)  The categories of personal information it has collected about that consumer;

          (b)  The categories of sources from which the personal information is collected;

          (c)  The business or commercial purpose for collecting or selling personal information;

          (d)  The categories of third parties with whom the business shares personal information; and

          (e)  The specific pieces of personal information the business has collected about that consumer.

     (4)  This section does not require a business to do the following:

          (a)  Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained; or

          (b)  Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

     SECTION 6.  (1)  A consumer shall have the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer:

          (a)  The categories of personal information that the business collected about the consumer;

          (b)  The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold; and

          (c)  The categories of personal information that the business disclosed about the consumer for a business purpose.

     (2)  A business that sells personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose, pursuant to Section 9(1)(d) of this act, the information specified in subsection (1) of this section to the consumer upon receipt of a verifiable request from the consumer.

     (3)  A business that sells consumers' personal information, or that discloses consumers' personal information for a business purpose, shall disclose, pursuant to Section 9(1)(e)(iii) of this act:

          (a) The category or categories of consumers' personal information it has sold, or if the business has not sold consumers' personal information, it shall disclose that fact; and

          (b)  The category or categories of consumers' personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers' personal information for a business purpose, it shall disclose that fact.

     (4)  A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out pursuant to Section 7 of this act.

     SECTION 7.  (1)  A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information.  This right may be referred to as the right to opt out.

     (2)  A business that sells consumers' personal information to third parties shall provide notice to consumers, pursuant to Section 10(1) of this act, that this information may be sold and that consumers have the right to opt out of the sale of their personal information.

     (3)  A business that has received direction from a consumer not to sell the consumer's personal information or, in the case of a minor consumer's personal information has not received consent to sell the minor consumer's personal information shall be prohibited, pursuant to Section 10(1)(d) of this act, from selling the consumer's personal information after its receipt of the consumer's direction, unless the consumer subsequently provides express authorization for the sale of the consumer's personal information.

     (4)  Notwithstanding subsection (1) of this section, a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than sixteen (16) years of age, unless the consumer, in the case of consumers between thirteen (13) and sixteen (16) years of age, or the consumer's parent or guardian, in the case of consumers who are less than thirteen (13) years of age, has affirmatively authorized the sale of the consumer's personal information.  A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.  This right may be referred to as the "right to opt in."

     SECTION 8.  (1)  (a)  A business shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this act, including, but not limited to, by:

              (i)  Denying goods or services to the consumer;

              (ii)  Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;

              (iii)  Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer's rights under this act; or

              (iv)  Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

          (b)  Nothing in this subsection prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.

     (2)  (a)  A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information.  A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer's data.

          (b)  A business that offers any financial incentives pursuant to subsection (1) of this section, shall notify consumers of the financial incentives pursuant to Section 10 of this act.

          (c)  A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 10 of this act which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.

          (d)  A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

     SECTION 9.  (1)  In order to comply with Sections 3, 4, 5, 6, and 8 of this act, in a form that is reasonably accessible to consumers, a business shall:

          (a)  Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 5 and 6 of this act, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet website, a website address;

          (b)  Disclose and deliver the required information to a consumer free of charge within forty-five (45) days of receiving a verifiable request from the consumer.  The business shall promptly take steps to determine whether the request is a verifiable request, but this shall not extend the business's duty to disclose and deliver the information within forty-five (45) days of receipt of the consumer's request.  The time period to provide the required information may be extended once by an additional   forty-five (45) days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period.  The disclosure shall cover the 12-month period preceding the business's receipt of the verifiable request and shall be made in writing and delivered through the consumer's account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer's option if the consumer does not maintain an account with the business, in a readily usable format that allows the consumer to transmit this information from one entity to another entity without hindrance.  The business shall not require the consumer to create an account with the business in order to make a verifiable request;

          (c)  For purposes of Section 5(2) of this act:

              (i)  To identify the consumer, associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer; and

              (ii)  Identify by category or categories the personal information collected about the consumer in the preceding twelve (12) months by reference to the enumerated category or categories in subsection (3) of this section that most closely describes the personal information collected;

          (d)  For purposes of Section 6(2) of this act:

              (i)  Identify the consumer and associate the information provided by the consumer in the verifiable request to any personal information previously collected by the business about the consumer;

              (ii)  Identify by category or categories the personal information of the consumer that the business sold in the preceding twelve (12) months by reference to the enumerated category in subsection (3) of this section that most closely describes the personal information, and provide the categories of third parties to whom the consumer's personal information was sold in the preceding twelve (12) months by reference to the enumerated category or categories in subsection (3) of this section that most closely describes the personal information sold.  The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (iii) of this paragraph (d); and

              (iii)  Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding twelve (12) months by reference to the enumerated category or categories in subsection (3) of this section that most closely describes the personal information, and provide the categories of third parties to whom the consumer's personal information was disclosed for a business purpose in the preceding twelve (12) months by reference to the enumerated category or categories in subsection (3) of this section that most closely describes the personal information disclosed.  The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (ii) of this paragraph (d);

          (e)  Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any Mississippi-specific description of consumers' privacy rights, or if the business does not maintain those policies, on its Internet Website, and update that information at least once every twelve (12) months:

              (i)  A description of a consumer's rights pursuant to Sections 5, 6 and 8 of this act and one or more designated methods for submitting requests;

              (ii)  For purposes of Section 5(3) of this act, a list of the categories of personal information it has collected about consumers in the preceding twelve (12) months by reference to the enumerated category or categories in subsection (3) of this section that most closely describe the personal information collected; and

              (iii)  For purposes of Section 6(3)(a) and (b) of this act, two (2) separate lists:

                   1.  A list of the categories of personal information it has sold about consumers in the preceding twelve (12) months by reference to the enumerated category or categories in subsection (3) of this section that most closely describe the personal information sold, or if the business has not sold consumers' personal information in the preceding twelve (12) months, the business shall disclose that fact; and

                   2.  A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding twelve (12) months by reference to the enumerated category in subsection (3) of this section that most closely describe the personal information disclosed, or if the business has not disclosed consumers' personal information for a business purpose in the preceding twelve (12) months, the business shall disclose that fact;

          (f)  Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this act are informed of all requirements in Sections 5, 6 and 8 of this act, and this section, and how to direct consumers to exercise their rights under those sections;

          (g)  Use any personal information collected from the consumer in connection with the business's verification of the consumer's request solely for the purposes of verification;

     (2)  A business is not obligated to provide the information required by Sections 5 and 6 of this act to the same consumer more than twice in a 12-month period; and

     (3)  The categories of personal information required to be disclosed pursuant to Sections 5 and 6 of this act shall follow the definition of personal information in Section 11 of this act.

     SECTION 10.  (1)  A business that is required to comply with Section 7 of this act shall, in a form that is reasonably accessible to consumers:

          (a) Provide a clear and conspicuous link on the business' Internet homepage, titled "Do Not Sell My Personal Information," to an Internet web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information.  A business shall not require a consumer to create an account in order to direct the business not to sell the consumer's personal information;

          (b)  Include a description of a consumer's rights pursuant to Section 7 of this act, along with a separate link to the "Do Not Sell My Personal Information" Internet web page in:

              (i)  Its online privacy policy or policies if the business has an online privacy policy or policies; and

              (ii)  Any Mississippi-specific description of consumers' privacy rights.

          (c)  Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices or the business's compliance with this act are informed of all requirements in Section 7 of this act and this section and how to direct consumers to exercise their rights under those sections;

          (d)  For consumers who exercise their right to opt out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer;

          (e)  For a consumer who has opted out of the sale of the consumer's personal information, respect the consumer's decision to opt out for at least twelve (12) months before requesting that the consumer authorize the sale of the consumer's personal information; and

          (f)  Use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of complying with the opt-out request.

     (2)  Nothing in this act shall be construed to require a business to comply with the act by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to Mississippi consumers and that includes the required links and text, and the business takes reasonable steps to ensure that Mississippi consumers are directed to the homepage for Mississippi consumers and not the homepage made available to the public generally.

     (3)  A consumer may authorize another person solely to opt out of the sale of the consumer's personal information on the consumer's behalf, and a business shall comply with an opt out request received from a person authorized by the consumer to act on the consumer's behalf, pursuant to regulations adopted by the Attorney General.

     SECTION 11.  (1)  For purposes of this act:

          (a)  "Aggregate consumer information" means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device.  "Aggregate consumer information" does not mean one or more individual consumer records that have been de­identified.

          (b)  "Biometric information" means an individual's physiological, biological or behavioral characteristics, including an individual's deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity.  Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

          (c)  "Business" means:

              (i)  A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of Mississippi, and that satisfies one or more of the following thresholds:

                   1.  Has annual gross revenues in excess of Twenty-five Million Dollars ($25,000,000.00);

                   2.  Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of fifty thousand (50,000) or more consumers, households, or devices; or

                   3.  Derives fifty percent (50%)or more of its annual revenues from selling consumers' personal information; and

              (ii)  Any entity that controls or is controlled by a business, as defined in subparagraph (i) of this paragraph (c), and that shares common branding with the business.  "Control" or "controlled" means ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.  "Common branding" means a shared name, servicemark, or trademark;

          (d)  "Business purpose" means the use of personal information for the business' or a service provider's operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.  Business purposes are:

              (i)  Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;

              (ii)  Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity and prosecuting those responsible for that activity;

              (iii)  Debugging to identify and repair errors that impair existing intended functionality;

              (iv)  Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer's experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction;

              (v)  Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider;

              (vi)  Undertaking internal research for technological development and demonstration; and

              (vii)  Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

          (e)  "Collects," "collected," or "collection" means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.  This includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior.

          (f)  "Commercial purposes" means to advance a person's commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.  "Commercial purposes" do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.

          (g)  "Consumer" means a natural person who is a Mississippi resident.

          (h)  "De-identified" means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses         de-identified information:

              (i)  Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain;

              (ii)  Has implemented business processes that specifically prohibit reidentification of the information;

              (iii)  Has implemented business processes to prevent inadvertent release of de-identified information.

              (iv)  Makes no attempt to reidentify the information.

          (i)  "Designated methods for submitting requests" means a mailing address, email address, Internet web page, Internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this act.

          (j)  "Device" means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.

          (k)  "Health insurance information" means a consumer's insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer's application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.

          (l)  "Homepage" means the introductory page of an Internet website and any Internet web page where personal information is collected.  In the case of an online service, such as a mobile application, homepage means the application's platform page or download page, a link within the application, such as from the application configuration, "About," "Information," or settings page, and any other location that allows consumers to review the notice required by Section 12(1) of this act, including, but not limited to, before downloading the application.

          (m)  "Infer" or "inference" means the derivation of information, data, assumptions, or conclusions from facts, evidence or another source of information or data.

          (n)  "Person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.

          (o)  "Personal information" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.  Personal information includes, but is not limited to, the following:

              (i)  Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver's license number, passport number or other similar identifiers;

               (ii)  Characteristics of protected classifications under Mississippi or federal law;

              (iii)  Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;

              (iv)  Biometric information;

              (v)  Internet or other electronic network activity information, including, but not limited to, browsing history, search history and information regarding a consumer's interaction with an Internet website, application, or advertisement;

              (vi)  Geolocation data;

              (vii)  Audio, electronic, visual, thermal, olfactory or similar information;

              (viii)  Professional or employment-related information; and

              (iv)  Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 USC section 1232g, 34 C.F.R. Part 99); and

              (x)  Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.

     "Personal information" does not include publicly available information.  For these purposes, "publicly available" means information that is lawfully made available from federal, state or local government records, if any conditions associated with such information.  "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge.  Information is not "publicly available" if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.  "Publicly available" does not include consumer information that is de-identified or aggregate consumer information.

          (p)  "Probabilistic identifier" means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.

          (q)  "Processing" means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.

          (r)  "Pseudonymize" or "Pseudonymization" means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.

          (s)  "Research" means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health.  Research with personal information that may have been collected from a consumer in the course of the consumer's interactions with a business' service or device for other purposes shall be:

              (i)  Compatible with the business purpose for which the personal information was collected;

              (ii)  Subsequently pseudonymized and de-identified, or de-identified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer;

              (iii)  Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain;

              (iv)  Subject to business processes that specifically prohibit reidentification of the information;

              (v) Made subject to business processes to prevent inadvertent release of de-identified information;

              (vi)  Protected from any reidentification attempts;

              (vii)  Used solely for research purposes that are compatible with the context in which the personal information was collected;

              (viii)  Not be used for any commercial purpose; and

              (ix)  Subjected by the business conducting the research to additional security controls limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.

     (t)  (i)  "Sell," "selling," "sale," or "sold," means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.

               (ii)  For purposes of this act, a business does not sell personal information when:

                   1.  A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions.  Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party;

                   2.  The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information;

                   3.  The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:  services that the service provider performs on the business' behalf, provided that the service provider also does not sell the personal information;

                   4.  The business has provided notice that information being used or shared in its terms and conditions consistent with Section 10 of this act;

                   5.  The service provider does not further collect, sell or use the personal information of the consumer except as necessary to perform the business purpose; or

                   6.  The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with Sections 5 and 6 of this act.  If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer.  The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 7 of this act.  This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Mississippi Consumer Protection Act.

          (u)  "Service" or "services" means work, labor and services, including services furnished in connection with the sale or repair of goods.

          (v)  "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

          (w)  "Third party" means a person who is not any of the following:

              (i)  The business that collects personal information from consumers under this title;

              (ii)  A person to whom the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract:

                   1.  Prohibits the person receiving the personal information from:

                        a.  Selling the personal information;

                        b.  Retaining, using or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using or disclosing the personal information for a commercial purpose other than providing the services specified in the contract; or

                        c.  Retaining, using or disclosing the information outside of the direct business relationship between the person and the business.

                   2.  Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (ii)1 of this paragraph (w) and will comply with them. 

     A person covered by subparagraph (ii) of this paragraph (w) that violates any of the restrictions set forth in this title shall be liable for the violations.  A business that discloses personal information to a person covered by subparagraph (ii) of this paragraph (w) in compliance with paragraph (ii) shall not be liable under this act if the person receiving the personal information uses it in violation of the restrictions set forth in this act, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.

          (x)  "Unique identifier" or "unique personal identifier" means a persistent identifier that can be used to recognize a consumer, a family or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers or similar technology; customer number, unique pseudonym or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.  For purposes of this subdivision, "family" means a custodial parent or guardian and any minor children over which the parent or guardian has custody.

          (y)  "Verifiable consumer request" means a request that is made by a consumer, by a consumer on behalf of the consumer's minor child or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer's behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to Section 18 of this act to be the consumer about whom the business has collected personal information.  A business is not obligated to provide information to the consumer pursuant to Sections 5 and 6 of this act if the business cannot verify, pursuant this subsection and regulations adopted by the Attorney General pursuant to Section 18 of this act, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer's behalf.

     SECTION 12.  (1)  The obligations imposed on businesses by this act shall not restrict a business's ability to:

          (a)  Comply with federal, state, or local laws;

          (b)  Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state or local authorities;

          (c)  Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider or third party reasonably and in good faith believes may violate federal, state or local law;

          (d)  Exercise or defend legal claims;

          (e)  Collect, use, retain, sell or disclose consumer information that is de-identified or in the aggregate consumer information; or

          (f)  Collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of Mississippi.  For purposes of this act, commercial conduct takes place wholly outside of Mississippi if the business collected that information while the consumer was outside of Mississippi, no part of the sale of the consumer's personal information occurred in Mississippi, and no personal information collected while the consumer was in Mississippi is sold.  This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in Mississippi and then collecting that personal information when the consumer and stored personal information is outside of Mississippi.

     (2)  The obligations imposed on businesses by Sections 5 through 10 of this act, shall not apply where compliance by the business with the act would violate an evidentiary privilege under Mississippi law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under Mississippi law as part of a privileged communication.

     (3)  This act shall not apply to protected or health information that is collected by a covered entity governed by the privacy, security and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996.

     (4)  This act shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 USC Sec. 1681 et seq.).

     (5)  This act shall not apply to personal information collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it is in conflict with that law.

     (6)  This act shall not apply to personal information collected, processed, sold or disclosed pursuant to the Driver's Privacy Protection Act of 1994 (18 USC Sec. 2721 et seq.), if it is in conflict with that act.

     (7)  Notwithstanding a business' obligations to respond to and honor consumer rights requests pursuant to this act:

          (a)  A time period for a business to respond to any verified consumer request may be extended by up to ninety (90) additional days where necessary, taking into account the complexity and number of the requests.  The business shall inform the consumer of any such extension within forty-five (45) days of receipt of the request, together with the reasons for the delay;

          (b)  If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business; or

          (c)  If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request.  The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.

     (8)  A business that discloses personal information to a service provider shall not be liable under this act if the service provider receiving the personal information uses it in violation of the restrictions set forth in the act, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation.  A service provider shall likewise not be liable under this act for the obligations of a business for which it provides services as set forth in this act.

     (9)  This act shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

     (10)  The rights afforded to consumers and the obligations imposed on the business in this act shall not adversely affect the rights and freedoms of other consumers.

     SECTION 13.  (1)  Any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

          (a)  To recover damages in an amount not less than One Hundred Dollars ($100.00) and not greater than Seven Hundred Fifty Dollars ($750.00) per consumer per incident or actual damages, whichever is greater;

          (b)  Injunctive or declaratory relief; or

          (c)  Any other relief the court deems proper.

     (2)  In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct and the defendant's assets, liabilities and net worth.

     (3)  Actions pursuant to this section may be brought by a consumer if all of the following requirements are met:

          (a)  Prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer shall provide a business thirty (30) days' written notice identifying the specific provisions of this act the consumer alleges have been or are being violated.  In the event a cure is possible, if within the thirty (30) days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.  No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this act.  If a business continues to violate this act in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of this act that postdates the written statement;

          (b)  A consumer bringing an action as provided in subsection (1) of this section shall notify the Attorney General within thirty (30) days that the action has been filed; and

          (c)  The Attorney General, upon receiving such notice shall, within thirty (30) days, do one of the following:

              (i)  Notify the consumer bringing the action of the Attorney General's intent to prosecute an action against the violation.  If the Attorney General does not prosecute within six (6) months, the consumer may proceed with the action;

              (ii)  Refrain from acting within the thirty (30) days, allowing the consumer bringing the action to proceed; or

              (iii)  Notify the consumer bringing the action that the consumer shall not proceed with the action.

     (3)  Nothing in this act shall be interpreted to serve as the basis for a private right of action under any other law.  This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or Mississippi Constitution.

     SECTION 14.  (1)  Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this act.

     (2)  A business shall be in violation of this act if it fails to cure any alleged violation within thirty (30) days after being notified of alleged noncompliance.  Any business, service provider or other person that violates this act shall be liable for a civil penalty in a civil action brought in the name of the people of the State of Mississippi by the Attorney General.  The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of Mississippi by the Attorney General.

     (3)  Any person, business or service provider that intentionally violates this act may be liable for a civil penalty of up to Seven Thousand Five Hundred Dollars ($7,500.00) for each violation.

     SECTION 15.  (1)  A special fund to be known as the 'Consumer Privacy Fund" is created within in the State Treasury, and is available upon appropriation by the Legislature to offset any costs incurred by the state courts in connection with actions brought to enforce this act and any costs incurred by the Attorney General in carrying out the Attorney General's duties under this act.

     (2)  Funds transferred to the Consumer Privacy Fund shall be used exclusively to offset any costs incurred by the state courts and the Attorney General in connection with this act.  These funds shall not be subject to appropriation or transfer by the Legislature for any other purpose, unless it is determined that the funds are in excess of the funding needed to fully offset the costs incurred by the state courts and the Attorney General in connection with this act, in which case the Legislature may appropriate excess funds for other purposes.

     SECTION 16.  This act is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers' personal information.  The provisions of this act are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, law relating to consumers' personal information should be construed to harmonize with the provisions of this act, but in the event of a conflict between other laws and the provisions of this act, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

     SECTION 17.  This act is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances and other laws adopted by a city, county, city and county, municipality or local agency regarding the collection and sale of consumers' personal information by a business.

     SECTION 18.  The Attorney General may adopt such regulations as necessary to further the purposes of this act.

     SECTION 19.  If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this act, including the disclosure of information by a business to a third party in order to avoid the definition of sell, a court shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this act.

     SECTION 20.  Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this act, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.  This section shall not prevent a consumer from declining to request information from a business, declining to opt out of a business' sale of the consumer's personal information, or authorizing a business to sell the consumer's personal information after previously opting out.

     SECTION 21.  This act shall take effect and be in force from and after July 1, 2019.