2023 Regular Session

To: Judiciary, Division A

By: Senator(s) Turner-Ford

Senate Bill 2080



     SECTION 1.  This act shall be known as the "Mississippi Consumer Data Privacy Act."

     SECTION 2.  (1)  The Legislature finds:

          (a)  That it is an important and substantial state interest to protect the private, personal data in Mississippi;

          (b)  That with the increasing use of technology and data in everyday life, there is an increasing amount of private, personal data being shared by consumers with businesses as a part of everyday transactions and online and other activities;

          (c)  That the increasing collection, storage, use and sale of personal data creates increased risks of identity theft, financial loss, and other misuse of private personal data; and

          (d)  That many consumers do not know, understand, or have appropriate authority over the distribution, use, sale or disclosure of their personal data.

     (2)  Therefore, it is the intent of the Legislature to further Mississippians' right to privacy by recognizing that Mississippi consumers have the following rights:

          (a)  To know what personal information is being collected about them;

          (b)  To know whether their personal information is sold or disclosed and to whom;

          (c)  To decline or opt-out of the sale of their personal information;

          (d)  To access their personal information that has been collected; and

          (e)  To receive equal service and price, even if they exercise their above rights.

     SECTION 3.  As used in this act:

          (a)  "Business" means:

              (i)  A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in Mississippi, and that satisfies one or more of the following thresholds:

                   1.  Has annual gross revenues in excess of Ten Million Dollars ($10,000,000.00);

                   2.  Alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of fifty thousand (50,000) or more consumers, households, or devices; and

                   3.  Derives fifty percent (50%) or more of its annual revenues from selling consumers' personal information;

              (ii)  Any entity that controls or is controlled by a business, as defined in subparagraph (i) of this section, and that shares common branding with the business;

                   1.  For this subparagraph (ii), "control" or "controlled" means ownership of, or the power to vote, more than fifty percent (50%) of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company; and

                   2.  "Common branding" means a shared name or trademark.

          (b)  (i)  "Personal information" means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, including, but not limited to:

                   1.  Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers;

                   2.  Characteristics of protected classifications under Mississippi or federal law;

                   3.  Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;

                   4.  Biometric information;

                   5.  Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement;

                   6.  Geolocation data;

                   7.  Audio, electronic, visual, thermal, olfactory, or similar information;

                   8.  Professional or employment-related information;

                   9.  Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99); and

                   10.  Inferences drawn from any of the information identified in this section to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

              (ii)  "Personal information" does not include publicly available information.  For the purposes of this subparagraph (ii), "publicly available" means information that is lawfully made available from federal, state, or local government records, as restricted by any conditions associated with such information.  "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge.  Information is not "publicly available" if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained.  "Publicly available" does not include consumer information that is deidentified or aggregate consumer information.

     SECTION 4.  A consumer shall have the right:

          (a)  To request that a business that collects personal information about the consumer disclose to the consumer the following:

              (i)  The categories and specific pieces of personal information that the business has collected about that consumer;

              (ii)  The categories of sources from which the personal information is collected;

              (iii)  The business or commercial purpose for collecting or selling personal information; and

              (iv)  The categories of third parties with whom the business shares personal information;

          (b)  To request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer:

              (i)  The categories of personal information that the business collected about the consumer;

              (ii)  The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold; and

              (iii)  The categories of personal information that the business disclosed about the consumer for a business purpose; and

          (c)  To request that a business delete any personal information about the consumer which the business has collected from the consumer.

     SECTION 5.  Upon receipt of a verifiable request from a consumer, a business shall:

          (a)  Disclose the information specified in Section 4(a) of this act to the consumer if the business collects personal information about that consumer.  This subparagraph (a) does not require a business to:

              (i)  Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained; or

              (ii)  Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

          (b)  Disclose the information specified in Section 4(b) of this act to the consumer if the business sells personal information about that consumer, or discloses that consumer's personal information for a business purpose.

          (c)  Delete a consumer's personal information from its records and direct any service providers to delete a consumer's personal information from their records.  A business or a service provider shall not be required to comply with a consumer's request to delete the consumer's personal information if it is necessary for the business or service provider to maintain the consumer's personal information in order to:

              (i)  Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipate within the context of a business's ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer;

              (ii)  Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity or prosecute those responsible for that activity;

              (iii)  Debug to identify and repair errors that impair existing intended functionality;

              (iv)  Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;

              (v)  Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses' deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent;

              (vi)  To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business; or

              (vii)  Comply with a legal obligation.

     SECTION 6.  A business that collects personal information about consumers shall disclose, pursuant to Section 10 of this act, the consumer's rights to request the deletion of the consumer's personal information.

     SECTION 7.  (1)  A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information.  This right may be referred to as the right to opt out.

          (a)  A business shall respect the consumer's decision to opt out under this subsection (1) for at least twelve (12) months before requesting that the consumer authorize the sale of the consumer's personal information.

          (b)  A business shall use any personal information collected from the consumer in connection with the submission of the consumer's opt-out request solely for the purposes of complying with the opt-out request.

     (2)  A business that sells consumers' personal information to third parties shall provide notice to consumers that this information may be sold and that consumers have the right to opt out of the sale of their personal information.

     (3)  A business that has received direction from a consumer not to sell the consumer's personal information or has not received consent to sell a minor consumer's personal information shall be prohibited from selling the consumer's personal information after its receipt of the consumer's direction, unless the consumer subsequently provides express authorization for the sale of the consumer's personal information.

     (4)  Notwithstanding subsections (1) and (3) of this section, a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than sixteen (16) years of age, unless the consumer, in the case of consumers between thirteen (13) and sixteen (16) years of age, or the consumer's parent or guardian, in the case of consumers who are less than thirteen (13) years of age, has affirmatively authorized the sale of the consumer's personal information.  A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age.  This right may be referred to as the right to opt in.

     SECTION 8.  A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out as provided in Section 7(1) of this act.

     SECTION 9.  (1)  A business shall not discriminate against a consumer when a consumer exercises any of the consumer's rights under this act, including, but not limited to, by:

          (a)  Denying goods or services to the consumer;

          (b)  Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;

          (c)  Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer's rights under this act; or

          (d)  Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

     (2)  Nothing in subsection (l) of this section prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer's data.

     SECTION 10.  (1)  In order to comply with the notice requirements of the above sections, a business shall, in a form that is reasonably accessible to consumers:

          (a)  Make available two (2) or more designated methods for submitting requests for information required to be disclosed, including, at a minimum, a toll-free telephone number, and if the business maintains an internet website, a website address;

          (b)  Disclose and deliver the required information free of charge within forty-five (45) days of receiving a verifiable request from the consumer.  The time period to provide the required information may be extended once by an additional forty-five (45) days when reasonably necessary, provided the consumer is provided notice of the extension within the first forty-five-day period;

          (c)  Provide a clear and conspicuous link on the business's internet homepage, titled "Do Not Sell My Personal Information," to an internet web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information.  A business shall not require a consumer to create an account in order to direct the business not to sell the consumer's personal information;

          (d)  Include a description of a consumer's rights along with a separate link to the "Do Not Sell My Personal Information" internet web page in its online privacy policy or policies if the business has an online privacy policy or policies or any Mississippi-specific description of consumers' privacy rights;

          (e)  Ensure that all individuals responsible for handling consumer inquiries about the business's privacy practices are informed of all requirements in this act and how to direct consumers to exercise their rights.

     (2)  Nothing in this section shall be construed to require a business to include the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to Mississippi consumers and that includes the required links and text, and the business takes reasonable steps to ensure that Mississippi consumers are directed to the homepage for Mississippi consumers and not the homepage made available to the public generally.

     SECTION 11.  The obligations imposed on businesses by the above sections shall not restrict a business's ability to:

          (a)  Comply with federal, state, or local laws;

          (b)  Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;

          (c)  Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law;

          (d)  Exercise or defend legal claims;

          (e)  Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information; and

          (f)  Collect or sell a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of Mississippi.  For purposes of this act, commercial conduct takes place wholly outside of Mississippi if the business collected that information while the consumer was outside of Mississippi, no part of the sale of the consumer's personal information occurred in Mississippi, and no personal information collected while the consumer was in Mississippi is sold.  This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in Mississippi and then collecting that personal information when the consumer and stored personal information is outside of Mississippi.

     SECTION 12.  (1)  (a)  Any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

               (i)  To recover damages in an amount not less than One Hundred Dollars ($100.00) and not greater than Seven Hundred Fifty Dollars ($750.00) per consumer per incident or actual damages, whichever is greater;

              (ii)  Injunctive or declaratory relief; or

               (iii)  Any other relief the court deems proper.

          (b)  In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.

     (2)  Actions pursuant to this section may be brought by a consumer if all of the following requirements are met:

          (a)  Prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer shall provide a business thirty (30) days' written notice identifying the specific provisions of this act the consumer alleges have been or are being violated, but no notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this act; and

          (b)  If a business continues to violate this act in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.

     (3)  In the event a cure is possible, if within the thirty (30) days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.

     (4)  A business shall be in violation of this act if it fails to cure any alleged violation within thirty (30) days after being notified of the alleged noncompliance.  Any business, service provider, or other person that violates this act shall be liable for a civil penalty in a civil action brought in the name of the people of Mississippi by the Attorney General of up to Seven Thousand Five Hundred Dollars ($7,500.00) for each violation.

     SECTION 13.  Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this act.

     SECTION 14.  This is a matter of statewide concern and this act supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers' personal information by a business.

     SECTION 15.  Before July 1, 2024, the Attorney General shall solicit broad public participation to adopt regulations to further the purposes of this act.

     SECTION 16.  This act shall take effect and be in force from and after July 1, 2024.