§ 2430. Definitions
As used in this chapter:
(1)(A) “Brokered personal information” means one or more of the following computerized data
elements about a consumer, if categorized or organized for dissemination to third
parties:
(i) name;
(ii) address;
(iii) date of birth;
(iv) place of birth;
(v) mother’s maiden name;
(vi) unique biometric data generated from measurements or technical analysis of human body
characteristics used by the owner or licensee of the data to identify or authenticate
the consumer, such as a fingerprint, retina or iris image, or other unique physical
representation or digital representation of biometric data;
(vii) name or address of a member of the consumer’s immediate family or household;
(viii) Social Security number or other government-issued identification number; or
(ix) other information that, alone or in combination with the other information sold or
licensed, would allow a reasonable person to identify the consumer with reasonable
certainty.
(B) “Brokered personal information” does not include publicly available information to
the extent that it is related to a consumer’s business or profession.
(2) “Business” means a commercial entity, including a sole proprietorship, partnership,
corporation, association, limited liability company, or other group, however organized
and whether or not organized to operate at a profit, including a financial institution
organized, chartered, or holding a license or authorization certificate under the
laws of this State, any other state, the United States, or any other country, or the
parent, affiliate, or subsidiary of a financial institution, but does not include
the State, a State agency, any political subdivision of the State, or a vendor acting
solely on behalf of, and at the direction of, the State.
(3) “Consumer” means an individual residing in this State.
(4)(A) “Data broker” means a business, or unit or units of a business, separately or together,
that knowingly collects and sells or licenses to third parties the brokered personal
information of a consumer with whom the business does not have a direct relationship.
(B) Examples of a direct relationship with a business include if the consumer is a past
or present:
(i) customer, client, subscriber, user, or registered user of the business’s goods or
services;
(ii) employee, contractor, or agent of the business;
(iii) investor in the business; or
(iv) donor to the business.
(C) The following activities conducted by a business, and the collection and sale or licensing
of brokered personal information incidental to conducting these activities, do not
qualify the business as a data broker:
(i) developing or maintaining third-party e-commerce or application platforms;
(ii) providing 411 directory assistance or directory information services, including name,
address, and telephone number, on behalf of or as a function of a telecommunications
carrier;
(iii) providing publicly available information related to a consumer’s business or profession;
or
(iv) providing publicly available information via real-time or near-real-time alert services
for health or safety purposes.
(D) The phrase “sells or licenses” does not include:
(i) a one-time or occasional sale of assets of a business as part of a transfer of control
of those assets that is not part of the ordinary conduct of the business; or
(ii) a sale or license of data that is merely incidental to the business.
(5)(A) “Data broker security breach” means an unauthorized acquisition or a reasonable belief
of an unauthorized acquisition of more than one element of brokered personal information
maintained by a data broker when the brokered personal information is not encrypted,
redacted, or protected by another method that renders the information unreadable or
unusable by an unauthorized person.
(B) “Data broker security breach” does not include good faith but unauthorized acquisition
of brokered personal information by an employee or agent of the data broker for a
legitimate purpose of the data broker, provided that the brokered personal information
is not used for a purpose unrelated to the data broker’s business or subject to further
unauthorized disclosure.
(C) In determining whether brokered personal information has been acquired or is reasonably
believed to have been acquired by a person without valid authorization, a data broker
may consider the following factors, among others:
(i) indications that the brokered personal information is in the physical possession and
control of a person without valid authorization, such as a lost or stolen computer
or other device containing brokered personal information;
(ii) indications that the brokered personal information has been downloaded or copied;
(iii) indications that the brokered personal information was used by an unauthorized person,
such as fraudulent accounts opened or instances of identity theft reported; or
(iv) that the brokered personal information has been made public.
(6) “Data collector” means a person who, for any purpose, whether by automated collection
or otherwise, handles, collects, disseminates, or otherwise deals with personally
identifiable information, and includes the State, State agencies, political subdivisions
of the State, public and private universities, privately and publicly held corporations,
limited liability companies, financial institutions, and retail operators.
(7) “Encryption” means use of an algorithmic process to transform data into a form in
which the data is rendered unreadable or unusable without use of a confidential process
or key.
(8) “License” means a grant of access to, or distribution of, data by one person to another
in exchange for consideration. A use of data for the sole benefit of the data provider,
where the data provider maintains control over the use of the data, is not a license.
(9) “Login credentials” means a consumer’s user name or e-mail address, in combination
with a password or an answer to a security question, that together permit access to
an online account.
(10)(A) “Personally identifiable information” means a consumer’s first name or first initial
and last name in combination with one or more of the following digital data elements,
when the data elements are not encrypted, redacted, or protected by another method
that renders them unreadable or unusable by unauthorized persons:
(i) a Social Security number;
(ii) a driver license or nondriver State identification card number, individual taxpayer
identification number, passport number, military identification card number, or other
identification number that originates from a government identification document that
is commonly used to verify identity for a commercial transaction;
(iii) a financial account number or credit or debit card number, if the number could be
used without additional identifying information, access codes, or passwords;
(iv) a password, personal identification number, or other access code for a financial account;
(v) unique biometric data generated from measurements or technical analysis of human body
characteristics used by the owner or licensee of the data to identify or authenticate
the consumer, such as a fingerprint, retina or iris image, or other unique physical
representation or digital representation of biometric data;
(vi) genetic information; and
(vii)(I) health records or records of a wellness program or similar program of health promotion
or disease prevention;
(II) a health care professional’s medical diagnosis or treatment of the consumer; or
(III) a health insurance policy number.
(B) “Personally identifiable information” does not mean publicly available information
that is lawfully made available to the general public from federal, State, or local
government records.
(11) “Record” means any material on which written, drawn, spoken, visual, or electromagnetic
information is recorded or preserved, regardless of physical form or characteristics.
(12) “Redaction” means the rendering of data so that the data are unreadable or are truncated
so that no more than the last four digits of the identification number are accessible
as part of the data.
(13)(A) “Security breach” means unauthorized acquisition of electronic data, or a reasonable
belief of an unauthorized acquisition of electronic data, that compromises the security,
confidentiality, or integrity of a consumer’s personally identifiable information
or login credentials maintained by a data collector.
(B) “Security breach” does not include good faith but unauthorized acquisition of personally
identifiable information or login credentials by an employee or agent of the data
collector for a legitimate purpose of the data collector, provided that the personally
identifiable information or login credentials are not used for a purpose unrelated
to the data collector’s business or subject to further unauthorized disclosure.
(C) In determining whether personally identifiable information or login credentials have
been acquired or is reasonably believed to have been acquired by a person without
valid authorization, a data collector may consider the following factors, among others:
(i) indications that the information is in the physical possession and control of a person
without valid authorization, such as a lost or stolen computer or other device containing
information;
(ii) indications that the information has been downloaded or copied;
(iii) indications that the information was used by an unauthorized person, such as fraudulent
accounts opened or instances of identity theft reported; or
(iv) that the information has been made public.
(Added 2005, No. 162 (Adj. Sess.), § 1, eff. Jan. 1, 2007; amended 2011, No. 109 (Adj. Sess.), § 4, eff. May 8, 2012; 2017, No. 171 (Adj. Sess.), § 2, eff. Jan. 1, 2019; 2019, No. 89 (Adj. Sess.), § 2.)