[Michael Marcotte (Chair)]: Good morning, everyone. This is the Vermont House Committee on Commerce and Economic Development. It is Thursday, 01/08/1926 at 09:04 in the morning. So we're beginning our day today with our legislative counsel. I know we walked through this live here, but I think we just need a refresher. We'll ask Rick to walk us through H.211 again. So, Rick, good morning. Thank you for joining us. Good to see you again. Hope you had good holidays. Good morning. Were you able to relax while we were gone?
[Rick Siegel (Office of Legislative Counsel)]: Rick Siegel, Office of Legislative Counsel. The relaxing stopped around late November when the deadlines started coming in. But I did have a restful summer. I hope you all were able to have some rest and forget about this for a little bit. But it's good to be back. And if I'm here, you know, it's gonna be a technical bill, probably one that has a lot of IT definitions or AI definitions. And this one is no different. And, Mr. Terry, I don't remember a walk-through. Maybe we did. I don't think we have.
[Jonathan Cooper (Member)]: Did we? H.211? I don't think we did.
[Rick Siegel (Office of Legislative Counsel)]: Okay. Yeah. But even if we did, I look at this bill and I'm like, what is this bill? It's been a year since I worked on the bill. So forgive me if something comes up that I don't have a quick answer to, but obviously, it's a very detailed bill. Speaking of data brokers, I do want to kind of set the stage a little bit before I talk about the bill. We did have some data broker related bills last session, the Daniel's Law. Remember that one? 342, I think H.342. That one involved data brokers, but it wasn't this specific type of regulation of data brokers. And Vermont, as I said last year, was the first state to regulate data brokers. Other states have now done that. Some states, like California, have introduced a really pretty large regulatory system over data brokers and are also giving consumers the right to basically opt out or delete. It's called the Delete Act. California, I believe as of January 1, their system is now live. So if you live in California, you can go to the California, I think they have some privacy agency website, and you can actually register and then drop. The system's called DROP, D-R-O-P, which probably stands for something. If it's government, it's probably an acronym. You can go in and you can basically notify data brokers that you want your personal information to be dropped, to be deleted. So that's what this bill kind of does. We'll talk in detail about what it actually does on paper, but I also want to say, if you want, on your computer, pull up Title 9, Chapter 62. That's where this bill is. It's not called data privacy. It's called protection of personal information. That's chapter 62. It might as well be data privacy. This is the most that our titles get into when it comes to data privacy, and this bill does not include every section in that chapter. 
So if you wanna have that pulled up, just in case I wanna reference another section in that. What section? So Title 9, Chapter 62, protection of personal information. That's where the age appropriate design code was also placed last year. Okay. So let's do a walk-through of the bill. The definition section. Now, again, we have laws on the books that pertain to data brokers. So a lot of this bill is amending existing definitions or laws. In some cases, we'll have new sections, but you'll notice that a lot of these definitions are already on the books. We're just updating them in various ways. Bottom of page two, and then on page three, you have a new definition of authorized agent. And this is a person designated by a consumer, which is a Vermont resident; that's all consumer is here, to act on the consumer's behalf; a parent or legal guardian that acts on behalf of the parent's child or on behalf of a child for whom the guardian has legal responsibility; or a guardian or conservator that acts on behalf of a consumer that is subject to a guardianship, conservatorship, or other protective agreement. This bill, I'm sorry, the statutes previously referred to the third party, and you'll see that. And this definition is not replacing third party, but in some ways it's giving an option for a consumer to designate an agent. It could be a company. It could be a person to help them with their personal information. Biometric data is actually in the current statutes, but it's not defined as anything specific. This is providing a very detailed definition. You may recognize this as it appears. And I think it was in the age appropriate design code. I'll double check that. But it's definitely in data privacy laws that we've walked through here. 
So it's data generated from the technological processing of an individual's unique biological, physical, or physiological characteristics that is linked or reasonably linkable to an individual, including iris or retina scans, fingerprints, facial or hand mapping, geometry templates, vein patterns, voice patterns, and gait or personally identifying physical movement or patterns. Biometric data does not include a photograph, an audio recording, or a video recording, or any data generated from any of those items. Okay, brokered personal information is an important definition. Not much of a change here, except you'll see that one of the characteristics of that is biometric data. Because we have now defined biometric data in this bill, we mark out, strike through, how it currently is defined, which you can read through the strike-through. It includes a few things, like fingerprint, retina scan, but the proposed definition is much more thorough than what is currently on the books. And then adding phone number as brokered personal information. Currently, it's not in there, although your name and address are currently in there. Brokered personal information does not include publicly available information to the extent that it is related to a consumer's business or profession. Kind of a curious exception there. We can talk about that later. But it's currently on the books. Okay. Definition of business is pretty much
[Unknown Member]: Can you repeat that? Because I missed what you just said.
[Rick Siegel (Office of Legislative Counsel)]: So it's the top of page five. Brokered personal information, what does it not include? It does not include publicly available information to the extent that it is related to a consumer's business or profession. So if you're a lawyer, and your name and information is online, that would be permitted as not public. I mean, that would not be brokered personal information because it's your professional information. So definition four, business, is pretty much any entity, and you can see all the ways we define that currently, except for state entities and any vendor working for the state. So a state or a political subdivision of the state would not be a business when it comes to this chapter. And let me also take a step back. These are all chapter definitions. These apply to every statute section in this chapter. So keep that in mind too. The proposal is to add controller, consumer health data controller, and processor to business. One could argue that those three are already included in that long list. They're likely either a partnership or a corporation. They're probably one of those already existing. However, it doesn't hurt to be specific in ensuring that those three are included as a business. Six, a consumer health data controller means a controller that alone or jointly with others determines the purpose and means of processing consumer health data. A controller is a person who alone or jointly with others determines the purpose and means of processing personal data. The definition of data broker does not change a whole lot. So I'm going to read it because it's important here. It means a business, or unit or units of a business, and so think about the definition of business that we just went through, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. Okay. 
So examples of a direct relationship include the consumer as a past or present customer, client, subscriber, or user within the last five calendar years; that is the proposed change. So some kind of limitation. Right now, there's no limitation on when you were a customer or a client of the business or of that data broker. Employee, contractor, or agent, investor, donor. The following activities conducted by a business, and the collection, sale, or licensing of brokered personal information incidental to conducting these activities, do not qualify the business as a data broker: developing or maintaining third-party e-commerce or application platforms; providing 411 directory assistance or directory information services; providing publicly available information related to a consumer's business or profession; providing publicly available real-time or near-real-time alert services for health or safety purposes. The phrase "sells or licenses" does not include a one-time or occasional sale of assets of the business as part of a transfer of control of those assets that is not part of the ordinary conduct of the business, or a sale or license of data that is merely incidental to the business. Any questions about the definition of data broker?
[Unknown Member]: Are nonprofit 501(c)(3)s and (4)s included in that?
[Rick Siegel (Office of Legislative Counsel)]: They could be. Because they would be a business. And then if they do one of these things, if they collect and sell or license to third parties, they could be a data broker.
[Unknown Member]: Is this considered Okay, never mind.
[Rick Siegel (Office of Legislative Counsel)]: So an affiliate of a data broker? Would they be a data broker?
[Unknown Member]: If there are multiple businesses that they have, is that considered? Is transferring the data from one business to another considered?
[Rick Siegel (Office of Legislative Counsel)]: They would be a processor, right? So would the processor be? This bill, I think, would make sure that they are, because they would be considered a processor if, yeah. But something for me to think about. That's my 99% answer. But there's a 1% chance that this doesn't always include every affiliate you can come up with. Data broker security breach. This is used one time in the current statute. Basically, when the data broker registers annually with the Secretary of State, part of that form asks them, have you had a security breach? We'll get to this bill really kind of expanding on that quite a bit, not the definition, but there's a new section specifically dedicated to data broker security breaches. So I'm going to scroll past this for now, but it's not super relevant to the current way the statute is set up. So on page eight, data collector, which is not a data broker. A data collector is a bit more broad of a term. It means a person who for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with personally identifiable information, not brokered personal information. Those are different definitions. And this does include the state. So state entities would be considered a data collector if they collect personal information, which would be your name, which most state agencies do in one way or another. I'm gonna skip through encryption and license. Login credentials on page nine. Just correcting grammatically, stylistically, email: there's no hyphen in email. So we fixed that. 14A, personally identifiable information is a consumer's first name or first initial and last name in combination with one or more of the following elements, when the data elements are not encrypted, redacted, or protected by another method that renders them unreadable or unusable by unauthorized persons. 
So again, it's your first name or first initial and last name in combination with one or more of these. So your Social Security number, your driver's license number, again, you can read all these, military ID, passport, a financial account number or credit or debit card number, password, no changes here. The biometric data, removing the current definition that is in the statute and just referencing the new definition, proposed definition, excuse me, genetic information, and so forth. So, again, this is personally identifiable information. Subdivision 15, a new definition to recognize this: precise geolocation means information derived from technology that can precisely and accurately identify the specific location of a consumer within a radius of 1,850 feet. Definition of processor, a person that processes personal data on behalf of a controller. Grammatical change to redaction. Security breach, 19A. Good to go over, but not necessarily needed for the walk-through here. Okay. Any questions about the definitions?
[Michael Marcotte (Chair)]: I just wanna be sure that any definitions that we're using in here are the same definitions that we put into other bills that we put through the federal statute.
[Rick Siegel (Office of Legislative Counsel)]: So as far as in this chapter or just in general?
[Michael Marcotte (Chair)]: Just, well, in general. Like, you were talking about the biometric. Right. A little bit. Is that the same language that we have in, that we passed in the kids code? I just wanna be sure that whatever we're putting in here, we either update other areas so that we're consistent. Yeah.
[Monique Priestley (Clerk)]: For the, yeah. So there's an amendment that's being worked on that matches everything up. Okay. Yeah.
[Rick Siegel (Office of Legislative Counsel)]: Alright. So this is the kids code. Not in effect yet, obviously. Right. But it's on the website. One of my duties when we're getting towards the end of the bills is to make sure they all line up. Yeah, thank you. Something I'm aware of in general, but especially here. And it's kind of an office-wide thing with AI. There are so many definitions of AI that we need to settle on something. So, as an example. Okay. So under current law, Vermont has a security breach act that requires, if there's a security breach of a data collector, which includes the state, right, and most businesses, if you have a security breach, you have a requirement to report that, not just to the consumer who was affected by it. I think we've all gotten the letter that your data has been breached, whatever. Most states have some form of this. And there's also a requirement for the Attorney General or DFR to be alerted. If you are a collector that meets the definition and Vermonters' data has been breached, you have to notify the consumer and the appropriate state agency. So under our current subchapter two, we have the Security Breach Notice Act. A small amendment here, subsection (h), the enforcement mechanism. The current language is "with respect to all data collectors and other entities subject to the subchapter." And then the rest of the language talks about how, if you register with DFR or the AG, you must notify them, or you have enforcement. The proposed language is "with respect to a controller or processor." So we're going from data collector, which is very broad, to controller or processor, for the Security Breach Notice Act. Same language elsewhere, speaking of the AG has authority to adopt rules. If you are a financial entity, same thing. You must report to the DFR, and they have the authority to adopt rules. So, again, the main change here is going from data collector to controller or processor. 
You're narrowing the scope of who meets this definition for enforcement purposes. Questions about this?
[Unknown Member]: Okay.
[Rick Siegel (Office of Legislative Counsel)]: 2436 is a brand new section, and this almost exactly mirrors the Security Breach Notice Act, which I just showed you a couple of sections of at the end. So this would apply to data brokers. Data brokers are not specifically mentioned in the Security Breach Notice Act, just data collectors. Sometimes the data broker is a data collector, not always. And the types of breaches they may have are different. So this would be specific to data broker breaches. Subsection (a), this shall be known as the Data Broker Security Breach Notice Act. Again, different from the Data Security Breach Notice Act. It's Data Broker. Subsection (b), Notice of Breach to Consumers. In fact, I think I wanna change that. So we amend those, if we do amendments, to Notice of Breach, because this applies to the AG too, not just to the consumer. So it's something I need to fix. Subdivision one, except as otherwise provided in subsection (c), a data broker shall, following discovery or notification to the data broker of a breach affecting the consumer, notify the consumer that there has been a data broker security breach. Notice shall be made in the most expedient time possible and without delay, but not later than forty-five days after the discovery or notification, consistent with the legitimate needs of law enforcement or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. So you have that forty-five day timeline, but it's a little bit squishy because law enforcement can say, hold on, this is an active investigation, or something else, which we'll talk about here, could come up. So not just to the consumer, but subdivision two, a data broker shall provide notice of a breach to the AG as follows. 
They shall notify the AG of the date of the breach and the date of the discovery of the breach and shall provide a preliminary description of the breach within fourteen business days. So a much shorter timeline to notify the AG. Consistent with the legitimate needs of law enforcement. If the date of the breach is unknown, they shall send it to the AG as soon as it knows the date. Subdivision 3, unless otherwise ordered by a court for good cause, a notice provided under the subdivision, which is the AG, shall not be disclosed without the consent of the data broker to any person other than the authorized agent or representative of the AG, a state's attorney, or another law enforcement officer engaged in legitimate law enforcement activities. When the data broker provides notice of the breach to a consumer, that's what subdivision one is, the data broker shall notify the AG of the number of Vermont consumers affected, if known to the data broker, and shall provide a copy of the notice that it provides to the consumers to the AG. So you're kind of carbon copying the AG on that. The data broker may send to the AG a second copy of the consumer notice from which is redacted the type of brokered personal information that was subject to the breach, that the AG shall use for any public disclosure. So they don't have to; they may do it. It's up to the data broker if they want to send that information. The notice to the AG and the consumer shall be delayed upon request of law enforcement. Law enforcement may request delay if it believes that notification may impede an investigation or jeopardize public safety or national security. In the event law enforcement makes the request for the delay in a manner other than writing, the data broker shall document the request contemporaneously in writing and include the name of the law enforcement officer making the request and the agency. 
A law enforcement agency shall promptly notify the data broker in writing when the agency no longer believes that it may impede a law enforcement investigation or other national security issue. The data broker shall provide notice required by the subsection without unreasonable delay upon receipt of a written communication, which includes facsimile or electronic communications, from the law enforcement agency withdrawing its request for delay. Okay, back to the consumer notice. The notice that the data broker makes to the consumer shall be clear and conspicuous. A notice to the consumer of a breach involving brokered personal information shall include a description of each of the following, if known to the data broker: the incident in general terms, the categories of brokered personal information that were subject to the breach, the general acts of the data broker to protect the brokered personal information from further security breach, a telephone number that the consumer may call for further information, advice that directs the consumer to remain vigilant by reviewing account statements and monitoring free credit reports, and the approximate date of the data broker security breach. A data broker may provide notice of a breach involving brokered personal information to a consumer by two or more of the following methods.
[Michael Marcotte (Chair)]: I think that should be a shall. Let me fix that real quick.
[Rick Siegel (Office of Legislative Counsel)]: Okay. Subdivision five, it really should say that a data broker shall provide notice of a security breach involving brokered personal information. Written notice mailed to the consumer's residence; electronic notice for those consumers for whom the data broker has a valid email address, if the data broker's primary method of communication with the consumer is by electronic means, the electronic notice does not request or contain a hypertext link to a request that the consumer provide personal information, and the electronic notice conspicuously warns consumers not to provide personal information in response to electronic communications regarding security breaches.
[Monique Priestley (Clerk)]: Can I ask a question? Just out of curiosity, because of that stuff. I am curious, since the data breach stuff also applies to governments. I'm not seeing anything in here that would make it so it seems like it has to be in writing or some kind of thing. Like, just vocally telling somebody in person actually doesn't, I'm not seeing anything here that would just allow that kind of thing. For the state?
[Rick Siegel (Office of Legislative Counsel)]: Yeah. So a data broker does not include the state.
[Monique Priestley (Clerk)]: Okay. Yeah. No, no, no. Breach. The breach. Previous. Yeah.
[Rick Siegel (Office of Legislative Counsel)]: So, this is a new section, right? Okay, 2435 applies to data collectors, which includes the state. So, section 2435 up here, this one that we only briefly amended, this one here applies to the state.
[Monique Priestley (Clerk)]: Yeah, yeah. So the language, notice goes. Yeah, okay, it's similar. Okay, great. Similar.
[Rick Siegel (Office of Legislative Counsel)]: So if the committee wants to amend that, which applies to the state, you need to amend that section. Okay, cool. Thank you. Okay, so we're on page 17. Here we go. Okay, 18. We're talking about the notice to the consumer by two or more of the following methods: written, electronic, telephone notice on line six, provided that telephone contact is made directly with each affected consumer and not through a prerecorded message, or (D) notice by publication in a newspaper of statewide circulation. I'm trying to think of what that means in Vermont.
[Unknown Member]: Do we have state
[Rick Siegel (Office of Legislative Counsel)]: of publicity? That's kind of what I'm thinking. If we may we may need to to work on this because I imagine this would be a method that they would wanna use publication by newspaper because it's fairly easy. I think we may want to
[Unknown Member]: Someone updated that in the open meeting laws, so we could use that.
[Rick Siegel (Office of Legislative Counsel)]: I cross reference it?
[Michael Marcotte (Chair)]: Okay.
[Rick Siegel (Office of Legislative Counsel)]: In that statute?
[Unknown Member]: That statute.
[Rick Siegel (Office of Legislative Counsel)]: That term, statewide circulation?
[Unknown Member]: That was how you had to publicize a meeting, an agenda, with minutes. And so I believe that would be a good, you know, Tucker's argument.
[Michael Marcotte (Chair)]: Yeah, we might need to focus on that a little bit. Yeah.
[Unknown Member]: It's like, we knew that in the planning commission, but it's only a regional newspaper, because if you're outside of Milton, it doesn't really apply to you. Here you're dealing with people who, I mean, can be all over the state. Right.
[Unknown Member]: Newspapers, I mean, like the Times Argus, technically, is, you know
[Rick Siegel (Office of Legislative Counsel)]: Online? It's on Yeah.
[Michael Marcotte (Chair)]: Yeah. But
[Unknown Member]: No. This doesn't preclude does this preclude electronic publications?
[Rick Siegel (Office of Legislative Counsel)]: So that's one of the options, but it's got to be an email. So you directly email the consumer. And it's two of these four. Two of these four. So either written via snail mail, or electronic, email, or telephone, and it can't be a prerecorded message, or the statewide circulation of a newspaper. So I think we can work on this. It just needs to be clear to the data brokers what they need to do. Exception: notice of a security breach pursuant to subsection (b), which is the big one, go back and look at subsection (b), that's where all the notice requirements are, is not required if the data broker establishes that misuse of brokered personal information is not reasonably possible and the data broker provides notice of the determination that the misuse of the brokered personal information is not reasonably possible pursuant to the requirements of the subsection. If the data broker establishes that misuse of the brokered personal information is not reasonably possible, the data broker shall provide notice of its determination that misuse is not reasonably possible and a detailed explanation to the AG. The data broker may designate this notice and detailed explanation to the Attorney General as a trade secret if it meets that definition. If it establishes that misuse was not reasonably possible under that subdivision and subsequently obtains facts indicating that misuse of the brokered personal information has occurred or is occurring, then it must provide notice pursuant to subsection (b). In other words, if you make the determination and then you turn out to be wrong, you then have to go back and actually provide notice to the consumer and to the AG that their information is being misused. One thing I would think about, as I'm looking at subsection (c) again, is that there aren't really any timelines here. So remember, they have forty-five days to alert the consumer and fourteen business days to alert the AG if there was a breach. 
So at some point during that forty-five days, the data broker might realize, we don't think that we had this thing happen. The breach happened; however, we don't think that misuse occurred. It might help to define what misuse is. How does the data broker know? If I'm advising a data broker, I look at this, and I'm like, how do I know if it was misused? Is it that the data was leaked, it was breached, but then no one got ahold of it? Like the breach was closed up so quickly? I think it would help to have that further explained, what that misuse looks like.
[Michael Marcotte (Chair)]: Up to you all. But
[Rick Siegel (Office of Legislative Counsel)]: and it's "reasonably possible." Again, kinda squishy language here. Something to consider for an amendment. Okay. Page 19, waiver, subsection (d). You cannot waive this notice. You know, you can't hide this in terms of agreement that you don't have to provide notice of the breach. Subsection (e), enforcement. This is very similar to the security breach language that is being amended by this bill. Controller or processor that is not covered by DFR: the AG has the authority to adopt rules and also conduct investigations, etcetera, etcetera. It's brought into the Consumer Protection Act. If you are an entity that is licensed or registered with DFR, then DFR has the right to adopt rules and conduct investigations, etcetera. Okay. Any questions about the Data Broker Security Breach Notice Act? Subchapter five is currently on the books, but there are several proposed edits and updates to how data brokers are regulated in the state. Currently, very lightly: you must register, as I said, but then after that, there's not a whole lot of regulation happening with data brokers. So registration, again, they currently must register once a year on or before January 31 if you meet the definition of a data broker. Currently, you pay a registration fee of $100 every year. So this language would amend that and say that you pay a registration fee in an amount determined by the Secretary of State, which shall not exceed the reasonable cost of establishing and maintaining the website set forth, that we'll talk about here in a little bit, a new website, and establishing, maintaining, and providing access to the accessible deletion mechanism, also set forth later, which we'll talk about. And it will be deposited by the Secretary of State into the Data Brokers Registry Fund, which is a new fund that would be established in this bill.
[Unknown Member]: Will you go on? So right now, a broker can collect data for thirteen months before they have to register in the state, and we can amend that right now. That's part of what we're talking about here.
[Rick Siegel (Office of Legislative Counsel)]: This language will not change that, but you can.
[Unknown Member]: They can collect data for six months, eight months, ten months, and then keep that data and never register, and we would never even know under law today.
[Rick Siegel (Office of Legislative Counsel)]: And then would they stop operating in Vermont? Is that how they'd get away with Yeah. Even if you
[Unknown Member]: and do it again.
[Unknown Member]: That's a good thing. You see, I get five spam calls a day, and these people, you chase them down, and within days, they just start a new company.
[Rick Siegel (Office of Legislative Counsel)]: So the way the law is written now is if the data broker operates for even one day in Vermont, they would have to register at some point before January 31. So right now, if there's a data broker that comes into Vermont and they operate for one day and they leave, they would have to register by next January 31. And are they? I don't know. Talk to me about that, but
[Unknown Member]: When we talk to the Secretary of State, we'll have to understand why the following year after they've adopted. Yeah. That was a discussion.
[Unknown Member]: That does seem very excessive.
[Michael Marcotte (Chair)]: Changing from a flat fee to something determined by the Secretary of State. Does anyone give you any notion of what that would be?
[Rick Siegel (Office of Legislative Counsel)]: That would be a Secretary of State question.
[Michael Marcotte (Chair)]: Yes,
[Rick Siegel (Office of Legislative Counsel)]: sir. You'll see that I assume the reason why is because there's gonna be some expenses from the secretary's office if they have to implement some of these things that are coming up, but I don't know what that would look like. Okay, page 21, we talked about the new fund, the data brokerage registered fund. That would be established and all the money of registration will go into that fund and you'll see some more money being put in that fund here in a little bit. Subdivision 3. So when you register, you do have to provide some information to the Secretary of State's office about who you are, like your name, email, phone number. Phone number is new. Email and website are still there. If you so again, this is current law. If you, as a data broker, permit a consumer to opt out of the data collect that broker's collection of broker personal information, opt out of the databases just if you allow an opt out process to your consumers. You don't have to, but if you do, the Secretary of State wants to know. If the opt out applies to only certain activities, whether the data broker permits a consumer to authorize, here you see an authorized agent taking the place of a third party kind of being more clear that the consumer can have this agent opt out for them. A statement specifying the collection, databases, or sales activities where the consumer may not opt out. A statement whether the data broker implements a purchaser credentialing process. The number of data broker security breaches that the data broker has experienced during the prior year. And if known, the total number of consumers affected by the breaches. So this is the current notification to the Secretary of State about a breach. The consumer is not gonna know directly unless the data broker wants to let them know. So, just for your background, this is kind of the limitation of what the data broker would provide to the state is like how many times that happened. 
Where the data broker has actual knowledge that it possesses the broker personal information of minors, a separate statement detailing the data collection practices, database, and sales activities, and opt out policies that are applicable to the broker information of minors. Okay, this is new, subdivision G. Whether the data broker collects precise geolocation, consumers, reproductive health data, social security numbers, driver's license, biometric data, immigration status, sexual orientation, or union membership of consumers. Beginning on 01/01/2031, whether the data broker has gone through an audit, which is new. Get to that language in a second. And if so, the most recent year that they submitted a report resulting from the audit. Beginning 01/01/2029, the following metrics, and this is gonna refer to the delete mechanism coming up. The number of deletion requests received, the number of deletion requests processed. And these are consumers that are requesting their data be deleted. The number of deletion requests denied because the consumer requests cannot be verified. And the number of deletion requests denied because retention of the consumers broker personal information is required by law. And then J is any information the data broker wants to provide if they want to give the state more information. Penalties. Currently, if you don't register as a data broker, it's a penalty of $50 per day, not to exceed a total of 10,000 for each year. An amount equal, again, is for those to be struck through, but I want to read it just so you can see the current law. An amount equal to the fees due under the section during the period it failed to register and then other penalties that may be imposed. So the new penalties proposed are this. Still administrative fine. I'm sorry, this is new. An administrative fine of $200 for each day the data broker fails to register. So, it goes from 50 to 200. 
An amount equal to the fees that were due during the period the data broker failed to register. Any reasonable costs incurred by the state in the investigation and administration of the action as the court deems appropriate. Still talking about penalties here. A data broker that fails to provide all registration information shall file an amendment that includes any omitted information not later than thirty days after receiving the omission from the Secretary of State and is liable to the state for a civil penalty of $1,000 per day for each day thereafter that they don't provide the amendment. A data broker that files materially incorrect information in its registration is liable to the state for a civil penalty of $25,000 and shall correct the incorrect information not later than thirty days after notification of the incorrect information. And if it fails to correct the information, an additional penalty of $1,000 per day for each day, the data broker fails to correct the information. All penalties, fees, fines, expenses are going to be deposited into the Data Broker Registry Fund. Okay, enforcement, adding the Secretary of State as an entity that can enforce the penalties or fines that are imposed in this section. D is new, a public webpage. The Secretary of State shall create a webpage where it lists the registration information provided by data brokers pursuant to the section and the accessible deletion mechanisms set forth. So, I think that they do have a website currently that lists There's a data brokers. This just requires an ongoing and also requires the deletion mechanism, which is next. Questions about that second? 2446A accessible deletion mechanism on or before 01/01/2028.
The Secretary of State shall establish an accessible deletion mechanism that implements and maintains reasonable security procedures and practices, including appropriate safeguards appropriate to the nature of the information and the purposes for which the brokered personal information will be used and to protect the consumer's brokered personal information from unauthorized use, disclosure, access, destruction, or modification. Allows a consumer through a single verifiable consumer request to request that every data broker that maintains any brokered personal information about the consumer delete the brokered personal information. Allows a consumer to selectively exclude specific data brokers from request. Allows a consumer to alter a previous request made to subdivision two at least forty five days after at least forty five days have passed since the consumer last made the request. So you can change your mind. Allow the consumer to request the deletion of all brokered information related to that consumer all at once through a single deletion request. Permits a consumer to securely submit information in one or more privacy protecting ways as determined by the Secretary of State to aid in the deletion request. Allows a data broker registered with the state to determine whether a consumer has submitted a verifiable request to delete the information related to that consumer. Does not allow the disclosure of any additional brokered personal information of a consumer when the data broker accesses the deletion mechanism unless otherwise specified. Allows a consumer to make a request described in subject to of the subject and using a website operated by. So just making sure consumers have the ability to do it. Does not have Does not charge a consumer to make a request. Is readily accessible and usable by consumers with disabilities. Supports the ability of a consumer's authorized agent. Might be maybe singular there.
Supports the ability of a consumer's authorized agent to aid in the deletion request. 13 allows the consumer or their authorized agent to verify the status of the consumer deletion request, provide a description of the following: the deletion permitted by the section, the process for submitting a deletion request pursuant to the section, and examples of the types of information that may be deleted. Submission B or Subsection B, Data Broker Access, beginning 08/01/2028, So this is deletion mechanism is 01/01/2028. And then that August, a data broker shall access the deletion mechanism at least once every forty five days and shall process all verifiable deletion requests that it's received in the previous forty five days and delete such information, Process a request as an opt out of the sale or sharing of the consumer's brokered information. Direct all service providers and contractors associated with the data broker. So Rabudin talks about maybe affiliates. In this case, that this is more specifically if you are a provider and contractor with us, that you delete all broker personal information related to a consumer who has made a verifiable request and process a request as an opt out of the sale or sharing of the consumer's broker personal information. And do not use or disclose any information submitted by a consumer through the deletion mechanism for any other purpose besides the authority provided in the subsection, including for marketing. A data broker may deny a request if retention is required by law. The Secretary of State may charge an access fee to a data broker to use the mechanism that does not exceed the reasonable costs of providing access. Any fees collected shall be deposited into the data brokers registry fund. 
Continuing obligation to consumers beginning 08/01/2028, once a data broker has processed a verifiable request to delete a consumer's brokered information, the data broker shall delete all information related to the consumer at least once every forty five days unless the consumer alters the consumer's decision, or retention of the consumer's brokered information is required by law. And they shall not sell or share new brokered information of the consumer unless the consumer expressly requests otherwise in writing. Subsection D audits, a data broker shall undergo an audit by an independent third party. This is not defined, something to think about if you want to be more specific on what you want there. To determine compliance with the section at least once every three years with the first audit taking place on or before 12/31/2030. For an audit completed, the data broker shall submit the report resulting from the audit and any materials related to the Secretary of State within five business days of a request from the Secretary of State. A data broker shall maintain all reports and materials for six years. Subsection E rules. The Secretary of State may adopt rules to implement the provisions of the subchapter, except it shall not be permitted to create a rule that establishes a new fee that is not authorized within the section. Penalties. A data broker that fails to comply with requirements of this section is liable to the state for an administrative fine of $200 per day for each deletion request the data broker fails to complete. And reasonable expenses incurred by the state in the investigation and administration section. And then again, all these fines, etc, are going to be fund. 2446B, the data broker registry fund, is established in the state treasury. It shall be administered by the Secretary of State. It's not yet clear.
All money collected or received by the Secretary of State and the AG pursuant to the subchapter shall be deposited into the Fund and shall be made available for expenditure by the Secretary of State upon appropriation by the General Assembly to offset the following costs. So this money can only be used in these ways. The reasonable cost of establishing and maintaining the website. So, that accessible deletion website. The costs incurred by the state courts and the Secretary of State in connection with enforcing the subchapter. And the reasonable cost of establishing, maintaining, and providing access to the deletion mechanism as described in section 2446A. Okay, finally 2446C credentialing. A data broker shall maintain reasonable procedures designed to ensure that the brokered personal information it discloses is used for a legitimate and legal purpose. These procedures shall require that prospective users of the brokered information identify themselves, certify the purposes for which the information is sought, and certify that the information shall be used for no other purpose. A data broker shall make a reasonable effort to verify the identity of a new prospective user and the uses certified by the prospective user prior to furnishing the user brokered personal information. And a data broker shall not furnish brokered personal information to any person if it has reasonable grounds for believing that the brokered personal information will not be used for a legitimate and legal purpose. One, so section 2447, I think you all should look at, even though it's not in this bill, it's on the books. And it is one thing that data brokers have to, it's an informational, make sure I
[Michael Marcotte (Chair)]: get the words right
[Rick Siegel (Office of Legislative Counsel)]: here. So currently data brokers they must register, which we talked about. They also must create this comprehensive informational security program, okay, which is enforceable by the AG. I don't know if the AG has enforced this at all. You can ask them about that, but there is currently at least one duty that data brokers must adhere to under state law, and that's this information security program, keeping the data secure. So that's not touched in this bill. But maybe you want it to be touched. I would take a look at it and see if you like the way it's written. It would take effect. We would need to change that upon amendment presumably to 2026, but up to you all what you want to do. What a way to start the year.
[Monique Priestley (Clerk)]: Isn't that
[Unknown Member]: a modern time?
[Rick Siegel (Office of Legislative Counsel)]: That's a
[Unknown Member]: really good way to start the year.
[Michael Marcotte (Chair)]: Yes. It's that internal bar. That's right.
[Rick Siegel (Office of Legislative Counsel)]: I just kind of know. And there's a clock on my computer that I keep an eye on.
[Unknown Member]: Okay. Questions?
[Michael Marcotte (Chair)]: The fund that's created only assists the Secretary of State's office in the courts. Right? Right. It doesn't assist the attorney general's office if they have to prosecute. Right. That's from the secretary of state, I mean, for the attorney general's office as well. There was a provision making done. It's not sure. Go Go ahead. Heard the memoir. It seems it seems to me I remember there was a provision in there that a lot of the past. That their the AG can recoup their calves from the date of birth, but not something different than what you're talking. Well, I mean, if we're creating a a fund Yeah. That is there to pay the secretary of state's office back for whatever they have to do, it should be open to the AG as well. Yeah. We'll take a look at that. Jonathan?
[Jonathan Cooper (Member)]: Hi. I think my question pertained to think there's something also on page 30 in that same spot. I recall there being something about records retention for six years. Can we go back to that section?
[Rick Siegel (Office of Legislative Counsel)]: Yep. On line 13 Yes. Three. What I'd be
[Jonathan Cooper (Member)]: curious about is what is what are they holding for six years? Does that contain consumers' protected information? And is that is that something else that is also at risk of being breached? I'm just curious about hearing more about what is being retained for six years.
[Rick Siegel (Office of Legislative Counsel)]: So it's the it's the audit that is done by this independent third party that the data broker can can select and, you know, is subject to a breach, guess, if they keep it on, you know, a server that is available to the public. You know, it might be it might be breached. I think that the purpose of that language is so the secretary of state can get it if they need it. They can pull it from the entity. I don't know if six years is a specific reason for six years, you can change that I suppose. But yes, to answer your question, it would potentially contain brokered information that a consumer would not want to be breached.
[Jonathan Cooper (Member)]: Okay. If in if audits by independent third parties are, like, a standard known thing of, well, here's what it will include. That would be good for us to know. Or if it is if each independent third party will perform its according to its own specifications or, you know, customary activities, that I'm just curious about how that's if that's just as at risk as anything else or not.
[Michael Marcotte (Chair)]: Thank you.
[Rick Siegel (Office of Legislative Counsel)]: Yeah, I mean, the audit, there's not a lot of language on the audit. So if you wanna beef up the audit, that's something we can talk about because it's basically that, like I said, you undergo an audit for compliance with the section. It's a very, pretty detailed section, but it's not really, you're not giving the auditor much to go on here. Or how report should look and what information should or should not be in the report. If you want to be more prescriptive, I would suggest that you do so in statute. Otherwise, it's really up to the independent third party to determine what should be compliance and what's not.
[Unknown Member]: Cool. So A data broker gets notification, know, saying we have a button on the website, and they get a notification they have to remove data for the person. If that data broker is one that is maintaining criminal records, would that include the removal of that?
[Rick Siegel (Office of Legislative Counsel)]: Well, that would be publicly available information, I would think.
[Unknown Member]: But it's accessed through the data broker. Right. So therefore
[Rick Siegel (Office of Legislative Counsel)]: And probably required by law to maintain that information. So if it's information that the data program must keep by law, in the statute, it says you don't have to delete that. I don't know the laws on criminal information, what is required to be kept online and what's not. But I would imagine a lot
[Unknown Member]: of that is required by state and federal law to keep the criminal records. Well, suspect that if it's a data broker that's specifically designed to pull data for organizations. They don't maintain the actual records. I mean, a state would breach a claim. But they would have the pingable option. You could ping them for it and then they would say, Oh yeah, there's criminal records. We can grab one.
[Rick Siegel (Office of Legislative Counsel)]: It's like a background check situation. I can't respond to the technical aspects of that. I can tell you that there's a couple of exceptions, and one of the exceptions is required by law, but that may not cover what you're concerned about. I don't know. It may be helpful to get a witness in here that could be more illustrative of what that process looks like and what they would say based on the language. Like, do we think this language prevents that or does not? That's what
[Michael Marcotte (Chair)]: I can say about it. So it's not just deleting, but if in as far as the law goes, they can't delete it, but is there not would they still have the ability to share it?
[Rick Siegel (Office of Legislative Counsel)]: Through this deletion mechanism, if a consumer request data be deleted, you know, One of the explicit If you look at page 28, you delete all the information at least once every forty five days. Yeah, do not sell or share new broker information. Delete and not just delete, but also not sell or share. So that's in there.
[Michael Marcotte (Chair)]: Or you could still have the information that's covered under law that you can't, right, beat it, but Right. Can't sell or share. Right. Right.
[Unknown Member]: What would be the likelihood of putting their ability to put in an exception for organizations that are regulated by DFR, some other federally federal agency.
[Rick Siegel (Office of Legislative Counsel)]: We make exceptions all the time. So you would just wanna talk about what that what you wanna exclude, and we make sure the bill includes that and make as clear as you can. Because except those become very important, right, as are definitions. And you wanna make sure that if you all agree, a majority of you agree on something, that you wanna make that explicitly clear what you're trying to exclude. So, we can't answer your question.
[Unknown Member]: Just for clarity, what I'm talking about is for organizations that are regulated by DFR or some sort of financial organization on the federal level, we'll be able to access the data in those data brokers. I'm very front facing websites that an individual can go on and just pull the information. I 100% am okay and on board with, you should not have access to that if somebody doesn't want it. It's those transactions that are happening on like the Bank of America from insurance companies, those kind of things are very touching.
[Unknown Member]: I could just add to that. I see your point, and I agree with that. I mean, we take I was looking at the I think it's a series 69 or something like that where it was talking about stocks versus banking and insurance. And they specifically carve out banking insurance because you're already regulated. So, I think what he's looking for is, we say in this, if you are already regulated by some other organization, these rules do not apply. Let's take the sex offender registry, for example. I mean, I'm going to use that because if a sex offender says, well, I want my name expunged, is that going to make a person who they may be moving in next to Is it going to make it a lot harder for them to find out if that's the case? Maybe they have small children or something like that. And we certainly don't want to do that. And I don't want them to go on a website to see if this person moving in is a sex offender and to say, oh, yeah, we're sorry, we can't tell you that. That means it's been deleted. Now, maybe it's on the state site, but now we put the Otis on this parent who's concerned about their children to go and find that information. And we're making it a lot harder for them to do that.
[Unknown Member]: Think that's covered under public records, and that we can't request deletion of a public record, but we can get more information.
[Unknown Member]: I would agree, but I
[Rick Siegel (Office of Legislative Counsel)]: can't begin to say a 100% for sure, but that, you know, I I think the the that's not the intent of the bill, but, certainly, we need to make sure that that's what the committee wants that, you know
[Unknown Member]: Right. Yeah. I know that's not the intent, but I think it's important that we make that very clear in this bill. Question is.
[Michael Marcotte (Chair)]: One question for you, Richard. Yep. President has signed an executive order in the states to regulate AI. Can can he can he actually do that? Does it stop us from putting laws in? So this
[Rick Siegel (Office of Legislative Counsel)]: bill would not be affected. Right? Are you asking this kind of separately? Yeah. So I looked at the order. It's been a few weeks. I looked at it when it was when it was signed. If it were upheld as a constitutional use of authority, then yes, because it clearly preempts the state's use of AI. And you have to go through this bureaucratic process to have your AI approved by some counsel that the White House is setting up. But my legal analysis would show that it's probably not a constitutional use of his authority. Because the president has the authority to enforce federal law. That's the executive order power. There is no federal law regulating AI. There's not one federal law that addresses AI or data privacy. So to me, it's like, are you enforcing? Are you enforcing the right of the federal government to preempt state law? That's not really a thing. You have to have a federal law that it that so, again, I I'm not the authority on it, but my advice to you and other committees is is you shouldn't stop what you're doing just because of an executive order that's not been adjudicated yet. And it will it will be. I assume there are lawsuits already filed.
[Unknown Member]: So it doesn't preclude us from doing work on those bills and making testimony. Maybe it just stays on the wall until they figure this out. Right.
[Rick Siegel (Office of Legislative Counsel)]: Now enforcing that, if do pass a law sorry. If you do pass a law and you enact it and whatever, I think that executive order talks about penalties if you do it. And that's something to talk about, but you're not there.
[Unknown Member]: Yeah. That's my advice. Do
[Rick Siegel (Office of Legislative Counsel)]: you want a more in-depth because I would need to prepare for I can do a walk through of the executive order. Would just need time to prepare for that.
[Monique Priestley (Clerk)]: I'm also happy to there there's a webinar tomorrow on hosting, but there's also I'll also through future copies, organizing a EO kind of thing, I'm happy to, like, line up witnesses if you want, just for a couple to, like, go over it and support with Rick, if that helps.
[Rick Siegel (Office of Legislative Counsel)]: I'm doing the NCSL thing as well. Yeah. Yeah.
[Michael Marcotte (Chair)]: I think it would be helpful for us to understand and start delving into the realm of AI this year, but we wanna make sure we're not preemptive. Thank you, Rick.
[Rick Siegel (Office of Legislative Counsel)]: Thank you. Yeah. Good to hear that.
[Unknown Member]: Why
[Michael Marcotte (Chair)]: don't we take Ken to a break and come back to
[Rick Siegel (Office of Legislative Counsel)]: his