
Code · BILL · 116th Congress · S. 3456 (Introduced in Senate) — To protect the privacy of consumers. · Sec. 4

Sec. 4. Right to know


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

A covered entity shall make publicly available, in a clear and prominent location and in easy-to-understand language, a privacy policy that includes—

- a clear and specific description of the entity's policies and practices with respect to personal data;
- a clear and specific description of the rights of individuals with respect to their personal data (including the rights described in section 5) and information on how to exercise those rights; and
- the information described in subsection (c).

A covered entity shall make publicly available any previous version of a privacy policy required under subsection (a).

A privacy policy required under subsection (a) shall include—

- the identity and the contact details of the covered entity, including, where applicable, the representative of the covered entity for purposes of privacy inquiries or its privacy officer;
- a clear description of each category of personal data collected by the covered entity and the purposes for which each such category is collected and processed;
- a clear description of any relevant retention periods (if possible) and any criteria and other information with respect to the deletion or de-identification of personal data collected and processed by the covered entity;
- whether, and for what purposes, the covered entity discloses personal data to third parties, each category of personal data disclosed to third parties, and the types of third parties to which those categories of personal data are disclosed;
- whether, and for what purposes, the covered entity receives personal data from third parties, the categories of personal data received from third parties, and the types of third parties from which the covered entity receives personal data;
- a clear description of the process by which the covered entity informs individuals of material changes to its policies and practices with respect to its collection and processing of personal data;
- the specific steps an individual may take to minimize the collection or processing by the covered entity of the individual's personal data, and the relevant implications to the individual from minimizing such collection or processing; and
- the effective date of the privacy policy.

A covered entity shall not be required to make available a privacy policy under this subsection with respect to the collection or processing of personal data that is reasonably necessary and limited to—

- an in-person transaction where the personal data is not processed for further purposes incompatible with that transaction;
- comply a Federal, State, or local law or another applicable legal requirement, including a subpoena, summons, or other properly executed compulsory process;
- prevent imminent danger to the personal safety of any individual; or
- protect the rights or data security of the covered entity, a service provider of the covered entity, or any individual, including to investigate a possible crime or to protect against security threats, abuse, fraud, theft, unauthorized transactions, or any other unlawful activity.

A covered entity, upon any material change to the privacy policy of the covered entity or a material change to the privacy policy of a service provider that is made at the direction of the covered entity—

- shall notify each individual whose personal data is collected or processed by the covered entity, or a service provider on behalf of the covered entity, with a description of the material change, including—
  - change to the categories of personal data the covered entity or service provider processes;
  - change to the purposes for which the covered entity or service provider processes personal data;
  - change to the manner in which the covered entity or service provider discloses personal data to third parties; and
  - which, if any, changes are retroactive; and
- shall not process (or, in the case of a material change to the privacy policy of a service provider that is directed by the covered entity, shall not direct the service provider to process) any sensitive personal data of an individual that was collected by the covered entity or service provider before the effective date of the material change in a manner that is inconsistent with the privacy policy that was applicable at the time such data was collected until the individual provides express affirmative consent to such processing.

A covered entity shall, if operationally and technically feasible, directly provide the notice of a material change required under paragraph (1)(A) to each affected individual, taking into account available technology and the nature of the relationship between the covered entity and the individual.

Where directly providing the notice of a material change required under paragraph (1)(A) to each affected individual is impossible or demonstrably impracticable, a covered entity—

- shall publish the notice in a reasonably prominent location; and
- shall not process personal data that was collected by the covered entity before the effective date of the material change in a manner that is inconsistent with the privacy policy that was applicable at the time such data was collected until after the notice has been so published for a period of time that is reasonably sufficient to give affected individuals the opportunity to exercise their rights with respect to their personal data.