Terms/Definitions
- “Advertising and marketing,” “advertisement”
CA – “Advertising and marketing” means a communication by a business or a person acting on the business’ behalf in any medium intended to induce a consumer to obtain goods, services, or employment.
- "Affiliate"
CO – “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity. As used in this subsection, "control" means (a) ownership of, or power to vote 25% or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more persons; (b) control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of individuals exercising similar functions; or (c) the power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity as determined by the applicable prudential regulator, as that term is defined in 12 U.S.C. §5481(24), if any.
CT, FL, IN, IA, MT, TN, TX, UT, VA (substantially similar) – "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity or shares common branding with another legal entity. For the purposes of this definition, "control" or "controlled" means (i) ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a company; (ii) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or (iii) the power to exercise controlling influence over the management of a company.
OR – “Affiliate” means a person that, directly or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person such that: (a) The person owns or has the power to vote more than 50% of the outstanding shares of any voting class of the other person’s securities; (b) The person has the power to elect or influence the election of a majority of the directors, members or managers of the other person; (c) The person has the power to direct the management of another person; or (d) The person is subject to another person’s exercise of the powers described in paragraph (a), (b) or (c) of this subsection.
- "Aggregate consumer information,” “aggregate data,” “aggregated data”
CA – "Aggregate consumer information" means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. "Aggregate consumer information" does not mean one or more individual consumer records that have been deidentified.
FL – “Aggregate consumer information” means information that relates to a group or category of consumers, from which the identity of an individual consumer has been removed and is not reasonably capable of being directly or indirectly associated or linked with any consumer, household, or device. The term does not include information about a group or category of consumers used to facilitate targeted advertising or the display of ads online. The term does not include personal information that has been deidentified.
IN, IA, UT – “Aggregate data” means information that relates to a group or category of consumers from which individual consumer identities have been removed; and that is not linked or reasonably linkable to any consumer.
- "Authenticate"
CO, CT, FL, IN, IA, MT, OR, TN, TX, UT, VA (substantially similar) – "Authenticate" means to use reasonable means to determine that a request to exercise any of the rights [as specified] is being made by or on behalf of the consumer who is entitled to exercise the rights.
- “Biometric data,” “biometric information”
CT, FL, IN, IA, MT, TN, TX, UT, VA (substantially similar) – "Biometric data" means data that is generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, voiceprint, images of the retina or iris, or other unique biological patterns or characteristics; and is used to identify a specific individual. The term does not include a physical or digital photograph, or data generated from a physical or digital photograph; a video or audio recording or data generated from a video or audio recording; or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.
CA – "Biometric information" means an individual's physiological, biological, or behavioral characteristics, including information pertaining to an individual's deoxyribonucleic acid (DNA), that is used or intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
OR – “Biometric data” means personal data generated by automatic measurements of a consumer’s biological characteristics, such as the consumer’s fingerprint, voiceprint, retinal pattern, iris pattern, gait or other unique biological characteristics that allow or confirm the unique identification of the consumer. “Biometric data” does not include: (a) A photograph recorded digitally or otherwise; (b) An audio or video recording; (c) Data from a photograph or from an audio or video recording, unless the data were generated for the purpose of identifying a specific consumer or were used to identify a particular consumer; or (d) Facial mapping or facial geometry, unless the facial mapping or facial geometry was generated for the purpose of identifying a specific consumer or was used to identify a specific consumer.
- “Business”
CA – “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers’ personal information or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the state, and that satisfies one or more of the following thresholds: (A) As of Jan. 1 of the calendar year, had annual gross revenues in excess of $25 million in the preceding calendar year, as adjusted [to reflect any increase in the Consumer Price Index]. (B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households. (C) Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
(2) Any entity that controls or is controlled by a business as defined and that shares common branding with the business and with whom the business shares consumers' personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark that the average consumer would understand that two or more entities are commonly owned.
(3) A joint venture or partnership composed of businesses in which each business has at least a 40% interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.
(4) A person who does business in California who is not covered by paragraphs (1), (2), or (3) and that voluntarily certifies to the California Privacy Protection Agency that it is in compliance with, and agrees to be bound by, this title.
- “Business associate"
CO, FL, IN, OR, TN, TX, UT, VA (substantially similar) – "Business associate" has the same meaning as in HIPAA [45 CFR 160.103].
- "Business purpose"
CA – "Business purposes" means the use of personal information for the business' operational purposes, or other notified purposes, or for the service provider or contractor’s operational purposes, as defined by regulations; provided, that the use of personal information shall be reasonably necessary and proportionate to achieve the purpose for which the personal information was collected or processed or for another purpose that is compatible with the context in which the personal information was collected. Business purposes are:
- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions and auditing compliance with this specification and other standards.
- Helping to ensure security and integrity to the extent the use of the consumer's personal information is reasonably necessary and proportionate for these purposes.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term transient use, including but not limited to non-personalized advertising shown as part of a consumer's current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business.
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer, provided that for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
- "Child"
CO, CT, IN, IA, MT, OR, TN, TX, UT, VA – "Child" means an individual [natural person] under 13 years of age [as provided in COPPA].
FL – “Child” means an individual younger than 18 years of age.
- “Collects,” “collected,” “collection”
CA – "Collects," "collected," or "collection" means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior.
- “Commercial purposes”
CA – “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.
- “Consent"
CA – “Consent” means any freely given, specific, informed, and unambiguous indication of the consumer’s wishes by which the consumer, or the consumer’s legal guardian, a person who has power of attorney, or a person acting as a conservator for the consumer, including by a statement or by a clear affirmative action, signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose. Acceptance of a general or broad terms of use, or similar document, that contains descriptions of personal information processing along with other, unrelated information, does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Likewise, agreement obtained through use of dark patterns does not constitute consent.
CO, CT, FL, MT, TX (substantially similar) – "Consent" means a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following does not constitute consent:
(a) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information.
(b) Hovering over, muting, pausing, or closing a given piece of content.
(c) Agreement obtained through dark patterns.
IN, IA, TN, VA (substantially similar) – "Consent" means a clear affirmative act that signifies a consumer's freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer. For purposes of this section, a "clear affirmative act" includes a written statement, including a statement written by electronic means, or any other unambiguous affirmative action.
OR – “Consent” means an affirmative act by means of which a consumer clearly and conspicuously communicates the consumer’s freely given, specific, informed and unambiguous assent to another person’s act or practice under the following conditions: (a) The user interface by means of which the consumer performs the act does not have any mechanism that has the purpose or substantial effect of obtaining consent by obscuring, subverting or impairing the consumer’s autonomy, decision-making or choice; and (b) The consumer’s inaction does not constitute consent.
UT – “Consent” means an affirmative act by a consumer that unambiguously indicates the consumer’s voluntary and informed agreement to allow a person to process personal data related to the consumer.
- “Consumer”
CA – “Consumer” means a natural person who is a California resident as defined in section 17014 of Title 18 of the California Code of Regulations, as that section read on Sept. 1, 2017, however identified, including by any unique identifier.
CO, IN, IA, OR, UT, VA (substantially similar) – "Consumer" (a) means an individual who is a [state] resident acting only in an individual or household context; and (b) does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context.
FL, TX – “Consumer" means an individual who is a resident of [FL – or is domiciled in] this state acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
CT, MT – "Consumer" means an individual who is a resident of this state. "Consumer" does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.
TN – “Consumer” means a natural person who is a resident of this state acting only in a personal context.
- “Contractor”
CA – “Contractor” means a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business, provided that the contract:
(A) Prohibits the contractor from: (i) Selling or sharing the personal information. (ii) Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted by this title. (iii) Retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business. (iv) Combining the personal information that the contractor receives pursuant to a written contract with the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the contractor may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of section 1798.185, except as provided for in paragraph (6) of subdivision (e) and in regulations adopted by the California Privacy Protection Agency.
(B) Includes a certification made by the contractor that the contractor understands the restrictions in subparagraph (A) and will comply with them.
(C) Permits, subject to agreement with the contractor, the business to monitor the contractor’s compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.
If a contractor engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor engages another person to assist in processing personal information for that business purpose, it shall notify the business of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).
- "Controller”
CO, CT, IN, IA, MT, OR, TN, TX, UT, VA (substantially similar) – "Controller" means a person [individual or legal entity] that, alone or jointly with others, determines the purposes for and means of processing personal data.
FL – “Controller” means:
(a) A sole proprietorship, partnership, limited liability company, corporation, association, or legal entity that meets the following requirements:
- Is organized or operated for the profit or financial benefit of its shareholders or owners.
- Conducts business in this state.
- Collects personal data about consumers, or is the entity on behalf of which such information is collected.
- Determines the purposes and means of processing personal data about consumers alone or jointly with others.
- Makes in excess of $1 billion in global gross annual revenues.
- Satisfies at least one of the following: a. Derives 50% or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online; b. Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation. For purposes of this sub-subparagraph, a consumer smart speaker and voice command component service does not include a motor vehicle or speaker or device associated with or connected to a vehicle which is operated by a motor vehicle manufacturer or a subsidiary or affiliate thereof; or c. Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.
(b) Any entity that controls or is controlled by a controller. As used in this paragraph, the term “control” means: 1. Ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of a controller; 2. Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or 3. The power to exercise a controlling influence over the management of a company.
- "Covered entity"
CO, CT, FL, IN, IA, OR, TN, TX, UT, VA (substantially similar) – "Covered entity" has the meaning established in HIPAA [45 CFR 160.103].
- “Cross-context behavioral advertising”
CA – “Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
- “Dark pattern”
CA, CO, CT, FL, MT, TX (substantially similar) – “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, as further defined by regulation [CT, FL, TX – includes, but is not limited to, any practice the Federal Trade Commission refers to as a “dark pattern”].
- "Decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer"
CO, CT, FL, IN, MT, OR, TX, VA (substantially similar) – “Decisions [CT, IN, TX – made by the controller] that produce legal or similarly significant effects concerning a consumer" means a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services [FL, MT, TX, VA – such as food and water].
- "Deidentified data," “deidentified,” “deidentified information”
CA, CO, CT, IN, UT, MT, VA (substantially similar) – “Deidentified” means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer provided that the business that possesses the information:
- Takes reasonable measures to ensure that the information cannot be associated with a consumer or household [MT – individual].
- Publicly commits to maintain and use the information in deidentified form [MT – only] and not to attempt to reidentify the information, [CA, CO, CT, IN, UT, VA – except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subdivision.]
- Contractually obligates any recipients of the information to comply with all provisions of this subdivision.
IA, TN – “De-identified data” means data that cannot reasonably be linked to an identified or identifiable natural person.
FL, TX – "Deidentified data" means data that cannot reasonably be linked to an identified or identifiable individual, or a device linked to that individual.
OR – “Deidentified data” means data that:
(a) Cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or to a device that identifies, is linked to or is reasonably linkable to a consumer; or
(b) Is: (A) Derived from patient information that was originally created, collected, transmitted or maintained by an entity subject to regulation under the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, as in effect on the effective date of this 2023 Act, or the Federal Policy for the Protection of Human Subjects, codified as 45 C.F.R. part 46 and in various other federal regulations, as codified in various sections of the Code of Federal Regulations and as in effect on the effective date of this 2023 Act; and (B) Deidentified as provided in 45 C.F.R. 164.514, as in effect on the effective date of this 2023 Act.
- “Designated methods for submitting requests”
CA – “Designated methods for submitting requests” means a mailing address, email address, internet web page, internet web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the attorney general pursuant to section 1798.185.
- “Device”
CA – "Device" means any physical object that is capable of connecting to the internet, directly or indirectly, or to another device.
OR – “Device” means electronic equipment designed for a consumer’s use that can transmit or receive personal data.
- “Governmental entity”
UT – “Governmental entity" means the same as that term is defined in section 63G-2-103. [(a) "Governmental entity" means: (i) executive department agencies of the state, the offices of the governor, lieutenant governor, state auditor, attorney general, and state treasurer, the Board of Pardons and Parole, the Board of Examiners, the National Guard, the Career Service Review Office, the State Board of Education, the Utah Board of Higher Education, and the State Archives; (ii) the Office of the Legislative Auditor General, Office of the Legislative Fiscal Analyst, Office of Legislative Research and General Counsel, the Legislature, and legislative committees, except any political party, group, caucus, or rules or sifting committee of the Legislature; (iii) courts, the Judicial Council, the Administrative Office of the Courts, and similar administrative units in the judicial branch; (iv) any state-funded institution of higher education or public education; or (v) any political subdivision of the state, but, if a political subdivision has adopted an ordinance or a policy relating to information practices pursuant to section 63G-2-701, this chapter shall apply to the political subdivision to the extent specified in section 63G-2-701 or as specified in any other section of this chapter that specifically refers to political subdivisions. 
(b) “Governmental entity" also means: (i) every office, agency, board, bureau, committee, department, advisory board, or commission of an entity listed in subsection (11)(a) that is funded or established by the government to carry out the public's business; (ii) as defined in section 11-13-103, an interlocal entity or joint or cooperative undertaking; (iii) as defined in section 11-13a-102, a governmental nonprofit corporation; (iv) an association as defined in section 53G-7-1101; (v) the Utah Independent Redistricting Commission; and (vi) a law enforcement agency, as defined in section 53-1-102, that employs one or more law enforcement officers, as defined in section 53-13-103. (c) "Governmental entity" does not include the Utah Educational Savings Plan created in section 53B-8a-103.]
- “Health care facility”
CO – "Health care facility” means any entity that is licensed, certified, or otherwise authorized or permitted by law to administer medical treatment in this state.
UT – “Health care facility” means the same as that term is defined in section 26B-2-201. [“Health care facility” means general acute hospitals, specialty hospitals, home health agencies, hospices, nursing care facilities, residential-assisted living facilities, birthing centers, ambulatory surgical facilities, small health care facilities, abortion clinics, facilities owned or operated by health maintenance organizations, end stage renal disease facilities, and any other health care facility which the committee designates by rule. “Health care facility” does not include the offices of private physicians or dentists, whether for individual or group practice, except that it does include an abortion clinic.]
- "Health care information"
CO – "Health care information" means individually identifiable information relating to the past, present, or future health status of an individual.
- "Health care provider"
CO – “Health care provider” means a person licensed, certified, or registered in this state to practice medicine, pharmacy, chiropractic, nursing, physical therapy, podiatry, dentistry, optometry, occupational therapy, or other healing arts under title 12.
FL, TX – "Health care provider" has the meaning assigned to the term by the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
IN – "Health care provider" has the meaning set forth in IC 4-6-14-2.
IA – “Health care provider” means any of the following: a. A general hospital, ambulatory surgical or treatment center, skilled nursing center, or assisted living center licensed or certified by the state. b. A psychiatric hospital licensed by the state. c. A hospital operated by the state. d. A hospital operated by the state board of regents. e. A person licensed to practice medicine or osteopathy in the state. f. A person licensed to furnish health care policies or plans in the state. g. A person licensed to practice dentistry in the state. h. “Health care provider” does not include a continuing care retirement community or any nursing facility of a religious body which depends upon prayer alone for healing.
UT – “Health care provider” means the same as that term is defined in section 78B-3-403. [“Health care provider” includes any person, partnership, association, corporation, or other facility or institution who causes to be rendered or who renders health care or professional services as a hospital, health care facility, physician, physician assistant, registered nurse, licensed practical nurse, nurse-midwife, licensed direct-entry midwife, dentist, dental hygienist, optometrist, clinical laboratory technologist, pharmacist, physical therapist, physical therapist assistant, podiatric physician, psychologist, chiropractic physician, naturopathic physician, osteopathic physician, osteopathic physician and surgeon, audiologist, speech-language pathologist, clinical social worker, certified social worker, social service worker, marriage and family counselor, practitioner of obstetrics, licensed athletic trainer, or others rendering similar care and services relating to or arising out of the health needs of persons or groups of persons and officers, employees, or agents of any of the above acting in the course and scope of their employment.]
VA – “Health care provider” means the same as that term is defined in §32.1-276.3.
- “Health record”
FL, TN, TX (substantially similar) – “Health record”: (A) Means a written, printed, or electronically recorded material that: (i) Was created or is maintained by a healthcare entity described in or licensed under [state law] in the course of providing healthcare services to an individual; and (ii) Concerns the individual and the services provided; and (B) Includes the substance of a communication made by an individual to a healthcare entity described in or licensed under [state law] in confidence during or in connection with the provision of healthcare services or information otherwise acquired by the healthcare entity about an individual in confidence and in connection with the provision of healthcare services to the individual.
IN – “Health record" has the meaning set forth in IC 1-1-4-5(a)(6). [“Health record”, “hospital record”, or “medical record” means written or printed information possessed by a provider (as defined in IC 16-18-2-295) concerning any diagnosis, treatment, or prognosis of the patient, unless otherwise defined. Except as otherwise provided, the terms include mental health records and drug and alcohol abuse records.]
IA – “Health record” means any written, printed, or electronically recorded material maintained by a health care provider in the course of providing health services to an individual concerning the individual and the services provided, including related health information provided in confidence to a health care provider.
VA – “Health record” means the same as that term is defined in §32.1-127.1:03. [“Health record” means any written, printed or electronically recorded material maintained by a health care entity in the course of providing health services to an individual concerning the individual and the services provided. “Health record” also includes the substance of any communication made by an individual to a health care entity in confidence during or in connection with the provision of health services or information otherwise acquired by the health care entity about an individual in confidence and in connection with the provision of health services to the individual.]
- “HIPAA”
CO, CT, IN, IA, TN, VA (substantially similar) – "HIPAA" means the federal "Health Insurance Portability and Accountability Act of 1996," as amended, 42 U.S.C. §§1320d to 1320d-9.
- “Homepage”
CA – "Homepage" means the introductory page of an internet website and any internet web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, a link within the application, such as from the application configuration, “About,” “Information,” or settings page, and any other location that allows consumers to review the notices required by this title, including, but not limited to, before downloading the application.
- “Household”
CA – “Household” means a group, however identified, of consumers who cohabitate with one another at the same residential address and share use of common devices or services.
- "Identified or identifiable individual” or “Identified or identifiable natural person"
CO – "Identified or identifiable individual person" means an individual who can be readily identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.
CT, FL, IN, IA, MT, TN, TX, UT, VA – "Identified or identifiable natural person" means a person [human being, an individual or consumer] who can be readily identified, directly or indirectly.
- “Infer,” “inference”
CA – "Infer" or "inference" means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.
- "Institution of higher education"
CT, MT – "Institution of higher education" means any individual who, or school, board, association, limited liability company or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.
IN – “Institution of higher education” means a public or private college or university.
IA – “Institution of higher education” means nonprofit private institutions of higher education and proprietary private institutions of higher education in the state, community colleges, and each associate-degree-granting and baccalaureate public institutions of higher education in the state.
TN, UT, VA (substantially similar) – “Institution of higher education” means a public or private institution of higher education.
TX – "Institution of higher education" means: (A) an institution of higher education as defined by Section 61.003, Education Code; or (B) a private or independent institution of higher education as defined by Section 61.003, Education Code.
- “Intentionally interacts”
CA – “Intentionally interacts” means when the consumer intends to interact with a person, or disclose personal information to a person, via one or more deliberate interactions, including visiting the person’s website or purchasing a good or service from the person. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a person.
- “Known child”
FL, TX – "Known child" means a child under circumstances where a controller has actual knowledge of, or willfully disregards, the child’s age.
- “Nonpersonalized advertising”
CA – “Nonpersonalized advertising” means advertising and marketing that is based solely on a consumer’s personal information derived from the consumer’s current interaction with the business with the exception of the consumer’s precise geolocation.
- “Nonprofit organization”
CT, IN, MT (substantially similar) – “Nonprofit organization” means any organization that is exempt from taxation under section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding internal revenue code of the United States, as amended from time to time.
FL – “Nonprofit organization” means any of the following: (a) An organization exempt from federal taxation under section 501(a) of the Internal Revenue Code of 1986 by virtue of being listed as an exempt organization under section 501(c)(3), section 501(c)(4), section 501(c)(6), or section 501(c)(12) of that code. (b) A political organization.
IA – “Nonprofit organization” means any corporation organized under chapter 504, any organization exempt from taxation under sections 501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any organization exempt from taxation under section 501(c)(4) of the Internal Revenue Code that is established to detect or prevent insurance-related crime or fraud, and any subsidiaries and affiliates of entities organized pursuant to chapter 499.
TN – “Nonprofit organization” means: (A) A corporation organized under the Tennessee Nonprofit Corporation Act, compiled in title 48, chapter 51; (B) An organization exempt from taxation under the Internal Revenue Code, codified in 26 U.S.C. §§ 501–530; (C) A public utility organized under the laws of this state; or (D) An entity owned or controlled by a nonprofit organization.
TX – "Nonprofit organization" means: (A) a corporation organized under Chapters 20 and 22, Business Organizations Code, and the provisions of Title 1, Business Organizations Code, to the extent applicable to nonprofit corporations; (B) an organization exempt from federal taxation under section 501(a), Internal Revenue Code of 1986, by being listed as an exempt organization under section 501(c)(3), 501(c)(6), 501(c)(12), or 501(c)(19) of that code; (C) a political organization; or (D) an organization that: (i) is exempt from federal taxation under section 501(a), Internal Revenue Code of 1986, by being listed as an exempt organization under section 501(c)(4) of that code; and (ii) is described by section 701.052(a), Insurance Code.
UT – “Nonprofit corporation” means: (a) the same as that term is defined in section 16-6a-102 [“Nonprofit corporation” or “domestic nonprofit corporation” means an entity that: (a) is not a foreign nonprofit corporation; and (b) is incorporated under or subject to this chapter.]; or (b) a foreign nonprofit corporation as defined in section 16-6a-102 [“Foreign nonprofit corporation” means an entity: (a) incorporated under a law other than the laws of this state; and (b) that would be a nonprofit corporation if formed under the laws of this state.].
VA – “Nonprofit organization” means any corporation organized under the Virginia Nonstock Corporation Act (§13.1-801 et seq.) or any organization exempt from taxation under §501(c)(3), 501(c)(6), or 501(c)(12) of the Internal Revenue Code, any political organization, any organization exempt from taxation under §501(c)(4) of the Internal Revenue Code that is identified in § 52-41, and any subsidiary or affiliate of entities organized pursuant to Chapter 9.1 (§56-231.15 et seq.) of Title 56.
- “Person”
CA – "Person" means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
- "Personal data," “personally identifiable information,” “personal information”
CA, TN (substantially similar) – “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
- Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
- Any personal information described in [state law]. [“Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.]
- Characteristics of protected classifications under state or federal law.
- Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
- Biometric information.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website application, or advertisement.
- Geolocation data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. §1232g; 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
- Sensitive personal information.
“Personal information” does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern. For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. “Personal information” does not include consumer information that is deidentified or aggregate consumer information.
CO, CT, IN, IA, MT, UT, VA (substantially similar) – "Personal data": (a) means information that is linked or reasonably linkable to an identified or identifiable individual [natural person]; and (b) does not include de-identified data or publicly available information. [CO – As used in this subsection (17)(b), "publicly available information" means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public.] [IN, UT – aggregate data].
FL, TX – "Personal data" means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.
OR – “Personal data” means data, derived data or any unique identifier that is linked to or is reasonably linkable to a consumer or to a device that identifies, is linked to or is reasonably linkable to one or more consumers in a household. “Personal data” does not include deidentified data or data that: (a) Is lawfully available through federal, state or local government records or through widely distributed media; or (b) A controller reasonably has understood to have been lawfully made available to the public by a consumer.
- “Political organization”
FL, TX, VA (substantially similar) – “Political organization” means a party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.
- “Postsecondary education institution”
FL – “Postsecondary education institution” means a Florida College System institution, state university, or nonpublic postsecondary education institution that receives state funds.
- “Precise geolocation,” “precise geolocation data,” “specific geolocation data”
CA – “Precise geolocation” means any data derived from a device and used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.
CT, FL, IN, IA, MT, TN, TX, UT, VA (substantially similar) – "Precise [specific] geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet. "Precise [specific] geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
- “Probabilistic identifier”
CA – "Probabilistic identifier" means the identification of a consumer or a consumer’s device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.
- "Process", "processing", “processing information”
CA – “Processing" means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not by automated means.
CO – “Process” or “processing” means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.
CT, FL, IN, IA, MT, OR, TN, TX, VA (substantially similar) – "Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.
UT – “Process” means an operation or set of operations performed on personal data, including collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
- "Processor"
CO, CT, FL, IN, IA, MT, OR, TN, TX, UT, VA (substantially similar) – "Processor" means a person [CT, MT – individual or legal entity] that processes personal data on behalf of a controller.
- "Profiling"
CA, CO – “Profiling” means any form of automated processing of personal information, [CA – as further defined by regulations pursuant to paragraph (16) of subdivision (a) of section 1798.185,] to evaluate certain personal aspects relating to a natural person and in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
CT, MT, OR, VA (substantially similar) – "Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
FL, IN, TN, TX (substantially similar) – “Profiling” means a form of solely automated processing performed on personal information [data] to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's [individual’s] economic situation, health or health records, personal preferences, interests, reliability, behavior, location, or movements.
- "Protected health information"
CO, CT, FL, IN, IA, MT, TN, TX, UT, VA – “Protected health information” means the same as the term is established by HIPAA [45 CFR 160.103].
- "Pseudonymous data," “pseudonymize,” “pseudonymization”
CO, CT, FL, IN, IA, MT, TN, TX, UT, VA (substantially similar) – "Pseudonymous data" means personal data [information] that can no longer be attributed to a specific individual [natural person] without the use of additional information if the additional information is kept separately and is subject to [FL, TX – appropriate] technical and organizational measures to ensure that the personal data are not attributed to a specific individual.
CA – “Pseudonymize” or “pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.
- “Publicly available information” and “publicly available”
CT – "Publicly available information" means information that (A) is lawfully made available through federal, state or municipal [local] government records or widely distributed media, and (B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.
FL, IN, IA, TN, TX, VA (substantially similar) – "Publicly available information" means information: (1) that is lawfully made available through federal, state, or local government records; or (2) that a business has a reasonable basis to believe is lawfully made available: (A) to the general public through widely distributed media; (B) by the consumer to whom the information pertains; or (C) by a person to whom the consumer has disclosed the information; unless the consumer has restricted the information to a specific audience.
MT – "Publicly available information" means information that (A) is lawfully made available through federal, state or municipal government records or widely distributed media, or (B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.
UT – “Publicly available information” means information that a person: (a) lawfully obtains from a record of a governmental entity; (b) reasonably believes a consumer or widely distributed media has lawfully made available to the general public; or (c) if the consumer has not restricted the information to a specific audience, obtains from a person to whom the consumer disclosed the information.
- “Research”
CA – “Research” means scientific analysis, systematic study, and observation, including basic research or applied research that is designed to develop or contribute to public or scientific knowledge and that adheres or otherwise conforms to all other applicable ethics and privacy laws, including, but not limited to, studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’ service or device for other purposes shall be:
- Compatible with the business purpose for which the personal information was collected.
- Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, by a business.
- Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain, other than as needed to support the research.
- Subject to business processes that specifically prohibit reidentification of the information, other than as needed to support the research.
- Made subject to business processes to prevent inadvertent release of deidentified information.
- Protected from any reidentification attempts.
- Used solely for research purposes that are compatible with the context in which the personal information was collected.
- Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals as are necessary to carry out the research purpose.
- “Right”
UT – “Right” means a consumer right described in section 13-61-201. [(1) A consumer has the right to: (a) confirm whether a controller is processing the consumer's personal data; and (b) access the consumer's personal data. (2) A consumer has the right to delete the consumer's personal data that the consumer provided to the controller. (3) A consumer has the right to obtain a copy of the consumer's personal data, that the consumer previously provided to the controller, in a format that: (a) to the extent technically feasible, is portable; (b) to the extent practicable, is readily usable; and (c) allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means. (4) A consumer has the right to opt out of the processing of the consumer's personal data for purposes of: (a) targeted advertising; or (b) the sale of personal data. (5) Nothing in this section requires a person to cause a breach of security system as defined in section 13-44-102.]
- “Sale,” “sell,” “sold,” “selling,” “sale of personal data”
CA – “Sell,” “selling,” “sale,” or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.
For purposes of this title, a business does not sell personal information when: (A) A consumer uses or directs the business to intentionally: (i) disclose personal information. (ii) interact with one or more third parties. (B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sale of the consumer’s personal information or limited the use of the consumer’s sensitive personal information. (C) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).
CO – “Sale,” “sell,” or “sold” means the exchange of personal data for monetary or other valuable consideration by a controller to a third party. "Sale," "sell," or "sold" does not include the following: (i) the disclosure of personal data to a processor that processes the personal data on behalf of a controller; (ii) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; (iii) the disclosure or transfer of personal data to an affiliate of the controller; (iv) the disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or (v) the disclosure of personal data: (A) that a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or (B) intentionally made available by a consumer to the general public via a channel of mass media.
UT – “Sale,” “sell,” or “sold” means the exchange of personal data for monetary consideration by a controller to a third party. “Sale,” “sell,” or “sold” does not include: (i) a controller's disclosure of personal data to a processor who processes the personal data on behalf of the controller; (ii) a controller's disclosure of personal data to an affiliate of the controller; (iii) considering the context in which the consumer provided the personal data to the controller, a controller's disclosure of personal data to a third party if the purpose is consistent with a consumer's reasonable expectations; (iv) the disclosure or transfer of personal data when a consumer directs a controller to: (A) disclose the personal data; or (B) interact with one or more third parties; (v) a consumer's disclosure of personal data to a third party for the purpose of providing a product or service requested by the consumer or a parent or legal guardian of a child; (vi) the disclosure of information that the consumer: (A) intentionally makes available to the general public via a channel of mass media; and (B) does not restrict to a specific audience; or (vii) a controller's transfer of personal data to a third party as an asset that is part of a proposed or actual merger, an acquisition, or a bankruptcy in which the third party assumes control of all or part of the controller's assets.
CT, MT, OR, TN, VA (substantially similar) – "Sale of personal data" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. "Sale of personal data" does not include (A) the disclosure of personal data to a processor that processes the personal data on behalf of the controller, (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer, (C) the disclosure or transfer of personal data to an affiliate of the controller, (D) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, (E) the disclosure of personal data that the consumer (i) intentionally made available to the general public via a channel of mass media, and (ii) did not restrict to a specific audience, or (F) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller's assets.
FL – “Sale of personal data” means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. The term does not include any of the following: (a) The disclosure of personal data to a processor who processes the personal data on the controller’s behalf. (b) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer. (c) The disclosure of information that the consumer: 1. Intentionally made available to the general public through a mass media channel; and 2. Did not restrict to a specific audience. (d) The disclosure or transfer of personal data to a third party as an asset that is part of a merger or an acquisition.
IN, IA – "Sale of personal data" means the exchange of personal data for monetary consideration by a controller to a third party. The term does not include: (1) the disclosure of personal data to a processor that processes the personal data on behalf of the controller; (2) the disclosure of personal data to a third party for purposes of providing a product or service requested by: (A) the consumer; or (B) the parent of a child; to whom the personal data pertains; (3) the disclosure or transfer of personal data to an affiliate of the controller; (4) the disclosure of information that the consumer: (A) intentionally made available to the general public via a channel of mass media; and (B) did not restrict to a specific audience; or (5) the disclosure or transfer of personal data to a third party as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
TX – "Sale of personal data" means the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. The term does not include: (A) the disclosure of personal data to a processor that processes the personal data on the controller’s behalf; (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; (C) the disclosure or transfer of personal data to an affiliate of the controller; (D) the disclosure of information that the consumer: (i) intentionally made available to the general public through a mass media channel; and (ii) did not restrict to a specific audience; or (E) the disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.
- “Search engine”
FL – “Search engine” means technology and systems that use algorithms to sift through and index vast third-party websites and content on the internet in response to search queries entered by a user. The term does not include the license of search functionality for the purpose of enabling the licensee to operate a third-party search engine service in circumstances where the licensee does not have legal or operational control of the search algorithm, the index from which results are generated, or the ranking order in which the results are provided.
- "Security or safety purpose," “security and integrity”
CA – “Security and integrity” means the ability of:
- Networks or information systems to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information.
- Businesses to detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions and to help prosecute those responsible for those actions.
- Businesses to ensure the physical safety of natural persons.
- "Sensitive data," “Sensitive personal information”
CA – "Sensitive personal information" means:
- Personal information that reveals: A consumer’s social security, driver’s license, state identification card or passport number. A consumer’s account log-in, financial account, debit card or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. A consumer’s precise geolocation. A consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership. The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication. A consumer’s genetic data.
- The processing of biometric information for the purpose of uniquely identifying a consumer. Personal information collected and analyzed concerning a consumer’s health. Personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.
- Sensitive personal information that is “publicly available” pursuant to paragraph (2) of subdivision (v) shall not be considered sensitive personal information or personal information. [For purposes of this paragraph, “publicly available” means: information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.]
CO, CT, FL, IN, IA, MT, TN, TX, VA (substantially similar) – “Sensitive data” means: (a) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status [IA – except to the extent such data is used in order to avoid discrimination on the basis of a protected class that would violate a federal or state anti-discrimination law]; (b) genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; or (c) personal data from a known child [CT, FL, IN, IA, MT, TN, TX, VA – (d) precise geolocation data].
OR – “Sensitive data” means personal data that: (a) Reveals a consumer’s racial or ethnic background, national origin, religious beliefs, mental or physical condition or diagnosis, sexual orientation, status as transgender or nonbinary, status as a victim of crime or citizenship or immigration status; (b) Is a child’s personal data; (c) Accurately identifies within a radius of 1,750 feet a consumer’s present or past location, or the present or past location of a device that links or is linkable to a consumer by means of technology that includes, but is not limited to, a global positioning system that provides latitude and longitude coordinates; or (d) Is genetic or biometric data. “Sensitive data” as defined in paragraph (c) of this subsection does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
UT – “Sensitive data” means: (i) personal data that reveals: (A) an individual's racial or ethnic origin; (B) an individual's religious beliefs; (C) an individual's sexual orientation; (D) an individual's citizenship or immigration status; or (E) information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; (ii) the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or (iii) specific geolocation data. “Sensitive data” does not include personal data that reveals an individual's: (i) racial or ethnic origin, if the personal data are processed by a video communication service; or (ii) if the personal data are processed by a person licensed to provide health care under Title 26B, Chapter 2, Part 2, Health Care Facility Licensing and Inspection, or Title 58, Occupations and Professions, information regarding an individual's medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional.
- “Service,” “services”
CA – "Service" or "services" means work, labor, and services, including services furnished in connection with the sale or repair of goods.
- “Service provider”
CA – (1) “Service provider” means a person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the person from:
- Selling or sharing the personal information.
- Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract for the business, including retaining, using or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract with the business, or as otherwise permitted by this title.
- Retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business.
- Combining the personal information that the service provider receives from, or on behalf of, the business with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that the service provider may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of section 1798.185, except as provided for in paragraph (6) of subdivision (e) of this section and in regulations adopted by the California Privacy Protection Agency. The contract may, subject to agreement with the service provider, permit the business to monitor the service provider’s compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.
(2) If a service provider engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the service provider engages another person to assist in processing personal information for that business purpose, it shall notify the business of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).
- “Share,” “shared,” “sharing”
CA – “Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
For purposes of this title, a business does not share personal information when:
- A consumer uses or directs the business to intentionally disclose personal information or intentionally interact with one or more third parties.
- The business uses or shares an identifier for a consumer who has opted out of the sharing of the consumer’s personal information or limited the use of the consumer’s sensitive personal information for the purposes of alerting persons that the consumer has opted out of the sharing of the consumer’s personal information or limited the use of the consumer’s sensitive personal information.
- The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with this title. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this title. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with section 17200) of Part 2 of Division 7 of the Business and Professions Code).
- “State agency”
FL – “State agency” means any department, commission, board, office, council, authority, or other agency in the executive branch of state government created by the State Constitution or state law. The term includes a postsecondary education institution.
IN – “State agency” has the meaning set forth in IC 1-1-15-3. [“State agency” means an authority, board, branch, commission, committee, department, division, or other instrumentality of any of the following: (1) The executive, including the administrative department of state government. (2) The legislative department of state government. (3) The judicial department of state government. (4) A state educational institution. (5) A body corporate and politic created by statute.]
IA – “State agency” means the same as defined in 129 IAC 10.2(8B). [“Agency” or “state agency” means a unit of state government, which is an authority, board, commission, committee, council, department, examining board, or independent agency as defined in Iowa Code section 7E.4, including but not limited to each principal central department enumerated in Iowa Code section 7E.5. However, “agency” or “state agency” does not mean any of the following: 1. The office of the governor or the office of an elective constitutional or statutory officer. 2. The general assembly, or any office or unit under its administrative authority. 3. The judicial branch, as provided in Iowa Code section 602.1102. 4. A political subdivision of the state or its offices or units, including but not limited to a county, city, or community college.]
TN – “State agency” means an agency, institution, board, bureau, commission, council, or instrumentality of state government in the executive branch.
TX – "State agency" means a department, commission, board, office, council, authority, or other agency in any branch of state government that is created by the constitution or a statute of this state, including a university system or institution of higher education as defined by section 61.003, Education Code.
VA – “State agency” means the same as that term is defined in §2.2-307. [“State agency” means any agency, institution, board, bureau, commission, council, or instrumentality of state government in the executive branch listed in the appropriation act. “State agency” also includes any local department of social services.]
- "Targeted advertising," “targeted content and advertising”
CO, CT, IN, IA, MT, OR, TN, TX, UT, VA (substantially similar) – "Targeted advertising" means displaying to a consumer an advertisement that is selected based on personal data obtained [CO, MT – or inferred over time] from the consumer's activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests; and does not include:
- Advertising to a consumer in response to the consumer's request for information [UT – product, a service,] or feedback.
- Advertisements based on activities within a controller's own websites or online applications.
- Advertisements based on the context of a consumer's current search query, visit to a website, or online application.
- Processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
FL – “Targeted advertising” means displaying to a consumer an advertisement selected based on personal data obtained from that consumer’s activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer’s preferences or interests. The term does not include an advertisement that is: (a) Based on the context of a consumer’s current search query on the controller’s own website or online application; or (b) Directed to a consumer search query on the controller’s own website or online application in response to the consumer’s request for information or feedback.
- "Third party"
CO, CT, FL, IN, IA, MT, VA (substantially similar) – “Third party” means a [IA, TN, VA – natural or legal] person [MT – an individual or legal entity], public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller.
CA – "Third party" means a person who is not any of the following: (1) The business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer's current interaction with the business under this title; (2) A service provider to the business; or (3) A contractor.
OR – “Third party” means a person, a public corporation, including the Oregon Health and Science University and the Oregon State Bar, or a public body, as defined in ORS 174.109, other than a consumer, a controller, a processor or an affiliate of a controller or processor.
TX – "Third party" means a person, other than the consumer, the controller, the processor, or an affiliate of the controller or processor.
- “Trade secret”
CT, IN, IA, TN, UT – “Trade secret” has the same meaning as provided in statute. [“Trade secret” means information, including a formula, pattern, compilation, program, device, method, technique, or process, [CT – drawing, cost data or customer list] that: (1) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and (2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.]
FL – “Trade secret” has the same meaning as in section 812.081. “Trade secret” means the whole or any portion or phase of any formula, pattern, device, combination of devices, or compilation of information which is for use, or is used, in the operation of a business and which provides the business an advantage, or an opportunity to obtain an advantage, over those who do not know or use it. The term includes any scientific, technical, or commercial information, including financial information, and includes any design, process, procedure, list of suppliers, list of customers, business code, or improvement thereof, whether tangible or intangible, and regardless of whether or how it is stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing. Irrespective of novelty, invention, patentability, the state of the prior art, and the level of skill in the business, art, or field to which the subject matter pertains, a trade secret is considered to be: 1. Secret; 2. Of value; 3. For use or in use by the business; and 4. Of advantage to the business, or providing an opportunity to obtain an advantage, over those who do not know or use it, when the owner thereof takes measures to prevent it from becoming available to persons other than those selected by the owner to have access thereto for limited purposes.
TX – "Trade secret" means all forms and types of information, including business, scientific, technical, economic, or engineering information, and any formula, design, prototype, pattern, plan, compilation, program device, program, code, device, method, technique, process, procedure, financial data, or list of actual or potential customers or suppliers, whether tangible or intangible and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if: (A) the owner of the trade secret has taken reasonable measures under the circumstances to keep the information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.
- “Unique identifier,” “Unique personal identifier”
CA – “Unique identifier” or “unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device that is linked to a consumer or family. For purposes of this subdivision, “family” means a custodial parent or guardian and any children under 18 years of age over which the parent or guardian has custody.
- “Verified request,” “verifiable consumer request,” “verifiable request”
CA – "Verifiable consumer request" means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, or by a person who has power of attorney or is acting as a conservator for the consumer, and that the business can verify, using commercially reasonable methods, pursuant to regulations adopted by the attorney general pursuant to paragraph (7) of subdivision (a) of section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to sections 1798.110 and 1798.115, to delete personal information pursuant to section 1798.105, or to correct inaccurate personal information pursuant to section 1798.106, if the business cannot verify, pursuant to this subdivision and regulations adopted by the attorney general pursuant to paragraph (7) of subdivision (a) of section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.
- “Voice recognition feature”
FL – “Voice recognition feature” means the function of a device which enables the collection, recording, storage, analysis, transmission, interpretation, or other use of spoken words or other sounds.