1. This chapter applies to a person conducting business in the state or producing products
or services that are targeted to consumers who are residents of the state and that during a
calendar year does either of the following:
a. Controls or processes personal data of at least one hundred thousand consumers.
b. Controls or processes personal data of at least twenty-five thousand consumers and
derives over fifty percent of gross revenue from the sale of personal data.
2. This chapter shall not apply to the state or any political subdivision of the state;
financial institutions, affiliates of financial institutions, or data subject to Tit. V of the federal
Gramm-Leach-Bliley Act of 1999, 15 U.S.C. §6801 et seq.; persons who are subject to and
comply with regulations promulgated pursuant to Tit. II, subtit. F, of the federal Health
Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and Tit. XIII, subtit.
D, of the federal Health Information Technology for Economic and Clinical Health Act of
2009, 42 U.S.C. §17921 – 17954; nonprofit organizations; or institutions of higher education.
3. The following information and data is exempt from this chapter:
a. Protected health information under HIPAA.
b. Health records.
c. Patient identifying information for purposes of 42 U.S.C. §290dd-2.
d. Identifiable private information for purposes of the federal policy for the protection of
human subjects under 45 C.F.R. pt. 46.
§715D.2, CONSUMER DATA PROTECTIONS 4
e. Identifiable private information that is otherwise information collected as part of human
subjects research pursuant to the good clinical practice guidelines issued by the international
council for harmonization of technical requirements for pharmaceuticals for human use.
f. The protection of human subjects under 21 C.F.R. pts. 6, 50, and 56.
g. Personal data used or shared in research conducted in accordance with the
requirements set forth in this chapter, or other research conducted in accordance with
applicable law.
h. Information and documents created for purposes of the federal Health Care Quality
Improvement Act of 1986, 42 U.S.C. §11101 et seq.
i. Patient safety work product for purposes of the federal Patient Safety and Quality
Improvement Act, 42 U.S.C. §299b-21 et seq.
j. Information derived from any of the health care-related information listed in this
subsection that is de-identified in accordance with the requirements for de-identification
pursuant to HIPAA.
k. Information originating from, and intermingled to be indistinguishable with, or
information treated in the same manner as information exempt under this subsection that is
maintained by a covered entity or business associate as defined by HIPAA or a program or a
qualified service organization as defined by 42 U.S.C. §290dd-2.
l. Information used only for public health activities and purposes as authorized by HIPAA.
m. The collection, maintenance, disclosure, sale, communication, or use of any personal
information bearing on a consumer’s credit worthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or mode of living by a consumer
reporting agency or furnisher that provides information for use in a consumer report, and
by a user of a consumer report, but only to the extent that such activity is regulated by and
authorized under the federal Fair Credit Reporting Act, 15 U.S.C. §1681 et seq.
n. Personal data collected, processed, sold, or disclosed in compliance with the federal
Driver’s Privacy Protection Act of 1994, 18 U.S.C. §2721 et seq.
o. Personal data regulated by the federal Family Educational Rights and Privacy Act, 20
U.S.C. §1232 et seq.
p. Personal data collected, processed, sold, or disclosed in compliance with the federal
Farm Credit Act, 12 U.S.C. §2001 et seq.
q. Data processed or maintained as follows:
(1) In the course of an individual applying to, employed by, or acting as an agent or
independent contractor of a controller, processor, or third party, to the extent that the data is
collected and used within the context of that role.
(2) As the emergency contact information of an individual under this chapter used for
emergency contact purposes.
(3) That is necessary to retain to administer benefits for another individual relating to the
individual under subparagraph (1) and used for the purposes of administering those benefits.
r. Personal data used in accordance with the federal Children’s Online Privacy Protection
Act, 15 U.S.C. §6501 – 6506, and its rules, regulations, and exceptions thereto.