SCS/SB 7 - This act creates various new provisions relating to the protection of data.
CHIEF DATA OFFICER (SECTION 37.060)
This act creates the position of Chief Data Officer within the Office of Administration who is authorized to oversee each state agency's management of electronic data for purposes of evaluating appropriate management and security of the data.
The Chief Data Officer may require each state agency to:
· Classify its electronic data into levels of sensitivity identified by the Chief Data Officer and regularly review and update such classifications;
· Develop, adopt, and regularly update a written policy for responding to breaches and suspected breaches of the agency's electronic data;
· Develop, adopt, and regularly update a written policy for the proper disposal of the agency's electronic data, including requiring the agency to use the Office of Administration's electronic waste contract for that purpose;
· Adopt data collection standards and procedures identified by the Chief Data Officer; and
· Develop, adopt, and regularly update other policies and procedures the Chief Data Officer deems necessary to evaluate appropriate management and security of the agency's electronic data.
The act also empowers the Chief Data Officer to prevent any state agency from procuring or utilizing any information or communications technologies or services, components, networks, or systems that:
· It has determined to pose an unacceptable risk to the safety and security of the state of Missouri due to a connection to or use by a country that the chief data officer deems poses a threat to the security of the state of Missouri;
· A federal agency has prohibited, restricted the transactions or licensing of, or otherwise limited the use of because of national security concerns; and
· Are designed, developed, manufactured, or supplied by companies or affiliates determined by any federal or state department, division, or agency to be owned, controlled by, or domiciled in a country that the chief data officer deems poses a threat to the security of the state of Missouri.
Furthermore, the Chief Data Officer may prevent the exposure of any communication technology, services, equipment, components, networks, or systems of the state of Missouri to persons or entities that are determined by any federal department or state agency to be owned, controlled by, or domiciled in a country that the Chief Data Officer deems poses a threat to the security of the state of Missouri.
State agencies are responsible for identifying the various types of electronic data, the location of such data, and the level of security required for each type of data. Such information shall be communicated to the Chief Data Officer. State agencies are additionally required to cooperate with the Chief Data Officer in fulfilling the requirements of this act.
This act does not waive sovereign immunity or create a cause of action against the state, any agency of the state, or any officer or employee of the state.
This provision is substantially similar to SB 880 (2020).
TIKTOK PROHIBITION ON STATE-RUN DEVICES (SECTION 37.065)
The act requires the Commissioner of Administration, not later than January 1, 2024, to develop standards and guidelines for all departments, divisions, and agencies of the state requiring the removal of TikTok, or any successor application or service, from information technology. This provision does not apply to the Missouri State Highway Patrol to the extent necessary to conduct any law enforcement activities.
This provision is substantially similar to SB 596 (2023).
CONSUMER PERSONAL DATA PROTECTION (SECTIONS 407.2000 TO 407.2025)
The act creates new provisions establishing consumer rights relative to the access and protection of consumer personal data.
TERMINOLOGY (SECTION 407.2000)
The act regulates the activities of controllers, processors, and consumers and the personal data of consumers. A controller is a person who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others, and who meets the following criteria:
· Conducts business in Missouri or produces a product or service that is targeted to consumers who are Missouri residents;
· Has annual revenue of $25 million or more; and
· During a calendar year, controls or processes the personal data of 100,000 or more consumers or derives over 50% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
A consumer is any individual who is a resident of Missouri.
A processor is a person who processes personal data on behalf of a controller.
CONSUMER RIGHTS (SECTION 407.2005)
The act gives consumers the following rights relative to their personal data:
· Confirm whether a controller is processing the consumer's personal data;
· Access the consumer's personal data;
· Delete the consumer's personal data that the consumer provided to the controller;
· Obtain a copy of the consumer's personal data, that the consumer previously provided to the controller, in a format that, as described in the act, is feasible, practicable, usable, and transmittable by the consumer;
· Opt out of the processing of the consumer's personal data for purposes of targeted advertising or the sale of personal data.
A consumer may exercise a right protected by this act by submitting a request to a controller, by means prescribed by the controller, specifying the right the consumer intends to exercise.
Except as otherwise provided in the act, within 45 days of the receipt of a request from a consumer, a controller of personal data shall take action or inform the consumer of action taken with respect to the request. Controllers may not charge a fee in response to a request unless:
· The request is the consumer's second or subsequent request during the same 12-month period;
· The request is excessive, repetitive, technically infeasible, or manifestly unfounded;
· The controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or
· The request, individually or as part of an organized effort, harasses, disrupts, or imposes an undue burden on the resources of the controller's business.
RESPONSIBILITIES RELATIVE TO PROCESSING DATA REQUESTS (SECTION 407.2010)
The act requires controllers to perform the following acts:
· Provide consumers with a reasonably accessible and clear privacy notice that includes certain information relating to the processing of personal data;
· Disclose the manner in which consumers may opt out of the sale of personal data or of targeted advertising;
· Establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality and integrity of personal data and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data;
· Considering the controller's business size, scope, and type, use data security practices that are appropriate for the volume and nature of the personal data at issue.
Except as otherwise provided in this act, a controller may not process sensitive data collected from a consumer without first presenting the consumer with clear notice and an opportunity to opt out of the processing. In the case of personal data concerning a known child, the controller must process the data in accordance with the federal Children's Online Privacy Protection Act (COPPA).
Except as otherwise permitted in the act, a controller may not discriminate against a consumer for exercising a right by:
· Denying a good or service to the consumer;
· Charging the consumer a different price or rate for a good or service; or
· Providing the consumer a different level of quality of a good or service.
ENFORCEMENT BY ATTORNEY GENERAL (SECTION 407.2015)
The act gives enforcement authority for the act exclusively to the Attorney General (AG). The AG is required to establish and administer a system to receive consumer complaints regarding a controller's or processor's alleged violation of this act. The AG is authorized to initiate an action in circuit court against a controller or processor as provided in the act. In such an action, the AG may recover actual damages to the consumer and, for each violation, an amount not to exceed $7,500, which shall be deposited into the Consumer Privacy Account established by this act.
The AG must prepare a report evaluating the liability and enforcement provisions of this act to be submitted to the Speaker of the House of Representatives and the President Pro Tem of the Senate not later than July 1, 2025.
PREEMPTION OF LOCAL ORDINANCES (SECTION 407.2020)
The act prohibits any political subdivision from enacting any local ordinance that conflicts with this act.
EXEMPTIONS (SECTION 407.2025)
The act contains various exemptions.