A Red State Data Privacy Bill Moves
This is the first Wavelength from the Ghost platform from this email address. The move will allow for a price decrease because of reduced costs. This is the week's free edition.
And, it bears mention that content on technology policy, politics, and law that preceded the Wavelength can be found on my blog.
This week, a house of a legislature passed one of the strongest privacy bills to be passed in the United States (U.S.). This bill would establish a system under which residents would need to opt into both data collection and the sale of their personal information. Because the default is that businesses cannot collect or sell personal information, this bill stands out from virtually all the other data privacy bills that have been successfully voted out of a legislative chamber. However, if the past is any indication, this bill will not get enacted, for it is too restrictive for data controllers and processors and too generous to the residents of this state. As a result, industry stakeholders will work hard to defeat this bill in the other chamber of the legislature.
The “Oklahoma Computer Data Privacy Act” (HB 2969) passed the Oklahoma House of Representatives by a 74-15 vote, marking the second straight year a data privacy bill has been sent to the state’s Senate. In early 2021, the Oklahoma House of Representatives sent the “Oklahoma Computer Data Privacy Act” (HB 1602) (see here for more detail and see here for more details and analysis on the bill as reported out of committee) to the State Senate after modifying the privacy bill, most notably through stripping the private right of action. Thereafter the bill died in the Senate which did not act on the bill other than referring it to committee.
The definition of personal information is very broad and is, in part, “information that identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household.” A few things to note about the first sentence of the lengthy definition. First, it includes information that can be associated directly or indirectly with a person or household. This is a broader conception than one usually finds in a data privacy bill, which stops at information that can be linked or can reasonably be linked. HB 2969 would include information that can be associated with a person, which connotes a looser relationship and will mean more information about a person will be “personal information” and subject to the bill. Secondly, the same is true of information that describes a person. Thirdly, personal information pertains to a consumer and a household. Again, most data privacy bills define personal information or data in ways that pertain only to a person. This is a broader notion that may capture some information outside those definitions. For example, metadata from one’s Wi-Fi router or any “smart” devices would automatically be personal information, whereas that would be a debatable idea under other bills. And, let it also be said that HB 2969 includes employment information, which most bills do not, for businesses successfully made the case that making these data subject to data privacy laws would impair current employment practices. Moreover, the definition sweeps up “inferences drawn from any of the information listed under this paragraph to create a profile about a consumer that reflects the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities or aptitudes,” which goes to the profiles companies like Meta/Facebook and Google have on most people in the U.S.
All in all, this is one of the most comprehensive definitions of personal information in any data privacy bill, and the most extensive in a bill passed by a legislative chamber in the U.S.
Not surprisingly, “publicly available information” is not considered personal information, and this is “information that is lawfully made available to the public from federal, state or local government records or information received from widely distributed media or by the consumer in the public domain.” However, it does not encompass “biometric information or genetic information of a consumer collected by a business without the consumer's knowledge or consent, or de-identified or aggregate consumer information.” As a result, publicly available information is outside the scope of the bill, and there are many other types of data and businesses exempted from the bill, such as those entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley, the Fair Credit Reporting Act, and others. However, if these entities should engage in practices outside the scope of those frameworks, they may become subject to HB 2969 provided they otherwise qualify. For example, consumer reporting agencies are exempted only if the personal information is to be used in a consumer report, and all other activities would be governed by the new regime.
Another remarkable difference in HB 2969 is its broad definition of consent: “an act that clearly and conspicuously communicates the individual's authorization of an act or practice that is made in the absence of any mechanism in the user interface that has the purpose or substantial effect of obscuring, subverting or impairing decision-making or choice to obtain consent.” The first thing of which to take note is that consent cannot be given if a business or entity uses dark patterns or other deceptive means. Consequently, businesses subject to the new law would run the risk of violating it if they obtain consent through many common dark patterns. Additionally, consent requires an act, which suggests an affirmative action, that must also convey a person’s “authorization of an act or practice,” which may mean businesses need separate instances of consent for a range of practices as opposed to a person consenting once.
The eligibility threshold for businesses is low. The new data privacy law would apply to businesses that:
§ do business in the state,
§ collect personal data or have this done on their behalf,
§ determine the purposes and means of processing, in part or whole, and meet any one of the following three:
o make more than $15 million annually;
o buy, sell, or share the personal information of 50,001 people, households, or devices; or
o make more than 25% of annual revenue from selling consumers’ personal information.
With most data privacy bills, the revenue threshold is set higher. Additionally, many bills have a numerical threshold based on the number of people. A fair reading of this bill would seem to permit an aggregation of consumers, households, and devices. If so, a very connected household could easily have more than ten devices between computers, tablets, phones, and any Internet of Things devices. Consequently, a business could easily meet the 50,000 mark. Finally, a number of data privacy bills set the percentage of revenue from data selling activities at 50%.
It is interesting that Internet service providers (ISP) are exempted from the definition of a business “so long as they are acting in their role as ISP,” which means they are not subject to the requirements of HB 2969. Once ISPs move outside the role of acting as an ISP, say in collecting personal data for advertising, then they would need to observe the bill. It is likely ISPs will make the case that many of their activities that involve collecting and processing data should be defined as part of their role as an ISP. Should they succeed, this may create a very significant loophole.
Another key definition is business purpose because many of the obligations and rights established will pertain to data collection, use, processing, and disclosure pertaining to business purposes. Broadly, the definition includes the “operational purposes of a business or service provider, provided that the use of the information is reasonably necessary and proportionate to achieve the operational purpose for which the information was collected or processed or another operational purpose that is compatible with the context in which the information was collected.” This would give businesses some leeway in how they use personal data so long as these means are compatible with the data collection context. And yet, business purposes must be “reasonably necessary and proportionate to achieve the operational purpose.” Additionally, the definition specifies that for cross-context targeted advertising, opt-in consent is required.
Even though there is not a definition of sale or sell per se, it is made clear in the bill that “a business sells a consumer's personal information to another business or a third party if the business sells, rents, discloses, disseminates, makes available, transfers or otherwise communicates, orally, in writing, or by electronic or other means, the information to the other business or third party for monetary or other valuable consideration.” This is a comprehensive definition of sale or selling that encompasses companies that share or rent personal data, and the language at the end specifying that “valuable consideration” other than monetary will make a transfer qualify as a sale under the bill. Many state privacy bills only include those sales or transfers that are made for monetary consideration, and while it is debatable whether receiving personal data for a transfer of personal data constitutes monetary consideration, HB 2969 addresses the issue by including other valuable consideration.
And yet, this section also spells out what is not a sale of personal information. The following would not count as sales. First, if a consumer directs a business to disclose personal information. This seems straightforward and would give a person control of her personal information.
Second, if a person uses an Oklahoma business to intentionally interact with another business, so long as this entity does not sell the person’s personal information “unless that disclosure is consistent with this act.” This set of circumstances appears to present two different scenarios where there is not a sale of personal information. In the first, a person uses an Oklahoma business to conduct business of some sort with a third party that does not sell the person’s personal information. The other scenario is if the third party does sell personal information but in a way that conforms with the bill. One of the possible definitions of third party is a business exempted from this act that collects personal information, and so this second scenario would functionally extend the requirements of the bill to entities that would otherwise not be subject to the bill. Moreover, there is language making clear that interaction with a third party must be “one or more deliberate acts with the intent to interact with a third party.”
Additionally, it would also not be a sale if a business uses an identifier to alert third parties of a person’s opting out of a sale of information. Another set of circumstances that would not be a sale is if a business shares a person’s personal information with a service provider as necessary to perform a business purpose, if notice has been provided and the service provider does not collect, use, or sell personal information beyond what is necessary to fulfill the business’ purpose.
There is interesting language towards the end of the bill that I have never seen in a data privacy bill. Section 24 prohibits businesses from dividing “a single transaction into more than one transaction with the intent to avoid the requirements of this act.” On one level, this provision functions to plug a loophole, but it is not clear which data practice is being targeted. Nonetheless, this section continues that
§ For purposes of this act, two or more substantially similar or related transactions are considered a single transaction if the transactions:
o Are entered into contemporaneously; and
o Have at least one common party.
There is additional language directing courts to “disregard any intermediate transactions conducted by a business with the intent to avoid the requirements of this act, including the disclosure of information by a business to a third party to avoid complying with the requirements under this act applicable to a sale of the information.”
HB 2969 exempts the “noncommercial” activities of the news media and radio and television stations licensed by the Federal Communications Commission. The passage of the bill providing this exemption does not make clear what these activities would be, but reading it together with the definition of a commercial purpose, which exempts “the purpose of engaging in speech recognized by state or federal courts as noncommercial speech, including political speech and journalism,” it becomes clear that only the journalism activities are exempt. All other activities (e.g. advertising) would not be.
The bill exempts a range of activities from the obligations and rights established in the new privacy law that are customary in many such bills. For example, businesses could disregard the requirements in order to comply with federal, state and local laws or with criminal or civil investigations. However, unlike other privacy bills, there is not a long list of exceptions that may lend themselves to broad readings in order that businesses may circumvent rights afforded to residents of Oklahoma. The only ones I see that might allow this are the carveouts to “detect a security incident; protect against malicious, deceptive, fraudulent or illegal activity.” However, the definition of business purposes might allow for such circumvention because some of the practices defined as such include:
§ detecting a security incident, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for any illegal activity described by this division,
§ identifying and repairing or removing errors that impair the intended functionality of computer hardware or software,
As with virtually all the other data privacy bills, there are rights afforded to consumers, but before getting to the rights, let’s examine the provisions on how people make requests and how businesses must process and honor them. Businesses must have two means by which consumers can make requests to exercise rights. Businesses are to take reasonable steps to verify requests are actually being made by the person whose name is on the request. The same is true of requests made on behalf of minors or by a person authorized to act on another’s behalf. What will be considered reasonable will determine how many requests are honored because businesses are not obligated to comply with requests they cannot verify. This creates an incentive for businesses interested in holding onto as much information as possible to deny as many requests as they possibly can. In any event, businesses have 45 days in which to act unless they choose to extend this period by another 45 or even 90 days depending on the complexity and number of verifiable requests. Businesses that do not comply with a verifiable consumer request must notify the consumer of the reasons why the request was denied and the recourse available to the consumer.
The first right is the right to access: a business must disclose the categories and specific items of information collected. A resident of Oklahoma must submit a verifiable request, and if the resident is verified, then the business must disclose the following:
§ Each enumerated category and item within each category of personal information under paragraph 13 of Section 2 of this act that the business collected about the consumer during the twelve (12) months preceding the date of the request;
§ Each category of sources from which the information was collected;
§ The business or commercial purpose for collecting or selling the personal information; and
§ Each category of third parties with whom the business shares the personal information.
As a threshold matter, I think there is a typo. Paragraph 14 of Section 2 is the definition of personal information whereas Paragraph 13 is the definition of a person. Assuming it is meant to be the definition of personal information, businesses would need to turn over quite a bit of information to people given the breadth of what constitutes personal information. Obviously businesses would need to turn over even more information, including the categories of sources from which the information was collected, the business or commercial purpose for selling the personal information, and the categories of third parties with whom the personal information was shared. Regarding this last group of data, it is not clear whether this would also include categories of personal information that are sold. Working from the assumption that the dictionary definition of share is operative since the bill does not provide one, one might assume this includes the sale of personal information. If this bill is enacted as is, I feel certain in saying some business in Oklahoma will argue just the opposite. However, there is another section on disclosing to consumers when businesses sell or disclose personal information.
Consumers can ask businesses to disclose the following information if they sell or disclose personal information:
§ Each enumerated category of personal information under paragraph 13 of Section 2 of this act that the business collected about the consumer during the twelve (12) months preceding the date of the request;
§ The categories of third parties to whom the business sold the consumer's personal information during the twelve (12) months preceding the date of the request by reference to each enumerated category of information under paragraph 13 of Section 2 of this act sold to each third party; and
§ The categories of third parties to whom the business disclosed for a business purpose the consumer's personal information during the twelve (12) months preceding the date of the request by reference to each enumerated category of information under paragraph 13 of Section 2 of this act disclosed to each third party.
Note that the first group of information does not include each item of personal information sold as it does in the previous right. The observation made earlier regarding Paragraph 14 of Section 2 stands with this right.
Consumers can request that businesses delete personal information, and upon receipt of a verifiable request the business must comply. Businesses must also direct their service providers to do the same. There are exceptions, such as that a business does not need to delete the personal information if it is needed to complete a transaction, provide a good or service requested by the consumer, or execute a contract between the consumer and business. However, there are other exceptions to the right to delete that may come to be the exceptions that swallow the rule in the hands of businesses operating contrary to the spirit of the law:
§ Detect a security incident; protect against malicious, deceptive, fraudulent or illegal activity; or prosecute those responsible for any illegal activity described by this paragraph;
§ Identify and repair or remove errors from computer hardware or software that impair its intended functionality;
§ Exercise free speech or ensure the right of another consumer to exercise the right of free speech or another right afforded by law;
One can imagine the expansive readings these exceptions might invite as grounds for businesses to turn down requests to delete personal information.
There are heightened deletion responsibilities for businesses, service providers, and third parties that have made personal information public.
Section 13 has a right not many data privacy bills do: businesses cannot sell one’s personal information unless the person provides opt-in consent. Moreover, a person can opt out of the selling of their personal information at any time, suggesting one can change her mind if she initially agrees to the sale of personal information. Additionally, as in California, one can have another person exercise this right on his behalf. In any event, a business must “comply with a direction not to sell that is received.” It must be kept in mind how the bill defines sale or sell: “a business sells a consumer's personal information to another business or a third party if the business sells, rents, discloses, disseminates, makes available, transfers or otherwise communicates, orally, in writing, or by electronic or other means, the information to the other business or third party for monetary or other valuable consideration.” Consequently, this right would seem to encompass most if not all of the means by which personal information is transferred or traded.
In conjunction with the aforementioned right, businesses must post notice on their websites with this information:
§ the information may be sold,
§ identifies the categories of persons to whom the information will or could be sold, and
§ consumers have the right to opt in to the sale via consent;
The next provision states businesses must provide “[a] clear and conspicuous link that enables a consumer, or person authorized by the consumer, to consent to the sale of the consumer's personal information.” Moreover, this section continues “[a] business may not sell to a third party the personal information of a consumer who does not consent to the sale of that information after the effective date of this act or after a consumer submits a verifiable request to opt out of any future sale.” This right is strengthened further with the prohibition of third parties selling the personal information they bought from a business unless they provide notice to the consumer who must then consent. All in all, this is one of the most robust rights regarding the sale of personal information to be found in data privacy bills in the U.S.
Moreover, businesses cannot collect personal information directly from people without providing notice about each category of information to be collected and the purposes for which the information will be used. What’s more, businesses need opt in consent before they can collect personal information. Businesses would be barred from making material retroactive changes to privacy policies. If a third party acquires a business and alters materially its personal information sharing or uses, it must provide notice allowing people to exercise their rights.
Businesses that sell or collect personal information or disclose these data for a business purpose must post privacy policies describing consumers’ rights and lists of the categories of personal information collected, sold, or disclosed for a business purpose, among other requirements.
The bill next requires businesses to maintain reasonable security practices with virtually the same language one finds in any data privacy bill.
HB 2969 would make all contracts and agreements waiving rights under the bill void.
Businesses cannot discriminate against residents of Oklahoma for exercising their rights. Specifically, they may not:
§ Deny a good or service to the consumer;
§ Charg[e] the consumer a different price or rate for a good or service, including denying the use of a discount or other benefit or imposing a penalty;
§ Provid[e] a different level or quality of a good or service to the consumer; or
§ Suggest that the consumer will be charged a different price or rate for, or provided a different level or quality of, a good or service.
However, the non-discrimination language is not absolute, for it does “prohibit a business from offering or charging a consumer a different price or rate for a good or service, or offering or providing to the consumer a different level or quality of a good or service, if the difference is reasonably related to the value provided to the consumer by the consumer's data.” It is not a stretch to envision some businesses setting up two tiers of service or products and charging more if a consumer opts not to allow it to collect and sell their personal information on the grounds that data provides value accounting for the price difference.
Additionally, under HB 2969, businesses may offer financial incentive programs so long as they provide a “clear description of the material terms of the program and obtains the consumer's prior opt-in consent, which:
§ Contains a clear description of those material terms; and
§ May be revoked by the consumer at any time.
However, “[a] business may not use financial incentive practices that are unjust, unreasonable, coercive or usurious in nature.”
As strong as HB 2969 is, there is no private right of action. The state attorney general could enforce the new privacy regime. Unlike many other states’ bills, the attorney general does not need to notify potential violators of violations and allow them to cure. Instead the attorney general would proceed against alleged violations the same way he or she would against virtually any other class of suspected offenders. The bill permits the state to seek injunctive relief and civil fines of $2,500 per violation and $7,500 per intentional violation.
United States (U.S.) President Joe Biden and European Union (EU) President Ursula von der Leyen announced the U.S. and EU “have agreed in principle on a new Trans-Atlantic Data Privacy Framework, which will foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020.” In a fact sheet, the U.S. and EU stated “[t]he U.S. commitments will be included in an Executive Order that will form the basis of a draft adequacy decision by the Commission to put in place the new Trans-Atlantic Data Privacy Framework.”
European Union stakeholders have reached agreement on the final text of the “Digital Markets Act” that “will blacklist certain practices used by large platforms acting as “gatekeepers” and enable the Commission to carry out market investigations and sanction non-compliant behaviour.” Talks are ongoing on the “Digital Services Act,” the companion legislation.
Utah’s Governor Spencer Cox (R) signed the “Consumer Privacy Act” (SB227), making the state the fourth to enact a data privacy bill.
The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Energy (DOE) published “a joint Cybersecurity Advisory today with information on multiple intrusion campaigns targeting U.S. and international energy sector organizations conducted by indicted Russian state-sponsored cyber actors from 2011 to 2018.”
Prime Minister Boris Johnson’s government named their preferred candidate to take over the Office of Communications (Ofcom), Lord Michael Grade, a member of the House of Lords. It must be noted that Ofcom is the agency that would enforce the “Online Safety Bill” if it is enacted as written.
The United States (U.S.) Department of Justice unsealed two indictments “charging four defendants, all Russian nationals who worked for the Russian government, with attempting, supporting and conducting computer intrusions that together, in two separate conspiracies, targeted the global energy sector between 2012 and 2018.”
The United States (U.S.) Federal Communications Commission’s (FCC) Wireline Competition Bureau (Bureau) announced “that a third application filing window for the Emergency Connectivity Fund (ECF) Program will open on Thursday, April 28, 2022, and close on Friday, May 13, 2022” with the expectation that “a minimum of $1 billion will be available for commitment and disbursement for this third window.”
The United States (U.S.) Government Accountability Office (GAO) published a report, “Blockchain: Emerging Technology Offers Benefits for Some Applications but Faces Challenges.”
Microsoft revealed that “activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$...[that] is known for using a pure extortion and destruction model without deploying ransomware payloads.”
Tweet of the Day
“Warren accuses Raimondo's Commerce Department of ‘lobbying on behalf of Big Tech’” By Cristiano Lima and Aaron Schaeffer — Washington Post
“FBI advised that hackers scanned networks of 5 US energy firms ahead of Biden's Russia cyberattack warning” By Sean Lyngaas — CNN
“Former TikTok moderators sue over emotional toll of 'extremely disturbing' videos” By Bobby Allyn — NPR
“US eyes breakthrough on data dispute with EU as Biden visits Brussels” By Mark Scott and Vincent Manancourt — Politico EU
“Agencies Need More Tech Expertise to Support Future Data Privacy Legislation” By Alexandra Kelley — Nextgov
“Stephen Wilhite, creator of the GIF, has died” By Mitchell Clark — The Verge
“Health data breaches swell in 2021 amid hacking surge, POLITICO analysis finds” By Ben Leonard — Politico
“Where does your info go? US lawsuit gives peek into shadowy world of data brokers” By Johana Bhuiyan — The Guardian
“The rise of the Twitter spies” By Pranshu Verma — Washington Post
“China’s Information Dark Age Could Be Russia’s Future” By Li Yuan — New York Times
“Ukraine’s Engineers Battle To Keep The Internet Running While Russian Bombs Fall Around Them” By Thomas Brewster — Forbes
“Instead of consumer software, Ukraine’s tech workers build apps of war” By Drew Harwell — Washington Post
“Is Russia’s Largest Tech Company Too Big to Fail?” By Paul Starobin — WIRED
“Truth Is Another Front in Putin’s War” By Steven Lee Myers and Stuart A. Thompson — New York Times
“Cellphone dragnets can help catch criminals. Judges say they can also violate constitutional rights.” By Justin Jouvenal and Rachel Weiner — Washington Post
“‘The Ukrainians Are Listening’: Russia’s Military Radios Are Getting Owned” By Jack Detsch and Amy Mackinnon — Foreign Policy
“Bitcoin Miners Want to Recast Themselves as Eco-Friendly” By David Yaffe-Bellany — New York Times
“Twitter leads call for EU lawmakers to ‘think beyond Big Tech’” By Natasha Lomas — Tech Crunch
“Okta says hundreds of companies could have been affected in hack” By Rachel Lerman — Washington Post
“How to Avoid Sharing Misinformation on the War in Ukraine” By Daniel Victor — New York Times
“NYPD accused of collecting DNA for ‘rogue’ database” — Associated Press
“Tech workers are upset their companies are sharing payroll data with Equifax. Here’s what’s going on” By Reed Albergotti and Gerrit De Vynck — Washington Post
“Indonesia preparing tough new curbs for online platforms -sources” By Fanny Potkin and Stefanno Sulaiman — Reuters
“Ransomware attacks on U.S. supply chain are undermining national security, CBP bulletin warns” By Jana Winter — Yahoo News
§ 24 March
o The United Kingdom’s (UK) House of Lords Fraud Act 2006 and Digital Fraud Committee will hold a formal meeting (oral evidence session) regarding “what measures should be taken to tackle the increase in cases of fraud.”
o The United Kingdom’s House of Commons General Committee will hold two formal meetings on the “Product Security and Telecommunications Infrastructure Bill,” described as “A Bill to make provision about the security of internet-connectable products and products capable of connecting to such products; to make provision about electronic communications infrastructure; and for connected purposes.”
§ 29-30 March
o The California Privacy Protection Agency Board will be holding “public informational sessions.”
§ 31 March
o The United Kingdom’s (UK) House of Lords Fraud Act 2006 and Digital Fraud Committee will hold a formal meeting (oral evidence session) regarding “what measures should be taken to tackle the increase in cases of fraud.”
§ 4 April
o United States Assistant Attorney General Jonathan Kanter and Federal Trade Commission Chair Lina M. Khan, as well as senior staff from both agencies, will co-host the Enforcers Summit that “will cover two themes: 1) merger reform to meet the challenges and realities of the modern economy, and 2) lessons for interagency collaboration.”
§ 6 April
o The European Data Protection Board will hold a plenary meeting.
§ 15-16 May
o The United States-European Union Trade and Technology Council will reportedly meet in France.
§ 16-17 June
o The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”
"Personal information" means information that identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household. The term includes the following categories of information if the information identifies, relates to, describes, can be associated with or can reasonably be linked to, directly or indirectly, a particular consumer or household:
a. an identifier, including a real name, alias, mailing address, account name, date of birth, driver license number, unique identifier, Social Security number, passport number, signature, telephone number or other government-issued identification number, or other similar identifier,
b. an online identifier, including an electronic mail address or Internet Protocol address, or other similar identifier,
c. a physical characteristic or description, including a characteristic of a protected classification under state or federal law,
d. commercial information, including:
(1) a record of personal property,
(2) a good or service purchased, obtained or considered,
(3) an insurance policy number, or
(4) other purchasing or consuming histories or tendencies,
e. biometric information and genetic information,
f. Internet or other electronic network activity information, including:
(1) browsing or search history, and
(2) other information regarding a consumer's interaction with an Internet website, application or advertisement,
g. geolocation data,
h. audio, electronic, visual, thermal, olfactory or other similar information,
i. professional or employment-related information,
j. education information that is not publicly available personally identifiable information under the federal Family Educational Rights and Privacy Act of 1974,
k. financial information, including a financial institution account number, credit or debit card number, or password or access code associated with a credit or debit card or bank account,
l. medical information,
m. health insurance information, or
n. inferences drawn from any of the information listed under this paragraph to create a profile about a consumer that reflects the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities or aptitudes;
"Business purpose" means the use of personal information for:
a. the following operational purposes of a business or service provider, provided that the use of the information is reasonably necessary and proportionate to achieve the operational purpose for which the information was collected or processed or another operational purpose that is compatible with the context in which the information was collected:
(1) auditing related to a current interaction with a consumer and any concurrent transactions, including counting ad impressions to unique visitors, verifying the positioning and quality of ad impressions, and auditing compliance with a specification or other standards for ad impressions,
(2) detecting a security incident, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for any illegal activity described by this division,
(3) identifying and repairing or removing errors that impair the intended functionality of computer hardware or software,
(4) using personal information in the short term or for a transient use, provided that the information is not:
(a) disclosed to a third party, and
(b) used to build a profile about a consumer or alter an individual consumer's experience outside of a current interaction with the consumer, including the contextual customization of an advertisement displayed as part of the same interaction,
(5) performing a service on behalf of the business or service provider, including:
(a) maintaining or servicing an account, providing customer service, processing or fulfilling an order or transaction, verifying customer information, processing a payment, providing financing, providing advertising or marketing services, or providing analytic services, or
(b) performing a service similar to a service described by subdivision (a) of this division on behalf of the business or service provider,
(6) undertaking internal research for technological development and demonstration,
(7) undertaking an activity to:
(a) verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for or controlled by the business, or
(b) improve, upgrade or enhance a service or device described by subdivision (a) of this division, or
(8) retention of employment data, or
b. another operational purpose for which notice is given under this act, but specifically excepting cross-context targeted advertising, unless the customer has opted in to the same;
"Third party" means a person who is not:
a. a business to which this act applies that collects personal information from consumers, or
b. a person to whom the business discloses, for a business purpose, a consumer's personal information under a written contract, provided that the contract:
(1) prohibits the person receiving the information from:
(a) selling the information,
(b) retaining, using or disclosing the information for any purpose other than providing the services specified in the contract, including for a commercial purpose other than providing those services, and
(c) retaining, using or disclosing the information outside of the direct business relationship between the person and the business, and
(2) includes a certification made by the person receiving the personal information that the person understands and will comply with the prohibitions under division (1) of this subparagraph;
"Service provider" means a for-profit entity as described by paragraph 3 of this section that processes information on behalf of a business and to which the business discloses, for a business purpose, a consumer's personal information under a written contract, provided that the contract prohibits the entity receiving the information from retaining, using or disclosing the information for any purpose other than:
a. providing the services specified in the contract with the business, or
b. for a purpose permitted by this act, including for a commercial purpose other than providing those specified services;