Verbatim statutory text on the left; plain-language analysis and a per-section checklist on the right. Numbered markers cross-link to the matching checklist row.
As used in this chapter:

"Adverse action" means a denial, cancellation, or other adverse change or assessment regarding an individual's eligibility for, opportunity to access, or terms of access to important life opportunities.

"Algorithmic eligibility determination" means a determination based in whole or in significant part on an algorithmic process that utilizes machine learning, artificial intelligence, or similar techniques to determine an individual's eligibility for, or opportunity to access, important life opportunities.

"Algorithmic information availability determination" means a determination based in whole or in significant part on an algorithmic process that utilizes machine learning, artificial intelligence, or similar techniques to determine an individual's receipt of advertising, marketing, solicitations, or offers for an important life opportunity.

"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria:
(1) Possesses or controls personal information on more than twenty-five thousand residents of the State;
(2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year;
(3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or
(4) Is a service provider.

"Important life opportunities" means access to, approval for, or offer of credit, insurance, education, employment, housing, or place of public accommodation as defined in section 489-2.

"Personal information" means any information held by a covered entity, regardless of how the information is collected, inferred, derived, created, or obtained, that is linked or reasonably linkable to an individual, household, or personal device. "Personal information" includes but is not limited to:
(1) Individually identifiable information such as a real name, alias, signature, date of birth, union membership number, postal address, unique personal identifier, online identifier, internet protocol address, media access control address, unique device identifier, email address, phone number, account name, social security number, military identification number, driver's license number, vehicle identification number, passport number, or other similar identifiers;
(2) A person's race, national origin, religious affiliation, gender identity, sexual orientation, marital status, or disability;
(3) Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies;
(4) Real-time historical geolocation data more specific than a fifty-mile radius;
(5) Education records, as defined in title 34, Code of Federal Regulations section 99.3 or any successor regulation;
(6) Biometric data, including voice signatures, facial geometry, fingerprints, and retina or iris scans; and
(7) Inferences drawn from any of the information identified in paragraphs (1) through (6) to create a profile about an individual reflecting the individual's predispositions, behavior, habits, attitudes, intelligence, abilities, and aptitudes.

"Reasonably linkable to an individual, household, or personal device" means personal information that can be used on its own or in combination with other information reasonably available to the covered entity, regardless of whether the other information is held by the covered entity, to identify an individual, household, or personal device.

"Service provider" means any entity that performs algorithmic eligibility determinations or algorithmic information availability determinations on behalf of another entity.
This section establishes the definitional framework for the new chapter. Covered entity is defined broadly to include any organization making or relying on algorithmic eligibility or information availability determinations that meets one of four size or function thresholds — 25,000+ Hawaii residents' personal information, $15M+ average annual gross receipts, data broker status, or service provider status. Important life opportunities scopes the chapter to credit, insurance, education, employment, housing, and public accommodations. Personal information is defined expansively to include inferences and profiles derived from underlying data.
(a) 1 A covered entity shall not make an algorithmic eligibility determination or an algorithmic information availability determination on the basis of an individual's or class of individuals' actual or perceived race, color, religion, national origin, sex, gender identity or expression, sexual orientation, familial status, source of income, or disability in a manner that segregates, discriminates against, or otherwise makes important life opportunities unavailable to an individual or class of individuals.
(b) 1 Any practice that has the effect or consequence of violating subsection (a) shall be deemed to be an unlawful discriminatory practice.
(c) Nothing in subsection (a) shall prohibit covered entities from using individuals' personal information as part of an affirmative action plan adopted pursuant to state or federal law.
This section establishes the core anti-discrimination prohibition: covered entities may not make algorithmic eligibility or information availability determinations on the basis of protected characteristics in a manner that segregates, discriminates against, or otherwise makes important life opportunities unavailable. Critically, subsection (b) imposes disparate-impact liability — any practice with the effect or consequence of violating the prohibition is deemed unlawful regardless of intent. Subsection (c) carves out affirmative action plans adopted pursuant to state or federal law.
2 Any covered entity that relies in whole or in part on a service provider to conduct an algorithmic eligibility determination or an algorithmic information availability determination shall require by written agreement that the service provider implement and maintain measures reasonably designed to ensure that the service provider complies with this chapter.
This section requires covered entities that rely on service providers for algorithmic determinations to contractually bind those service providers to comply with the chapter. The written agreement must require the service provider to implement and maintain measures reasonably designed to ensure compliance. This creates a flow-down obligation — the covered entity cannot outsource its compliance responsibility by outsourcing the algorithmic processing.
(a)(1)–(5) 3 A covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1 shall: (1) Develop a notice that explains how the covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross 
receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1 uses personal informationPersonal information"Personal information" means any information held by a covered entity, regardless of how the information is collected, inferred, derived, created, or obtained, that is linked or reasonably linkable to an individual, household, or personal device. "Personal information" includes but is not limited to: (1) Individually identifiable information such as a real name, alias, signature, date of birth, union membership number, postal address, unique personal identifier, online identifier, internet protocol address, media access control address, unique device identifier, email address, phone number, account name, social security number, military identification number, driver's license number, vehicle identification number, passport number, or other similar identifiers; (2) A person's race, national origin, religious affiliation, gender identity, sexual orientation, marital status, or disability; (3) Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies; (4) Real-time historical geolocation data more specific than a fifty-mile radius; (5) Education records, as defined in title 34, Code of Federal Regulations section 99.3 or any successor regulation; (6) Biometric data, including voice signatures, facial geometry, fingerprints, and retina or iris scans; and (7) Inferences drawn from any of the information identified in paragraphs (1) through (6) to create a profile about an 
individual reflecting the individual's predispositions, behavior, habits, attitudes, intelligence, abilities, and aptitudes.§ -1 in algorithmic eligibility determinationsAlgorithmic eligibility determination"Algorithmic eligibility determination" means a determination based in whole or in significant part on an algorithmic process that utilizes machine learning, artificial intelligence, or similar techniques to determine an individual's eligibility for, or opportunity to access, important life opportunities.§ -1 and algorithmic information availability determinationsAlgorithmic information availability determination"Algorithmic information availability determination" means a determination based in whole or in significant part on an algorithmic process that utilizes machine learning, artificial intelligence, or similar techniques to determine an individual's receipt of advertising, marketing, solicitations, or offers for an important life opportunity.§ -1, including: (A) What personal informationPersonal information"Personal information" means any information held by a covered entity, regardless of how the information is collected, inferred, derived, created, or obtained, that is linked or reasonably linkable to an individual, household, or personal device. 
"Personal information" includes but is not limited to: (1) Individually identifiable information such as a real name, alias, signature, date of birth, union membership number, postal address, unique personal identifier, online identifier, internet protocol address, media access control address, unique device identifier, email address, phone number, account name, social security number, military identification number, driver's license number, vehicle identification number, passport number, or other similar identifiers; (2) A person's race, national origin, religious affiliation, gender identity, sexual orientation, marital status, or disability; (3) Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies; (4) Real-time historical geolocation data more specific than a fifty-mile radius; (5) Education records, as defined in title 34, Code of Federal Regulations section 99.3 or any successor regulation; (6) Biometric data, including voice signatures, facial geometry, fingerprints, and retina or iris scans; and (7) Inferences drawn from any of the information identified in paragraphs (1) through (6) to create a profile about an individual reflecting the individual's predispositions, behavior, habits, attitudes, intelligence, abilities, and aptitudes.§ -1 the covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria: (1) Possesses or 
controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1 collects, generates, infers, uses, and retains; (B) What sources the covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1 uses to collect, generate, or infer personal informationPersonal information"Personal information" means any information held by a covered entity, 
regardless of how the information is collected, inferred, derived, created, or obtained, that is linked or reasonably linkable to an individual, household, or personal device. "Personal information" includes but is not limited to: (1) Individually identifiable information such as a real name, alias, signature, date of birth, union membership number, postal address, unique personal identifier, online identifier, internet protocol address, media access control address, unique device identifier, email address, phone number, account name, social security number, military identification number, driver's license number, vehicle identification number, passport number, or other similar identifiers; (2) A person's race, national origin, religious affiliation, gender identity, sexual orientation, marital status, or disability; (3) Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies; (4) Real-time historical geolocation data more specific than a fifty-mile radius; (5) Education records, as defined in title 34, Code of Federal Regulations section 99.3 or any successor regulation; (6) Biometric data, including voice signatures, facial geometry, fingerprints, and retina or iris scans; and (7) Inferences drawn from any of the information identified in paragraphs (1) through (6) to create a profile about an individual reflecting the individual's predispositions, behavior, habits, attitudes, intelligence, abilities, and aptitudes.§ -1; (C) Whether the personal informationPersonal information"Personal information" means any information held by a covered entity, regardless of how the information is collected, inferred, derived, created, or obtained, that is linked or reasonably linkable to an individual, household, or personal device. 
"Personal information" includes but is not limited to: (1) Individually identifiable information such as a real name, alias, signature, date of birth, union membership number, postal address, unique personal identifier, online identifier, internet protocol address, media access control address, unique device identifier, email address, phone number, account name, social security number, military identification number, driver's license number, vehicle identification number, passport number, or other similar identifiers; (2) A person's race, national origin, religious affiliation, gender identity, sexual orientation, marital status, or disability; (3) Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies; (4) Real-time historical geolocation data more specific than a fifty-mile radius; (5) Education records, as defined in title 34, Code of Federal Regulations section 99.3 or any successor regulation; (6) Biometric data, including voice signatures, facial geometry, fingerprints, and retina or iris scans; and (7) Inferences drawn from any of the information identified in paragraphs (1) through (6) to create a profile about an individual reflecting the individual's predispositions, behavior, habits, attitudes, intelligence, abilities, and aptitudes.§ -1 is shared, sold, leased, or exchanged with any service providersService provider"Service provider" means any entity that performs algorithmic eligibility determinations or algorithmic information availability determinations on behalf of another entity.§ -1 for any kind of consideration, and if so, the names of those service providersService provider"Service provider" means any entity that performs algorithmic eligibility determinations or algorithmic information availability determinations on behalf of another entity.§ -1, including subsidiaries of the service providersService provider"Service 
provider" means any entity that performs algorithmic eligibility determinations or algorithmic information availability determinations on behalf of another entity.§ -1; (D) A brief description of the relationship between the personal informationPersonal information"Personal information" means any information held by a covered entity, regardless of how the information is collected, inferred, derived, created, or obtained, that is linked or reasonably linkable to an individual, household, or personal device. "Personal information" includes but is not limited to: (1) Individually identifiable information such as a real name, alias, signature, date of birth, union membership number, postal address, unique personal identifier, online identifier, internet protocol address, media access control address, unique device identifier, email address, phone number, account name, social security number, military identification number, driver's license number, vehicle identification number, passport number, or other similar identifiers; (2) A person's race, national origin, religious affiliation, gender identity, sexual orientation, marital status, or disability; (3) Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies; (4) Real-time historical geolocation data more specific than a fifty-mile radius; (5) Education records, as defined in title 34, Code of Federal Regulations section 99.3 or any successor regulation; (6) Biometric data, including voice signatures, facial geometry, fingerprints, and retina or iris scans; and (7) Inferences drawn from any of the information identified in paragraphs (1) through (6) to create a profile about an individual reflecting the individual's predispositions, behavior, habits, attitudes, intelligence, abilities, and aptitudes.§ -1 and the algorithmic eligibility or algorithmic information availability 
determinationsAlgorithmic information availability determination"Algorithmic information availability determination" means a determination based in whole or in significant part on an algorithmic process that utilizes machine learning, artificial intelligence, or similar techniques to determine an individual's receipt of advertising, marketing, solicitations, or offers for an important life opportunity.§ -1; (E) How long the covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1 will hold the personal informationPersonal information"Personal information" means any information held by a covered entity, regardless of how the information is collected, inferred, derived, created, or obtained, that is linked or reasonably linkable to an individual, household, or personal device. 
"Personal information" includes but is not limited to: (1) Individually identifiable information such as a real name, alias, signature, date of birth, union membership number, postal address, unique personal identifier, online identifier, internet protocol address, media access control address, unique device identifier, email address, phone number, account name, social security number, military identification number, driver's license number, vehicle identification number, passport number, or other similar identifiers; (2) A person's race, national origin, religious affiliation, gender identity, sexual orientation, marital status, or disability; (3) Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies; (4) Real-time historical geolocation data more specific than a fifty-mile radius; (5) Education records, as defined in title 34, Code of Federal Regulations section 99.3 or any successor regulation; (6) Biometric data, including voice signatures, facial geometry, fingerprints, and retina or iris scans; and (7) Inferences drawn from any of the information identified in paragraphs (1) through (6) to create a profile about an individual reflecting the individual's predispositions, behavior, habits, attitudes, intelligence, abilities, and aptitudes.§ -1; and (F) The rights provided under this chapter; (2) Ensure that the notice developed and made available under paragraph (1) of this subsection: (A) Is clear, concise, and complete; (B) Does not contain unrelated, confusing, or contradictory materials; and (C) Is in a format that is: (i) Prominent and easily accessible; (ii) Capable of fitting on one printed page; and (iii) Provided in English, as well as in any non-English language spoken by at least five hundred individuals in the State population; (3) Within thirty days after changing its collection or use practices or policies in a way that 
affects the content of the notice required by paragraph (1) of this subsection, update that notice; (4) Make the notice required under paragraph (1) of this subsection continuously and conspicuously available: (A) On the covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1's website or mobile application, if the covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one 
or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1 maintains a website or mobile application; and (B) At the physical place of business or any offline equivalent the covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1 maintains; and (5) Send the notice required under 
paragraph (1) of this subsection to an individual before the first algorithmic information availability determinationAlgorithmic information availability determination"Algorithmic information availability determination" means a determination based in whole or in significant part on an algorithmic process that utilizes machine learning, artificial intelligence, or similar techniques to determine an individual's receipt of advertising, marketing, solicitations, or offers for an important life opportunity.§ -1 it makes about the individual by: (A) Mail, if the personal informationPersonal information"Personal information" means any information held by a covered entity, regardless of how the information is collected, inferred, derived, created, or obtained, that is linked or reasonably linkable to an individual, household, or personal device. "Personal information" includes but is not limited to: (1) Individually identifiable information such as a real name, alias, signature, date of birth, union membership number, postal address, unique personal identifier, online identifier, internet protocol address, media access control address, unique device identifier, email address, phone number, account name, social security number, military identification number, driver's license number, vehicle identification number, passport number, or other similar identifiers; (2) A person's race, national origin, religious affiliation, gender identity, sexual orientation, marital status, or disability; (3) Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies; (4) Real-time historical geolocation data more specific than a fifty-mile radius; (5) Education records, as defined in title 34, Code of Federal Regulations section 99.3 or any successor regulation; (6) Biometric data, including voice signatures, facial geometry, fingerprints, and retina or iris scans; and (7) 
Inferences drawn from any of the information identified in paragraphs (1) through (6) to create a profile about an individual reflecting the individual's predispositions, behavior, habits, attitudes, intelligence, abilities, and aptitudes.§ -1 was gathered through the individual contacting or contracting with the covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1 through mail; (B) Email, if the personal informationPersonal information"Personal information" means any information held by a covered entity, regardless of how the information is collected, inferred, derived, created, or obtained, that is linked or reasonably linkable to an individual, household, or personal device. 
"Personal information" includes but is not limited to: (1) Individually identifiable information such as a real name, alias, signature, date of birth, union membership number, postal address, unique personal identifier, online identifier, internet protocol address, media access control address, unique device identifier, email address, phone number, account name, social security number, military identification number, driver's license number, vehicle identification number, passport number, or other similar identifiers; (2) A person's race, national origin, religious affiliation, gender identity, sexual orientation, marital status, or disability; (3) Commercial information, including records of personal property; products or services purchased, obtained, or considered; or other purchasing or consuming histories or tendencies; (4) Real-time historical geolocation data more specific than a fifty-mile radius; (5) Education records, as defined in title 34, Code of Federal Regulations section 99.3 or any successor regulation; (6) Biometric data, including voice signatures, facial geometry, fingerprints, and retina or iris scans; and (7) Inferences drawn from any of the information identified in paragraphs (1) through (6) to create a profile about an individual reflecting the individual's predispositions, behavior, habits, attitudes, intelligence, abilities, and aptitudes.§ -1 was gathered through the individual contacting or contracting with the covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and 
that meets one or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1 through email, or if the covered entityCovered entity"Covered entity" means any individual, firm, corporation, partnership, cooperative, association, or any other organization, legal entity, or group of individuals however organized, including entities related by common ownership or corporate control, that either makes algorithmic eligibility determinations or algorithmic information availability determinations, or relies on algorithmic eligibility determinations or algorithmic information availability determinations supplied by a service provider, and that meets one or more of the following criteria: (1) Possesses or controls personal information on more than twenty-five thousand residents of the State; (2) Has more than $15,000,000 in average annualized gross receipts for the three years preceding the most recent fiscal year; (3) Is a data broker, or other entity, that derives fifty per cent or more of its annual revenue by collecting, assembling, selling, distributing, providing access to, or maintaining personal information, and some proportion of the personal information concerns a resident of the State who is not a customer or an employee of that entity; or (4) Is a service provider.§ -1 has the individual's email address for another reason; (C) Informing individuals through a "pop-up" notification upon navigation to 
the covered entity's website or within the covered entity's mobile application; or (D) Providing a clear and conspicuous link on the covered entity's website's homepage, or the home screen of its mobile application, leading to the notice.
(b) 3 A covered entity need not provide the notice described under subsection (a) of this section if another covered entity has provided notice to the same individual for the same action as part of a contracted arrangement with the covered entity.
(c) 4 A covered entity that is subject to subsection (a)(1), with respect to any individual whose personal information the covered entity holds as described in that subsection, shall not use any personal information of the individual in an algorithmic eligibility determination unless the covered entity has provided the individual with notice consistent with that subsection.
(d) 5 If a covered entity takes any adverse action with respect to any individual that is based in whole or in part on the results of an algorithmic eligibility determination, the covered entity shall provide the individual a written or electronic disclosure that includes: (1) The covered entity's name, address, email address, and telephone number; (2) The factors the determination depended on; and (3) An explanation that the individual may: (A) Access any personal information pertaining to that individual that the covered entity used to make the determination; (B) Submit corrections to that information; and (C) If the individual submits corrections, request that the covered entity conduct a reasoned reevaluation of the relevant algorithmic eligibility determination, conducted by a human, based on the corrected data.
This section establishes layered notice and disclosure obligations. Subsection (a) requires covered entities to develop and maintain a comprehensive notice explaining how personal information is used in algorithmic determinations — covering data collected, sources, service-provider sharing, the relationship between data and determinations, retention periods, and individual rights. The notice must be clear, concise, fit on one printed page, be available in English and any non-English language spoken by at least 500 state residents, and be continuously and conspicuously posted. The notice must be sent to individuals before the first algorithmic information availability determination.
Subsection (c) conditions use of personal information in algorithmic eligibility determinations on prior notice delivery. Subsection (d) requires a post-adverse-action disclosure that includes the factors the determination depended on, and informs the individual of their rights to access their personal information, submit corrections, and request a human-conducted reevaluation based on corrected data.
(a)(1)–(6) 6 A covered entity shall annually audit its algorithmic eligibility determination and algorithmic information availability determination practices to: (1) Determine whether the processing practices discriminate in a manner prohibited under -2; (2) Analyze disparate-impact risks of algorithmic eligibility determinations and algorithmic information availability determinations based on actual or perceived race, color, religion, national origin, sex, gender identity or expression, sexual orientation, familial status, genetic information, source of income, or disability; (3) Create and retain for at least five years an audit trail that records, for each algorithmic eligibility determination: (A) The type of algorithmic eligibility determination made; (B) The data used in the determination, including the source of the data; (C) The methodology used by the entity to establish the algorithm; (D) The algorithm used to make the determination; (E) Any data or sets of data used to train the algorithm; (F) Any testing and results for model performance across different subgroups or for discriminatory effects; (G) The methodology used to render the determination; and (H) The ultimate decision rendered; (4) Conduct annual impact assessments of: (A) Existing systems that render algorithmic eligibility determinations and algorithmic information availability determinations; and (B) Prior to implementation, new systems that render algorithmic eligibility determinations and algorithmic information availability determinations; (5) Conduct the audits under paragraphs (1), (2), and (3) of this subsection in consultation with third parties who have substantial information about or participated in the covered entity's algorithmic eligibility determinations and algorithmic information availability determinations, including service providers; and (6) Identify and implement reasonable measures to address risks of an unlawful disparate impact identified in the audits and impact assessments conducted under paragraphs (1), (2), and (3) of this subsection, including the risks posed by determinations made by the covered entity's service providers.
(b)(1)–(10) 7 A covered entity shall annually submit a report containing the results of the audit mandated under this section to the department of the attorney general on a form provided by the department of the attorney general. The report shall contain the following information: (1) The types of algorithmic eligibility determinations and algorithmic information availability determinations that the covered entity makes; (2) The data and methodologies that the covered entity uses to establish the algorithms; (3) The optimization criteria of the algorithms used to make the determinations; (4) Any data or sets of data used to train the algorithms, and the source or sources of the data; (5) The methodologies the covered entity uses to render the determinations; (6) Any performance metrics the entity uses to gauge the accuracy of the assessments, including accuracy, confidence intervals, and how those assessments are obtained; (7) The frequency, methodology, and results of the impact assessments or risk assessments that the entity has conducted; (8) Within the description of each of the decisions in paragraphs (1) through (7), the rationale for each decision; (9) Whether the covered entity has received complaints from individuals regarding the algorithmic eligibility determinations and algorithmic information availability determinations it has made; and (10) If the covered entity has determined that one or more of the exemptions referred to in section -2(c) apply to practices that would otherwise violate section -2(a), a declaration and explanation of the covered entity's reliance on those exemptions.
(c) 7 To the extent consistent with federal law or state law, a covered entity may, in place of the report required by subsection (a), submit to the department of the attorney general a report previously submitted to a federal, state, or other government entity, if that report contains the required information or is supplemented with missing information.
(d) The attorney general may adopt rules pursuant to chapter 91 necessary to implement the reporting provisions of this section.
This section imposes two distinct but linked obligations: annual internal auditing and annual regulatory reporting. The audit obligation requires covered entities to annually assess whether their algorithmic practices discriminate, analyze disparate-impact risks across all protected characteristics, create and retain five-year audit trails with detailed per-determination records, conduct annual impact assessments of existing and new systems, consult with third parties including service providers during the audit process, and identify and implement reasonable measures to remediate identified disparate-impact risks.
The reporting obligation requires annual submission of audit results to the Department of the Attorney General on a prescribed form, covering ten enumerated categories of information including determination types, data and methodologies, optimization criteria, training data, performance metrics, impact assessment results, rationale, complaints received, and any reliance on the affirmative-action exemption. Covered entities may substitute a report previously filed with another government entity if it contains the required information or is supplemented.
(a)–(b) In any case in which the attorney general has reason to believe that any person has used, is using, or intends to use any method, act, or practice in violation of this chapter or rule adopted under this chapter, or has failed to provide a notice, a disclosure, or a report required by this chapter, the attorney general may commence appropriate civil action for: (1) A temporary or permanent injunction; (2) Penalties as described in subsection (c) of this section; (3) Damages or restitution; or (4) Any other relief that the court considers appropriate. (b) In the course of an investigation to determine whether to seek relief, the attorney general may subpoena witnesses; administer oaths; examine an individual under oath; require sworn written responses to written questions; and compel production of records, books, papers, contracts, and other documents.
(c) Any covered entity or service provider that violates this chapter shall be liable for a civil penalty of not more than $10,000 for each violation, which may be recovered in a civil action brought by the attorney general.
(d) Any civil penalty assessed for a violation of this chapter, and the proceeds of any settlement of an action brought pursuant to this section, shall be deposited in the litigation deposits trust account under section 28-16.
(e) Any person aggrieved by a violation of this chapter may bring a civil action in any court of competent jurisdiction, and the court may award an amount not less than $100 and not greater than $10,000 per violation or actual damages, whichever is greater.
(f) In a civil action brought under either subsection (c) or (e) of this section in which the plaintiff prevails, the court may also award: (1) Punitive damages; (2) Reasonable attorney's fees and litigation costs; and (3) Any other relief, including equitable or declaratory relief, that the court determines appropriate.
(g) In a civil action brought under subsection (e) of this section, a violation of this chapter or a rule adopted under this chapter with respect to an individual constitutes a concrete and particularized injury to that individual.
This section establishes a dual-track enforcement regime. The attorney general may bring civil actions for injunctive relief, penalties up to $10,000 per violation, damages or restitution, or any other appropriate relief. The attorney general has investigative authority including subpoena power. Separately, any aggrieved person may bring a private civil action for statutory damages of $100–$10,000 per violation or actual damages, whichever is greater. Subsection (g) provides that a chapter violation with respect to an individual constitutes a concrete and particularized injury — eliminating standing barriers. In both AG and private actions, courts may award punitive damages, reasonable attorney's fees, and any other equitable or declaratory relief.